Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication

Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication

ChamelGang, a sophisticated threat actor believed to be based in China, has been using different tools for intrusions, as identified by the security researchers at Stairwell Threat Research in their recent investigation.

While apart from this, the Threat Research team of Stairwell also found new tools for Linux intrusions that are developed by the group.

Read moreBuilding cyber skills and roles from CyBOK foundations

ChamelDoH is one of the best instances for this, as it facilitates communication through DNS-over-HTTPS (DoH) tunneling, and it’s an implant that is mainly developed using C++.

Chinese Hackers Targets

The countries listed below have experienced instances of ChamelGang targeting their energy, aviation, and government organizations in the past:-

Read moreAccessibility as a cyber security priority

Russia

The United States

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Japan

Turkey

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

Taiwan

Vietnam

Read moreS3 Ep135: Sysadmin by day, extortionist by night

India

Afghanistan

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Lithuania

Nepal

DNS-over-HTTPS for Linux Malware

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

By identifying a domain and tool previously encountered in ChamelGang campaigns, Positive Technologies established the association between ChamelGang and the recently discovered Linux malware.

For remote access to the system, the sample (34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7) is primarily designed, and it’s a large C++ binary.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

The sample utilizes DoH tunneling to establish a communication channel with the configured command-and-control (C2) infrastructure.

To encode its communication, the sample employs a modified base64 alphabet, transforming it into subdomains that are directed to a nameserver under the control of the malicious actor.

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

When the implant is executed, it immediately employs several systems calls to collect reconnaissance data and compile it into a JSON object.

Here below, we have mentioned all the details that are gathered by ChamelDoH when it’s executed:-

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

host_name: System hostname

ip: Any IP address for an interface that is not 127.0.0.1

Read more6 Ways to Mitigate Risk While Expanding Access

system_type: sysname parsed from the system’s utsname struct, i.e. Linux

system_version: version parsed from the system’s utsname struct,

Read moreHypervisors and Ransomware: Defending Attractive Targets

i.e. #43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023

whoami: The user context that ChamelDoH is running under

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

process_pid: The process ID of the ChamelDoH process

bits: The bitness of the system, i.e. x86_64

Read moreEducating Your Board of Directors on Cybersecurity

pwd: The working directory of the ChamelDoH process

id: A pseudo-randomly generated integer generated by ChamelDoH that is used as an implant ID

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

ChamelDoH distinguishes itself through its original approach to command-and-control (C2) techniques.

While besides this, two keys are used in the JSON object to define the implant’s command-and-control (C2) configuration.

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

Here the sample contains the following configuration:-

With the help of the configuration, the implant establishes communication with malicious nameservers using DoH requests. 

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

It encodes its command-and-control (C2) communications as subdomains and initiates TXT requests for the encoded C2 communications within the domain it generates.

Blocking these DoH providers across the entire enterprise is difficult due to their widespread use as DNS servers for legitimate traffic.

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

Inspecting these requests without intercepting the traffic becomes challenging due to HTTPS, making it difficult for defenders to identify which domain requests are being made via DoH.

This poses a challenge in detecting or obstructing abnormal network traffic, such as the encoded communications utilized by ChamelDoH.

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

The consequence of this strategy resembles C2 communication through domain fronting, where traffic is initially directed to a legitimate service hosted on a content delivery network (CDN). 

However, it is rerouted to a C2 server using the request’s Host header. While this makes the detection and prevention of this technique completely challenging tasks.

Read moreZyxel Firewalls Hacked by Mirai Botnet

To maintain confidentiality, ChamelDoH uses AES128 encryption to secure its communication. The encrypted data is then transformed into base64 format, allowing it to be inserted as a subdomain.

Capabilities

The implant can perform several types of tasks, and here below, we have mentioned them all along with their commands:-

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

run: Execute a file/shell command

sleep: Set number of seconds until next check-in

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

wget: Download a file from a URL

upload: Read and upload a file

Read moreMemcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation

download: Download and write a file

rm: Delete a file

Read morePyPI Enforcing 2FA for All Project Maintainers to Boost Security

cp: Copy a file to a new location

cd: Change the working directory

Read moreCredible Handwriting Machine

Moreover, ongoing analysis is being conducted by the Stairwell Threat Research team to examine ChamelDoH and other tools utilized by ChamelGang, which were previously unidentified.

Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus

Read moreGoogle Is Not Deleting Old YouTube Videos

The post Chinese Hackers Employed DNS-over-HTTPS for Linux Malware Communication appeared first on Cyber Security News.

   Read More 

Read moreFriday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away

Cyber Security News 

Related Posts

Proxy botnets. PowerShell Gallery flaws. Cyber incident at Clorox. Beta-testing scam. Updates from Russia’s hybrid war.
Proxy botnets. PowerShell Gallery flaws. Cyber incident at Clorox. Beta-testing scam. Updates from Russia’s hybrid war.

Proxy botnets. PowerShell Gallery flaws. Cyber incident at Clorox. Beta-testing scam. Updates from Russia’s hybrid war.

Building a proxy botnet. Active flaws in PowerShell Gallery. Cyber incident disrupts Clorox. Scams lure would-be mobile beta-testers. Lessons learned from the Russian cyberattack on Viasat. Update on cyber threats to Starlink. News crawl defacement.   Read More 

The CyberWire 

xz-utils Backdoor Found in Kali Linux Installations – Check for Malware Infection

xz-utils Backdoor Found in Kali Linux Installations – Check for Malware Infection

[[{“value”:”

A backdoor was recently discovered in the xz-utils package versions 5.6.0 to 5.6.1, shocking the Linux community. This poses a significant threat to the security of Linux distributions, including Kali Linux.

The vulnerability, CVE-2024-3094, could potentially allow malicious actors to compromise sshd authentication, granting unauthorized access to systems remotely.

The xz-utils package is a widely used library in the Linux ecosystem for data compression, making the severity of this vulnerability particularly alarming.

The backdoor was discovered in versions 5.6.0 and 5.6.1 of the xz-utils package, and had it not been identified and addressed promptly, it could have had far-reaching consequences.

Document

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The issue was quickly patched in Debian and, consequently, in Kali Linux, mitigating the potential impact.

Kali Installation Affected

Kali Linux users who updated their installations between March 26th and March 29th, 2024, are at risk of having installed the compromised version of xz-utils (5.6.0-0.2).

The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.

— Kali Linux (@kalilinux) March 29, 2024

It is crucial for users who updated their systems during this period to apply the latest updates immediately to rectify the issue.

However, according to a statement from Kali Linux, this vulnerability does not affect those who did not update their Kali installations before March 26th.

To check if your system is affected, you can execute the following command:

apt-cache policy liblzma5

If the output indicates that version 5.6.0-0.2 is installed, it is imperative to upgrade to the latest version (5.6.1+really5.4.5-1) using the following commands:

sudo apt update && sudo apt install -y –only-upgrade liblzma5

This incident is a reminder to act promptly on security vulnerabilities.

The quick identification and resolution of the backdoor in xz-utils highlight the responsiveness of the Linux community to security threats.

Users are encouraged to stay informed about potential vulnerabilities and to apply updates and patches as soon as they become available to ensure the security of their systems.

For more detailed information on the vulnerability and guidance on addressing it, users can refer to the initial disclosure on Openwall, the summary post on Help Net Security, and the National Vulnerability Database (NVD) entry for CVE-2024-3094.

The discovery of the xz-utils backdoor underscores the ongoing challenges in securing the software supply chain and the critical role that community vigilance and rapid response play in safeguarding the integrity of open-source software.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post xz-utils Backdoor Found in Kali Linux Installations – Check for Malware Infection appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News 

CISA Urge Gov Agencies to Apply Patch for Windows and Office zero-days Immediately

CISA Urge Gov Agencies to Apply Patch for Windows and Office zero-days Immediately

CISA urged government agencies to apply the patch immediately for Microsoft Office and Windows HTML remote code execution vulnerabilities exploited in the wild.

As a result, these vulnerabilities have frequently been exploited and pose significant risks to the federal enterprise.

CISA works with partners to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future.

CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.

CVE-2023-36884 – Microsoft Office and Windows HTML Remote Code Execution Vulnerability

Microsoft is aware of exploitation by using specially-crafted Microsoft Office documents; the attackers enable them to perform remote code execution.

Remote code execution (RCE) is a vulnerability that lets a malicious hacker execute arbitrary code in the programming language in which the developer wrote that application. The attacker can do that from a location different than the system running the application.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker must convince the victim to open the malicious file. NIST Explained.

Notably, Microsoft help to customers by providing a security update through our monthly release process or an out-of-cycle security update, depending on customer needs. 

The severity range of this vulnerability:8.8 (High). Moreover, CISA added a new catalog for this CVE.

Patches:

Patching known vulnerabilities is one of the best ways to prevent attacks.

Binding Operational Directive (BOD) 22-01: TO SECURE FROM HIGHLY ATTACKS.

It is known as common vulnerabilities and exposures (CVEs). “BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats”.

According to CISA, it should be a desire for all organizations to reduce the risk and secure themselves from vulnerabilities.

“Stay up to date on the latest additions and protect yourself from a malicious,” tweeted CISO.

The post CISA Urge Gov Agencies to Apply Patch for Windows and Office zero-days Immediately appeared first on Cyber Security News.

   Read More 

Cyber Security News