Patch Your WSO2: CVE-2022-29464 Exploited to Install Linux-Compatible Cobalt Strike Beacons, Other Malware
Conclusion
Users of the affected products should immediately patch or apply the temporary mitigation procedures by following the steps identified in the WSO2 security advisory. We also released an initial notification in April, after a preliminary analysis, to inform users and organizations. Three days after the vulnerability was disclosed and a day after the PoC was published, attacks abusing this gap were observed, and they have been notably aggressive in installing web shells. Cobalt Strike beacons were also observed in both Linux and Windows environments. Since there is no official beacon for Linux, the compatible one we observed would have been prepared by the threat actor. We also observed the scan tool fscan for Windows and cryptocurrency miners in the Linux environment. Looking at the vulnerability’s vector analysis, exploiting this gap is easy, as servers running the affected products can be found with a Google or Shodan search. Moreover, the threat actors appear persistent in implementing the existing PoC, and the availability of a Metasploit module is one milestone in the increased exploitation of vulnerabilities by cybercriminals.
While there were previous reports of a Linux-compatible Cobalt Strike beacon, which we detect as Trojan.Linux.VERMILLIONSTRIKE.A, in September 2021, our analysis found that this recent beacon has a different structure. We also observed the installation of other samples of the beacon from the same family in other environments affected by the vulnerability. Considering this, we expect to see samples of this family in vulnerable Linux environments more actively in the future, as the installation of backdoor beacons indicates the potential for more malicious and damaging activity than the installation of coinminers.
WSO2 products are often used in a number of industries such as healthcare, banking, energy, education, government, and communications, among others. A quick scan of the API Manager’s GitHub page shows the source code being committed at least once a day and over 8,000 tickets — a combination of open issues yet to be addressed and issues already remediated — which indicates that its users and contributors are active in its development. Given these factors, abuse of this exploit to infiltrate or infect these critical sectors with malware would not only mean significant disruption, but would also expose a trove of personal and proprietary information, with significant consequences for customers, organizations, the economy, and national security.
Compared to other servers, WSO2 Identity Server can be considered one of the most valuable targets for infiltration by threat actors, as it is an open source Identity and Access Management (IAM) product. Threat actors who gain access to the IAM servers could, at will, access all services and user data whose access is managed by the WSO2 product server. Administrators and IT teams assigned to cleanup should check the WSO2 product’s environment for any files, users, and/or processes that do not belong and remove them all. We continue to observe other attacks and infections that can potentially exploit this vulnerability.
While patching the products reportedly affected by the exploit and its abuse is strongly recommended, best practices also include knowing your environment’s inventory, assessing the impact of vulnerability announcements from vendors, and patching before abuse in the wild is reported. A quick response is especially necessary for RCE vulnerabilities such as this one. In situations where immediate patching cannot be done, and even if you are not a user of the affected products, we recommend that teams and users review their criteria and workflow preparations to verify that the procedures for performing irregular operations can be carried out as quickly as necessary.