Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Trojanized versions of PuTTY utility being used to spread backdoor
New on LowEndTalk? Please Register and read our Community Rules.

Trojanized versions of PuTTY utility being used to spread backdoor

Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident. The incident caused the employer to become infected with a backdoor tracked by researchers as Airdry.v2. The file was transmitted by a group Mandiant tracks as UNC4034.

https://arstechnica.com/information-technology/2022/09/trojanized-versions-of-putty-utility-being-used-to-spread-backdoor/

Pretty sure this fits the theme of this forum.

Comments

  • For all of you Mac users not doing system admin full-time and just wanting a quick and easy SSH client:

    There’s a neat trick where you can create a config file in the .ssh folder, naming the host, and enetering all of the details, such as a file path to the private key and the username and the IP.

    Then, in the default terminal, you just run ”ssh [name] and you’re in.

    Real nice.

  • Or use the old fashioned way.

    Use terminal to ssh into your server with allow/deny rules. Static IP is a given for that of course.

    Thanked by 1emg
  • emgemg Member
    edited September 2022

    One statement in the ArsTechnica article bothered me:

    "ISO files have been increasingly used in recent months to infect Windows machines because, by default, double-clicking on them causes them to mount as a virtual machine."

    I thought they mounted as virtual drives, not launched as virtual machines. That's what happens on a Windows 10 virtual machine, but I do not have convenient access to Windows on real hardware. I looked at the default applications settings, but there was no listing for ".iso" in the "default applications by extension" list. I note that Hyper-V is not installed on this Windows system.

    Can someone here point me to documentation that describes this auto-launching virtual machine behavior for .iso files, and where is the Windows setting is for it? I find it hard to believe that Microsoft would default to behavior that could automatically launch embedded executables.

  • raindog308raindog308 Administrator
    edited September 2022

    @emgh said: Then, in the default terminal, you just run ”ssh [name] and you’re in.

    This probably is the best approach.

    I've also used either a .bash_profile with aliases like

    alias server1="ssh -o whatever -i ~/.ssh/my-key -p 12345 server1.lowend.party"
    

    Or a script you call with "goto server1 that plugs keys/ports/options.

    Thanked by 4Arkas emg emgh cpsd
  • Why not just use ~/.ssh/config which is designed for exactly this kind of stuff and works the same on every platform?

    Thanked by 1angstrom
  • dfroedfroe Member, Host Rep

    @ralf said:
    Why not just use ~/.ssh/config which is designed for exactly this kind of stuff and works the same on every platform?

    Maybe because people are lazy; and server1 is quicker to type than ssh server1.
    Well, you could also properly use ~/.ssh/config for all configurations and then do alias server1="ssh server1" for the sake of lazyness. :)

  • @ralf said:
    Why not just use ~/.ssh/config which is designed for exactly this kind of stuff and works the same on every platform?

    It's no fun if you can't use BASH ;)

  • NeoonNeoon Member, Community Contributor
    edited September 2022

    @dfroe said:

    @ralf said:
    Why not just use ~/.ssh/config which is designed for exactly this kind of stuff and works the same on every platform?

    Maybe because people are lazy; and server1 is quicker to type than ssh server1.
    Well, you could also properly use ~/.ssh/config for all configurations and then do alias server1="ssh server1" for the sake of lazyness. :)

    Laziness is borderless.

  • yoursunnyyoursunny Member, IPv6 Advocate
    edited September 2022

    PuTTY used to be the only choice on Windows.

    Now I have Git for Windows that includes ssh.exe.
    I primarily use normal .ssh/config just like on Linux computers.
    I even have (manual) synchronization of the config file.

    There's an OpenSSH Client component in Windows.
    However, I found that it lacks certain features, such as ProxyJump.
    Hence I use the program from Git for Windows.

    Thanked by 1angstrom
  • @serv_ee said:
    Or use the old fashioned way.

    Use terminal to ssh into your server with allow/deny rules. Static IP is a given for that of course.

    I screwed myself with this one just recently. My IP wasn't officially static at home, but I'd had the same IP for ~12 years, across different modems and routers, so I figured I'd throw an extra layer of security on my dedi that I don't bother with on VPSs. Spectrum decided to redo all of my area's hardware, and absolutely wrecked my day. No big deal, I added two of my VPS IPs to the firewall also just for this situation, except they were both VirMach VPSs that moved to a new IP with ryzen migrations, and I hadn't got around to updating those rules either. Whoops.

    Thanked by 1emgh
  • @bakageta said:

    @serv_ee said:
    Or use the old fashioned way.

    Use terminal to ssh into your server with allow/deny rules. Static IP is a given for that of course.

    I screwed myself with this one just recently. My IP wasn't officially static at home, but I'd had the same IP for ~12 years, across different modems and routers, so I figured I'd throw an extra layer of security on my dedi that I don't bother with on VPSs. Spectrum decided to redo all of my area's hardware, and absolutely wrecked my day. No big deal, I added two of my VPS IPs to the firewall also just for this situation, except they were both VirMach VPSs that moved to a new IP with ryzen migrations, and I hadn't got around to updating those rules either. Whoops.

    Yeah thats why I need to pay €6/mo from Telia to keep my static on my home connection.

    But that 6 euros at least gives me peace of mind.

  • TimboJonesTimboJones Member
    edited September 2022

    @emg said:
    One statement in the ArsTechnica article bothered me:

    "ISO files have been increasingly used in recent months to infect Windows machines because, by default, double-clicking on them causes them to mount as a virtual machine."

    I thought they mounted as virtual drives, not launched as virtual machines. That's what happens on a Windows 10 virtual machine, but I do not have convenient access to Windows on real hardware. I looked at the default applications settings, but there was no listing for ".iso" in the "default applications by extension" list. I note that Hyper-V is not installed on this Windows system.

    Can someone here point me to documentation that describes this auto-launching virtual machine behavior for .iso files, and where is the Windows setting is for it? I find it hard to believe that Microsoft would default to behavior that could automatically launch embedded executables.

    You're right, they're wrong. With the right default setting, double clicking an ISO only mounts as virtual drive.

    There is autoruns that could be on ISO, but I'm sure you have to jump through hoops to enable running autoruns since its been attack vector for decades.

    Are there any Linux "try before installing" ISO's that could run a Linux VM in Windows by running the autoruns?

  • WebProjectWebProject Member, Host Rep

    @serv_ee said:

    @bakageta said:

    @serv_ee said:
    Or use the old fashioned way.

    Use terminal to ssh into your server with allow/deny rules. Static IP is a given for that of course.

    I screwed myself with this one just recently. My IP wasn't officially static at home, but I'd had the same IP for ~12 years, across different modems and routers, so I figured I'd throw an extra layer of security on my dedi that I don't bother with on VPSs. Spectrum decided to redo all of my area's hardware, and absolutely wrecked my day. No big deal, I added two of my VPS IPs to the firewall also just for this situation, except they were both VirMach VPSs that moved to a new IP with ryzen migrations, and I hadn't got around to updating those rules either. Whoops.

    Yeah thats why I need to pay €6/mo from Telia to keep my static on my home connection.

    But that 6 euros at least gives me peace of mind.

    You can get static IP cheaper way, create a VM and use WireGuard, so this way get static IP and when you do use public WIFI so you know that traffic is encrypted.

  • Tony40Tony40 Member
    edited September 2022

    "PuTTY is an open source secure shell and telnet application. Secure versions of it are signed by the official developer. The version sent in the WhatsApp message was not signed."

    Thanked by 1intermall
Sign In or Register to comment.