A story of malware and misplaced keys - May 8th-14th, 2023 - F5 SIRT - This Week in Security

Aaron here in the editor's chair again this week, and this week I think I'm going to spend a lot of time talking about malware. Articles on malware were everywhere last week (and continue to be this week, with coverage of MichaelKors[1], ZXShell/Merdoor[2] and ESXi Jackpotting[3]) and it seems to be an inescapable topic that shows no sign of slowing down; I've tried to pick up a couple of other interesting pieces as well though, so we aren't left only discussing malware this week!

Last week was also BlackHat Asia 2023[4] which some of my colleagues were lucky enough to attend - hopefully they'll be able to write about what they saw there in future TWIS editions. Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. 

It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

  1. https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
  2. https://thehackernews.com/2023/05/researchers-uncover-powerful-backdoor.html
  3. https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/
  4. https://www.blackhat.com/asia-23/


Malware all over the news

A running theme in many of the news articles I've seen in the last week has been malware; I don't know if this is the result of CISA's #StopRansomware activity[1] like their warning on LockBit 3.0 from last month[2], or if we are genuinely seeing a rash of novel ransomware hitting the market - but suffice to say it has been everywhere!

On Tuesday we had Microsoft's Patch Tuesday, which closed a hole being used by the BlackLotus malware (CVE-2023-24932 & CVE-2023-29336)[3], while Wednesday gave us Deep Instinct documenting a new version of BPFDoor[4] (first seen almost exactly a year prior). Thursday we had CISA and the FBI release a joint statement[5] on the "Bl00dy Ransomware Gang's" active exploitation of CVE-2023-17350 (PaperCut) and news from SentinelOne of ten new ransomware families based on Babuk targeting ESXi systems[6], and on Friday THN covered Securonix and Elastic Security Labs articles on XWorm being dropped using Follina[7] and Netgear disclosing five vulnerabilities in RAX30 routers that can be chained to achieve unauthenticated remote code execution[8] - and those were just the ones that stood out to me!

The important thing, for me, is that the mitigation for all of these is the same:
  • Train your users - train them to identify phishing attacks (Follina), train them to handle their devices in a secure manner (BlackLotus requires physical access - i.e. unattended devices)
  • Document secure deployment practices - preventing attacks like PaperCut by not exposing internal services to the Internet
  • Patch known exploited vulnerabilities as a priority (I'd also suggest prioritizing Remote Code Execution vulnerabilities, personally) - Follina has been a KEV since June 2022, PaperCut since April 2023
  • Enable MFA everywhere and enforce good password hygiene
Remember, malware is just software you didn't install, so the key to preventing it is stopping someone outside of your organisation from executing commands on your hosts - supply chain attacks aside, of course! Speaking of supply chain attacks, that brings me to my next piece.
  1. https://www.cisa.gov/stopransomware
  2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  3. https://www.theregister.com/2023/05/09/microsoft_may_patch_tuesday/
  4. https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
  5. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
  6. https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/
  7. https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
  8. https://thehackernews.com/2023/05/netgear-routers-flaws-expose-users-to.html

MSI loses the keys to the castle

Micro-Star International, a major manufacturer of computer hardware headquartered in Taiwan, suffered a ransomware incident in April which, after they refused to pay the ransom, resulted in the leak of private UEFI (Unified Extensible Firmware Interface) keys along with other data including motherboard firmware, firmware signing keys for 57 products and Intel Boot Guard keys for 166 products[1][2]. For the end-user, this means that malicious actors can create firmware updates for affected devices signed by the legitimate MSI keys; they then need to get those updates into the hands of users, of course, but once they do, the updates will be indistinguishable from the real deal. While NCSC-NL say they think the risk of abuse is small, I say look out for phishing and malvertising campaigns attempting to direct people looking for firmware updates to less-than-legitimate sources in the coming months.

The problem here is that MSI have no way to revoke the keys en masse and in a short period of time - the stolen keys will remain valid at least until firmware is updated to versions which no longer recognize the leaked keys as valid, and MSI doesn't have the at-scale update capabilities of larger manufacturers like Dell. This one is likely to take quite a while to play out - especially as MSI don't seem to be particularly forthcoming or transparent, unfortunately.

  1. https://twitter.com/matrosov/status/1653923749723512832
  2. https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/

GitHub Push Protection to keep your keys safe

Speaking of keeping private keys safe (sorry MSI!), GitHub made "Push Protection" available to all users last week[1]; combined with "Secret scanning" (which was made available for free in December[2]) this gives GitHub administrators a way to automatically scan every push for secrets being leaked and, by default, prevent the push from happening. Of course it is possible to override the block by providing a reason (risk acceptance), but this should help prevent accidental leaks which, as we discussed in March's This Month in Security[3], are often discovered by threat actors in minutes.

To enable Push Protection, simply go to Settings > Select "Code security and analysis" > Enable "Secret scanning" and "Push protection."
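To show what that kind of check does under the hood, here is an added illustration (not GitHub's own code): a local, pre-push-style scan over a unified diff that flags a few well-known secret formats on added lines only, blocks by default, and lets the push through only when a bypass reason is recorded. The pattern set is deliberately tiny and the file names and token values in the sample diff are constructed for the example.

```python
import re

# Three illustrative secret formats; GitHub's real pattern set is far larger (assumption).
SECRET_PATTERNS = {
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Return (file, new-file line number, kind) for secrets on *added* lines only."""
    findings, current_file, new_line = [], "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")  # "+++ b/path" -> "path"
            continue
        if raw.startswith("@@"):  # "@@ -a,b +c,d @@": new-file side starts at line c
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith(("-", "\\")):  # removed line or "\ No newline": not a new-file line
            continue
        if raw.startswith("+"):  # only additions can leak something new
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((current_file, new_line, kind))
        new_line += 1  # added and context lines both occupy a new-file line
    return findings

def push_allowed(diff_text: str, bypass_reason: str = "") -> tuple[bool, list]:
    """Block by default when a secret is found; allow only when a bypass reason is recorded."""
    findings = scan_diff(diff_text)
    return (not findings) or bool(bypass_reason.strip()), findings

# Constructed sample push: a config file gaining two tokens, plus a new PEM file (fake values).
SAMPLE_DIFF = """\
--- a/config/deploy.env
+++ b/config/deploy.env
@@ -1,2 +1,3 @@
 APP_ENV=production
-GITHUB_TOKEN=<set-in-ci>
+GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
+AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF
--- /dev/null
+++ b/keys/signing.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEconstructedplaceholdernotarealkey
+-----END RSA PRIVATE KEY-----
"""
```

Running `push_allowed(SAMPLE_DIFF)` reports the token on line 2, the access key on line 3 and the PEM block on line 1 of the new file, and blocks; the same call with a non-empty reason returns allowed, which is the "override with risk acceptance" path described above.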

  1. https://github.blog/changelog/2023-05-09-secret-scannings-push-protection-now-generally-available-for-github-advanced-security/
  2. https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/
  3. https://youtu.be/cFj2Tzbu4r4?t=643
Published May 17, 2023
Version 1.0
