Not Simon

This is not Simon. Opinions are made by a screaming goat and do not express the views or opinions of his goatherder.

2024-04-22

@deepthoughts10 I had to go back to the original article to see any mention of China. After the iSoon leaks, I suspect ToddyCat is yet another hackers-for-hire company in China's private industry.

2024-04-22

@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: infosec.exchange/@h4sh/1123165

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them needs some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of the VFS sandbox might not need authentication. I am not sure.

#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation

2024-04-22

@GossiTheDog Wasn't the reason because ALPHV banned the RaaS affiliate and exit scammed? The affiliate was left holding the exfiltrated data and had no better option than to extort the company again.

I know there's a $10 million reward but I didn't hear anything about sanctions: state.gov/rewards-for-justice-

Not Simon boosted:
2024-04-22

The United States State Department issues a visa ban on 13 people and some of their family members. The reason is the proliferation of spyware. state.gov/promoting-accountabi

Not Simon boosted:
The Record (therecord_media)
2024-04-22

CrushFTP urges customers to patch file transfer tool ‘ASAP’ therecord.media/crushftp-file-

2024-04-22

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). cve.org/CVERecord?id=CVE-2024-

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

Not Simon boosted:
2024-04-22

Wall Street Journal has a leak from the Change Healthcare ransomware incident

- Initial entry was via a remote access system without MFA
- Dwell time was 9 days
- They paid the ransom, then got held to ransom again and had data leaked anyway

wsj.com/articles/change-health

#threatintel #ransomware

2024-04-22

@mttaggart Another interesting point is that CVE-2022-38028 was originally reported to Microsoft by the National Security Agency, as Bleeping Computer mentioned: bleepingcomputer.com/news/secu

Since it was not disclosed as exploited at the time, we might infer that NSA didn't observe exploitation in the wild by a foreign adversary like APT28 back in 2022. So how did NSA come across CVE-2022-38028? 🤔 I hope I don't have to explicitly say it.

2024-04-22

@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

2024-04-22

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 jenkins.io/security/advisory/2

#CVE_2023_48795 #Terrapin #vulnerability #Jenkins

2024-04-22

@rbos @BleepingComputer If by last few years you mean 2021, then there have been at least 58 Windows Print Spooler vulnerabilities cve.mitre.org/cgi-bin/cvekey.c

2024-04-22

Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019), i.e. for 2 years and 4 months. APT28 is publicly attributed to the Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 microsoft.com/en-us/security/b

cc: @serghei @campuscodi @briankrebs @jwarminsky

#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg

2024-04-22

New York Times: A report by Stanford researchers cautions that the National Center for Missing and Exploited Children doesn’t have the resources to help fight a new flood of child sexual abuse material created by artificial intelligence. nytimes.com/2024/04/22/technol

#CSAM #news #AI

2024-04-22

The Record: UK arrests 2 for breaching the Official Secrets Act on behalf of China. Germany arrests 3 for obtaining information on innovative technologies with military uses for China's Ministry of State Security. 🔗 therecord.media/germany-arrest

#espionage #news #China

2024-04-22

SANS ISC notes that the number of industrial control system devices accessible from the internet rose by 30,000: 🔗 isc.sans.edu/diary/rss/30860

#ICS

2024-04-22

SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as 'MagicDot') from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 safebreach.com/blog/magicdot-a

#MagicDot #CVE_2023_42757 #CVE_2023_32054 #CVE_2023_36396
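The quoted sentence describes the conversion behaviour precisely enough to model it: trailing dots are dropped from every path element, and trailing spaces from the last one. The snippet below is an added example, not code from the post or from the SafeBreach write-up. It models that described behaviour in plain Python (it does not call the Windows API, and the handling of the "." and ".." elements and the strip order at the last element are assumptions of the model) and then uses the model for a defensive inventory check: names that change under the conversion, or that collide with another name after it, are the ones that a user-space listing cannot show faithfully and so deserve a look.

```python
"""Model of the DOS-to-NT path normalisation described in the MagicDot post,
plus a defensive check for names it can hide. Added example, not the write-up's code."""
from collections import defaultdict


def normalise_dos_path(path):
    """Model of the described conversion: trailing dots are removed from every
    path element; trailing spaces are removed from the last element only.
    Assumptions of this model (not stated in the post): the special elements
    '.' and '..' are left alone, and at the last element spaces are stripped
    before dots so 'name. ' and 'name.' both collapse to 'name'."""
    elements = path.replace("/", "\\").split("\\")
    last = len(elements) - 1
    out = []
    for i, element in enumerate(elements):
        if element in (".", ".."):
            out.append(element)
            continue
        if i == last:
            element = element.rstrip(" ")
        out.append(element.rstrip("."))
    return "\\".join(out)


def is_altered_by_conversion(path):
    """True when the conversion would yield a different path, i.e. the name as
    written is only reachable through the NT namespace and would be misreported
    by user-space tooling that goes through the DOS path conversion."""
    return normalise_dos_path(path) != path


def find_collisions(paths):
    """Group paths that become identical after conversion. Any group with more
    than one member is a pair a user-space listing cannot tell apart."""
    groups = defaultdict(list)
    for p in paths:
        groups[normalise_dos_path(p)].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


def audit(paths):
    """Return (altered_names, collision_groups) for a directory inventory."""
    altered = [p for p in paths if is_altered_by_conversion(p)]
    return altered, find_collisions(paths)


if __name__ == "__main__":
    # Constructed sample inventory, as an NT-level listing might report it.
    sample = [
        r"C:\Users\alice\report.docx",
        r"C:\Users\alice\report.docx.",     # same name with a trailing dot
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\svchost.exe ", # same name with a trailing space
        r"C:\Users\alice\notes.txt",
    ]
    altered, collisions = audit(sample)
    print("names altered by conversion:", altered)
    print("collision groups:", collisions)
```

Running the check against an NT-level directory listing, rather than one produced through the DOS path APIs, is the point: the model only tells you which names in that listing would be misreported.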

2024-04-22

Kaspersky reports on TTPs used by the cyberespionage group ToddyCat, an APT with little history and not currently attributed to any country. ToddyCat uses LoFiSe and PcExter for collecting and exfiltrating files. They used a reverse SSH tunnel to maintain access, the server utility (VPN Server) from SoftEther VPN, the Ngrok agent and Krong (proxy), the FRP client (fast reverse proxy), a new tool called Cuthead for data collection, WAExp (WhatsApp data stealer), and TomBerBil for stealing passwords from browsers. IOC included. 🔗 securelist.com/toddycat-traffi

#ToddyCat #cyberespionage #APT #threatintel #IOC

2024-04-22

Elastic on CVE-2024-3094 🔗 discuss.elastic.co/t/elastic-s

On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.

#CVE_2024_3094 #xz #xzbackdoor #supplychainattack

2024-04-22

The Register: SafeBreach presented at the Black Hat Asia conference on Friday that flaws in Microsoft and Kaspersky security products could potentially allow the remote deletion of files. Microsoft Defender and Kaspersky's Endpoint Detection and Response (EDR) can be made to detect false positive indicators of malicious files – and then to delete them. The attack relies on the fact that Microsoft and Kaspersky use byte signatures – unique sequences of bytes in file headers – to detect malware. "Our goal was to confuse EDR by implanting malware signatures into legit files and make them think it's malicious" 🔗 theregister.com/2024/04/22/edr

#MicrosoftDefender #Kaspersky #attackvector #EDR

2024-04-22

The Computer Emergency Response Team of Ukraine (CERT-UA) warns about malicious activity aimed at gaining access to WhatsApp. Unidentified threat actors (tracked as UAC-0195) are distributing a fake electronic petition for awarding the title "Hero of Ukraine". Victims would enter a mobile phone number and add a third-party device to their WhatsApp account (this includes attacker-provided video instructions). IOC provided. 🔗 (Ukrainian) cert.gov.ua/article/6278735

#threatintel #UAC0195 #IOC #WhatsApp #Ukraine
