CyberWire Daily - It was only a matter of time. [Research Saturday]
Episode Date: July 25, 2020
On April 29, 2020, the Salt management framework, authored by the IT automation company SaltStack, received a patch concerning two CVEs: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory-traversal vulnerability. On April 30, 2020, researchers at F-Secure disclosed their vulnerability findings to the public, with an urgent warning for Salt users: patch now. Before the weekend was out, criminals were deploying malware and targeting vulnerable Salt installations, successfully affecting operations at Ghost, DigiCert, and LineageOS. The malware is a cryptominer, but there is an additional component, a Remote Access Tool written in Go called nspps. Researchers at Akamai have also observed in-the-wild attacks on Salt vulnerabilities. Joining us on this week's Research Saturday is Larry Cashdollar, Senior Security Response Engineer at Akamai, to discuss this issue. The research can be found here: SaltStack Vulnerabilities Actively Exploited in the Wild
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
You know, one of my co-workers had come to me and said, hey, we're hearing about this SaltStack vulnerability that's going around and there are systems being compromised on the internet. Do you know anything about it? And I'm like, well, no, I've actually never heard of SaltStack before.
That's Larry Cashdollar. He's a senior security response engineer at Akamai Technologies.
The research we're discussing today is titled SaltStack Vulnerabilities Actively Exploited in the Wild.
So the first thing was to go and start looking at what SaltStack was.
I hadn't used it before, and it turns out that it's a,
it's like a management system for other systems.
It's like an infrastructure automation software where you can use it to manage your systems, push configurations, update services, things like that, your collection of systems on your network.
And I hadn't ever used it or heard of it, so the next thing was to try and collect information about what was going on. I had a friend who had his system compromised send me some of the binaries that he had found. He sent me some of the scripts that I used to collect some of the other binaries and scripts that he didn't see on his system, and then I began investigating, you know, what systems were being targeted? What were they being targeted with? How was their persistence being established? What were the perpetrators actually doing on the system?
And then I was pointed to a Slack channel where there was a group of SaltStack users and researchers
that were investigating the same thing I was.
So I jumped on there and started getting information from them, sharing information,
and just trying to help them decipher what the malware was doing.
And we were sharing samples with each other.
It was sort of like a collaborative community thing.
And then I sent out a blog post just to alert the Internet as a whole, you know, Akamai customers as a whole, as to what was going on. And that if you were indeed running SaltStack, you needed to patch it immediately and possibly investigate, make sure that, you know, your system hadn't been compromised already, because there were widespread attacks that had already been published in the news, and some major sites had been compromised. So it was an active attack, and trying to just help people who were affected get their systems cleaned up and patched, and people that were unaware, to make them aware that, hey, this vulnerability is actively being exploited on the internet, and if you're running this, you need to patch it immediately.
Well, can you describe to us what the vulnerability is
and how it was being exploited?
So the vulnerability was disclosed by researchers at F-Secure.
There were two vulnerabilities.
One was remote code execution.
And the other is a, I think it was a path traversal.
I had zeroed in on the remote code execution because that was the most interesting one.
So what this would do is it would bypass authentication and allow a malicious user to execute code on the SaltStack system as root. And that was pretty severe. That's the most severe vulnerability you really have with a system, is just unauthenticated code execution as, you know, a system administration level user. So this is the type of vulnerability that attackers are really looking for. So it was only a matter of time, a short amount of time in this case, before they started abusing it. And because I believe that, you know, the SaltStack systems themselves are probably relatively beefy systems, they're probably multi-core CPUs, plenty of disk and RAM, these systems were targeted for crypto mining software. So a piece of malware that we saw initially was called SaltStore.
And what it would do is it would kill off other possible pieces of malware,
but it would also kill off any sort of services that were using resources
or resource-intensive services on that system,
and then begin mining malware.
They would install a copy of XMR Miner and begin mining cryptocurrency.
So that was what these guys were mostly fighting.
It had a remote access tool where it would set itself up in Cron and pull down a script from a remote server and then execute that script every minute in Cron to ensure it had some sort of persistence on the system. And then if there were any commands being issued, they could be pulled through this HTTP request to this script that was being executed and run from a remote server.
There were, last I knew, five different versions of this,
each version more malicious than the next.
So this piece of malware actually went through
like a development cycle.
Initially, there wasn't any persistence,
and then the developer of this malware
created some sort of persistence using Cron,
and then it wasn't actually killing off every single possible piece of Linux malware, so they kept adding different things to look on the system for and kill. Eventually it was flushing iptables firewall rules with iptables dash app. So, you know, clearly the person who developed this was developing and testing and making adjustments to their malware as they went along. So it was an interesting thing to investigate and work on.
Yeah, it's an interesting thing you mentioned here
that I think is a little bit of side information,
but is worth mentioning that scans revealed
that about 6,000 deployments of Salt
were exposed to the internet,
and that shouldn't be?
Yeah, typically the SaltStack stuff
was usually on an internal network,
and I think perhaps folks had installed it
and then accidentally left it exposed to the Internet because it really should be something that is kept on an internal network and firewalled off the rest of the Internet.
So in addition to patching, perhaps checking that is probably a good idea as well.
Yeah, you know, make sure that your services are firewalled off
from folks that shouldn't be accessing them or using them.
And, you know, if you've got something that's not supposed to be on the DMZ,
you really should make sure that it's not on the DMZ.
Some of these services seem to be not as hardened as services
that are normally offered out on the Internet as a regular thing.
And so far, it's primarily been crypto mining that you've seen?
Yeah, that's really what I've been seeing.
It's all been crypto mining malware.
folks have gotten their systems fixed up and patched so that they can get ahead of this before other pieces of malware start to be developed and added to a list of things that they're installing
on vulnerable SaltStack systems. Is it fair to say, I mean, if they can execute code and they
have root access, then I suppose the sky's the limit on the possibilities of what they could do.
Yeah, that's correct.
If they've got root, then they can destroy the system, exfiltrate data. Actually, I think the last thing that I had heard was they were beginning to start to exfiltrate data off of these systems.
They were copying files off.
So it's really, really something that you need to get ahead of and patch and firewall off and make sure that your system is secure if you're running SaltStack.
And so the bottom line here, I suppose, is patching, right?
Yep. Patching, you know, keeping an eye on your vendor, vendors notifying their customers when a new patch comes out.
And then, you know, especially working with vulnerability disclosures, you know, vendors should really work with, you know, security researchers and folks that, you know, disclose vulnerabilities.
And then create a timeline of, you know, when the patches will be ready, notifying your customers of those patches, and then when that vulnerability is going to be publicly announced.
Giving your customers a chance to patch systems
before an exploit is widely being used
on the internet for it is a plus.
Yeah, it's interesting to note also
that one of the victims of this noted
that the cryptocurrency mining had spiked their CPUs, which is one of the things that alerted them that they had an issue.
Yeah, crypto mining is very CPU intensive.
So if folks are noticing resources on their systems spiking, specifically CPU, that they don't normally expect.
You know, if you're like, hey, my backups normally run at 1 a.m., why is my CPU spiking
at 8 p.m.?
It might be something to investigate.
Our thanks to Larry Cashdollar for joining us.
The research is titled SaltStack Vulnerabilities Actively Exploited in the Wild. We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening.