New SLP vulnerability enables amplified DDoS attacks

SISA Weekly Threat Watch - 01 May 2023

From social engineering attacks and cryptocurrency mining to DDoS attacks and zero-day exploits, threat actors used new and existing software vulnerabilities to wage cyberattacks against organizations this week. Certain security vulnerabilities demanded prompt software updates and patches, while others necessitated the use of anti-malware solutions and threat intelligence platforms by security teams to safeguard their systems against such threats. By taking proactive steps to mitigate risks and improve their security posture, organizations can minimize their exposure to threats and better protect their critical assets and operations.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Lazarus group adds Linux malware to arsenal in ‘Operation DreamJob’

Researchers have discovered a new campaign conducted by Lazarus, known as “Operation DreamJob,” which targets Linux users with malware for the first time. The operation involves social engineering attacks that utilize fake job offers on platforms such as LinkedIn or other communication channels to trick victims into downloading malicious files. These files are disguised as documents containing details about the job offer but instead drop malware onto the victim’s computer.

When the recipient clicks on the file, a malware variant known as ‘OdicLoader’ is launched. OdicLoader initially displays a fake PDF while also downloading a second-stage malware payload, ‘SimplexTea’, from a private repository hosted on the OpenDrive cloud service. It is recommended to use an endpoint protection solution that can detect and block malware, including OdicLoader and SimplexTea. Additionally, keep your software up to date and educate employees on how to recognize and respond to social engineering tactics.

2. Kubernetes RBAC exploited in large-scale campaign for cryptocurrency mining

Hackers have developed a new technique to exploit Kubernetes clusters for Monero cryptocurrency mining by using Role-Based Access Control (RBAC). By misusing RBAC to enforce harmful access control policies, attackers can remain on compromised clusters, even if the initial vulnerability that provided access is patched in the future. To establish persistence in the compromised Kubernetes cluster, the attacker creates a new ‘ClusterRole‘ with high-level privileges and a ServiceAccount called ‘kube-controller’ within the ‘kube-system’ namespace.

Subsequently, the attacker creates a ClusterRoleBinding known as ‘system:controller:kube-controller,’ which connects the ClusterRole with the ServiceAccount, enabling them to maintain persistence on the cluster even if ‘anonymous user access‘ is disabled. The consequences of these attacks include unauthorized access to sensitive data, exposure of secrets, and resource hijacking. To stay protected, it is recommended to configure the API server securely by disallowing unauthenticated requests from anonymous users and enforcing strict API access policies using RBAC. Monitor audit logs regularly to detect any suspicious activity on the cluster.

3. SLP vulnerability allows attackers to launch DDoS attacks with 2,200x amplification

A new vulnerability in the Service Location Protocol (SLP) has been discovered, which can be exploited by threat actors to launch massive denial-of-service (DoS) attacks with 2,200 times amplification. The flaw has been tracked as CVE-2023-29552 and affects over 2,000 organizations, exposing approximately 54,000 exploitable SLP instances for use in DDoS attacks. This flaw allows unauthenticated attackers to register arbitrary services on the SLP server, manipulating the content and size of its reply.

By exploiting CVE-2023-29552, attackers can increase the server’s UDP response size by registering new services until the response buffer is full. This allows attackers to achieve a maximum amplification factor of 2,200x, transforming a tiny 29-byte request into a massive 65,000-byte response directed at the target. To protect against potential abuse, SLP should be disabled on systems exposed to the Internet or untrusted networks. Alternatively, a firewall can be configured to filter traffic on UDP and TCP port 427, which is the main entry for the malicious request that exploit SLP services.

4. VMware fixes critical zero-day exploit chain used at Pwn2Own

Security updates have been released by VMware to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company’s Workstation and Fusion software hypervisors. Stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality (CVE-2023-20869) allows local attackers to execute code as the virtual machine’s VMX process running on the host. Information disclosure vulnerability in Bluetooth device-sharing functionality (CVE-2023-20870) enables malicious actors to read privileged information contained in hypervisor memory from a VM.

To remediate the flaws, it is advised to update Workstation and Fusion to version 17.0.2 and 13.0.2 respectively. To remove the attack vector, the Bluetooth support can also be turned off on the virtual machine by unchecking the “Share Bluetooth devices with the virtual machine” option on the impacted devices.

5. New vulnerability exposes thousands of Apache Superset servers to RCE attacks

Developers of Apache Superset, an open-source data visualization software, have released patches to fix a vulnerability in the default configuration settings. The flaw arises from the use of a default SECRET_KEY, which allows attackers to authenticate and access unauthorized resources on installations that are exposed to the internet, and further collect user credentials and compromise data. An attacker who knows the secret key can sign in as an administrator to the servers by forging a session cookie due to the flaw and ultimately take control of the systems.

A wider search conducted in February 2023 with these keys unearthed 3,176 instances, out of which 2,124 were using one of the default keys. Some of those affected include large corporations, small companies, government agencies, and universities. With the CVE-2023-27524 PoC exploit code released by the Horizon3.ai team on GitHub, organizations can check if their Apache Superset server uses a hazardous default configuration by applying the corresponding script. It is recommended to remediate the flaw by updating to version 2.1.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider