InfoSec Weekly

November 26, 2023

New ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government

Description

An undisclosed government entity in Afghanistan recently faced a sophisticated cyberattack involving a newly discovered web shell named “HrServ.” This dynamic-link library (DLL) named “hrserv.dll” exhibits advanced features, including custom encoding methods, indicating a high level of sophistication. Kaspersky identified malware variants dating back to early 2021, hinting at a prolonged and covert campaign.

The attack utilized the PAExec tool to create a scheduled task masquerading as a Microsoft update, executing a Windows batch script that initiated the HrServ web shell as an HTTP server. The web shell’s obfuscation techniques, such as mimicking Google services in HTTP requests, make it challenging to distinguish malicious from benign network traffic.

The HrServ web shell, once activated, allows threat actors to perform various post-exploitation activities. The threat actor’s identity remains unknown, but typos in the source code suggest a non-native English speaker. While exhibiting traits of financially motivated malicious activity, the malware’s operational methodology shares similarities with advanced persistent threat (APT) behavior.
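The description above gives a defender two observable pivots: a scheduled task registered by a remote-execution tool (PAExec) and a task name that imitates a Microsoft update while actually running a batch script. The following triage routine is an added example written for this digest; it is not code from Kaspersky's report or from the newsletter. It works on simplified, constructed task-creation records (in a real deployment the fields would come from Windows Security event 4698 or the TaskScheduler operational log), and the "trusted directories" list, the task-name keywords and all sample values are assumptions chosen for illustration.

```python
"""Heuristic triage of scheduled-task creation records (added example).

Assumptions (not from the original article): records are modelled as a
simple dataclass; real data would be extracted from event 4698 or the
Microsoft-Windows-TaskScheduler/Operational log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class TaskCreation:
    task_name: str        # registered task path, e.g. "\Microsoft\Windows\..."
    creator_process: str  # image of the process that registered the task
    action: str           # command line the task executes


# Where genuine Microsoft maintenance tasks are expected to run from (assumption).
TRUSTED_ACTION_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

UPDATE_WORDS = re.compile(r"(microsoft|windows|update|upgrade)", re.IGNORECASE)
REMOTE_EXEC_TOOLS = re.compile(r"(paexec|psexec)", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs)\b", re.IGNORECASE)
FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def first_token(command: str) -> str:
    """Return the executable part of a command line (quoted or bare)."""
    m = FIRST_TOKEN.match(command.strip())
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower()


def triage(rec: TaskCreation) -> list[str]:
    """Return human-readable reasons the record deserves analyst attention.

    An empty list means none of the heuristics fired.
    """
    reasons: list[str] = []
    if REMOTE_EXEC_TOOLS.search(rec.creator_process):
        reasons.append("task registered by a remote-execution tool (PAExec/PsExec)")

    looks_like_update = bool(UPDATE_WORDS.search(rec.task_name))
    runs_script = bool(SCRIPT_EXT.search(rec.action))
    # A bare "cmd.exe" with no directory is deliberately treated as untrusted:
    # legitimate update tasks reference a full path under a system directory.
    from_trusted_dir = first_token(rec.action).startswith(TRUSTED_ACTION_DIRS)

    if looks_like_update and runs_script:
        reasons.append("update-themed task name but the action is a script")
    if looks_like_update and not from_trusted_dir:
        reasons.append("update-themed task whose action runs outside trusted directories")
    return reasons


def flagged(records: list[TaskCreation]) -> list[str]:
    """Names of all records for which at least one heuristic fired."""
    return [r.task_name for r in records if triage(r)]


# Constructed sample records; none of these values come from the article.
SAMPLE = [
    TaskCreation(r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\usoclient.exe StartScan"),
    TaskCreation(r"\MicrosoftUpdate",
                 r"C:\Windows\paexec-1234-host.exe",
                 r"cmd.exe /c C:\Users\Public\update.bat"),
    TaskCreation(r"\Backup\NightlyCopy",
                 r"C:\Windows\System32\schtasks.exe",
                 r"C:\Scripts\backup.bat"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.task_name, "->", triage(rec) or "clean")
```

Only the second record is flagged: the genuine Windows Update task runs a system binary from a trusted directory, and the nightly backup runs a batch file but makes no attempt to look like an update. The point of the heuristic is the combination of masquerade theme and unusual action or creator, not any one field alone.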

Infected Technology

Microsoft Windows servers and systems, exploiting vulnerabilities in Microsoft’s update mechanisms.

Source

https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html

Recommendation

Regularly update and patch software to address vulnerabilities.


Hackers Exploiting Windows SmartScreen Zero-day Flaw to Deploy Remcos RAT

Description

Microsoft’s recent Patch Tuesday included several security patches, among them fixes for three zero-day vulnerabilities. One of these was CVE-2023-36025, affecting Windows SmartScreen. Rated 8.8 (High) severity, it was actively exploited by threat actors. The vulnerability is a security-feature bypass that requires user interaction: a threat actor can craft specific files or links that evade SmartScreen’s protective alerts. In this case, the exploit involved a manipulated Internet Shortcut File (.URL) that bypasses SmartScreen’s validation process. The malicious file could first arrive via phishing emails or compromised websites. If a user downloads and clicks on the harmful internet shortcut file, it triggers the payload, granting the threat actor access.
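Because the lure in this campaign is an Internet Shortcut (.URL) file that arrives by email or download, one cheap defensive control is to triage such attachments before they reach a user. The routine below is an added example, not code from the article or from Microsoft; it assumes that a shortcut intended to open a web page should point at an http(s) target, and treats anything else (a `file:` scheme, a UNC path in `IconFile` or `WorkingDirectory`) as grounds for quarantine. The sample shortcut contents are constructed for the example.

```python
"""Triage of Internet Shortcut (.URL) attachments (added example).

.URL files are INI-style text with an [InternetShortcut] section, so the
standard-library configparser is enough to read them. The heuristics are
assumptions chosen for illustration, not a description of the CVE itself.
"""
from __future__ import annotations

import configparser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")
PATH_KEYS = ("IconFile", "WorkingDirectory")


def triage_url_shortcut(text: str) -> list[str]:
    """Return reasons to quarantine the shortcut; empty list means it looks benign."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        # Anything that is not a well-formed INI file is not a normal shortcut.
        return ["malformed .URL file"]
    if "InternetShortcut" not in parser:
        return ["missing [InternetShortcut] section"]

    section = parser["InternetShortcut"]
    reasons: list[str] = []

    target = section.get("URL", "")
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"target scheme {scheme or '(none)'!r} is not http(s): {target}")

    # Keys that can carry a filesystem or network path should not point off-host.
    for key in PATH_KEYS:
        value = section.get(key, "")
        if value.startswith("\\\\") or value.lower().startswith("file:"):
            reasons.append(f"{key} references a network or local path: {value}")
    return reasons


# Constructed samples (203.0.113.0/24 is a documentation range, not a real host).
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.5/share/document\n"
    "IconFile=\\\\203.0.113.5\\share\\icon.ico\n"
    "IconIndex=0\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", triage_url_shortcut(body) or "no findings")
```

Run against a mail gateway's attachment stream, this kind of check does not need to know how SmartScreen's validation was bypassed: it simply refuses to deliver shortcuts whose target or icon lives anywhere other than an http(s) URL, which is the case for essentially every legitimate .URL file.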

Infected Technology

Microsoft Products

Source

https://cybersecuritynews.com/hackers-windows-smartscreen-zero-day/

Recommendation

Windows system administrators are highly advised to apply the latest security patches.

CVE ID

CVE-2023-36025


Critical Vulnerabilities Expose ownCloud Users to Data Breaches

Description

ownCloud, an open-source file-sharing software, has identified three critical security vulnerabilities. The first flaw, in graphapi versions 0.2.0 to 0.3.0, allows disclosure of sensitive credentials in containerized deployments. ownCloud recommends deleting a specific file and disabling ‘phpinfo’ to address this issue. The second vulnerability, affecting core versions 10.6.0 to 10.13.0, enables file access without authentication if the victim’s username is known and no signing-key is configured. The third flaw, in oauth2 prior to version 0.6.1, allows a subdomain validation bypass, with ownCloud advising users to disable “Allow Subdomains” as a workaround. Concurrently, a proof-of-concept exploit for a critical remote code execution vulnerability (CVE-2023-43177) in CrushFTP, allowing unauthorized access and password acquisition, has been addressed in version 10.5.2, released on August 10, 2023. CrushFTP highlights the severity of this vulnerability, emphasizing its potential to be exploited without authentication, posing a significant risk of session theft and escalation to an administrator user.

Infected Technology

ownCloud open-source file-sharing software

Source

https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html

Recommendation

Upgrade to CrushFTP version 10.5.2

CVE ID

CVE-2023-43177


LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Description

Multiple threat actors, including affiliates of the LockBit ransomware group, are actively exploiting a recently disclosed critical security vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances. The joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) emphasizes the severity of the issue, with a CVSS score of 9.4.

Known as Citrix Bleed, this vulnerability enables threat actors to bypass password requirements and multifactor authentication, leading to the hijacking of legitimate user sessions. This unauthorized access grants attackers elevated permissions, allowing them to harvest credentials, move laterally within the network, and access sensitive data and resources. Although Citrix addressed the vulnerability last month, it was weaponized as a zero-day exploit since at least August 2023. LockBit, among other threat actors, has been observed exploiting the flaw to execute PowerShell scripts and deploy remote management and monitoring tools for further malicious activities. This incident underscores the ongoing risk posed by vulnerabilities in exposed services, which serve as a primary entry vector for ransomware attacks.

In a broader context, a comparative study by Check Point reveals a rising trend in Linux-targeting ransomware attacks, primarily focused on medium and large organizations. The study notes a simplification trend in these Linux ransomware families, which rely on basic encryption processes and legitimate system tools, making them both more dependent on external configurations and scripts and more adept at flying under the radar.

Infected Technology

Citrix NetScaler

Source

https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html

Recommendation

Update to the latest patched version.

CVE ID

CVE-2023-4966


Exploits CVE-2023-36884 and CVE-2023-36584 in Windows Search RCE Attack Chain

Description

CVE-2023-36884 and CVE-2023-36584 are being exploited together in an attack chain. CVE-2023-36884, rated 8.8 (High), is an RCE vulnerability, and CVE-2023-36584, rated 5.4 (Medium), is a security bypass vulnerability. The attack begins with a .docx file, leveraging malicious OLE objects in an RTF file to request content from specific URLs. The chain involves exploiting Windows Search, leaking NTLM credentials, and utilizing a new MotW (Mark of the Web) bypass. Palo Alto’s comprehensive report details the attack chain, exploitation techniques, and indicators of compromise.

Infected Technology

Windows Search, OLE objects, CVE-2023-36884, CVE-2023-36584

Source

https://cybersecuritynews.com/office-document-to-exploit-windows-search/

Recommendation

Absence of in-tree storage plugins and upgrading to Kubernetes CSI v1.27

CVE ID

CVE-2023-36884, CVE-2023-36584


