Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Take Downs and the Rest of Us: Do they matter?

Published: 2024-02-27

Last Updated: 2024-02-27 17:19:25 UTC

by Johannes Ullrich (Version: 1)

Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquiti, compromised using well-known default credentials.

Why do nation-state actors go after "simple" home devices? Usually, these attacks are associated with simple "vandal ware" like Mirai and similar bots. Often, a cryptocurrency miner is deployed as part of the attack. But even for more sophisticated attackers, these devices are attractive:

  • They may provide access to more interesting networks. The Ubiquiti EdgeRouter attacked by this Moobot variant is often used as a perimeter device for smaller remote networks. This may provide access to a remote site of a power network or to industrial equipment deployed remotely. Disabling this equipment may cause significant cost if a technician must visit the remote site.
  • Due to the enormous scan volume for these default credentials, the attacker can hide in the noise created by vandals and miners. The attack tools are essentially identical. Even if the attack is discovered, it is likely considered a "nuisance attack" and not attributed to a particular actor. For a sophisticated attacker, winning with a simple default password is far preferable to winning with a zero-day vulnerability. Each time a vulnerability is exploited, the attacker risks being discovered, and the zero-day vulnerability may be fixed.
  • "Innocent" home devices make a great attack platform. Some networks will, for example, block access from certain countries or specific hosting providers. Having access to a diverse set of commodity devices in different networks is a great asset to building up an attack infrastructure of proxies to obfuscate the source of the attack.

Read the full entry: https://isc.sans.edu/diary/Take+Downs+and+the+Rest+of+Us+Do+they+matter/30694

Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary]

Published: 2024-02-25

Last Updated: 2024-02-26 01:13:50 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Keegan Hamlin, an ISC intern as part of the SANS.edu BACS program]

Part of the SANS undergraduate program is a 20-week internship with the SANS Internet Storm Center. During that time, interns are tasked with setting up a DShield sensor to act as a honeypot, capturing data and generating logs for SSH/Telnet, Firewall activity, Web requests, and most interesting to me, file uploads. With those logs, we are expected to create attack observations, explaining what vulnerability is being exploited, what the attacker is attempting to accomplish, and how to defend against this attack. I wanted to give myself a project to help aid with creating these attack observations, and in my case, a way to quickly get information on the uploaded files. At the beginning of the internship, I had given myself a personal goal, which was to do something to build my Python skills. I thought this might be the opportunity to do that.

VirusTotal is a go-to source to upload or search for hashes of suspicious files and it is what I typically use when investigating files uploaded to the honeypot. They offer an API to automate this process, and it integrates well with Python.

Simple Command Line Query

I began by following the steps listed in the VirusTotal quick start page for their Python integration tool ...

Read the full entry: https://isc.sans.edu/diary/Utilizing+the+VirusTotal+API+to+Query+Files+Uploaded+to+DShield+Honeypot+Guest+Diary/30688/

[Guest Diary] Friend, foe or something in between? The grey area of 'security research'

Published: 2024-02-22

Last Updated: 2024-02-22 00:21:39 UTC

by Rachel Downs, SANS BACS Student (Version: 1)

[This is a Guest Diary by Rachel Downs, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]

Scanning on port 502

I’ve been running my DShield honeypot for around 3 months, and recently opened TCP port 502. I was looking for activity on this port as it could reveal attacks targeted towards industrial control systems which use port 502 for Modbus TCP, a client/server communications protocol. As with many of my other observations, what started out as an idea to research one thing soon turned into something else, and ended up as a deep dive into security research groups and the discovery of a lack of transparency about their actions and intent.

I analysed 31 days of firewall logs between 2023-12-05 and 2024-01-04. Over this period, there were 197 instances of scanning activity on port 502 from 179 unique IP addresses.

Almost 90% of scanning came from security research groups

Through AbuseIPDB and GreyNoise, I assigned location, ISP and hostname data (where available) to each IP address. GreyNoise assigns actors to IP addresses and categorises these as benign, unknown or malicious. Actors are classified as benign when they are a legitimate company, search engine, security research organisation, university or individual, and GreyNoise has determined the actor is not malicious in nature. Actors are classified as malicious if harmful behaviours have been directly observed by GreyNoise, and if an actor is not classified as benign or malicious it is marked as unknown.
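The analysis described above (counting port 502 hits in firewall logs, reducing them to unique source IPs, and tallying how many fall into GreyNoise's benign/unknown/malicious buckets) can be scripted. The following is an added example, not code from the diary or from DShield; it parses constructed iptables-style log lines and uses a hand-built actor map in place of live AbuseIPDB/GreyNoise lookups. The log format, IP addresses and actor labels are all assumptions.

```python
import re
from collections import Counter

# Constructed iptables-style firewall log lines (sample data, not a real DShield log).
# Documentation/test-network addresses are used throughout.
SAMPLE_LOG = """\
Dec  5 01:12:03 dshield kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=502 SYN
Dec  5 02:30:44 dshield kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=502 SYN
Dec  6 09:01:10 dshield kernel: IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=502 SYN
Dec  7 11:45:00 dshield kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Dec  8 13:00:01 dshield kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=UDP SPT=9000 DPT=502
Dec  9 15:20:30 dshield kernel: IN=eth0 OUT= SRC=198.51.100.250 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=502 SYN
this line is garbage and should be skipped
"""

# Pull the fields we care about out of a kernel firewall log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of source, destination, protocol and destination port, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dpt"])}


def port_summary(log_text, port, proto="TCP"):
    """Count hits on one port/protocol and return (hit_count, sorted unique source IPs).

    Modbus TCP runs over TCP, so UDP traffic to 502 is excluded by default."""
    hits = [
        rec for rec in map(parse_line, log_text.splitlines())
        if rec and rec["dport"] == port and rec["proto"] == proto
    ]
    return len(hits), sorted({rec["src"] for rec in hits})


# Hypothetical enrichment results standing in for GreyNoise actor lookups:
# ip -> (actor name or None, category). Anything not listed is treated as "unknown".
ACTOR_MAP = {
    "198.51.100.7": ("Example Research Scanner", "benign"),
    "203.0.113.42": ("Example Research Scanner", "benign"),
    "198.51.100.250": (None, "malicious"),
}


def classify(ips, actor_map):
    """Tally unique IPs into benign/unknown/malicious, returning {category: (count, percent)}."""
    counts = Counter(actor_map.get(ip, (None, "unknown"))[1] for ip in ips)
    total = len(ips)
    return {
        cat: (counts[cat], round(100 * counts[cat] / total, 1) if total else 0.0)
        for cat in ("benign", "unknown", "malicious")
    }


if __name__ == "__main__":
    hits, sources = port_summary(SAMPLE_LOG, 502)
    print(f"{hits} port 502 hits from {len(sources)} unique IPs")
    for cat, (n, pct) in classify(sources, ACTOR_MAP).items():
        print(f"  {cat:9s} {n:3d} ({pct}%)")
```

Counting unique sources rather than raw hits matters because one research scanner typically probes the same port repeatedly; the share of "benign" traffic is only meaningful when computed per IP, as the diary does. Swapping `ACTOR_MAP` for real API responses is the only change needed to run this against a live sensor log.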

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Friend+foe+or+something+in+between+The+grey+area+of+security+research/30670/

Internet Storm Center Entries


Update: MGLNDD_* Scans (2024.02.24)

https://isc.sans.edu/diary/Update+MGLNDD+Scans/30686/

Simple Anti-Sandbox Technique: Where's The Mouse? (2024.02.23)

https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/

Large AT&T Wireless Network Outage #att #outage (2024.02.22)

https://isc.sans.edu/diary/Large+ATT+Wireless+Network+Outage+att+outage/30680/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-1709 - ConnectWise ScreenConnect is vulnerable to an Authentication Bypass flaw that could enable attackers to bypass authentication controls and access sensitive data or critical systems.

Product: ConnectWise ScreenConnect

CVSS Score: 10.0

** KEV since 2024-02-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1709

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8864

NVD References: 

- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

- https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/

- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2

- https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8

- https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/



CVE-2024-1708 - ConnectWise ScreenConnect 23.9.7 and prior may allow an attacker to execute remote code or impact critical systems due to a path-traversal vulnerability.

Product: ConnectWise ScreenConnect

CVSS Score: 8.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1708

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8864

NVD References: 

- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass



CVE-2024-1597 - pgjdbc, the PostgreSQL JDBC Driver, is vulnerable to SQL injection when using PreferQueryMode=SIMPLE, allowing attackers to alter queries and bypass parameterized query protections in certain versions.

Product: pgjdbc PostgreSQL JDBC Driver

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1597

NVD References: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56



CVE-2023-50257 - eProsima Fast DDS (formerly Fast RTPS) is vulnerable to a Disconnect Vulnerability in RTPS Packets Used by SROS2, allowing malicious attackers to forcibly disconnect and deny Subscribers connections.

Product: eProsima Fast DDS

CVSS Score: 9.6 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50257

NVD References: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98



CVE-2023-6260 - Brivo ACS100 and ACS300 are vulnerable to OS Command Injection, allowing attackers to bypass physical security measures from version 5.2.4 to 6.2.4.3.

Product: Brivo ACS100

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6260

NVD References: 

- https://sra.io/advisories/

- https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3



CVE-2024-1297 - Loomio version 2.22.0 is vulnerable to OS Command Injection, allowing attackers to execute arbitrary commands on the server.

Product: Loomio version 2.22.0

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1297

NVD References: https://github.com/loomio/loomio



CVE-2024-1644 - SuiteCRM version 7.14.2 allows inclusion of local PHP files because the application is vulnerable to Local File Inclusion (LFI).

Product: SuiteCRM 

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1644

NVD References: https://github.com/salesagility/SuiteCRM/



CVE-2024-1651 - Torrentpier version 2.4.1 is vulnerable to insecure deserialization, allowing for arbitrary command execution on the server. 

Product: TorrentPier version 2.4.1

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1651

NVD References: https://github.com/torrentpier/torrentpier



CVE-2024-1608 - OPPO Usercenter Credit SDK is vulnerable to an escalation of privilege through loose permission checks, allowing for potential internal information leaks without user interaction.

Product: OPPO Usercenter Credit SDK

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1608

NVD References: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1759867611954552832



********

CVE-2024-25610, CVE-2024-25147, CVE-2024-25152, CVE-2024-25601, CVE-2024-25602, CVE-2024-25603, CVE-2024-26266, CVE-2024-26269, CVE-2023-40191, CVE-2023-42496, CVE-2023-42498, CVE-2023-47795 - Multiple XSS vulnerabilities in Liferay Portal

Product: Liferay Portal

CVSS Score: 9.0 - 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25610

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25147

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25152

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25601

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25602

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25603

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26266

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40191

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42496

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42498

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26269

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47795

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25610

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25147

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25152

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25601

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25602

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25603

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-40191

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42496

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-42498

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26266

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26269

NVD References: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-47795



CVE-2023-45318 - Weston Embedded uC-HTTP git commit 80d4004 is vulnerable to a heap-based buffer overflow in its HTTP Server functionality, enabling arbitrary code execution via a specially crafted network packet.

Product: Weston Embedded uC-HTTP

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45318

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843



CVE-2024-21795, CVE-2024-21812, CVE-2024-22097, CVE-2024-23305, CVE-2024-23310, CVE-2024-23313, CVE-2024-23606, CVE-2024-23809 - The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111) have multiple vulnerabilities.

Product: The Biosig Project libbiosig

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21795

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21812

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22097

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23305

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23310

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23313

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23606

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23809

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1920

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1921

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1917

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1918

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1923

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1922

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1925

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1919



CVE-2024-22245 - VMware Enhanced Authentication Plug-in (EAP) is vulnerable to Arbitrary Authentication Relay and Session Hijack exploits, enabling malicious actors to manipulate web browser-installed EAP to request and relay service tickets for any Active Directory Service Principal Names (SPNs).

Product: VMware Enhanced Authentication Plug-in (EAP)

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22245

NVD References: https://www.vmware.com/security/advisories/VMSA-2024-0003.html



CVE-2024-22250 - Deprecated VMware Enhanced Authentication Plug-in poses a Session Hijack vulnerability, allowing local malicious actors to hijack privileged EAP sessions on Windows systems.

Product: Deprecated VMware Enhanced Authentication Plug-in

CVSS Score: 7.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22250

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8862

NVD References: https://www.vmware.com/security/advisories/VMSA-2024-0003.html



CVE-2024-1631 - Ed25519KeyIdentity.generate in the @dfinity/identity library may use an insecure seed for key pair generation, compromising the private key and potentially leading to loss of funds or access to associated resources.

Product: DFINITY Internet Computer Blockchain

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1631

NVD References: 

- https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3

- https://www.npmjs.com/package/@dfinity/identity/v/1.0.1



CVE-2023-46241 - The `discourse-microsoft-auth` plugin, which enables authentication via Microsoft, is affected by a vulnerability that could allow an attacker to take control of Discourse accounts on sites with this plugin enabled.

Product: discourse-microsoft-auth

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46241

NVD References: 

- https://github.com/discourse/discourse-microsoft-auth/commit/c40665f44509724b64938c85def9fb2e79f62ec8

- https://github.com/discourse/discourse-microsoft-auth/security/advisories/GHSA-2w32-w539-3m7r

- https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types



CVE-2024-23346 - Pymatgen library has a critical security vulnerability in the JonesFaithfulTransformation.from_transformation_str() method that allows execution of arbitrary code.

Product: Pymatgen

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23346

NVD References: 

- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108

- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a

- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f



CVE-2024-1212 - Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Product: Kemp LoadMaster

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1212

NVD References: 

- https://freeloadbalancer.com/

- https://kemptechnologies.com/

- https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212

- https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212



CVE-2024-25124 - The Fiber web framework for Go may expose applications to CORS vulnerabilities in versions prior to 2.52.1.

Product: Fiber

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25124

NVD References: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html



CVE-2023-51388 - Hertzbeat is vulnerable to script injection due to unconfigured security policies in AviatorEvaluator used in `CalculateAlarm.java`, fixed in version 1.4.1.

Product: Hertzbeat CalculateAlarm

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51388

NVD References: 

- https://github.com/dromara/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2

- https://github.com/dromara/hertzbeat/security/advisories/GHSA-mcqg-gqxr-hqgj



CVE-2023-51389 - Hertzbeat is vulnerable to YAML deserialization due to lack of security configuration, fixed in version 1.4.1.

Product: Hertzbeat SnakeYAML

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51389

NVD References: 

- https://github.com/dromara/hertzbeat/commit/97c3f14446d1c96d1fc993df111684926b6cce17

- https://github.com/dromara/hertzbeat/security/advisories/GHSA-rmvr-9p5x-mm96



CVE-2023-51653 - Hertzbeat is vulnerable to JNDI injection through `JmxCollectImpl.java`, allowing for remote code execution via `/api/monitor/detect` interface when URL is set to `service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari` in version 1.4.0.

Product: Hertzbeat real-time monitoring system

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-51653

NVD References: 

- https://github.com/dromara/hertzbeat/commit/f794b0d82be49c596c04a042976446559eb315ef

- https://github.com/dromara/hertzbeat/security/advisories/GHSA-gcmp-vf6v-59gg



CVE-2024-1783 - Totolink LR1200GB 9.1.0u.6619_B20230130/9.3.5u.6698_B20230810 is vulnerable to a critical stack-based buffer overflow via remote exploitation of the loginAuth function in the Web Interface component (VulDB entry 254574).

Product: Totolink LR1200GB

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1783

NVD References: 

- https://gist.github.com/manishkumarr1017/30bca574e2f0a6d6336115ba71111984

- https://vuldb.com/?ctiid.254574

- https://vuldb.com/?id.254574



The following vulnerability needs a manual review:


CVE-2023-50387