Minecraft’s BleedingPipe Vulnerability: Breaking down the dangerous vulnerability found in popular mods and how to protect your server.
Hey Minecraft players, if you’re into modding you’re going to want to tune in. So, in an article by Malwarebytes Labs a new vulnerability known as BleedingPipe has been found. The bug allows for Remote Code Execution or RCE on both servers and clients. The bug occurs when a hacker sends a specially crafted payload to take over the server. The bug is found within the deserialization class in java that is used to exchange network packets between servers and clients. The bug has been exploited as lately as July 9th 2023. In a blog post by MMPA, it lists the vulnerable mods as those like EnderCore, Gadomancy, LogisticsPipes with versions older than 0.10.0.71 and a few other mods. MMPA has released a mod to help protect servers and clients by adding filtering on the network going to the vulnerable part of the code.
So, let’s talk first about what is happening in a bit more of a code perspective. Deserialization and serialization are ways to transfer data from one place to another. So, let’s say you have a player whose health dropped a bit. The server can send out that information by serializing a data packet and sending it out. This then requires the receiver to deserialize the packet and interpret what is needs to update or do. This is a common functionality that exists in all kinds of apps that communicate between clients, servers, and other programs. My big concern here is twofold. One is the person or company that maintains the mods. They must be aware of and have the time and effort available to fix the vulnerability. Secondly, is the maintainer of the server. The server admin and/or owner must have time and effort available as well as the insight to update the affected mods. If you know someone who maintains mods or maintains servers, then you should share my content with them so we can raise awareness. In the meantime, you can go look at the PipeBlocker mod by MMPA to help start protecting yourself sooner rather than later.
MMPA: https://blog.mmpa.info/posts/bleeding-pipe/
BlueCharlie’s Evasive Moves: Dive deep into how this Russian APT actor shifts tactics and what this means for cybersecurity
So, the APT or Advanced Persistent Threat actor BlueCharlie is attempting to evade detection by swapping their old infrastructure such as domains out for 94 new domains. BlueCharlies is a Russian espionage APT actor. They also go by “Clasito”, “COLDDRIVER”, “SEABORGIUM”, and “StarBlizzard” and have been active since 2017. They target government, defense, education, and political organizations and have also targeted Non-Government Organizations, Journalists, and think tanks. Recently, researchers began to map out BlueCharlie’s campaigns, the impact on the Russia-Ukraine war, broke down BlueCharlie’s infrastructure and attributed a specific person that is though to be leading BlueCharlie’s actions. An anonymous analyst from Recorded Future’s Insikt revaled some insight into how BlueCharlie used a tool known as Evilginx. The attackers took advantage of Evilginx ability to conduct a Man-in-The-Middle attack. The framework allows an attacker to append a legitimate looking domain url to the end of a phishing domain. So an example would be something like http://phisphingDomain[.]com/sso[.]legitimate[.]gov. where an unaware user may see the sso[.]legitimate[.]gov url and assume it’s an authentic website instead of appended to a domain controlled by the attacker. However, their new domains now appear to combine two random IT-related terms and are not currently appending legitimate urls at the end of their phishing domains. An example of their new naming structure given would be storage-gateway[.]com and no longer append a legitimate domain in efforts to appear real. The change is predicted to be because of their old infrastructure being exposed. It’s not uncommon for APT actors to change up strategy when their main strategy is exposed and is being actively looked for.
So, I’ve talked about the article but what does all this mean? An APT actor is a way to identify activities by some malicious cyber group. In this case, the APT actor is a Russian affiliated actor that is conducting hack-and-leak oriented attacks. In other words, they want to put all secrets of everyone they target out in the open. Their favorite known tool is called Evilginx, which is an open-source tool available on github. This tool is maintained by someone in the cyber security space. A lot of the popular tools used by white hat, black hat, and gray hat alike are open-source tools or commercially available. The tools can be used for good purposes, educational purposes, or evil purposes. The use ultimately falls on who is using it. There are proprietary tools and software like malware written by black hats, or Ghidra written by the NSA before it was open-sourced. The biggest takeaway is that attacks will come in all shapes and sizes and exposing an attack doesn’t completely neutralize it. It’s important to keep good security practices, keep software up to date, and minimize risk by being precautious in what you click and let run on your machines.
Blue Charlie Higher Up: https://www.nisos.com/blog/coldriver-group-report/
Infrastructure switch up: https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023
Google’s AI Bug Hunter: Learn how Google is utilizing AI to push the boundaries of vulnerability discovery
So, Google has released a security blog article titled, “AI-Powered Fuzzing: Breaking the Bug Hunting Barrier”. It’s an interesting sounding title but what does it mean? Let’s break it down.
A project by the name OSS-Fuzz was started back in 2016 and has been super important in automated vulnerability discovery for projects that are open sourced. For those who may not know Open-Source projects are projects whose authors have released the code for others to view. Different licenses let you do different things from making a copy with your own changes to different commercialization rights, but the underlying premise is people being able to see the code that runs the software. Vulnerability discovery is important because it’s the process of finding bugs that can lead to attacks against a software. Without the vulnerability discovery feedback, you could have bugs that could go unnoticed and then attacked in the wild. Now Google has been testing applying their Large Language Models or LLMs to help improve performance of OSS-Fuzz. To give further context fuzzing is the process of introducing large amounts of random, malformed, and unexpected inputs to see if crashes or bad behavior occurs.
Google has used the OSS-Fuzz service to freely support over 1,000 open sources projects and they have found and verified fixes for over 10,000 vulnerabilities. Even with these impressive numbers it’s thought that the service only covers about 30% of an open source’s project’s total code. A study referenced in the blog article suggests that the best way to increase the coverage is by adding additional places for fuzzing to test. This isn’t quite simple as it isn’t automated the way the current estimated 30% coverage is.
The blog article also states that the best way to get extra coverage is for those who maintain an open-source project is to take the time to add more fuzz targets as they are onboarded and integrate OSS-Fuzz into their infrastructure. This does take a time investment and as with any testing that is put into a program is generally a great way to improve the reliability and stability of a program. The downside is that it does require some investment to not only set the testing and fuzz targets in place but some rearchitecting of the program may be needed if the code is not easily modified for testing.
This is where the most recent innovation of LLMs can come into play.
Google created a framework to evaluate whether LLMs like Google’s Large Language Models could be prompted to add new fuzz targets and improve code coverage. Well simply put the results look extremely promising. After several rounds of prompt engineering, the process of fine-tuning prompting to get the desired outcome, they were able to add anywhere from 1.5% to 31% additional coverage to projects. This is amazing given it does not require the maintainers of the open-source project to do any code changes themselves.
Now this is only the early stages, and more research is still to come but this is exciting technology for fuzz-oriented bug hunting. As well the Google blog notes their longer-term goals which include extending support to other language ecosystems beyond C/C++ to languages like Java and Python. They also want to automate the project onboarding process to bring the barrier of entry lower for any open-source project that wishes to take advantage of OSS-Fuzz.
I know that was a lot and many non-developers may not know the full impact of this. It’s essentially leveraging AI like ChatGPT to add ways for testing to occur. The more testing can happen at scale and automatically then the more bugs can be found faster. Zero-days and Vulnerabilities are like games of cat and mouse. The fastest player wins until the other catches up. The more bugs are squashed before major attackers can take advantage the better projected targets are. The last thing anyone wants is a major bug to go unnoticed and allow a nation-state hacker group to steal millions of dollars’ worth of data.
Source: https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html
New Mac Malware Alert: Unmasking the new variant of XLoader hiding in a productivity app
So the apple never falls far from the tree. A new variant of XLoader malware has been discovered. XLoader is a macos malware that is hiding itself as OfficeNote, a productivity app. The new version of XLoader is bundled inside an Apple disk image or .dmg file. The file uses the name OfficeNote.dmg and is signed by a developer signature MAIT JAKHU (54YDV8NU9C). The first time this malware was found was back in 2020. The malware is thought to be the new “Formbook” a keylogger and information grabber that was distributed as a Malware-as-a-service or MaaS. We’ve been seeing Malware-as-a-service appear more and more. It’s the illegal version of software-as-a-service that allows people to subscribe to useful software and webapps for their personal or business needs.
The original mac variant of XLoader was a compiled .JAR file that requires a Java runtime to be able to execute. However Apple does not ship Java Runtime Environments with Macs for quite a while now. The newest XLoader is now using C and Objective C which run natively on Macs. The disk image that the malware is bundled with was signed on July 17, 2023. It’s important to note that apple has revoked the signature and should no longer show up as a trusted signature. SentinelOne said that the multiple traces of the malware were detected on VirusTotal around July 2023. This likely indicates they were actively trying to get infections and running a large infection campaign around that time.
Researchers found advertisements for the Mac variant of the malware for $199/month or 3 months at $299. The researches noted that this is significantly more expensive than the windows version which are normally sold for $59 a month or $129 for 3 months.
The malware itself is designed to steal clipboard data and information stored in common web browser directors such as Firefox and chrome. Safari does not appear to be targeted, however. As well the malware is using sleep commands to avoid raising red flags that could lead to it being detected.
What does this all mean exactly? Well, a new Mac malware is on the loose and looking to infect someone looking for a productivity app such as a word processor. Clipboard stealing and directory data harvesting are concerning because they could be trying to steal credentials, cookies, and other data that could lead to leaking sensitive data or ways to gain access to personal or business accounts. This is especially concerning since the malware appears to create a persistent process in the Mac OS through a Launch Agent. Launch Agents are legitimate ways for developers who need persistent processes to run such as a background service for a user’s application.
Most operating systems provide ways to have something known as Daemons running. A Daemon is a background process that handles requests for an application but does not require the user to have a window up. This is useful for things like web servers and remote tools since you don’t want to leave a window open to have things running.
Keep a look out for any apps known as OfficeNote for the mac users out there. Only install software from trusted sources and always be careful what you download and what you install.
Source: https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html
Outro
Hey guys thank you for listening to this episode of Exploit Brokers. Please consider subscribing and clicking the bell notification to get updated when new episodes are published. As well share us with others to help us get noticed by others so we can spread awareness of the cyber threats we face today.
The digital world will continue to evolve and whether hacking news, breaches, malware, ai, or a myriad of other issues arise; Exploit Brokers will be here to help shine some light on it. While it may seem daunting, our mission is to serve as your beacon, to help lighten up the dark corners of the cyber world and be a source of knowledge for those willing to join us. Information is our strongest ally and together we form our strongest shield. Until our next episode, stay safe and keep your digital shields up.
Leave a Reply