Threat Intel Roundup: CoinEx, Azure Dataleak, Kafka, Lumma

  • Home
  • Report
  • Threat Intel Roundup: CoinEx, Azure Dataleak, Kafka, Lumma
Threat Intel Roundup: CoinEx, Azure Dataleak, Kafka, Lumma

Week in Overview(14 Sep-19 Sep)

Technical Summary

Silent Skimmer Campaign

  • Nature: Financially motivated campaign targeting online payment businesses.
  • Regions Affected: APAC and NALA.
  • Method: Compromises web servers, exploits vulnerabilities for initial access, and deploys payment scraping mechanisms.
  • Duration: Active for over a year.
  • Key Tools: Obfuscated JavaScript files, Godzilla Webshells, PowerShell RATs, Cobalt Strike Beacon.

CVE-2023-34040 – Spring Kafka Deserialization RCE Vulnerability

  • Nature: Deserialization vulnerability leading to remote code execution.
  • Affected Software: Spring Kafka.
  • Impact: Allows unauthorized attackers to execute arbitrary code on the server where Spring Kafka is running.
  • Mitigation: Update to the latest patched version of Spring Kafka.

North Korean Lazarus Group’s Involvement in Cryptocurrency Hacks

  • Nature: State-sponsored cyber-espionage group.
  • Origin: North Korea.
  • Recent Activity: Involved in a series of cryptocurrency hacks.
  • Tactics: Spear-phishing campaigns, advanced malware strains, and exploiting software vulnerabilities.

Microsoft AI Data Exposure of 38 Terabytes

  • Nature: Data exposure incident.
  • Data Involved: 38 Terabytes of AI training data.
  • Cause: Misconfigured cloud storage.
  • Impact: Potential misuse of AI data, intellectual property theft, and competitive disadvantage.
  • Mitigation: Secure cloud storage configurations and regular audits.

Exploitation of “search-ms” URI Protocol Handler Distributing XWorm Malware

  • Nature: Malware distribution via URI protocol handler.
  • Affected Protocol: “search-ms”.
  • Malware: XWorm.
  • Impact: Unauthorized system access, data theft, and potential system damage.
  • Mitigation: Update software to the latest versions, avoid clicking on unknown links, and use updated antivirus solutions.

Lumma Stealer Malware Variant (14.09) Detection and Mitigation

  • Nature: Information-stealing malware.
  • Variant: 14.09.
  • Tactics: Harvests user credentials, browser history, and other sensitive information.
  • Impact: Data theft, unauthorized access to accounts, and potential financial loss.
  • Mitigation: Regular system scans, avoid downloading files from untrusted sources, and update to the latest security patches.

Key Findings

it is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate risks associated with various vulnerabilities and threats:

  • Silent Skimmer Campaign
  • Lumma Stealer Malware Variant
  • CVE-2023-34040 – Spring Kafka Deserialization Remote Code Execution Vulnerability
  • North Korean Lazarus Group’s Involvement in Recent Cryptocurrency Hacks
  • Microsoft AI Data Exposure of 38 Terabytes
  • Exploitation of “search-ms” URI Protocol Handler Distributing XWorm Malware
  • Open Directory Exploitation with Rhadamanthys Malware

🚨 Vulnerability of the Week

Apache Kafka CVE-2023-34040

A critical vulnerability has been identified in Spring Kafka, which allows for remote code execution through deserialization. This advisory provides a detailed breakdown of the vulnerability, its potential implications, and recommended best practices to detect and prevent unauthorized exploitation.

Vulnerability Details

Nature of Vulnerability:

  • Remote Code Execution through deserialization in Spring Kafka.

Key Points from the Security Announcement:

  • The vulnerability arises when the ErrorHandlingDeserializer is configured as a key and/or value in Kafka records.
  • Setting the boolean type properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true can trigger the vulnerability.
  • Users can publish to Kafka topics without any authentication.

Background on Kafka

Before delving into the vulnerability, it’s essential to understand some fundamental concepts related to Kafka:

  • Producer: Objects that publish records to Kafka topics.
  • Topic: Categories of records managed by Kafka.
  • Broker: Servers where published messages are stored, forming a Kafka cluster.
  • Consumer: Objects that subscribe to and process messages from Kafka topics.

Kafka records, also known as messages or events, consist of headers and bodies. Headers are essentially metadata, while body data typically contains relevant business data stored as key/value structures.

Reproduction Steps

  • Setup Kafka and Zookeeper:
    • Install Zookeeper using Docker.
    • Deploy Kafka server using Docker.
  • Spring Boot Project Configuration:
    • Import the affected Kafka dependency.
    • Update the application.yaml configuration.
    • Implement the Kafka producer and consumer classes.
    • Configure the consumer class to set checkDeserExWhenKeyNull and checkDeserExWhenValueNull to true.
  • Triggering the Vulnerability:
    • Set a breakpoint at the getExceptionFromHeader function and start the server.
    • The record object will be deserialized upon entering the invokeIfHaveRecords function.
    • The byteArrayToDeserializationException function is then called, where the resolveClass function is overridden to restrict arbitrary Java class deserialization. Only the class can be deserialized.
    • A malicious class can be crafted, inheriting from the Throwable parent class. The serialized payload of this class can be used to fill the springDeserializerExceptionKey value in JSON data, triggering remote code execution upon sending an HTTP request.

⛳︎ Leakage Insight

Microsoft has recently addressed a significant security oversight that resulted in the exposure of 38 terabytes of confidential data. This advisory provides a detailed breakdown of the incident, its potential implications, and recommended best practices to prevent similar occurrences.

Incident Details

Date of Discovery:

  • June 22, 2023

Nature of Data Exposed:

  • The data leak was identified on Microsoft’s AI GitHub repository named “robust-models-transfer.”
  • The exposed data included open-source training data, disk backups of two former employees’ workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.
  • The repository was related to a 2020 research paper titled “Do Adversarially Robust ImageNet Models Transfer Better?”

Cause of Exposure:

  • An overly permissive SAS (Shared Access Signature) token on Azure led to the exposure. This token not only granted read access but also allowed for data deletion and overwriting.
  • The repository’s file mistakenly directed developers to an Azure Storage URL that granted access to the entire storage account.

💦 Malware Distribution Sites

A new variant of the Lumma Stealer malware, dated 14.09, has been identified. This advisory provides details on the indicators of compromise, the malware’s behavior, and recommended mitigation steps.

Indicators of Compromise (IoCs)

Files and Hashes:

  • “”: 78b33da96286a5b73cc7565769facfda50cdf8c1658da03fb30a7dc058387584
  • “IMG_2021_07_11_536734643256_squeeze-vulgarity-freak.IMG.lnk”:
    • 8d90371c385fb89ca8347050ed1b93506c9c120c7d983bbe7822cabf61a60997
    • 64ae2a698cc1b637608494864158c8bac1a8f4316667eabdd8954c6defac8c5f
    • 7b4260fec38e397f673ccbf10259d8655ae1bf657525b2c8ff4ca0c30e47b344


  • https://cdn.discordapp[.]com/attachments/1151961825806667917/1151961899693514835/promot_s.msi
  • https://cdn.discordapp[.]com/attachments/1149055434079084564/1149400241485926410/forex.msi

Command and Control (C2) Server:

  • treepledeeple[.]fun

Additional Information:

The Lumma Stealer malware is known for its capabilities to exfiltrate sensitive information from infected machines. This new variant appears to be distributed via malicious ZIP archives and LNK files. Once executed, it communicates with a C2 server to transmit stolen data and receive further instructions.

🐙 Proxylife

A novel exploitation technique leveraging the “search-ms” URI Protocol Handler has been identified, which is being used to distribute the XWorm malware. This advisory provides a comprehensive breakdown of the attack vector, its potential impact, and recommended mitigation steps.

Attack Details

Attack Vector:

  • A deceptive PDF decoy containing a link to a ‘Full Document’ is being circulated. Upon interaction, victims are redirected to the DNMSystems website.
  • The link within the website, disguised as a PDF icon, is actually a malicious VBS script.

Exploitation Technique:

Malware Behavior:

  • Upon clicking the malicious link, the WScript process initiates, executing the VBS script from a remote server.
  • The primary function of the VBS script is to fetch a zip-archive containing Xworm (DLL+Shellcode) and create a BAT file to execute it on the victim’s machine.
  • The archive has two files for different launch methods, determined by the VBS script. In this instance, a DLL is used, expanded to approximately 300Mb in size.

🥷 TTP Analysis

BlackBerry’s Threat Research and Intelligence team has identified an ongoing campaign, named “Silent Skimmer,” targeting online payment businesses in the APAC and NALA regions. The threat actor compromises web servers, exploiting vulnerabilities to gain initial access and subsequently deploying payment scraping mechanisms to extract sensitive financial data from users.

Key Points:

  • Duration and Target: The campaign has been active for over a year, targeting diverse industries that host or create payment infrastructure, including online businesses and Point of Sales (POS) providers.
  • Threat Actor Profile: Evidence suggests the threat actor is proficient in the Chinese language and primarily operates in the Asia-Pacific (APAC) region.
  • Tactics, Techniques, and Procedures (TTPs): The campaign uses various TTPs, including Privilege Escalations, Remote Code Execution (RCE), Remote Access, and more.
  • Weaponization: The attacker employs tools such as Obfuscated JavaScript files, Godzilla Webshells, PowerShell RATs, and Cobalt Strike Beacon, among others.
  • Attack Vector: The primary attack vector is exploiting public-facing applications.
  • Technical Analysis: The attacker gains initial access by exploiting web applications, especially those hosted on Internet Information Services (IIS). They deploy various tools and techniques, including open-source tools and Living Off the Land Binaries and Scripts (LOLBAS).
  • Network Infrastructure: The threat actor uses an HTTP file server deployed on a temporary virtual private server (VPS), primarily hosted on the Microsoft Azure cloud computing platform.
  • Targets: The campaign targets regional websites with payment data and web servers running IIS and vulnerable web applications.
  • Attribution: The threat actor or group behind this campaign remains unidentified. However, evidence suggests they are Chinese-speaking and operate predominantly in Asia.
  • Conclusion: The threat actor is actively exploring new targets, moving from Asia to North America. The technical complexity of its operation suggests this may be an advanced or experienced actor.

👹 Scam Contract

The North Korean Lazarus Group has been identified as the perpetrator behind a series of significant cryptocurrency hacks, including the recent $54M CoinEx hack. This advisory provides a detailed breakdown of the group’s activities, the potential implications, and recommended best practices to prevent similar breaches.

Incident Details

Attribution to North Korea:

  • The Lazarus Group, linked to North Korea, has been connected to the $54M CoinEx hack. This connection was made after they inadvertently linked their address to the $41M Stake hack on OP & Polygon.

Address Associated with Lazarus Group:

  • 0x75497999432b8701330fb68058bd21918c02ac59

Scale of Operations:

  • In just 104 days, the Lazarus Group has illicitly acquired $240M worth of cryptocurrency.
  • The most recent exploit being the $54M hack of CoinEx.
  • In total, there have been 5 significant hacks in the past 3 months attributed to this group.

List of Known Hacks:

  • Stake exploit
  • Atomic wallet hack
  • CoinsPaid and Alphapo hack
  • CoinEx hack

Modus Operandi:

  • The group is now focusing on Centralized Exchanges (CEXs) using social engineering attacks.

📝 Opendir

n open directory has been identified, potentially exploited with the Rhadamanthys malware. This advisory provides details on the indicators of compromise, the malware’s behavior, and recommended mitigation steps.

Indicators of Compromise (IoCs)

Open Directory IP:

  • 5.42.67[.]10

Malicious Files and URLs:

The identified open directory appears to be hosting malicious files associated with the Rhadamanthys malware. The malware is known for its stealthy operations and potential data exfiltration capabilities. The identified files, wininstal.exe and buildcreate.exe, have been analyzed, revealing connections to suspicious domains and IP addresses.

🟥 1Day

A vulnerability, named ThemeBleed, has been discovered in Windows 11’s handling of .theme files. This advisory provides a comprehensive breakdown of the vulnerability, its potential implications, and recommended best practices to prevent similar occurrences.

Vulnerability Details

Nature of Vulnerability:

  • The vulnerability pertains to the handling of .msstyles files within .theme files on Windows 11.
  • A series of issues can lead to arbitrary code execution when a user loads a .theme file.

Bug Components:

  • Background: .theme files on Windows allow OS appearance customization. The vulnerability specifically deals with the handling of .msstyles files.
  • Version 999 Check: A special case for version 999 in .msstyles files triggers a function ReviseVersionIfNecessary.
  • Time-of-Check-Time-of-Use (TOCTOU) Vulnerability: A race condition exists between verifying the signature of a _vrf.dll file and loading it, allowing an attacker to replace a verified file with a malicious one.
  • Mark-of-the-Web Bypass: Packaging a .theme file in a .themepack file bypasses security warnings.

Proof of Concept (PoC):


  • Arbitrary code execution: An attacker can execute arbitrary code on a victim’s machine without memory corruption.
  • Bypass of security warnings: The vulnerability allows bypassing of Mark-of-the-Web warnings, potentially leading users to unknowingly execute malicious themes.

🌶️ Trending Exploit

A significant vulnerability has been identified in Owl Labs Meeting Owl version This advisory provides a detailed description of the vulnerability, its potential impact, and recommended mitigation steps.

Vulnerability Details

CVE Identifier:

  • CVE-2022-31462

Affected Product:

  • Owl Labs Meeting Owl version

Vulnerability Description:

  • The product allows attackers to control the device via a backdoor password. This password is derived from the device’s serial number, which can be easily obtained from Bluetooth broadcast data.


🕯️ The Topic of the Week

In light of the recent data leak incident on Azure, a potential key access vulnerability has been identified. This advisory provides a detailed breakdown of the vulnerability, its potential implications, and recommended best practices to detect and prevent unauthorized access.

2. Vulnerability Details

Nature of Vulnerability:

  • Unauthorized access to storage account keys in Azure, potentially allowing malicious actors to access sensitive data.

Detection Method:

  • AzureActivity logs can be queried to identify potential unauthorized key access attempts over the past 31 days.

Query for Detection:


| where TimeGenerated >= ago(31d)


| extend Storage = tostring(parse_json(Properties).resource)

| extend APP = tostring(parse_json(Claims).appid)

| extend Role = tostring(parse_json(tostring(parse_json(Authorization).evidence)).role)

| summarize count() by Storage, APP, CallerIpAddress, Role

Refinement Options:

  • To narrow down the results to successful key access attempts, add: | where ActivityStatusValue == “Success”
  • For a summarized overview of an account’s interaction with Azure, use the following query:

| summarize Operations=count(), IPs=dcount(CallerIpAddress), FirstExecution=min(TimeGenerated), LastExecution=max(TimeGenerated), IPUsed=make_set(CallerIpAddress), max(Category) by OperationNameValue

| extend DaysDelta = datetime_diff(‘day’, LastExecution, FirstExecution) | extend DaysDelta = iff(DaysDelta == 0, 1, DaysDelta)

Leave a Reply

Your email address will not be published. Required fields are marked *