Nation State Hackers Caught Exploiting Cisco Firewalls

Captions
A backdoor has been found in Cisco's ASAs, or Adaptive Security Appliances. You can think of it kind of like a firewall. In this video we're going to break down how the backdoor works, we're going to go over the report by Talos, and at the end I'll kind of give my opinion on why I think all of this is happening so close together. Also, if you're new here, hi, my name is Low Level Learning. I make videos about software security and cyber security, so if you like those things or just want to hang out with me, hit that sub button, really appreciate it. Also, you can follow me on Twitch, I stream there too.

Now, the backdoor we're going to talk about was caught by Cisco Talos, the threat intelligence organization within Cisco. What they do is they collect telemetry from devices around the world, as well as crash dumps from failed hacking attempts, and use that to put together intelligence about campaigns that are going on around the world. They're calling this campaign ArcaneDoor, and the backdoor we're going to talk about is in the ArcaneDoor campaign. But I think what's happening with ArcaneDoor is really interesting: "a new espionage-focused campaign found targeting perimeter network devices." ArcaneDoor is a campaign of nation state hackers trying to get into perimeter devices on very, very important networks: telecommunication providers and energy sector organizations.

Now, what's unfortunate is that they don't know the initial access vector of this campaign. What it likely is, is there's a zero-day vulnerability in the Cisco ASA software that is being exploited. But the problem is, when you're doing the assessment of a security incident and the campaign behind it, it's really hard to determine what the initial access vector was, because if there's a backdoor in the device, that backdoor will still be there, and typically they're doing a long-term campaign. They have a lot of data that they're sending in and out, and if they make one mistake you can catch that backdoor and you can find the persistence mechanism. But the initial access vector, the exploit they threw to get in there, is much harder to find. It's a one-time event and it happens so fast that it's pretty common for it to just get missed, right? And if you don't know exactly when it happened, you may never find it.

But what is interesting, though, is the backdoor itself. It's called Line Dancer, an in-memory implant. Here they go into the technical details. I want to highlight a couple of interesting pieces about this. The first one is that it's an in-memory implant. It's much more difficult to audit an in-memory implant, meaning memory that never touches disk, as opposed to an exe that goes onto the flash, right? So by leaving it in memory, that tells us two things: one, very advanced actor, most likely a nation state, but also two, they're very, very particular about their code not getting caught. This may have taken years to develop and they want to make sure that no one sees what they're doing.

Now, the Line Dancer backdoor enables a couple of really, really interesting features that are kind of scary if you're a security-minded person. First, it disables syslog. Okay, obviously, right? They don't want any logs going out from that device. The next two are the most interesting two, in my opinion. The first is they hook the crash dump process, which forces a device to skip crash dump generation and jump directly to a device reboot. This is crazy. A lot of the bigger firewalls, like Palo Alto, Sophos, Cisco, etc., have features that when a particular process crashes, they want to know about it. The manufacturer wants to know about the crash for two reasons: one, they want to provide their customer with a good product, and they want to figure out where in the process did it crash, is that a bug that we can fix? But also, too, a lot of times when devices are getting exploited it has to do with memory corruption vulnerabilities, doing a buffer overflow or a heap overflow, and those are very difficult to get right. By hooking the crash dump process, this actor is actually preventing, if their exploit or their backdoor were to fail, instead of sending the crash dump out to Cisco Talos, it says "uh-uh, uh-uh, we're not going to do that, we're just going to boot the device instead." "This is designed to evade forensic analysis, as the crash dump would contain evidence of compromise and provide additional forensic details."

And the last one is actually how they're doing their command and control, their communications between the threat network they're controlling this from and the target network that got hacked, right? "They hook the AAA functions to allow for a magic number authentication capability. When the attacker attempts to connect to the device using this magic number, they're able to establish a remote access VPN tunnel, bypassing the configured AAA mechanisms." And they go on later to describe this here, but basically the implant allows a threat actor to put in a magical 32-byte token, and if that token is found in any of the packets that cross over this device, instead of doing the normal functionality that would reply to that device, it takes the data inside of that packet with the magic value and runs it instead.

I do find it interesting here that Talos didn't give us the 32-byte value. I think that's for two reasons. If you know the 32-byte token, you can then go out and in theory take control of devices that are compromised, which is probably not good; we don't want everyone to have access to this network of implants, right? But also, too, it may be that the actor has uniquely keyed every organization they've hacked with a different token, and if they show us this organization's 32-byte token it may reveal which organization got hacked and maybe become a bit of a privacy concern.

You can look at it very basically. This is a decompilation, I think either probably in Ghidra or IDA depending on which one you use. This is a decompilation of the packet. So it says the payload is equal to the IP packet, it goes to the IP header plus hex 20, and if within that IP packet there are hex 20 bytes that match some magical string, we then take that base64 payload out of there, decode it, and then we run that as shellcode. Very simply: if a magic word is said, jump to the code inside of it. This gives the threat network the ability to arbitrarily command and control this device.

Now, what's even more interesting is the way that this backdoor persists on the device. Basically they're taking advantage of an old vulnerability in Cisco ASAs. When the Cisco device goes to reboot, what it does is it looks for this bundle called client_bundle.zip. It'll take that client bundle and it'll run the csco_config.lua script inside of it before it goes and actually reboots. Because the Cisco ASA looks for this file and will always run the csco_config.lua script, they're able to put their malicious code back onto the system even though it's rebooting. This is an in-memory implant, sort of, but the way that it persists does have to go to disk, otherwise there's no way for it to maintain itself.

As for right now, there really is nobody who's been directly attributed with this. No one knows who's hacking these devices. Because of the sophistication of the implant they're pretty confident this is a nation state actor, but no one knows which nation state. So they have come up with some ways that, if you do have a Cisco ASA and you think you may have been hacked by this, you can go run these commands and check for it right now. If you run show memory region and then include lina, what I'm assuming is that lina is the binary that runs all the major Cisco ASA features and is where the malicious actor is putting their malicious code. What they're saying is that if you look at this memory map and you see multiple pages of memory that are readable and executable, that is an indicator of compromise. The reason being, there should only be one page for this binary that is readable and executable, and by having a second one it indicates that this is a place where the malicious actor is hiding their shellcode to run their implant in memory.

Also, interestingly enough, I saw on Twitter somewhere, if you think you're affected by this backdoor, what you can actually do is, instead of rebooting and/or trying to crash dump it, which have all been hooked by the backdoor, you can actually just pull the power cord on the device. It's kind of funny, because unplugging the power automatically bypasses this client bundle vulnerability. You can literally just go to your network cabinet right now, pull the power, disable the UPS, and as long as it doesn't shut down gracefully it'll bypass this persistence mechanism; it won't allow the backdoor to reload.

People ask me all the time in chat, why have there been so many vulnerabilities lately? Why does it feel like every week there's a new bug, a new big story to talk about? And I don't think that this month is actually different than any other month. I think what's happening is that people like myself, like other people on YouTube, are just making more videos and talking about these vulnerabilities. But there are new CVEs, there are new vulnerabilities found basically like every week, every day, where some threat actor is caught doing something or some bug is caught in some software. This is kind of just like the nature of cyber security, and I think it's really interesting that there are so many people who just don't know that this is reality. They're like, "This is happening all the time, everywhere?" It's just we're talking about it more, so it feels like more is happening, but I think this is just what's happening all the time. So anyway, if you think that's interesting and you want to see more videos, hit that sub button, I really appreciate it, and then go check this video out, YouTube thinks you'll like it. Appreciate it, goodbye.
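The magic-token trigger the speaker reads off the decompilation (a fixed-size token right after the IP header, then a base64 blob that gets decoded and executed) can be modelled in a few lines. The block below is an added example written for this page, not code from the video, from Talos, or from the implant. The token value, the exact placement of the token directly after the IPv4 header, and the sample packets are all constructed assumptions; the real token was not published, and the real implant executes the decoded bytes, whereas this model only returns them so the dispatch logic can be inspected safely.

```python
import base64
import binascii
import struct
from typing import Optional

# Constructed stand-in for the implant's 32-byte (0x20) magic token. The real
# value was not published; this one exists only so the example runs offline.
MAGIC_TOKEN = b"EXAMPLE-MAGIC-TOKEN-0123456789AB"


def ipv4_header_len(packet: bytes) -> int:
    """Return the IPv4 header length in bytes from the IHL nibble.

    Raises ValueError on anything that is not a well-formed IPv4 header, so the
    caller never indexes past the packet on truncated or non-IPv4 input.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    version = packet[0] >> 4
    ihl = packet[0] & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return ihl * 4


def extract_triggered_payload(packet: bytes) -> Optional[bytes]:
    """Model of the hook described in the video (assumed layout, not confirmed).

    Immediately after the IP header, 0x20 bytes are compared against the magic
    token. On a match the remainder is treated as base64 and decoded; the real
    implant would run the result as shellcode, this model just returns it.
    Any other packet returns None, i.e. it takes the device's normal path.
    """
    hlen = ipv4_header_len(packet)
    body = packet[hlen:]
    if len(body) < 0x20 or body[:0x20] != MAGIC_TOKEN:
        return None  # no token: normal processing, nothing is executed
    try:
        return base64.b64decode(body[0x20:], validate=True)
    except binascii.Error:
        return None  # token matched but payload is not valid base64


def build_ipv4_packet(body: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0) around body.

    Only used to construct sample traffic for the example.
    """
    total_len = 20 + len(body)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # DSCP/ECN
        total_len,
        0,               # identification
        0,               # flags/fragment offset
        64,              # TTL
        17,              # protocol: UDP (arbitrary for the example)
        0,               # header checksum not computed here
        b"\x0a\x00\x00\x01",
        b"\x0a\x00\x00\x02",
    )
    return header + body


# Constructed sample packets: one carrying the token plus a base64 blob, one
# carrying ordinary traffic, one with the token but a corrupt blob.
TRIGGER_PACKET = build_ipv4_packet(MAGIC_TOKEN + base64.b64encode(b"\x90\x90\xcc"))
NORMAL_PACKET = build_ipv4_packet(b"GET / HTTP/1.1\r\n\r\n")
BAD_B64_PACKET = build_ipv4_packet(MAGIC_TOKEN + b"!!!!")

if __name__ == "__main__":
    print(extract_triggered_payload(TRIGGER_PACKET))  # b'\x90\x90\xcc'
    print(extract_triggered_payload(NORMAL_PACKET))   # None
    print(extract_triggered_payload(BAD_B64_PACKET))  # None
```

The point to take from the model is how small the hook is: a memcmp of 0x20 bytes on every packet plus a base64 decode, which is why a token nobody outside the operator knows is enough to turn any reachable interface into an unauthenticated control channel.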
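The indicator the speaker describes, more than one readable-and-executable region belonging to the lina binary in the output of "show memory region | include lina", can be checked mechanically once the CLI output has been captured. The block below is an added example written for this page, not a Talos or Cisco tool. The sample output is constructed in a /proc/<pid>/maps-like shape (start, end, permission flags, path); the real ASA output format is an assumption here, so the parser relies only on a permission token such as "r-xp" and the substring "lina" appearing on a line.

```python
import re
from typing import List, Tuple

# Permission field in the assumed maps-like layout, e.g. "r-xp" or "rw-p".
PERM_RE = re.compile(r"\b([r-][w-][x-][ps]?)\b")


def lina_rx_regions(output: str) -> List[Tuple[str, str]]:
    """Return (line, perms) for every lina region that is both readable and executable.

    Lines that do not mention lina, or carry no recognisable permission token
    (for example the echoed command line), are ignored rather than miscounted.
    """
    hits: List[Tuple[str, str]] = []
    for line in output.splitlines():
        if "lina" not in line:
            continue
        match = PERM_RE.search(line)
        if not match:
            continue
        perms = match.group(1)
        if "r" in perms and "x" in perms:
            hits.append((line.strip(), perms))
    return hits


def looks_compromised(output: str) -> bool:
    """Talos's indicator as described in the video: more than one r+x lina region."""
    return len(lina_rx_regions(output)) > 1


# Constructed sample output (format is an assumption). A healthy box has one
# executable mapping for the lina binary; the suspect capture has a second,
# writable-and-executable region that is not part of the binary's own image.
CLEAN_OUTPUT = """\
ciscoasa# show memory region | include lina
0x0000000000400000 0x0000000002a00000 r-xp /asa/bin/lina
0x0000000002c00000 0x0000000003000000 rw-p /asa/bin/lina
"""

SUSPECT_OUTPUT = CLEAN_OUTPUT + (
    "0x00007f2a3c000000 0x00007f2a3c010000 rwxp /asa/bin/lina\n"
)

if __name__ == "__main__":
    for label, capture in (("clean", CLEAN_OUTPUT), ("suspect", SUSPECT_OUTPUT)):
        regions = lina_rx_regions(capture)
        verdict = "INDICATOR PRESENT" if looks_compromised(capture) else "ok"
        print(f"{label}: {len(regions)} r+x lina region(s) -> {verdict}")
        for line, perms in regions:
            print(f"  [{perms}] {line}")
```

Treat a positive result as a reason to preserve the box and escalate, not as proof on its own; the same logic the video mentions applies to the evidence itself, since a reboot through the hooked paths can clear the in-memory region while the persistence bundle brings it back.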
Info
Channel: Low Level Learning
Views: 205,845
Keywords: apple, apple m1, m1 bug, cpu bug, hackers, vulnerability, cache
Id: GMiGHWTPv5Q
Length: 8min 14sec (494 seconds)
Published: Thu Apr 25 2024