Hackers Have Found an Entirely New Way To Backdoor Into Microsoft Windows (security.com)
A university in Taiwan was breached with "a previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique," Symantec reports.
The most notable feature of this backdoor is that it communicates with a command-and-control server via DNS traffic... The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution... Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C&C server (ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the backdoor will change based on the value of the third octet of the resolved IP address minus seven...
The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution.
Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown.
More from The Record: Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools. Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations. Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said.
Additional coverage at The Hacker News.
Thanks to Slashdot reader joshuark for sharing the article.
Re: (Score:3)
Whoever heard of such a thing? This is incredible!
The word you're looking for is inconceivable.
Re:Windows is insecure?!? Now THAT's newsworthy (Score:5, Funny)
Re: (Score:3)
The vulnerability is in PHP. It's in the TFA.
The interesting part is the command server sending commands through DNS responses.
Re: (Score:1)
The vulnerability is in PHP. It's in the TFA.
The interesting part is the command server sending commands through DNS responses.
Is this another "It's not Windows' fault" post?
Re: (Score:3)
The vulnerability is in PHP. It's in the TFA.
The interesting part is the command server sending commands through DNS responses.
Is this another "It's not Windows' fault" post?
I'd like to bring this full circle:
* Did/Does CrowdStrike prevent this traffic from passing?
* Does CrowdStrike Falcon need to run in ring-0 if it were to detect and respond to such traffic?
So many comments kept repeating the idea that it was necessary for Falcon to run in ring-0 in order to do what it does[^1]. There have been very few theoretical situations mentioned that would require that, and those I saw were either extremely vague, or so particular that it would represent the tiniest of fractions of po
Re: (Score:2)
I have not read the article (yet) - only the summary - but had been wondering why the icon for the story was the PHP one. Now I need to RTFA to see if this affects any other OS.
Re:Windows is insecure?!? Now THAT's newsworthy (Score:4, Informative)
It doesn't - it's specific to PHP running in CGI mode on a Windows web server. It's an issue with the way the command line string is sanitised and converted to the text encoding used to pass it to the CGI script. Other operating systems aren't vulnerable, and Windows is not vulnerable if PHP is only running as an in-server module.
How funny (Score:3)
https://reddit.com/r/lolphp [reddit.com]
Re:How funny (Score:5, Interesting)
I am founder/mod on 8 subreddits. They are not censored or "managed" in any way other than removing obvious commercial spam and harmful scams solely per my own personal preferences as the moderator. I've never had any communications with reddit corporate.
Also, fuck you /u/spez for turning off the API for third party apps.
Re: How funny (Score:2)
Re: (Score:2)
I can't speak for you, but the average sub-reddit moderators are goddam fucking idiots!
So, a zero-day exploit then? (Score:3)
This seems to actually fit the definition of a zero-day exploit, unlike others that have been known for months or years.
Re: (Score:2)
The summary mentions this is taking advantage of a recent php vulnerability that may not be patched on every system yet.
Re: (Score:2)
Which makes the title of the article (both here and on Symantec's blog) wildly inaccurate and misleading. The only thing new is the use of DNS traffic for communication with the C&C. The PHP flaw is relatively recent, but not new. This amounts to nothing other than Symantec proving they barely know what they're talking about to begin with.
Re: (Score:2)
The story is not about an exploit. It is about a rootkit/backdoor technique.
Re: (Score:2)
According to Oxford: an exploit is
a software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware
I'm pretty sure that rootkits and back doors both qualify.
Zero-day just means that it was previously unknown.
Re: (Score:2)
Nope, a rootkit or backdoor is the _malware_ being installed. Hence not an exploit. But what you use after using an exploit.
Re: (Score:2)
OK, so parsing the language, the rootkit uses the exploit. Kind of pedantic, but OK. You say this isn't an exploit, it's a rootkit. Fine. The rootkit has to use an exploit. Sorry I didn't use precisely the right language.
Re: (Score:2)
The rootkit has to get into the system somehow. It does not and cannot get in there by itself. Essentially, it is similar to a "normal" software installation. That can be via an exploit then rootkit installation as next step. Or it can be via a supply-chain attack or a corrupt vendor or compromised developer or developer account or some other ways. The important thing is that the rootkit installation is not an attack step that compromises any protections. The rootkit just serves for easy access to an alread
Re: (Score:2)
There is no mention of a rootkit in the summary, or in the linked articles. So where did you get the notion that a rootkit is involved?
And if a rootkit is involved, why would any other kind of attack vector be needed? The rootkit can do whatever it wants at that point. If you're rooted, you're already hosed, completely.
Re: (Score:2)
Because what is described by functionality is a rootkit. Sheesh. Please get some clue.
Re: (Score:2)
Whatever. As I said, if an attacker has root access, all bets are off, everything is a "vulnerability" at that point, there's no need to hijack DNS or anything else, you can just do what you want. So no, if this article describes "rootkit" to you, then there is nothing new about this vulnerability, because rootkits have been around for many years.
Re: (Score:2)
I will stop here. You just do not know enough to understand how off you are. Not my task to fix that.
Re: (Score:2)
Yep, got it. You first made up this rootkit thing, and wanted to pick a fight about definitions. My initial comment wasn't that serious anyway, I too was poking fun at how the press calls everything a zero-day, when it's not.
Title inaccurate, click-bait (what else is new?) (Score:5, Informative)
The title states this is an "entirely new way to backdoor" Microsoft Windows - but the actual exploit is the same boring old stuff, purportedly taking advantage of a Windows-specific PHP vulnerability to compromise a system.
The only thing novel about this backdoor is how the compromised machine communicates with the attackers' command and control server(s). And, even then, it's not an "entirely new" approach... just an uncommon one.
Re:Title inaccurate, click-bait (what else is new? (Score:5, Informative)
Re: Title inaccurate, click-bait (what else is new (Score:2)
Backwards compatibility.
Re: (Score:2)
Windows is Nat’l Security treasure
Re: (Score:2)
Re: (Score:2)
Symantec reports
Whenever I see Symantec mentioned, my first thought is "This is an Ad disguised as a news article". Even when Windows is mentioned.
Shut down the DNS server/domain? (Score:2)
If we know the domain name (pattern) this is looking for, it should be relatively easy to shut that down, right? I guess that depends on the root server for the relevant Top Level Domain. If that's ".net", Verisign controls that and can kill it, right?
Re: (Score:2)
Just like any domain that serves malware is easy to kill. Oh, wait ...
CGI in 2024? (Score:2)
Every use of CGI should be treated as exploitable, no exceptions.
Re: (Score:2)
Bullshit. CGI is not any less secure than a web-framework.
Re: (Score:2)
You are passing data through escape sequence sensitive stages with hard to predict side effects. Even moreso than SQL as the current exploit nicely shows.
Fallibility of developers is a given, security is about avoiding methods which make it easy to exploit their incompetence. So for instance not letting them use something historically proven to be a greater cause of exploits than even dynamic SQL.
Re: (Score:2)
You are passing data through escape sequence sensitive stages with hard to predict side effects. Even moreso than SQL as the current exploit nicely shows.
Dunno about that being hard to predict.
URL encode:
perl -p -e 's/([^A-Za-z0-9\-\._~])/sprintf("%%%02X", ord($1))/seg'
URL decode:
perl -pe 's/%([0-9A-Fa-f]{2})/chr hex $1/ge'
Re: (Score:2)
Hate to reply to myself, but I forgot to mention the SQL comparison...
For SQL, if you're doing quoting instead of using params, each character you encode/decode must also know if it is currently within a quoted block. That is more complicated than URL encoding which doesn't need that context / state.
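As an added illustration of the two comments above (this is not code from the thread or from any commenter): the perl one-liners' encode/decode rule reimplemented in Python, the double-decoding hazard that the stateless design invites, a minimal walker that tracks the in-literal state a quoting-based SQL escaper would need, and the concatenated versus parameterized query side by side using the standard sqlite3 module. The users table, its rows and the thresholds are made up for the demonstration.

```python
import re
import sqlite3

# Unreserved characters: the same set the perl encoder above leaves untouched.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def url_encode(s: str) -> str:
    """Percent-encode every byte outside the unreserved set as %XX (one pass, no state)."""
    return "".join(chr(b) if chr(b) in UNRESERVED else "%%%02X" % b for b in s.encode("utf-8"))


def url_decode(s: str) -> str:
    """Decode %XX in a single pass; only two hex digits qualify, so '%zz' is left alone."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), s.encode("utf-8"))
    return raw.decode("utf-8")


def sql_literal_spans(query: str) -> list:
    """Return (start, end) index spans of the contents of every '...' literal in a SQL string.

    Unlike percent-decoding, what a character means here depends on state: whether we are
    inside a literal, and whether a quote is the doubled '' escape rather than the closer.
    """
    spans, i, n = [], 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        start = j = i + 1
        while j < n:
            if query[j] == "'":
                if j + 1 < n and query[j + 1] == "'":  # doubled quote: still inside the literal
                    j += 2
                    continue
                break
            j += 1
        spans.append((start, j))
        i = j + 1
    return spans


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table used by the two lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_concat(conn, name: str) -> list:
    """Dynamic SQL by concatenation: the caller would have to escape with full knowledge of quoting state."""
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user_param(conn, name: str) -> list:
    """Bound parameter: the value never passes through the SQL lexer, so no quoting state is needed."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(url_encode("a b'c"), url_decode("%2527"), url_decode(url_decode("%2527")))
    q = "SELECT 1 WHERE a = 'x''y' AND b = 'z'"
    print([q[a:b] for a, b in sql_literal_spans(q)])
    db = make_db()
    print(lookup_user_concat(db, "' OR '1'='1"), lookup_user_param(db, "' OR '1'='1"))
```

The point of the `%2527` line is that percent-decoding being stateless does not make it idempotent: decode once and you get the harmless `%27`, decode again (as a framework plus an application layer can easily do) and you get a bare quote. The walker shows the extra context a SQL escaper has to carry; the parameterized lookup is the way to avoid needing it at all.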
Security whack-a-mole (Score:2)
Re: (Score:2)
Re: (Score:2)
I haven't run in an admin account for 15-20 years. Boy did I have to bitch companies out for all the LUA bugs, but eventually most of it got sorted.
Re: (Score:2)
Why would MS fix anything? Their business is going well, as all the IT morons either think MS stuff is great or cannot deal with other systems. Add a complete lack of vendor liability and you get a perfect mess like MS Windows.
Re: (Score:3)
Microsoft should close a security hole in PHP that is already fixed?
That's quite an interesting idea there.
Should the team at slackware fix security holes in .NET? I use that example because it is 100% open source, not installed by default, is easily installable, is maintained and supported by a third party (Microsoft), and can host websites.
Except.... (Score:2)
Re: (Score:2)
As the title of the story says, this is a backdoor. Backdoors are what you install after a successful attack. These are also called "rootkit".
Not Windows but Windows (Score:3)
Of course since PHP isn't shipped by Microsoft and isn't part of Windows, Windows still gets the blame for PHP bugs because this is Slashdot and people like to hate on Microsoft here. Similarly, since DNS can be used as a covert channel on any operating system, this is Slashdot, so it's Windows' fault.
I don't intend to apologize for Microsoft and related past security indiscretions, but let's be fair here and blame Microsoft for the stuff that is actually their fault.
And because it will come up, poor system administration practices are not the fault of the operating system or its vendor / distributor. Running a PHP server under a security context that allows a bug in PHP or the application it serves to own the machine is not a bug in the operating system. Run your PHP application as root on linux and see what happens...
Re: (Score:2, Insightful)
And because it will come up, poor system administration practices are not the fault of the operating system or its vendor / distributor. Running a PHP server under a security context that allows a bug in PHP or the application it serves to own the machine is not a bug in the operating system. Run your PHP application as root on linux and see what happens...
From the story, I do not see PHP being run as root here. One key difference between Linux and Windows is that privilege elevation is a lot easier on Windows. And that is Microsoft's fault. Obviously, the PHP bug is not and the DNS tunneling is not either.
Wow (Score:2)
Such a wildly inaccurate title. But Slashdot just took the title from Symantec, and Symantec is full of morons who make barely passable products.
Re: (Score:1)
Actually the title came from porn, just in a slightly different order.
DNS tunneling is _old_ (Score:2)
I think I prepared a simple demo for a customer some 15 years ago or so, specifically for data exfiltration. The tool dnscat2 seems to be about 10 years old and certainly was not the first dns tunneling tool. Hence that attackers only now start to use it basically means IT security is currently so abysmally bad that old but slightly advanced techniques like DNS tunneling were not needed at all so far.
This Reminds Me (Score:2)
Re: (Score:2)
That's unlikely to prevent this communication. You would need to inspect the contents of the DNS query (or result) and filter based on domain (or content returned). The 3rd parties you use are almost certainly doing the recursive resolution, or foisting that to a layer up. I.e., the compromised machine is not in direct communication with the DNS server doing the command and control, thanks to how DNS works.
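The detection angle raised in the summary (dnscat2-style commands carried in DNS lookups, with the resolved address's third octet acting as a selector) and in this comment (you have to look at the query names and answers, not just at which resolver the host talks to) comes together in this added example, which is not from the article, Symantec or any commenter. It profiles DNS queries per registrable domain over constructed resolver log lines and flags domains whose subdomains look like encoded payloads. The log format, the thresholds and the `tunnel-example.test` domain are assumptions; the octet helper only restates the selector rule the report describes.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (assumed format: "<epoch> <client-ip> <qtype> <qname>").
# tunnel-example.test is a placeholder, not the domain named in the Symantec report.
SAMPLE_LOG = [
    "1724000001 10.0.0.5 A www.example.com",
    "1724000002 10.0.0.5 A mail.example.com",
    "1724000003 10.0.0.7 AAAA api.example.com",
    "1724000004 10.0.0.9 A 0123456789abcdef0123456789abcdef.tunnel-example.test",
    "1724000005 10.0.0.9 A 123456789abcdef0123456789abcdef0.tunnel-example.test",
    "1724000006 10.0.0.9 A 23456789abcdef0123456789abcdef01.tunnel-example.test",
    "1724000007 10.0.0.9 A 3456789abcdef0123456789abcdef012.tunnel-example.test",
    "1724000008 10.0.0.9 A 456789abcdef0123456789abcdef0123.tunnel-example.test",
    "1724000009 10.0.0.9 A 56789abcdef0123456789abcdef01234.tunnel-example.test",
]


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def split_name(qname: str):
    """Naive split into (subdomain, registrable domain) using the last two labels.
    Production code should use the public suffix list; this is enough for the sample."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near the alphabet's maximum (4.0 for hex)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_profiles(lines) -> dict:
    """Aggregate per registrable domain: how many distinct subdomains were asked for,
    how long and how random they look, and how many clients/query types were involved."""
    raw = defaultdict(lambda: {"subs": set(), "clients": set(), "qtypes": set()})
    for line in lines:
        rec = parse_line(line)
        sub, dom = split_name(rec["qname"])
        raw[dom]["subs"].add(sub)
        raw[dom]["clients"].add(rec["client"])
        raw[dom]["qtypes"].add(rec["qtype"])
    profiles = {}
    for dom, r in raw.items():
        subs = [s for s in r["subs"] if s]
        k = len(subs) or 1
        profiles[dom] = {
            "distinct_subdomains": len(subs),
            "mean_sub_len": sum(len(s) for s in subs) / k,
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / k,
            "clients": len(r["clients"]),
            "qtypes": sorted(r["qtypes"]),
        }
    return profiles


def flag_tunneling(lines, min_distinct=5, min_len=20, min_entropy=3.0) -> list:
    """Domains whose query pattern looks like data carried in labels. Thresholds are assumptions;
    tune them against your own resolver baseline (CDNs and anti-spam lookups also produce long labels)."""
    return sorted(
        dom for dom, p in domain_profiles(lines).items()
        if p["distinct_subdomains"] >= min_distinct
        and p["mean_sub_len"] >= min_len
        and p["mean_entropy"] >= min_entropy
    )


def msupedge_case_index(resolved_ip: str) -> int:
    """Triage helper for the behaviour the report describes: the backdoor uses the third octet of
    the resolved C&C address, minus seven, as its switch-case selector."""
    return int(resolved_ip.split(".")[2]) - 7


if __name__ == "__main__":
    for dom, p in domain_profiles(SAMPLE_LOG).items():
        print(dom, p)
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

Run against a real resolver export, the interesting output is the profile table rather than the flag list: a domain that one host asks about hundreds of times with never-repeating 30-character hex labels stands out even when the answers are plain A records, which is exactly the case where port-53 blocking or a trusted upstream resolver tells you nothing.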
Newly posted WinPHP problem... (Score:2)
... means another 10,000 hits on my non-Windows web servers trying to exploit it.
And then they'll pause a week or so, until the next vulnerability hits the news, and start over.
Not New. See Cobalt Strike DNS Beacon. (Score:1)
DNS TXT Records (Score:2)
Backdoor Into Windows (Score:2)
This is not a backdoor INTO Windows. It's a method for an already-compromised computer to establish an OUTBOUND connection to a control server.
And it's not even new. Using TCP/UDP port 53 for tunneling non-DNS traffic has been around decades.
Not new, Steve Gibson has mentioned this for ages (Score:2)