The Blackbasta extortion group claims to have hacked Atlas, one of the largest national distributors of fuel in the United States.

Atlas is one of the largest national fuel distributors to 49 continental US States with over 1 billion gallons per year.

The Blackbasta extortion group added the company to the list of victims on its Tor leak site, as the researcher Dominic Alvieri reported.

Atlas Oil allegedly breached by Basta.

Atlas is one of the largest national distributers of fuel to 49 continental US States with over 1 billion gallons per year.

Sunoco is the largest at 8 billion gallons. pic.twitter.com/5OUODUt3fu

— Dominic Alvieri (@AlvieriD) May 20, 2024

The gang claims to have stolen 730GB of data from ATLAS, including Corporate data: Accounts, HR, Finance, Executive, department data, and users and employees’ data.

The gang published a series of documents as proof of the hack, including people’s ID cards, data sheets, payroll payment requesters and a picture of the folder exfiltrated from the victim’s systems.

The oil company has yet to disclose the alleged incident.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlas Oil)

A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads," Securonix

The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from Recorded Future show. "The core of SolarMarker's operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely

One of the enduring challenges of building modern applications is to make them more secure without disrupting high-velocity DevOps processes or degrading the developer experience. Today’s cyber threat landscape is rife with sophisticated attacks aimed at all different parts of the software supply chain and the urgency for software-producing organizations to adopt DevSecOps practices that deeply

File Integrity Monitoring (FIM) is an IT security control that monitors and detects file changes in computer systems. It helps organizations audit important files and system configurations by routinely scanning and verifying their integrity. Most information security standards mandate the use of FIM for businesses to ensure the integrity of their data. IT security compliance involves adhering to

A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution. Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx. "If exploited, it could allow attackers to execute arbitrary code on your system,

A vulnerability in the Fluent Bit Utility, which is used by major cloud providers, can lead to DoS, information disclosure, and potentially RCE.

Tenable researchers have discovered a severe vulnerability in the Fluent Bit utility, which is used on major cloud platforms.

Fluent Bit is an open-source, lightweight, and high-performance log processor and forwarder. It is designed to collect, process, and ship logs and other types of data from various sources to different destinations. Fluent Bit is part of the Fluentd ecosystem and is optimized for resource efficiency, making it suitable for environments with limited resources, such as IoT devices, edge computing, and containerized applications.

The tool had over 3 billion downloads as of 2022 and approximately has 10 million new deployments each day.

The utility is used by major organizations such as VMware, Cisco, Adobe, Walmart, Splunk, Intel, Arm, Adobe and LinkedIn, and almost any cloud service provider, including AWS, Microsoft, and Google Cloud.

Researchers at cybersecurity firm Tenable have discovered a vulnerability in the Fluent Bit utility, called Linguistic Lumberjack, which is tracked CVE-2024-4323 (CVSS score of 9.8).

The vulnerability can trigger a denial-of-service (DoS) condition, lead to an information disclosure, and potentially remote code execution (RCE).

Tenable discovered the vulnerability in the Fluent Bit monitoring API that allows users or services with access to it to launch a Denial of Service (DoS) attack or obtain potentially sensitive information.

Fluent Bit’s monitoring API allows administrators to query and monitor internal service information through various HTTP endpoints, such as those for service uptime and plugin metrics. However, the researchers discovered that endpoints /api/v1/traces and /api/v1/trace, which manage trace configurations, can be accessed by any user with API access.

The vulnerability arises during the parsing of requests to these endpoints, where the data types of input names are not properly validated. They are mistakenly assumed to be valid strings (MSGPACK_OBJECT_STRs). The researchers discovered that an attacker can pass non-string values, such as integers, in the “inputs” array, leading to memory corruption issues. Specifically, the flb_sds_create_len() function can misinterpret the values, causing potential vulnerabilities.

“In their lab environment, the researchers were able to reliably exploit this issue to crash the service and cause a denial of service scenario. They were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses. While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information.” reads the report published by Tenable. “As for the remote code execution possibilities of this issue, exploitation is dependent on a variety of environmental factors such as host architecture and operating system. While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive. The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished.”

The flaw was introduced in version 2.0.7 and exists thru 3.0.3. It is addressed in the main source branch and is expected in release 3.0.4.

Tenable also published a proof-of-concept (PoC) to trigger a DoS condition.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fluent Bit)

 Microsoft on Monday confirmed its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of the year, as it announced a slew of new security measures to harden the widely-used desktop operating system. "Deprecating NTLM has been a huge ask from our security community as it will strengthen user authentication, and deprecation is planned in the second half of 2024," the

Experts warn of fifteen vulnerabilities in the QNAP QTS, the operating system for the Taiwanese vendor’s NAS products.

An audit of QNAP QTS conducted by WatchTowr Labs revealed fifteen vulnerabilities, most of which have yet to be addressed. The most severe vulnerability is a flaw tracked as CVE-2024-27130. The issue is an unpatched stack buffer overflow vulnerability in the ‘No_Support_ACL’ function of ‘share.cgi,’ an unauthenticated attacker can exploit this issue to perform remote code execution under certain conditions.

The WatchTowr Labs researchers also published technical details of the flaw CVE-2024-27130 and a proof of concept (PoC) exploit code.

An attacker can exploit CVE-2024-27130 by sending a malicious request with a specially crafted ‘name’ parameter, causing a buffer overflow and leading to remote code execution. To do this, the attacker needs a valid ‘ssid’ parameter, generated when a NAS user shares a file from their QNAP device. This parameter is included in the URL of the ‘share’ link. An attacker can obtain the parameter by using a social engineering technique.

“Unsafe use of strcpy in No_Support_ACL accessible by get_file_size function of share.cgi leads to stack buffer overflow and thus RCE” reads the advisory published by WatchTowr Labs. To exploit the flaw, an attacker needs a valid NAS user to share a file.

The other vulnerabilities impacting Network Attached Storage (NAS) discovered by WatchTowr code execution, buffer overflow, memory corruption, authentication bypass, and XSS issues impacting the security of Network Attached Storage (NAS) devices across different deployment environments.

Below is the full list of the vulnerabilities discovered by the experts:

Bug	Nature	Fix status	Requirements
CVE-2023-50361	Unsafe use of sprintf in getQpkgDir invoked from userConfig.cgi leads to stack buffer overflow and thus RCE	Patched (see text)	Requires valid account on NAS device
CVE-2023-50362	Unsafe use of SQLite functions accessible via parameter addPersonalSmtp to userConfig.cgi leads to stack buffer overflow and thus RCE	Patched (see text)	Requires valid account on NAS device
CVE-2023-50363	Missing authentication allows two-factor authentication to be disabled for arbitrary user	Patched (see text)	Requires valid account on NAS device
CVE-2023-50364	Heap overflow via long directory name when file listing is viewed by get_dirs function of privWizard.cgi leads to RCE	Patched (see text)	Requires ability to write files to the NAS filesystem
CVE-2024-21902	Missing authentication allows all users to view or clear system log, and perform additional actions (details to follow, too much to list here)	Accepted by vendor; no fix available (first reported December 12th 2023)	Requires valid account on NAS device
CVE-2024-27127	A double-free in utilRequest.cgi via the delete_share function	Accepted by vendor; no fix available (first reported January 3rd 2024)	Requires valid account on NAS device
CVE-2024-27128	Stack overflow in check_email function, reachable via the share_file and send_share_mail actions of utilRequest.cgi (possibly others) leads to RCE	Accepted by vendor; no fix available (first reported January 3rd 2024)	Requires valid account on NAS device
CVE-2024-27129	Unsafe use of strcpy in get_tree function of utilRequest.cgi leads to static buffer overflow and thus RCE	Accepted by vendor; no fix available (first reported January 3rd 2024)	Requires valid account on NAS device
CVE-2024-27130	Unsafe use of strcpy in No_Support_ACL accessible by get_file_size function of share.cgi leads to stack buffer overflow and thus RCE	Accepted by vendor; no fix available (first reported January 3rd 2024)	Requires a valid NAS user to share a file
CVE-2024-27131	Log spoofing via x-forwarded-for allows users to cause downloads to be recorded as requested from arbitrary source location	Accepted by vendor; no fix available (first reported January 3rd 2024)	Requires ability to download a file
WT-2023-0050	N/A	Under extended embargo due to unexpectedly complex issue	N/A
WT-2024-0004	Stored XSS via remote syslog messages	No fix available (first reported January 8th 2024)	Requires non-default configuration
WT-2024-0005	Stored XSS via remote device discovery	No fix available (first reported January 8th 2024)	None
WT-2024-0006	Lack of rate-limiting on authentication API	No fix available (first reported January 23rd 2024)	None
WT-2024-00XX	N/A	Under 90-day embargo as per VDP (first reported May 11th 2024)	N/A

The flaws impact QTS, QuTScloud, and QTS hero.

The vendor responded to the vulnerability reports submitted between December 12, 2023, and January 23, 2024, with multiple delays and has fixed only four of the fifteen flaws.

At this time, QNAP only addressed CVE-2023-50361, CVE-2023-50362, CVE-2023-50363, and CVE-2023-50364 with the release of a security update in April 2024. The following versions fixed the four vulnerabilities:

• QTS 5.1.6.2722 build 20240402 and later
• QuTS hero h5.1.6.2734 build 20240414 and later

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting NextGen Healthcare Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2023-43208 (CVSS score: N/A), concerns a case of unauthenticated remote code execution arising from an incomplete

Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution. The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-0842 (formerly DEV-0842) by