HTTP Smuggling Attack

HTTP Request Smuggling Attacks
New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

What is HTTP Request Smuggling?

HTTP request smuggling (or HTTP Desyncing) is a technique employed to interfere with the way a website processes sequences of HTTP requests that are received from one or more users.
Vulnerabilities related to HTTP request smuggling typically arise when the front-end (a load balancer or proxy) and the back-end servers interpret the boundary of an HTTP request differently, thereby allowing a bad actor to send (or “smuggle”) an ambiguous request that gets prepended to the next legitimate user request.

This desynchronization of requests can be exploited to hijack credentials, inject responses to users, and even steal data from a victim’s request and exfiltrate the information to an attacker-controlled server.

What’s in the New Variants?

The new variants were demonstrated against various web-server and proxy-server combinations, including Aprelium’s Abyss, Microsoft IIS, Apache, and Tomcat in the web-server role, and Nginx, Squid, HAProxy, Caddy, and Traefik in the HTTP proxy role.

The four new variants are listed below, together with an older one that the researcher also exploited successfully in his experiments.
Variant 1 – “Header SP/CR junk: …”
Variant 2 – “Wait for It”
Variant 3 – HTTP/1.2 to bypass mod_security-like defenses
Variant 4 – a plain solution
Variant 5 – “CR header”

When handling HTTP requests containing two Content-Length header fields, Abyss, for example, was found to honor the second header, whereas Squid used the first one, so the two servers placed the request boundary differently, which is exactly what makes request smuggling possible.

When Abyss receives an HTTP request whose body is shorter than the specified Content-Length value, it waits 30 seconds for the rest of the body to arrive and then processes the request without it, ignoring the missing part.

This also creates a discrepancy between Squid and Abyss, with Abyss interpreting part of the request that Squid forwarded as a second, separate request.

A third variant uses an HTTP/1.2 version token to circumvent the WAF rules defined in the OWASP ModSecurity Core Rule Set (CRS) for preventing HTTP request smuggling, crafting a payload that passes the rules yet still triggers the smuggling behavior.

Lastly, using the “Content-Type: text/plain” header field was sufficient to bypass the checks at paranoia levels 1 and 2 of the CRS and yield an HTTP request smuggling vulnerability.

What Are the Possible Defenses?

After the findings were disclosed to Aprelium, Squid, and OWASP CRS, the issues were fixed in Abyss X1 v2.14, Squid versions 4.12 and 5.0.3, and CRS v3.3.0.

The research calls for normalization of outbound HTTP requests by proxy servers, and for an open-source, robust web application firewall that is capable of handling HTTP request smuggling attacks.
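The normalization the research asks for boils down to refusing ambiguity rather than resolving it. The following strict request framer is an added example (not code from the research or from any of the servers named above): it rejects the duplicate Content-Length, the HTTP/1.2 version token, the bare CR in a header, whitespace junk around a header name, and a body shorter than its Content-Length, which are the conditions the variants above rely on.

```python
import re

# Added example, not code from the research or from any server named above:
# a strict framer that rejects every ambiguity the variants rely on instead
# of guessing how the peer resolves it. Bodies are framed by Content-Length
# only; chunked Transfer-Encoding is rejected here for brevity.
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")
HEADER_LINE = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*?)[ \t]*")

class AmbiguousRequest(ValueError):
    """Two implementations could place this request's boundary differently."""

def frame_request(data: bytes):
    """Split one request off the front of data.

    Returns (request_line, headers, body, remaining_bytes) with header names
    lower-cased, or raises AmbiguousRequest rather than picking a winner.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise AmbiguousRequest("incomplete header block")
    if b"\r" in head.replace(b"\r\n", b""):
        raise AmbiguousRequest("bare CR in header block")           # "CR header"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        raise AmbiguousRequest("bad request line or HTTP version")  # HTTP/1.2
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.fullmatch(line)
        if not m:
            raise AmbiguousRequest("malformed header line")         # SP/CR junk
        name = m.group(1).lower()
        if name in headers and name in (b"content-length", b"transfer-encoding"):
            raise AmbiguousRequest("duplicate " + name.decode())    # double CL
        headers[name] = m.group(2)
    if b"transfer-encoding" in headers:
        raise AmbiguousRequest("Transfer-Encoding not framed by this example")
    length = headers.get(b"content-length", b"0")
    if not re.fullmatch(rb"\d{1,10}", length):
        raise AmbiguousRequest("Content-Length is not a plain decimal")
    n = int(length)
    if len(rest) < n:
        raise AmbiguousRequest("body shorter than Content-Length")  # "wait for it"
    return lines[0], headers, rest[:n], rest[n:]

def is_unambiguous(data: bytes) -> bool:
    """True when frame_request accepts data without raising."""
    try:
        frame_request(data)
    except AmbiguousRequest:
        return False
    return True
```

A proxy that frames this strictly forwards only requests whose boundary the back-end cannot see differently, and can log each rejection as a smuggling attempt.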

WastedLocker Evasion Technique

As time goes on, one ransomware family after another comes and goes, like the seasons. Once released, each one becomes the talk of the town, and one big organisation after another takes the hit; paying ransoms to get the decryptors is routine these days. The difference is that each one is more sophisticated than the last, and the techniques used for evasion vary.

Here we look at the technique WastedLocker uses to evade security systems.

WastedLocker, a ransomware strain that reportedly shut down Garmin’s operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos.

The ransomware abuses a Microsoft Windows memory management feature to evade detection by security software. Sophos researchers also found other tools within the malware designed to make it difficult to detect.

“WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions,” the Sophos report says.

Evading Security

WastedLocker and other newer strains of ransomware are increasingly being designed to avoid detection and security tools. These so-called “survival skills” allow the malware to live in the network long enough to encrypt files.

“Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior,” the report continues.

WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called Bitpaymer. This method of avoidance targets the Windows API functions within the memory, according to the report.

“This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it’s harder for a behavioral detection to catch it,” the report says.

In-Memory Evasion

WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without causing disruptions to the disk I/O, which shields it from behavior monitoring software.

The Windows memory management feature is used to increase performance by using files or applications that are read and stored in the operating system’s cached memory. To trick anti-ransomware tools, WastedLocker opens a file, caches it in memory and then closes it.

Once it has mapped the file into memory, WastedLocker closes its handle to the file, which an observer might mistake for an error. The trick works because the Windows Cache Manager opens its own handle to a file once that file has been mapped into memory.

Once the data is held by the Windows Cache Manager, WastedLocker encrypts the file’s content in the cache. Because the cached data has been modified, the pages become “dirty”, so that eventually Windows itself writes the encrypted cached data back to the original files, and anti-ransomware software sees no illegitimate process performing the writes.

Iran’s APT34 Abuses DoH for Exfiltration

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.

This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it’s a new protocol that not all security products are capable of monitoring. Second, it’s encrypted by default, while DNS is cleartext.
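Where the query names are still visible, that is, at the internal resolver or at a DoH endpoint the organisation runs itself rather than on a passive network tap, the shape of tunnelled traffic can still be scored. The following is an added example, not code from the article or from DNSExfiltrator: a heuristic over a constructed resolver log that flags a domain when it receives many unique, long, high-entropy subdomain lookups; the log format, thresholds and the domain `exfil-example.test` are all assumptions.

```python
import hashlib
import math
import re
from collections import defaultdict

# Added example, not code from the article or from DNSExfiltrator: score DNS
# query names from resolver logs for the shape tunnelled traffic has (many
# unique, long, high-entropy subdomains under one domain). Assumes the log is
# taken where names are still plaintext (internal resolver or an
# organisation-run DoH endpoint); DoH to an outside resolver hides them.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\w+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking encodings score high."""
    freqs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the constructed sample."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(lines, min_unique=20, min_entropy=3.0, max_label=40):
    """Return {domain: [reasons]} for domains whose queries look tunnelled."""
    per_domain = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not in the assumed "ts client qname qtype" format
        qname = m["qname"].rstrip(".")
        domain = registered_domain(qname)
        if qname != domain:
            per_domain[domain].add(qname[: -len(domain) - 1])
    flagged = {}
    for domain, subs in per_domain.items():
        reasons = []
        if len(subs) >= min_unique:
            reasons.append(f"{len(subs)} unique subdomains")
        longest = max(len(label) for s in subs for label in s.split("."))
        if longest > max_label:
            reasons.append(f"label length {longest}")
        mean_h = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_h >= min_entropy:
            reasons.append(f"mean entropy {mean_h:.2f} bits/char")
        if len(reasons) >= 2:  # one signal alone is noisy (CDNs, DKIM, etc.)
            flagged[domain] = reasons
    return flagged

def sample_log():
    """Constructed resolver log: ordinary lookups plus 25 tunnel-shaped ones."""
    benign = [f"2020-08-05T09:00:00Z 10.0.0.5 {n}.example.test A" for n in ("www", "mail", "cdn", "www", "login")]
    tunnel = [f"2020-08-05T10:00:{i:02d}Z 10.0.0.7 "
              f"{hashlib.sha256(bytes([i])).hexdigest()}.exfil-example.test TXT" for i in range(25)]
    return benign + tunnel
```

Requiring two of the three signals keeps legitimate high-churn domains (CDNs, DKIM selectors) from being flagged on unique-subdomain count alone.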

Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.

Separately, a spear-phishing campaign orchestrated by unidentified Iranian hackers targeted the staff of pharma giant Gilead, which at the time had announced it was working on a treatment for COVID-19. It is, however, unclear whether these are the same incidents.

Previous reporting has described most Iranian APTs as members of, or contractors for, the Islamic Revolutionary Guard Corps, Iran’s top military entity.

Taidoor Strains Seen Again

Three agencies of the US government have today published a joint alert warning US private entities about new versions of Taidoor, a malware family previously associated with Chinese state-sponsored hackers.

The three agencies have recently begun collaborating on releasing joint reports about new malware threats. The first joint alert was sent earlier this year, in February, when the three agencies warned about six new malware strains developed by North Korea’s state-sponsored hackers.

The three agencies say Taidoor has been in use since 2008. Previous versions of the malware were spotted in the wild in 2012 and 2013 and detailed in reports by NTT, FireEye, and Trend Micro, according to the malware encyclopedia site Malpedia.

In their most recent alert, the three US government agencies say they have spotted Taidoor being used in new attacks. The new Taidoor samples come in 32- and 64-bit versions and are usually installed on a victim’s system as a service dynamic link library (DLL), according to the joint alert.

This DLL file, in turn, contains two other files.

“The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).”

The Taidoor RAT is then used to allow Chinese hackers to access infected systems and exfiltrate data or deploy other malware — the usual things for which remote access trojans are typically employed.

Taidoor is normally deployed together with proxy servers to hide the true point of origin of the malware’s operator.