Overview: The RussianPanda Research Blog unveiled insights into Atomic Stealer, the first MacOS stealer, exposing its functionalities and features.
Notable Points:
Monthly Subscription: Available for $3000 per month with access to a user-friendly panel.
Functions: Includes login keychain dump, system information extraction, MacOS password retrieval, MetaMask brute-forcer, and support for various browsers and wallets.
Technical Analysis: In the new version, encrypted strings pose challenges, but the tool aims for stealthier operations, leaving minimal traces.
Affected Systems: Junos OS on SRX firewalls and EX switches.
Exploitation Impact: Unauthenticated network threat actors could execute a denial-of-service (DoS) attack, gain root privileges, or conduct an RCE attack.
Mitigation: Juniper Networks released patches for affected versions (20.4R3-S9, 21.2R3-S7, 22.4R3, etc.). Urgent patching or J-Web interface disabling recommended.
GitLab Critical Security Release (16.3.4 and 16.2.7):
Vulnerability: Account-Take-Over (ATO) in GitLab instances without user interaction.
Exploitation Vector: Manipulation of email management during password resets, allowing an attacker to reset the administrator password.
Mitigation: GitLab recommends 2-factor authentication to prevent exploitation. Versions 16.1 to 16.7.1 are affected. Users urged to update to the patched versions.
MageCart Compromise of Khaadi:
Incident Overview: MageCart group compromises Khaadi, a fashion retailer, leading to a card-skimming attack.
Attack Vector: Malicious script injected into the payment page captures customer card details during transactions.
Impact: Financial losses for affected customers; highlights the persistent threat of MageCart attacks on e-commerce platforms.
Affected Component: Allegra Service Desk Module in Trackplus.
Exploitation Scenario: Attackers can execute arbitrary code on the affected system.
Mitigation: Organizations using Trackplus advised to apply patches promptly. CVE-2023-50164 impacts Trackplus versions susceptible to the vulnerability.
SystemBC PowerShell Backdoor Incident:
Incident Report: Discovery of a PowerShell backdoor orchestrated through SystemBC.
Attack Vector: Usage of PowerShell for stealthy and versatile malicious activities.
Detection and Response: Organizations encouraged to enhance PowerShell script visibility and deploy security measures to detect and mitigate SystemBC-related threats.
π¨ Vulnerability of the Week
Juniper Networks has addressed a critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2024-21591, in Junos OS on SRX firewalls and EX switches. This vulnerability could allow an unauthenticated, network-based threat actor to execute a range of attacks, including denial-of-service (DoS), RCE, or potentially gain root privileges on exposed devices.
Vulnerability Details:
CVE ID: CVE-2024-21591
Vulnerability Type: Out-of-bounds write
Severity: Critical
Impact: Unauthenticated attackers could exploit this vulnerability to carry out DoS attacks, RCE attacks, or potentially gain root privileges.
Discovery: Discovered during external security research.
Affected Versions: The vulnerability affects the following Junos OS SRX Series and EX Series versions:
Junos OS versions earlier than 20.4R3-S9
Junos OS 21.2 versions earlier than 21.2R3-S7
Junos OS 21.3 versions earlier than 21.3R3-S5
Junos OS 21.4 versions earlier than 21.4R3-S5
Junos OS 22.1 versions earlier than 22.1R3-S4
Junos OS 22.2 versions earlier than 22.2R3-S3
Junos OS 22.3 versions earlier than 22.3R3-S2
Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
Patch Information: Juniper Networks has released patches for the vulnerability in the following Junos OS versions: 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases. Administrators are strongly advised to apply the patches immediately.
Mitigation Steps: In cases where immediate patching is not feasible, administrators are urged to take the following mitigation steps:
Disable the J-Web interface.
Allow access to the J-Web interface only from trusted hosts.
Current State: As of now, Juniper SIRT (Security Incident Response Team) is not aware of any malicious exploitation of this vulnerability. However, Censys reports over 10,000 exposed J-Web interfaces online, mainly in Asia (South Korea, Hong Kong, China) and the US.
— RussianPanda πΌ πΊπ¦ (@RussianPanda9xx) January 16, 2024
RussianPanda’s latest blog post delves into the technical intricacies of Atomic Stealer, the first-known stealer targeting MacOS devices. Here are the key takeaways:
Background:
Discovery: Atomic Stealer emerged in March 2023, becoming the inaugural stealer designed for MacOS.
Monetary Model: Priced at $3000 per month, users gain access to the stealer’s panel by providing a Telegram Bot ID and build ID to the seller.
Functionality and Features:
Capabilities: The stealer boasts various functionalities, including keychain dumping, system information extraction, file grabbing (Desktop, Documents), MacOS password retrieval, a user-friendly web panel, MetaMask brute-forcing, crypto-checking for assets, and Telegram logs.
Supported Browsers: The stealer supports multiple browsers, including Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, and OperaGX. Additionally, it targets various wallets and plugins.
Developer Identification: Cyble identified the Go source code path containing the username “iluhaboltov,” suggesting the developer’s name might be Ilya Boltov.
Technical Analysis:
Evolution: A new version of Atomic Stealer surfaced in December 2023, encrypting all strings using XOR operations.
Anti-VM Measures: The stealer implements anti-VM checks, with commands like “system_profiler SPHardwareDataType” to identify virtual machines.
Data Collection: Atomic Stealer collects a range of data, including Chromium-based browser information, passwords, system details, and display configurations.
Encryption Algorithm: The new version utilizes XOR operations in a specific algorithm to encrypt strings, making the decryption process more intricate.
Detection Rules and Indicators of Compromise:
Yara Rules: The blog provides Yara rules for detecting Atomic Stealer.
Indicators: Indicators of compromise include hash values for old and new versions of Atomic Stealer, C2 server IP addresses, and other reference links.
π Proxylife
A threat actor installed the PowerShell version of SystemBC as a backdoor on a recent engagement (different C2 address, but the same code as this sample here on VT [1])
An EDR product was installed on the affected host(s) after the attacker created a malicious scheduled task,β¦ pic.twitter.com/k9GrLFcAOC
During a recent engagement, a threat actor successfully installed the PowerShell version of SystemBC as a backdoor on the target system. Despite the different Command and Control (C2) address, the code matched a sample identified on VirusTotal [1]. Subsequently, an Endpoint Detection and Response (EDR) product was deployed on the affected host(s) after the attacker created a malicious scheduled task. This task periodically executed the SystemBC PowerShell code.
EDR Detection Failure: Notably, the EDR product failed to identify the malicious code or its associated behavior. This underscores the importance of thorough investigation during Incident Response engagements, emphasizing the need to rely on more than just tool-based detection.
Incident Analysis: The attacker utilized the following command to create the scheduled task:
schtasks.exe /create /sc ONSTART /tn System /tr “Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -File C:\Windows\Tasks\svchost64.ps1” /ru system
This command provides opportunities for detection through various means, and the report outlines several techniques for identifying the backdoor and traces of its installation.
Detection Opportunities:
PowerShellReadLine Log: The exact command executed by the attacker is logged within the PowerShellReadLine file, offering an initial point of detection [2].
Velocidex Hunts: Using Velocidex, specific hunts can be conducted to identify the persistence created by the attacker. Examples include hunts from DetectRaptor.Windows.Detection.Evtx [3].
AutoRuns: As a widely-used tool, AutoRuns can be employed to identify the persistence listed under Task Scheduler, providing a straightforward detection method.
Windows System TaskScheduler: By filtering for the latest installed tasks and scrutinizing those running PowerShell scripts from uncommon locations, suspicious activity related to the backdoor can be identified.
π₯· TTP Analysis
The fashion and lifestyle brand, Khaadi, operating in Pakistan, Great Britain, and UAE, is currently experiencing an ongoing compromise with MageCart, a notorious web skimming group. The compromised URLs and exfiltration URLs have been identified.
Incident Details: MageCart is actively exploiting a web skimming attack, affecting numerous e-commerce websites, including Khaadi. The attackers employ different modus operandi through various threat groups, demonstrating a high level of sophistication.
Group X:
Exploited a discontinued third-party JavaScript library called Cockpit.
Compromised over 40 e-commerce websites.
Data collected was encoded, encrypted, and sent to a Russian exfiltration server.
Some impacted websites did not remove the outdated script, contributing to the compromise.
Group Y:
Injected a Google Analytics lookalike script into home pages individually.
Loader script checks the checkout page, loading the skimmer only if necessary.
Custom version of a fake Google Analytics integration, similar to Group X.
Exfiltration to a different endpoint under the same domain.
Group Z:
Utilizes a similar methodology to Group Y and X.
Injects a malicious JavaScript initiator disguised as Google Tag Manager.
Skimmer code undergoes modifications in script structure and server structure.
Exfiltration occurs to two domains, identifying the service used to disguise and the target website.
Web Skimmer Operation Insights:
Attackers exploit defunct domains hosting popular JavaScript libraries.
Lack of website visibility into third-party scripts creates a security blind spot.
MageCart employs various tactics to inject skimming code, including disguising as discontinued libraries and injecting lookalike scripts.
Fashion and lifestyle brand @Khaadi, which operates in #Pakistan, #GreatBritain and #UAE has an ongoing compromise with #MageCart. I reported the infection weeks ago to them and CERT Pakistan but did not hear anything back. See compromised URLs and Exfil URL below: pic.twitter.com/YxDG5En5Ay
Description: A critical vulnerability has been identified in the Allegra Service Desk Module of Trackplus, tracked as CVE-2023-50164. This flaw allows remote attackers to execute arbitrary code on affected installations. Although authentication is required, the default enablement of the guest account registration exacerbates the risk.
The vulnerability originates from a flaw within the struts core dependency. Exploiting this flaw, an attacker can initiate a directory traversal, leading to the execution of arbitrary code within the application’s context.
Vendor Response: Trackplus has promptly responded to this security issue by issuing an update. Users are strongly advised to apply the necessary patches to secure their installations. Detailed information about the update can be found in the vendor’s release notes at Trackplus Release Notes.
2023-12-21: Vendor silently patches the vulnerability.
2024-01-15: Public release of advisory.
Proof of Concept: A proof of concept demonstrating the vulnerability is available in the form of a Python script, accessible at src-2024-0001.py.txt. Organizations and security professionals are urged to use this POC responsibly for testing and remediation purposes only.
Credit: This critical vulnerability was discovered by Steven Seeley of Source Incite. The dedication of security researchers such as Steven is vital in identifying and mitigating potential threats.
The vulnerability is rooted in the mishandling of emails during password reset procedures. An attacker can exploit this by providing two email addresses, where the reset code will be sent to both. By specifying the email address of the target account and the attacker’s email, the attacker can reset the administrator password. GitLab notes that two-factor authentication (2FA) mitigates this vulnerability since an attacker, even after resetting the password, won’t be able to log in without the second authentication factor.
This vulnerability was discovered by asterion04.
Payload: The payload is demonstrated using two methods:
Versions Concerned: GitLab versions from 16.1 to 16.1.5, 16.2 to 16.2.8, 16.3 to 16.3.6, 16.4 to 16.4.4, 16.5 to 16.5.5, 16.6 to 16.6.3, and 16.7 to 16.7.1 are affected.
π―οΈ The Topic of the Week
#100DaysOfYara Day 16: Do you like automatically generating Yara rules based on opcode? π»
Well me too and I've got you covered with YaraToolkit v0.4.2! I added a new feature adapted from MKyara by @jelleverg. I've loved this tool for quite some time, so it was natural to⦠pic.twitter.com/w8wpA5uN17
Are you a fan of automating Yara rule creation, especially when it comes to opcode analysis? Well, your #100DaysOfYara just got a major upgrade on Day 16! ππ»
What’s the Buzz?
Tool Unveiled: YaraToolkit v0.4.2 takes center stage, introducing a game-changing feature inspired by the renowned MKyara by @jelleverg.
Love for MKyara: The tool’s creator expresses admiration for MKyara, making it a natural choice for integration.
How to Unleash the Magic?
Sample Drop: Simply drop your code sample into the toolkit.
Offset Mastery: Specify the offset of your function or code snippet.
Size and Options: Choose the size and preferred options.
Abracadabra Moment: Witness the automated generation of Yara rules! π§ββοΈ
