Microsoft has released the optional KB5027293 Preview cumulative update for Windows 10 22H2 with three new features and 11 additional fixes or changes. […] Read More
BleepingComputer
GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability
Attackers are exploiting the recently discovered critical vulnerability CVE-2023-46604 in Apache ActiveMQ to distribute GoTitan, a Golang-based botnet, and “PrCtrl Rat,” a remotely controllable .NET application.
Any system running Apache ActiveMQ versions earlier than 5.15.16, 5.16.7, 5.17.6, or 5.18.3 is susceptible to this critical vulnerability.
Apache released an advisory in October for this vulnerability (CVE-2023-46604), which stems from the deserialization of untrusted data in Apache ActiveMQ.
Given the severity and potential impact of this vulnerability, CISA added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) catalog on November 2.
In this case, the attacker sends a crafted packet that causes the server to unmarshal a class of their choosing.
The attacker must also host a prepared XML file externally; the susceptible server is prompted to retrieve that class-configuration XML from the supplied remote URL and load it.
The malicious XML file defines the arbitrary code that is to run on the compromised system. By setting parameters such as “cmd” or “bash,” attackers execute commands on the remote, susceptible server.
According to Fortinet researchers, GoTitan, a new botnet written in the Go programming language, was identified this month; it is retrieved from the malicious URL “hxxp://91.92.242.14/main-linux-amd64s”. The malware runs several checks before executing, and the attacker only provides binaries for x64 architectures.
It also creates a file called “c.log” that records the program status and execution time. This file appears to be a developer’s debug log, suggesting that GoTitan is still at an early stage of development.
It then retrieves the C2 IP address and gathers key facts about the exploited endpoint, such as CPU details, memory, and architecture.
“GoTitan communicates with its C2 server by sending ‘xFExFE’ as a heartbeat signal and waiting for further instructions. When it receives a command, it passes it to a function named ‘handle_socket_func2’ that determines an attack method,” the researchers explain.
GoTitan can launch distributed denial-of-service (DDoS) attacks using 10 distinct methods, including TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
Researchers also found more well-known malware and tools in use, like Sliver, Kinsing, and Ddostf.
System updates, patching, and continuous monitoring of security advisories are essential to reduce the danger of exploitation.
The post GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability appeared first on Cyber Security News.
Cyber Security News
Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console
Since Microsoft disabled Office macros in documents downloaded from the Internet, attackers have shifted to vectors such as JavaScript, MSI files, LNK objects, and ISOs.
Some sophisticated attackers now use other, previously undisclosed methods to avoid detection.
Security researchers at Elastic have spotted a new infection technique, dubbed “GrimResource,” that uses MSC files to run code inside mmc.exe when a user interacts with a modified file.
The technique was first observed on VirusTotal on June 6, reflecting the continuing evolution of malware delivery mechanisms in response to improved security features.
The GrimResource technique exploits an old XSS vulnerability in the apds.dll library, allowing arbitrary JavaScript execution within mmc.exe when a specially crafted MSC file is opened.
Combined with DotNetToJScript, this leads to arbitrary code execution. A sample of this type, previously unknown to VirusTotal, uses transformNode obfuscation and embedded VBScript to set up the attack.
Next, a custom loader called PASTALOADER retrieves the payload from environment variables and injects it into a new dllhost.exe instance using stealthy methods such as DirtyCLR, function unhooking, and indirect syscalls.
The final payload was Cobalt Strike, which shows how sophisticated this new attack vector is.
The GrimResource technique can be detected in several ways: monitoring for suspicious execution through Microsoft Common Console, detecting .NET COM object creation by non-standard Windows script interpreters, and observing script execution from MMC console files.
In the core technique, apds.dll executes JavaScript via the XSS flaw, which can be detected through file-open events. Additional forensic artifacts, such as temporary HTML files created in the INetCache folder, are also present.
Although some behaviors, such as mmc.exe loading certain DLLs, may be normal, malicious activity can be identified by combining these indicators.
These detections cover different stages of the attack chain, from initial execution to payload delivery, and together provide a comprehensive means of identifying this advanced technique.
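The indicator-combining logic described above, as an added example that is not part of the original article or of Elastic's own detection rules. It assumes Sysmon-style JSON telemetry (EventID 1 process create, 7 image load, 11 file create) and treats an MSC file opened from outside the Windows directory as an assumed heuristic for a "modified" console file; the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style JSON lines (one event per line). PIDs, user names
# and paths are made up for this example; they are not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mmc.exe", "CommandLine": "mmc.exe C:\\Users\\alice\\Downloads\\invoice.msc"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mmc.exe", "ImageLoaded": "C:\\Windows\\System32\\apds.dll"}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mmc.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\X1Y2Z3\\redirect[1].html"}
{"EventID": 1, "ProcessId": 5310, "Image": "C:\\Windows\\System32\\mmc.exe", "CommandLine": "mmc.exe C:\\Windows\\System32\\services.msc"}
{"EventID": 7, "ProcessId": 5310, "Image": "C:\\Windows\\System32\\mmc.exe", "ImageLoaded": "C:\\Windows\\System32\\apds.dll"}
"""

def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_mmc(event):
    return event.get("Image", "").lower().endswith("\\mmc.exe")

def msc_from_untrusted_path(cmdline):
    """Assumed heuristic: a .msc argument that does not live under C:\\Windows
    is treated as untrusted (built-in consoles ship from %SystemRoot%)."""
    for token in cmdline.lower().replace('"', ' ').split():
        if token.endswith(".msc") and not token.startswith("c:\\windows\\"):
            return True
    return False

def grimresource_findings(events):
    """Correlate per-PID mmc.exe indicators: the apds.dll load is only
    reported when paired with at least one stronger GrimResource artefact."""
    by_pid = defaultdict(lambda: {"untrusted_msc": False,
                                  "apds_loaded": False,
                                  "inetcache_html": False})
    for ev in events:
        if not is_mmc(ev):
            continue
        ind = by_pid[ev["ProcessId"]]
        eid = ev.get("EventID")
        if eid == 1 and msc_from_untrusted_path(ev.get("CommandLine", "")):
            ind["untrusted_msc"] = True
        elif eid == 7 and ev.get("ImageLoaded", "").lower().endswith("\\apds.dll"):
            ind["apds_loaded"] = True
        elif eid == 11:
            target = ev.get("TargetFilename", "").lower()
            if "\\inetcache\\" in target and target.endswith((".htm", ".html")):
                ind["inetcache_html"] = True
    # mmc.exe loading apds.dll on its own is normal, so it never alerts alone.
    return [{"pid": pid, **ind} for pid, ind in by_pid.items()
            if ind["apds_loaded"] and (ind["untrusted_msc"] or ind["inetcache_html"])]

if __name__ == "__main__":
    for f in grimresource_findings(parse_events(SAMPLE_EVENTS)):
        print(f"GrimResource indicators in mmc.exe PID {f['pid']}: {f}")
```

Only PID 4120 is reported; the legitimate services.msc session (PID 5310) loads apds.dll too but triggers no other indicator.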
This new attack involves using modified MSC files to run arbitrary code through the Microsoft Management Console.
Security experts recommend that defenders implement practical detection guidance against this technique before it is adopted by most threat actors targeting the commodity market.
This highlights the need for proactive security measures in response to ever-changing cyber threats.
The post Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console appeared first on Cyber Security News.
Hackers steal Windows NTLM authentication hashes in phishing attacks
The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks. […] Read More
BleepingComputer