A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned.
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.
About the vulnerability (CVE-2020-14882)
CVE-2020-14882 may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 184.108.40.206.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0, and was patched by Oracle last week.
Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses.
For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.
“The exploit appears to be based on this blog post published in Vietnamese by ‘Jang’,” he added. (The researcher in question has previously flagged several flaws in Oracle’s offerings, though not this one.)
The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending one simple POST request.
A demonstration of the exploit in action is available here.
The PoC exploit was published yesterday, and it didn’t take long for attackers to take advantage of it. Admins are advised to patch vulnerable systems as soon as possible.
Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk.
At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited.
On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).
About the vulnerabilities
The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws.
The security advisory Citrix published noted them and laid out the pre-conditions needed for their exploitation, but does not contain too many details.
“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Citrix CISO Fermin Serna explained, and made sure to note that the patches provided fully resolve all issues.
He also pointed out that the 11 vulnerabilities amount to six possible attack routes, five of which have barriers to exploitation.
Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.
About the recent exploitation attempts
Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet.
“One interesting issue is that most of the scans originate from a single ISP so far, suggesting that this may be just one group at this point trying to enumerate vulnerable systems,” he told Help Net Security.
“Vulnerable systems leak information about the system if hit with these exploits. So these are not as dangerous as the code execution issues we saw with Citrix over new year, or the F5 issues. But enumerating systems, and using the leaked information may lead to additional more targeted follow on attacks later.”
One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.
“Some of the other vulnerabilities patched with this update are ‘interesting’, but more tricky to exploit,” he added.
Attackers are bypassing a mitigation for the BIG-IP TMUI RCE vulnerability (CVE-2020-5902) originally provided by F5 Networks, NCC Group’s Research and Intelligence Fusion Team has discovered.
On CVE-2020-5902 (K52145254) @TeamAresSec reported publicly at 18:24 the mitigation could be bypassed, we saw it used in the wild at 12:39 for the first time – upgrade don’t mitigate – https://t.co/sSr4JIZwu3 pic.twitter.com/PMfG0rCpyQ
— NCC Group Infosec (@NCCGroupInfosec) July 7, 2020
“Early data made available to us, as of 08:05 on July 8, 2020, is showing that of ~10,000 Internet-exposed F5 devices, ~6,000 were made potentially vulnerable again due to the bypass,” they warned.
F5 Networks has updated the security advisory to reflect this discovery and to provide an updated version of the mitigation. The advisory has also been updated with helpful notes regarding the impact of the flaw, the various mitigations, as well as indicators of compromise.
CVE-2020-5902 exploitation attempts
CVE-2020-5902 was discovered and privately disclosed by Positive Technologies researcher Mikhail Klyuchnikov.
F5 Networks released patches and published mitigations last Wednesday and PT followed with more information.
Security researchers were quick to set up honeypots to detect exploitation attempts and, a few days later, after several exploits had been made public, the attempts started.
Some were reconnaissance attempts, some tried to deliver backdoors, DDoS bots, coin miners, web shells, etc. Some were attempts to scrape admin credentials off vulnerable devices in an automated fashion.
There’s also a Metasploit module for CVE-2020-5902 exploitation available (and in use).
Any organization that applied the original, incomplete mitigation instead of patching their F5 BIG-IP boxes should take action again:
🚨 For those orgs who applied the F5 BIG-IP and BIG-IQ mitigation rather than patching 🚨
there’s a bypass to the mitigation being used in the wild now.
— Kevin Beaumont (@GossiTheDog) July 8, 2020
this is not good. If you applied the workaround… you need to patch! (or finally isolate your admin interface) https://t.co/RlWb61qZoh
— SANS ISC (@sans_isc) July 8, 2020
They should also check whether their devices have been compromised in the interim.
SANS Technology Institute’s Internet Storm Center (ISC) has been a valuable warning service and source of critical cyber threat information to internet users, organizations and security practitioners for nearly two decades.
Dr. Johannes Ullrich, the man whose site (DShield.org) became the basis of a SANS project (Incident.org) that later became the Internet Storm Center, has been leading the effort from the start.
Old and new attack trends
“Initially, the Internet Storm Center mostly dealt with firewall logs. In the early days (2000-2008 or so), firewall logs helped us understand the spread of worms like Leaves, Nimda, Blaster, and others,” he told Help Net Security.
“But as soon as home computers started to either use built-in firewalls, or take advantage of home router/firewall combos that are very common today, we saw how things shifted. Instead of actively scanning for systems, attackers tricked users into running the code for them. This led to the never-ending ways of malicious websites and emails that are still dominating.”
More recently, they witnessed the shift from data theft to data encryption by ransomware, as attackers discovered that the person willing to pay most for the data is the original owner.
In addition to this major trend, Dr. Ullrich says that it has become obvious over the years that old attacks and vulnerabilities never quite disappear.
“I think that the vast majority of attacks, even advanced attacks, only use a small handful of actual vulnerabilities, but it’s actually very difficult to obtain real good data to support or reject this thesis. There are a lot of studies that look at different pieces of the puzzle, but it’s hard to find out how it all fits together.”
He also thinks that some very “noisy” attacks are very much overrated and that companies spent a lot of effort and money on defending against attacks that would never have been successful. One of the hard parts in defense is to accurately determine the actual risk posed by a particular attack.
Understanding risks and finding solutions
One thing that’s definitely not overrated? Application control.
“I think it’s one of the most important techniques that has finally made it to the mainstream. Having users execute arbitrary applications is probably one of the most common weaknesses. And yes, a lot of users hate the restrictions, but I find limiting the ‘zoo’ of allowed applications significantly reduces risks,” he explained.
“This is not a new idea. Microsoft has made this a standard optional feature in all currently supported versions of Windows and Apple has to some extent ‘mastered’ this with their mobile device app stores. But it is one of those simple and maybe a bit boring techniques that can always use more attention.”
In the end, though, some of the risks may be a bit overhyped, and it’s important to understand that there is no perfect security.
“In cybersecurity, just like in ‘real world’ security, it is important to understand risks. Just like a shop owner may have a discount table outside the store, well knowing that some of the items may be stolen, and a locked cabinet in the back with high value items, in cyber security we still have to learn how to accurately determine risk and how to spend the right amount of effort on the right problems. The goal isn’t to prevent every breach, but to limit the impact of a breach.”
Getting talented people into cybersecurity
In parallel with working on the Internet Storm Center, Dr. Ullrich became more involved in teaching SANS courses. He started out teaching the Intrusion Detection class – which is the class he still enjoys teaching the most – and added various other classes along the way.
He was also involved in SANS’s effort to establish a graduate school, and the work he has done with the Internet Storm Center has also become part of the graduate school’s research program, which he now heads as Dean of Research.
With all that in mind, I wondered what his take is on how to attract more young people into the cybersecurity field.
“There has been a lot of progress in the creation of gamified exercises to better identify talent and interest them in cybersecurity,” he noted.
“Cybersecurity is less about the knowledge of specific tools and techniques, but more about a talent to understand complex technological relationships and persevere in solving hard challenges.”
He also stressed that cybersecurity is a field that changes constantly and quickly.
“I think if you ‘sell’ cybersecurity as a field that offers you a set of challenging, never ending and changing puzzles, you likely address the right crowd. This is not a field where you learn once and ‘stick with it’ (does such a field still exist?). To excel, you also have to be a bit of a risk taker and you can’t always wait for instructions,” he concluded.
The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned.
“Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted.
“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”
This is the third FBI private industry notification since the beginning of the year about the group’s activities and the modular Kwampirs RAT it uses.
According to the alert:
- The attack group first establishes a broad and persistent presence on the targeted network and then delivers and executes the Kwampirs RAT and other malicious payloads
- Kwampirs actors have successfully gained and sustained persistent presence on victim networks for a time period ranging from three to 36 months
- The Kwampirs RAT is modular and, depending on the target, different modules are dropped. But it seems that the threat actors’ main goal is cyber espionage
- Significant intrusion vectors include: lateral movement between company networks during mergers and acquisitions; malware being passed between entities through shared resources and internet facing resources during the software co-development process; and software supply chain vendors installing infected devices on the customer/corporate LAN or customer/corporate cloud infrastructure.
“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI added.
While the Kwampirs/Orangeworm threat actor is considered to be an APT (Advanced Persistent Threat), it is currently unknown whether it is state-backed.
What is known is that they don’t go after PII, payment card data, and are not interested in destroying or encrypting data for ransom – though, according to the FBI, several code-based similarities exist between the Kwampirs RAT and the Shamoon/Disstrack wiper malware.
The group also doesn’t limit their targeting to healthcare and software supply chain organizations. To a lesser extent, they go after companies in the energy and engineering industry as well as financial institutions and prominent law firms, across the United States, Europe, Asia, and the Middle East.
Defense and post-infection remediation
The notice delivers best practices for network security and defense to be incorporated before infection, recommended post-infection actions and identifies residual Kwampirs RAT host artifacts that can help companies to determine if they were a victim.
SANS ISC handler (and Dean of Research at the SANS Technology Institute) Johannes Ullrich notes that Kwampirs will likely enter an organization’s network undetected as part of a software update from a trusted vendor.
“Anti-malware solutions will detect past versions. But do not put too much trust in anti-malware to detect the next version that is likely tailored to your organization,” he added, and offered helpful advice for writing abstracted detection signatures that might come in handy.
While not recently updated, the MITRE ATT&CK entry for the Kwampirs malware may also be helpful. For more technical details about the malware, you might want to check out ReversingLabs’s recent analysis.
As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.
A short timeline before the situation update
CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local network from the internet, was responsibly disclosed last December.
At the time, Citrix offered only mitigation advice instead of fixes, but both security researchers and hackers eventually used that advice to discern the nature of the flaw and create exploits for it.
The number of publicly available exploits quickly rose in the coming days and they began to be deployed by attackers. At the same time, scans revealed tens of thousands of (still) vulnerable installations.
Citrix CISO Fermin J. Serna then announced that the first available fixes will land on January 20.
The current situation
Several days after rising attacks, FireEye researchers flagged a threat actor gaining access to vulnerable Citrix installations and removing known cryptocurrency miners from them.
Simultaneously, the threat actor downloads and deploys a utility (NOTROBIN) that blocks exploitation attempts against the CVE-2019-19781 vulnerability, while effectively setting up a backdoor that can only be used by someone who knows the right password (a hardcoded key).
“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries,” the researchers noted.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign.”
A similar attack, delivering partial fixes, was spotted recently by SANS ISC, as it was used on their honeypots.
In the meantime, Citrix confirmed that some SD-WAN WANOP versions (v10.2.6 and 11.0.3) are also vulnerable to CVE-2019-19781 as they include Citrix ADC as a load balancer, and that the offered mitigation steps will work on them.
Finally, on Sunday, the company released fixes for CVE-2019-19781 for ADC versions 11.1 and 12.0.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Serna pointed out.
He also said that the remaining fixes – for ADC version 12.1, 13, 10.5, and SD-WAN WANOP 10.2.6 and 11.0.3 – are scheduled to be released on January 24.
He also warned that the offered fixes can be used only on the indicated versions. “If you have multiple ADC versions in production, you must apply the correct version fix to each system,” he advised.
In the meantime, mitigations should be implemented and admins should check whether they’ve been successfully applied. Citrix has provided a tool that will help them do that.
By the way: CISA has released last week a utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability. It’s available here.
Also: TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised through CVE-2019-19781.
With several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still being over 25,000, attackers are having a field day.
Do you use Citrix’s Application Delivery Controller (ADC) or Gateway? If you haven’t implemented the mitigations provided by the company, there’s a good chance you might have been hit already.
Numerous CVE-2019-19781 exploits available
The existence of CVE-2019-19781 – humorously dubbed Shitrix by cybersecurity researcher Kevin Beaumont – was first made public in late December.
Discovered by Mikhail Klyuchnikov of Positive Technologies, the flaw has yet to be patched. In the meantime, Citrix offered mitigation advice to users.
CVE-2019-19781 is very bad news: it’s easy to exploit and can lead to remote code execution. The exploit published by TrustedSec “works well” and establishes a reverse shell, SANS ISC’s Johannes Ullrich noted.
“We do see heavy exploitation of the flaw using variations of both exploits. Most attempts follow the ‘Project Zero India’ pattern, which is likely simpler to include in existing exploit scripts. Much of the scanning we have seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’,” he shared.
“A few exploits attempted to download additional code. I was successful retrieving one sample so far, a simple Perl backdoor.”
SANS ISC handler Didier Stevens shared an overview of the payloads delivered by the attackers. AlienVault has consolidated indicators of compromise from a number of reports of recent exploitation of the flaw.
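The scanning Ullrich describes above leaves traces in ordinary web access logs, so a defender can triage those logs for exploitation attempts and, at the same time, see whether the Citrix mitigation was actually in place when the requests arrived. The following Python script is an added example, not code from the article, SANS ISC or Citrix. Its detection heuristic is an assumption modelled on Citrix’s published responder-policy mitigation: a request whose URL-decoded path contains /vpns/ together with a /../ traversal is treated as an attempt. The log lines, source addresses and file names in it are constructed samples, and the reading of a 403 as “blocked by the mitigation” versus a 200 as “reached the backend” is likewise an assumption about how the mitigation responds.

```python
"""Triage of web access logs for CVE-2019-19781 exploitation attempts.

Added example, not code from the article, SANS ISC or Citrix. The signature
below is an assumption modelled on Citrix's published responder-policy
mitigation (decoded path contains "/vpns/" and a "/../" traversal). The log
lines are constructed samples in combined log format, not captured traffic.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines; addresses are from documentation ranges,
# file names are placeholders rather than any real exploit path.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:02:11 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 215 "-" "curl/7.64.0"
203.0.113.10 - - [11/Jan/2020:10:02:12 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 3011 "-" "curl/7.64.0"
198.51.100.7 - - [11/Jan/2020:10:05:40 +0000] "GET /vpn/index.html HTTP/1.1" 200 4023 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jan/2020:10:07:03 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/example.pl HTTP/1.1" 403 118 "-" "python-requests/2.22"
"""

# Combined log format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(2):
        path = unquote(path)
    return path


def is_traversal_to_vpns(path: str) -> bool:
    """Assumed signature: the decoded path reaches /vpns/ via a /../ component."""
    decoded = decode_path(path).lower()
    return "/vpns/" in decoded and "/../" in decoded


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one record per matching request, noting whether it was blocked.

    Assumption: a 403 on such a request is consistent with the responder-policy
    mitigation being active; a 200 means the traversal reached the backend and
    the host should be examined for compromise.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_to_vpns(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": decode_path(m["path"]),
            "status": m["status"],
            "blocked": m["status"] == "403",
        })
    return hits


def sources(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count attempts per source address, for blocking or further investigation."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        state = "blocked" if h["blocked"] else "REACHED BACKEND"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({state})')
    print("attempts per source:", sources(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any record whose status is not 403 deserves the compromise checks referenced elsewhere in the article, since the request was not stopped at the edge. Decoding twice matters because a single-pass decoder would miss double-encoded traversal that the backend may still normalise.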
Implement mitigations, check for compromise
Citrix CISO Fermin J. Serna urged users to go through the offered mitigation steps and said that they are working on developing permanent fixes.
“As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested,” he noted, and said that the first fixes (in the form of refresh builds) are scheduled to be released on January 20, then followed by the rest on January 27 and 31.
TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised.
You might also want to peruse Beaumont’s advice:
Citrix Gateway and ADC vulnerability aka #Shitrix – a thread of some things which are catching out defenders:
— Kevin Beaumont (@GossiTheDog) January 12, 2020