SSD’s Security Disclosure weekly news recap — March 25, 2021
In this edition, we’ll discuss the Mirai botnet attack on IoT devices, Google Project Zero discovering 11 vulnerabilities exploited in 2020, Trail of Bits security researcher creates a tool to weaponize insecure pickled Python files, and our CVE of the week: an RCE vulnerability in F5 Big IP.
The Mirai Botnet Attacking IoT Devices
Mirai is a Japanese malware discovered in 2016, targeting computers running Linux and turning them into remotely controlled bots that can be used to execute large-scale attacks.
In February, a new variant of Mirai was found to abuse 9 vulnerabilities in IoT devices including D-Link, Netgear, and SonicWall, alongside another three previously unknown vulnerabilities affecting various IoT devices.
The researchers (Vaibhav Singhal, Ruchna Nigam, Zhibin Zhang, and Asher Davila) are still not sure which IoT devices are being targeted but all of the known vulnerabilities have already been patched by the vendors.
The researchers from unit 42 who found this malware say that this attack shows that IoT devices continue to become a security threat and advise users to patch their devices regularly.
Mysterious Hacking Group Exploited 11 Zero-Days in 2020
Google Project Zero published a report on a mysterious hacking group that operated in 2020 and exploited at least 11 zero-day vulnerabilities attacking Android, iOS, and Windows users.
This group has executed 2 waves of attacks, in February and October of 2020, using watering hole attacks.
In watering-hole attacks, hackers discover a website that is usually used by their potential victims and infect it with malware to compromise the victims’ system.
The attackers infected the users with malware through websites that were connected to 2 servers that hosted exploit chains. The exploits in this case range from RCEs to buffer overflows and sandbox escapes.
Project zero detailed that these exploit chains are designed for efficiency & flexibility through their modularity. They added that these exploits are well-engineered, composed of complex code and novel exploitation methods, and contain high volumes of anti-analysis and targeting checks.
The New Fickling Tool
Fickling is a new tool designed to help security researchers improve the pickling process in Python that was released last week.
Pickling is the process of serializing and deserializing objects in Python. Researchers at Trail of Bits had suspicions about this process and assumed attackers could abuse it to inject malware. They raised these concerns to the vendors but got an insufficient response, which made them develop the Fickling tool.
Fickling allows for reverse engineering, testing, and even weaponizing of Pickled files for security research. As well as offering a safer way to deserialize these files in the process. Trail of Bits had mentioned that Fickling is also supposed to motivate the vendors to provide safer deserialization options further down the line.
Remote Code Execution in F5’s BIG-IP
BIG-IP is a network firewall offered by F5 that is designed to protect data centers. Last week, NCC Group discovered an RCE vulnerability was being exploited against this system.
This vulnerability affects the iControlREST interface of BIG-IP designed to control F5 configuration objects. It is ranked at a very high risk since it could allow an attacker with network access to iControlREST execute arbitrary commands on the system. This could allow the attacker to create or delete files, disable devices, and could lead to complete system compromise.
NCC Group noticed this vulnerability has been exploited in the wild after it had already been patched earlier this month. This vulnerability was also seen by Palo Alto’s Unit 42 who noticed that the Mirai botnet is also abusing it.
These attacks are of course targeting unpatched devices and so F5 is advising all of their clients to update their devices ASAP.
Want to Be Part of the News?
At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.
We are constantly publishing our findings, intended on educating our global security researcher’s community. You can find more vulnerabilities on our Advisories page. If you have findings of your own you can send us your findings here using our report template.
