The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good

A 40-year old man, by the name of Andrew Rakhshan, has been given the maximum sentence possible as a result of his involvement in DDoS attacks against The legal news aggregation site has posted publicly available data regarding Rakhshan’s past criminal convictions in Canada. The actual events in question occurred in January 2015, at which point Rakhshan coordinated multiple DDoS attacks against the site, which was hosted by a provider in the Dallas/Ft. Worth area.

Rakhshan (born Kamyar Jahanrakhshan) received a sentence of 5 years in prison and was ordered to pay over $520,000 in fees and restitution costs. This was not the first run through of the case, however. The original trial took place in March 2018. A new trial was granted based on the defense attorneys’ claim that their defense (at the time) was ineffective. A conspiracy charge was added in the subsequent trial, adding to the previous findings of the original case.

Any time the law can be used as an effective tool against cyber crime is a celebratory occasion. This is not always easy and cases often lag for years, or are tried ineffectively due to a lack of technical prowess across all involved parties. That being said, cheers to all involved in this case, and let it serve as a lesson. Even “simple” DDoS attacks can result in steep penalties.

The Bad

This week, Israeli security consulting company, JSOF disclosed 19 unique vulnerabilities within a commonly-shared TCP/IP software library developed by Treck. The library, developed in the late 1990s, is a lightweight TCP/IP stack estimated to be used in “hundreds of millions” of network devices. Affected vendors range from individual developers to well-established Fortune 100 enterprises (e.g., Intel, Schneider Electric, and HP) and vulnerable devices include almost everything from home ‘smart’ devices to power grid infrastructure, transportation systems, healthcare systems and even devices used in commercial aircraft.

Four of the vulnerabilities are considered critical. JSOF said they plan to release updated information along with exploitation details at Black Hat USA 2020. Here’s a quick summary on each CVE:

  • CVE-2020-11896 (Critical RCE): IPv4 tunneling flaw in Treck TCP/IP Stack
  • CVE-2020-11897 (Critical OOB Write): OOB Write via malformed IPv6 packets in Treck TCP/IP stack
  • CVE-2020-11901 (Critical RCE): Remote code execution via invalid DNS response in Treck TCP/IP stack
  • CVE-2020-11898 (Critical ID): Information Disclosure through improper handling of IPv4 or ICMPv4 Length Parameter Inconsistency
  • CVE-2020-11900 (UAF): Double Free / Use-After-Free via IPv4 tunneling in Treck TCP/IP stack
  • CVE-2020-11902 (OOB Read): Out-of-Bounds read via IPv6OverIPv4 tunneling in Treck TCP/IP stack
  • CVE-2020-11904 (OB Write): Integer Overflow due to improper memory allocation in Treck TCP/IP stack
  • CVE-2020-11899 (OOB Read): Out-of-Bounds read via IPv6 malformed transmission in Treck TCP/IP stack
  • CVE-2020-11903 (ID): Out-of-Bounds read via DHCP control request in Treck TCP/IP stack
  • CVE-2020-11905 (ID): Out-of-Bounds read via DHCP over IPv6 in Treck TCP/IP stack
  • CVE-2020-11906 (IU): Integer Underflow via Ethernet Link Layer in Treck TCP/IP stack
  • CVE-2020-11907 (IU): Integer Underflow via Length Parameter Inconsistency in Treck TCP/IP stack
  • CVE-2020-11909 (IU): Integer Underflow via malformed IPv4 data in Treck TCP/IP stack
  • CVE-2020-11910 (OOB Read): Out-of-Bounds read via malformed IPv4 transmission data in Treck TCP/IP stack
  • CVE-2020-11911 (MC): Improper ICMPv4 Access Control behavior in Treck TCP/IP stack
  • CVE-2020-11912 (OOB Read): Out-of-Bounds Read in Treck TCP/IP stack
  • CVE-2020-11913 (OOB Read): Out-of-Bounds read via IPv6 in Treck TCP/IP stack
  • CVE-2020-11914 (OOB Read): Out-of-Bounds read via malformed ARP data in Treck TCP/IP stack
  • CVE-2020-11908 (ID): Information disclosure via improper handling of ‘�’ termination markers in DHCP.

As of this writing, the following resources have been made available:

We strongly recommend that IT and security teams review the applicable CERT advisories and vendor advisories for the latest updates and remediation options. Identifying vulnerable devices, gauging exposure, and preventing post-exploitation activities is key with these types of flaws. SentinelOne’s Ranger provides a robust and streamlined interface for asset discovery, risk management and threat prevention.

The Ugly

It is no secret that the bad guys are well aware of many of the tools that the good guys use and rely on everyday in our ongoing battle. Online multi-scanners and sandboxes are leveraged by both sides. When the good guys provide details on some fancy new tool or process, you can bet that the bad guys will find a way to use it if it benefits them as well. One such recent case of this pertains to the Thanos ransomware family and their implementation of the RIPlace evasion technique, publicized by Nyotron.

The RIPlace tool can be used to evade certain AV products, allowing the malware to run uninhibited. Nyotron released their findings on RIPlace in November of 2019 in an effort to educate the public on this newly observed evasion technique. In addition, researchers from Recorded Future indicate that the actors behind Thanos have been repeatedly modifying new variants of the ransomware over the last several months. They are using RIPlace to specifically evade Malwarebytes AntiMalware and Windows Defender products. There is a high likelihood that variants tuned to other products are present in the wild as well.

SentinelOne’s Endpoint Protection platform is fully capable of detection and prevention of Thanos ransomware, as well as threats incorporating the RIPlace evasion technique.