Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50777: Jenkins Security Advisory 2023-12-13

Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

CVE-2023-50764: Jenkins Security Advisory 2023-12-13

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-50769: Jenkins Security Advisory 2023-12-13

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-50773: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.

CVE-2023-50775: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2023-50766: Jenkins Security Advisory 2023-12-13

By Deeba Ahmed
Hidden Code, Hidden Profits - Tracked Before You Click - SDBN Takes Adobe to Court Over Alleged Illegal Tracking of Dutch Cizitens.
This is a post from HackRead.com Read the original post: Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Dutch privacy watchdog SDBN alleges that Adobe is spying on and collecting data from ‘virtually every Dutch internet user’ through the illegal placement of tracking cookies.

Dutch privacy watchdog Stichting Data Bescherming Nederland (**SDBN**) is suing Adobe for illegally tracking and sharing the personal data of millions of Dutch citizens.

For your information, SDBN is a Netherlands-based non-profit foundation striving to safeguard users’ privacy and data protection. Apart from Adobe, the organization is also actively pursuing lawsuits against Amazon and X (formerly Twitter).

Adobe, a United States-based design software company known for its creativity and multimedia software products, is accused of secretly collecting vast amounts of data from users visiting prominent websites and apps, including Dutch telecommunications company KPN, Stichting Pensioenfonds ABP (National Civil Pension Fund), and the Dutch Tax Authority.

According to SDBN, the collected data is then shared with multiple third parties without obtaining user consent. Moreover, the company allegedly used tactics like hidden tracking cookies and app SDKs to collect data.

In a press release that the organization shared with Hackread.com, users are kept in the dark about their digital footprints, and sometimes Adobe plants cookies before they can say no. These profiles are shared with other companies for targeted advertising.

This practice violates the General Data Protection Regulation (**GDPR**), putting users at risk of data exposure, identity fraud, and other privacy concerns. SDBN claims that Adobe is snooping on nearly every Dutch citizen, even those who have never used Adobe products.

> _“Via websites and apps, Adobe itself illegally collects an enormous amount of data on virtually every Dutch internet user, irrespective of whether they have ever used an Adobe product”._
> 
> SDBN

It warns that this data trade is not risk-free and could expose sensitive information and identity. They are taking Adobe to court, demanding an end to the covert tracking and compensation for millions of affected Dutch citizens.

Adobe profited financially from this unlawful data collection. Hence, SDBN filed a class action lawsuit demanding Adobe to cease illegal data collection, destroy all the illegally collected data, and disclose all parties with whom data has been shared. The lawsuit aims to stop tracking cookies on popular websites and hidden code in apps like Marktplaats and Buienradar. 

SDBN also demands justice for an estimated seven million Dutch citizens whose data was shared, demanding Adobe to remove every illegally collected data and give impacted users compensation for the privacy invasion. 

Dutch internet users can join the fight by signing up for a free mass claim on SDBN’s website. If a Dutch internet user has visited the aforementioned websites or used the listed apps, they may be eligible to join the lawsuit and claim compensation.

SDBN’s chairperson Anouk Ruhaak, stated that the design software vendor’s involvement in mass data collection and trading is surprising.

“While Adobe is primarily recognized as a design software supplier, what’s surprising is its simultaneous involvement in the digital personal data market – tracking your online activities. Have you made online Christmas purchases? Well, Adobe likely has a detailed record of what you browsed and where you bought your Christmas stockings or perfume.”

SDBN also shared a list of websites and apps which it claims are used by Adobe to track users. These included the following sites:

*   Abp.nl
*   Albelli.nl
*   Bruna.nl
*   Douglas.nl
*   Expedia.nl
*   Gamma.nl
*   Karwei.nl
*   ketnet.be
*   Kijk.nl
*   Kpn.com
*   Kwf.nl
*   Tui.nl
*   Unibet.nl
*   Unive.nl
*   Wsj.com
*   Footlocker.nl
*   Hallmark.com
*   Beterhoren.nl
*   Belastingdienst.nl

****Examples of mobile apps (iOS and Android) that allegedly contain Adobe tracking software include:****

*   Asos
*   RTL XL
*   MijnKPN
*   Ziggo GO
*   Buienradar
*   Marktplaats
*   PlayStation
*   TomTom Go Navigation
*   Essent Verbruiksmanager

****_RELATED ARTICLES_****

1.  **Canada Bans WeChat and Kaspersky Due to Spying Concerns**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **$4 billion lawsuit claims Google tracked iPhone users’ activities**
4.  **Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews**
5.  **Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit**

Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Threat actors are increasingly placing malicious ads for Zoom within Google searches.

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

*   Case #1 is about a new loader which we have not seen mentioned publicly before called **_HiroshimaNukes_**. It drops an additional payload designed to steal user data.
*   Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called **_Hunting panel 1.40_**. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

**Advertiser profiles**

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

**Cloaking via new services**

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

*   aksdquwrqr\[.\]onelink\[.\]me
*   ntcrgfmmc3\[.\]onelink\[.\]me
*   169-zoona32\[.\]onelink\[.\]me
*   zoromonm\[.\]onelink\[.\]me
*   notetrest\[.\]onelink\[.\]me
*   putin-777\[.\]onelink\[.\]me
*   zoomus\[.\]onelink\[.\]me
*   mmozl\[.\]onelink\[.\]me
*   arnold\[.\]onelink\[.\]me
*   desktop-client\[.\]onelink\[.\]me
*   slovo-pacana\[.\]onelink\[.\]me
*   l\[.\]hyros\[.\]com/c8KqPHYKdt

Ad and redirection mechanism

**Case #1: HiroshimaNukes**

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

**Distribution**

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at _zoommaster\[.\]life_ that checks the IP address of the visitor and performs a redirect to _zoom.us_ (legitimate) site or _zoom-us\[.\]tech_ (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called _ZoomInstaller.zip_ which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _\_Zoom.exe_ file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

**DLL side-loading**

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _\_Zoom.exe_ side-loads _librcrypto-3-zm.dll_:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (_ffmpeg.dll_). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\\Projects\\General\\HiroshimaNukesDropper\\V2\\Dll\\x64\\Release\\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (_zoom\_crypted.exe_) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\\Local Storage\\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\\Local Storage\\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\\Local Storage\\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\\Local Storage\\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\\Client\\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

**Case #2: FakeBat and Hunting panel**

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

**Distribution**

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is **zoom.us** (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search

Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the _ms-appinstaller_ URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

**Malware payload**

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

**Panel and API**

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api\[.\]huntingpanel\[.\]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

**Protection**

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

**Acknowledgements**

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

**Indicators of Compromise**

**Case #1 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

zoom-us\[.\]tech

Download URL

zoom-us\[.\]tech/ZoomInstaller.zip

Fake Zoom archive (ZoomInstaller.zip)

fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762

Malicious DLL (libcrypto-3-zm.dll)

30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

Stealer payload

5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

Stealer C2

94.131.110\[.\]127

**Case #2 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

z00nn.one-platform-to-connect\[.\]group

Fake Zoom site

info-zoomapp\[.\]com

Fake Zoom site

zoomnewsonly\[.\]site

Fake Zoom site

zoonn\[.\]virtual-meetings\[.\]cn\[.\]com

Fake Zoom site

promoapp-zoom\[.\]com

Download URL

youstorys\[.\]com/fonts/Zoom-x64.msix

Download URL

windows-rars\[.\]shop/bootstrap/Zoom-x64.msix

Download URL

scheta\[.\]site/apps.store/ZoomInstaller.msix

Installer (Zoom-x64.msix)

dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893

Installer (Zoom-x64.msix)

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Installer (ZoomInstaller.msix)

462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c

Encrypted payload URL

winkos\[.\]net/ld/zm.tar.gpg

FakeBat C2

2311foreign\[.\]xyz

 Malvertisers zoom in on cryptocurrencies and initial access 

PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: PDF24 Creator (geek Software GmbH)  
  vulnerable version: <=11.15.1  
       fixed version: 11.15.2  
          CVE number: CVE-2023-49147  
              impact: High  
            homepage: https://tools.pdf24.org/en/creator/  
               found: 2023-10-16  
                  by: Lukas Donaubauer (Office Munich)  
                      Mario Keck (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,  
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for  
many PDF problems, online and as software for download. Solutions include the  
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
The configuration of the PDF24 Creator MSI installer file was found to  
produce a visible cmd.exe window running as the SYSTEM user when using  
the repair function of msiexec.exe. This allows a local attacker to use  
a chain of actions, to open a fully functional cmd.exe with the privileges  
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set to the default browser.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.  
Afterwards, any low-privileged user can run the following command to start the  
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets  
called with SYSTEM privileges and performs a write action on the file  
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply  
setting an oplock on the file as soon as it gets read. To do that, one can use the  
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe  
is executed doesn't close. The attacker can then perform the following actions to  
spawn a SYSTEM shell:  
- right click on the top bar of the cmd window  
- click on properties  
- under options click on the "Legacyconsolemode" link  
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)  
- in the opened browser window press the key combination CTRL+o  
- type cmd.exe in the top bar and press Enter

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)  
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is  
also affected by the vulnerability.

The tests were conducted on an up to date Windows 10 system.

Vendor contact timeline:  
------------------------  
2023-10-20: Contacting vendor through team@pdf24.org; no response.  
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org  
             No response.  
2023-11-17: Requesting CVE number  
2023-11-23: Received CVE number  
2023-11-27: Sending vendor CVE number and setting preliminary deadline for  
             advisory release (11th December)  
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.  
2023-11-28: Vendor response, seems our emails ended up in spam.  
             Sending advisory unencrypted upon vendor request.  
2023-12-04: Asking for a status update. Further questions from vendor.  
             Providing more details, clarification regarding Windows 11, browser  
             usage and recommendation for fix.  
2023-12-08: Vendor releases fixed version 11.15.2.  
2023-12-11: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version 11.15.2 which can be downloaded from the  
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:  
https://creator.pdf24.org/changelog/en.html

Workaround:  
-----------  
Use the available EXE installer.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023

PDF24 Creator 11.15.1 Local Privilege Escalation

Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-8 watchOS 10.2

watchOS 10.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214041.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

ExtensionKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3quQACgkQX+5d1TXa  
IvoPPhAAgReQjt/dYzFqQbyMQQPLK1iDWh9s0M+PbHz5x+eS6vSX/OpkLNFy6MC1  
kHQI1EaV37/3sRqko8eX+f/deKqPi59tSV3BALedLV2v8F+4ioXIzsyGWsSYzor4  
U1l4h7fNA64060MR35dlvYnB2FsNnyVI6hlhEyfEEZXVMX4cX0KX5l5a7m/wKmQK  
tpDOak7WVEIj5aLk/e0IQBjpOJW8c2Moa8PTtERr1jJsp+PVrXNu9zZfHWhsCn02  
KPa26RRDtiru7KpXlRy2vzOQeCgJmRZH1CKVWKSiLEjTZnKWM1IF1LTYBJalDGbS  
nOvV6BcVD4rdbbi4cYlPic+Z65YKw+ctW0bNAgnim8RyOF28VNQX8DOcYKZnyqPS  
jYLG5rAq0oKtJztwDkIKc2nc0FrxZzV3f4QwTaFWbVzN0koYJJpVKDs5GgGQ/2MG  
4MtuxRuK2j5eibLInW33K58XCVpAidhiU5YaeIG5dbzf0YKXsUmKImmXap5SKnSe  
fwf6kEFR7keGiu8tlEOnBonDIOhFyWeiK785WhxdwrWMJNHQUegTTYItNrtrzaZr  
Q/lDfMQ9/1L38Jj/OuR1WSdBpDKmT9jepE2mLZb4fQasALJlGh9g1uFTaTl883QG  
uADzZx+TIGO2RIlMGPxwwr4+I2kpi1x/amwRjzCzvwr9+nQDyyk=  
=MttV  
-----END PGP SIGNATURE-----

Tag

#web