Red Hat Security Advisory 2024-6784-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6784.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.3 security updateAdvisory ID:        RHSA-2024:6784-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6784Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-39908====================================================================Summary: An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.Security Fix(es):* rexml: DoS vulnerability in REXML (CVE-2024-39908)* rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace character, >] and ]> (CVE-2024-41123)* rexml: DoS vulnerability in REXML (CVE-2024-41946)* rexml: DoS vulnerability in REXML (CVE-2024-43398)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-39908References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2298243https://bugzilla.redhat.com/show_bug.cgi?id=2302268https://bugzilla.redhat.com/show_bug.cgi?id=2302272https://bugzilla.redhat.com/show_bug.cgi?id=2307297https://issues.redhat.com/browse/RHEL-55409

Red Hat Security Advisory 2024-6784-03

Red Hat Security Advisory 2024-6783-03 - An update for openssl is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6783.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: openssl security updateAdvisory ID:        RHSA-2024:6783-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6783Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-6119====================================================================Summary: An update for openssl is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.Security Fix(es):* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6119References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2306158

Red Hat Security Advisory 2024-6783-03

Red Hat Security Advisory 2024-6782-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6782.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox  updateAdvisory ID:        RHSA-2024:6782-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6782Issue date:         2024-09-19Revision:           03CVE Names:          ====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6782-03

Red Hat Security Advisory 2024-6779-03 - Red Hat Advanced Cluster Management for Kubernetes 2.10.6 General Availability release images, which fix bugs and update container images.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6779.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Advanced Cluster Management 2.10.6 bug fixes and container updates  
Advisory ID:        RHSA-2024:6779-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6779  
Issue date:         2024-09-19  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.10.6 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.10.6 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/release_notes/

Security fix(es):

CVE-2024-42459 nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended  
CVE-2024-42460 nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero  
CVE-2024-42461 nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2302458  
https://bugzilla.redhat.com/show_bug.cgi?id=2302459  
https://bugzilla.redhat.com/show_bug.cgi?id=2302460

Red Hat Security Advisory 2024-6779-03

Red Hat Security Advisory 2024-6765-03 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6765.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:6765-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6765Issue date:         2024-09-18Revision:           03CVE Names:          CVE-2024-7143====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* python3-pulpcore/python39-pulpcore: RBAC permissions incorrectly assigned in tasks that create objects (CVE-2024-7143)* python3-urllib3/python39-urllib3: urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)* receptor: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)* receptor: golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Updated fallback to use RHSM subscription credential for shipping analytics data if analytics gathering is enabled (AAP-30228)* Upgraded 'channels-redis' library to fix Redis connection leak (AAP-30124)* automation-controller has been updated to 4.5.11Additional fixes:* python3/python39-django has been updated to 4.2.16* python3/python39-pulpcore has been updated to 3.28.32* python3/python39-urllib3 has been updated to 1.26.20* receptor has been updated to 1.4.8-1.1Solution:CVEs:CVE-2024-7143References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2279814https://bugzilla.redhat.com/show_bug.cgi?id=2292787https://bugzilla.redhat.com/show_bug.cgi?id=2292788https://bugzilla.redhat.com/show_bug.cgi?id=2300125

Red Hat Security Advisory 2024-6765-03

Red Hat Security Advisory 2024-6757-03 - An update for libnbd is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6757.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libnbd security updateAdvisory ID:        RHSA-2024:6757-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6757Issue date:         2024-09-18Revision:           03CVE Names:          CVE-2024-7383====================================================================Summary: An update for libnbd is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Network Block Device (NBD) is a protocol for accessing Block Devices (hard disks and disk-like devices) over a Network. The libnbd is a userspace client library for writing NBD clients.Security Fix(es):* libnbd: NBD server improper certificate validation (CVE-2024-7383)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7383References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2302865

Red Hat Security Advisory 2024-6757-03

Red Hat Security Advisory 2024-6755-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6755.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Data Foundation 4.16.2 security and bug fix updateAdvisory ID:        RHSA-2024:6755-03Product:            Red Hat OpenShift Data FoundationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6755Issue date:         2024-09-18Revision:           03CVE Names:          CVE-2024-6104====================================================================Summary: Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.Description:Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multi-cloud data management service with anS3 compatible API.Bug fixes:* Previously, when the label on the node was empty, the mount would fail. With this fix, when the node label is empty, the node is not considered for `crush_location` mount option and as a result persistent volume claim (PVC) mounts successfully. (BZ#2303177)* Previously, after the OpenShift Data Foundation upgrade, the backingstore was stuck with \"Connecting\" status. With this fix, the location of the `upgrade_bucket_policy` script is corrected. (BZ#2303414)All users of Red Hat OpenShift Data Foundation are advised to upgrade to these updated images, which provide these bug fixes.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6104References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/cve/CVE-2024-6104https://access.redhat.com/security/cve/CVE-2024-8421https://access.redhat.com/security/cve/CVE-2024-24789https://access.redhat.com/security/cve/CVE-2024-28176https://access.redhat.com/security/cve/CVE-2024-28863https://access.redhat.com/security/cve/CVE-2024-29180https://access.redhat.com/security/cve/CVE-2024-37890https://access.redhat.com/security/cve/CVE-2024-41818https://bugzilla.redhat.com/show_bug.cgi?id=2266006https://bugzilla.redhat.com/show_bug.cgi?id=2268820https://bugzilla.redhat.com/show_bug.cgi?id=2270863https://bugzilla.redhat.com/show_bug.cgi?id=2290526https://bugzilla.redhat.com/show_bug.cgi?id=2290675https://bugzilla.redhat.com/show_bug.cgi?id=2292668https://bugzilla.redhat.com/show_bug.cgi?id=2292777https://bugzilla.redhat.com/show_bug.cgi?id=2293200https://bugzilla.redhat.com/show_bug.cgi?id=2294000https://bugzilla.redhat.com/show_bug.cgi?id=2300022https://bugzilla.redhat.com/show_bug.cgi?id=2300289https://bugzilla.redhat.com/show_bug.cgi?id=2300332https://bugzilla.redhat.com/show_bug.cgi?id=2300499https://bugzilla.redhat.com/show_bug.cgi?id=2303177https://bugzilla.redhat.com/show_bug.cgi?id=2303414https://bugzilla.redhat.com/show_bug.cgi?id=2304074https://bugzilla.redhat.com/show_bug.cgi?id=2309710https://bugzilla.redhat.com/show_bug.cgi?id=2310210

Red Hat Security Advisory 2024-6755-03

Red Hat Security Advisory 2024-6754-03 - An update for expat is now available for Red Hat Enterprise Linux 9. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6754.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: expat security updateAdvisory ID:        RHSA-2024:6754-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6754Issue date:         2024-09-18Revision:           03CVE Names:          CVE-2024-45490====================================================================Summary: An update for expat is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Expat is a C library for parsing XML documents.Security Fix(es):* libexpat: Negative Length Parsing Vulnerability in libexpat (CVE-2024-45490)* libexpat: Integer Overflow or Wraparound (CVE-2024-45491)* libexpat: integer overflow (CVE-2024-45492)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45490References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2308615https://bugzilla.redhat.com/show_bug.cgi?id=2308616https://bugzilla.redhat.com/show_bug.cgi?id=2308617

Red Hat Security Advisory 2024-6754-03

Red Hat Security Advisory 2024-6753-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include double free and out of bounds read vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6753.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:6753-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6753  
Issue date:         2024-09-18  
Revision:           03  
CVE Names:          CVE-2021-47352  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: ext4: fix double-free of blocks due to wrong extents moved_len (CVE-2024-26704)

* kernel: ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() (CVE-2024-26773)

* kernel: ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (CVE-2024-26772)

* kernel: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (CVE-2024-27020)

* kernel: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (CVE-2024-27019)

* kernel: ipv6: sr: fix out-of-bounds read when setting HMAC data. (CVE-2022-48687)

* kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)

* kernel: virtio-net: Add validation for used length (CVE-2021-47352)

* kernel: mm, thp: bail out early in collapse_file for writeback page (CVE-2021-47492)

* kernel: bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47352

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2273174  
https://bugzilla.redhat.com/show_bug.cgi?id=2273236  
https://bugzilla.redhat.com/show_bug.cgi?id=2273242  
https://bugzilla.redhat.com/show_bug.cgi?id=2278256  
https://bugzilla.redhat.com/show_bug.cgi?id=2278258  
https://bugzilla.redhat.com/show_bug.cgi?id=2278930  
https://bugzilla.redhat.com/show_bug.cgi?id=2281669  
https://bugzilla.redhat.com/show_bug.cgi?id=2282401  
https://bugzilla.redhat.com/show_bug.cgi?id=2282924  
https://bugzilla.redhat.com/show_bug.cgi?id=2298412

Red Hat Security Advisory 2024-6753-03

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.
"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le

Cryptojacking / Cloud Security

The cryptojacking operation known as **TeamTNT** has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.

"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.

The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts.

The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed.

TeamTNT was first discovered in the wild in 2019, undertaking illicit cryptocurrency mining activities by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.

The latest activity linked to the group manifests in the form of a shell script that first checks if it was previously infected by other cryptojacking operations, after which it precedes to impair device security by disabling SELinux, AppArmor, and the firewall.

Changes implemented on ssh service

"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers said. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."

Besides killing all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, terminate containerized processes, and remove images deployed in connection with any coin miners.

Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48\[.\]150) and modifying the "/root/.ssh/authorized\_keys" file to add a backdoor account.

"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers noted. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News