This week saw an impressive pair of takedowns pulled off by law enforcement agencies around the world. The first was the 911 S5 botnet, Which the FBI is calling “likely the world’s largest botnet ever”. Spreading via fake free VPN services, 911 was actually a massive proxy service for crooks. Most lately, this service was operating under the name “Cloud Router”. As of this week, the service is down, the web domain has been seized, and the alleged mastermind, YunHe Wang, is in custody.

The other takedown is interesting in its own right. Operation Endgame seems to be psychological warfare as well as actual arrests and seizures. The website features animated shorts, a big red countdown clock, and a promise that more is coming. The actual target was the ring that manage malware droppers — sort of middlemen between initial shellcode, and doing something useful with a compromised machine. This initial volley includes four arrests, 100+ servers disrupted, and 2,000+ domains seized.

The arrests happened in Armenia and Ukraine. The messaging around this really seems to be aimed at the rest of the gang that’s out of reach of law enforcement for now. Those criminals may still be anonymous, or operating in places like Russia and China. The unmistakable message is that this operation is coming for the rest of them sooner or later.

Checkpoint CloudGuard

And now we turn to the massive number of security and VPN appliances that got detailed exploit write-ups this week. And up first is the Watchtowr treatment of Check Point CloudGuard appliance, and the high priority information exposure CVE. This vulnerability already has a patch, so the obvious starting point is patch diffing. Thanks to a new log message in the patch, it’s pretty clear that this is actually a path traversal attack.

The vulnerable endpoint is /clients/MyCRL, which is a file download endpoint used for fetching updates to the VPN client. Based on Check Point’s CVSS string regarding this vulnerability, that endpoint is accessible without any authentication. The thing about this endpoint is that it takes an argument, and returns the file requested based on that argument. There is a list of allowed files and folders, but the check on incoming requests uses the strstr() C function, which simply checks whether one string contains a second.

One of the entries on this list was the CSHELL/ directory, which is the last piece of the puzzle to make for a nasty exploit. Send a POST to /clients/MyCRL requesting aCSHELL/../../../../../../../etc/shadow and the shadow password file is returned. This gives essentially arbitrary file read due to path traversal on a public endpoint.

Interestingly, the vendor states that the issue only affects devices with username-and-password authentication enabled, and not with the (much stronger) certificate authentication enabled.

There’s some definite weirdness going on with how the CVSS score was calculated, and how Check Point opted to disclose this. Cross-referencing from another vendor’s statement, it becomes clear that the fastest way to turn this into a full exploit is by grabbing the password hashes of users, and any legacy local users with password-only accounts can be mined for weak passwords. But make no mistake, this is an unauthorized arbitrary file read vulnerability, and the hash capture is just one way to exploit it. Attacks are ongoing, and the fix is available.

Fortinet FortiSIEM

One of my most/least favorite things to cover is trivial vulnerability patch bypasses. There’s nothing that disturbs and amuses like knowing that a Fortinet command injection in the NFS IP address was rediscovered in the NFS mount point field of the exact same endpoint.

If the botched fix wasn’t bad enough, the public disclosure was almost worse. There was over a month of lag between the disclosure and reproduction of the reported issue. Then Fortinet silently rolled out patches a couple weeks later, with no disclosure at all. The CVEs were eventually released, but then claimed to be a duplicate, and published in error. And now finally the whole story is available.

Ivanti Landesk

And rounding out the appliance vulnerabilities is this one in the Avanti Landesk, where a data flow can reach a strncpy() call, that takes user-supplied input for the number of bytes to copy, and a fixed buffer destination. Overflowing that buffer allows for function pointer overwrite, and writing even more data into this area eventually reaches a read-only section of memory. The write attempt triggers an exception, which bounces through a few functions, and eventually calls a pointer that has already been overwritten in the attack. A bit of Return Oriented Programming (ROP) magic, and the shellcode is marked executable and jumped into, for arbitrary code execution.

The flaw does require a low-privilege user account, and the vulnerable code hasn’t been in the product since the 2021.1 release. Ivanti has issued a CVE, but since the last vulnerable release is outside its support window, there won’t be any patches published.

Bricking 600,000 Routers

This one is just odd. Last year, the US ISP Windstream had about 600,000 DSL routers crash and permanently die over three days. The theory at the time was that this was a flubbed firmware upgrade, but researchers from Lumen did some quick detective work, and managed to snag malicious binaries that were actively flowing to the Windstream network.

It turns out that those routers were infected by the Chalubo malware, although the the initial infection vector is still unknown. Given the circumstances, it’s likely due to an internal breach at Windstream, possibly even an insider attack. Chalubo is designed to enable remote access, and can be used to launch DDOS attacks, among other capabilities. It’s not typical for this malware to immediately wipe devices, leading to the speculation that the malware was used for plausible deniability, to shield the actual perpetrators. This has signs of being an insider attack, by a disgruntled admin at Windstream, though there is not any hard evidence at the moment.

Bits and Bytes

Like a bad penny, North Korea has come back up with the FakePenny malware campaign. In Microsoft’s fun APT naming scheme, this is the work of Moonstone Sleet, whose usual strategy is to backdoor popular software and spread it however they can. In a major ransomware deployment, Moonstone Sleet requested $6.6 million in Bitcoin, which is quite the step up from previous campaigns.

And lastly, Ticketmaster seems to have a 560 million user data breach on its hands. Data brokers on the Breach Forums claim to have this in a 1.3 terabyte database, and is willing to part with it for merely half-a-million dollars. There is a bit of a backstory here, as Breach Forums is run by ShinyHunters, and the whole operation was shut down by the FBI a couple weeks ago. That didn’t last long, and it looks like they’re back, and back in business.