On October 23, we hosted a webinar “How to Improve Threat Investigations with TI Lookup”. The session was led by Dmitry Marinov, CTO at ANY.RUN, who showed the audience effective methods for collecting the latest threat intelligence.
Here is a quick rundown of the main topics and examples of investigations covered during the event.
What is Threat Intelligence Lookup
Threat Intelligence (TI) Lookup is a centralized service for threat data exploration, collection, and analysis. It contains fresh threat data extracted from public malware and phishing samples uploaded to ANY.RUN’s Interactive Sandbox over the past 180 days. Each search request you make returns results that provide expanded context related to the threat data in your query.
Key features of TI Lookup include:
Search results take just 5 seconds for events spanning the last six months. You can quickly get in-depth information about how events work, whether they are linked to a threat, and how they are related to that threat.
With over 40 search parameters, TI Lookup provides examples and context from other investigations to help with decision-making. Unlike other solutions where you can work only with IOCs, Lookup can search among events and YARA rules, which is extremely helpful.
TI Lookup has a large amount of data from the ANY.RUN sandbox, where cybersecurity analysts from around the world analyze threats. New samples are uploaded and analyzed daily, providing data that you cannot find in any other open sources.
How TI Lookup Sources Data
A core component of the suite is the Public submissions database. It is a vast repository that houses millions of unique malware and phishing samples submitted daily by a global community of over 500,000 security professionals from different spheres and industries using ANY.RUN.
Every time a user runs a public analysis in the sandbox, the systems capture the key data from that analysis. This data is then immediately sent to Threat Intelligence Lookup. As a result, Threat Intelligence Lookup becomes a centralized hub where you can search through threat data extracted from millions of malware and phishing analysis sessions launched in the ANY.RUN sandbox.
Collect threat intel on the latest malware and phishing campaigns with TI Lookup
The first part of the query, threatName:”lumma”, instructs the search engine to find sandbox sessions where Lumma was detected.
The second part of the query, domainName:””, tells the system to retrieve all domain names identified in those sandbox sessions. The empty field essentially acts as a wildcard, indicating that you are interested in all domain names associated with the threat.
The service returns numerous domains that match our request. At the top, you can see domains with the malconf tag, which tells you that these domains were extracted directly from the configs of Lumma samples, the most reliable source of indicators of compromise. We can easily copy each indicator or download all of them in JSON format.
As you can see, apart from domains, the service also provides a large number of other types of indicators, including events, files, URLs, and others. That’s one of TI Lookup’s unique advantages – the diversity of data it provides.
Use Cases of TI Lookup
To demonstrate how TI Lookup can be used in real-world investigations, Dmitry outlined several use cases where the service can be particularly useful.
Checking a Suspicious IP Address
One of the most straightforward use cases is identifying threats using a suspicious IP address. For example, if you receive an alert about a connection to a suspicious IP address (e.g., 162.254.34.31) coming from one of the machines on your network, TI Lookup can quickly check if this IP address has been used in other malware attacks.
The service marks the queried IP address as malicious and offers extra context
TI Lookup provides a list of sandbox sessions where the IP address was detected
It also provides related indicators, including processes, files, and most importantly, sandbox sessions where you can see the analysis of actual attacks and collect more data.
Identifying a Malware Family Using a Mutex
Another way to use TI Lookup is to identify a threat by using unique indicators such as mutexes. For instance, you can use mutexes to identify the Remcos malware.
Synchronization events found in TI Lookup’s database with corresponding sandbox sessions
By entering the query syncObjectName:”RMC-“, the service shows specific mutexes and provides a list of sandbox sessions to explore the threat further.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
Uncovering a Threat Using a File Path
You can also find threats using a file path.
The service provides a list of files that match the query and events with the tag “darkvision”
The service also returns Suricata IDS rules triggered in relation to the requested files’ activity
This allows you to see the context and related sandbox sessions for further investigation.
Connecting Unrelated Data Points
One of the most powerful features of TI Lookup is its ability to connect pieces of data that may seem unrelated. Consider a scenario where you have a command line artifact and a network artifact.
The command line artifact might be commandLine:”timeout /t 5 & del”, which indicates a command that delays execution for 5 seconds and then deletes a file. The network artifact might be destinationIP:”185.215.113.37″, which represents an IP address that the system is communicating with.
TI Lookup generates relevant results, offering instant threat context
The service provides plenty of context and shows that the malware in question is StealC. Some of the additional indicators provided include malicious IPs and URLs, which were used in StealC attacks.
You can always go back to the source by navigating to a sandbox session of your interest to observe the threat’s behavior, and even rerun the analysis using your own VM settings.
Collecting Fresh Samples with YARA Rules
Another handy feature of TI Lookup is YARA Search. Thanks to the built-in editor, you can create, edit, store, and use YARA rules to find samples that match them.
The YARA rule search TI Lookup’s database for matching samples
For example, using a YARA rule for AgentTesla, which is available by default in TI Lookup, the search returns numerous files that can be filtered by date. You can explore each result in detail by clicking on them and navigating to the sandbox session where it was detected.
You can also download a JSON file containing file hashes along with links to corresponding sandbox sessions.
Conclusion
The webinar gave a detailed look at TI Lookup, showing how it can help improve threat investigations. The tool’s ability to provide fast results, offer a wide range of search options, and give access to real samples and the latest data makes it very useful for cybersecurity professionals.
Stay tuned for more webinars from ANY.RUN by following us on social media like X, Facebook, and Discord. Subscribe to ANY.RUN’s YouTube channel for the upcoming release of a video recording of the webinar.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-12 11:07:132024-11-12 11:07:13How to Improve Threat Investigations with TI Lookup: Webinar Recap
Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated campaign employing PowerShell in a multi-stage infection process.
The attack initiates with a suspicious LNK file, which activates a PowerShell script designed to download and execute malicious payloads. This layered strategy enhances stealth, evades detection, and ensures prolonged persistence within the target system.
In the first stage, the LNK file runs an initial remote obfuscated PowerShell script that establishes persistence by deploying and executing a secondary PowerShell script and batch files.
The second-stage PowerShell script continues communication with the command-and-control (C&C) server and executes a third-stage PowerShell script.
The third and final stage PowerShell script sends requests for command chains and includes routines to execute received commands as directed by the C&C server.
An analysis of the Network infrastructure reveals the presence of a Chisel DLL, suggesting the Threat Actor (TA) may leverage the Chisel client for further C&C communications and to enable lateral movement operations within the compromised network.
The TA also likely utilizes the Netskope proxy for command and control (C&C) communication with the Chisel server.
Executive Summary
CRIL has recently identified a campaign engaging in a multi-stage infection chain. This chain employs several techniques, starting with the execution of PowerShell scripts. The campaign begins with a malicious LNK file that triggers the execution of a first-stage remote PowerShell script. This script aims to establish persistence on the victim’s system by dropping and running a second-stage PowerShell script. The second-stage script maintains communication with the C&C server, allowing it to download and execute an additional third-stage PowerShell script.
The third-stage script continuously interacts with the C&C server to receive command chains. It executes these commands based on the instructions provided, enabling a variety of malicious activities, such as data exfiltration or lateral movement. The presence of a Chisel DLL on the remote server suggests that the TA may utilize Chisel for advanced operations, including setting up a SOCKS proxy and facilitating lateral movement within the infected network, further strengthening their foothold and enabling stealthy communications.
Technical details:
The infection chain begins when the user inadvertently executes a malicious LNK (shortcut) file. However, the initial infection vector of the LNK file remains unidentified. This LNK file is crafted to run a PowerShell command, which downloads another Base64 encoded PowerShell command from the remote server and then executes it.
The Powershell command uses techniques to bypass Windows security mechanisms, such as setting the PowerShell execution policy to “Bypass,” which allows the script to run without restrictions typically enforced by the system’s security settings. Additionally, the PowerShell window is executed in hidden mode, ensuring that the user does not see any visual indicators of the malicious activity. Following is the PowerShell command:
The figure below shows the property of the shortcut file.
Figure 1 – Malicious Shortcut File
The figure below displays the Base64-encoded PowerShell script, highlighting the sophisticated methods used to conceal its true functionality.
Figure 2 – Base64 Encoded PowerShell Script
This de-obfuscated PowerShell script is a sophisticated piece of code engineered to establish persistence and download a PowerShell script from the C&C server. It employs various obfuscation techniques to evade detection and execute its malicious activities stealthily. The figure below shows the de-obfuscated PowerShell script.
In the First Stage, the PowerShell Script performs the following tasks
Initially, the PowerShell script creates a Hidden directory at “C:UsersMalWorkstationAppDataRoamingMicrosoftLogs” and sets the variable “$HASH” with a seemingly random string, “bdhbzaibdiBKJBJIBDI67869686806656..”. While the exact purpose of this variable is unclear, it could be a placeholder for future use.
To ensure secure communications, the PowerShell script configures the security protocol to TLS 1.2
It then retrieves the system’s hostname with the “hostname” command and proceeds to obfuscate this information, converting it to a Base64-encoded string
This command attempts to retrieve the proxy settings for the specified URL, “hxxp://google.es/,” and constructs the authorization header, appending Base64-encoded hostname.
If a proxy is configured on the victim’s machine, it uses the proxy to send a request to “hxxps://c2.innov-eula.com/” with the constructed Authorization header. If no proxy is configured, it sends the same request directly without using a proxy.
The response from the request is stored in the $R variable, which contains a PowerShell script. This script is then saved in the “Logs” folder with the filename “Log_29109314.ps1.” and then executed subsequently.
The PowerShell script creates two batch files, “Log_29109317.bat” and “Log_29109318.bat,” in the Logs folder. The “Log_29109317.bat” file runs the “Log_29109314.ps1” script, while the “Log_29109318.bat” file moves “Log_29109317.bat” to the startup folder for persistence.
The figure below shows the content of the Logs Folder.
Figure 4 – Contents of the Folder
Second Stage PowerShell Script
The second-stage PowerShell script operates similarly to the first one, establishing a connection to the C&C server using the proxies. Once connected, it retrieves the next stage of the attack, which is a PowerShell script encoded in Base64. The script then decodes and executes this Base64-encoded PowerShell script, continuing the attack chain. The figure below shows the contents of the second-stage PowerShell script.
Figure 5 – De-obfuscated Second Stage PowerShell Script
Third Stage PowerShell Script
In the Third Stage, the PowerShell Script performs the following tasks
The PowerShell script initializes critical variables like “$CHAIN” and “$JITTER” to control its operation. The “$CHAIN” variable tracks the current status of the communication with the Command and Control (C&C) server, while “$JITTER” introduces random delays at various stages to avoid detection by security systems.
The script then retrieves and encodes the infected machine’s hostname in Base64 and uses it to construct a web request for the system’s proxy settings via “hxxp://google.es/”.
If “$CHAIN” is “0”, it prepares an Authorization header with the hostname and retrieves data from “hxxps://c2.innov-eula.com/”, using proxy settings if needed. The response is stored in “$CHAIN” to establish communication with the remote server.
Next, the PowerShell script checks if “$CHAIN” contains invalid characters. If it does, it resets “$CHAIN” to “0” and introduces a random delay. Otherwise, it prepares an Authorization header with “$CHAIN” and hostname and sends a request to “hxxps://c2.innov-eula.com/”.
The server’s response is split and stored in “$CMD”. If the command is not “WAIT,” it executes a PowerShell command encoded in “$CMD[1]”. The response is then processed and split into chunks, which are sent back to the server in multiple requests.
The process continues, handling each chunk until the “END” command is received. The PowerShell script is shown below.
The figure below shows the de-obfuscated third-stage PowerShell script.
Figure 6 – De-obfuscated Third Stage PowerShell Script
Open Directory
At the time of execution, we were not able to observe any commands from the C&C server. However, after checking for the network infrastructure, we came across an open directory, “hxxps:/credit-agricole.webdev.innov-eula[.]com”, hosting the malicious LNK file along with other files as shown in the figure below.
Figure 7 – Open Directory
Chisel
The open directory contains a suspicious file named chisolo.dll, which is identified as Chisel—a fast TCP/UDP tunneling tool written in Go. Chisel operates over HTTP and is secured via SSH. It uses a single executable for both the client and server, making it particularly effective for bypassing firewalls.
Chisel has been widely adopted by various threat actors as a powerful tunneling tool, enabling them to pivot into compromised environments with stealth and efficiency. Notable groups such as Sandworm APT, Lorenz Ransomware, and Pysa Ransomware have leveraged Chisel in their campaigns to facilitate lateral movement and maintain persistence.
The Threat Actor can leverage the Chisel tool for various malicious purposes.
Scanning the Internal Network
After compromising the system using the previously mentioned infection, the TA deploys and executes the Chisel client on the compromised machine. This allows the TA to use the infected machine as a SOCKS proxy, enabling them to scan the internal network with tools like Nmap.
Accessing Protected Internal Networks
Once the internal networks are identified, the TA can use the compromised machine to create a tunnel using the Chisel client. This tunnel provides access to networks that are otherwise shielded from external connections, allowing the TA to infiltrate internal systems not exposed to the outside.
Enabling External Connections for Isolated Machines
The TA can also leverage the Chisel client to enable internet access for machines that are otherwise unable to connect. This allows the TA to download additional malicious samples for further exploitation and maintain persistence within the network.
The chisel client sample identified in this campaign has three export functions, as shown below.
Figure 8 – Chisel Client Export Functions
The export functions main and xlAutoOpen have code to start the Chisel client on the infected machine, as shown below.
Figure 9 – Routine to Start Chisel Client
Interestingly, the Threat Actor (TA) is using the IP address 163.116.128[.]80 over port 8080, associated with Netskope, as an explicit proxy. By routing their traffic through this Netskope proxy, we suspect that the TA is likely using this to obfuscate their communications with the C&C server – hxxps://ligolo.innov-eula[.]com.
This approach allows them to bypass traditional network defenses and evade detection, making it difficult for security teams to identify and block malicious C&C traffic. The figure below shows a code snippet used by the Chisel client containing a proxy IP address and C&C URL.
Figure 10 – Chisel Client C&C Routine
Although direct commands from the C&C server were not observed, the TA likely uses the C&C to issue commands to download and execute the Chisel client on the compromised machine. Once the Chisel tunnel is established between the C&C server and the victim’s machine, this tunnel enables the TA to control the compromised system more effectively. Through this channel, the TA can send specific commands to identify the internal network, move laterally across connected systems, and download additional malicious payloads. These actions enhance the TA’s control and facilitate further malicious activities within the internal environment. The setup effectively provides the TA with a hidden and flexible pathway into internal systems that would otherwise be isolated from external access.
Threat hunting Packages
Our exclusive threat-hunting packages, which include YARA and Sigma rules specifically designed to detect campaigns involving the Chisel tool and related malicious activities.
Additionally, our threat-hunting packages empower organizations to proactively identify and mitigate cyber threats, enabling them to stay ahead of cybercriminals. These packages help detect potential risks and malicious activities before they can cause harm, ensuring a stronger defense against evolving cyber threats.
We have over 15,000 threat-hunting packages and growing. To learn more about how you can gain access to our latest actionable threat intel, click here.
Conclusion
This sophisticated multi-stage PowerShell campaign uses an LNK file to activate a sequence of obfuscated scripts, which maintain persistence and ensure stealth by connecting with a command-and-control (C&C) server. The attack involves Chisel and a Netskope proxy for covert communication, enabling lateral movement within the network. This setup reflects advanced threat actor tactics aimed at prolonged control and evasion, suggesting a highly organized or financially motivated campaign.
Recommendations
Deploy endpoint detection and response (EDR) solutions that can identify and stop unusual PowerShell activity. Ensure that all endpoints are configured to log PowerShell command executions and unusual file behaviors, such as LNK file executions from non-standard locations.
Limit access to PowerShell and other scripting tools based on user roles. Where possible, apply “constrained language mode” to restrict the types of commands that can be executed.
Monitor network traffic for unusual connections, particularly those using uncommon ports or protocols (such as Chisel’s tunneling). Network segmentation can limit lateral movement, restricting an attacker’s access even if they compromise one segment.
Train users to recognize and avoid suspicious links or files, particularly those delivered via email or other messaging platforms. Regular phishing simulations and awareness training can help prevent the initial compromise.
Implement MFA on all sensitive systems. It can help prevent unauthorized access, even if credentials are compromised. This is especially important for privileged accounts that can execute PowerShell or access sensitive segments of the network.
Integrate threat intelligence feeds that include indicators of compromise (IOCs) related to C&C servers, known malicious IP addresses, and techniques like Chisel tunneling. This intelligence can aid in detecting and blocking attacks that match these patterns.
A recently identified command injection vulnerability in D-Link network-attached storage (NAS) devices exposes over 61,000 internet-connected units to potential exploitation.
The flaw, tracked as CVE-2024-10914, allows unauthenticated attackers to inject arbitrary commands by exploiting the name parameter in the cgi_user_add command.
The vulnerability affects legacy D-Link NAS devices, primarily used by small businesses, and holds a critical CVSS score of 9.2, calling for an immediate need for mitigation.
This vulnerability is especially concerning as D-Link has classified these devices as end-of-life (EOL) and end-of-service (EOS), meaning they will no longer receive security updates or patches. D-Link has recommended that users retire affected devices or, at minimum, isolate them from public internet access.
Affected Devices and Vulnerability Scope
The CVE-2024-10914 command injection vulnerability impacts several D-Link NAS models that are no longer supported. The affected devices include:
DNS-320 – Version 1.00
DNS-320LW – Version 1.01.0914.2012
DNS-325 – Versions 1.01, 1.02
DNS-340L – Version 1.08
The vulnerability lies in the account_mgr.cgi script, specifically when processing the name parameter within the cgi_user_add command. Due to insufficient input sanitization, attackers can manipulate this parameter to execute arbitrary shell commands, potentially compromising all data on the device.
According to a scan conducted on the FOFA platform by security researcher NetSecFish, more than 61,000 vulnerable devices are accessible from unique IP addresses globally, showcasing the extensive risk this flaw poses to users.
Exploitation Details
Exploiting CVE-2024-10914 requires minimal technical knowledge. Attackers can craft a simple HTTP GET request to the vulnerable device’s IP address, embedding malicious commands within the name parameter, as shown below:
The above command triggers the cgi_user_add function, injecting the shell command specified by the attacker, effectively granting unauthorized control over the device. This vulnerability (CWE-77) poses a severe risk, as command injection attacks can lead to complete device takeover, unauthorized access to stored data, and the potential for lateral movement within a network.
D-Link’s Response and Recommendations
D-Link released an advisory acknowledging the vulnerability and confirming that affected devices have reached end-of-life (EOL) status. As a result, they no longer receive firmware updates or security patches, meaning that no official fix will be provided.
“If a product has reached the End of Support (“EOS”) or End of Life (“EOL”), it typically does not receive further extended support or development. Typically, D-Link cannot resolve device or firmware issues for these products since all development and customer support have ceased,” the company said.
D-Link advises users to replace these NAS devices with more secure and supported models to mitigate the risk of exploitation.
For users who cannot immediately retire these devices, D-Link has issued the following recommendations:
Isolate Vulnerable NAS Devices: Disconnect the affected NAS devices from the public internet to prevent external exploitation.
Restrict Access: Limit access to the device by configuring firewall rules or network access controls that restrict traffic to trusted internal networks only.
Update Access Credentials: Frequently update and strengthen device passwords to mitigate potential unauthorized access and ensure encryption is enabled for wireless connections.
Consider Third-Party Firmware: For advanced users, third-party firmware may provide additional security updates, though it voids any remaining warranty and is unsupported by D-Link.
Security Implications and Best Practices
With over 61,000 potentially exposed devices and no available patch, this vulnerability has significant implications. Organizations using these NAS devices to store or transfer sensitive information are advised to take immediate action to mitigate potential breaches.
Beyond D-Link’s recommendations, organizations can adopt additional best practices to minimize their exposure to this risk:
Network Segmentation: Place vulnerable devices in segmented network zones to prevent attackers from moving laterally if they gain initial access.
Regular Vulnerability Scanning: Implement frequent scanning to identify exposed or vulnerable devices within the network.
Monitor Network Traffic: Set up network monitoring to detect unusual traffic patterns or access attempts, which could indicate exploitation.
Cybersecurity Awareness: Inform employees and network administrators about this vulnerability to reinforce secure practices for managing NAS devices.
Conclusion
CVE-2024-10914 represents a critical risk to D-Link NAS device users, particularly as these devices will not receive security patches due to their EOL/EOS status. Immediate action is necessary to mitigate this risk, either by retiring affected devices or by enforcing strict access controls. For businesses and individuals relying on these legacy devices, upgrading to secure, supported hardware is the most effective solution to maintain data integrity and safeguard against potential threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-11 15:06:512024-11-11 15:06:51No Fix for Critical Command Injection Vulnerability in Legacy D-Link NAS Devices
A critical path traversal vulnerability, CVE-2024-10470, has been identified in the WPLMS Learning Management System (LMS) theme for WordPress. This vulnerability enables unauthenticated attackers to read and delete arbitrary files on the server due to insufficient file path validation in the theme’s readfile and unlink functions.
The flaw affects all versions of WordPress up to and including 4.962 and carries a CVSS score of 9.8.
According to the bug description published on GitHub under the account moniker RandomRobbieBF, the flaw impacts WordPress sites running WPLMS even if the theme is not actively enabled. This likely puts thousands of LMS-driven websites at risk of unauthorized data access, site disruption, and potential full system compromise.
The CVE-2024-10740’s original finding is attributed to an independent researcher Friderika Baranyai, aka Foxyyy.
Vulnerability Details
CVE: CVE-2024-10470
Type: Path Traversal (CWE-22)
Affected Theme: WPLMS Learning Management System for WordPress
Affected Versions: <= 4.962
Severity: Critical (CVSS 9.8)
Impact: Confidentiality, Integrity, Availability
Found By: Friderika Baranyai, aka Foxyyy
Exploitation Details
This vulnerability allows attackers to delete critical files, such as wp-config.php, without needing authentication. Deleting this file, which contains essential WordPress configuration settings, could enable attackers to gain remote control over the affected server, leading to potential code execution and full site compromise.
While there is no publicly available proof-of-concept (PoC) or evidence of active exploitation, the nature of this vulnerability means that attackers could send crafted requests to delete or read files arbitrarily.
For example, the download_export_zip parameter within certain WPLMS theme scripts can be exploited to read or delete sensitive server files, leading to significant security risks for affected WordPress installations.
A sample crafted request, as described on GitHub, which could exploit this vulnerability is as follows:
POST /wp-content/themes/wplms/setup/installer/envato-setup-export.php HTTP/1.1
Host: [Target-IP]
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
download_export_zip=1&zip_file=.htaccess
This request manipulates the zip_file parameter to target and potentially delete files like .htaccess, which could lead to server misconfiguration or unauthorized file access.
Mitigation and Recommendations
Website administrators are advised to take the following actions to address this bug:
Deactivate and Remove the WPLMS Theme: If possible, temporarily deactivate the WPLMS theme until a patch is available. Remove it if it’s not essential to your website’s functionality.
Apply Strong Access Controls: Restrict access to critical files, such as wp-config.php, and ensure that file permissions are strictly enforced to prevent unauthorized deletion or modification.
Implement File Integrity Monitoring: Regularly monitor the integrity of critical WordPress files. Immediate alerts on file deletion or modifications can provide timely warnings of potential exploitation.
Back Up WordPress Installations Regularly: Maintain regular backups of your website’s files and database to ensure rapid recovery in the event of an attack.
Web Application Firewall (WAF): Use a WAF to filter potentially malicious requests. This can help prevent attackers from exploiting path traversal vulnerabilities.
Monitor for Updates: Regularly check for updates from the WPLMS theme developer and apply any available patches as soon as they are released. The vulnerability is resolved in version 4.963, so updating to this version will eliminate the risk.
Isolate WordPress Installations: For sites heavily dependent on the WPLMS theme, consider isolating the installation in a separate, highly controlled environment to reduce the risk of lateral movement if exploited.
Conclusion
The CVE-2024-10470 vulnerability in the WPLMS theme for WordPress represents a severe security threat to affected websites. By allowing unauthenticated file deletion, this flaw poses risks of unauthorized access, remote code execution, and potential full compromise of WordPress installations.
Administrators are urged to take immediate steps to secure their systems, including deactivating the theme if feasible, implementing access controls, and applying security patches as soon as they are available.
Following these recommendations, organizations can mitigate potential exploitation and protect their WordPress environments from unauthorized access and service disruption.
Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-10 09:07:152024-11-10 09:07:15Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday alerted federal agencies regarding active exploitation of a critical missing authentication vulnerability in Palo Alto Networks’ Expedition, a tool widely used by administrators for firewall migration and configuration management.
This flaw, designated CVE-2024-5910, has been actively exploited by attackers since its patch release in July, underscoring the urgency for immediate remediation.
Expedition is a popular migration tool designed to assist administrators in transitioning firewall configurations from vendors such as Check Point and Cisco to Palo Alto’s PAN-OS. However, due to a missing authentication mechanism, this tool now presents a significant risk for compromised credentials and potentially severe network intrusions.
What is CVE-2024-5910 Vulnerability
The CVE-2024-5910 vulnerability in Palo Alto Networks’ Expedition tool is a missing authentication flaw, which allows an attacker with network access to exploit the vulnerability and take over an admin account.
Once exploited, attackers can potentially gain access to sensitive configuration secrets, credentials, and other data stored within the tool. This flaw carries a critical CVSSv4.0 base score of 9.3.
According to Palo Alto Networks, only Expedition versions below 1.2.92 are vulnerable, while all versions from 1.2.92 and onward are protected against this flaw. As CISA emphasized, the lack of authentication on such a critical function poses severe security risks, especially for government and enterprise environments relying on Expedition for firewall migration and tuning.
Technical Details and Vulnerability Summary
Vulnerability: CVE-2024-5910 (Missing Authentication for Critical Function)
Weakness Type: CWE-306, Missing Authentication for Critical Function
Impact: Admin account takeover, access to sensitive configuration data, potential firewall control
Likely Reason for Exploitation of CVE-2024-5910
Although Palo Alto Networks initially released a patch in July to fix CVE-2024-5910, the exploitation attempts likely escalated when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October.
This PoC showed how CVE-2024-5910 admin reset vulnerability could be chained with another command injection vulnerability – CVE-2024-9464. This combination allows for unauthenticated, arbitrary command execution on vulnerable Expedition servers, enabling attackers to execute commands remotely.
This chained vulnerability scenario magnifies the risk, as attackers can exploit the admin reset vulnerability to ultimately compromise PAN-OS firewall admin accounts, providing full control over firewall configurations and potentially allowing access to sensitive network areas.
CISA’s Known Exploited Vulnerabilities Catalog Update
Adding to the urgency, CISA has included CVE-2024-5910 in its Known Exploited Vulnerabilities (KEV) Catalog. This addition mandates all U.S. federal agencies to secure vulnerable Expedition servers against potential attacks by November 28. This move underscores the federal directive for securing essential digital infrastructure against known vulnerabilities, especially those that facilitate admin credential resets and remote command execution.
Recommendations and Mitigations
To secure systems against this exploit, it is strongly recommended that administrators:
Upgrade Expedition to Version 1.2.92 or Later: This release addresses CVE-2024-5910 and subsequent vulnerabilities, providing a robust safeguard against admin account takeover and unauthorized access.
Rotate All Credentials Post-Upgrade: After updating to the latest version, administrators should rotate all Expedition usernames, passwords, and API keys. Additionally, all firewall usernames, passwords, and API keys processed through Expedition should be reset to prevent any potential misuse of compromised credentials.
Restrict Network Access: As a mitigating measure, organizations unable to immediately apply the patch should restrict network access to Expedition servers to authorized users and hosts only. Network segmentation and access control lists (ACLs) should be employed to limit exposure.
Conclusion
The exploitation of CVE-2024-5910 exemplifies the persistent challenge organizations face in securing digital tools that facilitate network management and firewall configuration. Regular patching, vigilant credential management, and access control are fundamental to safeguarding critical infrastructure against similar vulnerabilities.
With CISA actively monitoring this threat and urging patching compliance, addressing this vulnerability is essential not only for regulatory compliance but for maintaining network security integrity.
By upgrading to the latest version of Expedition and implementing the outlined mitigations, organizations can strengthen their defenses against these specific exploits and prevent unauthorized access to network configurations.
Battle City, colloquially known as “that tank game”, is a symbol of a bygone era. Some 30 years ago, gamers would pop a cartridge into their console, settle in front of a bulky TV, and obliterate waves of enemy tanks until the screen gave out.
Today, the world’s a different place, but tank games remain popular. Modern iterations offer gamers not just the thrill of gameplay but also the chance to earn NFTs. Cybercriminals too have something to offer: a sophisticated attack targeting crypto-gaming enthusiasts.
Backdoor and zero-day exploit in Google Chrome
This story begins in February 2024, when our security solution detected the Manuscrypt backdoor on a user’s computer in Russia. We’re very familiar with this backdoor; various versions of it have been used by the Lazarus APT group since at least 2013. So, given we already know the main tool and methods used by the attackers — what’s so special about this particular incident?
The thing is that these hackers typically target large organizations like banks, IT companies, universities, and even government agencies. But this time, Lazarus hit an individual user, planting a backdoor on a personal computer! The cybercriminals lured the victim to a game site and thereby gained complete access to their system. Three things made this possible:
The victim’s irresistible desire to play their favorite tank game in a new format
A zero-day vulnerability in Google Chrome
An exploit that allowed remote code execution in the Google Chrome process
Before you start to worry, relax: Google has since released a browser update, blocked the tank game’s website, and thanked the Kaspersky security researchers. But just in case, our products detect both the Manuscrypt backdoor and the exploit. We’ve delved into the details of this story on the Securelist blog.
Fake accounts
At the start of the investigation, we thought the group had gone to extraordinary lengths this time: “Did they actually create an entire game just for a scam?” But we soon worked out what they’d really done. The cybercriminals based their game — DeTankZone — on the existing game DeFiTankLand. They really went all out, stealing the source code of DeFiTankLand and creating fake social media accounts for their counterfeit.
Around the same time, in March 2024, the price of the DefitankLand (sic) cryptocurrency plummeted — the developers of the original game announced that their cold wallet had been hacked, and “someone” had stolen $20,000. The identity of this “someone” remains a mystery. The developers believe it was an insider, but we suspect that the ever-present tentacles of Lazarus are involved.
Differences between the fake and the original are minimal
The cybercriminals orchestrated a full-blown promotion campaign for their game: they boosted follower counts on X (formerly Twitter), sent collaboration offers to hundreds of cryptocurrency influencers (also potential victims), created premium LinkedIn accounts, and organized waves of phishing emails. As a result, the fake game got even more traction than the original (6000 followers on X, versus 5000 for the original game’s account).
Social media content created by AI with the help of graphic designers
How we played tanks
Now for the most fun part…
The malicious site that Lazarus lured their victims to offered a chance, not only to “try out” a zero-day browser exploit, but also to play a beta version of the game. Now, here at Kaspersky, we respect the classics, so we couldn’t resist having a go on this promising new version. We downloaded an archive that seemed completely legitimate: 400MB in size, correct file structure, logos, UI elements, and 3D model textures. Boot her up!
The DeTankZone start menu greeted us with a prompt to enter an email address and password. We first tried logging in using common passwords like “12345” and “password” but that doesn’t work. “Fine, then”, we think. “We’ll just register a new account”. Again, no luck — the system wouldn’t let us play.
The start menu inspires confidence with a seemingly legitimate login form
So why were there 3D model textures and other files in the game archive? Could they really have been other components of the malware? Actually, it wasn’t that bad. We reverse-engineered the code and discovered elements responsible for the connection to the game server — which, for this fake version, was non-functional. So, in theory, the game was still playable. A bit of time spent, a little programming, and voilà — we replace the hackers’ server with our own, and the red tank “Boris” enters the arena.
The game reminded us of shareware games from 20 years ago — which made all the effort worthwhile
Lessons from this attack
The key takeaway here is that even seemingly harmless web links can end up with your entire computer being hijacked. Cybercriminals are constantly refining their tactics and methods. Lazarus is already using generative AI with some success, meaning we can expect even more sophisticated attacks involving it in the future.
Security solutions are also evolving with effective integration of AI — learn more here and here. All ordinary internet users have to do is make sure their devices are protected, and stay informed about the latest scams. Fortunately, the Kaspersky Daily blog makes this easy — subscribe to stay updated…
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-08 15:06:382024-11-08 15:06:38Kaspersky uncovers a crypto game created by Lazarus APT | Kaspersky official blog
Cyble Research & Intelligence Labs (CRIL) has investigated significant ICS vulnerabilities this week, providing essential insights derived from advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA). This week’s report highlights multiple vulnerabilities across critical ICS products, with specific focus on those from Rockwell Automation, Delta Electronics, and Solar-Log.
CISA released three security advisories addressing four ICS vulnerabilities across these products, underscoring the urgent need for mitigation.
Among the most notable is a Cross-Site Scripting (XSS) flaw in Solar-Log Base 15, a widely used photovoltaic energy management product, which poses heightened risks due to internet-facing deployments identified by Cyble’s ODIN scanner.
ICS Vulnerabilities Overview
CRIL has pinpointed the following critical ICS vulnerabilities requiring immediate action:
CVE-2023-46344 – Solar-Log Base 15
Type: Cross-Site Scripting (XSS)
Severity: Medium
Description: This vulnerability allows unauthorized access through internet-facing instances, enabling attackers to potentially compromise device security and functionality. Cyble’s ODIN scanner identified a significant number of Solar-Log Base 15 devices deployed in Germany, emphasizing the need for prompt patching.
Description: The Delta InfraSuite Device Master vulnerability allows critical systems to process untrusted data, which could lead to unauthorized access or system manipulation. This vulnerability impacts essential operational systems, necessitating immediate patching.
Type: Missing Authentication for Critical Function
Severity: Critical
Description: Rockwell Automation’s ThinManager vulnerability allows unauthorized users to access sensitive systems without proper authentication, potentially exposing operational systems to attacks. This flaw requires urgent attention due to its impact on operational continuity.
The severity overview indicates that these vulnerabilities span medium to critical levels, affecting critical infrastructure and necessitating prioritized mitigation.
Figure 1. Sectors impacted due to these vulnerabilities. (Source: CRIL)
Recommendations and Mitigations
To address these vulnerabilities effectively, organizations should consider the following best practices:
Stay Updated: Regularly monitor security advisories from vendors and regulatory bodies to stay informed of critical patches and vulnerabilities.
Risk-Based Vulnerability Management: Implement a risk-focused approach to manage and patch vulnerabilities based on their potential impact, especially for internet-facing ICS components.
Network Segmentation: Isolate critical assets using effective network segmentation to prevent lateral movement and reconnaissance attempts by potential attackers.
Continuous Vulnerability Assessments: Conduct regular vulnerability assessments, audits, and penetration testing to proactively identify and fix security loopholes.
Utilize Software Bill of Materials (SBOM): Maintain visibility into software components, libraries, and dependencies to detect vulnerabilities promptly.
Incident Response Preparedness: Develop and routinely test a robust incident response plan, ensuring it is aligned with the latest threat landscape.
Cybersecurity Training: Conduct ongoing training programs for employees, particularly those with access to OT systems, covering threat recognition, authentication protocols, and security best practices.
Conclusion
The vulnerabilities highlighted in this ICS intelligence report call for swift action from organizations to mitigate potential security risks. With threats evolving rapidly and exploit attempts on the rise, maintaining a proactive stance is essential. By prioritizing the recommendations and implementing necessary patches, organizations can safeguard critical infrastructure, enhance operational resilience, and minimize the risk of exploitation.
A recently discovered high-severity vulnerability, tracked as CVE-2024-10443 and dubbed “RISK:STATION,” poses a significant threat to Synology NAS users worldwide.
The vulnerability, affecting Synology DiskStation and BeeStation models, allows remote code execution without user interaction, heightening the potential for malicious exploitation.
CERT-In has released an advisory urging Synology users to apply critical security patches immediately to secure their devices and prevent unauthorized access.
Affected Systems and Risk Assessment
The flaw specifically impacts Synology Photos and BeePhotos components, which come pre-installed on many Synology NAS products. Vulnerable versions include:
BeePhotos for BeeStation OS 1.1 – versions below 1.1.0-10053
BeePhotos for BeeStation OS 1.0 – versions below 1.0.2-10026
Synology Photos 1.7 for DSM 7.2 – versions below 1.7.0-0795
Synology Photos 1.6 for DSM 7.2 – versions below 1.6.2-0720
Given that NAS devices are highly valuable targets in ransomware attacks, the risks associated with this vulnerability are extensive, including data theft, malware installation, and unauthorized system access.
System owners using affected versions are encouraged to upgrade to secure versions immediately.
Impact and Exploitation Risks
The “RISK:STATION” vulnerability represents an “unauthenticated zero-click” attack vector. Attackers exploiting this flaw can gain root-level control without any user interaction.
Synology’s QuickConnect feature, a remote-access service, further increases device exposure, as it allows attackers to reach NAS devices even behind firewalls. According to the researchers who were credited with finding this zero-click bug, this flaw carries a high potential for misuse and could impact an estimated one to two million devices globally.
Device Exposure and Enumeration Concerns
The vulnerability’s severity is amplified by Synology’s QuickConnect feature’s extensive reach. This service provides devices with a unique subdomain that enables remote access, even bypassing firewalls and NAT configurations.
Due to the ease of obtaining these subdomains through Certificate Transparency logs, adversaries can readily enumerate exposed Synology devices. QuickConnect domains often contain identifiable names or locations, raising privacy concerns and potentially making it easier for attackers to prioritize targets.
Mitigations and Recommended Actions
Synology has issued patches that effectively neutralize this vulnerability, covering both the SynologyPhotos and BeePhotos applications. Users should ensure they apply the following updates:
For Synology DiskStation (DSM 7.2):
Synology Photos 1.7 – Update to version 1.7.0-0795
Synology Photos 1.6 – Update to version 1.6.2-0720
For Synology BeeStation:
BeePhotos 1.1 – Update to version 1.1.0-10053
BeePhotos 1.0 – Update to version 1.0.2-10026
Alternatively, users can mitigate exposure by disabling QuickConnect, blocking ports 5000 and 5001, and disabling the SynologyPhotos or BeePhotos components if not actively in use.
Although these actions prevent internet-based exploitation, they do not secure devices within local networks, so a firmware update remains the most effective solution.
Conclusion
The CVE-2024-10443 vulnerability in Synology NAS devices showcases the need for proactive patching, particularly for high-value, internet-exposed assets. Synology users are urged to follow the recommended upgrade steps or apply alternative mitigation measures to secure their devices from exploitation. By addressing these vulnerabilities promptly, organizations can reduce the likelihood of unauthorized access, ransomware attacks, and data breaches on their network-attached storage devices.
Cisco has disclosed a severe vulnerability, tracked as CVE-2024-20418, in its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points. The flaw, rated with a maximum CVSS score of 10.0, affects multiple Cisco Catalyst Access Point models.
Attackers exploiting this vulnerability can gain root-level control, enabling unauthorized command execution on vulnerable devices.
Vulnerability Details
This critical CVE-2024-20418 vulnerability stems from improper input validation within Cisco’s web-based management interface, which controls URWB Access Points. A remote attacker without authentication can exploit this flaw by sending specially crafted HTTP requests to vulnerable devices, thereby injecting commands with root privileges on the device’s operating system.
Cisco has responded by releasing updates to mitigate the risk, advising immediate software upgrades as there are no workarounds. Importantly, only devices operating in URWB mode are impacted.
According to the Office of Information Technology of the New York State, while government institutions and business are at high risk of the bug, home users could be the least affected.
RISK: Government:
Large and medium government entities: High
Small government entities: Medium
Businesses:
Large and medium business entities: High
Small business entities: Medium
Home users: Low
What is Cisco’s Ultra-Reliable Wireless Backhaul (URWB)?
Cisco’s URWB technology provides the robust, low-latency wireless connectivity essential for critical, high-stakes applications across industrial and mobile environments. Designed to replace costly and complex wired infrastructure, URWB enables seamless, multigigabit performance with minimal packet loss, making it invaluable for sectors relying on autonomous systems.
Industries including ports, railways, and manufacturing leverage URWB for real-time applications, such as video monitoring and remote machinery control, benefiting from reduced deployment costs and greater flexibility. The technology supports dual-mode capability, allowing devices to toggle between URWB and Wi-Fi 6/6E based on project needs, thereby optimizing infrastructure investments.
Affected Devices
The following Cisco Catalyst Access Points running a vulnerable version of Cisco’s Unified Industrial Wireless Software are affected if URWB mode is enabled:
Catalyst IW9165D Heavy Duty Access Points
Catalyst IW9165E Rugged Access Points and Wireless Clients
Catalyst IW9167E Heavy Duty Access Points
To determine if URWB mode is enabled, Cisco advises using the show mpls-config command. If available, URWB mode is active, and the device is vulnerable.
Cisco has confirmed that other products, including the 6300 Series Embedded Services Access Points, Aironet models, and Catalyst 9100 Series Access Points, are unaffected.
Mitigation Steps
Cisco has issued free software updates addressing this vulnerability. However, users must ensure they are compliant with licensing and have sufficient memory and compatible configurations for successful upgrades.
Customers without service contracts should reach out directly to the Cisco Technical Assistance Center (TAC) for help obtaining the necessary updates. More details can be found on Cisco’s Security Advisory page.
Fixed Software Releases
For the Cisco Unified Industrial Wireless Software versions affected, the company has released the following fixed versions:
17.15 – First fixed in version 17.15.1
17.14 and earlier – Cisco advises migrating to the nearest fixed release.
Security practitioners managing industrial or critical infrastructure networks are strongly urged to update vulnerable devices promptly. Failure to patch could expose systems to high-risk attacks due to the root-level access that this vulnerability permits.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-07 12:06:402024-11-07 12:06:40Critical Bug in Cisco’s URWB Exposes Systems to Root Privilege Command Injection