InfoSec Weekly
November 26, 2023
Table Of Contents
New ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government
Description
An undisclosed government entity in Afghanistan recently faced a sophisticated cyberattack involving a newly discovered web shell named “HrServ.” This dynamic-link library (DLL) named “hrserv.dll” exhibits advanced features, including custom encoding methods, indicating a high level of sophistication. Kaspersky identified malware variants dating back to early 2021, hinting at a prolonged and covert campaign.
The attack utilized the PAExec tool to create a scheduled task masquerading as a Microsoft update, executing a Windows batch script that initiated the HrServ web shell as an HTTP server. The web shell’s obfuscation techniques, such as mimicking Google services in HTTP requests, make it challenging to distinguish malicious from benign network traffic.
The HrServ web shell, once activated, allows threat actors to perform various post-exploitation activities. The threat actor’s identity remains unknown, but typos in the source code suggest a non-native English speaker. While exhibiting traits of financially motivated malicious activity, the malware’s operational methodology shares similarities with advanced persistent threat (APT) behavior.
Infected Technology
Microsoft Windows servers and systems, exploiting vulnerabilities in Microsoft’s update mechanisms.
Source
https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html
Recommendation
Regularly update and patch software to address vulnerabilities.
Hackers Exploiting Windows SmartScreen Zero-day Flaw to Deploy Remcos RAT
Description
Microsoft’s recent Patch Tuesday addressed several security patches, including three zero-day vulnerabilities. Among these was CVE-2023-36025, impacting Windows SmartScreen. Rated at 8.8 (High) severity, it was actively exploited by threat actors. This particular vulnerability involved a security bypass that required user interaction for unauthorized exploitation.This vulnerability enables a threat actor to create specific files or links that evade SmartScreen’s protective alerts. In this case, the exploit involved a manipulated Internet Shortcut File (.URL) that bypasses SmartScreen’s validation process.This malicious file could first arrive via phishing emails or compromised websites. If a user downloads and clicks on the harmful internet shortcut file, it triggers the payload, granting the threat actor access.
Infected Technology
Microsoft Products
Source
https://cybersecuritynews.com/hackers-windows-smartscreen-zero-day/
Recommendation
Windows system administrators are highly advised to apply the latest security patches.
CVE ID
CVE-2023-36025
Critical Vulnerabilities Expose ownCloud Users to Data Breaches
Description
OwnCloud, an open-source file-sharing software, has identified three critical security vulnerabilities. The first flaw in graphapi versions 0.2.0 to 0.3.0 allows disclosure of sensitive credentials in containerized deployments. OwnCloud recommends deleting a specific file and disabling ‘phpinfo’ to address this issue. The second vulnerability, affecting core versions 10.6.0 to 10.13.0, enables file access without authentication if the victim’s username is known and no signing-key is configured. The third flaw in oauth2 prior to version 0.6.1 allows a subdomain validation bypass, with ownCloud advising users to disable “Allow Subdomains” as a workaround. Concurrently, a proof-of-concept exploit for a critical remote code execution vulnerability (CVE-2023-43177) in CrushFTP, allowing unauthorized access and password acquisition, has been addressed in version 10.5.2, released on August 10, 2023. CrushFTP highlights the severity of this vulnerability, emphasizing its potential to be exploited without authentication, posing a significant risk of session theft and escalation to an administrator user.
Infected Technology
OwnCloud Open-source file-sharing software
Source
https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html
Recommendation
Upgrade to CrushFTP verion 10.5.2
CVE ID
CVE-2023-43177
LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In
Description
Multiple threat actors, including affiliates of the LockBit ransomware group, are actively exploiting a recently disclosed critical security vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler application delivery control (ADC) and Gateway appliances. The joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) emphasizes the severity of the issue, with a CVSS score of 9.4. Known as Citrix Bleed, this vulnerability enables threat actors to bypass password requirements and multifactor authentication, leading to the hijacking of legitimate user sessions. This unauthorized access grants attackers elevated permissions, allowing them to harvest credentials, move laterally within the network, and access sensitive data and resources. Although Citrix addressed the vulnerability last month, it was weaponized as a zero-day exploit since at least August 2023. LockBit, among other threat actors, has been observed exploiting the flaw to execute PowerShell scripts and deploy remote management and monitoring tools for further malicious activities. This incident underscores the ongoing risk posed by vulnerabilities in exposed services, serving as a primary entry vector for ransomware attacks. In a broader context, a comparative study by Check Point reveals a rising trend in Linux-targeting ransomware attacks, primarily focused on medium and large organizations. The study notes a simplification trend in these Linux ransomware families, relying on basic encryption processes and legitimate system tools, making them both more reliant on external configurations and scripts and more adept at flying under the radar.
Infected Technology
Citrix NetScaler
Source
https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html
Recommendation
Update to the lastest patched version.
CVE ID
CVE-2023-4966
Exploits CVE-2023-36884 and CVE-2023-36584 in Windows Search RCE Attack Chain
Description
CVE-2023-36884 and CVE-2023-36584 are being in an attack chain. CVE-2023-36884, rated 8.8 (High), is an RCE vulnerability, and CVE-2023-36584, rated 5.4 (Medium), is a security bypass vulnerability. The attack begins with a .docx file, leveraging malicious OLE objects in an RTF file to request content from specific URLs. The chain involves exploiting Windows Search, leaking NTLM credentials, and utilizing a new MotW bypass. Palo Alto’s comprehensive report details the attack chain, exploitation techniques, and indicators of compromise.
Infected Technology
Windows Search, OLE objects, CVE-2023-36884, CVE-2023-36584
Source
https://cybersecuritynews.com/office-document-to-exploit-windows-search/
Recommendation
Absence of in-tree storage plugins and upgrading to Kubernetes CSI v1.27
CVE ID
CVE-2023-36884, CVE-2023-36584
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us