Chinese cyberspies use new SSH backdoor in network device hacks - Related to hacks, version, do, ssh, whistleblower

Chinese cyberspies use new SSH backdoor in network device hacks

A Chinese hacking group is hijacking the SSH daemon on network appliances by injecting malware into the process for persistent access and covert operations.

The newly identified attack suite has been used in attacks since mid-November 2024, attributed to the Chinese Evasive Panda, aka DaggerFly, cyber-espionage group.

As per the findings of Fortinet's Fortiguard researchers, the attack suite is named "ELF/[website]!tr" and consists of a collection of malware injected into the SSH daemon to perform a broad range of actions.

Fortiguard says ELF/[website]!tr was used in attacks against network appliances, but although it has been documented previously, no analytical reports exist on how it works.

The Evasive Panda threat actors have been active since 2012 and were in the recent past exposed for conducting attacks deploying a novel macOS backdoor, carrying out supply chain attacks via ISPs in Asia, and collecting intelligence from [website] organizations in a four-month-long operation.

While Fortiguard has not shared how the network appliances are initially being breached, once compromised, a dropper component checks if the device is already infected and if it's running under root privileges.

If conditions are met, several binaries, including an SSH library ([website], will be dropped onto the target machine.

This file acts as the main backdoor component, responsible for command and control (C2) communications and data exfiltration.

Other binaries, such as 'mainpasteheader' and 'selfrecoverheader,' help the attackers secure persistence on the infected devices.

The malicious SSH library is injected into the SSH daemon and then waits for incoming commands from the C2 to perform system reconnaissance, credential theft, process monitoring, remote command execution, and file manipulation,.

Collect system details like hostname and MAC address and exfiltrate them. List installed services by checking files in /etc/[website] Read sensitive user data from /etc/shadow. Retrieve a list of all active processes on the system. Attempt to access /var/log/dmesg for system logs. Try to read /tmp/[website] for potential sensitive data. List the contents of a specified directory. Upload or download files between the system and the attacker. Open a remote shell to give the attacker full command-line access. Execute any command remotely on the infected system. Stop and remove the malicious process from memory. Delete specific files from the system. Rename files on the system. Notify the attacker that the malware is active. Send stolen system info, service lists, and user credentials.

Fortiguard also noted that it used AI-assisted tools to reverse engineer and analyze this malware. While this wasn't free of significant problems such as hallucination, extrapolation, and omissions, the tool showed promising potential.

"While disassemblers and decompilers have improved over the last decade, this cannot be compared to the level of innovation we are seeing with AI," commented Fortinet's researchers.

Fortinet says its end-people are already protected against this malware through its FortiGuard AntiVirus service, which detects the threats as ELF/[website] !tr and Linux/[website]!tr.

The researchers also shared hashes to samples uploaded to VirusTotal [1, 2, 3].

Twitter is blasted for security and privacy lapses by the firm’s former head of security who alle...

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that...

Google has shipped patches to address 47 security flaws in its Android operating system, including o...

Do We Really Need The OWASP NHI Top 10?

The Open Web Application Security Project has in recent times introduced a new Top 10 project - the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists.

Non-human identity security represents an emerging interest in the cybersecurity industry, encompassing the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.

Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask - do we really need the NHI Top 10? The short answer is - yes. Let's see why, and explore the top 10 NHI risks.

While other OWASP projects might touch on related vulnerabilities, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents leveraging NHIs don't just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.

While crucial, the existing OWASP Top 10 lists don't properly address the unique challenges NHIs present. Being the critical connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.

With the growing frequency of attacks targeting NHIs, it became imperative to equip developers with a dedicated guide to the risks they face.

Understanding the OWASP Top 10 ranking criteria.

Before we dive into the actual risks, it's crucial to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a standard set of parameters to determine risk severity:

Exploitability: Evaluate how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.

Evaluate how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection. Impact: Considers the potential damage the risk could inflict on business operations and systems.

Considers the potential damage the risk could inflict on business operations and systems. Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.

Assesses how common the security issue is across different environments, disregarding existing protective measures. Detectability: Measures the difficulty of spotting the weakness using standard monitoring and detection tools.

Breaking down the OWASP NHI Top 10 risks.

Now to the meat. Let's explore the top risks that earned a spot on the NHI Top 10 list and why they matter:

NHIs are designed to facilitate automated processes, services, and applications without human intervention. However, during the development and maintenance phases, developers or administrators may repurpose NHIs for manual operations that should ideally be conducted using personal human credentials with appropriate privileges. This can cause privilege misuse, and, if this abused key is part of an exploit, it's hard to know who is accountable for it.

NHI reuse occurs when teams repurpose the same service account, for example, across multiple applications. While convenient, this violates the principle of least privilege and can expose multiple services in the case of a compromised NHI - increasing the blast radius.

A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to have high privileges in production, exposing sensitive data.

Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI inadvertently exposing an access token in a public GitHub repository, which remained active for over two years and provided access to 38 terabytes of internal data.

NHI6:2025 - Insecure Cloud Deployment Configurations.

CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC configurations, can lead to unauthorized access to critical resources, exposing them to breaches.

Many NHIs are granted excessive privileges due to poor provisioning practices. , 37% of NHI-related security incidents were caused by overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.

NHI4:2025 - Insecure Authentication Methods.

Many platforms like Microsoft 365 and Google Workspace still support insecure authentication methods like implicit OAuth flows and app passwords, which bypass MFA and are susceptible to attacks. Developers are often unaware of the security risks of these outdated mechanisms, which leads to their widespread use, and potential exploitation.

Many development pipelines rely on third-party tools and services to expedite development, enhance capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repos using NHIs like API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced consumers to scramble to rotate credentials, highlighting the importance of tightly monitoring and mapping these externally owned NHIs.

Secret leakage remains a top concern, often serving as the initial access vector for attackers. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.

Ranked as the top NHI risk, improper offboarding refers to the prevalent oversight of lingering NHIs that were not removed or decommissioned after an employee left, a service was removed, or a third party was terminated. In fact, over 50% of organizations have no formal processes to offboard NHIs. NHIs that are no longer needed but remain active create a wide array of attack opportunities, especially for insider threats.

A standardized framework for NHI security.

The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike lack a clear, standardized view of the risks these identities pose, and how to go about including them in security programs. For that, Astrix Security implemented the OWASP NHI Top 10 as a framework in its compliance dashboard.

The Astrix OWASP NHI Top 10 Compliance Dashboard.

This capability correlates the organization's security findings with the NHI Top 10 risks, to help security professionals visualize the current posture, identify gaps, and prioritize next steps.

Using the dashboard alongside the Top 10 framework lets you quickly see which areas need the most attention and track improvement over time.

Google has shipped patches to address 47 security flaws in its Android operating system, including o...

[website] turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a c...

A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security featu...

Twitter Whistleblower Complaint: The TL;DR Version

Twitter is blasted for security and privacy lapses by the organization’s former head of security who alleges the social media giant’s actions amount to a national security risk.

A in recent times surfaced 84-page whistleblower investigation filed with the US government by Twitter’s former head of security Peiter “Mudge” Zatko last month blasts his former employer for its alleged shoddy security practices and being out of compliance with an FTC order to protect user data.

Twitter has responded alleging that Zatko is a “disgruntled employee” who was fired for poor performance and leadership. In a letter to employees Twitter’s CEO Parag Agrawal asserts that Zatko’s implies are a “false narrative that is riddled with inconsistencies and inaccuracies, and presented without crucial context.”.

Here is an abbreviated overview of the allegations and Twitter’s reaction.

Zatko, a respected white-hat hacker who served as Twitter’s head of security for roughly 15 months between 2020 and 2022, accused Twitter of a litany of poor security and privacy practices that together constituted a national security risk.

Twitter is a mismanaged business and gives too many of its staff access to sensitive security and privacy controls without adequate oversight.

One or more Twitter employees may be working for undisclosed foreign intelligence services. This, , elevates his concerns to a matter of national security.

Nearly half of Twitter’s servers lack basic security aspects, such as data encryption, because software running on them is either outdated or unpatched.

Twitter executives have prioritized growth over security as they have personally pursued massive bonuses, as high as $10 million, as incentives for the business’s rapid expansion.

The firm is out of compliance with a 2010 FTC order to protect people’ personal information. Additionally, the firm has lied to independent auditors of an FTC mandated “comprehensive information security program” tied to the 2010 order.

Twitter does not honor user requests to delete their personal data, because of technical limitations.

When Zatko attempted to bring these and many other security and privacy issues to Twitter’s board, business management misrepresented his finding and/or tried to hide the findings.

Twitter allowed some foreign governments “… to infiltrate, control, exploit, surveil and/or censor the ‘enterprise’s platform, staff, and operations,” .

Twitter does not have the resources or capacity to accurately determine the true number of fake (or bot) accounts on its platform. This question is central to a Elon Musk’s attempt to back out of buying the firm for $44 billion.

The thrust of Twitter’s response to Zatko is that he is a disgruntled employee, bad at his job and scapegoating Twitter for his failures. It points out that it has addressed and continues to aggressively address many of the IT security issues pointed out by Zatko.

An alleged response by Twitter’s CEO Parag Agrawal sent internally to Twitter employees was posted online.

NEW: First time Twitter CEO @paraga weighs in on whistleblower story. Sending this message to staff this morning. [website] — Donie O'Sullivan (@donie) August 23, 2022.

Meanwhile top Democrats and Republicans in Congress have reacted by promising to investigate the indicates. Sen. Richard Durbin (D-IL), chair of the Senate Judiciary Committee, confirmed he was investigating the whistleblower disclosure.

Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged custo...

​Food delivery business GrubHub disclosed a data breach impacting the personal information of an undi...

The maintainers of the Python Package Index (PyPI) registry have presented a new feature that allows...