A recently identified command injection vulnerability in D-Link network-attached storage (NAS) devices exposes over 61,000 internet-connected units to potential exploitation.
The flaw, tracked as CVE-2024-10914, allows unauthenticated attackers to inject arbitrary commands by exploiting the name parameter in the cgi_user_add command.
The vulnerability affects legacy D-Link NAS devices, primarily used by small businesses, and holds a critical CVSS score of 9.2, calling for an immediate need for mitigation.
This vulnerability is especially concerning as D-Link has classified these devices as end-of-life (EOL) and end-of-service (EOS), meaning they will no longer receive security updates or patches. D-Link has recommended that users retire affected devices or, at minimum, isolate them from public internet access.
Affected Devices and Vulnerability Scope
The CVE-2024-10914 command injection vulnerability impacts several D-Link NAS models that are no longer supported. The affected devices include:
DNS-320 – Version 1.00
DNS-320LW – Version 1.01.0914.2012
DNS-325 – Versions 1.01, 1.02
DNS-340L – Version 1.08
The vulnerability lies in the account_mgr.cgi script, specifically when processing the name parameter within the cgi_user_add command. Due to insufficient input sanitization, attackers can manipulate this parameter to execute arbitrary shell commands, potentially compromising all data on the device.
According to a scan conducted on the FOFA platform by security researcher NetSecFish, more than 61,000 vulnerable devices are accessible from unique IP addresses globally, showcasing the extensive risk this flaw poses to users.
Exploitation Details
Exploiting CVE-2024-10914 requires minimal technical knowledge. Attackers can craft a simple HTTP GET request to the vulnerable device’s IP address, embedding malicious commands within the name parameter, as shown below:
The above command triggers the cgi_user_add function, injecting the shell command specified by the attacker, effectively granting unauthorized control over the device. This vulnerability (CWE-77) poses a severe risk, as command injection attacks can lead to complete device takeover, unauthorized access to stored data, and the potential for lateral movement within a network.
D-Link’s Response and Recommendations
D-Link released an advisory acknowledging the vulnerability and confirming that affected devices have reached end-of-life (EOL) status. As a result, they no longer receive firmware updates or security patches, meaning that no official fix will be provided.
“If a product has reached the End of Support (“EOS”) or End of Life (“EOL”), it typically does not receive further extended support or development. Typically, D-Link cannot resolve device or firmware issues for these products since all development and customer support have ceased,” the company said.
D-Link advises users to replace these NAS devices with more secure and supported models to mitigate the risk of exploitation.
For users who cannot immediately retire these devices, D-Link has issued the following recommendations:
Isolate Vulnerable NAS Devices: Disconnect the affected NAS devices from the public internet to prevent external exploitation.
Restrict Access: Limit access to the device by configuring firewall rules or network access controls that restrict traffic to trusted internal networks only.
Update Access Credentials: Frequently update and strengthen device passwords to mitigate potential unauthorized access and ensure encryption is enabled for wireless connections.
Consider Third-Party Firmware: For advanced users, third-party firmware may provide additional security updates, though it voids any remaining warranty and is unsupported by D-Link.
Security Implications and Best Practices
With over 61,000 potentially exposed devices and no available patch, this vulnerability has significant implications. Organizations using these NAS devices to store or transfer sensitive information are advised to take immediate action to mitigate potential breaches.
Beyond D-Link’s recommendations, organizations can adopt additional best practices to minimize their exposure to this risk:
Network Segmentation: Place vulnerable devices in segmented network zones to prevent attackers from moving laterally if they gain initial access.
Regular Vulnerability Scanning: Implement frequent scanning to identify exposed or vulnerable devices within the network.
Monitor Network Traffic: Set up network monitoring to detect unusual traffic patterns or access attempts, which could indicate exploitation.
Cybersecurity Awareness: Inform employees and network administrators about this vulnerability to reinforce secure practices for managing NAS devices.
Conclusion
CVE-2024-10914 represents a critical risk to D-Link NAS device users, particularly as these devices will not receive security patches due to their EOL/EOS status. Immediate action is necessary to mitigate this risk, either by retiring affected devices or by enforcing strict access controls. For businesses and individuals relying on these legacy devices, upgrading to secure, supported hardware is the most effective solution to maintain data integrity and safeguard against potential threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-11 15:06:512024-11-11 15:06:51No Fix for Critical Command Injection Vulnerability in Legacy D-Link NAS Devices
A critical path traversal vulnerability, CVE-2024-10470, has been identified in the WPLMS Learning Management System (LMS) theme for WordPress. This vulnerability enables unauthenticated attackers to read and delete arbitrary files on the server due to insufficient file path validation in the theme’s readfile and unlink functions.
The flaw affects all versions of WordPress up to and including 4.962 and carries a CVSS score of 9.8.
According to the bug description published on GitHub under the account moniker RandomRobbieBF, the flaw impacts WordPress sites running WPLMS even if the theme is not actively enabled. This likely puts thousands of LMS-driven websites at risk of unauthorized data access, site disruption, and potential full system compromise.
The CVE-2024-10740’s original finding is attributed to an independent researcher Friderika Baranyai, aka Foxyyy.
Vulnerability Details
CVE: CVE-2024-10470
Type: Path Traversal (CWE-22)
Affected Theme: WPLMS Learning Management System for WordPress
Affected Versions: <= 4.962
Severity: Critical (CVSS 9.8)
Impact: Confidentiality, Integrity, Availability
Found By: Friderika Baranyai, aka Foxyyy
Exploitation Details
This vulnerability allows attackers to delete critical files, such as wp-config.php, without needing authentication. Deleting this file, which contains essential WordPress configuration settings, could enable attackers to gain remote control over the affected server, leading to potential code execution and full site compromise.
While there is no publicly available proof-of-concept (PoC) or evidence of active exploitation, the nature of this vulnerability means that attackers could send crafted requests to delete or read files arbitrarily.
For example, the download_export_zip parameter within certain WPLMS theme scripts can be exploited to read or delete sensitive server files, leading to significant security risks for affected WordPress installations.
A sample crafted request, as described on GitHub, which could exploit this vulnerability is as follows:
POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1
Host: [Target-IP]
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
download_export_zip=1&zip_file=.htaccess
This request manipulates the zip_file parameter to target and potentially delete files like .htaccess, which could lead to server misconfiguration or unauthorized file access.
Mitigation and Recommendations
Website administrators are advised to take the following actions to address this bug:
Deactivate and Remove the WPLMS Theme: If possible, temporarily deactivate the WPLMS theme until a patch is available. Remove it if it’s not essential to your website’s functionality.
Apply Strong Access Controls: Restrict access to critical files, such as wp-config.php, and ensure that file permissions are strictly enforced to prevent unauthorized deletion or modification.
Implement File Integrity Monitoring: Regularly monitor the integrity of critical WordPress files. Immediate alerts on file deletion or modifications can provide timely warnings of potential exploitation.
Back Up WordPress Installations Regularly: Maintain regular backups of your website’s files and database to ensure rapid recovery in the event of an attack.
Web Application Firewall (WAF): Use a WAF to filter potentially malicious requests. This can help prevent attackers from exploiting path traversal vulnerabilities.
Monitor for Updates: Regularly check for updates from the WPLMS theme developer and apply any available patches as soon as they are released. The vulnerability is resolved in version 4.963, so updating to this version will eliminate the risk.
Isolate WordPress Installations: For sites heavily dependent on the WPLMS theme, consider isolating the installation in a separate, highly controlled environment to reduce the risk of lateral movement if exploited.
Conclusion
The CVE-2024-10470 vulnerability in the WPLMS theme for WordPress represents a severe security threat to affected websites. By allowing unauthenticated file deletion, this flaw poses risks of unauthorized access, remote code execution, and potential full compromise of WordPress installations.
Administrators are urged to take immediate steps to secure their systems, including deactivating the theme if feasible, implementing access controls, and applying security patches as soon as they are available.
Following these recommendations, organizations can mitigate potential exploitation and protect their WordPress environments from unauthorized access and service disruption.
Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-10 09:07:152024-11-10 09:07:15Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday alerted federal agencies regarding active exploitation of a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool widely used by administrators for firewall migration and configuration management.
This flaw, designated CVE-2024-5910, has been actively exploited by attackers since its patch release in July, underscoring the urgency for immediate remediation.
Expedition is a popular migration tool designed to assist administrators in transitioning firewall configurations from vendors such as Check Point and Cisco to Palo Alto’s PAN-OS. However, due to a missing authentication mechanism, this tool now presents a significant risk for compromised credentials and potentially severe network intrusions.
What is CVE-2024-5910 Vulnerability
The CVE-2024-5910 vulnerability in Palo Alto Networks’ Expedition tool is a missing authentication flaw, which allows an attacker with network access to exploit the vulnerability and take over an admin account.
Once exploited, attackers can potentially gain access to sensitive configuration secrets, credentials, and other data stored within the tool. This flaw carries a critical CVSSv4.0 base score of 9.3.
According to Palo Alto Networks, only Expedition versions below 1.2.92 are vulnerable, while all versions from 1.2.92 and onward are protected against this flaw. As CISA emphasized, the lack of authentication on such a critical function poses severe security risks, especially for government and enterprise environments relying on Expedition for firewall migration and tuning.
Technical Details and Vulnerability Summary
Vulnerability: CVE-2024-5910 (Missing Authentication for Critical Function)
Weakness Type: CWE-306, Missing Authentication for Critical Function
Impact: Admin account takeover, access to sensitive configuration data, potential firewall control
Likely Reason for Exploitation of CVE-2024-5910
Although Palo Alto Networks initially released a patch in July to fix CVE-2024-5910, the exploitation attempts likely escalated when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October.
This PoC showed how CVE-2024-5910 admin reset vulnerability could be chained with another command injection vulnerability – CVE-2024-9464. This combination allows for unauthenticated, arbitrary command execution on vulnerable Expedition servers, enabling attackers to execute commands remotely.
This chained vulnerability scenario magnifies the risk, as attackers can exploit the admin reset vulnerability to ultimately compromise PAN-OS firewall admin accounts, providing full control over firewall configurations and potentially allowing access to sensitive network areas.
CISA’s Known Exploited Vulnerabilities Catalog Update
Adding to the urgency, CISA has included CVE-2024-5910 in its Known Exploited Vulnerabilities (KEV) Catalog. This addition mandates all U.S. federal agencies to secure vulnerable Expedition servers against potential attacks by November 28. This move underscores the federal directive for securing essential digital infrastructure against known vulnerabilities, especially those that facilitate admin credential resets and remote command execution.
Recommendations and Mitigations
To secure systems against this exploit, it is strongly recommended that administrators:
Upgrade Expedition to Version 1.2.92 or Later: This release addresses CVE-2024-5910 and subsequent vulnerabilities, providing a robust safeguard against admin account takeover and unauthorized access.
Rotate All Credentials Post-Upgrade: After updating to the latest version, administrators should rotate all Expedition usernames, passwords, and API keys. Additionally, all firewall usernames, passwords, and API keys processed through Expedition should be reset to prevent any potential misuse of compromised credentials.
Restrict Network Access: As a mitigating measure, organizations unable to immediately apply the patch should restrict network access to Expedition servers to authorized users and hosts only. Network segmentation and access control lists (ACLs) should be employed to limit exposure.
Conclusion
The exploitation of CVE-2024-5910 exemplifies the persistent challenge organizations face in securing digital tools that facilitate network management and firewall configuration. Regular patching, vigilant credential management, and access control are fundamental to safeguarding critical infrastructure against similar vulnerabilities.
With CISA actively monitoring this threat and urging patching compliance, addressing this vulnerability is essential not only for regulatory compliance but for maintaining network security integrity.
By upgrading to the latest version of Expedition and implementing the outlined mitigations, organizations can strengthen their defenses against these specific exploits and prevent unauthorized access to network configurations.
Battle City, colloquially known as “that tank game”, is a symbol of a bygone era. Some 30 years ago, gamers would pop a cartridge into their console, settle in front of a bulky TV, and obliterate waves of enemy tanks until the screen gave out.
Today, the world’s a different place, but tank games remain popular. Modern iterations offer gamers not just the thrill of gameplay but also the chance to earn NFTs. Cybercriminals too have something to offer: a sophisticated attack targeting crypto-gaming enthusiasts.
Backdoor and zero-day exploit in Google Chrome
This story begins in February 2024, when our security solution detected the Manuscrypt backdoor on a user’s computer in Russia. We’re very familiar with this backdoor; various versions of it have been used by the Lazarus APT group since at least 2013. So, given we already know the main tool and methods used by the attackers — what’s so special about this particular incident?
The thing is that these hackers typically target large organizations like banks, IT companies, universities, and even government agencies. But this time, Lazarus hit an individual user, planting a backdoor on a personal computer! The cybercriminals lured the victim to a game site and thereby gained complete access to their system. Three things made this possible:
The victim’s irresistible desire to play their favorite tank game in a new format
A zero-day vulnerability in Google Chrome
An exploit that allowed remote code execution in the Google Chrome process
Before you start to worry, relax: Google has since released a browser update, blocked the tank game’s website, and thanked the Kaspersky security researchers. But just in case, our products detect both the Manuscrypt backdoor and the exploit. We’ve delved into the details of this story on the Securelist blog.
Fake accounts
At the start of the investigation, we thought the group had gone to extraordinary lengths this time: “Did they actually create an entire game just for a scam?” But we soon worked out what they’d really done. The cybercriminals based their game — DeTankZone — on the existing game DeFiTankLand. They really went all out, stealing the source code of DeFiTankLand and creating fake social media accounts for their counterfeit.
Around the same time, in March 2024, the price of the DefitankLand (sic) cryptocurrency plummeted — the developers of the original game announced that their cold wallet had been hacked, and “someone” had stolen $20,000. The identity of this “someone” remains a mystery. The developers believe it was an insider, but we suspect that the ever-present tentacles of Lazarus are involved.
Differences between the fake and the original are minimal
The cybercriminals orchestrated a full-blown promotion campaign for their game: they boosted follower counts on X (formerly Twitter), sent collaboration offers to hundreds of cryptocurrency influencers (also potential victims), created premium LinkedIn accounts, and organized waves of phishing emails. As a result, the fake game got even more traction than the original (6000 followers on X, versus 5000 for the original game’s account).
Social media content created by AI with the help of graphic designers
How we played tanks
Now for the most fun part…
The malicious site that Lazarus lured their victims to offered a chance, not only to “try out” a zero-day browser exploit, but also to play a beta version of the game. Now, here at Kaspersky, we respect the classics, so we couldn’t resist having a go on this promising new version. We downloaded an archive that seemed completely legitimate: 400MB in size, correct file structure, logos, UI elements, and 3D model textures. Boot her up!
The DeTankZone start menu greeted us with a prompt to enter an email address and password. We first tried logging in using common passwords like “12345” and “password” but that doesn’t work. “Fine, then”, we think. “We’ll just register a new account”. Again, no luck — the system wouldn’t let us play.
The start menu inspires confidence with a seemingly legitimate login form
So why were there 3D model textures and other files in the game archive? Could they really have been other components of the malware? Actually, it wasn’t that bad. We reverse-engineered the code and discovered elements responsible for the connection to the game server — which, for this fake version, was non-functional. So, in theory, the game was still playable. A bit of time spent, a little programming, and voilà — we replace the hackers’ server with our own, and the red tank “Boris” enters the arena.
The game reminded us of shareware games from 20 years ago — which made all the effort worthwhile
Lessons from this attack
The key takeaway here is that even seemingly harmless web links can end up with your entire computer being hijacked. Cybercriminals are constantly refining their tactics and methods. Lazarus is already using generative AI with some success, meaning we can expect even more sophisticated attacks involving it in the future.
Security solutions are also evolving with effective integration of AI — learn more here and here. All ordinary internet users have to do is make sure their devices are protected, and stay informed about the latest scams. Fortunately, the Kaspersky Daily blog makes this easy — subscribe to stay updated…
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-08 15:06:382024-11-08 15:06:38Kaspersky uncovers a crypto game created by Lazarus APT | Kaspersky official blog
Cyble Research & Intelligence Labs (CRIL) has investigated significant ICS vulnerabilities this week, providing essential insights derived from advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA). This week’s report highlights multiple vulnerabilities across critical ICS products, with specific focus on those from Rockwell Automation, Delta Electronics, and Solar-Log.
CISA released three security advisories addressing four ICS vulnerabilities across these products, underscoring the urgent need for mitigation.
Among the most notable is a Cross-Site Scripting (XSS) flaw in Solar-Log Base 15, a widely used photovoltaic energy management product, which poses heightened risks due to internet-facing deployments identified by Cyble’s ODIN scanner.
ICS Vulnerabilities Overview
CRIL has pinpointed the following critical ICS vulnerabilities requiring immediate action:
CVE-2023-46344 – Solar-Log Base 15
Type: Cross-Site Scripting (XSS)
Severity: Medium
Description: This vulnerability allows unauthorized access through internet-facing instances, enabling attackers to potentially compromise device security and functionality. Cyble’s ODIN scanner identified a significant number of Solar-Log Base 15 devices deployed in Germany, emphasizing the need for prompt patching.
Description: The Delta InfraSuite Device Master vulnerability allows critical systems to process untrusted data, which could lead to unauthorized access or system manipulation. This vulnerability impacts essential operational systems, necessitating immediate patching.
Type: Missing Authentication for Critical Function
Severity: Critical
Description: Rockwell Automation’s ThinManager vulnerability allows unauthorized users to access sensitive systems without proper authentication, potentially exposing operational systems to attacks. This flaw requires urgent attention due to its impact on operational continuity.
The severity overview indicates that these vulnerabilities span medium to critical levels, affecting critical infrastructure and necessitating prioritized mitigation.
Figure 1. Sectors impacted due to these vulnerabilities. (Source: CRIL)
Recommendations and Mitigations
To address these vulnerabilities effectively, organizations should consider the following best practices:
Stay Updated: Regularly monitor security advisories from vendors and regulatory bodies to stay informed of critical patches and vulnerabilities.
Risk-Based Vulnerability Management: Implement a risk-focused approach to manage and patch vulnerabilities based on their potential impact, especially for internet-facing ICS components.
Network Segmentation: Isolate critical assets using effective network segmentation to prevent lateral movement and reconnaissance attempts by potential attackers.
Continuous Vulnerability Assessments: Conduct regular vulnerability assessments, audits, and penetration testing to proactively identify and fix security loopholes.
Utilize Software Bill of Materials (SBOM): Maintain visibility into software components, libraries, and dependencies to detect vulnerabilities promptly.
Incident Response Preparedness: Develop and routinely test a robust incident response plan, ensuring it is aligned with the latest threat landscape.
Cybersecurity Training: Conduct ongoing training programs for employees, particularly those with access to OT systems, covering threat recognition, authentication protocols, and security best practices.
Conclusion
The vulnerabilities highlighted in this ICS intelligence report call for swift action from organizations to mitigate potential security risks. With threats evolving rapidly and exploit attempts on the rise, maintaining a proactive stance is essential. By prioritizing the recommendations and implementing necessary patches, organizations can safeguard critical infrastructure, enhance operational resilience, and minimize the risk of exploitation.
A recently discovered high-severity vulnerability, tracked as CVE-2024-10443 and dubbed “RISK:STATION,” poses a significant threat to Synology NAS users worldwide.
The vulnerability, affecting Synology DiskStation and BeeStation models, allows remote code execution without user interaction, heightening the potential for malicious exploitation.
CERT-In has released an advisory urging Synology users to apply critical security patches immediately to secure their devices and prevent unauthorized access.
Affected Systems and Risk Assessment
The flaw specifically impacts Synology Photos and BeePhotos components, which come pre-installed on many Synology NAS products. Vulnerable versions include:
BeePhotos for BeeStation OS 1.1 – versions below 1.1.0-10053
BeePhotos for BeeStation OS 1.0 – versions below 1.0.2-10026
Synology Photos 1.7 for DSM 7.2 – versions below 1.7.0-0795
Synology Photos 1.6 for DSM 7.2 – versions below 1.6.2-0720
Given that NAS devices are highly valuable targets in ransomware attacks, the risks associated with this vulnerability are extensive, including data theft, malware installation, and unauthorized system access.
System owners using affected versions are encouraged to upgrade to secure versions immediately.
Impact and Exploitation Risks
The “RISK:STATION” vulnerability represents an “unauthenticated zero-click” attack vector. Attackers exploiting this flaw can gain root-level control without any user interaction.
Synology’s QuickConnect feature, a remote-access service, further increases device exposure, as it allows attackers to reach NAS devices even behind firewalls. According to the researchers who were credited with finding this zero-click bug, this flaw carries a high potential for misuse and could impact an estimated one to two million devices globally.
Device Exposure and Enumeration Concerns
The vulnerability’s severity is amplified by Synology’s QuickConnect feature’s extensive reach. This service provides devices with a unique subdomain that enables remote access, even bypassing firewalls and NAT configurations.
Due to the ease of obtaining these subdomains through Certificate Transparency logs, adversaries can readily enumerate exposed Synology devices. QuickConnect domains often contain identifiable names or locations, raising privacy concerns and potentially making it easier for attackers to prioritize targets.
Mitigations and Recommended Actions
Synology has issued patches that effectively neutralize this vulnerability, covering both the SynologyPhotos and BeePhotos applications. Users should ensure they apply the following updates:
For Synology DiskStation (DSM 7.2):
Synology Photos 1.7 – Update to version 1.7.0-0795
Synology Photos 1.6 – Update to version 1.6.2-0720
For Synology BeeStation:
BeePhotos 1.1 – Update to version 1.1.0-10053
BeePhotos 1.0 – Update to version 1.0.2-10026
Alternatively, users can mitigate exposure by disabling QuickConnect, blocking ports 5000 and 5001, and disabling the SynologyPhotos or BeePhotos components if not actively in use.
Although these actions prevent internet-based exploitation, they do not secure devices within local networks, so a firmware update remains the most effective solution.
Conclusion
The CVE-2024-10443 vulnerability in Synology NAS devices showcases the need for proactive patching, particularly for high-value, internet-exposed assets. Synology users are urged to follow the recommended upgrade steps or apply alternative mitigation measures to secure their devices from exploitation. By addressing these vulnerabilities promptly, organizations can reduce the likelihood of unauthorized access, ransomware attacks, and data breaches on their network-attached storage devices.
Cisco has disclosed a severe vulnerability, tracked as CVE-2024-20418, in its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points. The flaw, rated with a maximum CVSS score of 10.0, affects multiple Cisco Catalyst Access Point models.
Attackers exploiting this vulnerability can gain root-level control, enabling unauthorized command execution on vulnerable devices.
Vulnerability Details
This critical CVE-2024-20418 vulnerability stems from improper input validation within Cisco’s web-based management interface, which controls URWB Access Points. A remote attacker without authentication can exploit this flaw by sending specially crafted HTTP requests to vulnerable devices, thereby injecting commands with root privileges on the device’s operating system.
Cisco has responded by releasing updates to mitigate the risk, advising immediate software upgrades as there are no workarounds. Importantly, only devices operating in URWB mode are impacted.
According to the Office of Information Technology of the New York State, while government institutions and business are at high risk of the bug, home users could be the least affected.
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
What is Cisco’s Ultra-Reliable Wireless Backhaul (URWB)?
Cisco’s URWB technology provides the robust, low-latency wireless connectivity essential for critical, high-stakes applications across industrial and mobile environments. Designed to replace costly and complex wired infrastructure, URWB enables seamless, multigigabit performance with minimal packet loss, making it invaluable for sectors relying on autonomous systems.
Industries including ports, railways, and manufacturing leverage URWB for real-time applications, such as video monitoring and remote machinery control, benefiting from reduced deployment costs and greater flexibility. The technology supports dual-mode capability, allowing devices to toggle between URWB and Wi-Fi 6/6E based on project needs, thereby optimizing infrastructure investments.
Affected Devices
The following Cisco Catalyst Access Points running a vulnerable version of Cisco’s Unified Industrial Wireless Software are affected if URWB mode is enabled:
Catalyst IW9165D Heavy Duty Access Points
Catalyst IW9165E Rugged Access Points and Wireless Clients
Catalyst IW9167E Heavy Duty Access Points
To determine if URWB mode is enabled, Cisco advises using the show mpls-config command. If available, URWB mode is active, and the device is vulnerable.
Cisco has confirmed that other products, including the 6300 Series Embedded Services Access Points, Aironet models, and Catalyst 9100 Series Access Points, are unaffected.
Mitigation Steps
Cisco has issued free software updates addressing this vulnerability. However, users must ensure they are compliant with licensing and have sufficient memory and compatible configurations for successful upgrades.
Customers without service contracts should reach out directly to the Cisco Technical Assistance Center (TAC) for help obtaining the necessary updates. More details can be found on Cisco’s Security Advisory page.
Fixed Software Releases
For the Cisco Unified Industrial Wireless Software versions affected, the company has released the following fixed versions:
17.15 – First fixed in version 17.15.1
17.14 and earlier – Cisco advises migrating to the nearest fixed release.
Security practitioners managing industrial or critical infrastructure networks are strongly urged to update vulnerable devices promptly. Failure to patch could expose systems to high-risk attacks due to the root-level access that this vulnerability permits.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-07 12:06:402024-11-07 12:06:40Critical Bug in Cisco’s URWB Exposes Systems to Root Privilege Command Injection
Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.
Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary.
We also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY.
The attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s data to an attacker-controlled Azure storage blob.
The timeline of the attacker’s activity, from the initial compromise stage until the deployment of ransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17 days.
Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators’ tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries.
Who is Interlock?
Interlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting and double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the time of reporting includes healthcare, technology, government in the U.S. and manufacturing in Europe, according to the data leak site disclosure, indicating their targeting is opportunistic.
Like other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims’ communications, and the email address, “interlock@2mail[.]co”.
In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies’ accountable for poor cybersecurity, in addition to monetary gain.
Recent attack methodologies
Throughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware.
Initial access
The attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website. When clicked, the fake browser updater executable “upd_2327991.exe” was downloaded onto the victim machine from a second compromised URL of a legitimate retailer.
Execution
Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name “fahhs.lnk” configured to run the RAT every time the victim logs in, establishing persistence.
Sample PowerShell command that downloads the RAT.
The RAT executes the command “cmd.exe /c systeminfo” and collects information from victim machine, listed below:
Host Name
Time Zone
OS Name
Total Physical Memory
OS Version
Available Physical Memory
OS Manufacturer
Virtual Memory
OS Configuration
Max Size
OS Build Type
Virtual Memory: Available
Registered Owner
Virtual Memory: In Use
Registered Organization
Page File Location(s)
Product ID
Domain
Original Install Date
Logon Server
System Boot Time
Hotfix(s)
System Manufacturer
Network Card(s)
System Model
Connection Name
System Type
Status
Processor(s)
DHCP Enabled
BIOS Version
DHCP Server
Windows Directory
IP address(es)
System Directory
Hyper-V Requirements
Boot Device
System Locale
Then, the RAT encrypts the collected information in the memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online[.]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits to receive the response.
The RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which downloads the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypts them with the passwords “jgSkhg934@kjv#1vkfg2S” and runs them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.
A sample PowerShell command that downloads and runs the Keylogger.
Defense Evasion
Talos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver Sysmon.sys (TfSysMon.sys) to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete contents of the Event logs on some of the compromised systems.
Credential Access
The credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of victims’ online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.
The keylogger DLL running on the victim machine is a tiny executable, which hooks to the victim machine keyboard and logs keystrokes in a file called “conhost.txt”, the same folder where the Keylogger was downloaded.
Discovery
The attacker ran PowerShell commands that are known indicators of pre-kerberoasting reconnaissance, a method used to obtain domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges.
Talos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems. Further analysis showed that the attacker has also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines.
Sample RDP command executions observed during our analysis and with the redacted IP address details are shown below.
mstsc /v 10.*.*.*
.conhost.exe -d 10.*.*.*e$
Collection and Exfiltration
The attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to a remote Azure storage, in the victim’s machine. We believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob according to network artifacts analysis. We were not able to confirm how the storage-explorer and AzCopy were delivered to the victim machine.
Impact
The attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: “3” or “4”) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension “.Interlock” and drops the ransom note “!__README__!.txt” file in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login, was pushed using Group Policy Objects (GPOs), a Windows utility that allows users to manage Windows operating systems and applications.
In the ransom note, the attacker warns against attempting to recover the encrypted files and rebooting the affected machines. They also demand a response within 96 hours or else they threaten to release the victim’s data on their leak site and notify the media outlets, which could lead to financial and reputational damage.
The ransom note includes the URL for an onion site where the affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys using a unique company ID of sixty alphanumeric characters generated for each victim.
Interlock ransomware analysis
Talos observed that Interlock ransomware has both Windows Portable Executable (EXE) and the Linux executable (ELF) variants, indicating that the attacker is targeting both Windows and Linux machines.
The Interlock ransomware encryption binary is a 64-bit executable, compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format with the custom unpacker code located in its Thread Local Storage and several obfuscated stack strings in the binary which are decrypted during the runtime of the ransomware.
When the ransomware runs on the victim machine it initializes the binary by loading custom structures, strings, and Application programming interface (API) functions. After the initialization, it enumerates the logical disk drives that are available on the victim machine. Initially, the ransomware checks for the drive letters “A” through “Z” and excludes the “C drive”. It picks the available logical drives and enumerates all the folders and files in them, encrypting the targeted files on the victim machine and appending the file extension “.interlock” on encrypted files. Once the logical drives are enumerated, the ransomware then enumerates and encrypts the files in the folders of the “C drive”.
During this enumeration process, the ransomware excludes specific folders and file extensions on the victim machine from being encrypted. The operator hardcoded the folder and files extension exclusion list, shown below, in the Interlock binary.
Folder exclusion list of Windows Interlock variant:
$Recycle.Bin
Windows
Boot
$RECYCLE.BIN
Documents and Settings
AppData
PerfLogs
WindowsApps
ProgramData
Windows Defender
Recovery
WindowsPowerShell
System Volume Information
Windows Defender Advanced Threat Protection
File extension exclusion list of Windows Interlock variant:
.bat
.bin
.cab
.cmd
.com
.cur
.diagcab
.diagcfg
.diagpkg
.drv
.hlp
.hta
.ico
.msi
.ocx
.psm1
.src
.sys
.ini
.url
.dll
.exe
.ps1
Thumbs.db
The Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files excluding those that are in the file extension exclusion list hardcoded in the binary.
File extension exclusion list of Linux Interlock variant:
boot
.cfg
.b00
.v00
.v01
.v02
.v03
.v04
.v05
.v06
.v07
.t00
Interlock ransomware uses LibTomCrypt library, an open-source comprehensive, modular and portable cryptographic library for encryption. The Windows Interlock ransomware variant uses the Cipher Block Chaining (CBC) encryption technique to encrypt the files on the victim machine whereas the Linux Interlock variant uses either CBC or RSA encryption technique.
Encryption routine in Windows variant
Encryption routine in ELF variant
After encrypting each of the targeted files in the victim machine Interlock drops the ransom note “!__README__!.txt” file in each of the enumerated folders.
Windows variant ransom note function
ELF variant ransom note function
We observed that the Windows Interlock variant creates a windows task name “TaskSystem” that runs at 8:00 PM daily on the victim machine as a SYSTEM user executing the configured command to run the ransomware, indicating the ransomware establishing the persistence.
schtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd “$Path of the Interlock binary” && “$command” /st 20:00 /ru system > nul
The ransomware has the capability to delete itself upon encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine. To delete the encryption binary in the Windows variant, Interlock ransomware has a tiny DLL binary embedded in the data section that is dropped into the user profile applications temporary folder with the file name “tmp41.wasd”.
Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which then executes the remove() function to delete the encryption binary.
The Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.
Interlock TTPs overlap with Rhysida Ransomware
Talos assesses with low confidence that Interlock ransomware is a new diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the ransomware encryptor binaries’ behaviors.
We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory.
Additionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory report on Rhysida Ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique.
Finally, Interlock and Rhysida deliver ransom notes with a similar theme, where they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such a Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.
Rhysida ransom note.
Interlock ransom note.
Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042.
ClamAV detections are also available for this threat:
Win.Ransomware.Interlock-10036524-0
Unix.Ransomware.Interlock-10036662-0
Win.Trojan.Kryptik-10036729-0
Win.Downloader.Kryptik-10036730-0
Indicators of Compromise
IOCs for this threat can be found in our GitHub repository here.
Editor’s note: The current article is authored by the guest author RacWatchin8872, who is a threat intelligence analyst. You can find him on X.
This article covers two distinct methods used to infect systems with AsyncRAT via open directories. These techniques show how attackers are constantly adapting, finding new ways to use publicly accessible files to broaden AsyncRAT’s impact and reach.
Overview
AsyncRAT is a type of Remote Access Trojan (RAT) malware designed to stealthily infiltrate systems and give attackers remote control over infected devices. It is commonly used for spying, data theft, and manipulation of compromised systems.
Recently, two open directories surfaced, each employing unique methods to distribute and infect victims with AsyncRAT. These techniques highlight the persistent threat posed by this malware and its diverse infection strategies.
First Technique
Open Directory
While investigating malicious open directories exposed to the internet, I discovered one with an unusual structure.
The directory contained the following files:
A text file with an extensive string that turned out to be a VBS script
A JPG file that was actually a disguised ZIP archive
Figure 1: Open directory structure
Analysis of the Txt file
The text file’s extensive string conceals an obfuscated VBS script. It uses random variables to store parts of the text that will be used to download the JPG file.
Figure 2: Obfuscated VBS code
To make it easier to read we just need to make a few changes:
Replace the variables with the actual text
Use intuitive names for variables that are used to write or download files
Figure 3: Deobfuscated VBS code
Now we see that the VBS script creates an XML file OMjRRRRRRRRRRRRRRRRRRRRvbK.xml located at C:UsersPublic. The content of the XML file contains a PowerShell script that downloads the disguised JPG file, saves it, and extracts it to the same directory.
Once extracted, the process continues by executing another script, TesKKKeLAvaYdAfbBS.vbs. Then, it cleans up by deleting both the XML and ZIP files.
Analysis of the VBS file
The VBS script is also obfuscated and uses the same technique as the other text file. By examining the file, we can understand a few parts of its execution:
Figure 4: TesKKKeLAvaYdAfbBS.vbs obfuscated
To make it simple to read, we just need to make a few changes:
Replace the variables with the actual text
Use intuitive names for variables that are in use
Delete all the If statements that execute the same code regardless of the result
By making these changes, we can transform a 34-line VBS script into a simpler 6-line version that is easier to read.
Figure 5: Clean TesKKKeLAvaYdAfbBS.vbs
The VBS script will then execute the KKKKKKllLavIOOOOOtesAA.bat, which is the next stage.
Analyze malware and see detailed script execution inside ANY.RUN’s Interactive Sandbox
The BAT script is also obfuscated, but it is possible to understand its purpose by reading the values stored inside the variables vertically.
Figure 6: KKKKKKllLavIOOOOOtesAA.bat file
Its role is to execute PowerShell without a prompt window. It initiates the next stage by running KiLOvBeRNdautESaatnENn.ps1
Analysis of the PowerShell (PS1) file
The PS1 file is a simple script that creates a scheduled task named ‘tMicNet Work40,’ which runs UhLQoyDAMaCUTPaE.vbs every 2 minutes.
Figure 7: Scheduled task created by PowerShell
Analysis of the Second VBS file
UhLQoyDAMaCUTPaE.vbs has the same structure as the previous VBS (TesKKKeLAvaYdAfbBS.vbs), so we can use the same technique to make the script easier to read and analyze.
Figure 8: UhLQoyDAMaCUTPaE.vbs obfuscated
Using the same technique we will get this result:
Figure 9: UhLQoyDAMaCUTPaE.vbs deobfuscated
Analysis of The Second BAT file
aaaNOOTKiiiLAViiiiOOs.bat has the same structure as the previous BAT (KKKKKKllLavIOOOOOtesAA.bat), so by reading it vertically, we can figure out what the file does.
Figure 10: aaaNOOTKiiiLAViiiiOOs.bat
The BAT file executes the last stage, which is a Powershell file.
Analysis of the Last Stage
The final stage is obfuscated by changing the variable names to make the code harder to interpret. Instead of giving a straightforward name to the variable, they break the word into pieces, mix them up, and then call each position to reconstruct the variable name.
To simplify the analysis, we can deconstruct the code in a similar way, isolating each piece to make the script clearer and easier to understand.
Figure 11: Analysis of the last stage
The first part of the code is a function that receives a string and converts it from hexadecimal to a 32-bit integer.
Figure 12: First part of the final stage
The second part of the code contains two variables with large strings. Both strings use a replace function to retrieve the correct value, which are then sent to the ‘PARSer’ for further processing.
Figure 13: Second part of the last stage
The last part of the final stage is simply loading the files into memory to execute them.
Figure 14: Last part of the last stage
With the help of CyberChef, we can apply the same technique as shown in the second part of the final stage to retrieve the values inside the two variables and see what they really are.
The first variable is a DLL:
Figure 15: AsyncRAT DLL
The second variable is an EXE:
Figure 16: AsyncRAT EXE
By running both in the ANY.RUN sandbox, it is possible to gather information about the C2, ports, certificates, mutex, and more.
Figure 17: Text report generated by ANY.RUN sandbox
Try all PRO features of ANY.RUN’s Interactive Sandbox for free
The structure of the second open directory mirrors the first, containing two files: a TXT file and a JPG file.
The TXT file, with a shorter name, is a VBS script, while the JPG file hides a PowerShell script in disguise.
Figure 18: Open directory
Analysis of the Txt file
In this case, the TXT file contains a VBS script that is easier to interpret due to its comments. It includes an array storing commands to download the disguised JPG file.
Figure 19: VBS script
To simplify the script further, we can delete the array and store all the array values in a single variable.
Figure 20: Cleaning VBS script
The VBS script then calls cmd to execute PowerShell, which downloads and runs the JPG file.
Analysis of the Powershell file
The PowerShell file performs 2 main functions:
File creation and content writing: Creates three files essential to the infection process
Scheduled task setup: Schedules a task to ensure repeated execution, thereby maintaining the AsyncRAT infection
File Creation
The Powershell creates 3 files.
First file
This obfuscated file stores and executes the values of EXE and DLL files related to AsyncRAT directly in memory.
Figure 21: First file created by the Powershell file
After cleaning the file, it removes ‘%&%’ from both variables, converts them from hexadecimal, and then loads and executes them into memory.
Figure 22: Loading file into memory
By carrying out the above-mentioned processes via CyberChef, we get the following results:
Figure 23: AsyncRAT Exe
Figure 24: AsyncRAT DLL
Second file
The second file triggers PowerShell to execute the previous file (roox.ps1).
Figure 25: Second file created by Powershell file
Third file
The third and final file runs the previous file roox.bat while keeping the execution hidden from the victim. This ensures that the infection process remains invisible and minimizes any visible indicators, making it harder for the victim to detect the ongoing activity.
Figure 26: Third file created by Powershell file
Scheduled Task
The scheduled task, named thepiratMicrosoftEdgeUpdateTask, executes roox.vbs every two minutes, ensuring that the infection persists.
Figure 27: Scheduled task named thepiratMicrosoftEdgeUpdateTask
Upon running the PowerShell script inside the ANY.RUN sandbox, we can see the files being created and executed. We can also gather more information about the command and control (C2) infrastructure.
Figure 28: Files created by the Powershell script
Figure 29: C2 Ip and DNS
Conclusion
Our investigation uncovered two IPs actively spreading AsyncRAT through different methods. The first method follows a multi-stage process, employing several files and scripts to complete the infection.
The second method uses only two stages, one of which involves generating files that are triggered by a scheduled task, as shown in the image below:
Figure 30: Difference between two methods
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-07 10:06:502024-11-07 10:06:50AsyncRAT’s Infection Tactics via Open Directories: Technical Analysis
