NoMachine for Windows prior to version 6.15.1 and 7.5.2 suffer from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform DLL Hijacking via any writable directory listed under the system path and ultimately execute code as NT AUTHORITY\SYSTEM.

CVE-2021-33436

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases.

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases. This was mitigated within 48 hours (on January 13, 2022).

**Customer Impact Customer Impact**

All Flexible Server Postgres servers deployed using the public access networking option were impacted with this security vulnerability. Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted.  
Our analysis revealed no customer data was accessed using this vulnerability. Azure updated all Flexible Servers to fix this vulnerability.  
No action is required by customers. In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances. For information about this, please see the Flexible Server networking documentation.

**Microsoft’s Response Microsoft’s Response**

Microsoft took the following steps after this issue was brought to our attention:

1.  We took a proactive approach to first address the most critical vulnerability by preventing cross-tenant attack that addresses any lateral data access. These fixes were rolled out worldwide on January 13, 2022.
    
    *   Provide complete isolation between different tenants’ underlying virtual machine instances.
    *   Fixing the pg\_ident.conf issue to allow replication permissions only when the exact subject name is matched instead of a prefix match.
2.  During that patch rollout, we also addressed all new server creations to have blocked both elevated privileged access and remote code access.
    
3.  After fixes were deployed, our security teams and Wiz validated the fixes.
    
4.  We finished updating the entire fleet of existing servers which addressed the remaining issues by February 25, 2022. The fixes included:
    
    *   Blocking the copy program in Postgres to mitigate the reported Remote Code Execution in the Flexible Server PostgreSQL service
    *   Fixing the verbose Postgres error message that displayed the certificate name

**Technical details Technical details**

The following were the steps used to gain elevation of privilege and remote code execution:

1.  An issue with how extensions were handled in our specific implementation of Postgres pg\_admin could potentially allow pg\_admin to elevate to Superuser
2.  Due to the insufficient network isolation between Flexible Server instances, it was possible for an attacker to discover and try to connect to other Flexible Server instances within the region.
3.  With an overly permissive regular expression used to map certificate common names to users, it was possible to bypass the certificate authentication used for replication connections between Flexible Server Postgres instances.

Wiz has posted a blog about this issue available here. We would like to thank Wiz who found this issue and worked closely with Microsoft to help secure our customers.

Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

Network-attached storage (NAS) appliance maker QNAP on Wednesday said it's working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.
<!-

Network-attached storage (NAS) appliance maker QNAP on Wednesday said it's working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.

On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues - CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194 — that could be exploited to achieve arbitrary code execution.

"This vulnerability \[CVE-2022-23121\] can be exploited remotely and does not need authentication," NCC Group researchers noted last month. "It allows an attacker to get remote code execution as the 'nobody' user on the NAS. This user can access private shares that would normally require authentication."

QNAP noted that the Netatalk vulnerabilities impact the following operating system versions -

*   QTS 5.0.x and later
*   QTS 4.5.4 and later
*   QTS 4.3.6 and later
*   QTS 4.3.4 and later
*   QTS 4.3.3 and later
*   QTS 4.2.6 and later
*   QuTS hero h5.0.x and later
*   QuTS hero h4.5.4 and later, and
*   QuTScloud c5.0.x

Until the updates are available, the Taiwanese company is recommending users to disable AFP. The flaws have been patched so far in QTS 4.5.4.2012 build 20220419 and later.

The disclosure arrives less than a week after QNAP said it's investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available

Visa has invested heavily in data analytics and artificial intelligence over the past five years to secure the movement of money and keep fraud rates low.

As more financial transactions move online, organizations are faced with the challenge of ensuring payment methods are safe, secure, and private, as well as being able to differentiate between legitimate customer behavior and fraudulent activities. For Visa, advanced analytics and artificial intelligence plays a significant role.  

The shift to digital commerce – driven partly by pandemic-related lockdowns and restrictions but also because organizations are introducing new offerings as part of their digital transformation initiatives – have transformed how money moves around the world, says Dustin White, chief risk data officer at Visa. Individuals increasingly rely on new tools to send money to other individuals or to pay for goods and services from retailers and other types of sellers. There are new payment schemes, such as buy-now-pay-later, tap-to-pay, and no-touch payments, and they bring different challenges and risks than traditional face-to-face transactions, he says.

"To say the task of securing the global movement of money is complex would be an understatement, particularly now," wrote Visa’s chief risk officer Paul Fabara in a recent blog post.

E-commerce volume on Visa’s network has grown by more than 50% since late 2019, and peer-to-peer payments on Visa’s network have more than doubled, the company says. Even as shoppers returned to stores in 2021, online trends held steady as shoppers "still shopped with fervor online," according to Digital Commerce 360’s analysis of Commerce Department data.

Criminals go where the money is; they have noticed the e-commerce shift and increased use of digital payments. However, even though the attack surface has increased, fraud rates on Visa’s networks remain at historic lows, White says. Fraud rates are currently at about 7 cents per $100 in transactions, despite over 2 million daily attempts by fraudsters. White credits Visa’s hefty investments in advanced analytics and artificial intelligence (AI) for keeping fraud low.

**Digging Deep in the Data Reservoir**  
Visa has invested $9 billion in cybersecurity over the past five years, with $500 million specifically on data analytics and AI capabilities. The company has 60 petabytes (1 petabyte is 1,000 terabytes) of data and has embedded AI and analytics in more than 60 different services to spot and block fraud on its networks.

*   The Visa Advanced Authorization (VAA) score uses AI and machine-learning techniques to determine whether a transaction is legitimate or fraudulent within 300 milliseconds, White says. VAA alone prevented $26 billion worth of fraud in 2021.
*   The company analyzes data to look for "common patterns" of behavior associated with legitimate transactions and to identify fraud. For example, insights such as a customer applying for credit copy and pasted in the Social Security number rather than typing in the digits could indicate that the personal data being used may be stolen.
*   Visa Behavioral Analytics has analyzed more than 400 million authentication requests against 12 million unique devices over the past two years to detect account takeovers and bot-based attacks, White says.
*   Visa Account Intelligence uses AI and machine learning to detect fraud before it starts. In one case, Visa Account Intelligence helped prevent $2.2 billion in potential client fraud.

**Enhancing Capabilities With AI**  
False declines, or when a transaction doesn’t go through because of a mistake, can also be costly. About 89% of customers will cut back on using that item – a credential or a particular payment method – after a false decline, which would result in lost revenue streams for providers and merchants, White says. Visa applies deep-learning techniques to reduce false declines by as much as 30%, the company says.

Security analysts use natural processing to uncover cyberattacks and insider threats and apply machine-learning models to predict and fix most likely points of network vulnerability. Vulnerability testing has saved approximately $31 million in prevented fraud in fiscal year 2021.

Visa’s investments in AI match overall activity in the financial-services sector. Financial institutions have spent more than $217 billion on AI applications to help prevent fraud and assess risk, according to the Preventing Financial Crimes Playbook. Those figures are from 2020, and the pace of investments has continued to grow since. Banks are aware of the benefits of using AI, as shown in a recent UBS Evidence Lab report, where 75% of respondents at banks with over $100 billion in assets said they’re implementing AI strategies.

White cautions against treating AI as the end-all to fix everything and advocates a multilayered approach. Visa still maintains Cyber Fusion Centers staffed with analysts to handle continuous security monitor, incident response investigation, and threat intelligence. Machine learning is the most beneficial when it is implemented to improve existing tools and processes or deployed to address a specific situation. 

"No one solution is going to thwart all of the attacks on infrastructure," White says.

A Peek into Visa's AI Tools Against Fraud

Acquisition expands security software-as-a-service capabilities.

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

April 29, 2022

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

by Dark Reading Staff, Dark Reading

April 29, 2022

1 min read

Article

Explainable AI for Fraud Prevention

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

April 28, 2022

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

by David Utassy, Data Scientist, SEON

April 28, 2022

4 min read

Article

Tenable Acquires External Attack Surface Management Vendor for $44.5M

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

April 26, 2022

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

by Dark Reading Staff, Dark Reading

April 26, 2022

1 min read

Article

API Attacks Soar Amid the Growing Application Surface Area

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

April 26, 2022

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

by Robert Lemos, Contributing Writer

April 26, 2022

5 min read

Article

Ukraine Invasion Driving DDoS Attacks to All-Time Highs

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

April 25, 2022

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

by Dark Reading Staff, Dark Reading

April 25, 2022

2 min read

Article

Sophos Buys Alert-Monitoring Automation Vendor

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

April 22, 2022

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

by Dark Reading Staff, Dark Reading

April 22, 2022

1 min read

Article

Devo Acquires Threat Hunting Company Kognos

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

April 21, 2022

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

by Dark Reading Staff, Dark Reading

April 21, 2022

1 min read

Article

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

April 20, 2022

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

by Robert Lemos, Contributing Writer

April 20, 2022

5 min read

Article

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

April 18, 2022

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

by Robert Lemos, Contributing Writer

April 18, 2022

5 min read

Article

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

April 15, 2022

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

by Hollie Hennessy, Senior Analyst, IoT Cybersecurity, Omdia

April 15, 2022

3 min read

Article

How IP Data Can Help Security Professionals Protect Their Networks

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

April 05, 2022

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

by Jonathan Tomek, VP of Research and Development, Digital Envoy

April 05, 2022

5 min read

Article

Will the Biggest Clouds Win? Lessons From Google's Mandiant Buy

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

March 21, 2022

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

by Robert Lemos, Contributing Writer

March 21, 2022

5 min read

Article

Cut Down on Alert Overload and Leverage Layered Security Measures

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

March 17, 2022

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

by Jason Manar, Chief Information Security Officer, Kaseya

March 17, 2022

4 min read

Article

VPNs Give Russians an End Run Around Censorship

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

March 16, 2022

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

by Robert Lemos, Contributing Writer

March 16, 2022

4 min read

Article

How Enterprises Can Get Used to Deploying AI for Security

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

March 11, 2022

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

by Fahmida Y. Rashid, Features Editor, Dark Reading

March 11, 2022

4 min read

Article

Synopsys to Acquire WhiteHat Security from NTT

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.

Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.

Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years.  In  January  2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The latest activity observed by researchers occurred while Emotet was on a “spring break.” Efforts were lowkey and likely an attempt to test new tactics without drawing attention. Now, researchers say TA542 has ramped up attacks to typical high-volume threat campaigns. “The threat actor has since resumed its typical activity,” Proofpoint said.

Cybersecurity researchers from AdvIntel, Crypolaemus confirmed Proofpoint’s observations, both observing the Emotet’s return after a 10-months gap. According to those researchers, attackers behind the malware have sent millions of phishing emails designed to infect the devices with malware and can be controlled by botnets.

> 2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections.
> 
> 📌TrickBot launched what appears to be the newer Emotet loader.  
> 👇https://t.co/nVugStaAvE https://t.co/GHupFlENaQ
> 
> — Vitali Kremez (@VK\_Intel) November 15, 2021

****New Phase of Emotet****

In its report, Proofpoint researchers noted that this new testing of phishing emails could be the result of Microsoft’s actions to disable specific macros associated with Office apps in February 2022. At the time Microsoft said it was changing defaults for five Office apps that run macros.  This prevents attackers from targeting documents with automation services to execute the malware on victims’ systems.

According to cybersecurity researchers at Proofpoint, the new techniques observed in recent campaigns appeared to be tested on a smaller scale, as a test for potential be used for a larger campaign.

The new campaigns use compromised email accounts to send out spam-phishing emails with a one-word headline. Common terms in phishing attacks included “salary” are used to encourage users to click out of curiosity, found by the ProofPoint cybersecurity researchers.

The message body contains a OneDrive URL. This URL hosts Zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line.

If these XLL files are opened and executed, Emotet will infect the machine with malware. Further, it can steal the information or create a backdoor for deploying other malwares to compromise the Windows system.

According to cybersecurity researchers at Proofpoint, the use of OneDrive URLs and XLL makes this campaign distinct from previous ones. Earlier Emotet attempted to spread itself via Microsoft Office attachments or phishing URLs. Those malicious payloads included Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macros.

The attacks associated with this new campaign took place between April 4, 2022 and April 19, 2022, when other widespread Emotet campaigns were put on hold, researchers said.

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

“Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable” DeGrippo explained.

In another development malware, authors patched the issue, which prevented potential victims from getting compromised upon clicking on the malicious email attachments.  

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks

Miele Benchmark Programming Tool versions 1.1.49 and 1.2.71 suffer from a privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220427-0 >  
=======================================================================  
               title: Privilege Escalation  
             product: Miele Benchmark Programming Tool  
  vulnerable version: at least 1.1.49 and 1.2.71  
       fixed version: 1.2.72  
          CVE number: CVE-2022-22521  
              impact: Medium  
            homepage: https://www.miele.com/  
               found: 2022-01-24  
                  by: J. Kruchem (Office Vienna)  
                      W. Schober (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"There are many good reasons for choosing Miele. Since the company's founding in  
1899, Miele has remained true to its "Immer Besser" brand promise. This means  
that we will do all that we can to be "Immer Besser" (forever better) than our  
competitors and "Immer Besser" (forever better) than we already are. For our  
customers, this means the peace of mind of knowing that choosing Miele is a  
good decision – and probably the decision of a lifetime."

Source: https://www.mieleusa.com/c/about-us-9.htm

Business recommendation:  
------------------------  
The vendor provides a patched version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised,  
as the software may be affected from further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Privilege Escalation (CVE-2022-22521)  
The path where the Miele Benchmark Programming Tool is installed is writable  
for any user on the Windows operation system. This allows replacing the Uninstall  
binary and thus an attacker gaining local admin privileges if uninstalled.

Proof of concept:  
-----------------  
1) Privilege Escalation (CVE-2022-22521)  
The Uninstall string can be found in the following registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{<UUID of Miele Benchmark Programming>}

The UninstallString field has the following value:

UninstallString  
"C:\MIELE_SERVICE\Miele Benchmark Programming Tool\Uninstall Miele Benchmark Programming Tool.exe" /allusers

For exploitation, replace the "Uninstall Miele Benchmark Programming Tool.exe"  
with a malicious binary and uninstall via Software Center or call the admin  
and let them uninstall the Miele Benchmark Programming Tool.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested, which were the latest versions available  
during the time of the test:

* 1.1.49  
* 1.2.71

Other (lower) software versions may be affected as well.

Vendor contact timeline:  
------------------------  
2022-03-21: Contacting vendor through psirt@miele.com  
2022-03-22: Vendor answered that they will check the provided information  
2022-04-07: Vendor confirmed the vulnerability and answered with aim to fix it asap  
2022-04-11: Vendor sent their advisory (including CVE) and fixed version  
2022-04-27: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version v1.2.72 which can be downloaded here:

https://www.miele.com/en/com/downloads-6770.htm

Workaround:  
-----------  
Adapt permissions of the C:\MIELE_SERVICE directory according to the least privilege  
principle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem / @2022

Miele Benchmark Programming Tool 1.1.49 / 1.2.71 Privilege Escalation

Trojan-Downloader.Win32.Agent malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/fb3ac3c9d808de7f4b5ede68715f658f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.AgentVulnerability: Insecure PermissionsDescription: The malware writes a PE file to the "Windows\System" directory granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.Family: AgentType: PE32MD5: fb3ac3c9d808de7f4b5ede68715f658fVuln ID: MVID-2022-0570Dropped files: alg.exeDisclosure: 04/26/2022 Exploit/PoC:C:\>cacls \Windows\System\alg.exeC:\Windows\System\alg.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>dir \Windows\System\alg.exe Volume in drive C has no label. Directory of C:\Windows\System04/10/2022  01:18 AM           882,688 alg.exe               1 File(s)        882,688 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Downloader.Win32.Agent Insecure Permissions

Backdoor.Win32.Cafeini.b malware suffers from a man-in-the-middle vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/851f8945d1b5923990f4722d627156a0_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Port Bounce ScanDescription: The malware runs an FTP server on TCP port 23. Third-party adversaries who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.Family: CafeiniType: PE32MD5: 851f8945d1b5923990f4722d627156a0Vuln ID: MVID-2022-0569Disclosure: 04/26/2022Exploit/PoC:C:\>nmap -n -Pn -b test:test@192.168.18.125:23  -p21,22,80 192.168.18.237 -vStarting Nmap 7.80 ( https://nmap.org ) at 2022-04-20 14:50 UTC-11Resolved FTP bounce attack proxy to 192.168.18.125 (192.168.18.125).Attempting connection to ftp://test:test@192.168.18.125:23Connected:220 CAFEiNi 1.1 FTP serverLogin credentials accepted by FTP server!Initiating Bounce Scan at 14:50Removed 22Changed my mind about port 22Removed 21Changed my mind about port 21Discovered open port 80/tcp on 192.168.18.237Completed Bounce Scan at 14:50, 2.21s elapsed (3 total ports)Nmap scan report for 192.168.18.237Host is up.PORT   STATE  SERVICE21/tcp closed ftp22/tcp closed ssh80/tcp open   httpRead data files from: C:\Program Files (x86)\NmapNmap done: 1 IP address (1 host up) scanned in 11.39 secondsDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b Man-In-The-Middle

Trojan-Downloader.Win32.Small.ahlq malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/d859ba54086fd0313dc34b73b5b1eccb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Downloader.Win32.Small.ahlqVulnerability: Insecure Permissions Description: the malware creates a directory with insecure permissions under c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: SmallType: PE32MD5: d859ba54086fd0313dc34b73b5b1eccbVuln ID: MVID-2022-0567Disclosure: 04/26/2022Exploit/PoC:C:\>cacls TempC:\Temp BUILTIN\Administrators:(OI)(CI)(ID)F        NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F        BUILTIN\Users:(OI)(CI)(ID)R        NT AUTHORITY\Authenticated Users:(ID)C        NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)CC:\>dir Temp Volume in drive C has no label. Directory of C:\Temp04/14/2022  04:03 AM           761,344 vjrgq12Server_Setup.exe               1 File(s)        761,344 bytesDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#mac