Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-06-03 to 2024-06-10.
[X/Twitter] CSS injection in GitHub profiles - Not a lot of detail on this but apparently using LaTeX you can include external CSS in your GitHub profile.
Features removed or no longer developed starting with Windows Server 2025 (preview) - "All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated." Backwards compatibility will keep NTLM relaying alive for at least another decade.
Microsoft Recall
- Update on the Recall preview feature for Copilot+ PCs - Microsoft says Recall will now be opt-in. For how long one wonders, until they flip it back to opt-out.
- Add Recall module for dumping all users Microsoft Recall DBs & screenshots #335 - Recall extraction feature added to netexec.
- TotalRecall - This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out - A lot of keys! Pretty cool!
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
The Japanese video-sharing platform, Niconico, temporarily suspended its services following a large-scale cyberattack on June 8, 2024.
“Due to the effects of a large-scale cyber attack, Niconico has been unavailable since early morning on June 8th” reads the incident notice published by the company. “We sincerely apologize for the inconvenience.
In response to the incident, the company temporarily suspended Niconico Family Services such as Niconico Video, Niconico Live Broadcast, Niconico Channel, etc. The company also suspended the Niconico Account login on external services.
“Beginning in the early hours of Saturday, June 8th, an issue occurred that prevented access to multiple servers in our group. In response to this incident, we immediately shut down the relevant servers to protect the data. Based on the scope of our internal analysis and investigation that was conducted on the same day, we have determined that there is a high possibility that we were the victim of a cyber attack.” reads a statement from the company.
The video-sharing platform also canceled/postponed programs scheduled from June 10th to June 16th.
The company is investigating the security incident with the help of law enforcement and external experts to determine the full extent of the damage.
The company has yet to determine if threat actors have stolen any information from its systems.
The Japanese firm did not reveal the type of cyberattack it suffered; however, the problems it is facing and the incident response procedure adopted suggest it was the victim of a ransomware attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cyber attack)
The UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London.
In early June, a ransomware attack on pathology and diagnostic services provider Synnovis severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in some cases, patients were redirected to other hospitals.
Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.
In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.
“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”
Synnovis has yet to release a new update and hasn’t provided any information on the scope of the attack.
Law enforcement suspects that Qilin extortion gang is behind the attack.
The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.
“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement published by NHS London.
“All urgent and emergency services remain open as usual and the majority of outpatient services continue to operate as normal.” continues the NHS. “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.”
The NHS confirmed that the ransomware attack has disrupted blood matching tests, for this reason, affected hospitals are using O Negative and O Positive blood for patients who can’t wait for alternative matching methods. For this reason, the NHS is calling for O-type blood donations.
“England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.
“The IT incident affecting a pathology provider means the affected hospitals cannot currently match patients’ blood at the same frequency as usual. For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished. That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients.”
O Negative blood is a universal blood type, anyone can receive it, for this reason, it is crucial in emergencies or when a patient’s blood type is unknown. Despite only 8% of the population having O Negative, it accounts for about 15% of hospital orders. O Positive, the most common blood type, can be given to anyone with a positive blood type, benefiting 76% of the population. 35% of blood donors have O Positive blood.
“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.
“We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.”
“To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability.” said Dr Gail Miflin, Chief Medical Officer, NHS Blood and Transplant. “We have availability for donors who know they are type O but we also welcome new donors who don’t yet know their blood type. You might have one of these special types that can be used in emergencies.””
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, London hospitals)
At the end of May, the auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred in early May and the website of the auction house was unreachable after the attack.
According to BBC, Christie had problems in selling art and other high-value items worth an estimated $840 million due to a cyberattack. The spring auctions include a Vincent van Gogh painting valued at $35 million and rare wine, among other lots. Some sales have been delayed due to the cyber attack.
RansomHub claimed responsibility for the attack and added the company to its Tor leak site. The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.
“While utilizing access to Christies network we were able to gain access to their customers sensitive personal information including [BirthPlace MRZFull DocumentNumber BirthDate ExpiryDate FirstName LastName IssueDate IssuingAuthority Sex DocumentCategory DocumentType NationalityName] as well as address, hieght, race and much more sensitive information for at least 500,000 of their private clients from all over the world.” states the group.
The group threatened to leak the stolen data if the victim did not pay the ransom by Sunday, June 2,024.
The gang said it has attempted to negotiate the payment with the auction house without success. The gang added that after they will post stolen data, Christie will incur heavy fines from GDPR.
The auction house notified privacy regulators and law enforcement.
According to Christie’s Individual Notification Letter shared with the Maine Attorney General, the threat actors stole some files containing personal information, including names, driver’s license numbers, and non-driver identification card numbers. The incident impacted 45,798 individuals.
“On May 9, 2024, we discovered that we were the victim of a cybersecurity incident that impacted some of our systems. As soon as we became aware of this event, we promptly took steps to secure our environment, launched an investigation, and engaged external cybersecurity experts to assist. We also notified law enforcement and continue supporting their investigation. The investigation revealed an unauthorized actor accessed some of our systems and certain files stored therein between May 8, 2024, and May 9, 2024, and some files were copied from those systems on May 9, 2024.” reads the letter. “We conducted a robust review of the files to identify individuals whose information may have been impacted and worked to obtain addresses and notify them as quickly as possible after completing the review on May 30, 2024.”
The company is offering identity theft and fraud monitoring services for one year.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute specializing in microbiology and vaccine development.
In their latest campaign, Sticky Werewolf targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB Kristall, a Moscow-based company involved in aircraft and spacecraft production and maintenance. Previously, the group used phishing emails with links to malicious files. In the latest campaign, the threat actor used archive files containing LNK files that pointed to a payload stored on WebDAV servers.
After executing the binary hosted on a WebDAV server, an obfuscated Windows batch script is launched. The script runs an AutoIt script that ultimately injects the final payload.
“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io. However, in their latest campaign, the infection method has changed.” reads the analysis published by Morphisec. “The initial email includes an archive attachment; when the recipient extracts the archive, they find LNK and decoy files. These LNK files point to an executable hosted on a WebDAV server. Once executed, this initiates a Batch script, which then launches an AutoIt script that ultimately injects the final payload.”
The archive includes a decoy PDF File and two LNK Files Masquerading as DOCX Documents named Повестка совещания.docx.lnk (Meeting agenda) and Список рассылки.docx.lnk (Mailing list) respectively.
The threat actor used phishing messages allegedly sent by the First Deputy General Director and Executive Director of AO OKB Kristall. The recipients are individuals from the aerospace and defense sector who are invited to a video conference on future cooperation. The messages use a password-protected archive containing a malicious payload.
The payloads employed by the threat actors include commodity RATs or stealers. Recently, Sticky Werewolf was spotted using Rhadamanthys Stealer and Ozone RAT in their campaigns. In previous attacks the group also deployed MetaStealer, DarkTrack, and NetWire.
“These malwares enable extensive espionage and data exfiltration. While there is no definitive evidence of Sticky Werewolf’s national origin, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists, though this attribution remains uncertain.” concludes the report that also includes Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – Hacking, malware)
Last week, the RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claimed to have stolen 5GB of data from the telecommunications giant.
Stolen data include names, email addresses, SSNs, credits, scores, dates of birth, and phone numbers.
“Data is more than 2 million customer with address name email ssn credit score date of birth and phone number. We gave frontier 2 months to contact us but they don’t care about clients data. Below is screenshot of some of the data.” reads the message published by the group. “Now anyone who wants to buy this data can contact our blog support, we only sell it once.”
In April, Frontier Communications notified the Securities and Exchange Commission (SEC) that it had to shut down certain systems following a cyberattack. The incident was identified on April 14 after that an unauthorized threat actor gained unauthorized access to parts of its IT environment.
The company launched an investigation into the security breach with the help of leading cybersecurity experts and started operations to contain the incident.
“Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. “While we do not believe the incident is reasonably likely to materially impact our financial condition or results of operations, we continue to investigate the incident, have engaged cybersecurity experts, and have notified law enforcement authorities.”
RansomHub has published an image of the stolen records as proof of the data breach and threatens to publish the stolen data if the victim will not pay the ransom within nine days.
Initially, the company did not provide details about the attack, but last week it started notifying over 751,895 individuals that their personal information was stolen in the attack.
“On April 14, 2024, we detected unauthorized access to some of our internal IT systems. Our investigation identified your personal information among the data affected by this incident.” reads the notification letter sent to the Impacted individuals. “The personal information involved includes your <>. Based on our investigation, we do not believe your personal financial information was affected.
Frontier Communications revealed that threat actors stole names, other personally identifiable information, and Social Security numbers.
Frontier Communications is offering a year of complimentary credit monitoring and identity theft resolution services months to the impacted individuals.
“In addition to activating the credit monitoring and identity theft resolution services, we recommend that you remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors.” concludes the letter reads.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
Researchers at cybersecurity firm DEVCORE discovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-4577, in the PHP programming language. An unauthenticated attacker can exploit the flaw to take full control of affected servers.
PHP is a popular open-source scripting language widely used for web development.
“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.” reads the advisory published by DEVCORE.
The vulnerability CVE-2024-4577 was reported to the PHP development team by the Devcore researcher Orange Tsai on May 7, 2024. The developers released a version that address the issue on June 6, 2024.
The flaw resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.
Since the disclosure of the vulnerability and publicly availability of a PoC exploit code, multiple actors are attempting to exploit it, reported Shadowserver and GreyNoise researchers.
Shadowserver researchers observed multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against its honeypot sensors starting on June 7th.
Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows.
— The Shadowserver Foundation (@Shadowserver) June 7, 2024
Patches released June 6th: https://t.co/jM5HgGUZJF
Exploit PoC is public.
Greynoise researchers also reported malicious attempts of exploitation of the CVE-2024-4577.
“As of this writing, it has been verified that when the Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server:
For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.” continues the advisory. “Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”
XAMPP Users are vulnerable due to a default configuration that exposes the PHP binary. Although XAMPP has not yet released an update for this vulnerability, DEVCORE provided instructions to mitigate the risk of attacks.
The experts recommend administrators of systems that cannot be upgraded and users of EoL versions, to apply a mod_rewrite rule to block attacks:
LoginRewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]XAMPP users should find the ‘ScriptAlias’ directive in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf) and comment it out.
“It is strongly recommended that all users upgrade to the latest PHP versions of 8.3.8, 8.2.20, and 8.1.29.” concludes the advisory. “However, since PHP CGI is an outdated and problematic architecture, it’s still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press – Newsletter
Cybercrime
Cybercriminals Attack Banking Customers In EU With V3B Phishing Kit
London hospital services impacted by ransomware incident
Snowflake Data Breach Impacts Ticketmaster, Other Organizations
New York Times source code stolen using exposed GitHub token
Malware
Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan
RansomHub: New Ransomware has Origins in Older Knight
FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out
TargetCompany’s Linux Variant Targets ESXi Environments
Hacking
Snowflake at centre of world’s largest data breach
Hacking Millions of Modems (and Investigating Who Hacked My Modem)
Molding Lies Into Reality || Exploiting CVE-2024-4358
A Zero Day TikTok Hack Is Taking Over Celebrity And Brand Accounts
2024: Old CVEs, New Targets — Active Exploitation of ThinkPHP
Intelligence and Information Warfare
Video Games Might Matter for Terrorist Financing
Disrupting FlyingYeti’s campaign targeting Ukraine
GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns
Revealed: Russian legal foundation linked to Kremlin activities in Europe
NSA chief says China readying destructive cyberattacks on critical infrastructure
How Russia is trying to disrupt the 2024 Paris Olympic Games
Cybersecurity
Generative AI is expected to magnify the risk of deepfakes and other fraud in banking
Cyber house of cards – Politicians’ personal details exposed online
Preventing and Waging War in the AI–CYBER Era
Google Leak Reveals Thousands of Privacy Incidents
Coast Guard To Empower Maritime Cybersecurity
361 million stolen accounts leaked on Telegram added to HIBP
Cisco Patches Webex Bugs Following Exposure of German Government Meetings
How to Opt Out of Instagram and Facebook Using Your Posts for AI
How to spot a deepfake: the maker of a detection tool shares the key giveaways
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
This week, VX-Underground first noticed that the internal data of The New York Times was leaked on 4chan by an anonymous user. The mysterious user leaked 270GB of data and claimed that the American newspaper has over 5,000 source code repositories, with less than 30 being encrypted.
The New York Times confirmed to BleepingComputer that the internal source code and data belonging to the company leaked on the 4chan message board is legitimate.
Today on 4chan someone leaked the source code (?) to the New York Times. They leaked 270GB of data
— vx-underground (@vxunderground) June 6, 2024
They wrote that the New York Times has 5,000+ source code repositories, with less than 30 being encrypted (?). It is 3,600,000 files in total
Note: We haven't reviewed the data
The Times said the data and source code were stolen from the company’s GitHub repositories in January 2024.
According to BleepingComputer stolen files may include IT documentation, infrastructure tools, and source code, allegedly the Wordle game.
The threat actor wrote he had used an exposed GitHub token to access the repositories, but The Times initially said that the attackers obtained the credentials for a cloud-based third-party code platform. Later, the company confirmed that the third-party platform was GitHub.
The Times clarified that the security breach of its GitHub account did not affect its internal systems and had no impact on its operations.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, The NY Times)
SolarWinds announced security patches to address multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform. The vulnerabilities affect Platform 2024.1 SR 1 and previous versions.
One of the vulnerabilities addressed by the company, tracked as CVE-2024-28996, was reported by a penetration tester working with NATO.
The flaw CVE-2024-28996 (CVSS score 7.5) was discovered by NATO Communications and Information Agency pentester Nils Putnins. The flaw is a read-only subset of SQL, SWQL, which allows users to query the SolarWinds database for network information. According to the advisory, the attack complexity is high.
The company also addressed multiple vulnerabilities in third-party companies. The flaws, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), are a race condition issue and a stored XSS bug in the web console, respectively.
The company fixed multiple bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.
The company released version 2024.2 that addressed the above vulnerabilities.
It is unclear if any of these flaws have been exploited in attacks in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SolarWinds)
The story of the attack against the Chinese shopping platform Pandabuy demonstrates that paying a ransom to an extortion group is risky to the victims.
BleepingComputer first reported that Pandabuy had previously paid a ransom to an extortion group to prevent stolen data from being published, but the same threat actor extorted the company again this week.
In April, at least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum.
The member of the BreachForums ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several critical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform with another threat actor named ‘IntelBroker.’
PandaBuy has been breached by Threat Actors operating under the names "Sanggiero" and "IntelBroker". Exfiltrated data includes:
— vx-underground (@vxunderground) April 1, 2024
– UserId
– First name
– Last name
– Phone number
– Login Ip
– Full address
– Order information
Breach patrons are relatively excited pic.twitter.com/Gg0HLEMSj1
Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.
“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking forum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by BreachForums.
The data is available for sale on the cybercrime forum, Sanggiero published a sample as proof of the data breach.
HIBP founder Troy Hunt confirmed that 1.3 million email addresses are valid, the remaining addresses are duplicates. Hunt added the leaked addresses to HIBP, users can check if they have been impacted in the incident.
A company representative said on a Discord channel that the security breach took place in the past, he also added that the company security team said no data breach took place this year.
On June 3, 2024, Sanggiero offered the entire database he had previously stolen from Pandabuy for sale at $40,000. The actor claims the database contains more than 17 million lines, greater than the initial dataset offered in April, which included 1.3 million lines.
“A Pandabuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount to stop the data leak, adding that the threat actor may have shared the data with others, so they would no longer cooperate with him.” reported BleepingComputer.
The company attempted to downplay the incident saying that the data offered by Sanggiero is the same of the previous leak
Pandabuy added that they could not continue paying ransom due to frozen funds, anyway they addressed the vulnerabilities exploited in the original attack. The company speculates the threat actors had “secretly sold” their data to cybercriminals.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercriminals)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber espionage campaign targeting defense forces in the country. The Ukrainian CERT attributes the attack to the threat actor UAC-0020 which employed a malware called SPECTR as part of the campaign tracked as SickSync.
The threat actor UAC-0020, aka Vermin, operates under the control of the law enforcement agencies of the temporarily occupied Luhansk.
The SPECTR malware has been active since at least 2019, it allows operators to steal sensitive data and files from the infected computer, it relies on the standard synchronization functionality of the legitimate SyncThing software.
Threat actors sent out spear-phishing messages with an attachment in the form of a password-protected archive named “turrel.fop.vovchok.rar”.
The archive contains another archive, named RARSFX archive (“turrel.fop.ovchok.sfx.rar.scr”) that contains the “Wowchok.pdf” decoy file, the “sync.exe” EXE installer created using InnoSetup, and the BAT file ” run_user.bat” used for initial startup.
The UA-CERT states that the “sync.exe” file contains the legitimate SyncThing components and SPECTR malware files, including additional libraries and scripts. Attackers modified the standard files of the SyncThing software to change the names of directories, scheduled tasks, disable the functionality of displaying messages to the user, etc.
The SPECTR information stealer can capture screenshots every 10 seconds, collect files, extract data from removable USB drives, and steal credentials from web browsers and applications like Element, Signal, Skype, and Telegram.
“It should be noted that the stolen information is copied to subfolders in the directory %APPDATA%\sync\Slave_Sync\, after which, using the standard synchronization functionality of the legitimate program SyncThing , the contents of these directories get to the attacker’s computer, which ensures data exfiltration.” reads the report from the CERT-UA. “From the point of view of network indicators (in case of confidence in not using the mentioned technology is authorized), taking into account the establishment of a peer-to-peer connection, among other things, we recommend paying attention to signs of interaction with the SyncThing infrastructure: *.syncthing.net.”
The report also includes indicators of cyber threats.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThinkPHP)
Akamai researchers observed a Chinese threat actor exploiting two old remote code execution vulnerabilities, tracked as CVE-2018-20062 and CVE-2019-9082, in ThinkPHP.
The campaign seems to have been active since at least October 2023, it initially targeted a limited number of customers/organizations but recently became widespread.
The attacks originated from various IP addresses associated with servers hosted on the “Zenlayer” cloud provider (ASN 21859) which is primarily located in Hong Kong.
“Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082.” reads the analysis published by Akamai.
In attacks detected on October 17, 2023, threat actors exploited vulnerabilities by instructing victim servers to install an obfuscated shell from a remote server under the attacker’s control, rather than using common “proof of concept” commands. This initial campaign was short-lived, but a similar and much larger campaign has been observed as of April 2024.
The CVE-2018-20062 and CVE-2019-9082 vulnerabilities in the Chinese ThinkPHP framework impact content management systems like NoneCMS and open-source BMS. These vulnerabilities allow attackers to remotely execute code on the victim’s server. They are part of a series of exploit variants targeting different ThinkPHP components, disclosed over several years starting from 2018.
The attacks detected by Akamai exploit the flaws to download a file named “public.txt” from a compromised server in China. This file is saved on victims’ systems as “roeter.php,” likely a misspelling of “router.” The downloaded file contains an obfuscated web shell, a server-side backdoor script for remote control. The web shell code is obfuscated using a basic ROT13 transformation, resulting in a long HEX string. The attackers used a simple password, “admin,” to access the web shell.
“The web shell demonstrates advanced capabilities, such as navigating the file system, which enables operations like file editing, deletion, and timestamp modification for obfuscation purposes.” continues the analysis. “The webshell user interface, also known as Dama, is in Traditional Chinese. In addition to the aforementioned advanced mechanisms, Dama facilitates file uploads to the server and gathers crucial technical system data, including precise OS versions and PHP information, which aids in the identification of pertinent privilege escalation exploits.
The experts pointed out that the Dama web shell stands out because of the Chinese origin of the user interface.
Post-exploitation features include network port scanning and access to existing databases and server data. The web shell also allows privilege escalation by bypassing disabled sensitive PHP functions to execute shell commands on the server. The web shell also uses the Windows task scheduler to reconfigure WMI and add high-privileged users. The Akamai researchers observed that despite its extensive functionality, the web shell lacks support for a command-line interface (CLI) for executing direct OS shell commands.
“This web shell is yet another example of a one-day — despite how long they’ve been known, attackers continue to target and exploit them, with notable success. This underscores the persistent challenge organizations face in identifying vulnerable assets and maintaining effective patch management processes.” concludes the report. “The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control. Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThinkPHP)
