JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system.
These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed.
A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.
Vulnerabilities Overview
HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:
CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.
Both vulnerabilities:
Require administrative authentication credentials to exploit.
Allow attackers to gain full control over the device upon successful exploitation.
Impact the confidentiality, integrity, and availability of the device.
Affected Software Versions
The vulnerabilities affect the following software versions:
HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.
Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.
Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.
Mitigation and Recommendations
To safeguard against these vulnerabilities, organizations should follow these steps:
Upgrade to a Fixed Version:
Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.
Restrict Management Interfaces:
Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.
Audit Network Devices:
Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.
Strengthen Authentication Mechanisms:
Enforce strong administrative passwords.
Regularly rotate administrative credentials to minimize the risk of unauthorized access.
Monitor for Suspicious Activity:
Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.
Stay Informed:
Subscribe to HPE’s Security Bulletin alerts to receive updates about future vulnerabilities and patches.
Technical Details of the Vulnerabilities
CVE-2024-54006
Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device’s underlying operating system via the web interface.
Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.
Workarounds
For organizations unable to immediately update to the fixed version, the following workarounds are recommended:
Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.
These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.
Final Notes
These command injection vulnerabilities in HPE Aruba’s 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls.
Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.
Our security solutions for Android are temporarily unavailable in the official Google Play store. To install Kaspersky apps on Android devices, we recommend using alternative app stores. You can also install our apps manually from the APK files available on our website or in your My Kaspersky account. This post gives in-depth instructions for installing Kaspersky on Android in 2025.
General recommendations
First, the good news: any Kaspersky apps you’ve already installed from Google Play will continue to work on your device. But they’ll automatically receive only antivirus database updates — not app or security feature improvements. If you uninstall an app, you won’t be able to reinstall it from Google Play.
Therefore, we recommend not deleting the apps already installed from Google Play, but to download and install over them the versions from these alternative stores:
You’ll find the same set of Kaspersky apps in all these stores, and the download methods are also alike:
Open the store app.
Enter “kaspersky” in the search bar (you may need to tap the magnifying glass icon to open the bar).
Find the app you want in the search results.
Depending on the store, tap Get, Install, Download or Update, or simply touch the download icon next to the name of the app.
If our apps are already installed on your device and you then download them from alternative stores, your device will retain all settings, and you won’t have to reactivate the license. What’s more, the apps can be updated automatically by enabling auto-update in the settings of the alternative store. Below is a how-to guide for all the recommended stores.
You can also install apps by downloading the APK files from our website. When you install over existing apps, all settings and licenses are retained. However, apps installed this way will not be updated automatically — you’ll need to track down new versions yourself, download them as APK files, and install them on your device manually. Because this is less convenient, we’ll soon be adding a feature to update apps automatically via their APK files, and will notify you when new updates come out. In the meantime, we recommend using the alternative app stores mentioned above.
What to do if your smartphone only has Google Play
If you only have Google Play on your smartphone, you first need to install an alternative app store, for example, Huawei AppGallery. Here’s how to do it:
How to enable auto-update for Kaspersky apps in alternative stores
To make sure you always have the latest version, after installing an app from an alternative store you need to enable auto-update in the store settings. We have step-by-step instructions for all stores — just follow one of the links below to go to the one you need:
Your device may warn you that the file isn’t safe to download. If this happens, confirm your action by tapping Keep or Download.
Once the download is complete, go to My files → Downloads, and tap the downloaded file. When installing it, you’ll need to allow installation of unknown apps from a new source. Here’s how to do it: Go to Settings → Apps → Additional → Special app access → Install unknown apps, find your browser in the list, and toggle the switch “Allow app installs” to On. That done, the Kaspersky app will continue to install. See here for more detailed instructions.
Granting permission to install unknown apps from Google Chrome
After installing our apps, make sure to turn this feature Off, since it can pose a security risk and so should only be used when absolutely necessary. To find out why we insist on this, see this Kaspersky Daily post.
How to buy a Premium subscription in your Kaspersky app
You can buy a subscription — for example, Kaspersky Premium — directly in the app itself. To do this, navigate to Profile, and under the Kaspersky Free icon tap Let’s go. Then select one of the three subscription tiers — Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium and the number of devices you want to protect, and check out.
How to activate an existing license in your Kaspersky app
If you installed any of our apps from an alternative store or from an APK file over one already installed from Google Play, there’s no need to reactivate your license.
If you bought a Kaspersky app on Google Play and connected it to your My Kaspersky account, but then uninstalled it and downloaded a new one from an APK file or an alternative store, your previously purchased license will work without any problems. See our detailed activation instructions.
If you uninstalled a Kaspersky app that was purchased from Google Play but not connected to your My Kaspersky account, then installed a new one according to the instructions in this post, please contact technical support to reactivate your license. They’ll be happy to assist.
If you have a license for multiple devices, the easiest way to activate apps on additional devices is to install them using the links in My Kaspersky — this way they’ll be activated automatically. You can also install Kaspersky apps from an alternative store or APK file as described above, and follow the instructions to activate the license.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-21 12:07:172025-01-21 12:07:17How to download, install, and update Kaspersky apps for Android | Kaspersky official blog
This signature technique was previously used to distribute QRLog and Docks /RustDoor, and is now delivering BeaverTail and InvisibleFerret. In this first article, we will conduct a technical dissection of the latter.
InvisibleFerret actively seeks source code, wallets, and sensitive files
The Beaver
These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus. By staging fake job interviews, threat actors aim to spread malware disguised either as coding challenges (or their dependencies) or video call software, in a campaign now known as Contagious Interview or DevPopper.
One of the implants distributed is BeaverTail, a stealer and loader written in obfuscated JavaScript and delivered as an NPM module. While not the focus of this article, BeaverTail downloads a customized portable Python environment (“p.zip”) and later deploys InvisibleFerret as its next stage, which is the main subject of this research.
BeaverTail targets major browsers such as Opera, Brave, and Chrome, seeking user and add-on data
The Ferrets
InvisibleFerret is a Python-based malware that, at first glance, shows a disorganized structure and unnecessary escaping sequences, giving a glimpse of what lies ahead if we dare to explore the code further. A quick look reveals a compact initialization of hardcoded constants used to install dependencies via pip, which are later reused multiple times throughout its execution.
InvisibleFerret’s code is messy, with over 100 functions adding to its complexity
As expected from malware of its kind, InvisibleFerret does not generate an output trail or a logfile of its actions. Its silent nature, combined with a somewhat difficult-to-read codebase, led me to add verbosity to its functions and expand some of its compressed syntax and overly compact one-liners for better readability, creating PrettyVisibleFerret. This version is more talkative and easier to read for everyone, but still executes malicious instructions and should be handled with care.
PrettyVisibleFerret running on ANY.RUN showing exfiltrated information in real-time
After submitting the malware for analysis to ANY.RUN’s Interactive Sandbox, the first thing this mischievous ferret attempts is to gather basic information about the victim, such as geolocation — by querying legitimate services like ip-api.com (commonly used by other malware and even drainers like “ETH Polygon BNB”) — as well as system details like OS release, version, hostname, and username, before finally generating a unique ID.
Try secure malware and phishing analysis with ANY.RUN’s Interactive Sandbox
Outgoing HTTP connections to ip-api.com and the C2 server on an unusual port are shown in ANY.RUN
After the /keys endpoint is accessed, the ferret jumps to the next C2 server in the infection chain, registering the host by its name and tagging it based on its OS.
Outgoing HTTP connections to both C2 servers captured by ANY.RUN
Our host is now registered within the adversary infrastructure, but before continuing along the infection chain and following the white ferret, let’s review the traffic and noise generated so far.
Up to this point, most of the traffic is legitimate, either originating from the package manager pip — even if invoked by the malware itself — or directed to legitimate services like ip-api. However, we can observe three streams to two C2 servers using ports 1244 and 1245, which are correctly flagged as ‘unusual’ by ANY.RUN.
As seen in ANY.RUN, initial traffic targets legitimate sources with 3 streams connecting to 2 C2 servers
Aside from the unusual port, there’s another interesting yet careless detail: the Python package ‘requests’ is using its default User-Agent (python-requests/2.25.1 in this case), making it easier to dissect the traffic, narrow down destinations, and map the adversary’s infrastructure.
Legitimate traffic blends with malicious requests, all generated by the same script
What happens next is better understood by examining the code rather than dry-running the sample in a sandbox filled with placebo files. We’ll let the simulation run and return later to gather indicators and behaviors.
Be advised: much of this malware is held together by sticks and mud, so expect confusing and poor practices, such as ‘obfuscating’ C2 addresses within a sliced Base64-encoded string.
The careless use of Base64 obfuscation makes it trivial to decode and retrieve C2 server addresses
The Session class implements FTP as one of its exfiltration methods, relying on the Python ftplib package. If the package is not found, it attempts to install it. Once again, the exfiltration host is poorly hidden in plain sight within a Base64-encoded string.
Python imports are scattered throughout the code, loaded as needed rather than grouped at the top
The ferret then moves on to assess what to steal, declaring five extensive arrays: some designed to list extensions, files, directories, and patterns to ignore, and others specifying what to target.
Targets source code and sensitive files, suggesting corporate espionage
The Shell class implements new and dangerous methods allowing our fluffy adversary to run arbitrary commands sent by the attacker and downloading and executing a subsequent stage of the infection chain.
Functions for downloading and executing the next stage adapting to the host OS
Remember ftplib? It comes into play again in the o_ftp method, which opens FTP connections. Meanwhile, the ssh_upload method handles the data exfiltration process.
Functions for preparing and exfiltrating data
This process — defined by the method storbin — is somewhat complex. Files with specific extensions, such as compressed files or virtual machine disk files, are sent directly to the server via the FTP STOR command. Other files are obfuscated using XOR with a specific key before being transferred to the server. While not a robust encryption method, this technique adds a basic layer of protection.
The key “G01d*8@(“ is used on files not matching the extensions
Files are compressed using py7zr in 7z format (on Windows) or zip format with pyzipper (on Unix), with the password defaulting to ‘2024’ if none is provided.
‘2024’ is not a compliant password
Finally, down_any and ssh_any, download and execute AnyDesk, a legitimate remote desktop software, to establish persistence.
AnyDesk is downloaded directly from the adversary’s infrastructure
Two notable mentions are the ssh_env function, responsible for detecting the running OS and mapping points of interest in the corresponding file system: Documents and Downloads on Windows and /Volumes, /home, and /vol on Unix;
Documents, Downloads, home folders and volumes are targets
and the ssh_kill one, which kills Google Chrome and Brave browsers processes.
Terminates browser processes on both Windows and Unix
However, this tricky ferret doesn’t stop there—it has more in store for the victim’s browsers. After identifying the local browser, it defines specific paths to extract user data, such as profiles, cookies, credentials, and browsing history. Dedicated classes are implemented for Chrome, Chromium, Opera, Brave, Edge, and Vivaldi.
Browser data exfiltration routines for multiple vendors
A set of browser extensions is targeted to exfiltrate their data, primarily including crypto exchange and wallets like Metamask, multi factor authentication apps like Google Authenticator and password managers like 1Password.
This function targets a large number of extensions
Telegram is also used as an exfiltration channel for files, directly invoking the BotsAPIsendDocument endpoint. Since the connection and queries are handled entirely locally, PrettyVisibleFerret can reveal the Chat ID and Bot Secret Token used, enabling interaction with the bot and potentially reconfiguring or shutting it down through @BotFather, Telegram’s Bot Manager.
PrettyVisibleFerret discloses the received Telegram Bot token
On Windows systems, the ferret imports (or attempts to install if missing) pywin32 (provides Windows API access), psutil (used to retrieve system information and manage processes), pyWinhook (a library for keyboard and mouse event handling), and pyperclip (used to manage the clipboard). The last two are pretty self-explanatory.
Pyperclip is specifically used to monitor clipboard changes and exfiltrate its content. This is useful to capture passwords, keys and other secrets.
All clipboard changes within 50ms will be copied and exfiltrated using a custom format
PyHook is used to hook into the Windows operating system to capture user input events, monitoring both the keyboard (keystrokes) and the mouse.
Keylogger implementation using pyHook to capture keystrokes and clipboard events
And so the code reaches its EOF. Let’s return to the simulation to examine the resulting IOCs and see what conclusions we can draw from them.
Chasing a Ferret: IOCs & TTPs
This playful threat left quite a mess, so let’s summarize the indicators gathered so far. Remember that the earlier stage, BeaverTail, downloads a portable Python runtime (‘p.zip’) from the /pdown endpoint to run InvisibleFerret, meaning indicators from that activity are also included.
These indicators can be observed in action through ANY.RUN’s timeline, providing a structured view of how the malware operates in a step-by-step view.
ANY.RUN’s timeline provides a detailed view of malware behavior, highlighting key actions
As previously discussed, not every queried IP or downloaded file is inherently malicious, even if retrieved by malware. Many are legitimate packages, dependencies, or services that benefit the broader community but are sometimes misused by bad actors. We can’t label a tool or artifact as an Indicator of Compromise simply because it’s used by malicious actors.
However, we can trace behaviors, such as “this bad actor uses this API to geolocate victims” or “this actor frequently relies on this remote desktop solution for persistence”. These behaviors are the essence of TTPs: Tactics, Techniques, and Procedures—essentially, how an actor operates and achieves its objectives.
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
ANY.RUN maps IOCs to techniques used by InvisibleFerret
Contextualizing these threats helps researchers and the broader community standardize threat behaviors, improving their understanding and making collaboration more effective. For example, a threat actor (or malware) querying ip-api to geolocate a victim and another one using a different service for the same purpose both fall under the T1016 technique, “System Network Configuration Discovery”, in general terms. While their actions at a more specific level are classified as Procedures, grouping them under a shared taxonomy significantly reduces information fragmentation and organizes data in a structured manner.
With proper context, a query to ip-api.com becomes T1016
The same applies to the other behaviors discussed in this article, such as using an unusual port to connect to a service. These actions fall under T1571, regardless of the specific port, protocol, or direction used.
As before, adding context to an unusual connection renders T1571
ANY.RUN’s direct integration with the MITRE ATT&CK Matrix simplifies the TTP mapping process by assembling it in real time.
That said, I think we’ve had enough playtime with our pet—it’s time to put the ferret back in its cage.
Ferret Fever
These campaigns involve large investments not only in infrastructure and human resources but also in developing quite convincing scenarios, like a fake job interview where you are asked to run a coding challenge or download a meeting software, which may seem completely normal if you don’t overthink it.
Always double-check job offers, don’t run software from unknown origins on your company equipment, stay safe out there, and whatever your situation is, don’t befriend ferrets, invisible or pretty visible ones alike.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
Mozilla products, including the popular Mozilla Firefox and Thunderbird, have been found to contain multiple vulnerabilities that could allow attackers to execute arbitrary code, cause system instability, and even gain escalated privileges. The severity of these issues is high, and they affect both desktop and mobile versions of Mozilla’s browser and email client.
The Indian Computer Emergency Response Team (CERT-In) reported these Mozilla vulnerabilities in an advisory published on January 20, 2025, with patches already available in recent updates. Users and organizations relying on Mozilla Firefox, Mozilla Thunderbird, and their extended support release (ESR) versions are advised to take immediate action to mitigate risks.
The Mozilla vulnerabilities are present in several versions of Mozilla Firefox and Thunderbird, specifically:
Mozilla Firefox versions prior to 134
Mozilla Firefox ESR versions prior to 128.6
Mozilla Firefox ESR versions prior to 115.19
Mozilla Thunderbird versions prior to 134
Mozilla Thunderbird ESR versions prior to 128.6
Mozilla Thunderbird ESR versions prior to 115.19
The issues are critical for both individual users and enterprises using these open-source applications for browsing and communication. Users should ensure they have the latest updates installed to avoid potential exploits.
Overview of the Mozilla Vulnerabilities
A range of vulnerabilities has been identified in Mozilla Firefox and Thunderbird, with the potential to allow attackers to perform actions such as remote code execution (RCE), denial of service (DoS) attacks, bypass security restrictions, or even spoof system elements. Mozilla has provided security patches in versions 134 for Firefox and Thunderbird, as well as in the ESR releases 128.6 and 115.19. These issues are significant because they provide opportunities for remote attackers to exploit weaknesses in the software without needing to interact directly with the targeted system.
Vulnerabilities in Mozilla Firefox and Thunderbird have been classified with high and moderate severity levels, as attackers could gain unauthorized access to sensitive information, execute arbitrary code, or disrupt normal system operations. The full exploitation of these vulnerabilities may result in system instability or a complete compromise of the affected device.
Key Vulnerabilities
Several vulnerabilities have been identified and addressed across Mozilla Firefox and Thunderbird. Below are some of the notable issues that have been fixed in the latest updates:
CVE-2025-0244: Address Bar Spoofing in Firefox for Android
Impact: High
Description: This vulnerability allowed an attacker to spoof the address bar in Firefox for Android when redirecting to an invalid protocol scheme. This could mislead users into believing they were on a legitimate site, facilitating phishing and other malicious activities.
Note: This issue only affected Android operating systems.
CVE-2025-0245: Lock Screen Setting Bypass in Firefox Focus for Android
Impact: Moderate
Description: A flaw in Firefox Focus allowed attackers to bypass user authentication settings for the lock screen, potentially giving unauthorized individuals access to the application.
CVE-2025-0237: WebChannel API Vulnerability
Impact: Moderate
Description: The WebChannel API, used for communication across processes in Firefox and Thunderbird, did not properly validate the sender’s principal. This could lead to privilege escalation attacks, allowing attackers to perform actions with higher privileges than intended.
CVE-2025-0239: Memory Corruption via JavaScript Text Segmentation
Impact: Moderate
Description: A flaw in how Firefox and Thunderbird handled JavaScript text segmentation could cause memory corruption, which might lead to crashes or, in some cases, the execution of arbitrary code.
CVE-2025-0242: Memory Safety Bugs
Impact: High
Description: Several memory safety bugs were discovered in both Firefox and Thunderbird that showed signs of memory corruption. If exploited, these bugs could allow remote attackers to execute arbitrary code, compromising system security.
These vulnerabilities in Mozilla products are part of a broader set of security flaws that the Mozilla team has identified and addressed. The vulnerabilities affect multiple platforms, including desktop and mobile versions, and may result in severe security breaches if not patched.
Recommendations for Users
Given the potential impact of these Mozilla vulnerabilities, it is crucial for all users to update their systems to the latest versions of Mozilla Firefox or Thunderbird. The updates, which are available for both standard and ESR releases, fix critical security flaws and improve overall system stability. Additionally, users are advised to consider the following precautions:
Ensure that Mozilla Firefox and Thunderbird are updated to versions 134 or higher, or to the appropriate ESR releases (128.6 or 115.19).
Keep an eye on system behavior for signs of malicious exploitation, such as unexpected crashes or unauthorized access.
For those using Mozilla Firefox or Thunderbird in a business environment, enable multifactor authentication and other security features to limit exposure to attacks.
Without the proper patches, attackers can exploit Mozilla Firefox vulnerabilities to gain access to sensitive data, compromise user systems, and cause severe disruptions. Memory corruption issues, such as those reported in CVE-2025-0242, could lead to remote code execution, allowing attackers to hijack user systems or deploy malware. Furthermore, flaws like CVE-2025-0244 could facilitate phishing campaigns by spoofing URLs in the address bar, tricking users into visiting malicious websites.
Conclusion
Mozilla has released important security fixes for vulnerabilities in Mozilla Firefox and Mozilla Thunderbird that affect a wide range of users. These vulnerabilities, which could lead to arbitrary code execution, denial of service, or privilege escalation, are present in older versions of the software. Users are strongly advised to upgrade to the latest versions to protect against potential exploitation. Additionally, by applying recommended mitigations and staying informed about the latest security updates, users can better protect their systems from cyber threats.
To protect online systems against these vulnerabilities, Cyble, an award-winning cybersecurity firm, offers advanced, AI-powered cybersecurity solutions. With platforms like Cyble Vision, businesses can leverage real-time threat detection and actionable insights to mitigate risks from these vulnerabilities, including Mozilla vulnerabilities. Cyble’s comprehensive suite of tools, including vulnerability management, dark web monitoring, and brand intelligence, helps organizations proactively address security gaps. By integrating Cyble’s threat intelligence, companies can enhance their defenses and better protect against cyberattacks.
For more information on how Cyble can help protect your systems, schedule a personalized demo and see how AI-driven solutions can strengthen your cybersecurity strategy.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-21 11:07:222025-01-21 11:07:22Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users
Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild.
Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet’s products.
This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.
The Vulnerability Explained
The CVE-2024-55591 vulnerability stems from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:
Creating administrative or local user accounts.
Modifying firewall policies, addresses, or system settings.
The vulnerability impacts the following versions of FortiOS and FortiProxy products:
FortiOS
Versions 7.0.0 through 7.0.16 are affected.
Versions 7.6, 7.4, and 6.4 are not affected.
FortiProxy
Versions 7.0.0 through 7.0.19.
Versions 7.2.0 through 7.2.12.
Versions 7.6 and 7.4 are not affected.
Solution:
Upgrade FortiOS to version 7.0.17 or later.
Upgrade FortiProxy to versions 7.0.20 or 7.2.13 or later.
How Attackers Exploit the Vulnerability
Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:
Create random user accounts such as “Gujhmk” or “M4ix9f”.
Add these accounts to administrative or VPN groups.
Use SSL VPN connections to infiltrate the internal network.
Indicators of Compromise (IOCs)
Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.
Log Entries
Look for the following types of suspicious log entries in your system:
Attackers have been observed using the following IP addresses to launch attacks:
45.55.158.47 (most commonly used)
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
It’s important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.
Recommended Actions
1. Update Immediately
If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.
2. Mitigations for Immediate Protection
If an upgrade cannot be performed immediately, consider implementing the following mitigations:
Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
Restrict Access with Local-In Policies: Limit access to the administrative interface by allowing only trusted Ips
Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.
Exploitation in the Wild
Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:
Gujhmk
Ed8x4k
Alg7c4
These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.
Best Practices for Enhanced Security
Enable Logging and Monitoring: Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections.
Conduct Regular Vulnerability Scans: Perform routine scans to identify and patch other vulnerabilities within your network infrastructure.
Adopt a Zero Trust Approach: Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks.
Educate Your Team: Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats.
Implement Multi-Factor Authentication (MFA): Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.
Conclusion
The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn’t optional; it’s imperative.
It’s not just about reacting to vulnerabilities—it’s about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation.
The broader lesson here is clear: vulnerabilities are inevitable, but breaches don’t have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones.
As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow.
Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape.
Your next step could define the safety of your organization.
Cyble honeypots have detected vulnerability exploits on Check Point and Ivanti products, databases, CMS systems, and many other IT products.
Overview
Cyble honeypot sensors have detected new attacks on vulnerabilities in Check Point and Ivanti products, among dozens of other vulnerability exploits recently picked up by Cyble sensors.
Cyble’s sensor intelligence reports to clients in the first two weeks of 2025 also highlighted new database and CMS attacks. Unpatched Linux systems and network and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.
The reports also examined new brute-force attacks and phishing campaigns. Here are some of the highlights.
Vulnerabilities Under Attack
Here are some of the vulnerability exploits detected by Cyble sensors.
CVE-2024-24919 is an 8.6-severity vulnerability affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, identified by Check Point being actively exploited. If successfully exploited, the vulnerability could allow an attacker to access sensitive information on Internet-connected Gateways that have a remote access VPN or mobile access enabled, and potentially move laterally and gain domain admin privileges.
Ivanti had a challenging 2024, with 11 vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog, trailing only Microsoft, and new vulnerabilities have already been added this year. One particular Ivanti vulnerability that Cyble is detecting attacks on is CVE-2024-7593, a 9.8-severity Ivanti Virtual Traffic Manager (vTM) vulnerability that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.
Attackers are exploiting CVE-2024-8503, a time-based SQL injection vulnerability in VICIDIAL that could allow an unauthenticated attacker to enumerate database records. By default, VICIDIAL stores plaintext credentials within the database. VICIDIAL is a software suite that works with the Asterisk Open-Source PBX Phone system to create an inbound/outbound contact center.
CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG gateways, specifically MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.
CVE-2024-56145 is a critical vulnerability in Craft CMS systems. If the register_argc_argv setting in php.ini is enabled, this issue affects users of impacted versions, allowing an unspecified remote code execution vector. Users are advised to update to versions 3.9.14, 4.13.2, or 5.5.2. Those unable to upgrade should mitigate the risk by disabling register_argc_argv in their PHP configuration.
Cyble sensors have also identified attackers scanning for the URL “/+CSCOE+/logon.html”, which is used to access the login page for the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has been found to have various vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting, which could allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.
Brute-Force Attacks
The Cyble sensor reports also include considerable detail on brute-force attacks. These attacks frequently target remote desktops and access systems, with ports 5900 (VNC), 3389 (RDP), and 22 (SSH) being the most frequently attacked ports.
Other frequently attacked ports include 3386 (GPRS tunneling), 445 (SMB), and 23 (Telnet).
Cyble advises adding security system blocks for frequently attacked ports.
Recommendations and Mitigations
Cyble researchers recommend the following security controls:
Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
Constantly check for Attackers’ ASNs and IPs.
Block Brute Force attack IPs and the targeted ports listed.
Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
For servers, set up strong passwords that are difficult to guess.
Conclusion
With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.
To access the full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-20 15:06:492025-01-20 15:06:49Cyble Sensors Detect Attacks on Check Point, Ivanti and More
Quantum computers remain a highly exotic technology, used by a very small number of companies for very specific computational tasks. But if you search for “quantum computer news”, you might get the impression that all the major IT players have already armed themselves with quantum technology, and that any day now hackers will start using it to crack encrypted communications and manipulate digital signatures. The reality is both less tense and more complex — but such nuances don’t make the headlines. So, who’s been making all the noise about quantum hacking?…
Mathematicians
Although the respected American mathematician Peter Shor meant to create neither hype nor panic, it was he who, back in 1994, proposed the idea of an entire family of algorithms for solving computationally complex mathematical problems on a quantum computer. Chief among these was the problem of factoring into prime numbers. For sufficiently large numbers, a classical computer would need… centuries to find a solution — which serves as the foundation of cryptographic algorithms like RSA. However, a powerful quantum computer using Shor’s algorithm could solve this problem much faster. Although such a computer was still a dream in 1994, Shor’s idea captured the imagination of hackers, physicists, and of course, journalists. Shor recalls that when he first presented his idea at a conference in 1994, he hadn’t yet completely solved the factorization problem — the final version of his research was only published in 1995. Nevertheless, just five days after his presentation, people were confidently proclaiming that the factorization problem had been solved.
Startups
For many years, the quantum threat was considered just a distant possibility. The number of quantum bits (qubits) required to break cryptography was estimated to be in the thousands or millions, while experimental quantum computers were still in single digits. The situation changed in 2007, when the Canadian company D-Wave Systems demonstrated the “first commercial quantum computer”, boasting 28 qubits, with a plans to scale up to 1024 qubits by the end of 2008. The company predicted that by 2009 it would be possible to rent quantum computers for cloud computations — using them for risk analysis in insurance, modeling in chemistry and materials science, as well as for “government and military needs”. By 2009, D-Wave expected to achieve quantum supremacy — when a quantum computer could solve a problem faster than a classical one.
The quantum community had to spend years dealing with the company’s claims. The principle of quantum annealing, used in D-Wave systems, wasn’t even considered a quantum effect, and its existence was only proven in 2013 — albeit with serious reservations. Meanwhile, the magnitude (and even the existence) of quantum supremacy continued to be a subject of debate even longer. In any case, D-Wave systems can run neither Shor, nor Grover’s algorithms, making them unsuitable for cryptanalysis tasks. The company continues to build computers (or, rather, “quantum annealers”) with ever-increasing numbers of qubits, but their practical application remains very limited.
Cyber agencies
When the U.S. National Security Agency (NSA) issues warnings and advice on a problem, it’s a good reason to take that problem seriously. That’s why the NSA’s 2015 recommendation urging companies and governments to begin transitioning to quantum-resistant encryption was taken as a signal that the arrival of practical quantum computers might just be round the corner. This warning came as a surprise: at the time, the largest number that had been factored using Shor’s algorithm on a quantum computer was… 21. This fueled speculation that the NSA knew something about quantum computers that the rest of the world didn’t.
Now, nearly a decade later, we can be fairly confident that the NSA was sincere in its subsequent explanations, released six months later: they were simply warning of a potential danger ahead of time. After all, equipment purchased for government agencies tends to remain in service for decades, so systems should be upgraded well in advance to avoid future vulnerabilities. Around the same time, NIST announced a competition to develop a standardized set of quantum-resistant algorithms. In 2024, this new standard was adopted.
Internet giants
Many major IT companies, such as Google and IBM, have shown interest in quantum computing — and invested in it. At the end of the 20th century, IBM labs created the first working quantum computer with two qubits. But it was Google that, in 2019, announced the long-awaited achievement of quantum supremacy. Their experimental 53-qubit computer, Sycamore, could reportedly solve a problem in not much over three minutes that would take a classical supercomputer 10,000 years. However, IBM disputed this claim, arguing that this problem was purely synthetic, designed for quantum computers specifically, and having no real-world application. For a supercomputer to solve the same problem, it would simply have to simulate a quantum one, which would be quite useless — not to mention slow. IBM further stated that with sufficient disk space, a classical supercomputer could solve the same problem with greater accuracy and in a relatively short time: no more than 2.5 days.
Even the original creator of the term “quantum supremacy”, Professor John Preskill, criticized Google’s excessive use of the phrase, noting its popularity with journalists and marketers. As a result, its intended technical use has been obscured.
Governments
Security experts, including the NSA, have repeatedly emphasized that the quantum threat is a reality — even in the absence of a practical quantum computer. One possible scenario is well-resourced malefactors storing an encrypted copy of valuable data today in order to decrypt it in the future when quantum computers become viable. Such an attack, known as harvest now, decrypt later, is often mentioned in the context of the “quantum race”, and in 2022, the U.S. government created quite a stir by claiming to already be facing SNDL attacks. Experts from the post-quantum security firm QuSecure also referred to SNDL attacks as a “common practice” in an article ominously titled Quantum apocalypse.
Meanwhile, the White House coined the term CRQC (Cryptanalytically Relevant Quantum Computer) and ordered U.S. agencies to switch to post-quantum encryption algorithms no later than 2035.
Enthusiasts
Quantum computers are complex, unique physical devices that often require extreme cooling. As a result, small firms and individual researchers have a hard time keeping up in the quantum race; however, that doesn’t stop some from trying. In 2023, statements from a researcher named Ed Gerck, founder of a company called Planalto Research, created a small buzz. According to Gerck, his company managed to perform quantum computations on a commercial Linux desktop with capital costs of less than a thousand dollars and without using cryogenics. The author claimed to have broken a 2048-bit RSA key despite these limitations. Interestingly, Gerck allegedly developed his own algorithm to do this, rather than using Shor’s. Cryptographers and developers of quantum computers have repeatedly demanded proof of Gerck’s claims but received only excuses in response. Gerck’s paper has in fact been published; however, experts note serious methodological flaws and speculative elements.
And, of course, the press
A study by researchers at Shanghai University directly linking quantum computing to encryption cracking was published in China in September 2024. However, it only caused a splash worldwide after a November article in the South China Morning Post. This article claimed that the Chinese scientists had successfully broken “military-grade encryption”, and this headline was carelessly replicated by other media outlets.
In fact, the authors of the study did target encryption, but solved a much more modest problem — they cracked 50-bit ciphers related to AES (Present, Gift-64, and Rectangle). Interestingly, they used one of the latest models from the very same D-Wave, using classical algorithms to compensate for its limitations compared to a full-fledged quantum computer. This study is scientifically novel, but its practicality in breaking real-world encryption is highly questionable. In addition to the deficit of qubits, the incredibly long classical pre-calculations required to crack real 128 or 256-bit keys remains an obstacle.
This wasn’t the first time researchers have claimed success in breaking encryption, but an earlier, similar announcement in 2022 received little attention.
Internet giants (yes, again)
A new round of speculation began with Google’s recent announcement of its Willow chip. The developers have claimed that they’ve managed to solve one of the key problems in scaling quantum computing — error correction. This problem arises because it’s extremely challenging to read the state of a qubit without making errors or disturbing its entanglement with other qubits. Therefore, calculations are often run multiple times, and many “noisy” physical qubits are combined into a single “perfect” logical one. Despite these measures, as the number of qubits increases, errors grow exponentially, making the system increasingly fragile. In contrast, the new chip demonstrates the opposite behavior — as the number of qubits increases, errors are reduced.
Willow has 105 physical qubits. Of course, this is far from enough to break modern encryption. According to the Google researchers themselves, their computer would need millions of qubits to become a CRQC.
But such trifles didn’t stop other researchers from declaring the imminent death of modern cryptography. For example, researchers at the University of Kent have estimated that advances in quantum computing could require the Bitcoin network to shut down for 300 days in order to update to quantum-resistant algorithms.
Welcome to reality
Leaving the mathematical and technical aspects aside, it’s worth emphasizing that, as of right now, cracking modern encryption using quantum computers is still impossible, and this is unlikely to change in the near future. However, sensitive data that will remain valuable for years to come should be encrypted with quantum-resistant (post-quantum) algorithms today to avoid potential future risks. Several major IT regulators have already issued recommendations on transitioning to post-quantum cryptography, which should be studied and gradually implemented.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-17 14:07:222025-01-17 14:07:22Hype and confusion surrounding quantum computers in cryptography
Key vulnerabilities in SAP, Microsoft, Fortinet, and others demand immediate attention as threat actors exploit critical flaws.
Overview
Cyble Research and Intelligence Labs (CRIL) analyzed significant IT vulnerabilities disclosed between January 8 and 14, 2025.
The Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Microsoft released its January 2025 Patch Tuesday updates, addressing 159 vulnerabilities, including eight zero-days, three of which are under active exploitation.
Other notable vulnerabilities this week are flaws in SAP NetWeaver Application Server and other high-profile products. CRIL’s monitoring of underground forums also revealed discussions on critical zero-day vulnerabilities and their potential weaponization.
Key Vulnerabilities
SAP NetWeaver and BusinessObjects
CVE-2025-0070: Improper authentication in SAP NetWeaver AS for ABAP, enabling privilege escalation.
CVE-2025-0066: Weak access controls leading to unauthorized information disclosure.
CVE-2025-0061: Session hijacking in SAP BusinessObjects, risking sensitive data exposure.
Impact: SAP NetWeaver’s foundational role in critical industries like finance, healthcare, and manufacturing makes these vulnerabilities particularly concerning.
Mitigation:Patches are available for all vulnerabilities, and immediate application is recommended.
Fortinet FortiOS
CVE-2024-55591: A critical authorization bypass vulnerability in FortiOS with a CVSS score of 9.8, allowing unauthorized users to execute arbitrary commands.
Impact: Exploited in the wild, this vulnerability has been observed in attempts to gain super-admin privileges on affected systems.
Mitigation: Upgrade FortiOS to the latest patched versions (7.0.17 or above for version 7.0 and 7.2.13 or above for version 7.2).
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Use-after-free and buffer overflow vulnerabilities in Microsoft Hyper-V NT Kernel Integration VSP.
Impact: These vulnerabilities pose risks of denial-of-service or privilege escalation within virtualized environments.
Mitigation: Apply Microsoft’s January Patch Tuesday updates.
Vulnerabilities on Underground Forums
CRIL observed active discussions and Proof-of-Concept (PoC) code for vulnerabilities on underground forums:
CVE-2024-55956: Critical unauthenticated file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom products, allowing arbitrary code execution.
Observed Activity: PoC shared on Telegram by a threat actor.
CVE-2024-45387: SQL injection vulnerability in Apache Traffic Ops, enabling attackers to execute SQL commands against backend databases.
Observed Activity: Threat actor “dragonov_66” posted PoC on cybercrime forums.
Additionally, a threat actor advertised for sale zero-day pre-authentication Remote Code Execution (RCE) vulnerabilities affecting GoCloud Routers and Entrolink PPX VPN services.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog
The following vulnerabilities were added to CISA’s KEV catalog:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-17 13:08:242025-01-17 13:08:24Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others
Cyble Research and Intelligence Labs (CRIL) has identified an ongoing cyberattack – targeting organizations in Germany.
The attack is initiated through a deceptive LNK file embedded within an archive. When executed by an unsuspecting user, this LNK file triggers cmd.exe to copy and run wksprt.exe, a legitimate executable.
This executable sideloads a malicious DLL that employs DLL proxying, ensuring the host application continues to operate seamlessly while executing malicious shellcode in the background.
The shellcode ultimately decrypts and executes the final payload: Sliver, a well-known open-source Red Team/adversary emulation framework.
Once deployed, Sliver functions as an implant, enabling threat actors to establish communication with the compromised system and conduct further malicious operations, thereby enhancing their control over the infected network.
Overview
Cyble Research & Intelligence Labs (CRIL) recently identified an ongoing campaign involving an archive file containing a deceptive LNK file. While the initial infection vector remains unclear, this attack is likely initiated via spear-phishing email.
The archive file “Homeoffice-Vereinbarung-2025.7z,” once extracted, contains a shortcut (.LNK) file along with several other components, including legitimate executables (DLL and EXE files), a malicious DLL file, an encrypted DAT file, and a decoy PDF. Interestingly, the creation times of most files in the archive are about a year old, with only the lure document being recently created. This suggests that the Threat Actor (TA) has not updated their core components, opting instead to introduce a new lure document to maintain the campaign’s relevance.
Upon execution, the LNK file triggers the opening of a decoy document, masquerading as a Home Office Agreement. This document serves as a lure to deceive the user. Concurrently, the LNK file also executes a legitimate executable, which subsequently performs DLL sideloading. The legitimate executable loads the malicious DLL, which is designed to retrieve and decrypt the shellcode from the DAT file stored in the same extracted archive. This entire process occurs entirely in memory, enabling the attack to evade detection by security products.
The shellcode is designed to decrypt and execute an embedded payload, a Sliver implant—an open-source red teaming and command and control framework employed by the TA for further malicious actions. Upon execution, the implant establishes connections to specific remote servers/endpoints, enabling the TA to conduct additional malicious operations on the victim’s system.
The figure below provides an overview of the infection process.
Figure 1 – Infection chain
Technical Details
The attack begins once the victim extracts an archive file, likely delivered via an email attachment, containing several files:
Homeoffice-Vereinbarung-2025.pdf.lnk – Main shortcut file
However, only Homeoffice-Vereinbarung-2025.pdf.lnk, disguised as a PDF, is visible, while the other files remain hidden. When the user runs this LNK file, it triggers cmd.exe to execute a series of commands, copying files to specific directories and performing additional tasks. The image below shows the command embedded in the LNK file.
Figure 2 – Contents of the .LNK file
Following the execution of the LNK file, a directory named “InteI” is created within the user’s local app data folder (%localappdata%InteI). A legitimate Windows file, wksprt.exe, from C:WindowsSystem32 is then copied into this newly created InteI directory. Subsequently, the hidden files IPHLPAPI.dll, IPHLPLAPI.dll, and ccache.dat are copied into the “InteI” directory, with their hidden attributes preserved.
To establish persistence on the victim’s machine, wksprt.lnk, one of the files from the extracted folder, is copied to the Startup folder (%appdata%MicrosoftWindowsStart MenuProgramsStartup). This LNK file is designed to execute wksprt.exe, which has been copied to the “InteI” directory, ensuring that the executable runs automatically upon system startup.
Figure 3 – Command line parameters of LNK file
Before the final step, the decoy file “00_Homeoffice-Vereinbarung-2025.pdf” is executed to maintain the appearance of a legitimate document being opened.
Figure 4 – Lure document
The lure document is a Home Office Agreement (Homeoffice-Vereinbarung) written in German, serving as a supplementary agreement to an existing employment contract between an organization and an employee, outlining the terms for remote work. Based on the content of this lure document, we believe this campaign is designed to target individuals or organizations in Germany. Furthermore, the initial .7z file was observed to have been uploaded to VirusTotal from a German location, supporting this assessment. Finally, wksprt.exe is launched from the “InteI” directory to carry out further actions.
The malicious DLL file has a very low detection rate, as shown below.
Figure 5 – Low Detection rate of Malicious DLL file
DLL Sideloading and DLL Proxying:
The legitimate executable wksprt.exe sideloads a malicious DLL (IPHLPAPI.dll) from the current directory. The malicious IPHLPAPI.dll then loads a slightly renamed legitimate DLL (IPHLPLAPI.dll), designed to appear authentic. Both DLLs export the same functions, as shown below.
Figure 6 – Export functions of both DLLs
The malicious DLL acts as a proxy, intercepting function calls from the executable and forwarding them to the legitimate DLL, which contains the actual implementation of the function, as shown below.
Figure 7 – DLL proxying
The forwarding of function calls ensures that the application maintains its normal behavior while allowing the malicious DLL to execute its own code. In addition, the malicious DLL spawns a new thread to read the contents of the file ccache.dat, as shown below.
Figure 8 – Reading the encrypted content from the .dat file
After the “ccache.dat” file’s content is read, the malicious thread decrypts the malicious data. It employs the following cryptographic APIs for key generation and decryption:
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptDeriveKey
CryptDecrypt
The thread now copies the decrypted content to the newly allocated memory and executes it. The figure below shows the decrypted content of “ccache.dat” and the control transfer to the decrypted content.
Figure 9 – Decrypted content
The decrypted content is a shellcode that runs another decryption loop to retrieve the actual payload embedded within it, as shown below.
Figure 10 – Final payload
The shellcode is designed to execute the embedded Sliver implant—an open-source red teaming framework used for malicious purposes by the TAs. Once executed, the implant connects to the following endpoints to carry out additional activities on the victim’s system.
While we cannot definitively attribute this campaign to any specific group at this point, the initial infection vector, stager DLL behavior, shellcode injection, and Sliver framework exhibit patterns typically associated with APT29 in past campaigns. Additionally, this group has frequently employed the DLL sideloading technique in its operations. However, the most recent sample analyzed introduces DLL proxying, a technique not previously observed in APT29’s campaigns.
Conclusion
This campaign targets organizations in Germany by impersonating an employee agreement for remote working. Using this lure, the threat actors deploy a deceptive LNK file and malicious components to gain an initial foothold on the victim’s system, leading to its compromise and further exploitation.
By employing advanced evasion techniques such as DLL sideloading, DLL proxying, shellcode injection, and the Sliver framework, the attackers effectively bypass traditional security measures. This multi-stage cyberattack highlights the increasing sophistication and adaptability of threat actors, underscoring the growing complexity of APT operations and the urgent need for enhanced detection and defense strategies.
Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.
Our Recommendations
The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
Use application whitelisting to prevent unauthorized execution of LNK files and other suspicious components.
Deploy Endpoint Detection and Response (EDR) solutions to identify and block malicious behaviors, such as DLL sideloading and shellcode injection.
Monitor for anomalous network activities, such as unexpected outbound connections, to detect Sliver framework-related activities.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-17 11:07:122025-01-17 11:07:12Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques
Outgoing U.S. President Joe Biden issued an order yesterday outlining measures to improve government cybersecurity. The lengthy order includes suggestions to improve cloud and software security by building requirements into the federal acquisition process. It also orders federal agencies to adopt a number of cybersecurity technologies and practices and takes a forward-thinking approach to AI.
As the culmination of efforts that began nearly four years ago in response to the Colonial Pipeline ransomware attack, the order is also valuable as a “lessons learned” document from an Administration that has had much to deal with in four years of dramatic cybersecurity events.
Cloud, Software Security Goals
Biden’s final cybersecurity plan is also ambitious in its implementation timeline, as many of the initiatives would be completed within a year.
The lead federal agencies would develop contract language requiring software providers to attest and validate that they use secure software development practices. Open-source software would also be included in the plans, as agencies would be given guidance on security assessments and patching, along with best practices for contributing to open-source projects.
Federal government contractors would be required to follow minimum cybersecurity practices identified by NIST “when developing, maintaining, or supporting IT services or products that are provided to the Federal Government.”
Cloud service providers that participate in the FedRAMP Marketplace would create “baselines with specifications and recommendations” for securely configuring cloud-based systems to protect government data.
IAM, Post-Quantum Encryption Goals
Federal agencies would be required to “adopt proven security practices” to include in identity and access management (IAM) practices. Pilot tests for commercial phishing-resistant standards such as WebAuthn would be conducted to help those authentication efforts.
The Biden plan says post-quantum cryptography (PQC) – in at least a hybrid format – should be implemented “as soon as practicable upon support being provided by network security products and services already deployed” in government network architectures.
The plan also requires secure management of access tokens and cryptographic keys used by cloud service providers and encryption of DNS, email, video conferencing, and instant messaging traffic.
CISA would lead the development of “the technical capability to gain timely access” to data from agency EDR solutions and security operation centers (SOCs) to enable rapid threat hunting.
BGP’s security flaws are also addressed, with requirements that ISPs implement routing security measures such as Route Origin Authorizations, Route Origin Validation, route leak mitigation, and source address validation.
AI Cybersecurity Innovation
The executive order says AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”
AI cybersecurity implementation would start with a pilot program on the use of AI to improve critical infrastructure security in the energy sector. That program may gauge the effectiveness of AI technologies in detecting vulnerabilities, automating patch management, and identifying malicious threats.
The Department of Defense would start its own program on the use of “advanced AI models for cyber defense.”
The order asks science and research agencies to prioritize research on AI cybersecurity that meets the following criteria:
Human-AI interaction methods to assist with defensive cyber analysis
AI coding security assistance, including the security of AI-generated code
Designing secure AI systems
Methods for “prevention, response, remediation, and recovery of cyber incidents involving AI systems.”
Conclusion
Biden’s cybersecurity order is the culmination of four years which began even before the Colonial Pipeline incident with the SolarWinds software supply chain attack.
The order includes longer-term goals, including a three-year plan for modernizing federal information systems, networks, and practices, with a focus on zero-trust architectures, EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-01-17 11:07:122025-01-17 11:07:12AI Takes the Center Stage in Biden’s Landmark Cybersecurity Order
