BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.

In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of administrative rights.

The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (lolbas).

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

Fin7 was observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.

In the attacks analyzed by BlackBarry, threat actors used a typosquatting technique, they used a malicious URL “advanced-ip-sccanner[.]com” masquerading as the legitimate website “advanced-ip-scanner[.]com”, which is a free online scanner.

Upon visiting the rogue site, visitors are redirected to “myipscanner[.]com”, which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.

Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called ‘dmxl.bin,’ which contains the Anunak payload.

The threat actors used WsTaskLoad.exe to install OpenSSH to maintain persistence, they used scheduled task to persist OpenSSH on the victim’s machine.

While historical data demonstrate that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.

“While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated.” concludes the report that also includes recommendations for Mitigation and IoCs (Indicators of Compromise). “BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, FIN7)

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.

An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms.

Law enforcement from 19 countries participated in the operation which resulted in the arrest of 37 individuals.

The phishing-as-a-service platform was available on the clear web and has been shut down by the police.

Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.

Phishing as a service (PaaS) platforms provide phishing tools and resources to crooks, often for a fee or subscription. These tools typically include pre-designed phishing templates, email or text message sending capabilities, website hosting services for phishing pages. Most important PhaaS platforms also provide technical support to their customers.

LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 for use the platform’s services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.

“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.” reads the announcement published by Europol

Australian police arrested five individuals across the country as part of the operation, the authorities reported that more than 94,000 people in Australia were victims of the attacks launched through the platform.

“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.” reported the AFP.

“As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia. A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.”

The U.K. Metropolitan Police said LabHost’s sites have ensnared approximately 70,000 victims in the UK alone. On a global scale, the service has acquired 480,000 card numbers, 64,000 PIN numbers, and over one million passwords for various online services. The actual number of victims is anticipated to surpass current estimates, with ongoing efforts focused on identifying and assisting as many affected individuals as feasible.

Operators behind the PhaaS received about £1 million in payments from criminal users since its launch.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PhaaS)

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up. "They

Super Low RPO with Continuous Data Protection:Dial Back to Just Seconds Before an Attack Zerto, a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use

A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service

Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since 2022.

WithSecure researchers identified a new backdoor named Kapeka that has been used in attacks targeting victims in Eastern Europe since at least mid-2022. The backdoor is very sophisticated, it serves as both an initial toolkit and as a backdoor for maintaining long-term access to compromised systems. The nature of the targets, low detection rate, and sophisticated malware-supported features suggest that an APT group developed it.

WithSecure noticed overlaps between Kapeka and GreyEnergy and the Prestige ransomware attacks which are attributed to the Russia-linked Sandworm APT group. WithSecure believes that Kapeka is likely part of the Sandworm’s arsenal.

The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine,including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

“Kapeka contains a dropper that will drop and launch a backdoor on a victim’s machine and then remove itself. The backdoor will first collect information and fingerprint both the machine and user before sending the details on to the threat actor.” states WithSecure. “This allows tasks to be passed back to the machine or the backdoor’s configuration to be updated. WithSecure do not have insight as to how the Kapeka backdoor is propagated by Sandworm.”

The researcher speculates that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm.

Kapeka includes a dropper that acts as a launcher for a backdoor component on the infected host, after which it removes itself. The dropper also sets up persistence for the backdoor through a scheduled task (if admin or SYSTEM) or autorun registry (if not).

The Kapeka backdoor is a Windows DLL, which has a single exported function. The malware masqueraded as a Microsoft Word Add-In (.wll) file. It is written in C++ and compiled with Visual Studio 2017 (15.9). Upon execution, it requires the “-d” argument in the initial run but not for subsequent executions. The malware has a multi-threaded implementation, utilizing event objects for thread synchronization and signaling.

The backdoor employs the WinHttp 5.1 COM interface (winhttpcom.dll) for its network communication module. It interacts with its C2 server to fetch tasks and relay fingerprinted data and task outcomes. The malware uses JSON for C2 communication. Two distinct threads manage network communication: one for sending fingerprinted data and fetching tasks, and another for transmitting completed task results to the C2. Both threads utilize the same request/response mechanism.

The backdoor can update its C2 configuration dynamically by receiving a new JSON configuration (with the key “GafpPS”) from the C2 server during polling. If the received configuration differs from the current one, the backdoor updates its configuration on-the-fly and stores the latest C2 configuration in the registry value (“Seed”). The backdoor can also perform various tasks on the infected system by receiving a list of tasks as a JSON response (with the key “Td7opP”) from its C2 server during polling. The malicious code spawns a separate thread to execute each task.

“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin. However, due to sparsity of data at the time of writing the infection vector, the threat actor, and the actor’s ‘actions on objectives’ cannot be conclusively stated. Nevertheless, we examined multiple data points that strongly suggests a link between Kapeka and Sandworm”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Sandworm)

Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly available exploit code exists.

Cisco has addressed a high-severity Integrated Management Controller (IMC) vulnerability and is aware of a public exploit code for this issue. The PoC exploit code allows a local attacker to escalate privileges to root.

Cisco Integrated Management Controller (IMC) is a baseboard management controller (BMC) that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers.

The vulnerability, tracked as CVE-2024-20295, resides in the CLI of the Cisco Integrated Management Controller (IMC). A local, authenticated attacker can exploit the vulnerability to conduct command injection attacks on the underlying operating system and elevate privileges to root. The IT giant reported that to exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.” reads the advisory.

The flaw impacts the following products if they are running a vulnerable release of Cisco IMC in the default configuration:

• 5000 Series Enterprise Network Compute Systems (ENCS)
• Catalyst 8300 Series Edge uCPE
• UCS C-Series Rack Servers in standalone mode
• UCS E-Series Servers

The IT giant devices that are based on a preconfigured version of a UCS C-Series Server are also impacted by this flaw if they expose access to the IMC CLI. 

The company states that there are no workarounds to solve this vulnerability.

The Cisco PSIRT is aware that proof-of-concept exploit code is available for this vulnerability, however it is not aware of attacks in the wild exploiting it.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PoC exploit)

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024. OpenMetadata is an open-source platform that operates as a

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell. "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby

Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.

At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.

The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.

Cado Security Labs recently became aware that Cerber ransomware is being deployed into Confluence servers via the CVE-2023-22518 exploit. The experts pointed out that there is very little knowledge about the Linux variant of the ransomware family.

Cerber has been active since at least 2016, most recently it was involved in attacks against Confluence servers.

The malware includes three heavily obfuscated C++ payloads compiled as 64-bit Executable and Linkable Format (ELF) files and packed with UPX. UPX is a widely-used packer among threat actors, enabling the storage of encoded program code within the binary. At runtime, the code is extracted in memory and executed, a process known as “unpacking,” to evade detection by security software.

Attackers exploited this vulnerability to gain initial access to vulnerable Atlassian instances.

“We have observed instances of the Cerber ransomware being deployed after an attacker leveraged CVE-2023-22518 in order to gain access to vulnerable instances of Confluence. It is a fairly recent improper authorization vulnerability that allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint used by the setup wizard.” states Cado Security.

Financially motivated threat actors created an admin account to deploy the Effluence web shell plugin and execute arbitrary commands on the vulnerable server.

The attackers use the web shell to download and run the primary Cerber payload.

“In a default install, the Confluence application is executed as the “confluence” user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user. It will of course succeed in encrypting the datastore for the Confluence application, which can store important information.” continues the report. “If it was running as a higher privilege user, it would be able to encrypt more files, as it will attempt to encrypt all files on the system.”

The payload is written in C++ and is highly obfuscated, and packed with UPX. The researchers pointed out that it serves as a stager for further payloads, the malware uses a C2 server at 45[.]145[.]6[.]112 to download and unpack further payloads. Upon execution, the malicious code can delete itself from the disk.

Upon execution, the malware unpacks itself, and tries to create a file at /var/lock/0init-ld.lo.  

It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and fetches a log checker known internally as agttydck.

Upon executing the “agttydck.bat” the encryptor payload “agttydcb.bat” is downloaded and executed by the primary payload.

The agttydck malware, written in C++ and packed with UPX, performs several malicious actions: it logs activity in “/tmp/log.0” at startup and “/tmp/log.1” at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a “.L0CK3D” extension.

“Cerber is a relatively sophisticated, albeit aging, ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up. This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up.” concludes the report that also includes Indicators of compromise (IoCs).

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Cerber ransomware)

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-08 to 2024-04-16.

News

• Google Public Sector achieves Top Secret and Secret cloud authorization - Google has entered the chat. With Microsoft's recent APT issues, I wonder if any any orgs will consider Google.
• Muddled Libra's Evolution to the Cloud - Unit 42 researchers discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
• Toward greater transparency: Adopting the CWE standard for Microsoft CVEs - "...we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard."
• Our Response to Hashicorp's Cease and Desist Letter - Some turmoil in the IaC world. "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts."
• Amazon CloudFront now supports Origin Access Control (OAC) for Lambda function URL origins - Let your cloud teams know!
• [PDF] KONA BLU - Declassified DHS project - KONA BLUE - A special access program for recovering materials user for inter dimensional, time, and space travel. While the project only was a SAP for 6 months and seems like it [PDF] never really did anything a look into what goes into a SAP is interesting and the first example being declassified we are aware of.
• Microsoft will add External Recipient Rate email limits to Exchange Online in January 2025 - The paywalls continue, this is a push for more revenue from the Azure email service. This could impact your bulk phishing engagements if you're using exchange as your mail sender and send to more than 2,000 recipients a day.
• Twitter's Clumsy Pivot to X.com Is a Gift to Phishers - Rewriting URLs is a dangerous game.
• Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) - This is being actively exploited in the wild, and is this month's SSLVPN RCE...

Techniques and Write-ups

• Using Microsoft Dev Tunnels for C2 Redirection - Using dev tunnels as your C2. Careful with burning your Microsoft account.
• CS Technologies — Evolution Vulnerabilities - A set of vulnerabilities within software used to administer the EVO2 and EVO4 door access controllers. Chained together, this leads to unauthenticated access to add a user with access to every door in the building, control doors, etc.
• A trick, the story of CVE-2024-26230 - A step-by-step walkthrough of CVE-2024-26230 (use-after-free vulnerability in the telephony service)
• We discovered an AWS access vulnerability - A vulnerability in AWS STS allowed users to gain unauthorized account access due to incorrect role trust policy evaluations. It's been patched! Cool to read that this SaaS has a different AWS account per customer as a security boundary.
• Resolving Stack Strings with Capstone Disassembler & Unicorn in Python - Walkthrough on how to resolve stack strings in malware using Capstone Disassembler and Unicorn Emulator in Python. They used Conti Ransomware to showcase it.
• Chaining N-days to Compromise All: Part 3 — Windows Driver LPE: Medium to System - This post discusses the exploitation of a logic bug in the Windows kernel driver mskssrv.sys (CVE-2023-29360), which was demonstrated in Pwn2Own 2023. The exploit allows priv-esc from user to SYSTEM by manipulating the Memory Descriptor List (MDL) to map physical memory addresses incorrectly, effectively bypassing security checks. It was part of this crazy VM escape chain.
• Rooting out Risky SCCM Configs with Misconfiguration Manager - The SpecterOps team has published a script for sysadmins and infosec practitioners to identify every TAKEOVER and ELEVATE attack in Misconfiguration-Manager. SCCM is an overlooked attack surface that usually holds a privileged position in the AD network.
• Understanding ETW Patching - A quick summary from @jsecurity101 on how function patching can be applied to ETW providers to alter or inhibit their standard behavior, potentially evading detection by modifying or bypassing function execution in both user-mode and kernel-mode operations.
• CreateRCE — Yet Another Vulnerability in CreateUri In another episode of Akamai vs Outlook clients... "An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click)". The technical write-up of CVE-2023-35628 which was patched December 2023.
• Sysrv Infection (Linux Edition) - Write up of the Sysrv botnet, which deployed a crypto miner on a Linux system using a payload pulled down from a specified URL. Sometimes detecting these can be as easy as checking those DNS logs for known mining pools.
• My Journey on Integrating Sliver into Mythic - Mythic agents that use Mythic's API and Sliver's API to remotely control Sliver agents from within Mythic!
• How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses - "Leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly."
• Why you shouldn't use a commercial VPN: Amateur hour with Windscribe - If you are going to use a commercial VPN, at least generate standard WireGuard or OpenVPN configs and use the industry standard apps. This is why.
• Flaw in PuTTY P-521 ECDSA signature generation leaks SSH private keys - "An attacker who compromises an SSH server may be able to leverage this vulnerability to compromise the user's private key. Attackers may also be able to compromise the SSH private keys of anyone who used git+ssh with commit signing and a P-521 SSH key, simply by collecting public commit signatures." Cryptography is hard!

Tools and Exploits

• UserManagerEoP - PoC for CVE-2023-36047. Patched last week. Should still be viable if you're on an engagement right now!
• Gram - Klarna's own threat model diagramming tool
• Shoggoth - Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.
• ExploitGSM - Exploit for 6.4 - 6.5 Linux kernels and another exploit for 5.15 - 6.5. Zero days when published.
• Copilot-For-Security - Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant to responsible AI principles
• CVE-2024-21378 - DLL code for testing CVE-2024-21378 in MS Outlook. Using this with Ruler.
• ActionsTOCTOU - Example repository for GitHub Actions Time of Check to Time of Use (TOCTOU vulnerabilities).
• obfus.h - obfus.h is a macro-only library for compile-time obfuscating C applications, designed specifically for the Tiny C (tcc). It is tailored for Windows x86 and x64 platforms and supports almost all versions of the compiler.
• Wareed DNS C2 is a Command and Control (C2) that utilizes the DNS protocol for secure communications between the server and the target. Designed to minimize communication and limit data exchange, it is intended to be a first-stage C2 to persist in machines that don't have access to the internet via HTTP/HTTPS, but where DNS is allowed.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Can you hack your government? - A list of governments with Vulnerability Disclosure Policies.
• GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
• AssetViz - AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.
• GMER - the art of exposing Windows rootkits in kernel mode - GMER is an anti-rootkit tool used to detect and combat rootkits, specifically focusing on the prevalent kernel mode rootkits, and remains effective despite many anti-rootkits losing relevance with advancements in Windows security.
• AiTM Phishing with Azure Functions - The deployment of a serverless AiTM phishing toolkit using Azure Functions to phish Entra ID credentials and cookies
• orange - Orange Meets is a demo application built using Cloudflare Calls. To build your own WebRTC application using Cloudflare Calls. Combine this with some OpenVoice or Real-Time-Voice-Cloning. Scary.
• awesome-secure-defaults - Share this with your development teams and friends or use it in your own tools. "Awesome secure by default libraries to help you eliminate bug classes!"
• NtWaitForDebugEvent + WaitForMultipleObjects - Using these two together to wait for debug events from multiple debugees at once.
• taranis-ai - Taranis AI is an advanced Open-Source Intelligence (OSINT) tool, leveraging Artificial Intelligence to revolutionize information gathering and situational analysis.
• MSFT_DriverBlockList - Repository of Microsoft Driver Block Lists based off of OS-builds.
• HSC24RedTeamInfra - Slides and Codes used for the workshop Red Team Infrastructure Automation at HackSpanCon2024.
• SuperMemory - Build your own second brain with supermemory. It's a ChatGPT for your bookmarks. Import tweets or save websites and content using the chrome extension.
• Kubenomicon - An open source offensive security focused threat matrix for kubernetes with an emphasis on walking through how to exploit each attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022. The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or

The introduction of Open AI’s ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing,

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can lead to remote command execution.

Ivanti addressed multiple flaws in its Avalanche mobile device management (MDM) solution, including two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, that can lead to remote command execution.

The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets all in one system.

Below is the description for the two vulnerabilities:

• CVE-2024-24996 (CVSS score 9.8) – A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. 
• CVE-2024-29204 (CVSS score 9.8) – A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

A remote attacker can exploit both issues to execute code without user interaction.

Ivanti also addressed tens of medium and high-severity vulnerabilities that could be exploited to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks and read sensitive information from memory.

The software company is not aware of attacks in the wild exploiting one of these vulnerabilities at the time of disclosure. 

The company addressed the vulnerability with the release of Avalanche 6.4.3.

“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here.” reads the advisory.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Avalanche mobile device management)

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. Armed with this access, a

Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said. Successful attacks could

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS.

Researchers at watchTowr Labs have released a technical analysis of the vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS and a proof-of-concept exploit that can be used to execute shell commands on vulnerable firewalls.

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

Now watchTowr Labs released another detection artifact generator tool in the form of an HTTP request

“As we can see, we inject our command injection payload into the SESSID cookie value – which, when a Palo Alto GlobalProtect appliance has telemetry enabled – is then concatenated into a string and ultimately executed as a shell command.” reads the analysis published by watchTowr Labs.

“Something-something-sophistication-levels-only-achievable-by-a-nation-state-something-something.”

Justin Elze, CTO at TrustedSec, also published the exploit used in attacks in the wild.

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…

— Justin Elze (@HackingLZ) April 16, 2024

This week, US CISA added the vulnerability CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to address it by April 19th.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PAN-OS)

Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services.  

Cisco Talos researchers warn of large-scale credential brute-force attacks targeting multiple targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

Below is a list of known affected services: 

• Cisco Secure Firewall VPN 
• Checkpoint VPN  
• Fortinet VPN  
• SonicWall VPN  
• RD Web Services 
• Miktrotik 
• Draytek 
• Ubiquiti 

Successful brute-force attacks can result in unauthorized network access, account lockouts, or denial-of-service (DoS) conditions.

These attacks originate from TOR exit nodes and anonymizing tunnels and proxies, such as:  

• VPN Gate  
• IPIDEA Proxy  
• BigMama Proxy  
• Space Proxies  
• Nexus Proxy  
• Proxy Rack 

“The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry.” reads the advisory published by Cisco Talos.

The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.

The advisory published by Talos includes a list of indicators of compromise (IoCs) for this campaign.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, brute-force)

The PuTTY Secure Shell (SSH) and Telnet client are impacted by a critical vulnerability that could be exploited to recover private keys.

PuTTY tools from 0.68 to 0.80 inclusive are affected by a critical vulnerability, tracked as CVE-2024-31497, that resides in the code that generates signatures from ECDSA private keys which use the NIST P521 curve.

An attacker can exploit the vulnerability to recover NIST P-521 private keys.

“The effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.” reads the advisory. “To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)”

The vulnerability was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. Bäumer explained that the vulnerability stems from the generation of biased ECDSA cryptographic nonces, which could allow full secret key recovery.

“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.” Baumer explained. “The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).”

The following products include an affected PuTTY version and are therefore are also impacted by the flaw:

• FileZilla (3.24.1 – 3.66.5)
• WinSCP (5.9.5 – 6.3.2)
• TortoiseGit (2.4.0.2 – 2.15.0)
• TortoiseSVN (1.10.0 – 1.14.6)

The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.

Any product or component using ECDSA NIST-P521 keys impacted by the flaw CVE-2024-31497 should be deemed compromised. These keys should be revoked by removing them from authorized_keys, GitHub repositories, and any other relevant platforms.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PuTTY Secure Shell (SSH))

Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. "The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS

Researchers warn of a renewed cyber espionage campaign targeting users in South Asia with the Apple iOS spyware LightSpy

Blackberry researchers discovered a renewed cyber espionage campaign targeting South Asia with an Apple iOS spyware called LightSpy.

The sophisticated mobile spyware has resurfaced after several months of inactivity, the new version of LightSpy, dubbed “F_Warehouse”, supports a modular framework with extensive spying capabilities.

LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user KeyChain data, device lists, and execute shell commands, potentially gaining full control over the device.

The evidence gathered by the experts, including code comments and error messages, suggests that the creators of LightSpy are native Chinese speakers, prompting concerns regarding potential state-sponsored activity.

LightSpy implements certificate pinning to prevent detection of C2 communication, if the victim is on a network where traffic is being inspected, no connection to the C2 server will be established.

Based on previous campaigns, the attack chain likely commences by visiting compromised news websites carrying stories related to Hong Kong. A first-stage implant is delivered to the visitors, it gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.

“The Loader initiates the process by loading both the encrypted and subsequently decrypted LightSpy kernel. The core of LightSpy functions as a complex espionage framework, designed to accommodate extensions via a plugin system.” reads the report published by BlackBerry. “The Loader is responsible for loading these plugins, each of which extends the functionality of the main LightSpy implant. Each plugin undergoes a process of secure retrieval from the threat actor’s server in an encrypted format, followed by decryption, before being executed within the system environment.”

In March 2020, security experts at Trend Micro observed a campaign aimed at infecting the iPhones of users in Hong Kong with an iOS version of the LightSpy backdoor.

Attackers used malicious links spread through posts on forums popular in Hong Kong, which led users to real news sites that were compromised by injecting a hidden iframe that would load and run malware.

There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that’s distributed via watering hole attacks through compromised news sites.

The latest LightSpy version uses the F_Warehouse framework that supports the following capabilities:

• Exfiltrate files: Systematically search and steal files from the compromised mobile device.
• Record audio: Covertly capture audio through the device’s microphone.
• Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
• Track user activity: Harvest browsing history data to monitor online behavior.
• Application inventory: Gather details about installed applications on the device.
• Capture images: Secretly take pictures using the device’s camera.
• Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
• Device enumeration: Identify and list devices connected to the compromised system.

The researchers noticed that the malware communicates with a server located at hxxps://103.27[.]109[.]217:52202, which also hosts an administrator panel accessible on port 3458.

The panel shows a message in Chinese language saying that the username or password is incorrect when the users enter the wrong credentials.

This report also includes a list of IoCs for this threat.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, European railways)

The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. "The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. "Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in

Amidst rising tensions with China in the SCS, Resecurity observed a spike in malicious cyber activity targeting the Philippines in Q1 2024.

Amidst rising tensions with China in the South China Sea, Resecurity has observed a significant spike in malicious cyber activity targeting the Philippines in Q1 2024, increasing nearly 325% compared to the same period last year. The number of cyberattacks involving hacktivist groups and foreign misinformation campaigns has nearly tripled. In Q2 2024, this growth trajectory continues, with Resecurity observing multiple cyberattacks staged by previously unknown threat actors. These attacks are characterized by the intersection of ideological “hacktivist” motivations and nation-state-sponsored propaganda.

One prolific example of this dynamic is the China-linked Mustang Panda group, which Resecurity observed using cyberspace to stage sophisticated information warfare campaigns. There is a thin line between cybercriminal activity (supported by the state) and nation-state actors engaging in malicious cyber activity. Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online. This tactic is often combined with false-flag attacks originating under publicly known threat-actor profiles to keep a distance from the real intellectual authors of these malign campaigns.

According to experts, the underground scene of actors is represented by the following threat groups accelerating their activity – Philippine Exodus Security (PHEDS), Cyber Operation Alliance (COA), Robin Cyber Hood (RCH), and DeathNote Hackers (Philippines), as well as independent actors and mercenaries recruited to conduct targeted attacks. Notably, some of these groups were also spotted collaborating with Arab Anonymous and Sylnet Gang-SG.

Resecurity interprets this activity as pre-staging for broader malicious, foreign cyber-threat actor activity in the region, including cyber espionage and targeted attacks against government agencies and critical infrastructure. Multiple government resources such as the Department of Interior and Local Government, Bureau of Plant Industry, Philippine National Police, and Bureau of Customs have been targeted.

The full report is available here.

https://www.resecurity.com/blog/article/misinformation-and-hacktivist-campaigns-target-the-philippines-amidst-rising-tensions-with-china

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – misinformation, The Philippines)

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond.

On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.