Threat Intel Roundup: Exchange, LOCKBIT, TA558, GhostRAT

  • Home
  • Report
  • Threat Intel Roundup: Exchange, LOCKBIT, TA558, GhostRAT
Threat Intel Roundup: Exchange, LOCKBIT, TA558, GhostRAT

Technical Summary

Vulnerabilities in CODESYS V3 SDK Could Lead to OT Environments Being Exploited Using RCE & DoS Attacks:

Multiple high-severity vulnerabilities have been identified within the CODESYS V3 software development kit (SDK), used to program programmable logic controllers (PLCs). These vulnerabilities affect versions prior to Exploitation could result in remote code execution (RCE) and denial of service (DoS) attacks on operational technology (OT) infrastructures. Attackers would require user authentication and deep knowledge of the CODESYS V3 proprietary protocol. Applying security updates, firmware updates, network segmentation, and access controls are recommended to mitigate these vulnerabilities.

Cloud Data Exposure Report: High-Profile Organizations and Sensitive Data Leaks:

Prominent organizations have suffered cloud data exposure incidents, potentially leading to the compromise of sensitive information. Affected entities include Cloud *Tucket, ExOTiCA, truthfinder, CAPITA, O TOYOTA Org, Luxottica, Truth Finder, Capita, and Toyota. Data exposed includes customer PII, user credentials, files, and vehicle information. These breaches could result in privacy violations, identity theft, and financial losses. Proper configuration, encryption, and access controls are essential to prevent unauthorized access to sensitive data.

Deep Analysis: CVE-2023-38182:

CVE-2023-38182 is a critical vulnerability affecting CODESYS V3 software. It enables attackers to execute arbitrary code remotely on systems running vulnerable versions of the software, posing risks to system integrity and confidentiality. Exploitation involves a security issue within the tag decoding mechanism, leading to multiple vulnerabilities. Successful exploitation requires user authentication and bypassing security measures like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Applying security patches is crucial to mitigate the risks posed by this vulnerability.

Lockbit3’s announcement of new victims serves as a stark reminder of the persistent ransomware threat. Organizations must prioritize robust cybersecurity measures, including preventive strategies and well-defined incident response plans. Collaborative efforts involving industries, governments, and cybersecurity experts are vital to counteract the escalating danger posed by ransomware attacks. Vigilance, preparation, and awareness are essential in the ongoing battle against these malicious actors.

Key Findings

it is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate risks associated with various vulnerabilities and threats:

  • GhostRAT OpenDIR
  • Exchange RCE
  • LOCKBIT New Victims
  • defcon

🚨 Vulnerability of the Week

Exchange CVE-2023-38182

This report draws attention to the latest Microsoft Patch Tuesday release, encompassing critical updates to address vulnerabilities in Microsoft products. Notably, two vulnerabilities, CVE-2023-38182 and CVE-2023-35388, require immediate attention due to their potential impact on system security.

2. Patch Tuesday Overview: Microsoft’s Patch Tuesday is a recurring event where the company releases security patches to address vulnerabilities in its software ecosystem. The aim is to enhance cybersecurity and protect users’ systems from potential threats and exploits.

Highlighted Vulnerabilities: This Patch Tuesday release includes two vulnerabilities that deserve special attention:

  • CVE-2023-38182: This vulnerability presents a significant risk and requires immediate action. While specific details may vary, its critical nature suggests that attackers could exploit this vulnerability to compromise system integrity and confidentiality.
  • CVE-2023-35388 (Exchange RCE): This Remote Code Execution (RCE) vulnerability affecting Microsoft Exchange Server could enable attackers to execute arbitrary code on vulnerable systems. Such vulnerabilities are highly sought after by threat actors for launching devastating attacks.

CVE-2023-38182 is a security vulnerability that affects certain versions of Microsoft products. The vulnerability falls under the category of remote code execution (RCE), implying that a malicious actor could exploit the flaw to execute arbitrary code on the targeted system. Such vulnerabilities are particularly concerning due to their potential to grant attackers unauthorized access and control over affected systems.

Exploitation Scenario: The exploitation of CVE-2023-38182 could involve a threat actor crafting a specifically crafted input or interaction that triggers the vulnerability. Upon successful exploitation, the attacker may gain unauthorized access to the system and execute arbitrary code. This could potentially lead to complete control over the affected system, data breaches, or other malicious activities.

Mitigation and Remediation: To address the CVE-2023-38182 vulnerability, Microsoft has released security updates and patches. These patches are designed to mitigate the risk associated with the vulnerability by fixing the underlying flaw. Users and organizations are strongly advised to promptly apply the provided updates to safeguard their systems from potential exploitation.

β›³οΈŽ Leakage Insight

This report details recent developments in the activities of the Lockbit3 ransomware group. The group has announced the targeting of nine new victims on its blog site. The list of victim organizations includes a variety of countries and industries.

Targeted Countries and Victims: Lockbit3 has reportedly targeted organizations in the following countries:

  • United Arab Emirates πŸ‡¦πŸ‡ͺ (2 victims)
  • Turkey πŸ‡ΉπŸ‡· (1 victim)
  • Thailand πŸ‡ΉπŸ‡­ (1 victim)
  • South Africa πŸ‡ΏπŸ‡¦ (1 victim)
  • Sweden πŸ‡ΈπŸ‡ͺ (1 victim)
  • Germany πŸ‡©πŸ‡ͺ (1 victim)
  • United Kingdom πŸ‡¬πŸ‡§ (1 victim)
  • Netherlands πŸ‡³πŸ‡± (1 victim)

Targeted Organizations: The following organizations have been reported as victims of the Lockbit3 ransomware group:


Implications: Lockbit3’s announcement of new victims underscores the persistent and evolving threat posed by ransomware groups. The geographic diversity of the victims indicates that these attacks have a global impact and are not limited to specific regions.

πŸ’¦ Malware Distribution Sites

This report provides an analysis of the Android application “Modulonubank.apk,” identified by the hash 8d492ac234ee9efe18fc2ee67d689591ac73b813e6cc307d559c9d6ba852b9ef. The application was retrieved from the URL: https://nucredito.onrender[.]com/Modulonubank.apk. The analysis aims to identify the potential risks and capabilities associated with this APK file.

APK Analysis: The APK file “Modulonubank.apk” appears to be a potentially malicious Android application. Key aspects of the analysis include:

  • FileHash: 8d492ac234ee9efe18fc2ee67d689591ac73b813e6cc307d559c9d6ba852b9ef
  • Source URL: https://nucredito.onrender[.]com/Modulonubank.apk

πŸ™ Proxylife

This report examines a cybersecurity incident involving a sophisticated execution technique that deploys a malicious payload through an HTA (HTML Application) file. The incident also discusses the utilization of cmstp.exe to install a fake connection manager service profile, leading to the deployment of the NetSupport remote administration tool. The report provides insights into the execution process, artifacts involved, and detection mechanisms.

Attack Analysis: The attack comprises several stages and techniques:

  • Initial Obfuscated PowerShell Scripts: The attack begins with obfuscated PowerShell scripts aimed at evading detection. These scripts are likely used to establish initial foothold and download further payloads.
  • cmstp.exe Exploitation: A significant technique involves the exploitation of cmstp.exe, a legitimate utility for connection manager profiles. In this case, the attacker leverages cmstp.exe to install a fake service profile named “Notepad,” effectively masquerading as legitimate behavior.
  • RunPreSetupCommandsSection: The use of the “RunPreSetupCommandsSection” allows the attacker to execute malicious commands while appearing to be part of a legitimate setup process, thus effectively disguising their actions.
  • Decoy Chrome PNG Image: The attacker downloads and displays a decoy Chrome PNG image. This serves as a distraction while the malicious activities occur in the background.
  • Artifact Downloads: The attacker downloads artifacts from specific domains, some of which are listed below:
    • (
      • (Status: Offline)
      • client32.exe (Status: Offline)
    • (
      • 152759.png (Non-Malicious)

Sigma Rule and Source Analysis: The provided SIGMA rule, available at, assists in detecting similar execution techniques and malicious activities. It aids in identifying the cmstp.exe exploitation for malicious purposes.

4. Artifacts and Links:

πŸ₯· TTP Analysis

This report delves into a recent cybersecurity incident involving the return of the TA558 attacker group. The attackers have employed a malicious JavaScript technique, which leads to the download of an image file that conceals encoded data. This data is extracted and decoded to facilitate the injection of a malicious Quasar RAT payload into the Windows Registry through Regsvcs.

Attack Analysis: The attack unfolds through the following stages:

  • Initial Attack Vector: The TA558 attacker group utilizes malicious JavaScript to initiate the attack. This scripting language is known for its flexibility in executing dynamic and obfuscated payloads.
  • Concealed Image Payload: The attackers employ a deceptive technique by downloading an image file that seemingly depicts Spiderman. However, the image file is modified to include “<BASE64_START>” and “<BASE64_END>” tags, indicating the presence of concealed data within the image.
  • PowerShell Extraction: The malicious JavaScript spawns a PowerShell process to extract and decode the concealed data within the Spiderman image. The decoded data stream is transformed into a helper Dynamic-Link Library (DLL).
  • DLL Injection: The decoded data, which contains the Quasar RAT payload, is injected into the Windows Registry through Regsvcs. This technique allows the attacker to maintain persistence within the compromised system and execute the malicious payload at startup.

Artifacts and Links:

  • Malicious JavaScript: Link
  • Spiderman Image: Link
  • Twitter Post: Link


  • The TA558 attacker group’s return signifies their determination to persistently target victims with advanced attack techniques.
  • The use of image files as carriers of encoded data highlights the evolving sophistication of evasion techniques employed by threat actors.

πŸ‘Ή Scam Contract

This report provides an overview of a recent cybersecurity incident involving unauthorized token transfer and a social media scam. The incident involves a Twitter post from the account “realScamSniffer” and a victim who lost $286k USDC (USD Coin) due to a fraudulent transaction facilitated through ERC-20 Permit.

The Twitter post from the account “realScamSniffer” on link to the post indicates potential involvement in exposing or investigating scams. However, without direct access to the content of the post, a thorough analysis cannot be conducted. It is advised to approach such accounts with caution and verify the credibility of their claims before taking any actions based on the information provided.

Unauthorized Token Transfer: A victim reportedly lost $286k USDC (USD Coin) in a scam involving an unauthorized token transfer. The victim granted token approval to the scammer through ERC-20 Permit, which allowed the scammer to transfer the victim’s funds without their consent. ERC-20 Permit is a feature that enables smart contracts to transfer tokens on behalf of the token holder for specific purposes.


  • Investigate Transactions: The victim and relevant parties should analyze the transaction details, blockchain addresses, and smart contract interactions associated with the unauthorized token transfer. This information can provide insights into the attack vector and potential avenues for recovery.
  • Blockchain Security Measures: Ensure that smart contracts and token approval mechanisms are designed with security in mind. Implement multi-factor authorization, time locks, or other mechanisms to reduce the risk of unauthorized token transfers.
  • Educate Users: Educate users about the risks of granting token approval to unknown or unverified parties. Advise them to thoroughly review smart contract permissions and consider using permissionless protocols that require manual confirmation for every transaction.
  • Contact Authorities: In cases of significant financial losses, consider reporting the incident to relevant law enforcement agencies, as well as blockchain and cryptocurrency regulatory bodies if applicable.
  • Raise Awareness: Utilize social media, forums, and other platforms to raise awareness about the incident and caution others about potential scams and unauthorized token transfers.

πŸ“ Opendir

This report aims to provide an analysis of the potential cybersecurity threats associated with the keywords “opendir hosting,” “GhostRAT,” “PacketSender,” “ProcDump,” and “webshell.” The report also investigates the connections involving IP addresses,, and, along with the executable files “Google Service Installer.exe.exe” and “x.aspx.”

IP Address Connections:

a. IP Address:

  • The IP address suggests potential web hosting or server activities. Further analysis is required to determine the nature of the content hosted and whether it is legitimate or malicious.

b. IP Address:

  • The connection from “Google Service Installer.exe.exe” to raises concerns about a potential GhostRAT malware infection. GhostRAT is a remote access trojan known for unauthorized access, data theft, and remote control capabilities.

c. IP Address:

  • The connection involving “x.aspx” and requires further investigation to ascertain its purpose and legitimacy. “x.aspx” might indicate a webshell or a script that could potentially execute arbitrary commands on a compromised system.

File Analysis:

a. Google Service Installer.exe.exe (GhostRAT)

  • “Google Service Installer.exe.exe” is associated with the GhostRAT malware. This malware is designed to exploit vulnerabilities, gain unauthorized access, and potentially enable remote control of the infected system.

b. x.aspx

  • The presence of “x.aspx” suggests the potential use of a webshellβ€”a script that allows attackers to execute commands on a web server remotely. Webshells can be used for various malicious purposes, including data theft and system compromise.

πŸŸ₯ 1Day

A severe security flaw has been uncovered in Desktop, posing a significant risk to users of the popular diagramming and charting application. This 1-day vulnerability allows an attacker to execute arbitrary code remotely, potentially compromising the security and integrity of systems where the application is installed. The discovery of this vulnerability highlights the importance of timely updates and diligent security practices to mitigate potential risks.

The vulnerability was identified as a Remote Code Execution (RCE) flaw in Desktop. Remote Code Execution refers to the ability of an attacker to execute malicious code on a target system remotely, without requiring any prior authentication or user interaction. In the context of Desktop, this flaw allows an attacker to exploit a security weakness and execute arbitrary code, potentially gaining unauthorized access to the system.

The vulnerability was discovered and reported by security researcher @kevin_mizu. Their prompt action in identifying and responsibly disclosing the flaw is crucial in ensuring that Desktop’s developers can address the issue and provide an effective fix to users.

The vulnerability was reported through the security bounty program, hosted by Such programs incentivize security researchers to identify and report vulnerabilities responsibly, encouraging responsible disclosure and prompt remediation by the affected software vendor.

🌢️ Trending Exploit

This report delves into a critical cybersecurity concern, focusing on multiple high-severity vulnerabilities identified within the CODESYS V3 software development kit (SDK). CODESYS V3, widely used to engineer programmable logic controllers (PLCs), faces significant vulnerabilities across versions before The exploitation of these vulnerabilities could enable attackers to execute remote code execution (RCE) and denial of service (DoS) attacks on operational technology (OT) infrastructures.

Vulnerability Details: The vulnerabilities uncovered by Microsoft’s cyber-physical system team within CODESYS V3 SDK are particularly alarming due to their potential impact. Key points include:

  • Affected Versions: All CODESYS V3 versions prior to
  • Impact: Remote Code Execution (RCE) and Denial of Service (DoS)
  • Vulnerability Type: Tag decoding mechanism flaw leading to multiple vulnerabilities

Exploitation and Attack Scenario: Attackers aiming to exploit these vulnerabilities require user authentication and in-depth knowledge of CODESYS V3’s proprietary protocol. While exploitation demands overcoming authentication barriers and bypassing security measures like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), the researchers managed to achieve Remote Code Execution (RCE) in 12 buffer overflow vulnerabilities. Successful exploitation provides attackers control over PLCs.

Consequences and Implications: Exploiting these vulnerabilities presents a range of potentially devastating outcomes:

  • Remote Code Execution (RCE): Attackers could take control of PLCs, impacting their operations and potentially disrupting industrial processes.
  • Denial of Service (DoS): Attackers could initiate DoS attacks, causing PLCs to halt operations and interrupt industrial functions.

πŸ•―οΈ The Topic of the Week

This report sheds light on recent incidents of cloud data exposure affecting several notable organizations, including Cloud *Tucket, ExOTiCA, truthfinder, CAPITA, O TOYOTA Org, Luxottica, Truth Finder, Capita, and Toyota. These incidents have resulted in unauthorized access to sensitive data, including customer personally identifiable information (PII) and other confidential records. The information provided in this report offers insights into the causes, scale, and potential consequences of these data breaches.

Affected Organizations and Data Leaks: Several organizations have been impacted by cloud data exposure, resulting in the leakage of sensitive information:

  • *Cloud Tucket:
    • Data Exposed: Customer PII
    • Cause: Speculated to be misconfigured cloud settings
  • ExOTiCA:
    • Data Exposed: User PII / Credentials
    • Cause: Unsecured S3 bucket containing live database
  • truthfinder:
    • Data Exposed: Files containing customer PII
    • Cause: Open S3 bucket of DB backup enabled with internal file repository
    • Data Exposed: Toyota unique ID, email, password
    • Cause: Connect activity for a 3rd party vendor
  • O TOYOTA Org:
    • Data Exposed: Real-time vehicle location data
    • Cause: Full DB download with internal file repository
  • Luxottica:
    • Data Exposed: Customer PII, including name, email, address, phone number
    • Cause: Luxottica’s open S3 bucket used for retail operations

Leave a Reply

Your email address will not be published. Required fields are marked *