Team Nucleus
8th September, 2022
Linux malware has become increasingly popular in 2022, with many prominent malware families already discovered, such as BPFDoor, Symbiote and Syslogk. Shikitega has been spotted using a multi-stage infection chain and a Metasploit package to exploit vulnerabilities, elevate the attacker's privileges and add persistence via crontab. Like most modern malware, Shikitega uses C2 functionality that lets the attacker execute remote commands tailored to the infected machine. The malware has been seen to use polymorphic C2 encoding, which makes it harder for analysts to spot, as it attaches itself to legitimate cloud services.
The first vulnerability, tracked as CVE-2022-28199 with a CVSS score of 8.6, stems from improper error handling in DPDK's network stack. Once targeted, it can lead to a denial of service condition and can impact data integrity and confidentiality. The next vulnerability affected the Cisco SD-WAN vManage software and allowed an unauthorised user to access the VPN0 logical network. According to Cisco, 'Successful exploitation of the flaw could permit the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload.'
The northface.com website has seen almost 200,000 accounts breached due to credential stuffing. Credential stuffing is the process of attackers taking emails and passwords exposed in a previous data breach and attempting to log in to other websites with those same credentials. The breach has exposed extensive details about the users, such as full name, purchase history, billing address, telephone numbers and other identifying information. Fortunately, North Face kept payment details on a separate server, meaning that credit card information has not been breached. This highlights the need for a different password (and ideally a different email address) for each website; a password manager is ideal for this, as it eliminates the need to remember every single password and email being used.
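As an added illustration of the credential-stuffing pattern described above (example code written for this page, not from North Face or the analysts): a small detector that flags a source IP trying many distinct accounts within a short window, run over constructed login log lines in an assumed format, and lists the accounts where a guess succeeded so they can be locked or reset.

```python
# Credential-stuffing heuristic: one source IP trying many distinct accounts in a
# short window (mostly failing) is the signature of replayed breach credentials.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real site); the format is assumed.
SAMPLE_LOG = """\
2022-09-08T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-09-08T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-09-08T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2022-09-08T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2022-09-08T10:00:03Z ip=203.0.113.5 user=erin@example.com result=SUCCESS
2022-09-08T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2022-09-08T10:00:10Z ip=198.51.100.9 user=grace@example.com result=FAIL
2022-09-08T10:00:20Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def find_stuffing_sources(text, window_s=60, min_accounts=5):
    """Return {ip: {"accounts": [...], "compromised": [...]}} for every IP that
    hit at least min_accounts distinct accounts within window_s seconds.
    'compromised' lists accounts where a guess succeeded (lock/reset candidates)."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Sliding window: every event from evs[i] onward within window_s seconds.
            win = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in win}
            if len(users) >= min_accounts:
                flagged[ip] = {"accounts": sorted(users),
                               "compromised": sorted(u for _, u, ok in win if ok)}
                break  # one alert per source is enough
    return flagged
```

A single user retrying their own password (198.51.100.9 above) never trips the threshold, which keeps the rule quiet on ordinary login failures.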
A malicious campaign mounted by the North Korean Lazarus group has been targeting energy organisations in multiple countries, such as the United States, Canada and Japan. The end goal of the campaign is to gain persistence inside the victim energy organisation and communicate via a C2 infrastructure. The overall campaign is very reminiscent of the US-backed Stuxnet virus designed to disrupt Iran's nuclear programme. The campaign uses several different methods to implant the malware, such as an HTTP bot named 'VSingle' and a Golang backdoor named YamaBot. The VSingle malware has been reported to carry out activities such as reconnaissance, data exfiltration and backdooring, which gives the attackers a good understanding of the victim's network.
Latest news and views from our Cyber Analysts