MITRE revealed that nation-state actors breached its systems via Ivanti zero-days
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days.
In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The organization's security team promptly launched an investigation, cut off the threat actor's access, and engaged third-party forensic incident response teams to conduct independent analysis in collaboration with internal experts.
According to the MITRE Corporation, a nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.
"Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network's VMware infrastructure using a compromised administrator account." reads a post published by the organization on Medium. "They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials."
MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.
The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.
MITRE says it followed industry best practices, implemented vendor recommendations, and complied with government guidance to strengthen, update, and fortify its Ivanti system, but it did not detect the attacker's lateral movement into its VMware infrastructure. The session-hijacking detail matters for remediation: patching the appliance does not by itself invalidate a session token that was already stolen, so invalidating active VPN sessions and rotating the credentials used through the VPN are part of the cleanup, not optional extras.
The organization said that neither its core enterprise network nor its partners' systems were affected by this incident.
"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible," said Jason Providakes, president and CEO, MITRE. "We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices."
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs - hacking, Ivanti)
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure, FBI Director Christopher Wray warned.
FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.
According to the FBI chief, the Chinese hackers are waiting "for just the right moment to deal a devastating blow."
In February, US CISA, the NSA, and the FBI, along with partner Five Eyes agencies, published a joint advisory warning that the China-linked APT Volt Typhoon had infiltrated a critical infrastructure network in the US and remained undetected for at least five years.
"the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years," reads the alert.
The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.
In May 2023, Microsoft first reported that, to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.
The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
"The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years." continues the alert. "Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim's environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise."
U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
Volt Typhoon's activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.
The US agencies also released a technical guide containing recommendations to identify and mitigate living-off-the-land techniques adopted by the APT group.
A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.
Wray confirmed that Volt Typhoon's campaign is still ongoing and has breached numerous American companies in the telecommunications, energy, water, and other critical sectors.
The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.
The FBI Director remarked that China is developing the "ability to physically wreak havoc on US critical infrastructure at a time of its choosing," adding that "its plan is to land low blows against civilian infrastructure to try to induce panic."
Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning, however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.
Wray added that the China-linked actors employed a series of botnets in their activities.
In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet, to the operations of the China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters; the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.
The KV-Botnet is composed of end-of-life SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFE devices that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, with a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and P1367-E.
The researchers pointed out that the use of the KV-Botnet is limited to China-linked actors. Thus far, the victimology aligns primarily with a strategic interest in the Indo-Pacific region; the experts observed a focus on ISPs and government organizations.
About the author: Pierluigi Paganini
United Nations Development Programme (UNDP) investigates data breach
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.
The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft.
The United Nations Development Programme (UNDP) is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development.
The cyber attack recently targeted the IT infrastructure of the Agency in UN City, Copenhagen.
On March 27, UNDP became aware that a data-extortion threat actor had stolen data, including human resources and procurement information.
"On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information." reads the statement published by the Agency. "Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted."
UNDP is investigating the security incident to determine the scope of the cyberattack. The agency is keeping individuals affected by the breach updated and sharing information with other stakeholders, including its partners across the UN system.
"UNDP takes this incident extremely seriously and we reiterate our dedication to data security. We are committed to continue working to detect and minimize the risk of cyber-attacks." continues the statement.
UNDP did not share details about the attack; however, on March 27, 2024, the ransomware group 8Base added the agency to its Tor leak site (the leak site is unavailable at the time of this writing).
The extortion group has yet to publish the stolen data.
FIN7 targeted a large U.S. carmaker with phishing attacks
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.
In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company's IT department and had higher levels of administrative rights.
The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (LOLBAS).
FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is used in attacks or sold in cybercrime marketplaces.
FIN7 was observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.
In the attacks analyzed by BlackBerry, the threat actors used a typosquatting technique: the malicious domain "advanced-ip-sccanner[.]com" masqueraded as the legitimate website "advanced-ip-scanner[.]com", which distributes a free network scanner.
Upon visiting the rogue site, visitors were redirected to "myipscanner[.]com", which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.
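The typosquat above is one character away from the real domain, which is exactly what a DNS-log check for look-alike names should catch. The script below is an added example, not BlackBerry's code or part of the report: it parses BIND-style query log lines (the sample lines are constructed, except for the two domains named in the article), reduces each queried name to its registrable domain, and flags anything within a small edit distance of a watch-listed legitimate domain. The watch-list and the distance threshold are assumptions a defender would tune.

```python
"""Flag look-alike domains in DNS query logs by edit distance against a
watch-list of legitimate tool domains.  Added example; not BlackBerry's code.
"""
import re

# Assumption: a defender's watch-list of legitimate domains worth protecting.
WATCHLIST = {"advanced-ip-scanner.com"}

# Constructed sample of BIND-style query log lines (not real telemetry);
# the two *-ip-scanner domains are the ones named in the article.
SAMPLE_LOG = """\
client 10.0.0.21#51234: query: advanced-ip-scanner.com IN A +
client 10.0.0.21#51235: query: advanced-ip-sccanner.com IN A +
client 10.0.0.40#40001: query: myipscanner.com IN A +
client 10.0.0.40#40002: query: www.dropbox.com IN A +
"""

QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(name: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for a .com-style watch-list,
    a public-suffix list is needed for names like example.co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(log_text: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (queried_domain, legit_domain, distance) for each query whose
    registrable name is within max_distance edits of a watch-listed domain
    but is not that domain itself."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = registrable(m.group(1))
        for legit in sorted(watchlist):
            if qname == legit:
                continue
            d = levenshtein(qname, legit)
            if d <= max_distance:
                hits.append((qname, legit, d))
    return hits


if __name__ == "__main__":
    for qname, legit, d in find_lookalikes(SAMPLE_LOG):
        print(f"LOOKALIKE {qname} ~ {legit} (edit distance {d})")
```

Edit distance alone is noisy on short names, so keep the watch-list to the handful of admin tools your IT staff actually download rather than every brand; "myipscanner[.]com", the second hop in this chain, is not a typosquat and needs a reputation or newly-registered-domain source instead.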
Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called "dmxl.bin," which contains the Anunak payload.
The threat actors used WsTaskLoad.exe to install OpenSSH for persistence, creating a scheduled task to keep OpenSSH running on the victim's machine.
While historical data demonstrate that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.
"While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated." concludes the report, which also includes recommendations for mitigation and IoCs (Indicators of Compromise). "BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves."
Law enforcement operation dismantled phishing-as-a-service platform LabHost
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.
An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world's largest phishing-as-a-service platforms.
Law enforcement from 19 countries participated in the operation which resulted in the arrest of 37 individuals.
The phishing-as-a-service platform was available on the clear web and has been shut down by the police.
Between April 14th and April 17th, law enforcement agencies conducted searches at 70 addresses worldwide, leading to the arrest of the suspects. Four individuals, including the original developer of LabHost, were arrested in the United Kingdom.
Phishing-as-a-service (PhaaS) platforms provide phishing tools and resources to crooks, usually for a fee or subscription. These typically include pre-designed phishing templates, email or text message sending capabilities, and website hosting for phishing pages. The most important PhaaS platforms also provide technical support to their customers.
LabHost was a prominent tool for cybercriminals globally, offering a subscription-based service that facilitated phishing attacks. The platform provided phishing kits, hosting infrastructure, interactive features for engaging victims, and campaign management tools. The investigation conducted by law enforcement revealed approximately 40,000 phishing domains associated with LabHost, which reached 10,000 users worldwide. Subscribers paid an average monthly fee of $249 to use the platform's services. LabHost offered a selection of over 170 convincing fake websites for users to deploy with ease.
"What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures." reads the announcement published by Europol.
Australian police arrested five individuals across the country as part of the operation, the authorities reported that more than 94,000 people in Australia were victims of the attacks launched through the platform.
"Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails." reported the AFP.
"As a result of the Australian arm of the investigation, led by the AFP's Joint Policing Cybercrime Coordination Centre (JPC3), more than 200 officers from the AFP and state and territory police were yesterday (17 April, 2024) involved in executing 22 search warrants across five states. This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia. A Melbourne man and an Adelaide man, who police will allege were LabHost users, were arrested during the warrants and charged with cybercrime-related offences. Three Melbourne men were also arrested by Victoria Police and charged with drug-related offences."
The U.K. Metropolitan Police said LabHost's sites have ensnared approximately 70,000 victims in the UK alone. On a global scale, the service has acquired 480,000 card numbers, 64,000 PIN numbers, and over one million passwords for various online services. The actual number of victims is anticipated to surpass current estimates, with ongoing efforts focused on identifying and assisting as many affected individuals as feasible.
Operators behind the PhaaS received about £1 million in payments from criminal users since its launch.
Previously unknown Kapeka backdoor linked to Russian Sandworm APT
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since 2022.
WithSecure researchers identified a new backdoor named Kapeka that has been used in attacks targeting victims in Eastern Europe since at least mid-2022. The backdoor is very sophisticated, it serves as both an initial toolkit and as a backdoor for maintaining long-term access to compromised systems. The nature of the targets, low detection rate, and sophisticated malware-supported features suggest that an APT group developed it.
WithSecure noticed overlaps between Kapeka and GreyEnergy and the Prestige ransomware attacks, which are attributed to the Russia-linked Sandworm APT group. WithSecure believes that Kapeka is likely part of Sandworm's arsenal.
The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
"Kapeka contains a dropper that will drop and launch a backdoor on a victim's machine and then remove itself. The backdoor will first collect information and fingerprint both the machine and user before sending the details on to the threat actor." states WithSecure. "This allows tasks to be passed back to the machine or the backdoor's configuration to be updated. WithSecure do not have insight as to how the Kapeka backdoor is propagated by Sandworm."
The researchers speculate that Kapeka is a successor to GreyEnergy, which itself was likely a replacement for BlackEnergy in Sandworm's arsenal.
Kapeka includes a dropper that acts as a launcher for the backdoor component on the infected host, after which it removes itself. The dropper also sets up persistence for the backdoor through a scheduled task (if running as admin or SYSTEM) or an autorun registry key (if not).
The Kapeka backdoor is a Windows DLL with a single exported function. The malware masquerades as a Microsoft Word Add-In (.wll) file. It is written in C++ and compiled with Visual Studio 2017 (15.9). Upon execution, it requires the "-d" argument in the initial run but not for subsequent executions. The malware has a multi-threaded implementation, utilizing event objects for thread synchronization and signaling.
The backdoor employs the WinHttp 5.1 COM interface (winhttpcom.dll) for its network communication module. It interacts with its C2 server to fetch tasks and relay fingerprinted data and task outcomes. The malware uses JSON for C2 communication. Two distinct threads manage network communication: one for sending fingerprinted data and fetching tasks, and another for transmitting completed task results to the C2. Both threads utilize the same request/response mechanism.
The backdoor can update its C2 configuration dynamically by receiving a new JSON configuration (with the key "GafpPS") from the C2 server during polling. If the received configuration differs from the current one, the backdoor updates its configuration on the fly and stores the latest C2 configuration in the registry value "Seed". The backdoor can also perform various tasks on the infected system by receiving a list of tasks as a JSON response (with the key "Td7opP") from its C2 server during polling. The malicious code spawns a separate thread to execute each task.
"The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin. However, due to sparsity of data at the time of writing the infection vector, the threat actor, and the actor's 'actions on objectives' cannot be conclusively stated. Nevertheless, we examined multiple data points that strongly suggests a link between Kapeka and Sandworm." concludes the report.
Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly available exploit code exists.
Cisco has addressed a high-severity Integrated Management Controller (IMC) vulnerability and is aware of publicly available exploit code for the issue. The PoC exploit allows a local attacker to escalate privileges to root.
Cisco Integrated Management Controller (IMC) is a baseboard management controller (BMC) that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers.
The vulnerability, tracked as CVE-2024-20295, resides in the CLI of the Cisco Integrated Management Controller (IMC). A local, authenticated attacker can exploit the vulnerability to conduct command injection attacks on the underlying operating system and elevate privileges to root. The IT giant reported that to exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.
"This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root." reads the advisory.
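The advisory describes the bug class, not the code, so the following is an added illustrative example and not Cisco's IMC implementation or the actual flaw: a restricted management CLI takes a host argument from an authenticated low-privilege user and splices it into a shell command that the CLI process, running as root, executes; the hardened version allow-lists the argument and passes it as a separate argv element with no shell in the path. The `ping`-style subcommand is hypothetical, and `echo` stands in for the wrapped utility so the example runs anywhere without network access.

```python
"""Command injection through a privileged management CLI, vulnerable and
hardened forms side by side.  Added example; not Cisco code, and not the
specific IMC bug.  "echo" stands in for the network utility a real CLI
subcommand (e.g. ping) would wrap, so the demo is offline and deterministic.
"""
import re
import subprocess

TOOL = "echo"  # stand-in for the wrapped utility (assumption for the demo)

# Allow-list: hostname/IP characters only, must start and end alphanumeric so
# the value can never begin with "-" and be parsed as an option by TOOL.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_vulnerable(host_arg: str) -> str:
    """VULNERABLE: the user-controlled argument is interpolated into a shell
    string.  A value such as '10.0.0.1; id' terminates the intended command
    and runs the attacker's command with the privilege of this process
    (root, when the CLI itself runs as root)."""
    cmd = f"{TOOL} {host_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_host(host_arg: str) -> bool:
    """Positive validation of the argument shape before any execution."""
    return HOST_RE.fullmatch(host_arg) is not None


def run_hardened(host_arg: str) -> str:
    """FIXED: validate against the allow-list, then exec with an argv list and
    no shell, so shell metacharacters in the argument are never interpreted."""
    if not is_valid_host(host_arg):
        raise ValueError(f"rejected host argument: {host_arg!r}")
    return subprocess.run([TOOL, host_arg], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # second command ran
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)                            # rejected up front
    print("hardened (clean input):", repr(run_hardened("10.0.0.1")))
```

Two points for reviewers of this kind of code: quoting the argument (`shlex.quote`) only fixes the shell-parsing layer and still lets a leading `-` reach the tool as an option, which is why the allow-list and the argv form are used together; and because the privilege gain comes entirely from the process the CLI runs as, dropping the wrapper to an unprivileged account is the defence in depth that limits impact when the next parsing bug is found.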
The flaw impacts the following products if they are running a vulnerable release of Cisco IMC in the default configuration:
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE
- UCS C-Series Rack Servers in standalone mode
- UCS E-Series Servers
Cisco devices that are based on a preconfigured version of a UCS C-Series Server are also affected by this flaw if they expose access to the IMC CLI.
The company states that there are no workarounds that address this vulnerability; until the fixed release is applied, the practical mitigations are limiting who holds IMC CLI accounts of any privilege level and keeping the management interface off networks that untrusted users can reach.
The Cisco PSIRT is aware that proof-of-concept exploit code is available for this vulnerability, however it is not aware of attacks in the wild exploiting it.
Linux variant of Cerber ransomware targets Atlassian servers
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.
The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.
Cado Security Labs recently became aware that Cerber ransomware is being deployed into Confluence servers via the CVE-2023-22518 exploit. The experts pointed out that there is very little knowledge about the Linux variant of the ransomware family.
Cerber has been active since at least 2016, most recently it was involved in attacks against Confluence servers.
The malware includes three heavily obfuscated C++ payloads compiled as 64-bit Executable and Linkable Format (ELF) files and packed with UPX. UPX is a widely used packer among threat actors, enabling the storage of encoded program code within the binary. At runtime, the code is extracted in memory and executed, a process known as "unpacking," to evade detection by security software.
Attackers exploited this vulnerability to gain initial access to vulnerable Atlassian instances.
"We have observed instances of the Cerber ransomware being deployed after an attacker leveraged CVE-2023-22518 in order to gain access to vulnerable instances of Confluence. It is a fairly recent improper authorization vulnerability that allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint used by the setup wizard." states Cado Security.
Financially motivated threat actors created an admin account to deploy the Effluence web shell plugin and execute arbitrary commands on the vulnerable server.
The attackers use the web shell to download and run the primary Cerber payload.
"In a default install, the Confluence application is executed as the 'confluence' user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user. It will of course succeed in encrypting the datastore for the Confluence application, which can store important information." continues the report. "If it was running as a higher privilege user, it would be able to encrypt more files, as it will attempt to encrypt all files on the system."
The payload is written in C++ and is highly obfuscated, and packed with UPX. The researchers pointed out that it serves as a stager for further payloads, the malware uses a C2 server at 45[.]145[.]6[.]112 to download and unpack further payloads. Upon execution, the malicious code can delete itself from the disk.
Upon execution, the malware unpacks itself and tries to create a file at /var/lock/0init-ld.lo.
It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and fetches a log checker known internally as agttydck.
Upon executing "agttydck.bat", the encryptor payload "agttydcb.bat" is downloaded and executed by the primary payload.
The agttydck malware, written in C++ and packed with UPX, performs several malicious actions: it logs activity in "/tmp/log.0" at startup and "/tmp/log.1" at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a ".L0CK3D" extension.
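The lock file, the two log files, the C2 address and the ".L0CK3D" suffix are concrete artefacts a responder can sweep a suspect Confluence host for. The script below is an added example, not Cado's code: it walks a filesystem root for those artefacts, reports any directory holding encrypted files together with the other files left beside them (where the ransom note would sit; the report does not give the note's filename, so none is assumed), and filters netstat/ss-style connection lines for the C2 address. The victim tree and connection lines it builds for the demo are constructed, not recovered from a real incident.

```python
"""Sweep a Linux host for the on-disk and network artefacts of the Cerber
chain described by Cado Security.  Added example; not Cado's code.  Artefact
paths come from the report; the demo tree and connection lines are constructed.
"""
import os
import tempfile
from pathlib import Path

# Artefacts named in the report.  Paths are kept relative so the sweep can be
# pointed at Path("/") on a live host or at a constructed tree in the demo.
LOCK_FILE = Path("var/lock/0init-ld.lo")
LOG_FILES = (Path("tmp/log.0"), Path("tmp/log.1"))
ENCRYPTED_SUFFIX = ".L0CK3D"
C2_IP = "45.145.6.112"

# Constructed netstat/ss-style lines for the demo (not real telemetry).
SAMPLE_CONNECTIONS = [
    "tcp 0 0 10.0.0.5:49152 45.145.6.112:443 ESTABLISHED",
    "tcp 0 0 10.0.0.5:22 10.0.0.9:5555 ESTABLISHED",
]


def sweep_filesystem(root: Path) -> dict:
    """Return findings for the stager lock file, the encryptor's logs, every
    file carrying the encrypted suffix, and, per affected directory, the
    non-encrypted files left alongside (ransom-note candidates)."""
    findings = {
        "lock_file": (root / LOCK_FILE).exists(),
        "logs": [str(p) for p in LOG_FILES if (root / p).exists()],
        "encrypted": [],
        "note_candidates": {},
    }
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_SUFFIX)]
        if not encrypted:
            continue
        rel = os.path.relpath(dirpath, root)
        findings["encrypted"].extend(os.path.join(rel, f) for f in encrypted)
        others = sorted(f for f in files if not f.endswith(ENCRYPTED_SUFFIX))
        if others:
            findings["note_candidates"][rel] = others
    return findings


def c2_contacts(conn_lines) -> list:
    """Lines whose remote endpoint is the C2 (matches "ip:port" to avoid
    false hits on a longer address sharing the prefix)."""
    return [line for line in conn_lines if f" {C2_IP}:" in line]


def build_demo_tree(base: Path) -> Path:
    """Constructed victim tree mirroring the report's artefacts.  The
    'ransom-note.txt' name is a placeholder, not the real note filename."""
    (base / "var/lock").mkdir(parents=True)
    (base / "tmp").mkdir()
    (base / LOCK_FILE).touch()
    (base / LOG_FILES[0]).write_text("start\n")           # log.0 only: run in progress
    data = base / "var/atlassian/application-data/confluence"
    data.mkdir(parents=True)
    (data / "confluence.cfg.xml.L0CK3D").write_bytes(b"\x00" * 16)
    (data / "attachments.L0CK3D").write_bytes(b"\x00" * 16)
    (data / "ransom-note.txt").write_text("constructed placeholder\n")
    return base


def demo() -> dict:
    """Build the constructed tree in a temp dir and sweep it."""
    return sweep_filesystem(build_demo_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    findings = demo()
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("c2 contacts:", c2_contacts(SAMPLE_CONNECTIONS))
```

Run it as root against `Path("/")` so the walk can enter every directory; since the encryptor inherits the Confluence service account's privileges in a default install, the spread of `.L0CK3D` files outside the `confluence` user's ownership is itself evidence that the application had been running with more privilege than it should.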
"Cerber is a relatively sophisticated, albeit aging, ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up. This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up." concludes the report, which also includes Indicators of Compromise (IoCs).
Last Week in Security (LWiS) - 2024-04-16
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-08 to 2024-04-16.
News
- Google Public Sector achieves Top Secret and Secret cloud authorization - Google has entered the chat. With Microsoft's recent APT issues, I wonder if any orgs will consider Google.
- Muddled Libra's Evolution to the Cloud - Unit 42 researchers discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
- Toward greater transparency: Adopting the CWE standard for Microsoft CVEs - "...we will now publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE) industry standard."
- Our Response to Hashicorp's Cease and Desist Letter - Some turmoil in the IaC world. "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts."
- Amazon CloudFront now supports Origin Access Control (OAC) for Lambda function URL origins - Let your cloud teams know!
- [PDF] KONA BLUE - Declassified DHS project. KONA BLUE was a special access program for recovering materials used for interdimensional, time, and space travel. While the project was only a SAP for 6 months and it seems like it never really did anything, a look into what goes into a SAP is interesting, and it is the first example being declassified we are aware of.
- Microsoft will add External Recipient Rate email limits to Exchange Online in January 2025 - The paywalls continue; this is a push for more revenue from the Azure email service. This could impact your bulk phishing engagements if you're using Exchange as your mail sender and send to more than 2,000 recipients a day.
- Twitter's Clumsy Pivot to X.com Is a Gift to Phishers - Rewriting URLs is a dangerous game.
- Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) - This is being actively exploited in the wild, and is this month's SSLVPN RCE...
Techniques and Write-ups
- Using Microsoft Dev Tunnels for C2 Redirection - Using dev tunnels as your C2. Careful with burning your Microsoft account.
- CS Technologies - Evolution Vulnerabilities - A set of vulnerabilities within software used to administer the EVO2 and EVO4 door access controllers. Chained together, this leads to unauthenticated access to add a user with access to every door in the building, control doors, etc.
- A trick, the story of CVE-2024-26230 - A step-by-step walkthrough of CVE-2024-26230 (use-after-free vulnerability in the telephony service)
- We discovered an AWS access vulnerability - A vulnerability in AWS STS allowed users to gain unauthorized account access due to incorrect role trust policy evaluations. It's been patched! Cool to read that this SaaS has a different AWS account per customer as a security boundary.
- Resolving Stack Strings with Capstone Disassembler & Unicorn in Python - Walkthrough on how to resolve stack strings in malware using Capstone Disassembler and Unicorn Emulator in Python. They used Conti Ransomware to showcase it.
- Chaining N-days to Compromise All: Part 3 - Windows Driver LPE: Medium to System - This post discusses the exploitation of a logic bug in the Windows kernel driver mskssrv.sys (CVE-2023-29360), which was demonstrated at Pwn2Own 2023. The exploit allows priv-esc from a medium-integrity user to SYSTEM by manipulating the Memory Descriptor List (MDL) to map physical memory addresses incorrectly, effectively bypassing security checks. It was part of this crazy VM escape chain.
- Rooting out Risky SCCM Configs with Misconfiguration Manager - The SpecterOps team has published a script for sysadmins and infosec practitioners to identify every TAKEOVER and ELEVATE attack in Misconfiguration-Manager. SCCM is an overlooked attack surface that usually holds a privileged position in the AD network.
- Understanding ETW Patching - A quick summary from @jsecurity101 on how function patching can be applied to ETW providers to alter or inhibit their standard behavior, potentially evading detection by modifying or bypassing function execution in both user-mode and kernel-mode operations.
- CreateRCE - Yet Another Vulnerability in CreateUri - In another episode of Akamai vs Outlook clients: "An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click)". The technical write-up of CVE-2023-35628, which was patched in December 2023.
- Sysrv Infection (Linux Edition) - Write up of the Sysrv botnet, which deployed a crypto miner on a Linux system using a payload pulled down from a specified URL. Sometimes detecting these can be as easy as checking those DNS logs for known mining pools.
- My Journey on Integrating Sliver into Mythic - Mythic agents that use Mythic's API and Sliver's API to remotely control Sliver agents from within Mythic!
- How I Leveraged WMI to Enumerate a Process Modules and Their Base Addresses - "Leverage Windows Management Instrumentation (WMI) to extract the loaded modules of a specific process and understand how to get each module base address, show the advantages and the ability to perform ShellCode injection in .text section directly."
- Why you shouldn't use a commercial VPN: Amateur hour with Windscribe - If you are going to use a commercial VPN, at least generate standard WireGuard or OpenVPN configs and use the industry standard apps. This is why.
- Flaw in PuTTY P-521 ECDSA signature generation leaks SSH private keys - "An attacker who compromises an SSH server may be able to leverage this vulnerability to compromise the user's private key. Attackers may also be able to compromise the SSH private keys of anyone who used git+ssh with commit signing and a P-521 SSH key, simply by collecting public commit signatures." Cryptography is hard!
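The Sysrv entry above notes that miner infections can often be caught just by watching DNS logs for lookups of known mining pools. The following is an added example of that check, written for this page and not taken from the Sysrv write-up: it parses dnsmasq-style query lines, normalizes names, and matches them against a pool-domain watchlist on label boundaries so that subdomains of a pool hit but unrelated names that merely end in the same characters do not. The log lines and the `.test` pool domains are constructed stand-ins, not a vetted blocklist.

```python
"""Flag DNS lookups for known cryptomining pool domains in a resolver log.

Added example for this page (not the Sysrv write-up's code). The log lines
and the watchlist below are constructed for illustration only.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed watchlist of pool domains (stand-ins, not a real blocklist).
MINING_POOL_SUFFIXES = {
    "pool.example-xmr.test",
    "stratum.example-nicepool.test",
    "mine.example-hash.test",
}

# Constructed dnsmasq-style query log: "query[<type>] <name> from <client>".
SAMPLE_LOG = """\
Apr 18 03:11:02 dnsmasq[1234]: query[A] updates.ubuntu.com from 10.0.0.5
Apr 18 03:11:09 dnsmasq[1234]: query[A] eu.pool.example-xmr.test from 10.0.0.17
Apr 18 03:11:09 dnsmasq[1234]: query[AAAA] eu.pool.example-xmr.test from 10.0.0.17
Apr 18 03:12:44 dnsmasq[1234]: query[A] github.com from 10.0.0.17
Apr 18 03:13:01 dnsmasq[1234]: query[A] stratum.example-nicepool.test from 10.0.0.23
Apr 18 03:13:02 dnsmasq[1234]: query[A] notpool.example-xmr.test from 10.0.0.5
"""

LINE_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def matches_pool(name: str, suffixes=MINING_POOL_SUFFIXES) -> Optional[str]:
    """Return the watchlist domain that `name` equals or is a subdomain of.

    Matching is on label boundaries: 'eu.pool.example-xmr.test' hits
    'pool.example-xmr.test', but 'notpool.example-xmr.test' does not.
    """
    name = normalize(name)
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def scan(log_text: str, suffixes=MINING_POOL_SUFFIXES) -> Dict[str, Set[str]]:
    """Map each client IP to the set of pool domains it looked up."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; ignore replies, cached, config, etc.
        pool = matches_pool(m["name"], suffixes)
        if pool:
            hits[m["client"]].add(pool)
    return dict(hits)


if __name__ == "__main__":
    for client, pools in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client} resolved mining pool(s): {', '.join(sorted(pools))}")
```

Run it against a real resolver log and a maintained pool list; the aggregation by client is what you want, since one miner typically hammers the same pool name repeatedly and you care about which host is infected, not how many lookups it made.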
Tools and Exploits
- UserManagerEoP - PoC for CVE-2023-36047. Patched last week. Should still be viable if you're on an engagement right now!
- Gram - Klarna's own threat model diagramming tool
- Shoggoth - Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.
- ExploitGSM - Exploit for 6.4 - 6.5 Linux kernels and another exploit for 5.15 - 6.5. Zero days when published.
- Copilot-For-Security - Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant to responsible AI principles
- CVE-2024-21378 - DLL code for testing CVE-2024-21378 in MS Outlook. Using this with Ruler.
- ActionsTOCTOU - Example repository for GitHub Actions Time of Check to Time of Use (TOCTOU vulnerabilities).
- obfus.h - obfus.h is a macro-only library for compile-time obfuscating C applications, designed specifically for the Tiny C (tcc). It is tailored for Windows x86 and x64 platforms and supports almost all versions of the compiler.
- Wareed DNS C2 - A Command and Control (C2) that utilizes the DNS protocol for secure communications between the server and the target. Designed to minimize communication and limit data exchange, it is intended to be a first-stage C2 to persist on machines that don't have access to the internet via HTTP/HTTPS, but where DNS is allowed.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Can you hack your government? - A list of governments with Vulnerability Disclosure Policies.
- GoAlert - Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
- AssetViz - AssetViz simplifies the visualization of subdomains from input files, presenting them as a coherent mind map. Ideal for penetration testers and bug bounty hunters conducting reconnaissance, AssetViz provides intuitive insights into domain structures for informed decision-making.
- GMER - the art of exposing Windows rootkits in kernel mode - GMER is an anti-rootkit tool used to detect and combat rootkits, specifically focusing on the prevalent kernel mode rootkits, and remains effective despite many anti-rootkits losing relevance with advancements in Windows security.
- AiTM Phishing with Azure Functions - The deployment of a serverless AiTM phishing toolkit using Azure Functions to phish Entra ID credentials and cookies
- orange - Orange Meets is a demo application built on Cloudflare Calls, showing how to build your own WebRTC application with Cloudflare Calls. Combine this with some OpenVoice or Real-Time-Voice-Cloning. Scary.
- awesome-secure-defaults - Share this with your development teams and friends or use it in your own tools. "Awesome secure by default libraries to help you eliminate bug classes!"
- NtWaitForDebugEvent + WaitForMultipleObjects - Using these two together to wait for debug events from multiple debugees at once.
- taranis-ai - Taranis AI is an advanced Open-Source Intelligence (OSINT) tool, leveraging Artificial Intelligence to revolutionize information gathering and situational analysis.
- MSFT_DriverBlockList - Repository of Microsoft Driver Block Lists based off of OS-builds.
- HSC24RedTeamInfra - Slides and Codes used for the workshop Red Team Infrastructure Automation at HackSpanCon2024.
- SuperMemory - Build your own second brain with supermemory. It's a ChatGPT for your bookmarks. Import tweets or save websites and content using the chrome extension.
- Kubenomicon - An open source offensive security focused threat matrix for kubernetes with an emphasis on walking through how to exploit each attack.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Ivanti fixed two critical flaws in its Avalanche MDM
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can lead to remote command execution.
Ivanti addressed multiple flaws in its Avalanche mobile device management (MDM) solution, including two critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, that can lead to remote command execution.
The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets all in one system.
Below is the description for the two vulnerabilities:
- CVE-2024-24996 (CVSS score 9.8) - A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
- CVE-2024-29204 (CVSS score 9.8) - A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.
A remote attacker can exploit both issues to execute code without user interaction.
Ivanti also addressed a further batch of medium- and high-severity vulnerabilities that could be exploited to trigger denial-of-service conditions, execute arbitrary commands, carry out remote code execution attacks, and read sensitive information from memory.
The software company was not aware of any in-the-wild attacks exploiting these vulnerabilities at the time of disclosure.
The company addressed all of the vulnerabilities with the release of Avalanche 6.4.3.
"To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here." reads the advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs - hacking, Avalanche mobile device management)