Security News – Week 34

DirtyCred – A Critical Linux Kernel Security Vulnerability

A new Linux Kernel vulnerability called “DirtyCred” was disclosed at the Black Hat security conference on August 10, 2022. The vulnerability, which is similar to the notorious DirtyPipe vulnerability and is tracked as CVE-2022-0847, was discovered by Ph.D. and detected by student Zhenpeng Lin and his team.

DirtyCred is a kernel exploit that replaces non-privileged kernel credentials with privileged ones to escalate privileges on vulnerable systems. Instead of overwriting any critical data area in the kernel stack, DirtyCred abuses the stack memory reuse mechanism to gain privileges. It can overwrite all files with reading permission that affects kernel version 5.8 or higher. The vulnerability allows a local threat actor to crash the system or execute arbitrary code on the vulnerable system.

Github Link is here.

Security researchers have posted a demo on their social media accounts showing how the DirtyCred vulnerability can be used to elevate the privileges of a low-privileged user on two different systems, such as Centos 8 and Ubuntu, using the same Exploit code with the DirtyPipe vulnerability.

There are currently no mitigations or updates to the DirtyCred exploit. Security researchers recommend separating privileged credentials from non-privileged ones using virtual memory to prevent potential Cross-Cache attacks using the vulnerability.

A Phishing Campaign Targeting Hotels and Travel Companies Detected

A phishing campaign targeting multiple hotels and travel companies has been detected running by the TA558 group. In the campaign, it was observed that RAT malware was exploited, allowing threat actors to access targeted systems, monitor the system regularly, capture critical data and carry out fraudulent activities with the captured data. In addition, it is seen that RAR and ISO file attachments have started to be used in this campaign instead of macro-content documents sent by phishing e-mails.

The chain of infection starts with the sending of phishing e-mails with message text in English, Spanish and Portuguese to the associated destinations. The main topic covered in the e-mails is to make a reservation at the targeted establishment. Such e-mails are sent purporting to come from key sources such as conference organizers and tourist office agents that are hard for recipients to ignore.

Figure 1: One of the phishing emails
Figure 1: One of the phishing emails
An ISO file from a remote source is uploaded to the target system when targets click on the URL claimed to be the reservation link in the message body. The ISO file contains a BAT file (batch file) that will run a PowerShell script when executed. In order to ensure permanence, the script creates a scheduled task to hold the RAT load on the target computer as long as the script is running. By executing the BAT file and then the PowerShell script, target systems are injected with malware such as AsyncRAT (mostly), Loda, Revenge RAT, XtremeRAT, CaptureTela, and BluStealer. RAT malware endangers hotel systems and causes the identity information of customers, bank, and credit card data being stored to be captured by threat actors.
Figure 2: Attack Lifecycle
Figure 2: Attack Lifecycle

TA558 has been an active threat actor targeting the hospitality, travel, and related industries since 2018. The activities carried out by this actor lead to the capture of corporate and customer data and possible financial losses. For example, in July 2022, the Booking.com account of The Marino Boutique Hotel in Lisbon, Portugal, was targeted by this hacking campaign. It is known that threat actors caused a financial loss of € 500,000 through a compromised hotel account in just four days. In this context, it is recommended to consider the following security practices to avoid being the target of similar attack campaigns.

Zoom Releases Updates Fixing A Critical Vulnerability Affecting macOS

Zoom has released security updates that fix a vulnerability in the macOS operating system that could allow a threat actor to take control of a user’s system. (Reference Link)

The security vulnerability with code CVE-2022-28756 affects the automatic update feature of the application. A low-privileged threat actor can exploit the vulnerability to gain root privileges on the vulnerable operating system during the automatic update process of versions 5.7.3 to 5.11.3. The vulnerability was identified by Patrick Wardle, founder of the Objective-See Foundation, and presented at the annual world-known Def Con Hack conference.

Figure: Twitter posts from Patrick Wardle
Figure: Twitter posts from Patrick Wardle

The vulnerability has been fixed in version 5.11.5 of the currently available Zoom app for macOS.

It is recommended that users using vulnerable versions of the Zoom App for macOS immediately apply the updates that fix the vulnerability so that they are not the target of attacks that can be carried out using the vulnerability.

Share This: