On December 7, 2021, Google announced it had sued two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy -- a 14-year-old anonymity service that rents hacked PCs to cybercriminals -- suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

On December 7, 2021, **Google** announced it was suing two Russian men allegedly responsible for operating the **Glupteba** botnet, a global malware menace that has infected millions of computers over the past decade. That same day, **AWM Proxy** — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at **Kaspersky Lab** showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by **TDSS** (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at **ESET** found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned **Meris**, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “**RSOCKS**” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from **Riley Kilmer**, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

**IF YOUR PLAN IS TO RIP OFF GOOGLE…**

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in **AD1\[.\]ru**, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (**UA-3816536**).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar **Domenadom\[.\]ru**, and the website **web-site\[.\]ru**, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers **techplast\[.\]ru** and **tekhplast.ru** — also shared a different Google Analytics code (**UA-1838317**) with web-site\[.\]ru and with the domain “**starovikov\[.\]ru**.”

The name on the WHOIS registration records for the plastics domains is an “**Alexander I. Ukraincki**,” whose personal information also is included in the domains tpos\[.\]ru and alphadisplay\[.\]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “**uai@**” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). \[Full disclosure: Constella is currently an advertiser on this website\].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “**2222den**” and “**2222DEN**.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “**dennstr**.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site\[.\]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address **lycefer@gmail.com**. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and **starovikov\[.\]com**.

A cached copy of the contact page for Starovikov\[.\]com shows that in 2008 it displayed the personal information for a **Dmitry Starovikov**, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site\[.\]ru)was registered in 2005 to two men, one of whom was named **Dmitry Sergeevich Starovikov**.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

The Link Between AWM Proxy & the Glupteba Botnet

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

Post Reply

*   Print view

Advanced search

2 posts • Page **1** of **1**

H00K1998

**Posts:** 5

**Joined:** Sat Jun 04, 2022 8:14 am

**There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy**

*   Quote

Post by **H00K1998** » Sat Jun 04, 2022 8:24 am

Hello, I seem to encounter a stack overflow vulnerability in the process of fuzz test (afl++), can you take a look

Enjoy:)

Attachments

poc-images.7z

(188.3 KiB) Downloaded 4 times

Top

derekn

**Posts:** 757

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy**

*   Quote

Post by **derekn** » Thu Jun 09, 2022 7:58 pm

That's due to an object loop in the PDF file. I'm planning to implement a more robust loop checker in Xpdf 5.

Top

Post Reply

*   Print view

Display: Sort by: Direction:

2 posts • Page **1** of **1**

Return to “Xpdf open source”

Jump to

*   XpdfReader
*   Xpdf open source

CVE-2022-33108: There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy

The No cON Name 2022 call for papers has been announced. It will be held in Barcelona, Spain, from November 24th through the 26th, 2022.

    No cON Name 2022 - Barcelona*****************************************  Call For Papers        ******************************************https://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hackingand Security Conference in Span. Our goal is to get highly qualified requestsfor both, speaker opportunities, as well as workshops, to show in one of  themost  respected hacker conferences in  Barcelona and Spain, NcN (No cONName). We will cellebrate as the last edition, 2 tracks:     * Privacy and net neutrality Track. (November 24th)     * Cybersecurity Track (November 25-26th)We will be accepting exclusively technical  presentations, proof of concept for,private  investigations  and  solutions  for  professionals related  to the  ITsecurity scene. Under no circumstance we will be selecting any proposal which iscommercially targeted, our main goal is to share knowledge in a well-establishedcommunity.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts,  screenshots,     evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be submitted  before thedeadline (September 1st, detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that  will  be     delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: september the 15th. All the material     that will be  presented to the organization  must be delivered, otherwise it     will be possible to  grant other applicants your place. You have to plan the     day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, twitter account, Facebook,etc.  Name & Surname*  Alias *  Email *  Phone nº *  Twitter id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation): Between  20 or 45 minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal *                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits *                  List  the   benefits  your presentation  will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   -  New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.   - Covid-19 App vulnerabilities     * DEADLINES   - CFP Requests closing: September 15th 2022.   - CFP Approval: September, 25th 2022.   - Materials presentation due: October, 1st  2022   - Conference's date: November, 24,25,26th 2022     * SENDING YOUR CFPAll requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/Fill in the form  and upload necessary files and you are  all set (some parts of website are in sspanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the follo-wing score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40%     presentation   - Stating your key-points of your proposal without going deep into detail  20%   - Briefing quality of your draft (proof of concept in  briefing is highly  15%     appreciated)   - State  field where your investigation  was made, ie:hardware, software,  10%     industry.   - Your speaking reputation                                                 10%   - Relevant topic proposed by the No cON Name staff               5%

No cON Name 2022 Barcelona Call For Papers

Red Hat Security Advisory 2022-5236-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:5236-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5236  
Issue date:        2022-06-28  
CVE Names:         CVE-2022-1729 CVE-2022-1966   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: race condition in perf_event_open leads to privilege escalation  
(CVE-2022-1729)

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-1966)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z15 source tree (BZ#2081074)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2086753 - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation  
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/cve/CVE-2022-1966  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrr1h9zjgjWX9erEAQgoug//X+2272c6fT57aJDp7fTx1jWR/C1btEgx  
1ntHeoWo63OEPOTEBBvzumm8Snc3ha3Si5rLUED4jFqrZF2x4tL5ysPdZVzmEhKb  
TbRs6qvO4DaC8DRiPDlCMRjTyr6LALFkukVZnNp27pdfIQaPAZT2rw5vqM9eBxaP  
ujhlJHF+UhxhjczV5maDObvtqv9tXw4aAcCSwLJ3G7DjIIjclYZVCZyQ2vutMR2v  
mdUcCYJ0FpT5AdgyqJAytVHBg3SuqocWECvcgo81v5OyVRpJSPISr8QJ9A7ArRmP  
Opgc9eGp0VUZST/YEn5moJohXQ3CP7A7plg9HUjo6wSqMjaoYuA6O55htGP4cMu0  
q2fnnrhQNDTqmMr3mdtnvJegzDbgkm4BiGUagpzu8KzCiDuQICWtKpD7yR5nWeeU  
8rCy4gG2umSyy3YIbYQBUw1dpDyQGZEx1rkCb7E9Q+dY6V+kfY9VOdayL9lwKjDB  
hiXCR4CJI7VhAUx8vBZJjjDKuZsPps/C/qgFnuAozXi9zseeCvi8oaqwAfFOlWN1  
9yJjElvhMj8/KZBK+sILO/mBjyTzZWrWseMkqgoULpmKwDjx5JsyOyfGiPbsEfnm  
IA1ytujJQbZLDODOIsx+9RqH20eMylVIzkVaNte1nBZoHJwY525CNMZmirnF9zHu  
SsJW0x6Eodc=  
=ZYzg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5236-01

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

@@ -298,6 +298,18 @@ public function \_\_construct(array $attributes = null)

$this\->setFontDir($rootDir . "/lib/fonts");

$this\->setFontCache($this\->getFontDir());

  

$ver = "";

$versionFile = realpath(\_\_DIR\_\_ . "/../VERSION");

if (file\_exists($versionFile) && ($version = trim(file\_get\_contents($versionFile))) !== false && $version !== '$Format:<%h>$') {

$ver = "/$version";

}

$this\->setHttpContext(\[

"http" => \[

"follow\_location" => false,

"user\_agent" => "Dompdf$ver https://github.com/dompdf/dompdf"

\]

\]);

  

if (null !== $attributes) {

$this\->set($attributes);

}

CVE-2022-0085: Add a default context · dompdf/dompdf@bb1ef65

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

Deliveries of prepared meals to thousands of vulnerable people in England continue to be disrupted following a “sophisticated” cyber-attack on food distributor Apetito.

Apetito’s impacted UK arm delivers ready meals to hospitals, care homes, schools, childcare facilities, and the homes of vulnerable people across the west of England.

In an update (PDF) posted to its website yesterday (June 27), Paul Freeston, chair and CEO of Apetito UK and North America, reiterated that the firm would be unable to fulfill deliveries until and including Thursday June 30 following the cyber-attack over the weekend.

He advised customers with “deliveries on these days to make contingency plans”.

Freeston added that “a limited number of test deliveries from a manual system will be made tomorrow”, and if successful, “we hope to extend \[this system\] further this week”.

**Emergency procedures**

Freeston said on Sunday that the company had activated “emergency procedures” to ensure “most” customers of meals on wheels (home-delivered hot food) should still receive a meal – “although it may not be the meal they chose”.

Apetito subsidiary Wiltshire Farm Foods, which delivers frozen ready meals to the homes of mostly vulnerable people, usually seniors, managed to make “a limited number of local deliveries” yesterday using “a manual work-around system” that would “continue this week”.

Read more of the latest cyber-attack news

As expected, Monday’s Apetito deliveries to businesses, including other ‘meals-on-wheels’ operators, proceeded normally “as these orders were already picked” before systems were disrupted.

On the production front, “a significant but restricted” program was up and running as of yesterday.

Meal orders submitted by businesses after 7.30pm on Friday “should be assumed not to have been received”, said Freeston.

Wiltshire Farm Foods is apparently unable to take orders over the phone or via its website and app, with fulfilment new orders expected to resume from July 4.

**‘Designed to extort money’**

Apetito, announced on Sunday (June 26) that it shut down many IT systems following the cyber-attack, which was “designed to extort money from the company”.

The company said it was “building new hardware and software to replace the affected systems”, which did not include its UK Microsoft systems, while “email communication is fully functional”.

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

It was also “seeking to establish whether any personally identifiable information (PII) has been compromised” and would alert customers and the Information Commissioner’s Office (ICO) if necessary.

Freeston said he was confident that payment card data was not compromised since this data was not held on Apetito’s systems.

“Our crisis management team is meeting multiple times each day to review progress, direct resources and respond to emerging issues”, he continued, adding that Apetito would continue providing updates at least daily.

“I would like to thank our customers and other contacts who are being so supportive during this issue. Our team continue to work tirelessly on the recovery and I am very grateful for their amazing efforts.”

Apetito declined to comment further when contacted by The Daily Swig.

YOU MIGHT ALSO LIKE Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.

Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.

According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.

****Bug Exploited to Plant Ransomware**  **

Researcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.

The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.

“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennet wrote in a blog post.

The exploit involves two GET requests. The first one targets a “get\_url” parameter of a PHP file and the second one originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl\_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.

Once the reverse shell was established, the attacker created a web shell named “pdf\_import.php”. The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.

The Crowdstrike also identifies anti-forensic techniques performed by the threat actors to conceal the activity.

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.

****Vulnerable Mitel Devices on Shodan****

The security researcher Kevin Beaumont shared a string “http.html\_hash:-1971546278” to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.

****Mitel Mitigation Recommendations** **

Crowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.

Mitel VoIP Bug Exploited in Ransomware Attacks

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

The number of new ransomware families and unique variants has fallen over the last year, according to new research from WithSecure.

The company, formerly known as F-Secure Business, says in its latest Ransomware Threat Update (PDF) that the number of new families and unique variants appearing each year peaked around 2017, but stayed relatively stable for most of the second half of the last decade.

Last year, though, saw a significant drop in the amount of new ransomware families discovered by the researchers.

The main reason, says the firm, appears to be a consolidation of efforts by attackers, who are increasingly exploiting off-the-shelf Ransomware-as-a-Service (RaaS) packages.

**RELATED** DBIR 2022: Ransomware surge increases global data breach woes

“These days, cybercriminals are often operating as organisations, and they want to maximise their ROI,” Paolo Palumbo, vice president of WithSecure’s Tactical Defense Unit, tells _The Daily Swig_.

“In this sense, they are focusing their resources on getting a foothold in a victim’s system, rather than developing their own ransomware. People often forget that this isn’t a game of who makes the best ransomware – it’s about getting money out of victims.”

**Rise of RaaS**

Importantly, Palumbo says that the fall in the number of ransomware families doesn’t necessarily imply a fall in the number of attackers.

“Like many other businesses, cybercriminals are taking advantage of specialist tech vendors who prepare readily-available platforms to conduct these types of scams and attacks,” he says.

“But we shouldn’t assume it makes the users of these systems incompetent or any less expert.”

Read more of the latest infosec research news

Ransomware was the most widespread threat type identified in 2021, accounting for nearly 17% of identified threats.

And WannaCry was the most prevalent ransomware family – by a considerable margin, accounting for more than half of non-generic ransomware detections.

This was followed by three RaaS families: GandCrab, REvil, and Phobos.

**Double extortion**

In terms of tactics, threat actors are increasingly finding new ways of extorting cash from victims, for example by stealing data before encryption and threatening to leak it, with Maze and REvil the most notable examples of what’s been dubbed ‘double extortion’.

Malicious Microsoft Office documents and downloads were the most commonly observed ransomware attack vectors in 2021, followed by exploiting vulnerabilities and accessing networks via exposed Remote Desktop Protocol (RDP) ports.

WithSecure points out that many of these vectors rely on unpatched vulnerabilities – particularly in internet-facing infrastructure – poor password hygiene, lack of multi-factor authentication to secure online accounts, and other weaknesses that organizations should be able to address.

Meanwhile, says Palumbo, governments have their part to play.

“The role of governments and agencies is extremely important and multi-faceted,” he says.

“They need to continue pushing the importance of cybersecurity education and hygiene for both individuals and organizations, making it more difficult for cybercriminals to take advantage and extort money.”

**DON’T MISS** Researchers crack MEGA’s ‘privacy by design’ storage, encryption

Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file.

A stored cross-site scripting (XSS) vulnerability exists in LightCMS that allows an user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

    %PDF-1.4
    %1111
    1 0 obj
    <<
    /CreationDate (D:20210619104632+08'00')
    /Creator (xss)
    /Producer (PDF-XChange Core API SDK $7.0.324.2$)
    >>
    endobj
    2 0 obj
    <<
    /Metadata 3 0 R
    /Pages 4 0 R
    /Type /Catalog
    >>
    endobj
    3 0 obj
    <<
    /Length 2983
    /Subtype /XML
    /Type /Metadata
    >>
    stream
    <?xpacket begin="﻿" id="W5M0MpCehiHzreSzNTczkc9d"?>
    <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.5.0">
    	<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    		<rdf:Description rdf:about=""
    				xmlns:dc="http://purl.org/dc/elements/1.1/"
    				xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    				xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    				xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
    			<dc:format>application/pdf</dc:format>
    			<xmpMM:DocumentID>uuid:9c93bc08-8e4e-46cb-b28f-824c693821a4</xmpMM:DocumentID>
    			<xmpMM:InstanceID>uuid:2cd63bea-24ca-4ef8-a12c-015da3b28c96</xmpMM:InstanceID>
    			<xmp:CreateDate>2021-06-19T10:46:32+08:00</xmp:CreateDate>
    			<xmp:CreatorTool>迅捷PDF编辑器 7.0.324.2</xmp:CreatorTool>
    			<xmp:ModifyDate>2021-06-19T10:52:02+08:00</xmp:ModifyDate>
    			<pdf:Producer>PDF-XChange Core API SDK (7.0.324.2)</pdf:Producer>
    		</rdf:Description>
    	</rdf:RDF>
    </x:xmpmeta>

CVE-2022-33009: A stored cross-site scripting (XSS) vulnerability exists in LightCMS "contents" field · Issue #30 · eddy8/LightCMS

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

**Impact**

Incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the  
/config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM.

**Patches**

The issue is fixed in version 8.0.

**Workarounds**

None

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/LDAPAccountManager/lam/issues
*   Email us on lam-public mailinglist

**Credits**

Arseniy Sharoglazov and Andrey Medov

Tag

#pdf