2 May 2024 — Security News

HPE Aruba Networking addressed four critical ArubaOS RCE flaws

2 May 2024 at 17:46

HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system.

HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS.

The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to remotely execute arbitrary code.

The four critical RCE vulnerabilities are: 

  • CVE-2024-26305 – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
  • CVE-2024-26304 – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
  • CVE-2024-33511 – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol. An unauthenticated remote attacker can achieve code execution by sending specially crafted packets to the PAPI UDP port (8211). Successful exploitation allows an attacker to execute arbitrary code as a privileged user on the underlying operating system.
  • CVE-2024-33512 – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol. The exploitation of the flaw can allow unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). Successfully exploiting this vulnerability allows executing arbitrary code as a privileged user on the underlying operating system.

Below is the list of impacted products and software versions:

HPE Aruba Networking 
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below

The following ArubaOS and SD-WAN software versions that are End of Maintenance are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

HPE Aruba Networking suggests enabling the Enhanced PAPI Security feature with a non-default key to mitigate the vulnerabilities. This mitigation works in ArubaOS 8.x; for ArubaOS 10.x, however, this vulnerability does not apply, and upgrading to one of the recommended ArubaOS 10.x versions will address the other vulnerabilities mentioned in the advisory.

At the time of publishing, the vendor was not aware of in-the-wild attacks exploiting any of the flaws addressed by the April 2024 security updates.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, HPE Aruba)

Pro-Russia hackers target critical infrastructure in North America and Europe

2 May 2024 at 19:52

Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) published a joint advisory to warn of pro-Russia hacktivist groups targeting critical infrastructure organizations in North America and Europe.

The attacks focus on industrial control systems (ICS) and other operational technology (OT) systems in the target infrastructure.

Pro-Russia hacktivists have been targeting and compromising small-scale Operational Technology (OT) systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture Sectors. They aim to exploit modular, internet-exposed Industrial Control Systems (ICS), targeting software components like human machine interfaces (HMIs). The threat actors were observed using methods such as exploiting virtual network computing (VNC) remote access software and default passwords.

The malicious activity began in 2022 and is still ongoing. The government agencies urge OT operators in critical infrastructure sectors to implement a set of mitigations provided in the advisory.

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.” reads the joint advisory. “Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.”

The pro-Russia hacktivists tend to exaggerate the effects of their attacks. Since 2022, they have claimed on social platforms to have carried out disruptive cyber operations, including distributed denial of service and data wiping, against numerous North American and international entities. However, reports from victims downplayed the effects of the attacks.

In early 2024, several U.S.-based water and wastewater systems (WWS) victims faced limited physical disruptions after attackers hacked into their Human Machine Interfaces (HMIs). The hacktivists altered settings, exceeded normal operating parameters of water pumps and blower equipment, disabled alarm mechanisms, and changed administrative passwords to lock out operators.

“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.” concludes the advisory.

Pierluigi Paganini


(SecurityAffairs – hacking, critical infrastructure)

Ukrainian REvil gang member sentenced to 13 years in prison

2 May 2024 at 21:11

A Ukrainian national, a member of the REvil group, has been sentenced to more than 13 years in prison for his role in extortion activities.

The Ukrainian national, Yaroslav Vasinskyi (24), aka Rabotnik, has been sentenced to more than 13 years in prison and must pay $16 million in restitution for conducting numerous ransomware attacks and extorting victims.

The man is a member of the REvil ransomware gang and was sentenced for his role in carrying out more than 2,500 ransomware attacks and demanding over $700 million in ransom payments.

In November 2021, the US Department of Justice charged Vasinskyi, a REvil ransomware affiliate, with orchestrating the ransomware attacks on the Kaseya MSP platform that took place on July 4, 2021.

Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while he was trying to enter Poland. Vasinskyi was extradited to the U.S. in March 2022.

Vasinskyi has been a REvil ransomware affiliate since at least March 1, 2019.

“According to court documents, Yaroslav Vasinskyi, also known as Rabotnik, 24, conducted thousands of ransomware attacks using the ransomware variant known as Sodinokibi/REvil.” reads the press release published by DoJ. “Ransomware is malicious software designed to encrypt data on victim computers, allowing bad actors the ability to demand a ransom payment in exchange for the decryption key. The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains. To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims’ data when victims would not pay ransom demands.”

Vasinskyi had previously pleaded guilty in the Northern District of Texas to an 11-count indictment. The charges included conspiracy to commit fraud and computer-related activity, damaging protected computers, and conspiracy to commit money laundering. In a related matter, in 2023, the Department concluded the forfeiture of millions of dollars’ worth of ransom payments through two connected civil forfeiture cases. This included seizing 39.89138522 Bitcoin and $6.1 million in U.S. dollars linked to purported ransom payments received by other members of the conspiracy.

“Deploying the REvil ransomware variant, the defendant reached out across the globe to demand hundreds of millions of dollars from U.S. victims,” said Deputy Attorney General Lisa Monaco. “But this case shows the Justice Department’s reach is also global—working with our international partners, we are bringing to justice those who target U.S. victims, and we are disrupting the broader cybercrime ecosystem.”

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

3 May 2024 — Security News

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

By: Newsroom
3 May 2024 at 04:50
HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems. Of the 10 security defects, four are rated critical in severity - CVE-2024-26304 (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via

Google Announces Passkeys Adopted by Over 400 Million Accounts

By: Newsroom
3 May 2024 at 06:40
Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years. "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google, said.

NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

By: Newsroom
3 May 2024 at 09:37
The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors' attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. "The

New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

3 May 2024 at 10:42
SaaS applications are dominating the corporate landscape. Their increased use enables organizations to push the boundaries of technology and business. At the same time, these applications also pose a new security risk that security leaders need to address, since the existing security stack does not enable complete control or comprehensive monitoring of their usage.

ZLoader Malware adds Zeus’s anti-analysis feature

3 May 2024 at 11:27

Zloader continues to evolve: its authors have added an anti-analysis feature that was originally present in the Zeus banking trojan.

Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan based on the leaked ZeuS source code. After a hiatus of almost two years, Zloader reappeared with new obfuscation techniques, domain generation algorithm (DGA), and network communication.

Recently, its authors reintroduced an anti-analysis feature similar to the one implemented in the original ZeuS 2.x code. The feature prevents the malware from executing outside the originally infected machine, a check that had been abandoned by many malware variants that borrow the leaked Zeus source code.

“Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus.” reads the analysis published by Zscaler. “The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection. A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently.”

Zloader samples with versions greater than 2.4.1.0 abruptly terminate if they are copied to and executed on another system after the initial infection. The malware implements this check by looking for a specific key/value pair in the Windows registry.

Each sample generates the registry key and value based on a unique hardcoded seed.

“If the registry key/value pair is manually created (or this check is patched), Zloader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions.” continues the analysis. “This is due to a secondary check in Zloader’s MZ header.”

Zscaler observed that Zloader’s method of storing installation data to evade detection shows similarities to Zeus version 2.0.8, albeit with a different implementation. Instead of using the Registry, Zloader uses a data structure called PeSettings to store its configuration.

The anti-analysis technique implemented in Zloader makes the malicious code harder to detect and analyze.

“In recent versions, Zloader has adopted a stealthy approach to system infections. This new anti-analysis technique makes Zloader even more challenging to detect and analyze. The samples analyzed by ThreatLabz have all been pre-initialized, suggesting a more targeted distribution strategy.” concludes the report.

Pierluigi Paganini


(SecurityAffairs – hacking, malware)

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

By: Newsroom
3 May 2024 at 12:35
Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

Expert-Led Webinar - Uncovering Latest DDoS Tactics and Learn How to Fight Back

3 May 2024 at 12:53
In today's rapidly evolving digital landscape, the threat of Distributed Denial of Service (DDoS) attacks looms more significant than ever. As these cyber threats grow in sophistication, understanding and countering them becomes crucial for any business seeking to protect its online presence. To address this urgent need, we are thrilled to announce our upcoming webinar, "Uncovering Contemporary

Dirty stream attack poses billions of Android installs at risk

3 May 2024 at 13:17

Microsoft has disclosed an attack technique, dubbed ‘Dirty Stream,’ that affects widely used Android applications; billions of installations are at risk.

Microsoft is warning Android users about a new attack technique, named Dirty Stream, that can allow threat actors to take control of apps and steal sensitive data.

The IT giant describes Dirty Stream as an attack pattern, linked to path traversal, that affects various popular Android apps. The technique allows a malicious app to overwrite files in the vulnerable app’s home directory, potentially leading to arbitrary code execution and the theft of tokens.

An attacker can trigger the flaw to gain full control over the app and access to user accounts and sensitive data.

The researchers identified multiple vulnerable applications in the official Google Play Store whose combined install base exceeds four billion devices.

“We identified this vulnerability pattern in the then-current versions of several Android applications published on the Google Play Store, including at least four with more than 500 million installations each. In each case, we responsibly disclosed to the vendor. Two example vulnerable applications that we identified are Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).” continues the advisory.

Microsoft notified developers of the affected apps through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The company worked with Xiaomi, Inc. and WPS Office security teams to address the issue. Fixes have been deployed for the affected apps as of February 2024, and users are urged to update their devices and installed applications.

The problem resides in the content provider component of Android’s data and file sharing system, and specifically in its ‘FileProvider’ class.

“FileProvider, a subclass of ContentProvider, is intended to provide a secure method for an application (“server application”) to share files with another application (“client application”).” reported Google. “However, if the client application does not properly handle the filename provided by the server application, an attacker-controlled server application may be able to implement its own malicious FileProvider to overwrite files in the client application’s app-specific storage.”

The component facilitates file sharing among installed apps; an incorrect implementation of this mechanism, however, can introduce significant vulnerabilities.

“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s implementation. Arbitrary code execution can provide a threat actor with full control over an application’s behavior. Meanwhile, token theft can provide a threat actor with access to the user’s accounts and sensitive data.” reads the advisory published by Microsoft.

The issue arises when the receiving application fails to verify the content of the file it receives and relies on the filename provided by the sending application. Because the receiving application caches the file within its internal data directory, a sending application that uses a malicious version of FileProvider can exploit Dirty Stream to overwrite important files within the receiving application.

“To prevent these issues, when handling file streams sent by other applications, the safest solution is to completely ignore the name returned by the remote file provider when caching the received content. Some of the most robust approaches we encountered use randomly generated names, so even in the case that the content of an incoming stream is malformed, it won’t tamper with the application.” concludes Microsoft.
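As an added illustration of the receiving-side pattern described above (example code written for this page, not Microsoft's, Google's or any affected vendor's code): a hypothetical IncomingFileCache helper for an Android client app, showing the vulnerable caching pattern next to a hardened version that ignores the provider-supplied name and writes the stream to a randomly named file inside its own cache directory. The class name, method names and the "incoming" subdirectory are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

/** Receiving ("client") side of an Android file share. Hypothetical helper, not from the advisory. */
public final class IncomingFileCache {

    private IncomingFileCache() {}

    // VULNERABLE pattern from the advisory: the on-disk name is whatever the sending app's
    // FileProvider reports as DISPLAY_NAME. If that name contains "../" segments it resolves
    // outside the cache directory, so the write lands on the app's own files (preferences,
    // databases, native libraries, ...) inside its private data directory.
    public static File cacheUsingProviderName(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File dest = new File(ctx.getCacheDir(), name);   // 'name' is never validated
        copyStream(ctx.getContentResolver(), uri, dest);
        return dest;
    }

    // HARDENED: as Microsoft recommends, the remote name is ignored for the file path and a
    // random name is used instead. The display name may still be kept as UI metadata only.
    public static File cacheWithRandomName(Context ctx, Uri uri) throws IOException {
        File cacheDir = new File(ctx.getCacheDir(), "incoming");
        if (!cacheDir.isDirectory() && !cacheDir.mkdirs()) {
            throw new IOException("cannot create cache directory");
        }
        File dest = new File(cacheDir, UUID.randomUUID().toString());
        // Defence in depth: the canonical path must remain inside cacheDir.
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(base)) {
            throw new IOException("refusing to write outside the cache directory");
        }
        copyStream(ctx.getContentResolver(), uri, dest);
        return dest;
    }

    // Reads DISPLAY_NAME from the remote provider; the value is attacker-controlled.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                return c.getString(0);
            }
        }
        return "unnamed";
    }

    // Copies the remote stream to 'dest'; identical for both variants, the path is what differs.
    static void copyStream(ContentResolver resolver, Uri uri, File dest) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
    }
}
```

If the original name must be shown to the user, store it in a database or preferences entry keyed by the random file name rather than reusing it as a path component.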

Pierluigi Paganini


(SecurityAffairs – hacking, Android)

Russia-linked APT28 and crooks are still using the Moobot botnet

3 May 2024 at 18:39

The Ubiquiti EdgeRouter botnet is still used by the Russia-linked group APT28 and by cybercriminal organizations.

Trend Micro researchers reported that Moobot, the EdgeRouter botnet used by the APT28 group, is still active and is also used by cybercriminal organizations.

In January, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners released a joint Cybersecurity Advisory (CSA) to warn that Russia-linked threat actors are using compromised Ubiquiti EdgeRouters to evade detection in cyber operations worldwide.

The US agencies and international partners (peers from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom) observed multiple Russia-linked threat actors, including the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), using the Moobot botnet.

The threat actors used the botnet to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

The Moobot botnet has been active since at least 2016 and also includes other routers and virtual private servers (VPS). After the FBI took down the botnet, the operators set up new C2 infrastructure to control the compromised systems; many bots remained infected even after the law enforcement takedown.

Trend Micro also discovered that at least two prominent cybercriminal groups and the Russia-linked APT group Pawn Storm used the botnet.

The researchers observed hundreds of Ubiquiti EdgeRouter routers being used for different purposes, including Secure Shell (SSH) brute forcing, pharmaceutical spam, employing server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on phishing sites, multi-purpose proxying, cryptocurrency mining, and sending spear-phishing e-mails.

“We attribute the NTLMv2 hash relay attacks and the proxying of credential phishing to Pawn Storm, while the pharmaceutical spam looks to be related to the infamous Canadian Pharmacy gang.” reported Trend Micro. “Apart from the EdgeRouter devices, we also found compromised Raspberry Pi and other internet-facing devices in the botnet. Moreover, we found more than 350 datacenter VPS IP addresses that were still compromised even after the FBI disruption. Many of these compromised servers previously called back to the old C&C and later called back to the new C&C infrastructure. These could be easily abused by Pawn Storm or any other threat actor, as the criminal botnet operator protects their stolen assets poorly.”

During the investigation into a Linux botnet targeted in a partial takedown by the FBI in January 2024, the researchers discovered another Linux botnet running on some of the same EdgeRouters previously exploited by Pawn Storm.

This second botnet exhibits greater discretion and improved operational security, as the associated malware operates exclusively in memory, leaving no malicious files on the disk. The analysis of memory dumps and command-and-control connections revealed that the botnet is running a variant of the Ngioweb malware. Evidence suggests that these bots are part of a residential botnet available for commercial use to subscribers. The discovery underscores significant interest among different threat actors in compromising internet-facing routers.

The following table shows simultaneous activity found by Trend Micro on compromised EdgeRouters.

| Intrusion set | Motivation | TTP | TTP | Time range |
|---|---|---|---|---|
| Pawn Storm | Espionage | Shell scripts, SSH tunneling | Credential phishing, NTLMv2 hash relay attack | April 2022 – April 2024 |
| Water Zmeu | Financial gain | Shell scripts, SSHDoor | Proxy service, data theft, scanning, cryptocurrency mining | 2016 – 2024 |
| Water Barghest | Financial gain | Reverse proxy, multilayered C&C infrastructure | Residential proxy service | 2018 – 2024 |

“Internet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage.” concludes the report. “In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been installing backdoored SSH servers and a suite of scripts on the compromised devices for years without much attention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb malware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn Storm most likely easily brute forced the credentials of the backdoored SSH servers and thus gained access to a pool of EdgeRouter devices they could abuse for various purposes.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT28)
