fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Gitpaste-12 Worm Botnet Returns With 30+ Vulnerability Exploits

Gitpaste-12 Worm Botnet Returns With 30+ Vulnerability Exploits

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.

The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.

This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Targets Linux, Android tools, and IoT devices

Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.

Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Initially, the researchers observed the new GitHub repository containing just 3 files.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.

Now-removed GitHub repository sptv001 hosting gitpaste-12 second version
Now-removed GitHub repository that had been hosting Gitpaste-12 second iteration
Source: Juniper

Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.

Also Read: 10 Practical Benefits of Managed IT Services

These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.

The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkxus

In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.

The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.

gitpaste-12 second version workflow
Gitpaste-12 second version workflow

Carries 31 vulnerability exploits: 24 unique ones

The newer version of Gitpaste-12 has exploits for “at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” explains Langton.

The list of exploits, provided by the researchers includes:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3313

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17562

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11511

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11447

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19509

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8816

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10987

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17463

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17496

https://www.exploit-db.com/exploits/37474

https://www.exploit-db.com/exploits/40500

https://www.exploit-db.com/exploits/45135

https://www.exploit-db.com/exploits/45161

https://www.exploit-db.com/exploits/46542

https://www.exploit-db.com/exploits/48225

https://www.exploit-db.com/exploits/48358

https://www.exploit-db.com/exploits/48676

https://www.exploit-db.com/exploits/48734

https://www.exploit-db.com/exploits/48737

https://www.exploit-db.com/exploits/48743

https://www.exploit-db.com/exploits/48751

https://www.exploit-db.com/exploits/48758

https://www.exploit-db.com/exploits/48771

https://www.exploit-db.com/exploits/48775

https://www.exploit-db.com/exploits/48805

https://www.exploit-db.com/exploits/48827

Some of these vulnerability exploits concern popular open-source applications, such as JBoss Seam 2CutePHP, mongo-express, Pi-hole, and FuelCMS.

Whereas, well-known proprietary web applications like vBulletin are targeted by the worm. 

In addition to exploiting these vulnerabilities, the X10-unix worm bundled within Gitpaste-12 attacks the Android Debug Bridge (adb) application running on port 5555, to upload a malicious native binary (“blu”) and APK to Android devices.

The sophisticated APK, on installation, posts the IP address of the device to Pastebin, and further downloads malicious payload.

This iteration of Gitpaste-12, according to the researchers, has compromised at least 100 distinct hosts.

“While it’s difficult to ascertain the breadth or effectiveness of this malware campaign, in part because Monero — unlike Bitcoin — does not have publicly traceable transactions, [Juniper Threat Labs] can confirm over a hundred distinct hosts have been observed propagating the infection,” stated the researchers.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

This evolved version of Gitpaste-12 surfaced not too long after the initial October release.

We are yet to find out if there would be even more advanced versions of this attack coming up in the near future.

The complete research findings and a list of Gitpaste-12 Indicators of Compromise (IOCs) can be found in Juniper Threat Labs’ blog post.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us