# Chinese APT: A Master of Exploiting Edge Devices

###### Charles Li, Greg Chen

-----

#### Agenda

• Exploit Target Changed
• Case Study of Weaponized Edge Devices
• Malware Implanted in Edge Devices
• Mitigation & Response

-----

## Exploit Target Changed

-----

##### Good old days of spear-phishing emails

Document exploits were the favoured payload of spear-phishing attacks. The timeline on the original slide lists the following document CVEs (grouped here by the year in the CVE identifier):

• 2008: CVE-2008-5353
• 2009: CVE-2009-0556, CVE-2009-0927, CVE-2009-3129, CVE-2009-3867, CVE-2009-4324
• 2010: CVE-2010-0188, CVE-2010-2883, CVE-2010-3333
• 2011: CVE-2011-0611
• 2012: CVE-2012-0158
• 2017: CVE-2017-11882
• 2018: CVE-2018-0798, CVE-2018-0802
• 2022: CVE-2022-30190

What made document exploits expensive over time:

• Adobe sandboxed PDF and Flash Player
• Vista SP1 with full memory
• EDR emerged

-----

##### Exploitation of Edge Devices Rises (1/2)

• Edge device: an endpoint on the network, the interface between the data center and the real world. It collects or communicates information.
• Edge devices have become important targets for Chinese actors as the initial-compromise entry point.
• After the advent of COVID-19, work from home became the norm, which requires more edge devices to reach the enterprise network.
-----

##### Exploitation of Edge Devices Rises (2/2)

(Figure: Chinese APT groups observed exploiting edge devices: APT31, Volt Typhoon, BlackTech.)

-----

###### The good for attack, the bad for defense (1/2)

Mostly closed platforms that receive little attention from the CSIRT team:
• No antivirus or EDR (Endpoint Detection and Response)
• Difficult to perform incident response on
• Unpatched vulnerable third-party components
  • Perl XLS parsing library vulnerability (CVE-2023-7101) in Barracuda ESG

No modern exploit mitigations:
• Citrix ADC/NetScaler (FreeBSD 11.4) runs without ASLR
  • CVE-2023-3519: stack overflow

-----

###### The good for attack, the bad for defense (2/2)

Difficult to patch!
• Service may be suspended during patch work
• Patching must follow the vendor upgrade path, which does not allow skipping versions

Unable to patch!!
• Long-lived End-of-Life products
  • Sophos Web Appliance, ZyXel ZyWall USG, etc.
• Low barrier to finding 0-days

-----

##### Chinese APT exploiting Edge Devices

Chinese APT groups have demonstrated the capability to find and exploit 0-days in the following edge devices:

• Sophos Firewall (CVE-2022-1040)
• Fortinet FortiOS SSL VPN (CVE-2022-42475)
• Barracuda ESG (CVE-2023-2868; CVE-2023-7102)
• Array Networks SSL VPN (CVE-2023-28461)
• Citrix NetScaler Gateway (CVE-2023-3519)
• Ivanti Connect Secure (CVE-2023-46805; CVE-2024-21887)
• Surveillance router (T5-VUL-11730; 0-day)

-----

## Case Study of Weaponized Edge Devices

-----

###### ZyXel ZyWall USG botnet (1/2)

• Chinese actors (SLIME56) abused ZyXel ZyWall USG devices to build a botnet in July 2023.
• SLIME56 implanted SOCKS5 proxies in a large number of edge devices to build the botnet and spread disinformation against the Taiwan government.
• Combined two old vulnerabilities to achieve remote code execution (RCE):
  • T5-VUL-11705: Server-Side Request Forgery (SSRF) to bypass authentication
  • T5-VUL-12195: authenticated command injection
• Both vulnerabilities are patched in ZyWall USG50/60, but ZyWall USG20/40 remain vulnerable to T5-VUL-12195 because they are End-of-Life products.
• After compromising the edge device, SLIME56 installed EmergeBot for further command and control.

-----

###### Surveillance router botnet (2/2)

SLIME56 has exploited a 0-day (T5-VUL-11730) to compromise surveillance routers in Taiwan at scale since August 2023.
• The security patch for T5-VUL-11730 is still incomplete.
• Chinese actors implanted the microsocks proxy on the surveillance routers.
• microsocks is a lightweight SOCKS5 proxy that is easy to port to IoT devices.
• The source IPs connecting to the microsocks proxies are Alibaba Cloud hosts in Hong Kong.

-----

###### Sophos Firewall and disinformation (1/2)

• SLIME56 also compromised Sophos Firewall via CVE-2022-3236 and implanted a new malware family, EquipDoor, on Sophos Firewall in January 2023.
• SLIME56 abused both the compromised Sophos firewalls and the surveillance routers to spread disinformation about the 2024 Taiwanese presidential election in January 2024.

-----

###### Sophos Firewall and disinformation (2/2)

• SLIME56 used compromised Sophos firewalls to spread disinformation (source: PTT, a well-known Bulletin Board System in Taiwan). https://www.ptt.cc/bbs/Gossiping/M.1680750456.A.F24.html

(Figure: screenshot of the PTT post; the visible excerpt reads: Legislator Hsu Chiao-hsin said, 'We handed over secrets to the United)

-----

###### Edge devices as compromised C2

• Chinese APT actors abuse compromised edge devices as C2 infrastructure to hide the attacker's origin during other exploitation.
• CISA advisory, December 2023: Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers.
• The C2 125.227.50[.]97 may have originated from a compromised ASUS router located in Taiwan.
• Shared infrastructure: a compromised Hikvision DVR.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a

-----

###### Array Networks SSL VPN

• MenuPass (aka APT10) compromised Array Networks SSL VPN to conduct lateral movement into the intranets of entities in Japan.
• CVE-2023-28461 (0-day in the wild) was assigned in March 2023, but the exploit had already been disclosed on a Chinese blog in 2022.
• The Chinese blog revealed the exploit details, from path traversal to code execution.
• We also found another 0-day that allows arbitrary file upload; Array Networks fixed it in August 2022.
• We intercepted menuPass's proprietary malware BigPooh (aka LODEINFO), used inside the intranet, in April 2023.

Exploit detail for Array Networks: https://wzt.ac.cn/2022/12/20/ArrayVPN_rce2/

-----

###### Barracuda ESG (1/2)

• SLIME57 (aka UNC4841) compromised Barracuda ESG (Email Security Gateway) appliances of the Japanese government and a Taiwanese research institute to retrieve mail content such as attachments.
• CVE-2023-2868: command injection during unpacking of attachments.
• CVE-2023-2868 had been exploited as a 0-day in the wild since October 2022, against Pakistani financial institutions.
• CVE-2023-7101: Barracuda ESG parses XLS files through a third-party Perl library that has a command injection flaw.

-----

###### Mail gateways (2/2)

• SLIME57 also compromised another mail gateway used by the Taiwan government and the Japanese IT industry in 2024.
• We track the vulnerability as T5-VUL-12927; it is caused by the third-party UnRAR binary (CVE-2022-30333).
• CVE-2022-30333 can lead to arbitrary file write via the UnRAR binary.

-----

## Malware on Edge Devices

-----

(Figure: port-knocking backdoor listening on a low-level socket.)

-----

##### Port Knocking Backdoor on Edge Device (1/4)

• RawKnockDoor in Sophos Firewall
• Creates a raw socket to listen for UDP
• Receives the magic string 4821XXXX followed by an encoded C2
• Launches Kali Shadowinteger's Backdoor (aka SBD) or connects to the C2 through a tinyshell variant
(Figure: RawKnockDoor.)

-----

##### Port Knocking Backdoor on Edge Device (2/4)

SLIME57 developed tailor-made backdoors, SEASPY and SEASPRAY, for Barracuda ESG:
• The SEASPY RAT receives an encoded C2 by the magic strings Tfuz and oXmo through the PCAP capture interface.
• The SEASPRAY launcher is deeply embedded in Barracuda's attachment-related module mod_attachment.lua to launch next-stage malware.
• The SEASPRAY launcher retrieves the next-stage backdoor from an attachment whose file name contains the magic strings obt075 and .tmp.zip.

-----

Because the file system of Barracuda ESG is encrypted with two-stage encryption (AES and LUKS, Linux Unified Key Setup), obtaining the malware is more challenging.

-----

##### Port Knocking Backdoor on Edge Device (3/4)

A new SEASPY variant was found in another mail gateway in 2024.
• We found a new malware family, I3Shell, in a crafted RAR archive (CVE-2022-30333).
• After capturing the new magic strings, the SEASPY variant invokes I3Shell as the next-stage backdoor.

-----

##### Port Knocking Backdoor on Edge Device (4/4)

More malware families related to port-knocking backdoors:
• EmergeBot, implanted in ZyXel firewalls, receives packets on random ports carrying a 15-byte magic string to execute shell commands.
• CASTLETAP, implanted in FortiGate, receives ICMP packets with the magic string 1qaz@WSXa, parses the C2 from them, and connects to the C2 through tinyshell.
• A REPTILE variant implanted in FortiManager receives OSI Layer 2 frames containing the magic string mznCvqSBo to obtain the C2.

-----

###### LOLBins on ZyXel USG

• LOLBins (Living Off the Land Binaries) make use of legitimate system binaries for malicious purposes.
• SLIME56 compromised ZyXel USG firewalls using vendor-provided components to complete its malicious operations:
  • Leak credentials through the Command Line Interface (CLI) banner: banner motd file CONFIG_WITH_CREDENTIAL_PATH
  • Upload malware: /cgi-bin/file_*****-cgi
  • Disable the firewall: /cgi-bin/zy*****-cgi
  • Code execution: /cgi-bin/web*****in.cgi command injection vulnerability

Fig. command injection in the vulnerable CGI.
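The port-knocking families above (RawKnockDoor, SEASPY, CASTLETAP, the REPTILE variant) all share one trait: the implant does not open a TCP port, so a port scan finds nothing, but every one of them waits for a magic string on the wire. That makes the knock itself the detectable artefact. The following is an added example written for this page, not TeamT5's tooling and not a reproduction of any of the implants: a dependency-free scanner that parses Ethernet/IPv4 frames, extracts the UDP, ICMP or raw Layer-2 payload, and reports the magic strings quoted on these slides; it also flags the SEASPRAY attachment-name markers (obt075, .tmp.zip) from slide 2/4. The sample frames are constructed inline (RFC 5737 addresses, locally administered MAC, zeroed checksums) so it runs offline; in practice you would feed it frames from a SPAN/TAP capture in front of the appliance, since the appliance itself cannot be trusted to log.

```python
"""Offline scanner for the port-knocking magic strings quoted on these slides.

Added example, not TeamT5 code. Parses Ethernet/IPv4 frames by hand (no
scapy/dpkt) so it can run on a forensic workstation with nothing installed.
Sample frames below are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic strings and family names exactly as quoted in the presentation.
MAGICS = {
    b"4821": "RawKnockDoor (Sophos Firewall, UDP)",
    b"Tfuz": "SEASPY (Barracuda ESG)",
    b"oXmo": "SEASPY (Barracuda ESG)",
    b"1qaz@WSXa": "CASTLETAP (FortiGate, ICMP)",
    b"mznCvqSBo": "REPTILE variant (FortiManager, L2 frame)",
}
# SEASPRAY loads its next stage from an attachment whose name carries these.
SEASPRAY_NAME_MARKERS = ("obt075", ".tmp.zip")

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


@dataclass
class Hit:
    family: str
    layer: str    # "udp", "icmp", "ip" or "l2"
    source: str   # IPv4 source (plus ports for UDP) or source MAC for raw L2
    context: str  # hex of up to 32 bytes starting at the magic string


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, bytes]]:
    """Split a frame into (layer, source, payload).

    Non-IPv4 frames are returned whole as layer "l2" because the REPTILE
    variant is described as consuming raw Layer-2 frames, not IP packets.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return "l2", frame[6:12].hex(":"), frame[14:]
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length honours IP options
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    l4 = ip[ihl:]
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "udp", f"{src}:{sport}->{dport}", l4[8:]
    if proto == IPPROTO_ICMP and len(l4) >= 8:
        return "icmp", src, l4[8:]     # skip type/code/checksum/id/seq
    return "ip", src, l4


def scan_frame(frame: bytes) -> Optional[Hit]:
    """Return a Hit if any known magic string occurs in the frame's payload."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    layer, src, payload = parsed
    for magic, family in MAGICS.items():
        idx = payload.find(magic)
        if idx != -1:
            return Hit(family, layer, src, payload[idx:idx + 32].hex())
    return None


def scan_frames(frames: List[bytes]) -> List[Hit]:
    return [h for h in map(scan_frame, frames) if h is not None]


def flag_attachment_name(name: str) -> bool:
    """True for attachment names matching the SEASPRAY markers on slide 2/4."""
    return any(marker in name for marker in SEASPRAY_NAME_MARKERS)


# ---- constructed sample traffic (not captured data) -----------------------
def _eth(src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + src_mac + struct.pack("!H", ethertype) + payload


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    # Checksum left at 0: the scanner never validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _icmp_echo(payload: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


MAC_A = bytes.fromhex("020000000001")
SAMPLE_FRAMES = [
    # benign DNS-shaped UDP packet: must not match
    _eth(MAC_A, ETHERTYPE_IPV4, _ipv4("10.0.0.2", "10.0.0.1", IPPROTO_UDP,
         _udp(40000, 53, b"\x12\x34\x01\x00example"))),
    # RawKnockDoor-style knock: UDP payload opens with "4821" + encoded C2
    _eth(MAC_A, ETHERTYPE_IPV4, _ipv4("203.0.113.9", "10.0.0.1", IPPROTO_UDP,
         _udp(51234, 7777, b"4821" + b"\x00\x12" + b"c2-blob"))),
    # CASTLETAP-style knock: ICMP echo request carrying "1qaz@WSXa"
    _eth(MAC_A, ETHERTYPE_IPV4, _ipv4("203.0.113.9", "10.0.0.1", IPPROTO_ICMP,
         _icmp_echo(b"1qaz@WSXa" + b"198.51.100.7:443"))),
    # REPTILE-style knock: non-IP Layer-2 frame with "mznCvqSBo"
    _eth(MAC_A, 0x88B5, b"\x00\x00" + b"mznCvqSBo" + b"198.51.100.7"),
]

if __name__ == "__main__":
    for hit in scan_frames(SAMPLE_FRAMES):
        print(f"{hit.family:42s} {hit.layer:5s} {hit.source:24s} {hit.context}")
```

Two design points follow from the slides. Matching is done on the raw payload rather than on a port, because EmergeBot is described as listening on random ports and CASTLETAP has no port at all; and non-IP frames are scanned too, because a capture filter of `ip` would silently drop the Layer-2 knock used by the REPTILE variant. The magic strings are trivially changeable by the operator, so treat a match as a high-confidence indicator and a miss as no evidence.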
-----

## Mitigation & Response

-----

###### Mitigation (1/2)

• Most edge devices are by nature Internet-facing endpoints, but we strongly recommend restricting access to any Internet-facing service that is not needed.
• Apply the patches for critical vulnerabilities.
• Vulnerability management: a simple patch prioritization guideline
  ✓ CVSS, 0-day in the wild
  ✓ Published exploits
  ✓ Exploited in the wild

(Figure: nested sets, from largest to smallest: All CVEs, Published exploits, Exploited in the wild.)

-----

###### Mitigation (2/2)

Keep the access and audit logs off the edge device:
• Edge devices have limited storage for logs.
• Experienced actors may wipe the logs.

Understand the actors the way the actors understand your edge devices.

-----

###### Outlook

• We keep finding more compromised edge devices used to build botnets, and those devices are implanted with sophisticated proxy daemons.
• The implanted proxy daemon is difficult to identify:
  • Random ports
  • Encrypted traffic
  • Complex access credentials

-----

## Thank you

###### contact@teamt5.org