10/04/2024

CyberChannel: Week of 9/29/24

CUPS Vulnerability Could Amplify DDoS Attacks by 600 Times

A recently patched vulnerability in the Common Unix Printing System (CUPS) has emerged as a potential tool for cyber criminals. This flaw can be exploited to launch Distributed Denial-of-Service (DDoS) attacks with a significant amplification factor of 600 times. This means attackers can use a small amount of traffic to overwhelm a targeted server with a much larger volume, making it inaccessible to legitimate users.

Researchers discovered that chaining this CUPS flaw with three other vulnerabilities could potentially allow remote code execution on Unix-like systems. However, the primary concern lies in its DDoS amplification capabilities. Thankfully, patches are available to address this issue. System administrators are urged to update their CUPS installations to mitigate the risk and prevent their servers from being used in DDoS attacks.

"Pig Butchering" Apps Preying on App Store Users

"Pig butchering" scams have been discovered on both the Google Play Store and Apple's App Store. These fraudulent trading apps lure victims with promises of high returns on fake cryptocurrencies. Once users invest, their funds are stolen by the scammers. It's important to be cautious when downloading investment apps and to research the developer and user reviews before investing any money.

To avoid falling victim to these scams, users should be wary of unsolicited investment offers. It's also important to verify the legitimacy of the trading platform and the cryptocurrency before investing. Additionally, users should never share their personal or financial information with strangers.

Cloudflare Blocks 3.8 Tbps DDoS Attack, Setting New Record

Cloudflare, a web security company, recently thwarted a record-breaking distributed denial-of-service (DDoS) attack. The attack peaked at a staggering 3.8 terabits per second (Tbps) and lasted for 65 seconds. The attackers generated the traffic from a network of compromised devices, including Asus routers and MikroTik systems. It is the largest DDoS attack publicly recorded to date.

Compared with previous large-scale DDoS attacks, this one stands out for sheer volume: 3.8 Tbps is more than most networks can absorb even for a minute. DDoS attacks work by overwhelming a target server or its upstream links with traffic, making it unavailable to legitimate users.

Evasive Linux Malware Enables Widespread Cryptomining

A stealthy malware campaign that has targeted Linux servers for years has finally come to light. The malware, dubbed "perfctl," has likely been aimed at millions of Internet-facing Linux servers and infected thousands of them. Researchers believe perfctl has been active for at least three years, exploiting misconfigurations and known vulnerabilities, including a Polkit flaw (CVE-2021-4043), to escalate privileges and install cryptomining software.

Perfctl is particularly dangerous due to its evasive tactics. It avoids detection by stopping its activities when a new user logs in, only resuming once the user becomes idle again. Additionally, it deletes its own binary after execution, further enhancing its stealth. This highlights the importance of keeping systems updated and implementing strong security measures to protect against evolving cyber threats like perfctl.

FIN7 Targets Users with Deepfake Nude Generators to Spread Malware

FIN7, a cybercrime group known for sophisticated phishing and social engineering attacks, has adopted a new lure to spread malware: fake AI-powered "deepnude" generator sites. These sites are designed to attract people interested in generating nude images with deepfake tools. When users try to download the "generated" images, they are instead downloading malware.

This is not the first time FIN7 has used social engineering to spread malware. FIN7 has been distributing NetSupport RAT and other malware through similar tactics. NetSupport RAT is a remote access trojan that allows attackers to take control of infected devices.

UMC Health System Impacted by Ransomware, Patients Diverted

The UMC Health System in Texas was recently impacted by a ransomware attack. This disrupted their IT infrastructure, forcing them to take critical measures to contain the incident. While their facilities remained open, some emergency and non-emergency patients had to be diverted to other locations.

UMC took immediate action to disconnect their systems and launched an investigation. As of now, no major ransomware group has claimed responsibility for the attack. This incident highlights the potential consequences of cyberattacks on critical infrastructure like healthcare systems. The disruption caused by the attack emphasizes the importance of robust cybersecurity measures in protecting patient care and hospital operations.

LockBit Ransomware Gang Hit with Global Crackdown

In a global effort to crack down on the LockBit ransomware gang, law enforcement from twelve countries has joined forces. The operation resulted in the arrest of four individuals connected to the cybercriminal group: a developer, a bulletproof hosting service administrator, and two others associated with LockBit activity.

The operation not only involved arrests but also the seizure of LockBit infrastructure and the release of a decryption tool. This tool allows victims to recover their encrypted files for free. Additionally, authorities issued indictments targeting other LockBit affiliates and offered a substantial reward for information leading to the capture of the gang's leadership. These actions demonstrate international cooperation in combating ransomware threats and potentially offer relief to victims of LockBit attacks.

Hacker Steals Confidential Data for Profit

A British citizen, Robert B. Westbrook, has been charged by the U.S. Securities and Exchange Commission (SEC) for hacking into the computer systems of five public American companies. His goal was to access confidential earnings information before it was made public.

Westbrook allegedly used this stolen information to make profitable stock trades ahead of earnings announcements. Over a period of 18 months, between January 2019 and August 2020, he made an estimated $3.75 million in illegal profits through insider trading. The SEC alleges that Westbrook reset the passwords of senior executives to gain access to documents and emails containing financial reports. He then used anonymous email accounts, VPN services, and Bitcoin to conceal his identity while making the illicit investments. However, the SEC was eventually able to track him down using data analytics.

9/30/2024

Nmap Basics for Penetration Testing

          ___.-------.___
      _.-' ___.--;--.___ `-._
   .-' _.-'  /  .+.  \  `-._ `-.
 .' .-'      |-|-o-|-|      `-. `.
(_ <O__      \  `+'  /      __O> _)
  `--._``-..__`._|_.'__..-''_.--'
        ``--._________.--''

Nmap, short for Network Mapper, is a free and open-source tool widely used for network discovery and security auditing. Nmap utilizes raw IP packets in innovative ways to gather information about a network. It can identify available hosts, running services (including application name and version), operating systems, firewalls or packet filters in use, and many other details. Designed for rapid scanning of large networks, Nmap also works effectively for single hosts.

Network administrators rely on Nmap for tasks such as building network inventories, managing service upgrade schedules, and monitoring host or service uptime, while penetration testers and attackers use it for enumeration: finding open ports and the services behind them that may be exploitable.

Nmap is available for most operating systems and comes preinstalled on Kali Linux. Remember to replace the placeholder IP address in the examples with your target's address. You can also practise on scanme.nmap.org, a host the Nmap project runs for exactly this purpose; it is the only target you should scan without explicit permission. Let's start with a basic scan, which accepts either an IP address or a hostname such as scanme.nmap.org:

nmap 192.168.1.1

We can also scan a list of network/host targets within a text file using the following commands where "ip_list.txt" is the path to the text file.

nmap -iL ip_list.txt 

When performing a penetration test on a network, we usually begin with a ping sweep: a host discovery pass that reports which addresses are alive without scanning any ports. The -sn option does this. As a privileged user Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address (on a directly connected Ethernet segment it uses ARP requests instead, which are far more reliable); unprivileged, it falls back to TCP connect attempts on ports 80 and 443. Hosts that never answer any of these probes are simply reported as down, so a firewall that drops everything can hide a live machine. Identifying the active hosts lays the groundwork for the rest of the test.

nmap -sn 192.168.0.0/24

Once we have the list of live hosts, we can port-scan them individually. Note the "/24" suffix on the address: this is CIDR notation and sets the address range. Here it covers the 256 addresses from 192.168.0.0 to 192.168.0.255, and Nmap probes every one of them.

Nmap defaults to scanning the 1,000 most commonly used TCP ports, ranked by how often Nmap's own survey data found them open. Port specification lets you narrow or widen that list. A short list of the ports relevant to your target keeps the scan fast and quiet, while -p- scans all 65,535 ports when completeness matters more than speed.

We can specify ports using the following command:

nmap -p 22,80,443 192.168.1.1

We can also fingerprint the operating system. Knowing the OS and version helps pinpoint OS-specific vulnerabilities and choose the right exploits for the target. The "-O" option enables OS detection; it needs raw-socket privileges (run it as root or with sudo) and is most reliable when the host has at least one open and one closed TCP port for Nmap to compare responses against.

nmap -O 192.168.1.1

What if we want to know which services are running on the open ports? Nmap's service/version detection sends protocol-specific probes to each open port and matches the replies against its nmap-service-probes database, returning the application name and, where possible, the exact version. That version string is what lets you look up known weaknesses on those ports. Enable it with "-sV".

nmap -sV 192.168.1.1

With the returned product and version strings, we can query searchsploit, the command-line front end to the offline Exploit-DB archive, for published exploits against those service versions.
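The sweep-then-scan workflow above (discover live hosts, version-scan them, hand the versions to searchsploit) is easier to automate from Nmap's XML output than from its screen output. The following is an added example, not code from the original post or from the Nmap project. It uses only the Python standard library and assumes nmap is on PATH and writes XML to stdout when given "-oX -"; SAMPLE_XML is a hand-constructed fragment shaped like real "nmap -sV -oX -" output, not a genuine scan, so the script runs offline.

```python
"""Turn Nmap XML output (-oX) into a host/service list and searchsploit queries.

Added example (not from the original post). Standard library only. Assumes
`nmap -oX - ...` prints XML to stdout. SAMPLE_XML is constructed by hand to
mirror the shape of `nmap -sV -oX -` output; it is not a real scan.
"""
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a /30 with two hosts up and one down. Port 443 on the
# first host is "filtered" (no response) and must NOT be counted as open.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.0/30">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="Ubuntu"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str

    def query(self) -> str:
        """Keyword string for `searchsploit`; empty when nmap found no version."""
        return f"{self.product} {self.version}".strip()


@dataclass
class Host:
    addr: str
    up: bool
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Parse <host> elements: IPv4 address, up/down status, and open ports only."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        host = Host(addr=addr, up=h.find("status").get("state") == "up")
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are not worth a version lookup
            svc = p.find("service")
            attrs = svc.attrib if svc is not None else {}
            host.services.append(Service(
                port=int(p.get("portid")), proto=p.get("protocol"),
                name=attrs.get("name", ""), product=attrs.get("product", ""),
                version=attrs.get("version", "")))
        hosts.append(host)
    return hosts


def live_hosts(hosts: list) -> list:
    """Addresses that answered host discovery; these are the port-scan targets."""
    return [h.addr for h in hosts if h.up]


def searchsploit_queries(hosts: list) -> list:
    """Unique 'product version' strings for every open port with a known version."""
    return sorted({s.query() for h in hosts for s in h.services if s.query()})


def run_nmap(args: list) -> list:
    """Run nmap with XML on stdout and parse it. Needs nmap on PATH; -sS and -O
    also need root. Not used by the offline demo below."""
    proc = subprocess.run(["nmap", "-oX", "-", *args], check=True,
                          capture_output=True, text=True)
    return parse_nmap_xml(proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) > 1 and shutil.which("nmap"):
        # Real workflow: sweep the given range(s), then version-scan only responders.
        up = live_hosts(run_nmap(["-sn", *sys.argv[1:]]))
        hosts = run_nmap(["-sV", *up]) if up else []
    else:
        hosts = parse_nmap_xml(SAMPLE_XML)  # offline demo on the constructed sample
    for h in hosts:
        for s in h.services:
            print(f"{h.addr}:{s.port}/{s.proto} {s.name} {s.query()}")
    print("searchsploit candidates:", *searchsploit_queries(hosts), sep="\n  ")
```

Run it with no arguments to see the parsed sample, or as "python3 nmap_parse.py 192.168.0.0/24" (a hypothetical file name) on a machine with nmap to perform the real two-stage scan. Each line of the "searchsploit candidates" list can be passed directly to searchsploit; filtered and closed ports are deliberately dropped so you do not chase services that were never reachable.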

One of the most commonly used scans is the SYN scan, which is also what Nmap runs by default when it has raw-socket privileges (root); without them it falls back to a full connect scan (-sT). Nmap sends a SYN packet to each target port and watches the response: a SYN/ACK means the port is open, an RST means it is closed, and no response (or an ICMP unreachable error) is reported as filtered. Because Nmap never completes the three-way handshake (the half-open connection is torn down with an RST), the connection never reaches the listening application, so the scan is fast and usually absent from application logs. It is still plainly visible to any firewall or IDS that watches for half-open connections, so "stealthy" should be read as "unobtrusive", not "invisible". It remains the workhorse for mapping large networks.

nmap -sS 192.168.1.1

Keeping a low profile is an important part of penetration testing. Some firewalls and Intrusion Detection System (IDS) solutions temporarily block IP addresses that exhibit unusual network activity, such as high traffic volumes or probes sent to many hosts or ports in a systematic order. We can reduce that risk with options that affect the scan's timing and target order.

The "-T" option selects a timing template, from "-T0" (paranoid) to "-T5" (insane). The default is "-T3" (normal), not "-T2"; "-T4" is common on fast, reliable networks. Slowing down to "-T1" (sneaky, about 15 seconds between probes) or "-T0" (paranoid, about 5 minutes between probes) reduces the load on the network and the chance of tripping rate-based IDS thresholds, at the cost of scans that can take hours or days across a /24. Nothing guarantees silence: a single probe to a honeypot port is still logged.

nmap -T1 192.168.0.0/24

You can also insert a fixed pause between probes with the "--scan-delay" option. The value accepts a unit suffix (ms, s, m, h); a bare number is interpreted as milliseconds.

nmap --scan-delay 3s 192.168.0.0/24

Let's change the order in which targets are scanned. Nmap's --randomize-hosts option shuffles the target hosts so the sweep does not march through the subnet sequentially, which is exactly the pattern many IDS signatures key on. It does not reduce how many hosts or ports you touch, so pair it with slower timing rather than relying on it alone.

nmap --randomize-hosts 192.168.0.0/24
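To see why timing matters, it helps to look at a scan from the defender's side. The following is an added example, not part of the original post: a minimal threshold-based port-scan detector of the kind a firewall or IDS implements, run over constructed connection logs that mimic what the target sees during a fast scan versus a scan with --scan-delay 3s. The log format (seconds, source, destination, destination port), the host addresses and the thresholds are all invented for the demonstration; real deployments would read firewall, NetFlow or Zeek conn logs and tune thresholds to their own traffic.

```python
"""Threshold-based port-scan detection over constructed connection logs.

Added example (not from the original post). The log format "time_s src dst dport"
is invented for this demo; the thresholds are illustrative, not a recommendation.
"""
from collections import defaultdict, deque


def detect_port_scans(lines, window_s=60.0, port_threshold=25):
    """Return {src: time_of_first_alert} for every source that touches more than
    `port_threshold` distinct (dst, dport) pairs within any `window_s`-second window.
    A sliding window per source, the way a simple IDS rate rule works."""
    recent = defaultdict(deque)  # src -> deque of (t, (dst, dport)) within the window
    alerts = {}
    for line in lines:
        t_s, src, dst, dport = line.split()
        t = float(t_s)
        q = recent[src]
        q.append((t, (dst, int(dport))))
        while q and t - q[0][0] > window_s:  # expire events older than the window
            q.popleft()
        if src not in alerts and len({pair for _, pair in q}) > port_threshold:
            alerts[src] = t
    return alerts


def synthesize_scan(src, dst, ports, start=0.0, delay_s=0.0):
    """Constructed log lines for one host probing `ports` on `dst`, spaced `delay_s`
    apart: delay 0.01 approximates a default-speed scan, 3.0 approximates
    `--scan-delay 3s`."""
    return [f"{start + i * delay_s:.3f} {src} {dst} {p}" for i, p in enumerate(ports)]


def demo():
    """Fast scan, slow scan and benign traffic against one target, interleaved by time."""
    ports = list(range(1, 101))  # 100 ports, stand-in for Nmap's top-1000 list
    fast = synthesize_scan("10.0.0.66", "192.168.0.5", ports, delay_s=0.01)
    slow = synthesize_scan("10.0.0.99", "192.168.0.5", ports, delay_s=3.0)
    # Benign: a client hitting the same HTTPS port every 5 seconds (1 distinct pair).
    benign = [f"{t:.3f} 10.0.0.7 192.168.0.5 443" for t in range(0, 300, 5)]
    lines = sorted(fast + slow + benign, key=lambda l: float(l.split()[0]))
    return detect_port_scans(lines, window_s=60.0, port_threshold=25)


if __name__ == "__main__":
    for src, t in demo().items():
        print(f"ALERT: {src} exceeded the distinct-port threshold at t={t:.2f}s")
    print("sources never alerted: 10.0.0.99 (3 s delay stays at <=21 ports/60 s), 10.0.0.7")
```

With a 3-second delay at most 21 distinct ports fall inside any 60-second window, so the slow scanner never crosses a threshold of 25 while the fast scanner trips it a quarter of a second in. The flip side for the defender is equally visible: a rate rule with these parameters is blind to anything slower than one probe every 2.4 seconds, which is why long-window or stateful detection is needed against a patient attacker.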

One of Nmap's most powerful features is the Nmap Scripting Engine (NSE): a library of scripts, written in Lua, that run against the hosts and ports a scan discovers to do what a plain port scan cannot, such as grabbing banners, brute-forcing logins or checking for specific vulnerabilities. Scripts run with the same privileges as Nmap itself, so review any script that did not ship with the official distribution before executing it.

For example, the following command runs the "http-headers" script, which requests the root page of each web server it finds and prints the HTTP response headers the server returns.

nmap --script http-headers scanme.nmap.org

As a penetration tester, you may want to run the "vulners" script, which ships with current Nmap releases. It takes the CPE identifiers that version detection assigns to each service and looks them up in the vulners.com CVE database, listing matching vulnerabilities under each port. It depends on "-sV" output (without it there are no CPEs to look up) and on the scanning host being able to reach the vulners.com API, so run it as:

nmap -sV --script vulners 192.168.1.1

There are hundreds of NSE scripts available; the full index, with documentation for each script and its arguments, is at https://nmap.org/nsedoc/.