Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-33

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Advantech R-SeeNet v2.4.23

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**Thank You**

Thank you for your interest in Tenable Cloud Security. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-5642: Advantech R-SeeNet snmpmon.ini Unauthenticated Read Write

The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.

North Korea's Kimsuky advanced persistent threat (APT) continues to evolve its attack methods and grow in sophistication, expanding its ability to control victims' systems with the use of legitimate system remote-desktop tools and novel custom malware in its latest attacks.

The threat group — one of several that work at the behest of North Korean Supreme Leader Kim Jong-Un — recently has been spotted abusing Remote Desktop Protocol (RDP) and other tools that allow it to remotely take over targeted systems, even installing open source software to an environment if RDP is not present, researchers from South Korea's AhnLab revealed in a blog post Oct. 18.

"The Kimsuky threat group is continuously abusing RDP to obtain control over infected systems and exfiltrate information," according to the post by the AhnLab Security Response Center. "RDP can also be used in the initial access process using brute force and dictionary attacks, or during lateral movement."

Kimsuky, active since 2013 to commit cyber espionage on the behalf of Jong-Un's regime, is also evolving tactics beyond this protocol to gain remote control of compromised desktop systems in recent attacks, according to the researchers.

In addition to RDP abuse, the group is wielding the open-source virtual network computing (VNC) tool TightVNC, which is similar to RDP in that it's a screen-sharing system for remote control of other computers. In some cases, the group even tapped Chrome Remote Desktop, which is supported by the Google Chrome browser, to control infected systems, the researchers said.

**Malware Mix**

Overall, recent attacks show Kimsuky continuing to use spear phishing as its initial method of access to compromise systems with BabyShark, its oft-used custom malware for persistence and the collection of system info, before attackers move on to installing other custom-built and open source malware.

The group also has added new post-compromise malware to its arsenal, leveraging RevClient to send commands from its command-and-control (C2) server to add user accounts to a victim's system, and public malware TinyNuke, a banking Trojan.

As is typical, the ultimate goal after gaining control of systems is to steal internal information and technology from its targets, which are typically research, defense, diplomatic, and academic sectors in South Korea but also other countries that demonstrate a political or strategic interest for the regime.

**Multiple-Session RDP**

One particularly interesting bit of novel RDP functionality that Kimsuky has been seen wielding recently is the ability to support multiple sessions of RDP on a Windows system — something that Windows desktop OS natively does not allow.

"Ordinarily in Windows desktop environments, only one session is supported when connecting via RDP, unlike servers," according to the post. "As only one session is supported for one system, even if the user accounts are different, when the threat actor remotely connects to a system, the existing user's session is terminated."

In previous attacks, Kimsuky used Mimikatz and other malware to patch the memory of the currently running RDP service process to bypass the single-session limit. However, in recent attacks, the group now is using malware named "multiple.exe" to support multiple-session RDP, as well as to add user accounts for further control.

The novel malware RevClient that the group deploys in recent attacks also has features similar to "multiple.exe" but executes multiple-session capability in a different way, according to the researchers. Kimsuky also is leveraging RevClient to receive commands from C2 to perform user account-related tasks as part of its overall control of a compromised system.

**Defending Against RDP Abuse**

With lines beginning to blur between Kimsuky and other North Korea-sponsored groups like Lazarus as they organize and align to share tools and tactics, it's important that organizations do what they can to protect themselves against these evolving threats, according to AhnLab.

RDP is an especially sensitive attack surface because it's one of the services that come pre-installed in Windows systems, demanding adequate management to detect or prevent such incidents of compromise.

To do this, users should refrain from opening attachments on suspicious emails or when installing external software and instead only purchase or download them from official websites, the researchers noted. Desktop users also should set complex passwords for their accounts and change them periodically to diminish chances that they can be brute-forced.

Updating to the latest and most secure versions of the Windows OS and employing endpoint security products as well as sandbox-based APT solutions can also help protect systems against cyberattacks.

North Korea's Kimsuky Doubles Down on Remote Desktop Control

Categories: Threat Intelligence
Tags: malvertising

Tags: keepass

Tags: punycode

Tags: malware

Tags: ads

Tags: google

Threat actors are doubling down on brand impersonation by using lookalike domain names.



(Read more...)




The post Clever malvertising attack uses Punycode to look like KeePass's official website appeared first on Malwarebytes Labs.

Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager which was extremely deceiving. We previously reported on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.

The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two sites is visually so subtle it will undoubtably fool many people.

We have reported this incident to Google but would like to warn users that the ad is still currently running.

**Malicious ad for KeePass**

The malicious advert shows up when you perform a Google search for 'keepass', the popular open-source password manager. The ad is extremely deceiving as it features the official Keepass logo, URL and is featured before the organic search result for the legitimate website.

By simply looking at the ad, you would have no idea that it is malicious. 

_Figure 1: Malicious ad for KeePass followed by legitimate organic search result_

People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim. The threat actors have set up a temporary domain at keepasstacking\[.\]site that performs the conditional redirect to the final destion:

_Figure 2: Network traffic showing the sequence of redirects upon clicking the ad_

**ķeepass.info**

Looking at the network traffic log above, we can see that the destination site uses Punycode, a special encoding to convert Unicode characters to ASCII. The deception is complete for users who may want to verify that they are on the right website.

_Figure 3: The fake KeePass site with a barely noticeable different font_

While it is barely noticeable, there is a small character under the 'k'. We can confirm it by converting the internationalized domain name _xn--eepass-vbb\[.\]info_ to _ķeepass\[.\]info_:

_Figure 4: Converting Punycode to ASCII_

**Decoy site links to malicious download**

While the decoy site is not an exact replica of the real one, it still looks very convincing:

_Figure 5: Comparing the legitimate site (left) with the fake one (right)_

Victims wanting to download KeePass will retrieve a malicious .msix installer that is digitally signed:

_Figure 6: The malicious MSIX installer showing a valid digital signature_

Extracting the installer's content reveals malicious PowerShell code that belongs to the FakeBat malware family:

_Figure 7: The contents of the MSIX installer_

This script communicates with the malware's command and control server to advertise the new victim before downloading a payload that sets the stage for future recon by human threat actors.

_Figure 8: Process view showing execution of the MSIX installer_

**A more sophisticated threat**

While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising. Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain.

As we have noted recently, malvertising via search engines is getting more sophisticated. For end users this means that it has become very important to pay close attention where you download programs from and where you should avoid them. In a business environment, we recommend IT admins provide internal repositories where employees can retrieve software installers safely.

**Indicators of Compromise**

Ad domain/redirect

keepasstacking\[.\]site

Fake KeePass site

xn--eepass-vbb\[.\]info

Malicious KeePass download URL

xn--eepass-vbb\[.\]info/download/KeePass-2.55-Setup.msix

Malicious KeePass installer

181626fdcff9e8c63bb6e4c601cf7c71e47ae5836632db49f1df827519b01aaa

Malware C2

756-ads-info\[.\]xyz

Payload

refreshmet\[.\]com/Package.tar.gpg

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Clever malvertising attack uses Punycode to look like KeePass's official website

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.3 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Responsive Image Gallery, Gallery Album Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 3 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45630: WordPress Gallery – Image and Video Gallery with Thumbnails  plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado SpiderVPlayer plugin <= 1.5.22 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Elliot for reporting this vulnerability. Buy a coffee ☕

Elliot discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Video Player Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45632: WordPress SpiderVPlayer plugin <= 1.5.22 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in QROkes QR Twitter Widget plugin <= 0.2.3 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress QR Twitter Widget Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45628: WordPress QR Twitter Widget plugin <= 0.2.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Hector Cabrera WordPress Popular Posts plugin <= 6.3.2 versions.

**Solution**

 Fixed

Update the WordPress WordPress Popular Posts plugin to the latest available version (at least 6.3.3).

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WordPress Popular Posts Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.3.3.

**Other vulnerabilities in this plugin**

 0 present

 6 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45607: WordPress Popular Posts plugin <= 6.3.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Scott Reilly Get Custom Field Values plugin <= 4.0.1 versions.

**Solution**

 Fixed

Update the WordPress Get Custom Field Values plugin to the latest available version (at least 4.1).

Satoo Nakano discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Get Custom Field Values Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.1.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45604: WordPress Get Custom Field Values plugin <= 4.0.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Shopfiles Ltd Ebook Store plugin <= 5.785 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Ebook Store Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45602: WordPress Ebook Store plugin <= 5.785 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Theme Blvd Tweeple plugin <= 0.9.5 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Elliot for reporting this vulnerability. Buy a coffee ☕

Elliot discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Tweeple Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web