The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days.

In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, a nation state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

“Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account.” reads a post published by the organization on Medium. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration. 

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO, MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Ivanti)

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave. The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear. "Waterbear is known for its complexity, as it

Attackers are increasingly making use of “networkless” attack techniques targeting cloud apps and identities. Here’s how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services.  Before getting into the details of the attack techniques being used, let’s discuss why

Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S.,

China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher Wray.

FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.

According to the FBI chief, the Chinese hackers are waiting “for just the right moment to deal a devastating blow.”

In February, US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released a technical guide containing recommendations to identify and mitigate living off the land techniques adopted by the APT group.

A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.

Wray confirmed that Volt Typhoon’s campaign is still ongoing and breached numerous American companies in telecommunications, energy, water and other critical sectors.

The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.

The FBI Director remarked that China is developing the “ability to physically wreak havoc on US critical infrastructure at a time of its choosing,” “Its plan is to land low blows against civilian infrastructure to try to induce panic.”

Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning, however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.

Wray added that the China-linked actors employed a series of botnets in their activities.

In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.

The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E. 

The researchers pointed out that the use of the KV-Botnet is limited to China-linked actors. Thus far the victimology aligns primarily with a strategic interest in the Indo-Pacific region, the experts observed a focus on ISPs and government organizations.

About the author: Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, China)

The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.

The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft.

The United Nations Development Programme (UNDP) is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development.

The cyber attack recently targeted the IT infrastructure of the Agency in UN City, Copenhagen.

On March 27, UNDP became aware that a data-extortion threat actor had stolen data, including human resources and procurement information.

“On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information.” reads the statement published by the Agency. “Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted.” 

UNDP is investigating the security incident to determine the scope of the cyberattack. The agency is keeping individuals affected by the breach updated and sharing information with other stakeholders, including its partners across the UN system.

“UNDP takes this incident extremely seriously and we reiterate our dedication to data security. We are committed to continue working to detect and minimize the risk of cyber-attacks.” continues the statement.

UNDP did not share details about the attack, however, on March 27, 2024, the ransomware group 8base added the agency to its Tor leak site (the Tor leak site is unavailable at the time of this writing).

The extortion group as yet to publish the stolen data.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, United Nations Development Programme)

Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T. Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed 

BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.

In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of administrative rights.

The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (lolbas).

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

Fin7 was observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.

In the attacks analyzed by BlackBarry, threat actors used a typosquatting technique, they used a malicious URL “advanced-ip-sccanner[.]com” masquerading as the legitimate website “advanced-ip-scanner[.]com”, which is a free online scanner.

Upon visiting the rogue site, visitors are redirected to “myipscanner[.]com”, which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.

Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called ‘dmxl.bin,’ which contains the Anunak payload.

The threat actors used WsTaskLoad.exe to install OpenSSH to maintain persistence, they used scheduled task to persist OpenSSH on the victim’s machine.

While historical data demonstrate that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.

“While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated.” concludes the report that also includes recommendations for Mitigation and IoCs (Indicators of Compromise). “BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, FIN7)

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.

An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms.

Law enforcement from 19 countries participated in the operation which resulted in the arrest of 37 individuals.

The phishing-as-a-service platform was available on the clear web and has been shut down by the police.

Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.

Phishing as a service (PaaS) platforms provide phishing tools and resources to crooks, often for a fee or subscription. These tools typically include pre-designed phishing templates, email or text message sending capabilities, website hosting services for phishing pages. Most important PhaaS platforms also provide technical support to their customers.

LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 for use the platform’s services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.

“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.” reads the announcement published by Europol

Australian police arrested five individuals across the country as part of the operation, the authorities reported that more than 94,000 people in Australia were victims of the attacks launched through the platform.

“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails.” reported the AFP.

“As a result of the Australian arm of the investigation, led by the AFP’s Joint Policing Cybercrime Coordination Centre (JCP3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia. A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences.”

The U.K. Metropolitan Police said LabHost’s sites have ensnared approximately 70,000 victims in the UK alone. On a global scale, the service has acquired 480,000 card numbers, 64,000 PIN numbers, and over one million passwords for various online services. The actual number of victims is anticipated to surpass current estimates, with ongoing efforts focused on identifying and assisting as many affected individuals as feasible.

Operators behind the PhaaS received about £1 million in payments from criminal users since its launch.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PhaaS)

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018. More than 20 such documents have been uploaded since 2022. "The documents contained VBA

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up. "They

Super Low RPO with Continuous Data Protection:Dial Back to Just Seconds Before an Attack Zerto, a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use

A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service

Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since 2022.

WithSecure researchers identified a new backdoor named Kapeka that has been used in attacks targeting victims in Eastern Europe since at least mid-2022. The backdoor is very sophisticated, it serves as both an initial toolkit and as a backdoor for maintaining long-term access to compromised systems. The nature of the targets, low detection rate, and sophisticated malware-supported features suggest that an APT group developed it.

WithSecure noticed overlaps between Kapeka and GreyEnergy and the Prestige ransomware attacks which are attributed to the Russia-linked Sandworm APT group. WithSecure believes that Kapeka is likely part of the Sandworm’s arsenal.

The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine,including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

“Kapeka contains a dropper that will drop and launch a backdoor on a victim’s machine and then remove itself. The backdoor will first collect information and fingerprint both the machine and user before sending the details on to the threat actor.” states WithSecure. “This allows tasks to be passed back to the machine or the backdoor’s configuration to be updated. WithSecure do not have insight as to how the Kapeka backdoor is propagated by Sandworm.”

The researcher speculates that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm.

Kapeka includes a dropper that acts as a launcher for a backdoor component on the infected host, after which it removes itself. The dropper also sets up persistence for the backdoor through a scheduled task (if admin or SYSTEM) or autorun registry (if not).

The Kapeka backdoor is a Windows DLL, which has a single exported function. The malware masqueraded as a Microsoft Word Add-In (.wll) file. It is written in C++ and compiled with Visual Studio 2017 (15.9). Upon execution, it requires the “-d” argument in the initial run but not for subsequent executions. The malware has a multi-threaded implementation, utilizing event objects for thread synchronization and signaling.

The backdoor employs the WinHttp 5.1 COM interface (winhttpcom.dll) for its network communication module. It interacts with its C2 server to fetch tasks and relay fingerprinted data and task outcomes. The malware uses JSON for C2 communication. Two distinct threads manage network communication: one for sending fingerprinted data and fetching tasks, and another for transmitting completed task results to the C2. Both threads utilize the same request/response mechanism.

The backdoor can update its C2 configuration dynamically by receiving a new JSON configuration (with the key “GafpPS”) from the C2 server during polling. If the received configuration differs from the current one, the backdoor updates its configuration on-the-fly and stores the latest C2 configuration in the registry value (“Seed”). The backdoor can also perform various tasks on the infected system by receiving a list of tasks as a JSON response (with the key “Td7opP”) from its C2 server during polling. The malicious code spawns a separate thread to execute each task.

“The backdoor’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin. However, due to sparsity of data at the time of writing the infection vector, the threat actor, and the actor’s ‘actions on objectives’ cannot be conclusively stated. Nevertheless, we examined multiple data points that strongly suggests a link between Kapeka and Sandworm”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Sandworm)

Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly available exploit code exists.

Cisco has addressed a high-severity Integrated Management Controller (IMC) vulnerability and is aware of a public exploit code for this issue. The PoC exploit code allows a local attacker to escalate privileges to root.

Cisco Integrated Management Controller (IMC) is a baseboard management controller (BMC) that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers.

The vulnerability, tracked as CVE-2024-20295, resides in the CLI of the Cisco Integrated Management Controller (IMC). A local, authenticated attacker can exploit the vulnerability to conduct command injection attacks on the underlying operating system and elevate privileges to root. The IT giant reported that to exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.” reads the advisory.

The flaw impacts the following products if they are running a vulnerable release of Cisco IMC in the default configuration:

• 5000 Series Enterprise Network Compute Systems (ENCS)
• Catalyst 8300 Series Edge uCPE
• UCS C-Series Rack Servers in standalone mode
• UCS E-Series Servers

The IT giant devices that are based on a preconfigured version of a UCS C-Series Server are also impacted by this flaw if they expose access to the IMC CLI. 

The company states that there are no workarounds to solve this vulnerability.

The Cisco PSIRT is aware that proof-of-concept exploit code is available for this vulnerability, however it is not aware of attacks in the wild exploiting it.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PoC exploit)

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024. OpenMetadata is an open-source platform that operates as a

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell. "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby

Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.

At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.

The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.

Cado Security Labs recently became aware that Cerber ransomware is being deployed into Confluence servers via the CVE-2023-22518 exploit. The experts pointed out that there is very little knowledge about the Linux variant of the ransomware family.

Cerber has been active since at least 2016, most recently it was involved in attacks against Confluence servers.

The malware includes three heavily obfuscated C++ payloads compiled as 64-bit Executable and Linkable Format (ELF) files and packed with UPX. UPX is a widely-used packer among threat actors, enabling the storage of encoded program code within the binary. At runtime, the code is extracted in memory and executed, a process known as “unpacking,” to evade detection by security software.

Attackers exploited this vulnerability to gain initial access to vulnerable Atlassian instances.

“We have observed instances of the Cerber ransomware being deployed after an attacker leveraged CVE-2023-22518 in order to gain access to vulnerable instances of Confluence. It is a fairly recent improper authorization vulnerability that allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint used by the setup wizard.” states Cado Security.

Financially motivated threat actors created an admin account to deploy the Effluence web shell plugin and execute arbitrary commands on the vulnerable server.

The attackers use the web shell to download and run the primary Cerber payload.

“In a default install, the Confluence application is executed as the “confluence” user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user. It will of course succeed in encrypting the datastore for the Confluence application, which can store important information.” continues the report. “If it was running as a higher privilege user, it would be able to encrypt more files, as it will attempt to encrypt all files on the system.”

The payload is written in C++ and is highly obfuscated, and packed with UPX. The researchers pointed out that it serves as a stager for further payloads, the malware uses a C2 server at 45[.]145[.]6[.]112 to download and unpack further payloads. Upon execution, the malicious code can delete itself from the disk.

Upon execution, the malware unpacks itself, and tries to create a file at /var/lock/0init-ld.lo.  

It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and fetches a log checker known internally as agttydck.

Upon executing the “agttydck.bat” the encryptor payload “agttydcb.bat” is downloaded and executed by the primary payload.

The agttydck malware, written in C++ and packed with UPX, performs several malicious actions: it logs activity in “/tmp/log.0” at startup and “/tmp/log.1” at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a “.L0CK3D” extension.

“Cerber is a relatively sophisticated, albeit aging, ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up. This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up.” concludes the report that also includes Indicators of compromise (IoCs).

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Cerber ransomware)

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-08 to 2024-04-16.

News

• Google Public Sector achieves Top Secret and Secret cloud authorization - Google has entered the chat. With Microsoft's recent APT issues, I wonder if any any orgs will consider Google.
• Muddled Libra's Evolution to the Cloud - Unit 42 researchers discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
• Toward greater transparency: Adopting the CWE standard for Microsoft CVEs - "...we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard."
• Our Response to Hashicorp's Cease and Desist Letter - Some turmoil in the IaC world. "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts."
• Amazon CloudFront now supports Origin Access Control (OAC) for Lambda function URL origins - Let your cloud teams know!
• [PDF] KONA BLU - Declassified DHS project - KONA BLUE - A special access program for recovering materials user for inter dimensional, time, and space travel. While the project only was a SAP for 6 months and seems like it [PDF] never really did anything a look into what goes into a SAP is interesting and the first example being declassified we are aware of.
• Microsoft will add External Recipient Rate email limits to Exchange Online in January 2025 - The paywalls continue, this is a push for more revenue from the Azure email service. This could impact your bulk phishing engagements if you're using exchange as your mail sender and send to more than 2,000 recipients a day.
• Twitter's Clumsy Pivot to X.com Is a Gift to Phishers - Rewriting URLs is a dangerous game.
• Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) - This is being actively exploited in the wild, and is this month's SSLVPN RCE...

Techniques and Write-ups

• Using Microsoft Dev Tunnels for C2 Redirection - Using dev tunnels as your C2. Careful with burning your Microsoft account.
• CS Technologies — Evolution Vulnerabilities - A set of vulnerabilities within software used to administer the EVO2 and EVO4 door access controllers. Chained together, this leads to unauthenticated access to add a user with access to every door in the building, control doors, etc.
• A trick, the story of CVE-2024-26230 - A step-by-step walkthrough of CVE-2024-26230 (use-after-free vulnerability in the telephony service)
• We discovered an AWS access vulnerability - A vulnerability in AWS STS allowed users to gain unauthorized account access due to incorrect role trust policy evaluations. It's been patched! Cool to read that this SaaS has a different AWS account per customer as a security boundary.
• Resolving Stack Strings with Capstone Disassembler & Unicorn in Python - Walkthrough on how to resolve stack strings in malware using Capstone Disassembler and Unicorn Emulator in Python. They used Conti Ransomware to showcase it.
• Chaining N-days to Compromise All: Part 3 — Windows Driver LPE: Medium to System - This post discusses the exploitation of a logic bug in the Windows kernel driver mskssrv.sys (CVE-2023-29360), which was demonstrated in Pwn2Own 2023. The exploit allows priv-esc from user to SYSTEM by manipulating the Memory Descriptor List (MDL) to map physical memory addresses incorrectly, effectively bypassing security checks. It was part of this crazy VM escape chain.
• Rooting out Risky SCCM Configs with Misconfiguration Manager - The SpecterOps team has published a script for sysadmins and infosec practitioners to identify every TAKEOVER and ELEVATE attack in Misconfiguration-Manager. SCCM is an overlooked attack surface that usually holds a privileged position in the AD network.
• Understanding ETW Patching - A quick summary from @jsecurity101 on how function patching can be applied to ETW providers to alter or inhibit their standard behavior, potentially evading detection by modifying or bypassing function execution in both user-mode and kernel-mode operations.
• CreateRCE — Yet Another Vulnerability in CreateUri In another episode of Akamai vs Outlook clients... "An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click)". The technical write-up of CVE-2023-35628 which was patched December 2023.
• Sysrv Infection (Linux Edition) - Write up of the Sysrv botnet, which deployed a crypto miner on a Linux system using a payload pulled down from a specified URL. Sometimes detecting these can be as easy as checking those DNS logs for known mining pools.
• My Journey on Integrating Sliver into Mythic - Mythic agents that use Mythic's API and Sliver's API to remotely control Sliver agents from within Mythic!
• How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses - "Leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly."
• Why you shouldn't use a commercial VPN: Amateur hour with Windscribe - If you are going to use a commercial VPN, at least generate standard WireGuard or OpenVPN configs and use the industry standard apps. This is why.
• Flaw in PuTTY P-521 ECDSA signature generation leaks SSH private keys - "An attacker who compromises an SSH server may be able to leverage this vulnerability to compromise the user's private key. Attackers may also be able to compromise the SSH private keys of anyone who used git+ssh with commit signing and a P-521 SSH key, simply by collecting public commit signatures." Cryptography is hard!

Tools and Exploits

• UserManagerEoP - PoC for CVE-2023-36047. Patched last week. Should still be viable if you're on an engagement right now!
• Gram - Klarna's own threat model diagramming tool
• Shoggoth - Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.
• ExploitGSM - Exploit for 6.4 - 6.5 Linux kernels and another exploit for 5.15 - 6.5. Zero days when published.
• Copilot-For-Security - Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant to responsible AI principles
• CVE-2024-21378 - DLL code for testing CVE-2024-21378 in MS Outlook. Using this with Ruler.
• ActionsTOCTOU - Example repository for GitHub Actions Time of Check to Time of Use (TOCTOU vulnerabilities).
• obfus.h - obfus.h is a macro-only library for compile-time obfuscating C applications, designed specifically for the Tiny C (tcc). It is tailored for Windows x86 and x64 platforms and supports almost all versions of the compiler.
• Wareed DNS C2 is a Command and Control (C2) that utilizes the DNS protocol for secure communications between the server and the target. Designed to minimize communication and limit data exchange, it is intended to be a first-stage C2 to persist in machines that don't have access to the internet via HTTP/HTTPS, but where DNS is allowed.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Can you hack your government? - A list of governments with Vulnerability Disclosure Policies.
• GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
• AssetViz - AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.
• GMER - the art of exposing Windows rootkits in kernel mode - GMER is an anti-rootkit tool used to detect and combat rootkits, specifically focusing on the prevalent kernel mode rootkits, and remains effective despite many anti-rootkits losing relevance with advancements in Windows security.
• AiTM Phishing with Azure Functions - The deployment of a serverless AiTM phishing toolkit using Azure Functions to phish Entra ID credentials and cookies
• orange - Orange Meets is a demo application built using Cloudflare Calls. To build your own WebRTC application using Cloudflare Calls. Combine this with some OpenVoice or Real-Time-Voice-Cloning. Scary.
• awesome-secure-defaults - Share this with your development teams and friends or use it in your own tools. "Awesome secure by default libraries to help you eliminate bug classes!"
• NtWaitForDebugEvent + WaitForMultipleObjects - Using these two together to wait for debug events from multiple debugees at once.
• taranis-ai - Taranis AI is an advanced Open-Source Intelligence (OSINT) tool, leveraging Artificial Intelligence to revolutionize information gathering and situational analysis.
• MSFT_DriverBlockList - Repository of Microsoft Driver Block Lists based off of OS-builds.
• HSC24RedTeamInfra - Slides and Codes used for the workshop Red Team Infrastructure Automation at HackSpanCon2024.
• SuperMemory - Build your own second brain with supermemory. It's a ChatGPT for your bookmarks. Import tweets or save websites and content using the chrome extension.
• Kubenomicon - An open source offensive security focused threat matrix for kubernetes with an emphasis on walking through how to exploit each attack.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022. The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or

The introduction of Open AI’s ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing,

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can lead to remote command execution.

Ivanti addressed multiple flaws in its Avalanche mobile device management (MDM) solution, including two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, that can lead to remote command execution.

The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets all in one system.

Below is the description for the two vulnerabilities:

• CVE-2024-24996 (CVSS score 9.8) – A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. 
• CVE-2024-29204 (CVSS score 9.8) – A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

A remote attacker can exploit both issues to execute code without user interaction.

Ivanti also addressed tens of medium and high-severity vulnerabilities that could be exploited to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks and read sensitive information from memory.

The software company is not aware of attacks in the wild exploiting one of these vulnerabilities at the time of disclosure. 

The company addressed the vulnerability with the release of Avalanche 6.4.3.

“To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here.” reads the advisory.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Avalanche mobile device management)

Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. Armed with this access, a

Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said. Successful attacks could

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS.

Researchers at watchTowr Labs have released a technical analysis of the vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS and a proof-of-concept exploit that can be used to execute shell commands on vulnerable firewalls.

CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software. An unauthenticated attacker can exploit the flaw to execute arbitrary code with root privileges on affected firewalls. This flaw impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024.

The researchers are tracking this cluster of activity, conducted by an unknown threat actor, under the name Operation MidnightEclipse.

“Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor.” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon exploiting the flaw, the threat actor was observed creating a cronjob that would run every minute to access commands hosted on an external server that would execute via bash.

The researchers were unable to access the commands executed by the attackers, however, they believe threat actors attempted to deploy a second Python-based backdoor on the vulnerable devices.

Researchers at cybersecurity firm Volexity referred this second Python backdor as UPSTYLE.

The threat actor, tracked by Volexity as UTA0218, remotely exploited the firewall device to establish a reverse shell and install additional tools. Their primary objective was to extract configuration data from the devices and then use it as a foothold to expand laterally within the targeted organizations.

Now watchTowr Labs released another detection artifact generator tool in the form of an HTTP request

“As we can see, we inject our command injection payload into the SESSID cookie value – which, when a Palo Alto GlobalProtect appliance has telemetry enabled – is then concatenated into a string and ultimately executed as a shell command.” reads the analysis published by watchTowr Labs.

“Something-something-sophistication-levels-only-achievable-by-a-nation-state-something-something.”

Justin Elze, CTO at TrustedSec, also published the exploit used in attacks in the wild.

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…

— Justin Elze (@HackingLZ) April 16, 2024

This week, US CISA added the vulnerability CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to address it by April 19th.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, PAN-OS)

Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services.  

Cisco Talos researchers warn of large-scale credential brute-force attacks targeting multiple targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

Below is a list of known affected services: 

• Cisco Secure Firewall VPN 
• Checkpoint VPN  
• Fortinet VPN  
• SonicWall VPN  
• RD Web Services 
• Miktrotik 
• Draytek 
• Ubiquiti 

Successful brute-force attacks can result in unauthorized network access, account lockouts, or denial-of-service (DoS) conditions.

These attacks originate from TOR exit nodes and anonymizing tunnels and proxies, such as:  

• VPN Gate  
• IPIDEA Proxy  
• BigMama Proxy  
• Space Proxies  
• Nexus Proxy  
• Proxy Rack 

“The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry.” reads the advisory published by Cisco Talos.

The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.

The advisory published by Talos includes a list of indicators of compromise (IoCs) for this campaign.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, brute-force)