Week in Overview (21 Aug-28 Aug)
XWiki Remote Code Execution (CVE-2023-35150)
The XWiki vulnerability (CVE-2023-35150) involves improper input validation within the “Invitation Application.” Authenticated attackers can exploit this flaw by manipulating requests, leading to arbitrary code execution. XWiki’s scripting feature, used to create web applications, includes an “Invitation Application” facilitating email notifications for user registration. The vulnerability arises when unvalidated user data renders a link based on unsanitized request-URIs. Successful exploitation allows an attacker to execute arbitrary code.
Malware Analysis and Dynamic Extraction of Xworm Payload
In this analysis, a bloated Golang executable is examined and an Xworm payload is extracted from it dynamically, using Procmon, Process Hacker, entropy analysis and debuggers. The 1.5GB Golang file is debloated with the “pe-debloat” tool, reducing it to 960KB. Process monitoring reveals the malware’s activities, including scheduled task creation, library loading and code execution. The .NET assemblies it loads into memory are inspected with dnSpy, revealing keylogging and system enumeration capabilities. Decrypting the embedded configuration shows that the file is a loader for Xworm and yields its C2 details.
Threat Analysis Report – StealC Malware Campaign via “Request Booking” Spam Email
This report delves into a malware campaign using “Request Booking” spam emails to spread the StealC malware. It covers the payload, URLs, and C2 server. The spam email prompts victims to download a password-protected ZIP file containing a malicious .cmd script. Upon execution, the script downloads a PowerShell script from GitHub, initiating malware infection. The report details the infection chain and offers detection guidance for the campaign’s artifacts.
Threat Analysis Report – Metamorfo (Casbaneiro) Campaign Targeting Mexico
This analysis focuses on a Metamorfo (Casbaneiro) campaign targeting Mexico. It outlines the attack’s execution chain, from phishing to payload execution. Victims are lured to a URL that delivers a .rar file and a series of scripts. AutoIt scripts and other techniques are used for persistence, eventually leading to the execution of the Metamorfo DLLs. The report provides insights into the attacker’s tactics and detection suggestions.
Incident Analysis Report – Nokoyawa Ransomware Campaign with HTML Smuggling and Rapid Execution
This incident analysis report examines a Nokoyawa ransomware campaign utilizing HTML smuggling for domain-wide ransomware deployment. The attack chain involves Excel macro and IcedID malware, with Nokoyawa ransomware executed within 12 hours of initial compromise. The report details the intrusion timeline, attacker actions, lateral movement, and the ransomware’s execution. The rapid progression from compromise to ransomware highlights the threat’s sophistication.
Key Findings
It is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate the risks associated with the vulnerabilities and threats covered this week:
XWiki CVE-2023-35150
This vulnerability report delves into a recently patched remote code execution flaw identified in the XWiki free wiki software platform. The analysis, conducted by Simon Humbert and Lucas Miller of the Trend Micro Research Team, elucidates the nature of the vulnerability, its exploitation vectors, and its potential consequences. This report offers insights into the discovered vulnerability’s characteristics and the measures taken to mitigate its impact.
Vulnerability Overview:
The vulnerability in XWiki arises due to improper input validation when processing a link within the Invitation Application. An authenticated attacker can exploit this flaw by submitting manipulated requests to the target server, eventually leading to the execution of arbitrary code.
XWiki’s Scripting and Invitation Application:
XWiki, a second-generation wiki with integrated application development capabilities, supports scripting languages like Velocity, Groovy, and Python. Its scripting feature allows users to create complex web applications within XWiki pages, making it a versatile platform. The “Invitation Application” facilitates email notifications for user registration, enabling the user to follow a link to register.
Vulnerability Exploitation:
The vulnerability stems from inadequate validation of user-controlled data in the “Invitation Application.” Requests to this application carry several parameters, and the “action” parameter dictates what the application does. If the “action” parameter is absent, the server builds a link from the request-URI and inserts it into wiki content without escaping. Because that content is then rendered by XWiki’s wiki syntax engine, an attacker can place macro syntax (for example a {{groovy}} script macro) in the request-URI, and it is evaluated during link rendering. This gives the attacker arbitrary code execution on the server.
Source Code Analysis:
The vulnerable code is found in the InvitationGuestActions.xml file. The XML snippet reveals the handling of various actions and configuration settings within the “Invitation Application.” Vulnerable code sections include the evaluation of script code and the rendering of links based on unsanitized request-URIs.
Detection Guidance:
To detect an ongoing attack exploiting this vulnerability, monitoring devices must parse traffic over HTTP (port 8080/TCP) and HTTPS (port 8443/TCP). Detection involves inspecting requests whose request-URI contains the string /xwiki/bin/view together with the request parameters “sheet” (with the value “Invitation.InvitationGuestActions”) and “xpage” (with the value “view”). A request is suspicious when its request-URI also contains the characters {{ or their URL-encoded equivalent %7B%7B.
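The detection guidance above, turned into a small request-line checker. This is an added example, not code from the Trend Micro report or from XWiki; the request lines are constructed for illustration, and the decoding loop and the “action”-based confidence level are the editor’s additions (the report only specifies the raw and single-encoded forms of {{).

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed HTTP request lines for illustration (not traffic from the report). The second
# one carries URL-encoded wiki macro syntax, {{groovy}}...{{/groovy}}, in the request-URI.
SAMPLE_REQUESTS = [
    "GET /xwiki/bin/view/Invitation/WebHome?sheet=Invitation.InvitationGuestActions&xpage=view HTTP/1.1",
    "GET /xwiki/bin/view/Invitation/%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D/WebHome"
    "?sheet=Invitation.InvitationGuestActions&xpage=view HTTP/1.1",
    "GET /xwiki/bin/view/Main/WebHome?xpage=view HTTP/1.1",
    "GET /xwiki/bin/view/Invitation/WebHome?sheet=Invitation.InvitationGuestActions&xpage=view&action=accept HTTP/1.1",
]


def fully_unquote(s, rounds=3):
    """Percent-decode until stable (bounded), so %7B%7B and %257B%257B are both seen as {{."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(request_line):
    """Apply the report's detection guidance to one request line; returns a verdict dict."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {"suspicious": False, "reason": "malformed request line"}
    target = parts[1]
    if "/xwiki/bin/view" not in target:
        return {"suspicious": False, "reason": "not an XWiki view request"}
    params = parse_qs(urlsplit(target).query)
    if params.get("sheet") != ["Invitation.InvitationGuestActions"] or params.get("xpage") != ["view"]:
        return {"suspicious": False, "reason": "not an Invitation guest-actions view"}
    if "{{" not in fully_unquote(target):
        return {"suspicious": False, "reason": "no wiki macro syntax in request-URI"}
    # The link is built from the request-URI only when no "action" parameter is sent, so that
    # is the exploitation path; with "action" present still alert, but at lower confidence.
    confidence = "high" if "action" not in params else "medium"
    return {"suspicious": True, "reason": "macro syntax {{ in request-URI", "confidence": confidence}


def scan(request_lines):
    """Return the indices of the request lines that should be alerted on."""
    return [i for i, line in enumerate(request_lines) if analyze_request(line)["suspicious"]]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(i, analyze_request(SAMPLE_REQUESTS[i]))
```

Feed it the request-URI column of your reverse-proxy or IDS logs; only the second sample trips it. Decoding repeatedly is cheap and closes the obvious double-encoding bypass of a literal %7B%7B match.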
The following domains have been identified as affected by the data leakage incident:
Incident Overview:
A data leakage incident involves the unauthorized exposure or access to sensitive and confidential information belonging to an organization. In this case, the aforementioned domains have been identified as experiencing data leakage. The nature and scope of the compromised data may vary among the affected domains, but the potential impact on each organization’s security and reputation is significant.
The cl0p ransomware group has demonstrated an evolving and adaptable modus operandi in targeting organizations for financial gain. Its focus on the MOVEit Transfer file transfer product indicates a strategic shift towards exploiting critical data transfer systems, leading to the mass theft of sensitive files, extortion based on the stolen data, and significant operational disruption.
This threat analysis report examines a new variant of the StealC malware campaign, which is being distributed via “Request Booking” spam emails. The campaign utilizes malicious payloads to compromise victims’ systems and potentially steal sensitive information. The report provides a detailed breakdown of the attack vectors, malware samples, and potential impact, along with recommendations to enhance defenses against this evolving threat.
Attack Vector:
The attack vector for this StealC campaign involves “Request Booking” spam emails, luring victims to interact with malicious content. The email prompts recipients to open a malicious link, leading to the download and execution of malicious payloads.
Malware Samples:
Payload URL: The payload is distributed via the following URL: hxxps://drive[.]google[.]com/u/0/uc?id=1k4VlfcGXyA5J7QPykz4oMO9GsCBDDyaY&export=download
Command and Control (C2) Server: The malware communicates with a C2 server located at hxxp://45[.]9[.]74[.]92/7a03fb9d4773da33.php
Attack Breakdown:
Spam Email: Victims receive a “Request Booking” spam email, enticing them to interact with malicious content.
Malicious Link: Recipients are prompted to click on a malicious link leading to the payload download URL.
Payload Download: The malicious payload is downloaded from the provided URL.
Payload Execution: The payload is executed on the victim’s system, potentially compromising their security.
C2 Communication: The malware communicates with the C2 server, establishing a connection to a remote attacker.
This threat analysis report examines a recent cyberattack campaign attributed to the Metamorfo (also known as Casbaneiro) malware targeting Mexico. The campaign involves a multi-stage execution chain, encompassing phishing, payload download, malicious script execution, and the deployment of Metamorfo malware. This report provides a detailed breakdown of the attack stages, tactics, and potential impacts, along with recommendations to enhance defenses against such attacks.
Attack Chain Overview:
Attack Stages Breakdown:
This incident analysis report delves into a sophisticated Nokoyawa ransomware campaign that utilized HTML smuggling, IcedID malware, Cobalt Strike, and swift execution to compromise target organizations. The attack, which transpired in November 2022, showcases the threat actor’s use of various tactics to achieve a domain-wide ransomware compromise within a remarkably short timeframe. The report offers insights into the attack’s lifecycle, techniques employed, and recommendations for enhancing cybersecurity practices.
Attack Lifecycle:
Initial Compromise: The attack initiated with the delivery of an HTML file, potentially via email, using HTML smuggling to evade security measures. The HTML file led to the download of a password-protected ZIP file containing an ISO file.
Payload Delivery: Inside the ZIP file, the ISO file held the IcedID malware payload. A LNK file disguised as a document was visible to the user, who interacted with it.
Payload Execution: Clicking the LNK file triggered the execution of malicious commands, copying rundll32 and a malicious DLL from the ISO to the host. The DLL established a connection to IcedID command and control servers.
Persistence and Discovery: A series of commands led to IcedID establishing persistence on the host via a scheduled task. The malware then collected system and domain information using utilities such as net, ipconfig, systeminfo, and nltest.
Cobalt Strike Engagement: After a few hours, IcedID spawned a cmd process that connected to a Cobalt Strike server, accessing LSASS and checking domain admins.
Domain Controller Access: The threat actor, using Cobalt Strike, identified domain administrators through net utility and initiated an RDP session to a domain controller. A Cobalt Strike beacon was placed on the domain controller.
Discovery and Lateral Movement: The threat actor conducted Active Directory discovery using AdFind, archived results, and performed nslookup across the network.
SessionGopher Usage: The threat actor employed encoded PowerShell (SessionGopher) on the domain controller to decrypt saved session information. Access to backup servers and file shares ensued.
Network Scan and File Movement: After a network scan, PsExec and WMIC facilitated file movement across systems. Key files included the ransomware binary and an executing batch script.
Ransomware Execution: Nokoyawa ransomware was executed on a domain controller using PsExec to initiate the process on other hosts in the domain. The ransomware attack commenced just over 12 hours after the initial infection.
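Two of the early-stage behaviours in the lifecycle above are cheap to detect from process-creation telemetry: rundll32 running from somewhere other than the system directories (the copy made from the ISO), and a burst of distinct discovery utilities from one host within minutes. The code below is an added example by the editor, not from the incident report; the events are constructed to mirror the chain described, with the tool list, 10-minute window and 3-tool threshold chosen as assumptions to tune against your own baseline.

```python
from datetime import datetime, timedelta
import ntpath

# Constructed process-creation events for illustration only (not telemetry from the report):
# a copied rundll32 loading a DLL from a user path, then a burst of discovery utilities
# spawned from the same process tree, plus benign rundll32 and ipconfig noise.
SAMPLE_EVENTS = [
    {"ts": "2022-11-01T10:02:10", "host": "WS01", "pid": 4400, "ppid": 3120,
     "image": r"C:\Users\alice\AppData\Local\Temp\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\in.dll,init"},
    {"ts": "2022-11-01T10:03:05", "host": "WS01", "pid": 4410, "ppid": 4400,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c net group "domain admins" /domain'},
    {"ts": "2022-11-01T10:03:06", "host": "WS01", "pid": 4412, "ppid": 4410,
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2022-11-01T10:03:40", "host": "WS01", "pid": 4420, "ppid": 4400,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2022-11-01T10:04:15", "host": "WS01", "pid": 4430, "ppid": 4400,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2022-11-01T10:05:02", "host": "WS01", "pid": 4440, "ppid": 4400,
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2022-11-01T10:30:00", "host": "WS01", "pid": 5200, "ppid": 1200,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": "2022-11-01T11:15:00", "host": "WS02", "pid": 900, "ppid": 880,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
]

# Discovery utilities named in the report (net/net1, ipconfig, systeminfo, nltest, AdFind, nslookup).
DISCOVERY_TOOLS = {"net", "ipconfig", "systeminfo", "nltest", "adfind", "nslookup"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def tool_name(image):
    """Normalise an image path to a bare tool name; net1 is net's helper, so fold it in."""
    name = ntpath.basename(image).lower()
    name = name[:-4] if name.endswith(".exe") else name
    return "net" if name == "net1" else name


def suspicious_rundll32(events):
    """rundll32.exe executing from anywhere but the Windows system directories."""
    return [e for e in events
            if tool_name(e["image"]) == "rundll32"
            and ntpath.dirname(e["image"]).lower() not in SYSTEM_DIRS]


def discovery_bursts(events, window_minutes=10, min_tools=3):
    """Per host, flag windows in which at least min_tools distinct discovery utilities ran."""
    by_host = {}
    for e in events:
        if tool_name(e["image"]) in DISCOVERY_TOOLS:
            by_host.setdefault(e["host"], []).append(e)
    window = timedelta(minutes=window_minutes)
    bursts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
        i = 0
        while i < len(evs):
            start = datetime.fromisoformat(evs[i]["ts"])
            j = i
            while j < len(evs) and datetime.fromisoformat(evs[j]["ts"]) - start <= window:
                j += 1
            tools = {tool_name(e["image"]) for e in evs[i:j]}
            if len(tools) >= min_tools:
                bursts.append({"host": host, "start": evs[i]["ts"], "end": evs[j - 1]["ts"],
                               "tools": sorted(tools)})
                i = j  # do not re-report the same events in an overlapping window
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for e in suspicious_rundll32(SAMPLE_EVENTS):
        print("rundll32 outside system dirs:", e["host"], e["image"])
    for b in discovery_bursts(SAMPLE_EVENTS):
        print("discovery burst:", b)
```

Only WS01 trips both checks; the lone ipconfig on WS02 and the rundll32 launched from System32 stay quiet. In a real deployment the rundll32 check is worth extending to the DLL path in the command line, since the copied rundll32 here loads a DLL from the user's Temp directory.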
This advisory report highlights a significant financial loss suffered by a user who signed a malicious Blur bid in a Non-Fungible Token (NFT) auction. The victim lost 333 ETH as a result of signing the bid. This report provides an overview of the incident, describes the impact, and offers recommendations to prevent similar incidents in the future.
The victim participated in an NFT auction and encountered a malicious bid associated with a Blur token. The bid directed 333 ETH to a suspicious NFT address, 0x7624acf79dfa4691c8fe099ffd4c66c02e478936, and by signing it the victim lost the equivalent of 333 ETH.
This advisory report provides an overview of recent threat activity involving OpenDir hosting, the deployment of CobaltStrike, the use of malicious PowerShell, and the targeting of Indian and Spanish websites with SQLMap. The identified IP address, 38.145.203.20, has been associated with these malicious activities, indicating a potential cyber threat that requires immediate attention and mitigation efforts.
Threat Overview:
Threat Details:
Threat Activity:
This advisory report highlights critical vulnerabilities in Juniper Junos OS, specifically CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, which can be chained to achieve remote code execution (RCE). This report provides details about the vulnerabilities, affected systems, potential risks, and recommended mitigation steps.
A proof of concept developed by @watchTowr chains these CVEs (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) to achieve remote code execution in Junos OS on SRX and EX Series devices.
Networking hardware company Juniper Networks recently issued an “out-of-cycle” security update to address multiple vulnerabilities present in the J-Web component of Junos OS. These vulnerabilities have the potential to be exploited together, allowing attackers to achieve remote code execution on vulnerable installations.
Juniper assigned the chained vulnerabilities a combined Common Vulnerability Scoring System (CVSS) rating of 9.8, indicating critical severity. The flaws affect all Junos OS releases on SRX and EX Series devices prior to the fixed versions.
According to the advisory released on August 17, 2023, Juniper Networks warned that “an unauthenticated, network-based attacker may be able to remotely execute code on the devices” by chaining the exploitation of these vulnerabilities.
The J-Web interface is utilized for configuring, managing, and monitoring Junos OS devices. The vulnerabilities are outlined as follows:
The potential exploit involves an attacker sending a carefully crafted request to modify certain PHP environment variables or upload arbitrary files via the J-Web interface, all without requiring any form of authentication.
The vulnerabilities have been addressed in various versions of Junos OS for both the EX Series and SRX Series. Users are highly recommended to apply the necessary updates to mitigate potential threats of remote code execution. Additionally, Juniper Networks suggests two mitigation approaches: users can either disable J-Web altogether or restrict access to the interface only from trusted hosts.
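The two mitigations Juniper suggests, expressed as Junos configuration. This is an added example by the editor, not text from Juniper’s advisory or the watchTowr write-up; the filter name PROTECT-RE, the prefix list MGMT-HOSTS and the management range 192.0.2.0/24 are assumptions, and the snippet should be checked against the release notes for your Junos version before use.

```text
## Weak setting: J-Web listening on every interface, reachable by anyone who can route to the box
user@srx> show configuration system services web-management
http;
https {
    system-generated-certificate;
}

## Option 1 (preferred until patched): disable J-Web entirely
user@srx# delete system services web-management

## Option 2: keep J-Web, but only from trusted management hosts, via a loopback (control-plane) filter
user@srx# set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
user@srx# set firewall family inet filter PROTECT-RE term jweb-trusted from source-prefix-list MGMT-HOSTS
user@srx# set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
user@srx# set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port [ 80 443 ]
user@srx# set firewall family inet filter PROTECT-RE term jweb-trusted then accept
user@srx# set firewall family inet filter PROTECT-RE term jweb-deny from protocol tcp
user@srx# set firewall family inet filter PROTECT-RE term jweb-deny from destination-port [ 80 443 ]
user@srx# set firewall family inet filter PROTECT-RE term jweb-deny then syslog
user@srx# set firewall family inet filter PROTECT-RE term jweb-deny then discard
## Final accept keeps SSH, routing protocols and everything else on the control plane working
user@srx# set firewall family inet filter PROTECT-RE term everything-else then accept
user@srx# set interfaces lo0 unit 0 family inet filter input PROTECT-RE
## Auto-rollback in 5 minutes unless confirmed, so a filter mistake cannot lock you out
user@srx# commit confirmed 5
```

The last term is deliberately an accept: a loopback filter with an implicit discard at the end also drops your SSH session and routing adjacencies. On SRX, host-inbound traffic is additionally governed by the security zone configuration, so check that J-Web (http/https system services) is only enabled in the management zone.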
The repository “winrar_CVE-2023-38831_lazy_poc”, hosted on GitHub, contains resources related to the CVE-2023-38831 vulnerability in WinRAR.
Purpose: The repository showcases a minimal (“lazy”) way to build a malicious WinRAR archive that triggers CVE-2023-38831, and provides instructions and resources for reproducing the PoC.
Contents: The repository contains a README.md file with information about the vulnerability, the PoC, and how to use it for testing purposes, along with a RAR archive named “test.rar” that can be used to test the PoC.
Motivation: Researchers publish PoCs like this to demonstrate the impact of a vulnerability and to encourage prompt patching. The “lazy” in the name refers to how little work the build takes; it does not mean the approach is comprehensive, and the archive is just as usable by an attacker as by a tester, so treat its appearance in an environment as offensive tooling.
Other exploit:
https://github.com/b1tg/CVE-2023-38831-winrar-exploit
This report provides an in-depth analysis of a complex malware sample and demonstrates the dynamic extraction of an Xworm payload from a bloated Golang file. The analysis was conducted in collaboration with Huntress Labs, utilizing tools such as Procmon, Process Hacker, Entropy Analysis, Debloating, and debuggers. The objective was to uncover the payload, analyze its capabilities, and provide insights into the malware’s behavior.
Analysis Steps and Findings:
6. .NET Assemblies: Process Hacker confirmed that the running Golang file had loaded .NET assemblies into memory, one of which was suspicious.
7. dnSpy and Source Code Inspection: dnSpy was attached to the running Golang process, allowing inspection of the source code of the loaded .NET modules. Listing the .NET modules, “anything_v” stood out.
8. Keylogging and Enumeration: The “anything_v” module contained code suggesting keylogging and enumeration capabilities of the target computer.
9. Configuration Decryption: By jumping to the entry point of “anything_v,” an encrypted configuration was revealed. It also showed the capability to create Windows Defender exclusions.
10. Dynamically Decoding Configuration: By setting a breakpoint on the decryption function and using a watch window, the decrypted configuration content was obtained from memory.
11. Xworm Malware: The decrypted configuration strongly indicated that the initial bloated file served as a loader for the Xworm Malware.
12. Creating New Detections: The extracted information, including schtasks, config folders, executed commands, and C2 info, can be leveraged to create new detections. Suggestions include identifying .com files in scheduled tasks, detecting bloated .com files (>200MB), and monitoring .com files running from %appdata%.
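The three detection suggestions in step 12, as a hunt over the output of schtasks /query /fo CSV /v. This is an added example by the editor, not code from the Huntress analysis; the CSV excerpt, the environment table and the file sizes are constructed so it runs offline (on a live host, pass os.environ and os.path.getsize instead), and the 200MB threshold is the one the analysis suggests.

```python
import csv
import io
import re

# Constructed excerpt in the shape of `schtasks /query /fo CSV /v` output (columns trimmed).
# The "\update" task is the illustrative bad one: a .com file run from %APPDATA%.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Task To Run","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\\update","%APPDATA%\\update\\svchost.com","alice"
"WS01","\\OneDrive Standalone Update Task","%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","alice"
'''

# Constructed environment and file-size table so the example runs anywhere.
SAMPLE_ENV = {"windir": r"C:\Windows",
              "APPDATA": r"C:\Users\alice\AppData\Roaming",
              "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}
SAMPLE_SIZES = {r"c:\users\alice\appdata\roaming\update\svchost.com": 300 * 1024 * 1024,
                r"c:\windows\system32\defrag.exe": 250_000}

BLOAT_THRESHOLD = 200 * 1024 * 1024  # the ">200MB" figure from the analysis


def sample_size_of(path):
    """Stand-in for os.path.getsize; returns None for files not in the constructed table."""
    return SAMPLE_SIZES.get(path.lower())


def expand_env(path, env):
    """Expand %VAR% references case-insensitively, as Windows does; unknown vars are left alone."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def executable_of(task_to_run):
    """First token of the 'Task To Run' field, honouring a quoted program path."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def parse_schtasks_csv(text):
    rows = csv.DictReader(io.StringIO(text))
    # /v output repeats the header line per task folder; drop those echoes
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def assess_task(row, env, size_of):
    """Return the list of findings for one task row (empty when the task looks normal)."""
    exe = expand_env(executable_of(row["Task To Run"]), env)
    findings = []
    if not exe.lower().endswith(".com"):
        return findings
    findings.append("scheduled task runs a .com file: " + exe)
    appdata = expand_env("%APPDATA%", env).lower()
    if exe.lower().startswith(appdata):
        findings.append(".com file runs from %APPDATA%")
    size = size_of(exe)
    if size is not None and size > BLOAT_THRESHOLD:
        findings.append("bloated .com file (>200MB): %d bytes" % size)
    return findings


def hunt(csv_text, env, size_of):
    """Map task name -> findings for every task that trips at least one check."""
    results = {}
    for row in parse_schtasks_csv(csv_text):
        findings = assess_task(row, env, size_of)
        if findings:
            results[row["TaskName"]] = findings
    return results


if __name__ == "__main__":
    for task, findings in hunt(SAMPLE_SCHTASKS_CSV, SAMPLE_ENV, sample_size_of).items():
        print(task)
        for f in findings:
            print("  -", f)
```

Run the real thing with hunt(open("tasks.csv").read(), os.environ, os.path.getsize) after exporting the task list; only the "\update" task is flagged in the sample, and it trips all three checks.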