The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to username enumeration. An unauthenticated attacker can interact with the UserManager servlet to enumerate valid usernames on the system. Since jsonProxy.php proxies requests to internal services without requiring authentication, attackers can gain unauthorized insights into valid usernames.

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Username Enumeration

The ABB BMS/BAS controller allows an unauthenticated attacker to disclose credentials in plain-text.

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Credentials Disclosure

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

A professional-grade tool set, appropriately dubbed "CloudScout," is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.

Source: Design Pics Inc. via Alamy Stock Photo

The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.

That's according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).

CloudScout is written in .NET, and it's designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and infiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.

ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on least 10 different cloud apps.  

"These modules are designed to access public cloud services … by hijacking authenticated Web sessions," according to ESET's analysis, released on Oct. 28. "This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services," thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.

Related:Mobile Apps With Millions of Downloads Expose Cloud Credentials

After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it's compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.

**Chinese APT Hones Cyberespionage Arsenal**

Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that's been operating since at least 2012, focused mainly on cyber espionage against civil society targets.

These include "independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China," ESET researchers noted. "At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea." It has also been seen targeting a handful of victims in Nigeria.

The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

According to ESET, "The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-f748-7hpg-88ch: NVIDIA Container Toolkit allows specially crafted container image to create empty files on the host file system

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

GHSA-mjjw-553x-87pq: NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability

In the latest attack against ISPs, second-largest French provider Free fell victim to unknown cyberattackers who attempted to sell the compromised data it stole from the company on an underground cybercrime forum.

Source: Timon Schneider via Alamy Stock Photo

Free, a French telecommunications company and the second largest Internet service provider (ISP) in the country, has disclosed a cyberattack it fell a victim to over the weekend. It's the latest in a line of attacks against ISPs and telcos of late.

A threat actor stole information from the company's internal management tool, gathering data on the company's subscribers, and attempted to sell the data on the Dark Web in a cybercrime forum, the ISP confirmed to Agence France-Presse (AFP) on Oct. 26.

The hacker, known as "drussellx," posted a message on the forum, putting two databases stolen from the ISP company up for auction. The databases reportedly contained information on more than 19 million customer accounts, and more than 5 million international bank account details.

The bad actors gained "unauthorized access to some of the personal data associated with the accounts of certain subscribers," according to Free, which has more than 22 million mobile and fixed subscribers. However, it stressed that no passwords, bank-card information, emails, SMSs, or voicemails were compromised, and that its services were not been impacted.

Internet service provider networks are increasingly being targeted by bad actors in attacks to steal data and set up base for new tactics and techniques. Take advanced persistent threat (APT) Salt Typhoon, for example, which has been targeting these networks in the US, likely due to the information they can garner, such as home addresses, billing information, SMSs, and more.

Another APT group, known as Evasive Panda (aka StormBambaoo and DaggerFly), also targets ISPs, using them as a launchpad to exploit software vendor update mechanisms by using DNS poisoning.

Now, in the wake of its own ISP attack, Free reports that it soon will be informing impacted customers via email regarding the breach. It has also filed a criminal complaint and informed France's National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).

French ISP Confirms Cyberattack, Data Breach Affecting 19M

Organization admins can delete pending invites created in an organization they are not part of.

GHSA-66c4-2g2v-54qw: Grafana org admin can delete pending invites in different org

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the…

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the infrastructure behind the notorious RedLine and META infostealer malware. Discover how these cyberattacks steal sensitive information and the impact they have on individuals and businesses worldwide.

An international law enforcement operation has successfully dismantled the infrastructure behind two notorious infostealer malware strains: RedLine and Meta. The operation, codenamed “Operation Magnus,” was led by the Dutch National Police, the U.S. Department of Justice (DOJ) and supported by Europol.

The investigation involved law enforcement agencies from across the globe, including Belgium (Belgian Federal Police, Belgian Federal Prosecutor’s Office), Australia (the Australian Federal Police), Portugal (Polícia Judiciária), and the United Kingdom (National Crime Agency).

Other US agencies involved in this operation include the FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division. These agencies collaborated under a Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus. 

Watch the video released by authorities

This operation resulted in full access (PDF) to the servers hosting the malware’s infrastructure, including source code, license servers, user data, and seizing domains and Telegram accounts. Authorities have created a dedicated website to provide resources for victims and the public

For your information, Infostealers are a type of malware designed to steal sensitive information from victims’ devices, such as login credentials, passwords, and credit card details. These stolen credentials are often sold on underground markets, enabling further cyberattacks and fraudulent activities.

Screenshot from RedLine’s infrastructure

RedLine and META are designed to infiltrate victim computers and steal sensitive information. This stolen data, often referred to as “logs,” can include usernames, passwords, financial information, and even cryptocurrency wallet details. Criminals use these stolen credentials for a variety of nefarious purposes, including launching further attacks, committing fraud, or bypassing multi-factor authentication (MFA). 

Investigations revealed RedLine and META may have infected millions of computers worldwide. Estimates suggest RedLine alone might be one of the most prevalent malware variants globally. Law enforcement has identified millions of unique credentials stolen by the malware, including usernames, passwords, and financial data.

As part of Operation Magnus, authorities unsealed a criminal complaint (PDF) against Maxim Rudometov, believed to be a developer and administrator of RedLine. The complaint accuses Rudometov of managing RedLine’s infrastructure, receiving payments through cryptocurrency accounts, and possessing the malware itself. He faces charges including access device fraud, conspiracy to commit computer intrusion, and money laundering, and if convicted, he could face a maximum sentence of 10 years in prison.

Maxim Rudometov, the alleged developer and administrator of RedLine.

Operation Magnus serves as a powerful example of international cooperation in combating cybercrime. By dismantling the RedLine and META infrastructure, law enforcement has significantly disrupted the activities of cybercriminals who rely on stolen data for their illicit operations. However, the ever-evolving nature of cybercrime necessitates continued vigilance and cooperation between law enforcement and cybersecurity experts.

1.  **VirusTotal Reveals Apps Most Exploited To Spread Malware**
2.  **Konni RAT Exploiting Word Docs to Steal Data from Windows**
3.  **FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices**
4.  **Police Dismantle Phishing-as-a-Service Platform BulletProftLink**
5.  **Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt**

Operation Magnus: Police Dismantles RedLine and META Infostealer Infrastructure

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools,…

Russian hackers launched a targeted malware campaign via Telegram, aimed at Ukrainian military recruits. Disguised as recruitment tools, the malware steals data and spreads disinformation, weakening Ukraine’s defence efforts.

A new report by Google’s Threat Intelligence Group (TAG) exposes a cyber campaign targeting Ukrainian men eligible for military service. The campaign, linked to Russian state-sponsored hackers, orchestrated by the UNC5812 group, utilizes a combination of malware and disinformation.

It is worth noting that at the beginning of October 2024, reports indicated that Russian cyber operations against Ukraine during the first half of the year shifted from broad-spectrum attacks to a more targeted approach, specifically focusing on Ukraine’s military and defence sectors.

For the latest campaign, the immediate objective is to compromise the devices of potential Ukrainian military recruits. Hackers are distributing malicious software to help Ukrainian military recruits locate recruitment centers. These programs are laced with malware that can steal sensitive information like browser data, keystrokes, and cryptocurrency wallet details. 

To achieve this, the attackers have established a deceptive online presence through a Telegram channel and website known as “Civil Defense.” Reportedly, the website was registered in April 2024, but the Telegram channel was created in September

These platforms entice users with promises of helpful information and tools related to military conscription. However, once victims download and install the offered software, they unwittingly expose their devices to various malware strains.

For Windows users, this typically involves the Pronsis Loader, which subsequently delivers the information-stealing PURESTEALER. Android users, on the other hand, are targeted with the CRAXSRAT backdoor, a versatile tool capable of data theft, surveillance, and remote control. 

To bypass security measures, the attackers have employed social engineering techniques, instructing victims to disable Google Play Protect and manually grant permissions to the malicious apps. The campaign also involves a concerted effort to spread disinformation and undermine public morale in Ukraine. 

The “Civil Defense” platform disseminates anti-mobilization narratives, promotes false information about the war, and encourages users to share videos of alleged unfair practices at recruitment centers. The website has a dedicated news section rife with fabricated stories depicting purported injustices surrounding mobilization. The content is posted on pro-Russian social media channels. 

The UNC5812 campaign is part of a broader pattern of Russian cyberattacks aimed at destabilizing Ukraine. By targeting potential recruits, the attackers seek to erode public support for the military and hinder Ukraine’s ability to defend itself. 

Researchers suspect that UNC5812 is purchasing promoted posts in Ukrainian-language channels to target potential victims. A channel with over 80,000 subscribers promoting the “Civil Defense” Telegram channel-website was observed on September 18th. An additional Ukrainian-language news channel promoting the posts as recently as October 8th suggests the campaign is actively seeking new Ukrainian-language communities for targeted engagement.

Civil Defense promoted in Ukrainian-language missile alert and news communities and Download page, translated from Ukrainian (Via Google)

Google has identified and blocked malicious websites and domains by adding them to Safe Browsing, actively scanning devices for harmful apps, and collaborating with Ukrainian authorities to block the campaign’s website within the country. Google Play Protect also actively scans devices for harmful apps, including those installed outside the Play Store.

Nevertheless, Google’s report sheds light on Russia’s multifaceted approach to weakening Ukraine’s war effort through cyber means. By staying informed and utilizing security measures provided by platforms like Google, users can help mitigate the impact of such campaigns.

1.  Russia Responsible for Widespread Power Outage in Ukraine?
2.  Ukraine Blocks Russian Industroyer 2 Attack on Energy Provider
3.  Hackers Claim Data Breach at Russian Cybersecurity Firm Dr.Web
4.  Russian APT29 Using NSO Group-Style Exploits in Attacks, Google
5.  Russian Midnight Blizzard Breached UK Home Office via Microsoft

Latest News