ESXiArgs Recovery Script, Ascon cryptography- Feb 4th - 10th, 2023 - F5 SIRT - This Week in Security
Hello Everyone, This week, your editor is Dharminder.
I am back again with another edition of This Week in Security. This time, I have security news about GoAnywhere MFT zero-day POC, ESXiArgs Ransomware recovery script and NIST's lightweight cryptography algorithm winner.
We in F5 SIRT invest lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.
Ok so let's get started and find out more about those interesting security news.
POC of GoAnywhere MFT zero-day
POC of the latest zero day in GoAnywhere MFT has been released by a security researcher Florian Hauser. GoAnywhere MFT is a managed file transfer solution that automates and secures file transfers using a centralized enterprise-level approach. The vulnerability type is unauthenticated remote code execution (unauthenticated RCE). To exploit this vulnerability attacker requires access to the administrative console of the application. Usually the administrative console is restricted to a local network/VPN/ or allow-listed IP addresses if in cloud environment but based on Shodan scan data, many vulnerable instance are exposed to the Internet.
In the security advisory, published by the Fortra, IOC (indicator of compromise) including a stack trace which can be found in the logs of compromised systems has been provided. So that customers can mitigate the vulnerability, some mitigations such as, access controls to allow access to the GoAnywhere MFT administrative interface only from trusted sources or disabling the licensing service has also been provided
Apart from mitigations, Fortra has provided following recommendations, incase of suspicion or evidence of an attack.
- Rotate your Master Encryption Key.
- Reset credentials - keys and/or passwords - for all external trading partners/systems.
- Review audit logs and delete any suspicious admin and/or web user accounts
- Contact support.
Detailed information on exploit/POC is available at https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
Aside from the above issue, we all know that exposing mgmt of any device/application console is very dangerous. If in first place we restrict those console access, chances of exploit can be reduced drastically. Hence we all should learn from other’s mistake and before it’s too late, let's go back and recheck the security controls and take necessary actions to secure the infrastructure.
ESXiArgs Ransomware Recovery Script Released By CISA
Victims of ESXiArgs Ransomware who are struggling to recover the files may have some relief now. CISA - The US Cybersecurity and Infrastructure Security Agency has release a recovery script which can be used to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have infected. This script is freely available on Github and is based on the work of two researchers Enes Sonmez and Ahmet Aykac on how victims of ESXiArgs could reconstruct VM metadata from disks that the ransomware might have failed to encrypt.
ESXiArgs was first spotted by France's Computer Emergency Response Team (CERT) on February 3rd which exploits a couple of years old RCE vulnerability CVE-2021-21974. ESXiArgs has already infected more than 3000 servers and there are high chances that this number may further increase.
Some of the organisations have already used the script to successful recover the files. For organisations which are impacted by ESXiArgs and wants to use this tool, CISA has recommended to evaluate the script and guidance provided in the README file available with the tool. Another important point to note is that, this script is delivered without any warranty. This is what CISA has said about the script "While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit."
Since the patch for this vulnerability was released two years back, VMware has recommended to implement the patch and have also provided some temporary measures for unpatched servers. The temporary measures to mitigate the vulnerability is either to disable ESXI service location protocol SLP or to disable port 427 which is used by SLP.
Detailed information on the script is available on CISA’s website at : https://www.cisa.gov/uscert/ncas/alerts/aa23-039a
NIST Selects Ascon ‘Lightweight Cryptography’ Algorithm
We have been surrounded by never ending lists of IOT gadgets/devices such as smart wearable devices, keyless vehicles, implanted medical devices etc. Such devices store or collect sensitive data but due to limited resources on those devices, security implementation is usually not so great or limited.
From last few years NIST (National Institute of Standards and Technology) was working on to determine the best suited and most efficient lightweight cryptography for those devices. After thorough testing of 57 different submission received from industry and organisations, NIST has announce the winner called Ascon, which will be published as NIST’s lilghtweight cryptography standard later in 2023.
Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University. It was selected in 2019 as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition. There are currently seven members of the Ascon family, some or all of which may become part of NIST’s published lightweight cryptography standard. As a family, the variants give a range of functionality that will offer designers options for different tasks. According to Kerry McKaycomputer scientist NIST, Authenticated encryption with associated data (AEAD) and hashing are the most important in lightweight cryptography.
AEAD protects the confidentiality of a message, but it also allows extra information such as the header of a message, or a device’s IP address to be included without being encrypted. The algorithm ensures that all of the protected data is authentic and has not changed in transit. AEAD can be used in vehicle-to-vehicle communications, and it also can help prevent counterfeiting of messages exchanged with the radio frequency identification (RFID) tags that often help track packages in warehouses.
Hashing creates a short digital fingerprint of a message that allows a recipient to determine whether the message has changed. In lightweight cryptography, hashing might be used to check whether a software update is appropriate or has downloaded correctly.
With availability of this new lightweight cryptography algorithm, I hope companies will soon start using those in various IOT devices/implementaions to make IOT devices secure.