| title | date | draft | logo |
|---|---|---|---|
November 26, 2023 |
2023-11-26 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
An undisclosed government entity in Afghanistan recently faced a sophisticated cyberattack involving a newly discovered web shell named "HrServ." This dynamic-link library (DLL) named "hrserv.dll" exhibits advanced features, including custom encoding methods, indicating a high level of sophistication. Kaspersky identified malware variants dating back to early 2021, hinting at a prolonged and covert campaign.
The attack utilized the PAExec tool to create a scheduled task masquerading as a Microsoft update, executing a Windows batch script that initiated the HrServ web shell as an HTTP server. The web shell's obfuscation techniques, such as mimicking Google services in HTTP requests, make it challenging to distinguish malicious from benign network traffic.
The HrServ web shell, once activated, allows threat actors to perform various post-exploitation activities. The threat actor's identity remains unknown, but typos in the source code suggest a non-native English speaker. While exhibiting traits of financially motivated malicious activity, the malware's operational methodology shares similarities with advanced persistent threat (APT) behavior.
Microsoft Windows servers and systems, exploiting vulnerabilities in Microsoft's update mechanisms.
https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html
Regularly update and patch software to address vulnerabilities.
Microsoft's recent Patch Tuesday addressed several security patches, including three zero-day vulnerabilities. Among these was CVE-2023-36025, impacting Windows SmartScreen. Rated at 8.8 (High) severity, it was actively exploited by threat actors. This particular vulnerability involved a security bypass that required user interaction for unauthorized exploitation.This vulnerability enables a threat actor to create specific files or links that evade SmartScreen's protective alerts. In this case, the exploit involved a manipulated Internet Shortcut File (.URL) that bypasses SmartScreen's validation process.This malicious file could first arrive via phishing emails or compromised websites. If a user downloads and clicks on the harmful internet shortcut file, it triggers the payload, granting the threat actor access.
Microsoft Products
https://cybersecuritynews.com/hackers-windows-smartscreen-zero-day/
Windows system administrators are highly advised to apply the latest security patches.
CVE-2023-36025
OwnCloud, an open-source file-sharing software, has identified three critical security vulnerabilities. The first flaw in graphapi versions 0.2.0 to 0.3.0 allows disclosure of sensitive credentials in containerized deployments. OwnCloud recommends deleting a specific file and disabling 'phpinfo' to address this issue. The second vulnerability, affecting core versions 10.6.0 to 10.13.0, enables file access without authentication if the victim's username is known and no signing-key is configured. The third flaw in oauth2 prior to version 0.6.1 allows a subdomain validation bypass, with ownCloud advising users to disable "Allow Subdomains" as a workaround. Concurrently, a proof-of-concept exploit for a critical remote code execution vulnerability (CVE-2023-43177) in CrushFTP, allowing unauthorized access and password acquisition, has been addressed in version 10.5.2, released on August 10, 2023. CrushFTP highlights the severity of this vulnerability, emphasizing its potential to be exploited without authentication, posing a significant risk of session theft and escalation to an administrator user.
OwnCloud Open-source file-sharing software
https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html
Upgrade to CrushFTP verion 10.5.2
CVE-2023-43177
Multiple threat actors, including affiliates of the LockBit ransomware group, are actively exploiting a recently disclosed critical security vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler application delivery control (ADC) and Gateway appliances. The joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC) emphasizes the severity of the issue, with a CVSS score of 9.4. Known as Citrix Bleed, this vulnerability enables threat actors to bypass password requirements and multifactor authentication, leading to the hijacking of legitimate user sessions. This unauthorized access grants attackers elevated permissions, allowing them to harvest credentials, move laterally within the network, and access sensitive data and resources. Although Citrix addressed the vulnerability last month, it was weaponized as a zero-day exploit since at least August 2023. LockBit, among other threat actors, has been observed exploiting the flaw to execute PowerShell scripts and deploy remote management and monitoring tools for further malicious activities. This incident underscores the ongoing risk posed by vulnerabilities in exposed services, serving as a primary entry vector for ransomware attacks. In a broader context, a comparative study by Check Point reveals a rising trend in Linux-targeting ransomware attacks, primarily focused on medium and large organizations. The study notes a simplification trend in these Linux ransomware families, relying on basic encryption processes and legitimate system tools, making them both more reliant on external configurations and scripts and more adept at flying under the radar.
Citrix NetScaler
https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html
Update to the lastest patched version.
CVE-2023-4966
CVE-2023-36884 and CVE-2023-36584 are being in an attack chain. CVE-2023-36884, rated 8.8 (High), is an RCE vulnerability, and CVE-2023-36584, rated 5.4 (Medium), is a security bypass vulnerability. The attack begins with a .docx file, leveraging malicious OLE objects in an RTF file to request content from specific URLs. The chain involves exploiting Windows Search, leaking NTLM credentials, and utilizing a new MotW bypass. Palo Alto's comprehensive report details the attack chain, exploitation techniques, and indicators of compromise.
Windows Search, OLE objects, CVE-2023-36884, CVE-2023-36584
https://cybersecuritynews.com/office-document-to-exploit-windows-search/
Absence of in-tree storage plugins and upgrading to Kubernetes CSI v1.27
CVE-2023-36884, CVE-2023-36584