Google Project Zero called 2021 a “record year for in-the-wild 0-days,” as 58 security vulnerabilities were detected and disclosed during the course of the year.
The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020.
“The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits,” Google Project Zero security researcher Maddie Stonesaid.
“Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Stone added.
The tech giant’s in-house security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them markedly different for the technical sophistication and use of logic bugs to escape the sandbox.
Both of them relate to FORCEDENTRY, a zero-click iMessage exploit attributed to the Israeli surveillanceware company NSO Group. “The exploit was an impressive work of art,” Stone said.
The sandbox escape is “notable for using only logic bugs,” Google Project Zero researchers Ian Beer and Samuel Groß explained last month. “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.”
A platform-wise breakdown of these exploits shows that most of the in-the-wild 0-days originated from Chromium (14), followed by Windows (10), Android (7), WebKit/Safari (7), Microsoft Exchange Server (5), iOS/macOS (5), and Internet Explorer (4).
Of the 58 in-the-wild 0-days observed in 2021, 39 were memory corruption vulnerabilities, with the bugs stemming as a consequence of use-after-free (17), out-of-bounds read and write (6), buffer overflow (4), and integer overflow (4) flaws.
It’s also worth noting that 13 out of the 14 Chromium 0-days were memory corruption vulnerabilities, most of which, in turn, were use-after-free vulnerabilities.
What’s more, Google Project Zero pointed out the lack of public examples highlighting in-the-wild exploitation of 0-day flaws in messaging services like WhatsApp, Signal, and Telegram as well as other components, including CPU cores, Wi-Fi chips, and the cloud.
“This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?,” Stone said, adding, “As an industry we’re not making 0-day hard.”
“0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits,” forcing them “to start from scratch each time we detect one of their exploits.”
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the company explains in a security advisory rating the bug with a critical threat level.
The flaw can only be exploited if they are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access.
Federal Civilian Executive Branch Agencies (FCEB) agencies must secure their systems against these security flaws according to November’s binding operational directive (BOD 22-01).
CISA has given them three weeks, until May 2nd, to patch the CVE-2022-23176 flaw added today to its catalog of Known Exploited Vulnerabilities.
Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.
It establishes persistence on the device through firmware updates, and it provides its operators with remote access to compromised networks.
It uses the infected devices’ legitimate firmware update channels to maintain access to the compromised devices by injecting malicious code and deploying repacked firmware images.
This malware is also modular, making it simple to upgrade and target new devices and security vulnerabilities, tapping into new pools of exploitable hardware.
WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies linked the malware to the GRU hackers, saying that Cyclops Blink may have hit roughly 1% of all active WatchGuard firewall appliances.
The UK NCSC, FBI, CISA, and NSA joint advisory says organizations should assume all accounts on infected devices as being compromised. Admins should also immediately remove Internet access to the management interface.
Botnet disrupted, malware removed from C2 servers
On Wednesday, US government officials announced the disruption of the Cyclops Blink botnet before being weaponized and used in attacks.
The FBI also removed the malware from Watchguard devices identified as being used as command and control servers, notifying owners of compromised devices in the United States and abroad before cleaning the Cyclops Blink infection.
“I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners,” FBI Director Chris Wray warned.
“So those owners should still go ahead and adopt Watchguard’s detection and remediation steps as soon as possible.”
WatchGuard has shared instructions on restoring infected Firebox appliances to a clean state and updating them to the latest Fireware OS version to prevent future infections.
This has been a busy month for cyber attackers, and the Cisco Umbrella team – in conjunction with Cisco Talos – has observed several new threats for users to be aware of.
In this month’s edition of the Cybersecurity Threat Spotlight, we discuss a wiper making its way through Ukraine, a dropper targeting India and China, and a newly discovered Trojan targeting EU banks.
Want to see Cisco Umbrella in action? Sign up for a free trial today!
HermeticWiper
Threat Type: Wiper
Attack Chain:
Description: HermeticWiper is a data destructing malware observed in attacks targeting Ukraine. This wiper comes as a small executable with a valid digital signature issued to “Hermetica Digital Ltd.” The malware leverages embedded resources to interact with storage devices present on infected systems. The applicable embedded driver is extracted, loaded into the wiper’s process memory space, decompressed, and written to the disk before the wipe process. The wiper disables the generation of crash dumps and corrupts the first 512 bytes to destroy the MBR of physical drives. For partitions, it disables the Volume Shadow Copy Service and uses different destructive mechanisms on the partitions depending on whether they’re FAT type or NTFS type. The wiper also attempts to corrupt housekeeping files. During the final stage, HermeticWiper waits for all sleeping threads to complete and initiates a reboot to ensure the success of the wiping activity.
HermeticWiper Spotlight: Cisco Talos has become aware of a series of wiper attacks going on inside Ukraine. One of the wipers used in these attacks has been dubbed “HermeticWiper.” Deployment of this destructive malware began on February 23, 2022. The malware has two components designed for destruction: one targeting the Master Boot Record (MBR) and another targeting partitions.
Description: SDUser is a VBA-based dropper that is used by Advanced Persistent Threat (APT) groups. The functionality of the payload includes command and control protocol, anti-sandboxing techniques, and a reverse shell mechanism.
SDUser Spotlight: In June 2021, Cisco Talos researchers discovered a malicious Excel spreadsheet that attempted to drop a previously unknown RAT. A month later, they discovered another closely related spreadsheet. These samples were internally referred to as “SDUser” sampled due to the specific PDB string left in the binary payload.
More recent analysis shows similar code being used by two different APT groups: Transparent Tribe, which targets organizations in India, and Donut, which targets organizations in Pakistan and China. These two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities despite being conducted by different groups. Code reuse, adopting techniques from successful attacks, and deliberate integration of evidence designed to fool analysts can disguise the true perpetrator and lead to these attacks being attributed to different groups.
Target Geolocations: Pakistan, China Target Data: User Credentials, Browser Data, Sensitive Information Target Businesses: Any Exploits: N/A
Description: Xenomorph is an Android Banking Trojan. It is capable of stealing credentials via overlay attack, and it uses SMS and notification interception to log and use potential 2FA tokens. Stolen data is sent to the C2 for further exploitation.
Xenomorph Spotlight: Xenomorph was initially discovered in February 2022. It is distributed through the official Google Play Store. It targets users of 56 different European banks and cryptocurrency wallets. Capabilities include – but are not limited to – stealing credentials, SMS and notification interception, excessive logging, and data exfiltration. The core engine is designed as a modular system and still appears to be in the development stage. Malware heavily relies on the overlay attack mechanism to steal personally identifiable information (PII) and other sensitive data. Collected data is exfiltrated to an attacker-controlled server using the open-source project RetroFit2.
Target Geolocations: EU Target Data: User Credentials, Browser Data, Sensitive Information Target Businesses: Any Exploits: N/A
Mitre ATT&CK for Xenomorph
Initial Access: Deliver Malicious App via Authorized App Store
Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages.
The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.
This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.
“An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device,” Cisco explained.
“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS [Denial-of-Service] condition.”
To make things even worse, continued attacks can cause the targeted devices to become completely unavailable, which results in a persistent DoS condition.
The company’s Product Security Incident Response Team (PSIRT) said that it found no evidence of malicious exploitation in the wild before the security advisory was published on Wednesday.
Vulnerable component not enabled by default
While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.
Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on.
Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled.
The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.
Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).
Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.
Exploitable remotely without authentication
Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”
The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.
The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.
“SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.
NSv 10, NSv 25, NSv 50, Nsv 100, NSv 200, Nsv, 300, NSv 400, NSv 800, NSv 1600
6.5.4.4-44v-21-1452 and earlier
6.5.4.4-44v-21-1519 and higher
NSsp 15700 firewall gets hotfix, full patch in April
The only affected firewall still waiting for a patch against CVE-2022-22274 is the NSsp 15700 enterprise-class high-speed firewall.
While a hotfix is already available for those reaching out to the support team, SonicWall estimates that a full patch to block potential attacks targeting this firewall will be released in roughly two weeks.
“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844),” the company explained.
“SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.”
Temporary workaround available
SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched.
As the security vendor explained, admins are required to only allow access to the SonicOS management interface to trusted sources.
“Until the [..] patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management),” SonicWall added.
The updated access rules will ensure that the impacted devices “only allow management access from trusted source IP addresses.”
