Cyber Security Weekly Briefing 16–22 April

April 22, 2022

Fodcha: new DDoS botnet

360netlab and CNCERT researchers have discovered a new botnet focused on conducting denial-of-service attacks, and which is rapidly spreading on the Internet.

This new botnet has been named Fodcha because its first C2 was hosted in the folded[.]in domain and because it uses the ChaCha algorithm to encrypt its network traffic.

It spreads by exploiting n-day vulnerabilities in Android products, GitLab, the Realtek Jungle SDK, Zhone routers and Totolink routers, among others, as well as by compromising weak Telnet/SSH passwords with the brute-force tool Crazyfia.

Fodcha's activity began in January, with a significant increase in attacks on 1 March, and activity reportedly intensified further from the end of March. In fact, around 19 March there was a change in the botnet's versions, which, according to the researchers, was due to the cloud providers shutting down the old servers.

INCONTROLLER/PIPEDREAM new malware targeting ICS/SCADA environments

A new malware targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems has recently been discovered. This malware could lead to system outages, degradation or even destruction.

Mandiant researchers have labelled this malware as INCONTROLLER, while Dragos' team has named it PIPEDREAM, noting that it was developed by the threat actor CHERNOVITE.

This malware stands out for having a set of tools to attack its victims' systems; it does not exploit a specific vulnerability, but rather takes advantage of native functionality of the affected ICS systems, which is why both the researchers and several US security agencies (CISA, the FBI and the CSA) have published a series of detection and protection measures.

It is worth noting that while investigations have found that the malware could target different manufacturers, it contains modules specifically developed for Schneider Electric and Omron programmable logic controllers (PLCs).

HOMAGE: zero-click vulnerability in iOS used in espionage campaign

The Citizen Lab team has published an investigation detailing an espionage campaign carried out between 2017 and 2020, which they have named Catalangate, and which involved the exploitation of several vulnerabilities in iOS.

The most relevant is the use of a new exploit for a zero-click vulnerability in iOS to infect devices with spyware belonging to NSO Group. This vulnerability, named HOMAGE, affected an iMessage component in iOS versions prior to 13.1.3 and was fixed in iOS 13.2 (it should be noted that the latest stable version of iOS is 15.4).

Likewise, the researchers also detected the use of other vulnerabilities: another zero-click vulnerability discovered in 2020 and called KISMET, which affected iOS versions 13.5.1 and 13.7, as well as one in WhatsApp, CVE-2019-3568, which has also been patched.

As a result of this investigation, it has been detected that at least 65 people have been infected with the Pegasus and Candiru spyware.

Vulnerabilities in ALAC audio encoding format

Researchers at Check Point have announced several vulnerabilities in Apple Lossless Audio Codec (ALAC), also known as Apple Lossless, an audio encoding format.

Exploitation of the discovered flaw could allow an attacker to remotely execute code on a vulnerable device by tricking the user into opening a manipulated audio file - an attack they have named ALHACK.

ALAC was initially developed by Apple, and in late 2011 the firm made it open source; it has since been incorporated into a multitude of devices and software. Since its release, Apple has updated its proprietary version several times, but the shared code has not been patched since then.

It is therefore to be assumed that all third-party vendors using the initial code provided by Apple in 2011 have a vulnerable version.

According to the researchers, this is exactly what happened in the case of Qualcomm and MediaTek, which are said to have incorporated the vulnerable code in the audio decoders used by more than half of today's smartphones.

The flaws were disclosed responsibly: before making its discovery public, Check Point alerted MediaTek and Qualcomm, and both firms fixed the vulnerabilities in December 2021, tracked as CVE-2021-0674 and CVE-2021-0675 in the case of MediaTek and CVE-2021-30351 in the case of Qualcomm.

Technical details of the vulnerability will be made public next May at the CanSecWest conference.