Backdoor.Win32.Cafeini.b malware suffers from a man-in-the-middle vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/851f8945d1b5923990f4722d627156a0_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Port Bounce ScanDescription: The malware runs an FTP server on TCP port 23. Third-party adversaries who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.Family: CafeiniType: PE32MD5: 851f8945d1b5923990f4722d627156a0Vuln ID: MVID-2022-0569Disclosure: 04/26/2022Exploit/PoC:C:\>nmap -n -Pn -b test:test@192.168.18.125:23  -p21,22,80 192.168.18.237 -vStarting Nmap 7.80 ( https://nmap.org ) at 2022-04-20 14:50 UTC-11Resolved FTP bounce attack proxy to 192.168.18.125 (192.168.18.125).Attempting connection to ftp://test:test@192.168.18.125:23Connected:220 CAFEiNi 1.1 FTP serverLogin credentials accepted by FTP server!Initiating Bounce Scan at 14:50Removed 22Changed my mind about port 22Removed 21Changed my mind about port 21Discovered open port 80/tcp on 192.168.18.237Completed Bounce Scan at 14:50, 2.21s elapsed (3 total ports)Nmap scan report for 192.168.18.237Host is up.PORT   STATE  SERVICE21/tcp closed ftp22/tcp closed ssh80/tcp open   httpRead data files from: C:\Program Files (x86)\NmapNmap done: 1 IP address (1 host up) scanned in 11.39 secondsDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b Man-In-The-Middle

Trojan-Downloader.Win32.Small.ahlq malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/d859ba54086fd0313dc34b73b5b1eccb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.Small.ahlqVulnerability: Insecure Permissions Description: the malware creates a directory with insecure permissions under c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: SmallType: PE32MD5: d859ba54086fd0313dc34b73b5b1eccbVuln ID: MVID-2022-0567Disclosure: 04/26/2022Exploit/PoC:C:\>cacls TempC:\Temp BUILTIN\Administrators:(OI)(CI)(ID)F        NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F        BUILTIN\Users:(OI)(CI)(ID)R        NT AUTHORITY\Authenticated Users:(ID)C        NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)CC:\>dir Temp Volume in drive C has no label. Directory of C:\Temp04/14/2022  04:03 AM           761,344 vjrgq12Server_Setup.exe               1 File(s)        761,344 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Downloader.Win32.Small.ahlq Insecure Permissions

Third party file and theft

Doubts have arisen about the veracity of research that purportedly demonstrates a serious vulnerability involving VirusTotal, a Google-owned antivirus comparison and threat intel service.

VirusTotal (VT) offers a service that allows security researchers, sysadmins, and the like to analyze suspicious files, domains, IPs, and URLs through an aggregated service that bundles close to 70 antivirus products and scan engines.

Samples submitted through the service are automatically shared amongst the security community including, but not limited to, the vendors who maintain scanning engines used by VT.

Catch up on the latest cybersecurity industry news and analysis

In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within \[the\] VirusTotal platform and gain access to its various scans capabilities”.

The attack relies on a doctored DJVU file with a malicious payload added to the file’s metadata. This payload relies on the CVE-2021-22204 vulnerability in a metadata analysis tool, Exiftool, to then achieve remote code execution (RCE) and a remote shell.

Cysource researchers’ findings were submitted via Google’s VRP in April 2021 and resolved a month later.

But rather than demonstrating a way to weaponize VirusTotal, as they suggest, all Cysource has shown is a means to hack an unpatched, third-party antivirus toolbox, according to VirusTotal.

**Debunked**

In a rebuttal of the research posted as a thread on Twitter, Bernardo Quintero, VirusTotal’s founder, said that the code executions are happening on third-party scanning systems that take and analyze samples obtained from VT rather than VirusTotal itself.

VirusTotal makes no use of the vulnerable version of the Exiftool and, furthermore, none of the affected machines were maintained by VT, according to Quintero.

Quintero said that he informed the researchers of this in response to their initial disclosure last May. He criticised their decision to publish what he argues are misleading findings regardless as “fake news”.

“None \[of the\] reported machine was from VT and the ‘researchers’ knew it,” according to Quintero.

The Daily Swig has contacted Cysource for a response to this criticism and will update this story as and when more information comes to hand.

YOU MAY ALSO LIKE Java encryption implementation error made it trivial to forge credentials

VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

**Conversation**

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

schmichael added a commit to hashicorp/nomad that referenced this pull request

Jan 12, 2022

 jba mentioned this pull request

Apr 27, 2022

CVE-2022-29810: Redact SSH key from URL query parameter by macedogm · Pull Request #348 · hashicorp/go-getter

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Redact SSH key from URL query parameter #348**

Conversation 5 Commits 2 Checks 0 Files changed

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

Tenable today announced it will add external attack surface management to its various cybersecurity offerings with a $44.5 million acquisition of Bit Discovery.

The company said it will fold Bit Discovery's Internet-facing system security capabilities into its existing portfolio of internal asset management products to offer a more comprehensive attack surface view.

“Whatever is visible on the internet is very likely to be the first target and the hardest thing for organizations to continuously see and assess," Tenable's chief technology officer Glen Pendley said in a statement announcing the deal. "We believe attack surface management is vital to modern cybersecurity and an integral part of our vulnerability and Cyber Exposure solutions."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tenable Acquires External Attack Surface Management Vendor for $44.5M

By Waqas
The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve…
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Reported in Google’s VirusTotal

**The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.**

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

**How Could the Vulnerability be Exploited?**

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

> “Instead of ExifTool detecting the metadata of the file, it executes our payload.”
> 
> CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

**More Vulnerability News on Hackread.com**

1.  Hackers mining Monero on Microsoft SQL databases for last 2 years
2.  Hackers are using a 19-year-old WinRAR bug to install nasty malware
3.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5.  Google Drive accounted for 50% of malicious Office document downloads

**Google Released Patch after Eight Months**

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

![](https://secure.gravatar.com/avatar/cf728b76a63b387b11edeafcb1b9b654?s=100&d=wavatar&r=g)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#mac