Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Files with TXZ extension used as malspam attachments

Published: 2024-05-27

Last Updated: 2024-05-27 06:38:59 UTC

by Jan Kopriva (Version: 1)

Malicious e-mail attachments come in all shapes and sizes. In general, however, threat actors usually either send out files, which themselves carry a malicious payload – such as different scripts, Office documents or PDFs – or they send out “containers”, which include such files – e.g., image files or archives. These container files, especially, can sometimes be quite unusual… Which is where today’s diary comes in.

While going over messages that were caught in my malspam traps over the course of May, I found multiple e-mails that carried files with the TXZ extension as their attachments. Since this extension is hardly the most common one, I needed quick help from Google to find that it is associated with Tar archives compressed with XZ Utils. It seems that even when it comes to malicious e-mail attachments, use of this extension is relatively unusual, since a quick check revealed that my malspam traps hadn’t caught any such files in 2021, only one file in 2022, and none in 2023.

As it turned out, however, both the 2022 file and the current files that my malspam traps caught were actually not TXZ files, but rather renamed RAR archives ...

Although threat actors commonly modify the extensions of malicious files they send out, I was a little mystified by the change in this case, given the aforementioned less-than-common use of TXZ files and – presumably – their limited support by archiving utilities. Further Google searching, however, soon revealed the reason for it ...
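The extension/content mismatch the diary describes (a file named .txz that is really a RAR archive) is something a mail gateway or a triage script can flag by comparing the extension against the container's magic bytes rather than trusting the name. The following is an added example and not code from the ISC diary; the signatures are the published XZ, RAR 4.x/5.0, ZIP, 7z and gzip file headers, and the sample attachments are constructed inline.

```python
# Added example (not from the ISC diary): flag attachments whose extension
# disagrees with the container format identified by their leading bytes.
import os
from typing import Dict, List, Optional

# Published file signatures (magic bytes) for common archive containers.
MAGIC: Dict[str, List[bytes]] = {
    "xz":   [b"\xfd7zXZ\x00"],                        # FD 37 7A 58 5A 00
    "rar":  [b"Rar!\x1a\x07\x00",                     # RAR 4.x
             b"Rar!\x1a\x07\x01\x00"],                # RAR 5.0
    "zip":  [b"PK\x03\x04"],
    "7z":   [b"7z\xbc\xaf\x27\x1c"],
    "gzip": [b"\x1f\x8b"],
}

# Container format each extension is expected to carry. .txz / .tgz are
# compressed tarballs, so the outer container is xz / gzip respectively.
EXPECTED: Dict[str, str] = {
    ".txz": "xz", ".xz": "xz",
    ".rar": "rar",
    ".zip": "zip",
    ".7z": "7z",
    ".gz": "gzip", ".tgz": "gzip",
}


def identify_container(data: bytes) -> Optional[str]:
    """Return the container format whose signature the data starts with, or None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's expected container with the one the bytes show.

    'mismatch' is True only when both the extension and the content are
    recognised and they disagree; unknown extensions or unknown content are
    reported as None so the caller can decide how to treat them.
    """
    ext = os.path.splitext(filename.lower())[1]   # ".tar.xz" -> ".xz"
    expected = EXPECTED.get(ext)
    actual = identify_container(data[:16])         # all signatures fit in 16 bytes
    return {
        "filename": filename,
        "extension": ext,
        "expected": expected,
        "actual": actual,
        "mismatch": expected is not None and actual is not None and expected != actual,
    }


def scan_samples() -> List[dict]:
    """Run the check over constructed sample attachments (not real malspam)."""
    samples = {
        # constructed: RAR 5.0 header under a .txz name, as in the diary
        "invoice_05_2024.txz": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
        # constructed: a genuine xz stream header under a .tar.xz name
        "backup.tar.xz": b"\xfd7zXZ\x00" + b"\x00" * 32,
        # constructed: plain text, no archive signature at all
        "notes.txt": b"hello world",
    }
    return [check_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan_samples():
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{flag:8} {result['filename']}: ext={result['expected']} content={result['actual']}")
```

In a gateway this check belongs before any decision based on the filename, since archiving tools and users will happily open a RAR archive whatever it is called; a mismatch between a low-prevalence extension such as .txz and RAR content is a cheap, high-signal indicator worth alerting on.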

Read the full entry:

https://isc.sans.edu/diary/Files+with+TXZ+extension+used+as+malspam+attachments/30958/

Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs [Guest Diary]

Published: 2024-05-28

Last Updated: 2024-05-29 00:46:39 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Joshua Jobe, an ISC intern as part of the SANS.edu BACS program]

Introduction

Upon starting the Internship in January 2024, I wondered how I was going to tackle analyzing all the logs, how to parse and understand JSON files, and how to make sense of the plethora of details to even try to make an attack observation. Where do the files go, how do we correlate the filenames with the hashes, what’s the deal with webhoneypot logs? During the Introductory Call, Mentor Handler Guy Bruneau mentioned the DShield SIEM [1] he has been working on for everyone to use to enhance the internship experience. I felt this was the perfect opportunity to build something that will assist with correlating the ‘attacks’ on the sensors by ingesting the logs into a SIEM. This is especially useful for those who want to see the details in a way that is more organized and easier to extrapolate data from. However, simply reviewing activity in the SIEM may not always be enough to build a complete picture for an attack observation. Likewise, simply parsing through the logs may not always give you a complete picture either.

This blog post will walk through the steps I have taken to build a bigger picture to make an attack observation, briefly going over various attacks such as malicious files, HTTP requests, Cowrie/Webhoneypot JSON logs and PCAPs.

Where to Start

After initially setting up the DShield Honeypot (sensor), it will inevitably take 2-3 weeks or more to begin seeing attacks, especially any that may involve uploading/downloading files. Be patient. Interesting IP addresses, files, URLs, TTY logs, etc. will show up. It is imperative that you follow the instructions to properly expose your sensor or sensors to the internet.

For example, I am running two sensors behind an Asus RT-AC86U router. Since this router doesn’t natively allow the same port entries when port forwarding to two internal IP addresses, I opted to set up one sensor with only TCP ports 8000, 2222, 2223 and 8443 open, with the second sensor open to the entire port range: TCP/UDP 1:65535. Utilizing the demilitarized zone (DMZ) is not currently an option due to how my network is set up. The sensor with the entire port range open tends to see more traffic.

Once you have your sensors up and running, I highly recommend setting up the DShield SIEM previously mentioned. Here are some recommendations to consider for the SIEM ...

Read the full entry:

https://isc.sans.edu/diary/Is+that+It+Finding+the+Unknown+Correlations+Between+Honeypot+Logs+PCAPs+Guest+Diary/30962/

Analysis of “redtail” File Uploads to ICS Honeypot, a Multi-Architecture Coin Miner [Guest Diary]

Published: 2024-05-22

Last Updated: 2024-05-23 00:05:28 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Robert Riley, an ISC intern as part of the SANS.edu BACS program]

Introduction

Honeypot file uploads can be like opening Pandora’s box, never knowing what may get uploaded. Malware comes in all sorts of varieties and flavors, many suited for specific purposes and some for multiple. Today, we’ll look at a malware named “redtail” whose purpose falls under the category of "coin miners": software illegally uploaded to hosts for the purpose of covertly mining cryptocurrency for a remote actor by hijacking a host’s resources. The question we’d like answered is what capabilities modern coin miners possess, and how they can be identified. Using this information from modern threat feeds could both give further insight into the threat actors perpetuating this attack and give a glimpse into the current capabilities of coin miner malware actively being used in today’s threat landscape.

Description of the Subject

The “redtail” samples being evaluated are a look into a modern variant of coin miner malware being used in the wild today. The samples are interesting in that they have the capability to run on 4 different CPU architectures, showing just how vast a number of devices/hosts this malware could potentially infect. We’ll be looking into the process of how the threat actor gained initial access, who the threat actors are, the different samples uploaded, and how these samples were identified as a coin miner ...

Read the full entry:

https://isc.sans.edu/diary/Analysis+of+redtail+File+Uploads+to+ICS+Honeypot+a+MultiArchitecture+Coin+Miner+Guest+Diary/30950/

Internet Storm Center Entries

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-4978 - Justice AV Solutions Viewer Setup 8.3.7.250-1 allows remote attackers to execute unauthorized PowerShell commands due to a malicious binary with an unexpected authenticode signature.

Product: Justice AV Solutions Viewer Setup

CVSS Score: 8.4

** KEV since 2024-05-29 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4978

ISC Podcast: https://isc.sans.edu/podcastdetail/8996

NVD References: https://twitter.com/2RunJack2/status/1775052981966377148

CVE-2024-5274 - Google Chrome prior to version 125.0.6422.112 is vulnerable to type confusion in V8, allowing remote attackers to execute arbitrary code via a specially crafted HTML page.

Product: Google Chrome

CVSS Score: 8.8

** KEV since 2024-05-28 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5274

NVD References:

- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

- https://issues.chromium.org/issues/341663589

CVE-2024-23108 - Fortinet FortiSIEM versions 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 are vulnerable to an os command injection allowing unauthorized code execution via crafted API requests.

Product: Fortinet FortiSIEM 7.1.1

CVSS Score: 0 AtRiskScore 40

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23108

ISC Podcast: https://isc.sans.edu/podcastdetail/9000

CVE-2024-4985 - GitHub Enterprise Server (GHES) was vulnerable to an authentication bypass issue with SAML single sign-on, allowing attackers to forge responses and gain admin privileges without authentication.

Product: GitHub GitHub Enterprise Server

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4985

ISC Podcast: https://isc.sans.edu/podcastdetail/8992

CVE-2023-3943 - ZkTeco-based OEM devices are vulnerable to stack-based buffer overflow attacks, allowing for the execution of arbitrary code due to the lack of protection mechanisms.

Product: ZkTeco-based OEM devices

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3943

NVD References: https://github.com/klsecservices/Advisories/blob/master/K-ZkTeco-2023-006.md

CVE-2024-27130 - QNAP operating system versions are vulnerable to a buffer copy without checking input size, allowing users to execute code via a network, which has been fixed in QTS 5.1.7.2770 build 20240520 and later and QuTS hero 5.1.7.2770 build 20240520 and later.

Product: QNAP QTS QuTS hero

CVSS Score: 7.2

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27130

ISC Podcast: https://isc.sans.edu/podcastdetail/8988

NVD References: https://www.qnap.com/en/security-advisory/qsa-24-23

CVE-2024-31989 - Argo CD's vulnerability allows unprivileged pods in different namespaces to potentially access Redis servers, highlighting the importance of enabling network policies to prevent unauthorized access.

Product: Argo CD

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-31989

NVD References:

- https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d

- https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678

- https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c

- https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff

- https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12

- https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07

- https://github.com/argoproj/argo-cd/commit/bdd889d43969ba738ddd15e1f674d27964048994

- https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0

- https://github.com/argoproj/argo-cd/security/advisories/GHSA-9766-5277-j5hr

CVE-2024-4443 - The Business Directory Plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2.

Product: The Business Directory Plugin Easy Listing Directories for WordPress

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4443

NVD References:

- https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/fields/class-fieldtypes-select.php#L110

- https://plugins.trac.wordpress.org/changeset/3089626/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/982fb304-08d6-4195-97a3-f18e94295492?source=cve

CVE-2024-5147 - The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion via the 'grid_style' parameter, potentially allowing unauthenticated attackers to execute arbitrary files on the server and bypass access controls.

Product: WPZOOM Addons for Elementor (Templates, Widgets)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5147

NVD References:

- https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L105

- https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L112

- https://plugins.trac.wordpress.org/changeset/3090236#file6

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f006bb33-d017-445b-9c02-bd848c199671?source=cve

CVE-2024-3495 - The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection in versions up to 2.7.2, allowing unauthenticated attackers to extract sensitive information from the database.

Product: WordPress Country State City Dropdown CF7 plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3495

NVD References:

- https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L22

- https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L8

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3089374%40country-state-city-auto-dropdown%2Ftrunk&old=3068802%40country-state-city-auto-dropdown%2Ftrunk&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/17dcacaf-0e2a-4bef-b944-fb7e43d25777?source=cve

CVE-2024-5168 - Prodys' Quantum Audio codec versions 2.3.4t and below are vulnerable to improper access control, allowing unauthorized users to bypass authentication and make unauthorized API requests.

Product: Prodys Quantum Audio codec

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5168

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/improper-access-control-vulnerability-prodys-quantum-audio-codec

CVE-2024-5084 - The Hash Form - Drag & Drop Form Builder plugin for WordPress allows unauthenticated attackers to upload arbitrary files leading to potential remote code execution.

Product: HashThemes Hash Form – Drag & Drop Form Builder

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5084

NVD References:

- https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormBuilder.php#L764

- https://plugins.trac.wordpress.org/changeset/3090341/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/eef9e2fa-d8f0-42bf-95ac-ee4cafff0b14?source=cve

CVE-2024-4544 - The Pie Register - Social Sites Login plugin for WordPress allows unauthenticated attackers to login as any existing user on the site through an authentication bypass vulnerability.

Product: The Pie Register Social Sites Login (Add on) plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4544

NVD References:

- https://plugins.trac.wordpress.org/browser/pie-register/tags/3.8.3.3/pie-register.php#L2959

- https://www.wordfence.com/threat-intel/vulnerabilities/id/b98179c3-8b32-4d75-9f3f-2367215a740b?source=cve

CVE-2024-5314 & CVE-2024-5315 - Dolibarr ERP - CRM version 9.0.1 is susceptible to SQL injection.

Product: Dolibarr ERP - CRM

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5314

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5315

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms

CVE-2024-26289 - PMB Services PMB is vulnerable to remote code inclusion through deserialization of untrusted data from versions 7.5.1 to 7.5.6-2, 7.4.1 to 7.4.9, and 7.3.1 to 7.3.18.

Product: PMB Services PMB

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26289

NVD References:

- https://forge.sigb.net/projects/pmb/files

- https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md

CVE-2024-5407 - RhinOS 3.0-1190 is vulnerable to PHP code injection through the "search" parameter, potentially leading to a remote attacker gaining control of the system.

Product: RhinOS 3.0

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5407

NVD References:

- https://github.com/josepsanzcamp/RhinOS

- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rhinos-saltos

CVE-2024-21785 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to unauthorized access via a leftover debug code in its Telnet Diagnostic Interface functionality.

Product: AutomationDirect P3-550E

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21785

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1942

CVE-2024-22187 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to a write-what-where vulnerability in the Programming Software Connection Remote Memory Diagnostics functionality, allowing an attacker to send a specially crafted network packet for an arbitrary write without authentication.

Product: AutomationDirect P3-550E

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22187

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1940

CVE-2024-23601 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to code injection in scan_lib.bin, allowing for arbitrary code execution via a specially crafted file.

Product: AutomationDirect P3-550E

CVSS Score: 9.8 AtRiskScore 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23601

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1943

CVE-2024-24962 & CVE-2024-24963 - AutomationDirect P3-550E 1.2.10.9 is affected by stack-based buffer overflow vulnerabilities.

Product: AutomationDirect P3-550E

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24962

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24963

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1939

CVE-2024-5150 - The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26, allowing unauthenticated attackers to log in as any existing user on the site. The patch in version 1.7.26 causes the function to stop working; this issue is fixed in version 1.7.27.

Product: WordPress Login with phone number plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5150

NVD References:

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241

- https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number

- https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5

- https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve

CVE-2024-22026 - EPMM before version 12.1.0.0 is susceptible to a local privilege escalation vulnerability that allows an authenticated user to execute arbitrary commands.

Product: Ivanti Endpoint Manager Mobile

CVSS Score: 6.7 AtRiskScore 25

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22026

ISC Podcast: https://isc.sans.edu/podcastdetail/8988

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPMM-May-2024?language=en_US

CVE-2024-27842 - The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

Product: macOS Sonoma

CVSS Score: N/A

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27842

ISC Diary: https://isc.sans.edu/diary/Apple+Patches+Everything+macOS+iOS+iPadOS+watchOS+tvOS+updated/30916/

ISC Podcast: https://isc.sans.edu/podcastdetail/8980

NVD References: https://support.apple.com/en-us/HT214106