Some router models have identified a security vulnerability that allows attackers to bypass authentication.
To exploit this vulnerability, an attacker must know the WiFi password or have an Ethernet connection to a device on the victim’s network.Β
Firmware updates that address this vulnerability are available for the following routers: RAX35 (version 1.0.6.106), RAX38 (version 1.0.6.106), and RAX40 (version 1.0.6.106).
It is strongly recommended that users download and install the latest firmware update as soon as possible.Β
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
The document details an authentication bypass vulnerability in a NETGEAR product and emphasizes the crucial importance of completing all the recommended steps to patch the vulnerability.Β
Failing to do so might expose your system, and NETGEAR is not responsible for any avoidable consequences.
This is only informational and does not carry any guarantees, as NETGEAR reserves the right to update the information as needed.
A critical vulnerability has been identified with a CVSS score of 8.4, which indicates a high-severity issue that can be exploited remotely (Attack Vector: Low) without complex actions by an attacker (Attack Complexity: Low).Β
No special privileges are required (Privileges Required: None), and no user interaction is needed (User Interaction: None).
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
The vulnerability allows an attacker to compromise the affected system’s confidentiality, integrity, and availability (Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High).Β
NETGEAR recommends updating devices with the most recent firmware to implement security patches, bug fixes, and new features.Β
For NETGEAR app-supported devices, update the firmware through the corresponding app: the Orbi app for Orbi products, the Nighthawk app for NETGEAR WiFi routers, and the Insight app for some NETGEAR Business products (requires an Insight subscription).
For manual update instructions for unsupported devices, refer to the user manual, firmware release notes, or product support page.Β
The document underwent two revisions recently, as on April 15th, an advisory containing security recommendations was published.
Subsequently, on April 21st, the document was updated to acknowledge contributions from relevant parties, likely addressing collaborators, reviewers, or external sources that were not previously credited.Β
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo
Hackers often target CrushFTP servers as they contain sensitive data and are used for file sharing and storage.
This makes them attractive targets for data theft and ransomware attacks for the threat actors.
Besides this, the vulnerabilities in CrushFTP servers can be exploited to gain unauthorized access to networks or distribute malware to connected systems.
Silent Push researchers recently identified that on April 19th, CrushFTP disclosed a critical zero-day vulnerability tracked as CVE-2024-4040 with a CVSS score of 9.8 in versions before 10.7.1/11.1.0.Β
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
Technical Analysis
The unauthenticated exploit allows escaping the Virtual File System via the WebInterface, gaining admin access and remote code execution capabilities.
CrushFTP urged immediate upgrades, even for DMZ deployments.
Researchers monitored the vulnerability, populating data feeds with vulnerable domains, IPs hosting the service, and infrastructure actively exploiting CVE-2024-4040 for early detection.
Silent Push conducts daily internet-wide scans that help categorize the data using SPQL to locate the associated infrastructure and content.Β
Leveraging the CVE-2024-4040 information, queries identified exploitable internet-exposed CrushFTP web interfaces.
The resulting vulnerable domains and IPs were clustered into two Bulk Data Feeds for enterprise customers to analyze the affected infrastructure.
Here below, we have mentioned those two Bulk Data Feeds:-
CrushFTP Vulnerable Domains
CrushFTP Vulnerable IPs
SPQL, at its core, is a tool of analysis for DNS data that spans over 90 categories. The map shows where CrushFTP interfaces are vulnerable to CVE-2024-4040 on a global scale.
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
While most are in the US and Canada, many can be found across Europe as well as throughout:-
South America
Russia
Asia
Australia
This helps potential targets understand how big this issue really is, and it gives security professionals an idea of what they are up against.
Enterprise users can download raw data, as well as export bulk data feeds in the form of API endpoints that list CrushFTP domains and IPs that are susceptible to attacks.Β
With this information, security teams can identify weaknesses within their networks and inform risk-scoring systems used to evaluate outside dangers.
Meanwhile, a feed for early detection can track intrusion attempts in real time while simultaneously logging infrastructure related to those attempts so that it can be automatically blocked.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo
DDoS attacks are a significant and growing risk that can overpower websites, crash servers, and block out authorized users with never-ending waves of offensive traffic.
More than 13 million DDoS attacks were recorded in 2023 alone, which reveals the real danger of unmitigated attacks.Β
NetScout researchers recently discovered that threat actors executed 13,142,840 DDoS attacks targeted at organizations around the globe.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
Technical Analysis
The outcomes are not limited to inconveniences alone. They bring all activities to a standstill, which involves critical services and consequently risks lives.
Also, businesses undergo financial losses coupled with losing customers’ trust as network operators face continuous storms that lead to security exhaustion.Β
If these establishments do not have adequate safeguards in place, their only choice is to respond aimlessly when it’s already too late.
Such moves may cause even greater harm while achieving no tangible results.
However, researchers urged that instead of reacting to hostile attacks at the eleventh hour, it is much better to be armed with the right information and protection tools in advance.Β
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
For this reason, predictive and real-time threat intelligence that comes with advanced DDoS protection should be used to identify threats before they affect infrastructure.
Moreover, this allows immediate automated attack mitigation to reduce downtime by ensuring the continuity of operation for enterprises and the uninterrupted availability of vital services.Β
Converting reactive security into a proactive one enables businesses or organizations to plan strategically and ensures their security online against any threat to keep their systems protected.
Being aware of the changing threat environment is essential for predictive DDoS defense.
Recommendations
Here below, we have mentioned all the recommendations that will help in defending the DDoS attacks:-
Implement DDoS mitigation solutions
Regularly update and patch systems
Make sure to implement web application firewalls (WAFs)
Conduct regular security assessments
Develop and test incident response plans
Implement rate-limiting and traffic filtering
Use content delivery networks (CDNs)
Educate employees on security best practices
Collaborate with security professionals and law enforcement
Consistently implement redundancy and load balancing.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo
In today’s digital world, where connectivity is rules all, endpoints serve as the gateway to a businessβs digital kingdom. And because of this, endpoints are one of hackers’ favorite targets.
According to the IDC, 70% of successful breaches start at the endpoint. Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT
Fake browser updates are being used to push a previously undocumented Android malware called Brokewell.
“Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware,” Dutch security firm ThreatFabric said in an analysis published Thursday.
The malware is said to be in active development,
Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in
Hackers have leveraged an old Microsoft Office vulnerability, CVE-2017-8570, to deploy the notorious Cobalt Strike Beacon, targeting systems in Ukraine.
It has been closely monitoring the situation and has successfully detected all stages of the attack.
The attack begins with the exploitation of CVE-2017-8570, a vulnerability first identified in 2017.
This vulnerability allows attackers to execute arbitrary code via specially crafted files, making it a potent tool for initial access.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
The attackers used a malicious PPSX (PowerPoint Slideshow) file, masquerading as an old US Army instruction manual for mine-clearing tank blades.
The file was cleverly designed to bypass traditional security measures.
It included a remote relationship to an external OLE object, utilizing a “script:” prefix before an HTTPS URL to conceal the payload, avoid on-disk storage, and complicate analysis.
This technique highlights the attackers’ sophistication and focus on stealth and persistence.
Deep Instinct Threat Lab has played a crucial role in uncovering and analyzing this cyberattack.
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Despite the detailed analysis, the operation could not be attributed to any known threat actor.
This lack of attribution adds complexity to the defense against these attacks, as understanding the adversary is critical to predicting and mitigating their tactics and techniques.
Cobalt Strike Beacon: Custom Loader
Central to this campaign is using a custom loader for the Cobalt Strike Beacon, a popular tool among cyber attackers due to its powerful command-and-control (C&C) capabilities and flexibility in deploying further payloads.
The Cobalt Strike Beacon used in this attack was configured to communicate with a C&C server, cleverly disguised as a popular photography website but hosted under suspicious conditions.
The Beacon’s configuration included a cracked version of the software, indicated by a license_id of 0, and detailed instructions for C&C communications, including the domain name, URI, and public key for encrypted exchanges.
This setup not only facilitates robust control over the compromised systems but also complicates defenders’ efforts to intercept or disrupt communication.
Their technology has successfully detected all stages of the attack, from the initial document delivery to the execution of the Cobalt Strike Beacon.
This comprehensive detection capability is critical in a landscape where attackers constantly evolve their methods to evade detection.
Implications and Recommendations
This attack underscores the importance of vigilance and advanced detection capabilities in the cybersecurity domain.
Organizations are advised to update their systems regularly to patch known vulnerabilities like CVE-2017-8570.
Employ advanced threat detection solutions to identify and mitigate sophisticated threats, such as those posed by custom Cobalt Strike loaders.
As the situation develops, it remains crucial for cybersecurity communities to share information and collaborate on defense strategies, ensuring that they stay one step ahead of cyber adversaries.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo
In a historic move, Microsoft has made the source code for MS-DOS 4.0, one of the most influential operating systems of all time, publicly available on GitHub.
This decision marks a significant milestone in the company’s commitment to open-source software and preserving computing history.
“Today, we are thrilled to release the source code for MS-DOS 4.0 under the MIT license, fostering a spirit of open innovation,” said a Microsoft spokesperson. “This operating system’s 8086 assembly code, written over 45 years ago, is a remarkable testament to the ingenuity and dedication of our predecessors.”
The Legacy of MS-DOS
MS-DOS, short for Microsoft Disk Operating System, was the dominant operating system for personal computers throughout the 1980s and early 1990s.
Developed by Microsoft and first released in 1981, MS-DOS provided a command-line interface that allowed users to interact with their computers and run applications.
Despite its simplicity, MS-DOS played a crucial role in the personal computer revolution, enabling the widespread adoption of home and office computing.
It served as the foundation for many popular software applications and games, shaping the early days of the software industry.
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
The Significance of the MS-DOS 4.0 Source Code Release
The release of the MS-DOS 4.0 source code is significant for several reasons:
Historical Preservation: By making the source code publicly available, Microsoft is ensuring that an important piece of computing history is preserved for future generations to study and learn from.
Educational Value: Aspiring programmers and computer science students can now study the inner workings of a classic operating system, gaining valuable insights into low-level programming, memory management, and system architecture.
Community Engagement: The open-source community can now contribute to the MS-DOS 4.0 codebase, potentially improving it, adding new features, or porting it to new platforms.
By releasing the MS-DOS 4.0 source code, Microsoft is embracing open-source principles and ensuring that this important piece of computing history is preserved for future generations.
The source code, now available on GitHub, provides a valuable resource for researchers, historians, and enthusiasts alike, allowing them to study and understand the inner workings of this iconic operating system.
Microsoft’s decision to open source MS-DOS 4.0 aligns with the company’s broader efforts to promote transparency and collaboration within the tech community. By making the source code publicly accessible, Microsoft encourages developers, researchers, and hobbyists to explore, learn from, and potentially build upon this historic codebase.
The release of the MS-DOS 4.0 source code on GitHub, a popular platform for open-source software development, presents exciting opportunities for collaboration and community engagement.
Developers and enthusiasts worldwide can now contribute to the project, propose improvements, fix bugs, or even create new applications based on the original codebase.
This move by Microsoft celebrates the company’s rich technological heritage and demonstrates its commitment to fostering open-source communities and encouraging innovation through shared knowledge and collaboration.
The release of the MS-DOS 4.0 source code is a significant milestone in preserving computing history and a testament to Microsoft’s embrace of open-source principles.
By making this iconic operating system’s source code publicly available, Microsoft is ensuring that MS-DOS’s legacy lives on, inspiring future generations of developers and researchers while promoting transparency and collaboration within the tech community.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach -Β Download Free Guide
A new attack campaign has been discovered to be employed by the FROZEN#SHADOW, which utilized SSLoad malware for its operations and Cobalt Strike Implants to pivot and take over the entire network.
In addition, the threat actors also used Remote Monitoring and management) software like ScreenConnect RMM for further control.
SSLoad is a well-designed malware that can stealthily infiltrate the systems, gather sensitive information, and exfiltrate the collected information back to the malware operators.
Moreover, the malware also leverages multiple backdoors and payloads to evade detection and maintain persistence.
Technical Analysis
This new attack campaign starts with a traditional phishing email containing a malicious link.
When users visit this link, it redirects them to mmtixmm[.]org URL to another download site where a JavaScript file is downloaded to the victim machine.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach -Β Download Free Guide
If this JavaScript file is manually executed, it performs several operations that will download and execute further payloads on the victim machine.
The targeting of these phishing email campaigns appears to be random, as the victims were in multiple countries, including Asia, Europe, and the Americas.Β
Further investigations on the malware revealed that the attack takes place in different stages as follows:
Stage 1: Initial Execution – JavaScript
Stage 2: MSI File Execution
Stage 3: Malware Execution
Stage 4: Cobalt Strike Execution
Stage 5: RMM Software & Lateral Movement
Stage 1: Initial Execution – JavaScript
This initial stage involves the manual execution of the JavaScript file.
On analyzing the JS file out_czlrh.js, it was discovered that it consisted of 97.6% commented code with random characters to obfuscate the file.
However, removing the commented code revealed a crystal clear JS code that did not have any kind of obfuscation.
On analyzing the JS code, it was observed that the JS file performs multiple operations which starts with creating instances of ActiveXObject for WScript.Network and Scripting.FileSystemObject.
After this, the JS code, which contains “GetObject(βwinmgmts:\\\\.\\root\\cimv2β),β tries to access WMI Object for simple command line operations.
In addition, the code also sets up variables to manage the number of connection attempts and gather the connection status of a network share.
Further, the script also maps all the available drives to a network share located at \\wireoneinternet[.]info@80\share\.
The JS code also executes the “net use” command via WMI to map the network drive correctly.
After this, there is a three-second wait, after which it again runs the same command to confirm the mapping of the network drive.
Once all these steps are successfully completed, the script constructs a command to install an MSI package (slack.msi) from the mapped network drive using msiexec.exe.
Stage 2: MSI Execution
This slack.msi file is similar to the BazarBackdoor, often used by the TrickBot malware gang.
The malware was capable of filtrating networks and deploying additional payloads. However, after executing this slack.msi file, the malware communicates with multiple domains
wireoneinternet[.]info
skinnyjeanso[.]com
titnovacrion[.]top
Maramaravilha[.]com
globalsolutionunlimitedltd[.]com
Moreover, only after this is the SSLoad malware downloaded and executed.
The payloads of the SSLoad consist of a semi-randomly named DLL file, which is located in \%APPDATA%\local\digistamp\mbae-api-na.dll.
This DLL is, however, executed by Rundll32.exe, after which the DLL copies itself to %APPDATA%\Custom_update\.Β
Stage 3: Malware Execution
In addition to the previous stage, the execution of the rundll32.exe command will also begin communication with two preconfigured C2 servers which are hxxps://skinnyjeanso[.]com/live/ and to hxxps://titnovacrion[.]top/live/. Following this, the malware begins to collect the system and user data for local host as well as the domain related information using following cmd.exe commands.
exe /c ipconfig /all
exe /c systeminfo
exe /c nltest /domain_trusts
exe /c nltest /domain_trusts /all_trusts
exe /c net view /all /domain
exe /c net view /all
exe /c net group βdomain adminsβ /domain
exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
exe /c net config workstation
exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed
exe /c whoami /groups
These collected information are then sent to the C2 servers via HTTPS connections. Once the threat actors receive this information from the infected system, they begin to execute some manual commands after confirming that the information is from a legitimate server and not from a honeypot. The manual commands executed by the threat actors are as follows:
exe -c β[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding(βutf-8β); cd c:\; powershellβ
exe /groups
exe group βdomain adminsβ /dom
exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
These commands were executed to manipulate and prob the server environment for the next stage of malware activities.
Stage 4: Cobalt Strike Beacon
This stage of the malware involves deploying the Cobalt Strike beacon on the systems after executing the manual commands.
Once this beacon is deployed, it becomes the primary means of communication for the C2. However, this beacon is dropped and executed via the following rundll32.exe command.
Additionally, the threat actors also used this Cobalt Strike to download and install a ScreenConnect RMM software instance on the victim system using the following commands:
exe /c whoami /groups
exe /c wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
Every single compromised system is controlled with the ScreenConnect RMM Software so as to maintain complete control on the system.
However, After this, the Lateral movement takes place by harvesting the credentials and other critical system details.
The enumeration of the environment is done using multiple PowerShell commands such as Invoke-ShareFinder, Find-DomainShare, and Get-DomainFileServer PowerShell commandlets.
The credential extraction is performed through which they can also obtain a domain admin account NTLM hash.Β
Indicators Of Compromise
C2 Address
85.239.54[.]190
23.159.160[.]88
23.95.209[.]148
45.95.11[.]134
bjSdg0.pintaexoticfashion.co[.]in
l1-03.winupdate.us[.]to
23-95-209-148-host.colocrossing[.]com:443
mmtixmm[.]org
wireoneinternet[.]info
skinnyjeanso[.]com
titnovacrion[.]top
simplyfitphilly[.]com
kasnackamarch[.]info
sokingscrosshotel[.]com
danteshpk[.]com
stratimasesstr[.]com
winarkamaps[.]com
globalsolutionunlimitedltd[.]com
maramaravilha[.]com
krd6[.]com
hxxps://t0talwar.screenconnect[.]com
Furthermore, a complete list of files/hashes used for this attack campaign can be found here.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security AwarenessΒ Training -> Try Free DemoΒ
Palo Alto Networks has issued urgent remediation advice after discovering a critical vulnerability, designated CVE-2024-3400, which threat actors have exploited to gain unauthorized access to several firewall products.
The cybersecurity giant has outlined detailed steps for organizations to mitigate the risks associated with this breach and secure their networks against further attacks.
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach - Download Free Guide
CVE-2024-3400 is a severe security flaw affecting specific versions of Palo Alto Networks’ firewall operating system, PAN-OS.
The vulnerability allows threat actors to execute commands interactively, potentially leading to unauthorized data access, system manipulation, and the introduction of malicious code.
This vulnerability’s exploitability has made it a prime target for cybercriminals, emphasizing the need for immediate and decisive action from affected organizations.
Investigations have revealed that the exploitation of CVE-2024-3400 involves sophisticated threat actors who have managed to install backdoors and execute arbitrary commands on compromised devices.
This level of access could enable attackers to exfiltrate sensitive data, disrupt network operations, and maintain persistent access to the victim’s environment, posing significant security and business continuity risks.
Document
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
Real-time Detection
Interactive Malware Analysis
Easy to Learn by New Security Team members
Get detailed reports with maximum data
Set Up Virtual Machine in Linux & all Windows OS Versions
Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Suggested Remediation
Palo Alto Networks has recommended a two-pronged approach to remediate the impact of CVE-2024-3400:
Update to the Latest PAN-OS Hotfix: Organizations are urged to immediately update their firewall systems to the latest hotfix provided by Palo Alto Networks.
This update addresses the vulnerabilities the attackers exploit and closes the security gaps that allow initial access.
Perform a Factory Reset: Due to the invasive nature of the attacks and the potential for residual malicious modifications, a factory reset of the affected firewalls is strongly advised.
This reset will eradicate any configurations, including those potentially manipulated by threat actors, and restore the devices to their original state.
How to Perform Private Data Reset and Factory Reset
To ensure the thorough removal of any threat actor presence and to safeguard against future vulnerabilities, organizations should follow these steps:
Backup Configuration: Before proceeding with the reset, ensure all current configurations are backed up, as they will be erased during the factory reset process.
Initiate Factory Reset: Access the firewallβs management interface and select the factory reset option.
This process will return the firewall to its original factory settings, removing all user data, configurations, and, critically, any unauthorized changes made by attackers.
Restore and Review: After the reset, carefully restore the necessary configurations from backups. Reviewing these configurations to ensure no malicious alterations are reintroduced into the system is crucial.
This incident underscores the importance of comprehensive security practices, including regular updates, monitoring for unusual activity, and swift response to security advisories.
Palo Alto Networks has also emphasized the value of conducting regular security audits and employing advanced threat detection tools to identify and mitigate potential vulnerabilities before they can be exploited.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo