Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting.
Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming,

Vulnerability / Data Breach

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting.

Tracked as **CVE-2024-34102** (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named "spacewasp," was patched by Adobe in June 2024.

Dutch security firm Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour.

The flaw has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.

Some of these attacks involve weaponizing the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have then been observed taking advantage of the Magento REST API to inject malicious scripts.

This also means that applying the latest fix alone is insufficient to secure against the attack, necessitating that site owners take steps to rotate the encryption keys.

Subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (aka glibc), to achieve remote code execution.

"CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system," Sansec noted.

The end goal of the compromises is to establish persistent, covert access on the host via GSocket and insert rogue scripts that allow for the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites.

The latest findings show that several companies, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to CosmicSting attacks, with at least seven distinct groups partaking in the exploitation efforts -

*   **Group Bobry**, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server
*   **Group Polyovki**, which uses an injection from cdnstatics.net/lib.js
*   **Group Surki**, which uses XOR encoding to conceal JavaScript code
*   **Group Burunduki**, which accesses a dynamic skimmer code from a WebSocket at wss://jgueurystatic\[.\]xyz:8101
*   **Group Ondatry**, which uses custom JavaScript loader malware to inject bogus payment forms that mimic the legitimate ones used by the merchant sites
*   **Group Khomyaki**, which exfiltrates payment information to domains that include a 2-character URI ("rextension\[.\]net/za/")
*   **Group Belki**, which uses CosmicSting with CNEXT to plant backdoors and skimmer malware

"Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce," Sansec said. "They should also rotate secret encryption keys, and ensure that old keys are invalidated."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

Source: Xavierlorenzo via Alamy Stock Photo

October is National Cybersecurity Awareness Month in the U.S. when IT teams prep their annual security education and awareness training program. For many employees, this may be their only interaction with the security team outside of onboarding, submitting a help ticket, or a potential incident. But every person plays a part in the security function of the business every day, whether they realize it or not. As they do, they have the potential to be an asset or risk to the team’s security posture.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), 68% of all breaches include the human element, with people being involved either via error, use of stolen credentials or social engineering. While exploiting technical vulnerabilities is rising in frequency as the initial way-in for an attacker, stolen credentials and phishing still account for the lion’s share of recorded breaches.

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

**Putting a Price on Trust**

Security is a core business function, as crucial to an organization's success as finance, revenue generation or product departments. It's also a key factor in shaping an organization's reputation, specifically influencing public and internal perceptions of whether the organization is trusted and reliable. To understand the profound impact of perceived security (or insecurity) on both public image and the bottom line, one need only examine customer reviews or stock prices of major businesses before and after a publicized breach or outage.

Security has a particularly significant impact on whether the company is seen as reliable and safe for business. The difference between a successful security program and a vulnerable one comes down to whether that value is communicated regularly and effectively.

**What's Measured Matters**

In some organizations, a CISO or CIO can advocate for security at the executive level, informing other leaders and stakeholders of its needs and value. In most businesses, however, this responsibility falls to the IT team leader, adding to their already substantial workload.

While it may seem like self-promotion or extraneous work, it’s extremely valuable to take the extra time to summarize threats stopped, processes improved, projects completed and team members modeling strong security behavior. This effort ensures that the benefits and value of the security program remain a priority for leadership, rather than being overshadowed by the next quarter's budget concerns or the hope of avoiding bad news.

Before starting from scratch, find existing resources by asking vendors and partners what performance reports and metrics they can provide. Many tools should already have audit or other templated reporting functions, and some may even offer custom summaries or executive briefings designed to update leaders on progress.

When choosing metrics, ask whether they truly advance effective security goals. As one example, a common phishing training misstep is solely tracking the number of people who click the link before and after training. While reducing risky clicks is valuable, reducing that number to zero is unlikely. Instead, focusing on how quickly someone reports a phish can materially reduce the time it takes to detect and stop a real-world attack. Now, training can emphasize the importance of reporting suspicious activity, even if an employee initially fell for the phish. This approach encourages openness rather than silence born from fear or embarrassment, and rewarding proactive behavior can significantly increase the likelihood of team members reaching out when something’s up.

Remember, what gets measured gets managed. Carefully selecting and tracking meaningful security metrics improves security posture and demonstrates the tangible value of a security program to the organization. This data-driven approach can help secure necessary resources and support for ongoing security initiatives, turning the security function from a cost center into a value driver for the business.

**Shedding the "Department of No" Reputation**

There’s an oft-repeated cliche of security as The Department of No: a roadblock to productivity, best unseen and unheard. And if most security interactions are perceived as “tedious and/or confusing” or “frustrating and/or terrifying,” people will go out of their way to avoid future interactions.

In reality, security works tirelessly to keep the organization and people within it safe and protected from innumerable risks. What may feel like an arbitrary refusal from a teammate’s perspective may very well be backed by good policy.

Improving this perception doesn't mean abandoning controls or approving every request. Instead, it requires clearly explaining why policies are in place, regularly collecting feedback on processes that prove to be roadblocks and showcasing wins as part of the normal business cadence.

Errors can be more than additional help tickets for IT teams to triage or irregularities to investigate: they can provide invaluable feedback where a process is unintuitive or misunderstood. Talking through “why” someone wanders off the authorized path can help identify confusing documentation, unconsidered use cases or other qualitative feedback that slips through what can be captured in a system log.

**What Have You Done For Them Lately?**

Most people don't have security experts on call in their personal life, and this gives security teams a unique opportunity to help, while building on their relationship with the team at large. Instead of just rolling out click-through training modules to meet insurance and compliance requirements, treat education like another opportunity to provide an employee benefit.

Inform employees about trending attacks and scams, so they can be aware and inform potentially vulnerable family members. Teach them about good security hygiene, not only on work systems but also on sites they’re likely to use in their daily life like social media or personal banking. Not only does this practice help keep your team safe from threats when they aren't at work, it also feeds back into organizational security by making them harder targets for attackers. It would be great if attackers took off nights and weekends, but in reality, we know they’ll go after access wherever (and through whomever) it’s available.

Sharing a few tips every week during team meetings, on team chat and at all-hands updates is also more digestible for people. It’s easier to absorb a few tips each week than resist the urge to tune out a dry, monotone hours-long training session.

This approach also improves retention. According to Hermann Ebbinghaus's research on memory and the “forgetting curve”, we forget the vast majority of newly learned information within a couple of days of learning it. However, the second iteration of reviewing that same information will increase both the percentage of information recalled, and how long it will be remembered. Regular refreshers and expansions on a topic will result in a more complete understanding and a resilient recall of the topic.

**Stronger Together**

Shifting the relationship of security from one of avoidance to one of reinforcement, safety and reliable guidance will motivate people to listen more carefully to security messaging. Greater understanding and buy-in cultivate a stronger security mindset across teams, defining security as a shared, proactive function rather than a specialized, reactive one.

Security is a collective effort, and helping your team stay safer inside and outside of work will benefit both them and the organization. By redefining security as a trusted ally rather than a dreaded email or meeting invite, we can create a more resilient and secure environment for all. Remember, when it comes to security, we are indeed stronger together!

**About the Author**

Security Strategist, Blumira

Zoe Lindsey is a security strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.

Normalizing Security Culture: Don’t Have to Get Ready If You Stay Ready

PRESS RELEASE

VIENNA, Va., Oct. 1, 2024 /PRNewswire/ -- The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today announced that Pam Lindemoen will join the organization as Chief Security Officer & VP of Strategy. In this role, she will oversee the organization's security operations, including cybersecurity and information security, while also leading strategic planning and partner engagement. With nearly 30 years of experience, Lindemoen brings a wealth of knowledge in information security, application development, and infrastructure to the organization.

"We're thrilled to welcome Pam Lindemoen to the RH-ISAC team," said Suzie Squier, president of RH-ISAC. "Her extensive experience in navigating complex regulatory environments and fostering robust security postures will be invaluable to our members. Pam's strategic vision and proven track record in developing comprehensive cybersecurity programs align perfectly with our mission to enhance the security of consumer-facing industries through collaboration."

Lindemoen's expertise spans various industries, including healthcare, technology, financial services, and manufacturing. Most recently, she served as CISO Advisor at Cisco. In this role, among other duties, she was instrumental in facilitating the CISO Leadership Development Program that RH-ISAC provided to develop talent in the industry. Lindemoen also serves on the advisory board for Cyber Florida: The Florida Center for Cybersecurity.

Lindemoen's appointment comes at a critical time for the retail and hospitality industries, which face increasing cybersecurity threats and complex regulatory requirements. Her multifaceted expertise in information security, application development, and infrastructure positions her uniquely to address the diverse challenges faced by RH-ISAC members. As CSO, Lindemoen will play a key role in shaping the organization's strategic initiatives and supporting members in their cybersecurity efforts.

Learn more about RH-ISAC and memberships at rhisac.org.

ABOUT RH-ISAC  
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org.

You May Also Like

Retail &amp; Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

Source: Kay Roxby via Alamy Stock Photo

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more\_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more\_eggs infection.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

"A spear-phishing email was initially sent from allegedly from 'John Cboins' using a Gmail address to a senior executive at the company," the researchers wrote. That email contained no attachments or URLs but instead was a social engineering ploy demonstrating "that the threat actor was attempting to gain the user's confidence," they wrote.

Soon after that communication, a recruitment officer downloaded what was supposed to be a resume, John Cboins.zip, from a URL using Google Chrome, though "it was not determined where this user obtained the URL," the researchers noted.

Further investigation of the URL revealed what appeared to be a typical website of a job applicant that even utilizes a CAPTCHA test and would not likely raise suspicions, thus capable of easily deceiving an unsuspecting recruiter into thinking he or she was corresponding with a legitimate candidate, they said.

**Same Payload, Different Nesting Methods**

Various security researchers have observed more\_eggs being used in attacks as early as 2017 against a variety of targets, including Russian financial institutions and mining firms, and other multinational organizations. As mentioned, more\_eggs is part of the Golden Chickens toolkit, which is distributed by Venom Spider, an underground MaaS provider also known as badbullzvenom, according to Trend Micro.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

While the backdoor is historically a common denominator among different threat campaigns by Venom Spider, the methods used for distributing the malware vary. Some attacks involved phishing schemes with malicious documents that contained JavaScript and PowerShell scripts, while others used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains that host malicious .zip files, the researchers noted.

Attackers also have used phishing emails to distribute .zip files disguised as images to initiate a more\_eggs infection, while a June campaign again leveraged LinkedIn to trick recruiters into accessing a fake job resume site that distributed the malware as a malicious .lnk file.

There appear to be two active campaigns currently spreading the malware that target victims who "are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain," the researchers wrote.

**Prevent Hatching of "More\_Eggs"**

Traditional anti-malware solutions should immediately detect and eliminate an infection by more\_eggs on a corporate network. However, factors such as an organization’s operational needs, human fallibility, and potential misconfigurations can pose a risk of the malware slipping past these detections, according to Trend Micro.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The advanced social engineering techniques employed — such as using a convincing website and a malicious file disguised as a resume to start the infection — underscore the critical need for organizations to maintain continuous vigilance," the researchers wrote. "It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats."

Trend Micro shared various indicators of compromise (IoCs) related to the campaigns in the post. Organizations with managed detection and response (MDR) systems in place can use them to set up custom filters and models tailored to detect a specific threat like more\_eggs that then can be fed to a security playbook to automate response to an alert, according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft.
"For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft.

"For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report.

"Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers."

Perhaps what makes it even more lucrative is that these services are provided for free. That said, the credentials harvested using the phishing sites are also exfiltrated to the operators of the PhaaS platform, a technique that Microsoft calls double theft.

PhaaS platforms have become an increasingly common way for aspiring threat actors to enter the world of cybercrime, allowing even those with little technical expertise to mount phishing attacks at scale.

Such phishing kits can be purchased off of Telegram, with dedicated channels and groups catering to each and every aspect of the attack chain, right from hosting services to sending phishing messages.

Sniper Dz is no exception in that the threat actors operate a Telegram channel with over 7,170 subscribers as of October 1, 2024. The channel was created on May 25, 2020.

Interestingly, a day after the Unit 42 report went live, the people behind the channel have enabled the auto-delete option to automatically clear all posts after one month. This likely suggests an attempt to cover up traces of their activity, although earlier messages remain intact in the chat history.

The PhaaS platform is accessible on the clearnet and requires signing up an account to "get your scams and hack tools," according to the website's home page.

A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites like X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal in English, Arabic, and French languages. The video has more than 67,000 views to date.

The Hacker News has also identified tutorial videos uploaded to YouTube that take viewers through the different steps required to download templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms like Google Blogger.

However, it's not clear if they have any connection to the developers of Sniper Dz, or if they are just customers of the service.

Sniper Dz comes with the ability to host phishing pages on its own infrastructure and provide bespoke links pointing to those pages. These sites are then hidden behind a legitimate proxy server (proxymesh\[.\]com) to prevent detection.

"The group behind Sniper Dz configures this proxy server to automatically load phishing content from its own server without direct communications," the researchers said.

"This technique can help Sniper Dz to protect its backend servers, since the victim's browser or a security crawler will see the proxy server as being responsible for loading the phishing payload."

The other option for cybercriminals is to download phishing page templates offline as HTML files and host them on their own servers. Furthermore, Sniper Dz offers additional tools to convert phishing templates to the Blogger format that could then be hosted on Blogspot domains.

The stolen credentials are ultimately displayed on an admin panel that can be accessed by logging into the clearnet site. Unit 42 said it observed a surge in phishing activity using Sniper Dz, primarily targeting web users in the U.S., starting in July 2024.

"Sniper Dz phishing pages exfiltrate victim credentials and track them through a centralized infrastructure," the researchers said. "This could be helping Sniper Dz collect victim credentials stolen by phishers who use their PhaaS platform."

The development comes as Cisco Talos revealed that attackers are abusing web pages connected to backend SMTP infrastructure, such as account creation form pages and others that trigger an email back to the user, to bypass spam filters and distribute phishing emails.

These attacks take advantage of poor input validation and sanitization prevalent on these web forms to include malicious links and text. Other campaigns conduct credential stuffing attacks against mail servers of legitimate organizations so as to gain access to email accounts and send spam.

"Many websites allow users to sign up for an account and log in to access specific features or content," Talos researcher Jaeson Schultz said. "Typically, upon successful user registration, an email is triggered back to the user to confirm the account."

"In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer's link."

It also follows the discovery of a new email phishing campaign that leverages a seemingly harmless Microsoft Excel document to propagate a fileless variant of Remcos RAT by exploiting a known security flaw (CVE-2017-0199).

"Upon opening the \[Excel\] file, OLE objects are used to trigger the download and execution of a malicious HTA application," Trellix researcher Trishaan Kalra said. "This HTA application subsequently launches a chain of PowerShell commands that culminate in the injection of a fileless Remcos RAT into a legitimate Windows process."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

**Student Management System 1.0 Insecure Cookie Handling**

Posted Sep 30, 2024

Authored by indoushka

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

tags | exploit, insecure cookie handling

SHA-256 | d658fbfc8c6a719141fdd1f2794283b78eab23b21c7970420e8965f026849eba

Download | Favorite | View

**Student Management System 1.0 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Student Management System 1.0 Insecure Cookie Handling Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] The default username is admin & The chosen password is user123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,997)
*   Arbitrary (17,113)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,047)
*   Code Execution (7,925)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,434)
*   DoS (25,304)
*   Encryption (2,395)
*   Exploit (54,342)
*   File Inclusion (4,278)
*   File Upload (1,022)
*   Firewall (822)
*   Info Disclosure (2,924)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,310)
*   Local (14,864)
*   Magazine (587)
*   Overflow (13,228)
*   Perl (1,435)
*   PHP (5,284)
*   Proof of Concept (2,413)
*   Protocol (3,751)
*   Python (1,662)
*   Remote (31,922)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,052)
*   Shell (3,308)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,738)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,133)
*   Web (10,144)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,306)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,130)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,374)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,912)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,882)
*   UNIX (9,461)
*   UnixWare (188)
*   Windows (6,780)
*   Other

Student Management System 1.0 Insecure Cookie Handling

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.
"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.

"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher Pedro Umbelino said in a report published last week.

Making matters worse, the analysis found that thousands of ATGs are exposed to the internet, making them a lucrative target for malicious actors looking to stage disruptive and destructive attacks against gas stations, hospitals, airports, military bases, and other critical infrastructure facilities.

ATGs are sensor systems designed to monitor the level of a storage tank (e.g., fuel tank) over a period of time with the goal of determining leakage and parameters. Exploitation of security flaws in such systems could therefore have serious consequences, including denial-of-service (DoS) and physical damage.

The newly discovered 11 vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity -

*   CVE-2024-45066 (CVSS score: 10.0) - OS command injection in Maglink LX
*   CVE-2024-43693 (CVSS score: 10.0) - OS command injection in Maglink LX
*   CVE-2024-43423 (CVSS score: 9.8) - Hard-coded credentials in Maglink LX4
*   CVE-2024-8310 (CVSS score: 9.8) - Authentication bypass in OPW SiteSentinel
*   CVE-2024-6981 (CVSS score: 9.8) - Authentication bypass in Proteus OEL8000
*   CVE-2024-43692 (CVSS score: 9.8) - Authentication bypass in Maglink LX
*   CVE-2024-8630 (CVSS score: 9.4) - SQL injection in Alisonic Sibylla
*   CVE-2023-41256 (CVSS score: 9.1) - Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
*   CVE-2024-41725 (CVSS score: 8.8) - Cross-site scripting (XSS) in Maglink LX
*   CVE-2024-45373 (CVSS score: 8.8) - Privilege escalation in Maglink LX4
*   CVE-2024-8497 (CVSS score: 7.5) - Arbitrary file read in Franklin TS-550

"All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access," Umbelino said. "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it."

**Flaws Discovered in OpenPLC, Riello NetMan 204, and AJCloud**

Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.

"By sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes, it is possible to write past the boundary of the allocated log\_msg buffer and corrupt the stack," Cisco Talos said. "Depending on the security precautions enabled on the host in question, further exploitation could be possible."

Another set of security holes concern the Riello NetMan 204 network communications card used in its Uninterruptible Power Supply (UPS) systems that could enable malicious actors to take over control of the UPS and even tamper with the collected log data.

*   CVE-2024-8877 - SQL injection in three API endpoints /cgi-bin/db\_datalog\_w.cgi, /cgi-bin/db\_eventlog\_w.cgi, and /cgi-bin/db\_multimetr\_w.cgi that allows for arbitrary data modification
*   CVE-2024-8878 - Unauthenticated password reset via the endpoint /recoverpassword.html that could be abused to obtain the netmanid from the device, from which the recovery code for resetting the password can be calculated

"Inputting the recovery code in '/recoverpassword.html' resets the login credentials to admin:admin," CyberDanube's Thomas Weber said, noting that this could grant the attacker the ability to hijack the device and turn it off.

Both vulnerabilities remain unpatched, necessitating that users limit access to the devices in critical environments until a fix is made available.

Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.

"A built-in P2P command, which intentionally provides arbitrary write access to a key configuration file, can be leveraged to either permanently disable cameras or facilitate remote code execution through triggering a buffer overflow," Elastic Security Labs said, stating its efforts to reach the Chinese company have been unsuccessful to date.

**CISA Warns of Continued Attacks Against OT Networks**

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged increased threats to internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.

"Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm," CISA said.

Earlier this February, the U.S. government sanctioned six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.

These attacks involved targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords.

Industrial cybersecurity company Claroty has since open-sourced two tools called PCOM2TCP and PCOMClient that allow users to extract forensics information from Unitronics-integrated HMIs/PLCs.

"PCOM2TCP, enables users to convert serial PCOM messages into TCP PCOM messages and vice versa," it said. "The second tool, called PCOMClient, enables users to connect to their Unitronics Vision/Samba series PLC, query it, and extract forensic information from the PLC."

Furthermore, Claroty has warned that the excessive deployment of remote access solutions within OT environments – anywhere between four and 16 – creates new security and operational risks for organizations.

"55% of organizations deployed four or more remote access tools that connect OT to the outside world, a worrisome percentage of companies that have expansive attack surfaces that are complex and expensive to manage," it noted.

"Engineers and asset managers should actively pursue to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or those lacking essential security features such as MFA."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process.

Thursday, September 26, 2024 14:00

The recent attacks in the Middle East triggering explosions on pagers has raised new fears around physical hardware supply chain attacks. 

In cybersecurity, we typically consider supply chain attacks to target software, in which adversaries infect a legitimate tool with a malicious, fake update that then spreads malware to affected devices. Think SolarWinds, Log4j, MOVEit, etc. 

In the case of hardware supply chain attacks, malicious actors infiltrate the supply of devices, or the physical manufacturing process of pieces of hardware and purposefully build in security flaws, faulty parts, or backdoors they know they can take advantage of in the future, such as malicious microchips on a circuit board.  

For Cisco’s part, the Cisco Trustworthy technologies program, including secure boot, Cisco Trust Anchor module (TAm), and runtime defenses give customers the confidence that the product is genuinely from Cisco. 

As I was thinking about the threat of hardware supply chain attacks, I was left wondering who, exactly, should be tasked with solving this problem. And I think I’ve decided the onus falls on several different sectors. 

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. Entering a manufacturing facility or other stops along the logistics chain would require some level of network-level manipulation, such as faking a card reader or finding a way to trick physical defenses — that’s why Cisco Talos Incident Response looks for these types of things in Purple Team exercises.  

But it’s also a question of logistics and storage. Could a device be tampered with while it’s just being stored in a warehouse awaiting shipment? What about entering the back of a tractor-trailer that’s hauling the devices? Or even just being able to sneak photos of the devices’ information, say, for example, the EID on a cellphone or its SIM card.  

The process to protect against supply chain hardware attacks is not straightforward, unfortunately. There is little synchronization and partnership between logistics, cybersecurity, and manufacturing companies.  

There are also new technologies that can protect against physical tampering, like smart containers, real-time monitoring systems and automated security checkpoints, but these are all expensive solutions for security teams (at the physical and network levels) that are already stretched for budget and human capital.  

The cybersecurity industry certainly has a role to play in addressing supply chain attacks of all kinds, but it’s also not something this community alone can solve.  

**The one big thing **

Attackers are abusing features of legitimate internet websites to transmit spam. This web infrastructure and its associated email infrastructure are otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders, according to new research from Talos.  

**Why do I care? **

As a spammer, one of the problems with spinning up your own architecture to deliver mail is that once the spam starts flowing, these sources (IPs/domains) can be blocked. Realizing this, many spammers have elected to attack webpages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited emails. Adversaries are still finding new ways to leverage preexisting tools and structures in email systems to send spam and malicious attachments that defenders wouldn’t normally consider.  

**So now what? **

There are several steps users can take to avoid receiving large amounts of spam or being duped by bad actors using “traditional” email tools. A strong password for your email account, or even better, a password manager, can keep your email account secure. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim. For admins and defenders, educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email. 

**Top security headlines of the week **

**Representatives from cybersecurity company CrowdStrike spoke to U.S. Congress this week about a faulty update that shut down Windows machines across the country earlier this year.** The incident caused disruptions across multiple industries, including commercial flights, public transportation, retail and more. Lawmakers questioned whether the affected software should have access to core systems on computers, and the threat that AI-written code could present in the future. Executives from CrowdStrike took responsibility for the outage. They said the company was doing everything possible to prevent a similar incident from happening again and executing a broad “lessons learned” process. The incident forced over 8 million Microsoft Windows machines into the dreaded “Blue Screen of Death.” For the first 24 hours of the incident, rebooting the systems only worked if the user carried out a specific process that was complicated and needed to be explained by an expert. Eventually, an automatic update rolled out and fixed the issue. (Washington Post, BBC) 

**Security researchers have discovered a new Iranian state-sponsored actor that is providing initial access for other well-known APTs in the same country.** UNC1860 is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS) and provides access to other Iranian threat actors like OilRig and Scarred Manticore. The group’s focus is reportedly solely focused on breaching networks and obtaining an initial foothold, targeting a range of sectors including government, media, education, critical infrastructure and telecommunications. Researchers say UNC1860 has teamed up for attacks targeting organizations in Iraq, Saudi Arabia and Qatar, and laid the groundwork for wiper attacks in Albania and Israel. The group’s activities had gone largely undetected thus far because their implants are entirely passive, and don’t send any information out of the target network. The APT also doesn’t rely on any kind of command and control (C2) infrastructure. (Dark Reading, SecurityWeek) 

**Popular AI chat tool ChatGPT contains a flaw that could allow adversaries to implant false “memories” and steal user data in perpetuity.** A security researcher discovered a proof of concept in which they could store false information and malicious instructions in a user’s long-term memory settings through indirect prompt injection. The researcher first reported the vulnerability to OpenAI, the creator of ChatGPT, in May, but at the time the issue was labeled as a safety issue and not a security issue, closing out the case. After developing the POC, the company eventually released a partial fix earlier this month that prevents memories from being abused as an exfiltration vector. However, an adversary could still implant long-term information into ChatGPT through prompt injections targeting the memory tool, just not through the traditional ChatGPT web interface that most users access the tool through. (Ars Technica, wunderwuzzi's blog) 

**Can’t get enough Talos? ****Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG

Are hardware supply chain attacks “cyber attacks?”

Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.

Thursday, September 26, 2024 09:00

*   Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. 
*   This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders. 
*   The breadth of different sources of spam suggests that the attackers have automated the process of initially identifying web infrastructure vulnerable to abuse. However, the complexity of executing each individual attack suggests more human involvement. 
*   Attackers are also testing credentials obtained from data breaches by credential stuffing IMAP and SMTP accounts. 

Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. 

There are many ways spammers accomplish this task: One is to abuse web pages connected to backend SMTP infrastructure, and another uses breached email/password credentials to try and log into email accounts they can use to send spam. Cisco Talos has new research that explores both styles of attack and delves into some of the tools used by spammers. 

**Web form abuse **

The HTML <form> tag was released with HTML version 2.0, nearly 30 years ago. Since then, spammers have found creative ways to abuse web forms. The lack of proper input validation left many of these forms open to manipulation by attackers. Over time, these HTML form attacks became more sophisticated, sometimes employing cross-site scripting or SQL injection. Many administrators learned the hard way that their forms were vulnerable and were forced to harden their forms as a result. However, spammers are a persistent bunch, and they look for anything they can use to facilitate malicious activities. Creative spammers have realized that \*any\* web form that triggers an email back to the user can be abused. 

**Online account registration **

Many websites allow users to sign up for an account and log in to access specific features or content. Typically, upon successful user registration, an email is triggered back to the user to confirm the account. In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link. 

An example spam message exploiting an account signup form

**Event signup **

Like account registration, many websites let users register to participate in an event. Again, poor input validation and sanitization is prevalent on many of these sites, allowing the spammers to overload the name field with text and URLs. 

An example spam message exploiting an event registration form

Contact forms sometimes send users a copy of their form responses. This could be a checkbox on the form or an automatic reply. Again, the spammers rely on poor input validation and sanitization to transmit text and URLs to the victim. 

An example spam message exploiting a web site contact form

**Google Quizzes, Calendar, Groups and other apps **

Talos previously reported on spammers abusing Google Quizzes. But that is not the only Google software that spammers have been abusing. Google Drawings, Sheets, Forms, Calendar and Groups all contain similar vulnerabilities that allow spammers to send unsolicited emails to victims. Additionally, by using a variety of Google applications, and ones that are located in different countries, they can largely avoid detection by Google. 

These messages from Google require some significant pre-attack setup. For example, to send spam from Google Quizzes, the attackers must set up a quiz and configure it correctly, then they must fill out the quiz, masquerading as the victim. Then, the attackers must log back into the Google Quiz they created to “grade” the results and send the quiz score email back to the victim. This suggests a significant human interaction on the part of the spammers. 

An example spam message sent via Google Drawings

An example spam message sent via Google Sheets

An example spam message sent via Google Forms

An example spam message sent via Google Calendar

An example spam message sent via Google Groups

Unfortunately for defenders, there is very little we can do to defend against such spam messages. Most of the emails sent by these contact forms are legitimate, so the malicious email blends in with the otherwise legitimate traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate.   

**SMTP server credential stuffing **

Have you ever wondered what cyber criminals do with all the information they’ve obtained in a data breach? If the stolen dataset contains email address usernames and passwords, then it is quite probable that those same credentials will work in other places. Trying the same set of credentials at other sites is known as “credential stuffing.”  

One of the main ways cybercriminals leverage stolen credentials is attempting to access the victim’s email. POP/IMAP servers are often juicy targets, because if an attacker can access a person’s email inbox, then they can find other accounts used by the victim, account usernames/passwords, cryptocurrency wallet keys or perhaps other lucrative, sensitive personal information. Attackers can also leverage access to the victim’s inbox to receive email-based multifactor authentication codes or password resets. 

One of the other, lesser-known ways attackers leverage stolen credentials is on the outbound side of the victim’s mailbox. If an attacker can log into the outbound smtp server as the victim, they can send out email using the victim’s email server. This provides the cybercriminal with a legitimate mail server and domain which are not likely blocked by various spam real-time blackhole lists (RBLs). 

How do cybercriminals locate mailboxes that have working credentials? Typically, the attacker will set up a personal mailbox somewhere (Yahoo, Gmail, etc.) and then send themselves test messages using the stolen credentials at the outbound SMTP server matching the email address’ domain. Some criminals have turned this into an online business by finding working SMTP server credentials and selling them to others. 

__A test email from Smart Tools Shop. The price of working SMTP server credentials is $6__

__The Smart Tools Shop interface shows the typical prices of SMTP server credentials__ 

There are also open-source tools used for these sorts of activities. Among the tools Talos sees most frequently are MadCat and MailRip, both of which are available to download and run on GitHub. 

The MadCat SMTP cracker tool found on Github

 MadCat is an open-source SMTP tool that includes credential-stuffing capabilities. The test emails can be recognized from the Subject header: “Subject: You get a new smtp”. Among some of MadCat’s advertised features is the ability to skip emails hosted by known security vendors such as Cisco. This feature is implemented rather poorly, however, because the code used to skip “dangerous emails” is simply a regular expression with words like “cisco,” “cloudflare,” “proofpoint,” etc., as if spam traps implemented by security organizations are all run out of the main corporate domain name (S_poiler alert: they are not_). 

__MailRip is another open-source tool capable of credential stuffing in outbound SMTP servers__

Another tool that Talos frequently sees performing credential stuffing is a program named MailRip. Although it contains a disclaimer that the code is not to be used “for any kind of illegal activity,” it is a tool primarily designed to facilitate checking username/password combos on IMAP servers and outbound SMTP servers. 

Besides these commercial and open-source tools, Talos also sees attackers who have “rolled their own” tools used for this activity. Typically, the Subject headers are a giveaway that the messages are test emails looking for valid SMTP accounts. However, some of the subject headers and email bodies of test messages are encoded/encrypted. Below are some of the more frequent Subject headers Talos has encountered. 

**Common Credential Stuffing Test Message Subject headers:**   
Subject: Mail Inbox Test IDF50F22   
Subject: You get a new smtp **_(from MadCat SMTP cracker tool)_**   
Subject: smtp id 2496130   
Subject: g1ukczr0iz3b6o6xsk0al0tyqy8ggr **_(encrypted/encoded Subject/Body)_**   
Subject: test   
Subject: Testing: mx.example.com   
Subject: new SMTP from MadCat checker   
Subject: Smart Tools Shop - Test SMTP ID: 1016587   
Subject: MailRip Test Result ID0BAB7A **_(from MailRip Tool)_**   
Subject: !XProad mx.example.com|2525|nywepaq@example.com|f29r21caT4. **_(from Laravel Monster Tool)_**   
Subject: SMTP Check #131085 - Jemex Shop   
Subject: TESTING RELAY!   
Subject: SMTP Check #6148 - Spyxe Shop   
Subject: Your Account ID #62363   
Subject: Mail Test Result ID0CD637.    
Subject: aloha: 127.0.0.255   
Subject: Mail Auto-Email ID86E8A6   
Subject: Mail Email Test ID23CB4D   
Subject: Mail Test Result IDD762AB   
Subject: =?utf-8?q?New\_working\_smtp\_=2350131001?=  

**Thwarting SMTP server credential stuffers **

One way Talos has tried to thwart these types of attacks is to make them believe that the actors have found a working outbound email account.  

To accomplish this, Talos has configured some of our spam traps to deliver those messages we have identified by Subject as test messages from the credential stuffers, while every other email is sent to various internal anti-spam systems for processing. Once the credential stuffers believe they have found a valid account, they typically turn on the spam firehose, which causes all the connecting IP addresses to be dinged for sending spam, which significantly affects those addresses' ability to deliver mail to the inbox. 

 The anti-spam industry has largely been successful at driving a wedge between legitimate senders and spammers, causing spammers to seek out new ways to deliver their mail.  

Rather than send directly, these spammers have chosen to try and blend in with legitimate traffic to make their spam more difficult to block.  

**Defenses **

**_Create Unique Passwords:_** People are terrible at creating and remembering good passwords. For the past several decades, even, the most popular unsafe password has been “123456”. Despite years of guidance from the security community that people should use a unique password for every website, many users will re-use the same credentials at several different sites. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim.  

**Use a password manager:** All those unique passwords you have been creating are going to be hard to remember. But avoid storing credentials in a browser. These can be stolen by attackers quite easily. A perfect tool exists for storing your passwords: a password manager. It is best to use a dedicated password manger such as KeePass, LastPass or 1Password. 

**Educate Users:** Unfortunately for defenders, there is very little we can do to defend against spam messages sent from legitimate forms. Most of the emails sent via forms are legitimate, so the malicious email blends in with the otherwise legitimate email traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate. Educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email.

Simple Mail Transfer Pirates:   How threat actors are abusing third-party infrastructure to send spam

Researchers have uncovered one of the first examples of threat actors using artificial intelligence chatbots for malware creation, in a phishing attack spreading the open source remote access Trojan.

Source: Irene R via Shutterstock

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It's one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the AsyncRAT, an easily accessible, commercial malware that can be used for controlling a victim's computer.

The researchers first noticed the behavior when investigating a suspicious email in June. It had "an unusual French email attachment" posing as an invoice, HP Wolf Security revealed in its "Threat Insights Report" (PDF) for this month. The researchers ultimately discovered a campaign that was using both scripting types — code that was not, as it usually is, obfuscated — to spread AsyncRAT.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," according to the report.

It's widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because legitimate chatbot tools have guardrails that prevent malicious use. However, security experts have known since the advent of the technology that it was only a matter of time before threat actors would find a way around those gates, and malicious chatbot development is a phenomenon on the Dark Web.

Related:Dark Reading Confidential: The CISO and the SEC

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone's inbox," according to the report.

**Investigating a Malicious Email Campaign**

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an HTML-smuggling attack; however, it didn't behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.

Related:How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys the AsyncRAT. "The VBScript writes various variables to the Windows Registry, which are reused later in the chain," according to the report.

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.

**Unpacking GenAI-Generated Scripts**

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.

"In fact, the attacker had left comments throughout the code, describing what each line does — even for simple functions," according to the report. "Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible."

Related:Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

This behavior and the scripts' structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker used GenAI to develop the scripts, according to HP Wolf Security.

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco