Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands. […]
BleepingComputer
China-Linked ‘Muddling Meerkat’ Hijacks DNS to Map Internet on Global Scale
A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019.
Cloud security firm Infoblox described the threat actor as likely affiliated with the
The Hacker News
Cactus Ransomware Exploiting Qlik Servers Vulnerability
The Cactus ransomware gang has been exploiting vulnerable Qlik Sense servers since November 2023, using multiple vulnerabilities: CVE-2023-41266 (path traversal), CVE-2023-41265 (HTTP request tunneling) and CVE-2023-48365 (unauthenticated remote code execution).
Though Qlik has addressed these vulnerabilities with multiple security advisories, thousands of servers remain vulnerable to exploitation.
QlikSense is a data visualization and business intelligence tool that can help businesses perform data analysis and other operations.
According to reports from Cyber Security News, threat actors were targeting these QlikSense servers with software vulnerabilities and misleading victims with cooked-up stories.
Reports from Shadowserver indicate that there are more than 5,200 internet-exposed Qlik servers, of which more than 3,100 are vulnerable to exploitation by the Cactus group.
In the Netherlands alone, 241 such systems were discovered, and the threat actors have already compromised 6 of them.
Identifying the list of servers and compromised servers involved multiple research steps.
An existing Nuclei template is available, which can be used to identify vulnerable QlikSense servers exposed on the Internet.
However, the researchers used the “product-info.json” file to find vulnerable servers.
This file includes several details about the server, such as the release label and version numbers, which could reveal the exact version of the QlikSense server running.
Further, the release label parameter carries a value such as “February 2022 Patch 3”, which identifies the last update applied to the Qlik Sense server and therefore the advisory that applies to it.
To retrieve this information from the product-info.json file, the below cURL command can be used.
curl -H "Host: localhost" -vk 'https://<ip>/resources/autogenerated/product-info.json?.ttf'
The “.ttf” query suffix makes the request look like one for a TrueType font file; font files can be fetched without authentication on Qlik Sense servers, and the “Host: localhost” header avoids the 400 Bad Request response the server would otherwise return.
A patched server answers with a 302 redirect (“Authenticate at this location”), whereas a vulnerable server returns the contents of the file with a 200 OK response.
Accordingly, a 302 response, or a release label from the Qlik server containing “November 2023”, is treated as indicating a non-vulnerable server.
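The decision rule above (302 means the resource is protected; 200 with a pre-November-2023 release label means the server is still exposed) is easy to apply by hand to one host but tedious across an inventory. The following Python is an added example, not code from the article or from Shadowserver; it classifies already-captured responses offline, so it can be run against the output of the cURL command for your own servers. It assumes the release label sits under a JSON key named `releaseLabel` (the article only says the file contains a "release label", not the exact key), it generalises the article's "November 2023" rule to "November 2023 or later", and the sample responses at the bottom are constructed for the demonstration.

```python
"""Classify Qlik Sense product-info.json responses as patched or exposed.

Added example, not part of the original article. Applies the article's rule:
302 -> authentication required (patched); 200 with a release label earlier
than November 2023 -> exposed. Sample responses are constructed, not real.
"""
import json
import re
from typing import Any, Dict, Optional, Tuple

# Month names as they appear in Qlik release labels ("February 2022 Patch 3").
MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# First release the article treats as non-vulnerable.
FIXED_RELEASE = (2023, 11)

# Assumed key name for the release label inside product-info.json.
RELEASE_LABEL_KEY = "releaseLabel"

LABEL_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?", re.IGNORECASE)


def parse_release_label(label: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'February 2022 Patch 3' into (2022, 2, 3); None if unrecognised."""
    m = LABEL_RE.match(label or "")
    if not m:
        return None
    month = MONTHS.get(m.group(1).lower())
    if month is None:
        return None
    patch = int(m.group(3)) if m.group(3) else 0
    return (int(m.group(2)), month, patch)


def find_release_label(node: Any) -> Optional[str]:
    """Depth-first search for the assumed release-label key anywhere in the JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == RELEASE_LABEL_KEY and isinstance(value, str):
                return value
            found = find_release_label(value)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_release_label(item)
            if found is not None:
                return found
    return None


def classify(status_code: int, body: str) -> Dict[str, Optional[str]]:
    """Apply the article's rule to one captured HTTP response."""
    if status_code == 302:
        return {"status": "patched", "label": None,
                "reason": "302: server demands authentication for the resource"}
    if status_code != 200:
        return {"status": "unknown", "label": None,
                "reason": f"HTTP {status_code}: the rule does not cover this response"}
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "unknown", "label": None,
                "reason": "200 but body is not JSON; inspect manually"}
    label = find_release_label(info)
    parsed = parse_release_label(label) if label else None
    if parsed is None:
        return {"status": "exposed", "label": label,
                "reason": "200: file readable unauthenticated, release label missing or unrecognised"}
    if parsed[:2] >= FIXED_RELEASE:
        return {"status": "patched", "label": label,
                "reason": "release label is November 2023 or later"}
    return {"status": "exposed", "label": label,
            "reason": "200 and release label predates November 2023"}


def triage(responses: Dict[str, Tuple[int, str]]) -> Dict[str, list]:
    """Group an inventory of host -> (status_code, body) by verdict."""
    groups = {"patched": [], "exposed": [], "unknown": []}
    for host, (code, body) in sorted(responses.items()):
        groups[classify(code, body)["status"]].append(host)
    return groups


# Constructed sample responses for the demonstration; not real server output.
SAMPLE_RESPONSES = {
    "qlik-a.example.test": (302, ""),
    "qlik-b.example.test": (200, json.dumps(
        {"composition": {"releaseLabel": "February 2022 Patch 3"}})),
    "qlik-c.example.test": (200, json.dumps(
        {"composition": {"releaseLabel": "November 2023 Patch 1"}})),
    "qlik-d.example.test": (200, "<html>not json</html>"),
}

if __name__ == "__main__":
    for host, (code, body) in SAMPLE_RESPONSES.items():
        print(host, classify(code, body))
    print(triage(SAMPLE_RESPONSES))
```

Feed it the status code and body captured by cURL for each of your own hosts; anything in the "exposed" group should be upgraded per the Qlik advisories, and anything "unknown" deserves a manual look rather than being assumed safe.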
As Arctic Wolf explains, the Cactus ransomware group redirects the commands’ output to a TTF file named qle.ttf.
The threat group also used the qle.woff file in some instances. Moreover, these exploit files can be accessed without authentication.
When checking for these particular kinds of files, it was revealed that there are around 122 servers, of which the United States has the highest number, 49, followed by 13 servers in Spain, 11 servers in Italy, 8 servers in the UK, 7 servers in Germany and Ireland, and 6 servers in the Netherlands.
It is recommended that organizations and users of QlikSense servers upgrade to the latest versions per the security advisories to prevent threat actors from exploiting these vulnerabilities.
Cyber Security News
Beware Of Malicious Search Results Leading To SolarMarker Malware Installation
SOC analysts identified a drive-by download attack delivering SolarMarker malware; the attack targeted users searching for team-building activities on Bing.
Attackers tricked the victim into downloading a seemingly harmless document by redirecting the user to a malicious website, impersonating the legitimate Indeed job search platform.
However, this downloaded file was actually the SolarMarker payload, which, upon execution, deployed additional malicious components, StellarInjector and SolarPhantom, to compromise the system further.
SolarMarker has changed its tactics: previously the backdoor was embedded directly in the code, whereas now the malware embeds it in the resource section of an AES-encrypted file.
Once executed, the initial payload displays a fake error message, and the backdoor connects to command and control (C2) servers at the IP addresses 2.58.15.118 and 146.70.80.83.
Threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) upon a successful backdoor server connection.
This payload injects SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process, enabling information stealing and hidden virtual network computing (hVNC) capabilities.
The backdoor configuration reveals that the target system is Windows 10 x86 and has limited privileges.
It targets Firefox browsing data, extracts the user’s profile path, and appends “saturn” and the location of the Firefox executable, which is likely used for further malicious actions.
The malware then uses an RSA public key, represented by the provided `<Modulus>` and `<Exponent>` elements, for potential encryption or validation, and appears to stage stolen data in temporary folders whose names are 10-digit values.
The information-stealing malware uses a specific algorithm to generate the folder names for the initial payload: the least significant byte of a v1 value is shifted by 8 bits and XORed with a byte.
The resulting index is used to retrieve a value from a CRC32 lookup table, and that retrieved value is XORed with the original v1 value, updating it for the next iteration.
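The per-byte update described above (index from the low byte and the input byte, table lookup, XOR back into the running value with an 8-bit shift) is the shape of the standard table-driven CRC32. The Python below is an added example, not SolarMarker's code and not from eSentire's report: it implements that routine, checks it against `zlib.crc32` so a reader can confirm the update step is the normal one, and exposes the 256-entry table as raw bytes, which is the constant a defender most often recognises when triaging a sample. Whether the malware's routine is bit-for-bit the standard one, and the `folder_name` helper's zero-padded decimal rendering as the source of the 10-digit names, are assumptions made here for illustration.

```python
"""Table-driven CRC32 as described in the SolarMarker write-up.

Added example, not the malware's code. The update step matches the standard
reflected CRC-32 (polynomial 0xEDB88320) and is verified against zlib.
"""
import struct
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (IEEE 802.3 / zlib)
MASK = 0xFFFFFFFF


def build_table():
    """Precompute the 256-entry lookup table the per-byte update indexes into."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = build_table()


def crc32_step(v1: int, byte: int) -> int:
    """One iteration: low byte of v1 XOR input byte selects the table entry,
    which is XORed with v1 shifted right by 8 bits to produce the next v1."""
    index = (v1 ^ byte) & 0xFF
    return (CRC_TABLE[index] ^ (v1 >> 8)) & MASK


def crc32(data: bytes, seed: int = MASK) -> int:
    """Run the update over every byte; seed and final XOR follow the standard."""
    v1 = seed
    for b in data:
        v1 = crc32_step(v1, b)
    return v1 ^ MASK


def folder_name(data: bytes) -> str:
    """ASSUMPTION for illustration only: render the 32-bit value as a
    zero-padded 10-digit decimal, the width of the folder names reported."""
    return f"{crc32(data):010d}"


def table_bytes() -> bytes:
    """The table as little-endian DWORDs, the form it takes in an x86 binary.
    Its first entries (00 00 00 00 96 30 07 77 ...) are a well-known signature
    for spotting CRC32 code in a sample."""
    return struct.pack("<256I", *CRC_TABLE)


if __name__ == "__main__":
    sample = b"constructed sample input"  # constructed, not malware data
    assert crc32(sample) == zlib.crc32(sample)
    print(hex(crc32(b"123456789")), folder_name(sample), table_bytes()[:8].hex())
```

The check value `crc32(b"123456789") == 0xCBF43926` is the published test vector for CRC-32, so a reverse engineer who steps through the sample's loop with that input can tell at once whether it deviates from the standard.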
It’s interesting to note that for this initial payload, SolarMarker is using two different certificates from DigiCert and GlobalSign.
eSentire’s Threat Response Unit (TRU) investigated a SolarMarker infection in April 2024; the attack began with a drive-by download on a user searching for team-building ideas on Bing.
It then deployed additional components, StellarInjector and SolarPhantom, for information theft and remote access.
The backdoor connected to servers at 2.58.15[.]118 and 146.70.80[.]83. The case highlights the use of SEO poisoning and fake websites impersonating legitimate ones, and the need for user vigilance and timely security updates.
The post Beware Of Malicious Search Results Leading To SolarMarker Malware Installation appeared first on Cyber Security News.