Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps
https://www.securitynewspaper.com/2024/04/02/how-to-check-if-a-linux-distribution-is-compromised-by-the-xz-utils-backdoor-in-6-steps/
Tue, 02 Apr 2024 22:06:47 +0000
In an unsettling development that emerged late last week, the open-source community was thrust into a state of high alert following the disclosure that XZ Utils, a fundamental compression utility widespread across Linux distributions, had been compromised. This startling revelation has left a significant mark on the open-source ecosystem, prompting a swift and coordinated response from maintainers and security professionals alike.

Discovery of the Backdoor

The initial discovery of the backdoor was made by Andres Freund, a Microsoft software engineer, during routine diagnostics on Debian sid (development) installations. Freund’s investigation, sparked by unusually high CPU usage during SSH logins and accompanying error alerts, led to the identification of the culprit: a malicious insertion within the liblzma library, a core component of the XZ package. This finding was subsequently designated with the vulnerability identifier CVE-2024-3094. Attribution for this calculated insertion has been directed at an individual known as “Jia Tan” (JiaT75 on GitHub), who, through an elaborate scheme of social engineering and the use of sock puppet accounts, gained the trust of the XZ Utils maintainer community. This long-term infiltration underscores the advanced nature of the threat actor involved, pointing towards a highly skilled and resourceful adversary.

Affected Distributions and Response

Status        Distribution                                                Response
Affected      Fedora Rawhide and Fedora Linux 40 beta                     Confirmed by Red Hat
Affected      openSUSE Tumbleweed and openSUSE MicroOS                    Confirmed by openSUSE maintainers
Affected      Debian testing, unstable, experimental distributions        Confirmed by Debian maintainers
Affected      Kali Linux (updates between March 26th and March 29th)      Confirmed by OffSec
Affected      Some Arch Linux virtual machine and container images        Confirmed by Arch Linux maintainers
Not Affected  Red Hat Enterprise Linux (RHEL)                             Confirmed by Red Hat
Not Affected  Ubuntu                                                      Confirmed by Ubuntu
Not Affected  Linux Mint                                                  Confirmed by Linux Mint
Not Affected  Gentoo Linux                                                Confirmed by Gentoo Linux
Not Affected  Amazon Linux and Alpine Linux                               Confirmed by Amazon Linux and Alpine Linux maintainers

Guidance and Recommendations

In light of these disclosures, affected parties have been advised to approach the situation as a definitive security incident, necessitating a comprehensive review and mitigation process. This includes the diligent examination for any unauthorized access or misuse, the rotation of exposed credentials, and a thorough security audit of systems that might have been compromised during the exposure window.

Insight into the Backdoor Mechanism

The intricacy of the backdoor, embedded within the xz-utils’ liblzma library and manifesting under precise conditions, notably through remote, unprivileged connections to public SSH ports, speaks volumes about the sophistication of the threat actors behind this maneuver. This backdoor not only raises concerns over performance degradation but also poses a significant risk to the integrity and security of the affected systems.

How to detect if you are a victim

In light of the recent discovery of the CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1, the cybersecurity community has been on high alert. Binarly has introduced a free scanner to identify the presence of this backdoor in affected systems. Below is a detailed tutorial, including examples, on how to use the Binarly Free Scanner to detect the CVE-2024-3094 backdoor in your systems.

Step 1: Understanding the Threat

The CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1 poses a significant security risk, potentially allowing unauthorized remote access. It’s crucial to grasp the severity of this issue before proceeding.

Example: Imagine a scenario where an organization’s critical systems are running on a compromised version of XZ Utils, leaving the network vulnerable to attackers who could gain unauthorized access through the backdoor.

Step 2: Accessing the Binarly Free Scanner

Navigate to XZ.fail, the dedicated website Binarly set up for the scanner.

Example: Open your web browser and type “https://xz.fail” in the address bar to access the Binarly Free Scanner’s homepage.

Step 3: Utilizing the Scanner

The Binarly Free Scanner uses advanced static analysis to detect the backdoor by examining ifunc transition behaviors in the binaries.

Example: After accessing XZ.fail, you’ll be prompted to upload or specify the path to the binary files you wish to scan. Suppose you want to check a file named example.xz; you would select this file for scanning through the web interface or command line, depending on the tool’s usage options provided.

Step 4: Interpreting the Results

Once the scan completes, the scanner will report back on whether the CVE-2024-3094 backdoor was detected in the scanned files.

Example: If the scanner finds the backdoor in example.xz, it might display a message such as “Backdoor Detected: CVE-2024-3094 present in example.xz”. If no backdoor is found, a message like “No Backdoor Detected: Your files are clean” would appear.

Step 5: Taking Action

If the scanner detects the backdoor, immediate action is required to remove the compromised binaries and replace them with secure versions.

Example: For a system administrator who finds the backdoor in example.xz, the next steps would involve removing this file, downloading a secure version of XZ Utils from a trusted source, and replacing the compromised file with this clean version.

Step 6: Continuous Vigilance

Regularly scan your systems with the Binarly Free Scanner and other security tools to ensure no new threats have compromised your binaries.

Example: Set a monthly reminder to use the Binarly Free Scanner on all critical systems, especially after installing updates or adding new software packages, to catch any instances of the CVE-2024-3094 backdoor or other vulnerabilities.

The Binarly Free Scanner is a powerful tool in the fight against the CVE-2024-3094 backdoor, offering a reliable method for detecting and addressing this significant threat. By following these steps and incorporating the examples provided, users can effectively safeguard their systems from potential compromise.
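As a complement to the six steps above, the following local triage script is an added example (not Binarly's scanner and not from the original article). It checks two signals the article describes: whether the installed XZ Utils reports one of the affected releases 5.6.0 or 5.6.1, and whether this host's sshd loads liblzma at all. It assumes `xz`, `sshd` and `ldd` are on PATH (binary names are assumptions), and a version match is only a triage signal, since distributions ship reverted builds under other version strings.

```python
"""Local triage for CVE-2024-3094: is the installed XZ Utils one of the two
affected releases, and does this host's sshd load liblzma?

Added example, not Binarly's scanner. Assumptions: `xz`, `sshd` and `ldd` are
on PATH (binary names are assumptions); only 5.6.0 and 5.6.1 count as affected,
as the article states. A version match is a triage signal, not proof that the
backdoor is present.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}


def parse_xz_version(output: str) -> Optional[str]:
    """Pull the version token out of `xz --version`, e.g.
    'xz (XZ Utils) 5.6.1' -> '5.6.1'. Returns None if absent."""
    m = re.search(r"XZ Utils\)\s+(\S+)", output)
    return m.group(1) if m else None


def is_affected_version(version: Optional[str]) -> bool:
    # Exact match on purpose: a distribution's reverted build that carries a
    # suffix on the version string is not the affected upstream release.
    return version in AFFECTED_VERSIONS


def liblzma_from_ldd(ldd_output: str) -> Optional[str]:
    """Return the liblzma path named in `ldd <sshd>` output, or None.
    sshd can only reach the backdoored code if liblzma is in its process."""
    for line in ldd_output.splitlines():
        if "liblzma" in line:
            m = re.search(r"=>\s+(\S+)", line)
            return m.group(1) if m else line.strip()
    return None


def triage(xz_output: str, ldd_output: str) -> Dict[str, object]:
    """Combine both signals into one verdict dictionary."""
    version = parse_xz_version(xz_output)
    lib = liblzma_from_ldd(ldd_output)
    affected = is_affected_version(version)
    return {
        "xz_version": version,
        "affected_version": affected,
        "sshd_loads_liblzma": lib is not None,
        "liblzma_path": lib,
        # Both conditions together are the exposure the article describes.
        "exposed": affected and lib is not None,
    }


def _run(cmd) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    xz_out = _run(["xz", "--version"]) if shutil.which("xz") else ""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # assumed default path
    ldd_out = _run(["ldd", sshd]) if shutil.which("ldd") else ""
    for key, value in triage(xz_out, ldd_out).items():
        print(f"{key}: {value}")
```

A host that passes this check still warrants the Binarly scan; the script only narrows where to look.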

The accidental discovery of this backdoor by Freund represents a crucial turning point, underscoring the importance of vigilant and proactive security practices within the open-source domain. This incident serves as a stark reminder of the vulnerabilities that can arise in even the most trusted components of the digital infrastructure. It has sparked a renewed debate on the necessity for enhanced security protocols and collaborative efforts to safeguard crucial open-source projects against increasingly sophisticated threats.

In the aftermath, the open-source community and its stewards are called upon to reassess their security posture, emphasizing the need for comprehensive auditing, transparent communication, and the adoption of robust security measures to prevent future compromises. This incident not only highlights the vulnerabilities inherent in the digital landscape but also the resilience and collaborative spirit of the open-source community in responding to and mitigating such threats.

New Azure AD Cross-Tenant Synchronisation (CTS) Attack allows hacking tenants laterally
https://www.securitynewspaper.com/2023/08/04/new-azure-ad-cross-tenant-synchronisation-cts-attack-allows-hacking-tenants-laterally/
Fri, 04 Aug 2023 19:52:00 +0000

Attackers continue to focus on Microsoft identities in the hope of breaking into linked Microsoft applications and federated SaaS applications, and they keep advancing their attacks in these environments not by exploiting vulnerabilities but by misusing core Microsoft features to achieve their goal. The attacker group Nobelium, associated with the SolarWinds attacks, has been shown to use native capabilities such as the creation of Federated Trusts to gain permanent access to a Microsoft tenant.

CTS is a new Microsoft feature that lets organizations synchronize users and groups from one or more source tenants and grant those users and groups access to resources in the destination tenant; these resources may include both Microsoft and non-Microsoft applications. CTS builds on the earlier B2B trust settings to enable automatic and seamless collaboration across tenants, and it is a capability many businesses will want to adopt. For organizations such as corporate conglomerates with multiple tenants across related firms, CTS is a powerful and valuable tool.

However, if CTS is not configured and maintained carefully, it opens the door to reconnaissance, lateral movement and persistence by malicious actors. CTS makes it possible to add people from another tenant to a target tenant by syncing their user accounts.
An attacker can move laterally from a compromised tenant to another tenant of the same or a different company by abusing a CTS configuration that was set up too loosely. An attacker can also install a malicious CTS configuration and use it as a backdoor to keep access to a Microsoft tenant from a tenant under the attacker's control.

Vectra AI, a cybersecurity company, recently published research elaborating on how threat actors might use this capability to move laterally to related tenants or even employ it for persistence.

However, they also caution that to abuse this functionality a threat actor must first either compromise a privileged account or escalate privileges in an already compromised Microsoft cloud environment. The first method detailed in Vectra AI’s paper involves reviewing the CTS settings to find target tenants linked via these policies and, more specifically, searching for tenants with the ‘Outbound Sync’ feature enabled, which allows synchronizing to other tenants.

After discovering a tenant that satisfies those requirements, the attacker finds the application that is used for CTS synchronization and adjusts its settings in order to include the compromised user inside its sync scope. This gives the attacker access to the network of the other tenant. Because of this, it is possible for the threat actor to accomplish lateral movement without the need for fresh user credentials.

The second method that Vectra demonstrates includes establishing a rogue CTS configuration in order to maintain permanent access to the tenants that are the focus of the attack. It should be emphasized once again that in order for this strategy to work, the threat actor must have already succeeded in compromising a privileged account inside the tenant.

To get more specific, the attacker installs a new CTS policy and activates ‘Inbound Sync’ and ‘Automatic User Consent,’ which gives them the ability to push new users from their external tenancy to the target at any moment.

Because of the way this arrangement is configured, the attacker will always have access to the target tenancy via the external account.

Even if the rogue accounts are deactivated, the attacker may still create and “push” new users at any time, obtaining instant access to the resources of the target tenant. This is why the researchers refer to this as a “backdoor.”

Defense

The methods of attack described in this article presume the presence of a compromise. The continued implementation and enforcement of security best practices inside businesses is required to continue lowering the chance of accounts being compromised.

Target tenants of CTS should:

  • Avoid establishing a default inbound CTA configuration wherever possible, since it would allow any users, groups and applications from the source tenant to sync inbound.
  • Implement a less inclusive inbound CTA configuration, for example by explicitly designating the accounts (where feasible) or groups that may receive access via CTS.
  • Combine the CTA policy with additional Conditional Access policies to block access by unauthorized users.

Source tenants of CTS should:

  • Ensure that all privileged groups, including those permitted access to other tenants through CTS, are subject to appropriate levels of control and monitoring.
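The following audit is an added example (not Vectra AI's tooling and not from the original article) that turns the recommendations above into a check: it flags partner configurations that allow inbound sync together with automatic user consent (the rogue CTS pattern described earlier), and any partner not on an approved list that is allowed inbound at all. It assumes each record is a Microsoft Graph `crossTenantAccessPolicyConfigurationPartner` object with its `identitySynchronization` relationship merged in; the field names follow the Graph schema as I know it and should be checked against current documentation.

```python
"""Audit a tenant's cross-tenant access partner settings for risky inbound CTS
patterns: inbound sync with automatic user consent, or an unapproved partner.

Added example, not Vectra AI's tooling. Assumption: each record is a Graph
`crossTenantAccessPolicyConfigurationPartner` object with its
`identitySynchronization` relationship merged in (field names modelled on the
Graph schema; verify against current documentation).
"""
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, partner tenantId, message)

# Constructed sample data: one approved, tightly scoped partner and one unknown
# partner carrying inbound sync plus automatic consent (the rogue CTS pattern).
SAMPLE_PARTNERS: List[Dict] = [
    {
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {
        "tenantId": "99999999-9999-9999-9999-999999999999",
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
]
APPROVED_PARTNERS: Set[str] = {"11111111-1111-1111-1111-111111111111"}


def inbound_sync_allowed(partner: Dict) -> bool:
    """True when the partner tenant may sync its users into this tenant."""
    sync = partner.get("identitySynchronization") or {}
    return bool((sync.get("userSyncInbound") or {}).get("isSyncAllowed"))


def auto_consent_inbound(partner: Dict) -> bool:
    """True when synced users are consented in automatically (no admin step)."""
    consent = partner.get("automaticUserConsentSettings") or {}
    return bool(consent.get("inboundAllowed"))


def audit_partners(partners: Iterable[Dict], approved: Set[str]) -> List[Finding]:
    """Return findings for every partner configuration, HIGH severity first."""
    findings: List[Finding] = []
    for p in partners:
        tid = p.get("tenantId", "<missing tenantId>")
        sync_in = inbound_sync_allowed(p)
        consent_in = auto_consent_inbound(p)
        if tid not in approved and (sync_in or consent_in):
            findings.append(("HIGH", tid,
                             "partner not on the approved list but allowed inbound; "
                             "treat as a possible rogue CTS policy"))
        if sync_in and consent_in:
            findings.append(("HIGH", tid,
                             "inbound sync plus automatic user consent: the partner "
                             "can push users into this tenant at will"))
        elif sync_in:
            findings.append(("MEDIUM", tid,
                             "inbound sync allowed; confirm it is scoped to named "
                             "groups rather than the whole source tenant"))
    order = {"HIGH": 0, "MEDIUM": 1}
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps partner order
    return findings


if __name__ == "__main__":
    for severity, tid, message in audit_partners(SAMPLE_PARTNERS, APPROVED_PARTNERS):
        print(f"[{severity}] {tid}: {message}")
```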

How to find Vulnerabilities in CMS Websites
https://www.securitynewspaper.com/2019/11/27/how-to-find-vulnerabilities-in-cms-websites/
Wed, 27 Nov 2019 14:34:06 +0000

Finding vulnerabilities takes time for a pentester or security researcher. There are many tools and techniques for finding bugs in a given URL, and earlier we have shown many tools used in the various phases of pentesting. Pentesting always begins with the information gathering phase. According to an ethical hacking researcher at the International Institute of Cyber Security, pentesting has largely moved towards automation: pentesters use tools to scan for open ports and services. Here we show a small automation bot used for finding vulnerabilities in different types of CMS.

Vulnx is used to find vulnerabilities in different types of CMS. It scans for subdomains, open ports, IP address, country and region, and is designed to automate your pentesting.

  • For testing we have used Kali Linux 2018.2. Make sure python3 is installed:
    • Type sudo apt-get update
    • Type sudo apt-get install python3
  • Type git clone https://github.com/anouarbensaad/vulnx.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/anouarbensaad/vulnx.git
 Cloning into 'vulnx'…
 remote: Enumerating objects: 35, done.
 remote: Counting objects: 100% (35/35), done.
 remote: Compressing objects: 100% (28/28), done.
 remote: Total 1034 (delta 13), reused 17 (delta 7), pack-reused 999
 Receiving objects: 100% (1034/1034), 505.30 KiB | 410.00 KiB/s, done.
 Resolving deltas: 100% (609/609), done.
  • Type cd vulnx/
  • Type ls
root@kali:/home/iicybersecurity/Downloads# cd vulnx/
root@kali:/home/iicybersecurity/Downloads/vulnx# ls
 CHANGELOG.md  common  docker      LICENSE  README.md         shell      vulnx.py
 cli.py        config  install.sh  modules  requirements.txt  update.sh
  • Type ./install.sh
root@kali:/home/iicybersecurity/Downloads/vulnx# ./install.sh
===== VULNX INSTALL =====
 [+] Vulnx Will Be Installed In Your System
 [+] Installing python3...
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.3-1).
0 upgraded, 0 newly installed, 0 to remove and 664 not upgraded.
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r ./requirements.txt (line 1)) (2.21.0)
Collecting bs4 (from -r ./requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: beautifulsoup4 in /usr/lib/python2.7/dist-packages (from bs4->-r ./requirements.txt (line 2)) (4.8.0)
Building wheels for collected packages: bs4
  Running setup.py bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
Successfully built bs4
Installing collected packages: bs4
Successfully installed bs4-0.0.1
 [+] Checking directories...
 [+] Installing ...
 [+] Creating Symbolic Link ...
 [+] Tool Successfully Installed And Will Start In 5s!
 [+] You can execute tool by typing vulnx
                    .:.        .:,
                   xM;           XK.
                  dx'            .lO.
                 do                ,0.
             .c.lN'      ,  '.     .k0.:'
              xMMk;d;''cOM0kWXl,',locMMX.
              .NMK.   :WMMMMMMMx    dMMc
               lMMO  lWMMMMMMMMMO. lMMO
                cWMxxMMMMMMMMMMMMKlWMk
                 .xWMMMMMMMMMMMMMMM0,
                   .,OMd,,,;0MMMO,.
             .l0O.VXVXOX.VXVX0MOVXVX.0Kd,
            lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
           .MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
          .OXc  ,MMOVXVX0VX .VXVX00MMo  ,0X'
          0x.  :XMMMkVXVX.XO.VXVXdMMMWo.  :X'
         .d  'NMMMMMMkVXVX..VXVX0.XMMMMWl  ;c
            'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
           .NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
          :NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
          .0MN,  'XMMMMMMoVXoMMMMMMWl   0MW,
           .0.    .xWMMMMM:lMMMMMM0,     kc
            ,O.     .:dOKXXXNKOxc.      do
             '0c        -VulnX-       ,Ol
               ;.                     :.

    # Coded By Anouar Ben Saad - @anouarbensaad
  • Type chmod 755 requirements.txt vulnx.py
root@kali:/home/iicybersecurity/Downloads/vulnx# chmod 755 requiremnets.txt vulnx.py
  • Type python3 vulnx.py --help
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py --help

usage: vulnx.py [-h] [-u URL] [-D DORKS] [-o OUTPUT] [-t TIMEOUT]
                [-c {user,themes,version,plugins,all}] [--threads NUMTHREAD]
                [-n NUMBERPAGE] [-i INPUT_FILE]
                [-l {wordpress,prestashop,joomla,lokomedia,drupal,all}]
                [-p SCANPORTS] [-e] [--it] [-w] [-d] [--dns]

OPTIONS:
  -h, --help            show this help message and exit
  -u URL, --url URL     url target to scan
  -D DORKS, --dorks DORKS
                        search webs with dorks
  -o OUTPUT, --output OUTPUT
                        specify output directory
  -t TIMEOUT, --timeout TIMEOUT
                        http requests timeout
  -c {user,themes,version,plugins,all}, --cms-info {user,themes,version,plugins,all}
                        search cms info[themes,plugins,user,version..]
  --threads NUMTHREAD   number of threads
  -n NUMBERPAGE, --number-pages NUMBERPAGE
                        search dorks number page limit
  -i INPUT_FILE, --input INPUT_FILE
                        specify input file of domains to scan
  -l {wordpress,prestashop,joomla,lokomedia,drupal,all}, --dork-list {wordpress,prestashop,joomla,lokomedia,drupal,all}
                        list names of dorks exploits
  -p SCANPORTS, --ports SCANPORTS
                        ports to scan
  -e, --exploit         searching vulnerability & run exploits
  --it                  interactive mode.
  -w, --web-info        web informations gathering
  -d, --domain-info     subdomains informations gathering
  --dns                 dns informations gatherings
  • Type python3 vulnx.py -u http://hack.me --dns -d -w -e --output ./hack.me
  • --dns is used to gather DNS information.
  • -d is used to gather domain and subdomain information.
  • -w is used to gather web information.
  • -e is used to search for vulnerabilities and exploits.
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py -u http://hack.me --dns -d -w -e --output ./hack.me


 [Target] => http://hack.me

------------------------------------------------
 [?] looking for cms
 [+] CMS : Lokomedia
------------------------------------------------
------------------------------------------------
 [~] Scanning Ports

   PORTS                     STATUS  PROTO
 [?] 22                    CLOSE   SSH
-----------------------------------------------
 [~] Starting DNS dump
 [!] Retrieved token: 7lMSlFeGREkQtU4PxAkC9E7JuA0wsfXnLpLxG3izLIboqqtCEBFGs2YDRCIMsJLh
 [?] Search for DNS Servers
 [+] Host : ns-113.awsdns-14.com.
 [+] IP : 205.251.192.113
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1428.awsdns-50.org.
 [+] IP : 205.251.197.148
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1869.awsdns-41.co.uk.
 [+] IP : 205.251.199.77
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-881.awsdns-46.net.
 [+] IP : 205.251.195.113
 [+] AS : AMAZON-02
  ----------------
 [?] Search for MX Records
 [+] Host : 1 aspmx.l.google.com.
 [+] IP : 172.217.197.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt3.aspmx.l.google.com.
 [+] IP : 64.233.184.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt4.aspmx.l.google.com.
 [+] IP : 172.217.218.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt1.aspmx.l.google.com.
 [+] IP : 64.233.186.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt2.aspmx.l.google.com.
 [+] IP : 209.85.202.26
 [+] AS : GOOGLE
  ----------------
-----------------------------------------------
 [~] Check Vulnerability
  • The output above shows the CMS of the target URL. Vulnx then scanned for open ports and retrieved a token for the DNS dump.
  • It then retrieved the DNS servers and MX hosts with their respective IP addresses and AS names. Such basic information can also be retrieved with nslookup.
  • Here, however, vulnx automates finding all the DNS servers in one run.
  • You can scan websites running other CMSs in the same way.
