Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt systems. Discover all…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology’s promises and opportunities.
darkreading – Read More
Cyble Research and Intelligence Labs (CRIL) researchers investigated 18 vulnerabilities and 10 dark web exploits in the last week – including an actively exploited Fortinet vulnerability with nearly 1 million exposed assets on the internet.
Other vulnerabilities analyzed by Cyble affect third-party Windows drivers, SharePoint, Qualcomm, Android, QNAP and more.
Here are the vulnerabilities highlighted by Cyble as meriting high-priority attention by security teams.
CVE-2024-23113 is a critical format string vulnerability affecting Fortinet’s FortiOS, specifically within the FGFM (FortiGate to FortiManager) service. The vulnerability could allow unauthenticated remote code execution (RCE) by malicious actors.
While the vulnerability dates from February, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog last month, and Cyble researchers have seen multiple exploits and proofs of concept (PoC) targeting the vulnerability discussed on the dark web and in cybercrime forums.
Cyble’s ODIN vulnerability search tool has detected 978,000 vulnerable Fortinet instances:
Another vulnerability with wide exposure is CVE-2024-50550, a critical privilege escalation vulnerability in LiteSpeed Cache plugin for WordPress, which is installed on over 6 million websites. Cyble honeypot sensors recently detected attacks on a different LiteSpeed vulnerability (CVE-2024-44000) and another WordPress plugin.
Cyble researchers said the new LiteSpeed vulnerability “could be leveraged to access backend databases as well to install arbitrary plugins or sniffers, leading attackers to exfiltrate payment card data and sensitive information of users,” as well as altering web pages.
CVE-2021-41285 and CVE-2020-14979 are high-severity vulnerabilities in drivers that could allow attackers to achieve local privilege escalation to NT AUTHORITYSYSTEM in Windows Systems. A newly identified malware called “SteelFox” has been observed mining for cryptocurrency and stealing credit card data by using the “bring your own vulnerable driver” (BYOVD) technique to create a service that runs WinRing0.sys inside vulnerable drivers, leading to privilege escalation.
CVE-2024-38094 is a high-severity remote code execution vulnerability affecting Microsoft SharePoint. Microsoft recently disclosed that the vulnerability is being exploited to gain initial access to corporate networks by attackers. Researchers also observed that attackers are targeting vulnerable SharePoint servers using publicly disclosed SharePoint proof-of-concept exploit code to plant a web shell that they later leverage to gain privileges and pivot into the compromised network.
CVE-2024-43047 is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that can lead to elevated privileges. CVE-2024-43093 is also a high-severity elevation of privilege flaw, impacting the Android Framework component and Google Play system updates, specifically in the Documents UI. Recently Google fixed both of the actively exploited zero-day flaws as part of its November security updates.
CVE-2024-8956 and CVE-2024-8957 impact PTZ cameras, which are extensively used in organizations around the world for applications such as live streaming, security surveillance, and conference automation. The critical vulnerabilities can also be chained by attackers to execute arbitrary OS commands on these devices, as well as access sensitive data such as usernames, password hashes, and device configuration details.
CVE-2024-10443 is a critical vulnerability in Synology’s BeeStation and DiskStation NAS devices, specifically within the BeePhotos and SynologyPhotos applications, which are designed to provide user-friendly personal cloud storage solutions. The vulnerability can allow remote attackers to execute arbitrary code. As NAS devices are commonly used to store sensitive data by both home and enterprise customers, Cyble researchers have assessed that attackers could attempt to leverage the vulnerability to breach the systems and steal data.
CVE-2024-50387: This as of yet unclassified vulnerability detailed in a QNAP advisory was revealed at Pwn2Own 2024. It is a critical SQL injection (SQLi) vulnerability impacting QNAP’s SMB Service, which is the vendor’s implementation of the Server Message Block (SMB) protocol within QNAP NAS devices, enabling file sharing and network services across Windows and other operating systems.
Here are 7 vulnerabilities and exploits that Cyble researchers observed under active discussion on underground forums and Telegram channels, plus claims of zero-day vulnerabilities for sale in Palo Alto Networks and Microsoft products.
CVE-2024-6778: A high-severity vulnerability affecting the Chromium web browser prior to version 126.0.6478.182. The vulnerability arises from a race condition in the DevTools component. An attacker can convince a user to install such an extension, allowing them to inject arbitrary scripts or HTML into privileged pages, thereby facilitating a sandbox escape.
CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability identified in pfSense version 2.5.2. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.
CVE-2024-44193: A vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to potentially elevate their privileges on affected systems, posing significant security risks.
CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.
CVE-2024-40711: A critical vulnerability in Veeam Backup & Replication software classified as a deserialization of untrusted data issue. This vulnerability allows unauthenticated remote code execution (RCE), enabling attackers to execute arbitrary code on affected systems without requiring any authentication.
CVE-2024-0311: A cybersecurity vulnerability identified in the Skyhigh Client Proxy, this flaw allows a malicious insider to bypass existing security policies without needing a valid release code, which can potentially lead to unauthorized access to sensitive data or applications.
CVE-2024-20419: The critical vulnerability affecting Cisco’s Smart Software Manager On-Prem (SSM On-Prem) arises from improper validation in the password change functionality, allowing unauthenticated remote attackers to change user passwords without prior knowledge of the existing password.
Cyble researchers also observed zero-day vulnerabilities being offered for sale on dark web forums, including a remote code execution (RCE) vulnerability in Palo Alto’s PAN-OS, and a privilege escalation (LPE) vulnerability in Windows that a threat actor was asking US$200,000 to $400,000 for. Palo Alto issued an advisory stating that it is aware of the PAN-OS claim.
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.
The post IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million appeared first on Cyble.
Blog – Cyble – Read More
The Australian Cyber Security Center (ACSC) has issued an important cybersecurity advisory detailing a range of vulnerabilities in 2023. The report, which was coauthored by cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom, provides a comprehensive overview of the vulnerabilities most targeted by cybercriminals, including the risks posed by zero-day exploits.
These advisory aims to inform organizations worldwide about the growing cyber threat landscape and offers guidance to minimize the risks posed by these vulnerabilities. The ACSC’s advisory identifies the most frequently exploited Common Vulnerabilities and Exposures (CVEs) of 2023 and their associated Common Weakness Enumerations (CWEs).
This security advisory is a collaborative effort from cybersecurity agencies around the world, including the Australian Cyber Security Center (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from Canada, New Zealand, and the United Kingdom.
In particular, CISA has worked closely with international partners to monitor, identify, and mitigate common vulnerabilities, reinforcing their shared commitment to securing digital infrastructure. The FBI has also been actively involved in identifying cyber threat actors exploiting these vulnerabilities, especially those targeting critical infrastructure in both the public and private sectors.
One of the most concerning trends identified in the advisory is the increasing exploitation of zero-day vulnerabilities. These vulnerabilities, which are unknown to the software vendor or the public at the time of exploitation, allow attackers to bypass security defenses and gain unauthorized access to systems.
In 2023, cybercriminals used zero-day vulnerabilities to exploit systems rapidly after their disclosure. Notably, these exploits were used to compromise high-value targets, including organizations in critical sectors such as healthcare, finance, and government.
The ACSC’s advisory highlights that reducing the lifespan of zero-day exploits can be achieved by improving security lifecycles and ensuring responsible vulnerability disclosure. Both vendors and developers are urged to adopt secure-by-design principles and frameworks like the SP 800-218 Secure Software Development Framework (SSDF) to enhance the security of software from the ground up.
The advisory identifies several CVEs that were routinely exploited in 2023. Among the most frequently targeted vulnerabilities are:
These vulnerabilities were exploited by a variety of cyber threat actors, including advanced persistent threat (APT) groups and ransomware operators. For instance, CVE-2023-34362, which affects the MOVEit Transfer product, was actively targeted by the CL0P ransomware gang. Similarly, CVE-2023-22515 in Atlassian Confluence was exploited by threat actors to gain unauthorized access to corporate networks, compromising sensitive data.
In many cases, these exploits were used to execute remote code, bypass authentication, or escalate privileges within affected systems. These vulnerabilities often result in significant disruption, financial loss, and reputational damage to affected organizations.
The advisory also sheds light on the associated Common Weakness Enumerations (CWEs) that underlie many of the vulnerabilities exploited in 2023. For example:
By understanding the CWEs associated with these CVEs, organizations can implement more targeted defenses to mitigate the risk of exploitation. Developers are encouraged to adopt practices that prevent these weaknesses from being introduced in the first place, such as using memory-safe languages and conducting regular security testing.
In response to these findings, the advisory provides several key recommendations for organizations and developers to enhance their cybersecurity posture and reduce the risk of exploitation:
The Australian Cyber Security Center (ACSC), in partnership with CISA, the FBI, and other international cybersecurity agencies, is calling on vendors, developers, and end-users to take immediate action to address these vulnerabilities and enhance their overall cybersecurity posture.
By following the advisory’s recommendations, organizations can reduce their exposure to cyber threats and strengthen their defenses against cyberattacks. The collaboration between global cybersecurity agencies emphasizes the importance of shared intelligence and international cooperation in the fight against cybercrime.
The post Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023 appeared first on Cyble.
Blog – Cyble – Read More
Unlock how AI transforms lead generation for businesses, from real-time targeting to automated follow-ups. Discover essential tools, tips…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Ivanti has released fixes for dozens of vulnerabilities in Endpoint Manager, Avalanche, Connect Secure, Policy Secure, and Secure Access Client.
The post Ivanti Patches 50 Vulnerabilities Across Several Products appeared first on SecurityWeek.
SecurityWeek – Read More
Intel and AMD have published November 2024 Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products.
The post Chipmaker Patch Tuesday: Intel Publishes 44 and AMD Publishes 8 New Advisories appeared first on SecurityWeek.
SecurityWeek – Read More
The CISO Forum Virtual Summit takes place on November 13th in SecurityWeek’s Virtual Conference Center.
The post CISO Forum Virtual Summit is Today appeared first on SecurityWeek.
SecurityWeek – Read More
US Immigration and Customs Enforcement put out a fresh call for contracts for surveillance technologies before an anticipated surge in the number of people it monitors ahead of deportation hearings.
Security Latest – Read More
Editor’s note: The current article is authored by the threat researcher Aaron Jornet Sales, also know as RexorVc0. You can find him on X and LinkedIn.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. After several spearphishing campaigns in which this well-known malware was attached, it gained significant popularity starting in 2013.
This keylogger has been available on various dark web sites, even having dedicated websites where the tool was sold. However, this keylogger has been cracked for years and used by different actors without going through the subscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of use.
Although it is not one of the most widely used malwares, it remains in active use and saw a significant resurgence during the COVID period. During this time, certain actors took advantage of the general hysteria to obtain company data through phishing campaigns.
Additionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, some of which include Galleon Gold, Mikroceen, iSPY crypter related with Gold Skyline, Remcos used on campaigns with HawkEye, Pony used on campaigns with HawkEye, etc.
The method of HawkEye’s delivery has varied throughout its history, as have the types of sources behind the attacks. Nevertheless, it has been primarily involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file, which could be a document, compressed file, or another malware acting as a loader for the keylogger.
It has also been used to target websites of portals typically accessed by companies, which were the main targets of the attacking groups. Another common method of spreading HawkEye was through “free” software, which turned out to be malware in disguise.
HawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:
During the analysis process, I typically spend weeks, even months, collecting samples to understand how they function as a whole based on the existing variants. Therefore, we may observe variations among those presented. In most executions, we encounter enormous trees of processes based on their activities.
To simplify, as you’ve seen in the previous graph, it’s not as complex compared to other stealers or RATs. It generally consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related software. Later, in memory, it gathers all possible data and sends it to a C&C.
Going straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process—a succession of execution copies launched in temporary paths.
In this instance, they used the RoamingTemplates path, but this is highly variable depending on who created it. Generally speaking, they tend to abuse paths like AppDataRoaming and AppDataTemp, which are classic choices.
Here’s the list of paths observed for dropping files:
All of these files that are launched, and which we’ve observed executing in the previous step, are copies of themselves. The filenames are also highly variable, as you might expect, but they often try to have an icon that makes the victim think it’s a legitimate program, or the malware description might be altered to make it seem like legitimate software.
Ultimately, after comparing the dropped files, we can see they are simple copies of the original, with the particularity that some versions launch them in hidden mode, so you can’t see them unless you’ve enabled the “View hidden files” function in Windows.
During these file droppings, we can encounter both replicas of the original file in different paths, as well as support files whose functionality is typically to establish persistence (or check if it’s already done, and if not, do it) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is responsible for these actions.
I check to see if there is any shared information between the two binaries and notice that certain parts of the code match the original. This will become relevant later, as right now we’re seeing them separately, but everything will make sense afterward.
After this step, we can see how persistence is established. PredatorPain isn’t just a malware that establishes persistence once—it’s been observed to check and establish persistence up to three different times, depending on the phases (Loader > Injector > Payload).
This makes it clear that the malware is determined to persist on the system, one way or another. At this stage, to avoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier. This practice isn’t as common and adds a level of sophistication not found in other samples.
Not only does it create persistence in the registry, but we also find samples that establish persistence in tasks using commands like the following:
schtasks.exe /Create /TN "<Path><TaskName>" /XML "<File>"After observing its behavior in the early stages, we delve deeper into the entire execution thread throughout the analysis phase with debugging. I’ve followed several samples, and they’re mostly similar—samples in .NET, sometimes obfuscated with tools like Confuser, Eaz, Reactor, or similar, which are relatively easy to deobfuscate.
In most samples, I noticed heavy interaction with resources, which will become crucial shortly since I observed a significant amount of data in these resources across most of the samples I found.
In the malware’s initial phases, it looks for the running process (which will be the previously prepared copy), where it will check the PID to access the resources. Within these resources, we see two distinct types of code: the initial part, which acts as a key, and the data chunk, which is what will be deobfuscated. To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.
It can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource as we do from obfuscated code in memory, like the example shown below.
The result of this phase is two extracted files—one will be the injector, and the other will be the Keylogger.
I compared both files, and they’re entirely different, in size, in structure—the only common factor is that both are .NET binaries.
To highlight the difference between the injector dropped on disk (Right) and the one extracted from memory (Left), we can compare the extended content. We can observe how the memory-extracted injector includes imports related to injection that the disk version doesn’t (such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, etc.).
Here we can observe various functionalities while extracting the binaries, such as self-deletion. This is done to maintain evasion and avoid revealing its location, as it drops replicas of the original binary in various locations, as we saw earlier.
One of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more functionalities than the one seen on disk. This is because the injection tasks are carried out during runtime, but the written file is actually a portion of this, triggering the main binary located in the temporary path.
It checks persistence and restarts the entire process, including injection. Therefore, it’s a part of the file without revealing all of its functionalities. I’ll show you how it performs injection using Process Hollowing.
In essence, the injector doesn’t have much more functionality. It includes a phase where it checks running processes, which is an interesting technique to detect analysis tools or to determine if the process is already running. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.
Lastly, we only have the second extraction left to observe, which is HawkEye itself. I’ve encountered many versions of it, as the modules included will vary significantly based on what the creator configures in the builder of the Keylogger itself.
We’ll talk more about this later, but you can see all the functionalities that can be added during its creation, which will impact the modules incorporated into it.
At this point, I conducted tests with several builders to verify this theory, as I had extracted multiple samples to the final phase, and almost none of them resembled each other too much. I tested by removing or adding options, and even with the same sample, there were significant differences, so you can imagine how different it can be if it’s not exactly the same version of the keylogger and different elements were selected during its creation.
At this stage, we just need to examine the payload’s functionalities. Upon first glance, we can see strings that reveal its nature—this sample didn’t expect anyone to reach this point, as it has three well-defined phases that conceal its tracks, but here we can see many indicators of what it is.
During the execution of this specific module, we can observe it invoking vbc.exe as it injects the payload into this process, using the same techniques we’ve previously seen.
Regarding the modules it brings, I compared three different samples, and they are quite similar in terms of what they can do. The general functionalities that typically match include:
Calling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers I’ve seen. Once injected into vbc.exe or other processes, it carries out various actions mentioned above.
As we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script kiddies. In my research, I found different places where this keylogger was sold—there were up to 4-5 different sites, as it changed developers and domains over time, which is quite common.
It has also been distributed through cracks, where it was sold or offered on forums to members, avoiding the usual membership fees or markets, offering it for very low payments compared to the standard price, which as we mentioned earlier, ranged from $20 to $50.
It’s always important with these kinds of tools to locate the original software in different versions to understand how it works from both the victim’s and the attacker’s perspectives, so we can get a complete view of the malware
Here, we can see that the builder provides a multitude of configuration options, allowing us to choose where to send the stolen information (email, FTP, etc.), what we want to collect (browser info, FTP credentials, mail, etc.), whether to check for certain tools, establish persistence, delete data, download from a domain (this could function as a downloader for other malware), change the payload data to make it appear like legitimate software (e.g., changing the icon, description, etc.). As you can see, it’s incredibly comprehensive. After compiling, we’ll have our complete Keylogger, Stealer, or Downloader (call it what you will, as it does everything) ready to use.
I don’t want to repeat myself too much, but when comparing the versions we’ve seen and extracted with the ones we created ourselves, they function exactly the same—same injections, persistence, data theft (or whatever was chosen in the builder). Therefore, in telemetry, we won’t find any surprises, as you can see below.
After analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has displayed over the decades. It’s truly a tremendously powerful and easy-to-use tool that, unfortunately, we will continue to see in security incidents from actors of all types.
Finally, I would like to thank you for reading this analysis and for supporting me.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Request free trial of ANY.RUN’s products →
[TA0001][T1566.001] SpearPhishing
[TA0002][T1204] User Execution
[TA0003][T1053] Scheduled Task/Job
[TA0003][T1547.001] Registry Run Keys / Startup Folder
[TA0005][T1112] Modify Registry
[TA0005][T1564.001] Hidden Files and Directories
[TA0005][T1055] Process Injection
[TA0005][T1562] Impair Defenses
[TA0005][T1027] Obfuscated Files or Information
[TA0005][T1140] Deobfuscate/Decode Files or Information
[TA0005][T1036] Masquerading
[TA0005][T1497] Virtualization/Sandbox Evasion
[TA0006][T1552] Unsecured Credentials
[TA0006][T1555] Credentials from Password Stores
[TA0007][T1087] Account Discovery
[TA0007][T1518.001] Security Software Discovery
[TA0007][T1033] System Owner/User Discovery
[TA0007][T1012] Query Registry
[TA0007][T1016] System Network Configuration Discovery
[TA0007][T1518] Software Discovery
[TA0007][T1082] System Information Discovery
[TA0009][T1074.001] Local Data Staging
[TA0009][T1005] Data from Local System
[TA0009][T1560] Archive Collected Data
[TA0009][T1114] Email Collection
[TA0009][T1115] Clipboard Data
[TA0009][T1113] Screen Capture
[TA0011][T1105] Ingress Tool Transfer
[TA0011][T1071] Application Layer Protocol
[TA0011][T1571] Non-Standard Port
[TA0042][T1583.008] Malvertising
60fabd1a2509b59831876d5e2aa71a6b
defc51f31f6c4fa89cc6a39a62d8a08f
dea59d578e0e64728780fb67dde7d96d
040058f70ffdee6398f7b64ae1ea46d3
e651dca5c850451cdba7f25cbb4134e7
de823ba5d67de8682e6d7b8b472dbbcb
25a2d98dfcf6a12ea6459882c56aa2e0
179b219afa2ac15b14affd399273148b
38a3cb547a0a19a61534792f572f08b0
addcd85e0126e63e46da09eb8ea97120
0a2f6501a36c1b13532139e3c1843109
addcd85e0126e63e46da09eb8ea97120
06916c9505da82f63a73768c6f336192
ab264deb2563dc4df8b281b18e0861ba
66[.]147[.]236[.]46
204[.]141[.]42[.]56
129[.]204[.]194[.]84
The post HawkEye Malware: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More