Python InfoStealer With Dynamic Sandbox Detection
Published: 2024-02-20
Last Updated: 2024-02-20 07:07:02 UTC
by Xavier Mertens (Version: 1)
Infostealers written in Python are not new. They also carry a lot of sandbox-detection logic to avoid being executed (and probably detected) by automated analysis. Last week, I found one that uses the same approach but in a different way. Usually, the scripts embed a list of "bad stuff" to check, such as MAC addresses, usernames and process names. These are common ways to detect simple sandboxes that are not well hardened. This time, the "IOD" (Indicators Of Detection) list is stored online on a Pastebin-like site, so the indicators can be updated for all scripts already deployed. It is also a way to disclose less interesting information in the script itself.
Read the full entry:
https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668/
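The check described above, reduced to its two parts, as an added example that is not the analysed sample's code: an indicator list in a simple "category:value" text format of the kind a script can fetch from a paste site, and the comparison of that list against locally collected host attributes. The blob, its format and both host snapshots are constructed for this example, and nothing here touches the network.

```python
"""
Added example (not the analysed sample's code): a sandbox check driven by an
indicator list that is parsed at run time instead of hard-coded.
The indicator blob, its format and the host snapshots are constructed.
"""
from __future__ import annotations

# Constructed stand-in for the text a sample would fetch at run time.
# Lines are "category:value"; '#' lines are comments. Only the first ':'
# separates category from value, so MAC prefixes keep their colons.
REMOTE_INDICATORS = """\
# indicators of detection (constructed)
mac_prefix:00:0c:29
mac_prefix:08:00:27
username:sandbox
username:malware
hostname:desktop-sandbox
process:vmtoolsd.exe
process:wireshark.exe
"""

# Constructed host snapshots: what the script would collect locally.
SANDBOX_HOST = {
    "mac": "00:0C:29:AB:CD:EF",
    "username": "Sandbox",
    "hostname": "DESKTOP-SANDBOX",
    "processes": ["explorer.exe", "VMTOOLSD.EXE"],
}
VICTIM_HOST = {
    "mac": "3C:22:FB:12:34:56",
    "username": "jdoe",
    "hostname": "LAPTOP-JD",
    "processes": ["explorer.exe", "outlook.exe"],
}


def parse_indicators(text: str) -> dict[str, set[str]]:
    """Parse the blob into lower-cased value sets keyed by category.
    Unknown categories are kept, so the list can grow without a script update."""
    indicators: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        category, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        indicators.setdefault(category.strip().lower(), set()).add(value.strip().lower())
    return indicators


def match_indicators(host: dict, indicators: dict[str, set[str]]) -> list[str]:
    """Return every indicator the host matches, as sorted 'category=value' strings.
    An empty list means none of the listed sandbox traits were seen."""
    hits: list[str] = []
    mac = host.get("mac", "").lower()
    for prefix in indicators.get("mac_prefix", set()):
        if mac.startswith(prefix):
            hits.append(f"mac_prefix={prefix}")
    for field in ("username", "hostname"):
        value = host.get(field, "").lower()
        if value in indicators.get(field, set()):
            hits.append(f"{field}={value}")
    running = {p.lower() for p in host.get("processes", [])}
    for proc in running & indicators.get("process", set()):
        hits.append(f"process={proc}")
    return sorted(hits)


def looks_like_sandbox(host: dict, blob: str = REMOTE_INDICATORS) -> bool:
    """The go/no-go decision a sample makes before running its payload."""
    return bool(match_indicators(host, parse_indicators(blob)))


if __name__ == "__main__":
    table = parse_indicators(REMOTE_INDICATORS)
    for name, host in (("sandbox", SANDBOX_HOST), ("victim", VICTIM_HOST)):
        print(name, match_indicators(host, table) or "no indicators matched")
```

For the analyst, two consequences follow from this design. The URL of the paste is the pivot worth extracting and blocking, and the paste content should be saved at analysis time, because the operator can change it after the fact and the script's behaviour changes with it. The list also tells you exactly which traits of your sandbox the operator already knows about.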
Phishing pages hosted on archive.org
Published: 2024-02-21
Last Updated: 2024-02-21 07:27:43 UTC
by Jan Kopriva (Version: 1)
The Internet Archive is a well-known and much-admired institution, devoted to creating a "digital library of Internet sites and other cultural artifacts in digital form". On its Wayback Machine website, hosted on https://archive.org/, one can view archived historical web pages from as far back as 1996. The Internet Archive basically functions as a memory for the web, and currently holds over 800 billion web pages as well as millions of books, audio and video recordings and other content. Unfortunately, since it allows users to upload files, it is also used by threat actors to host malicious content from time to time.
Read the full entry:
https://isc.sans.edu/diary/Phishing+pages+hosted+on+archiveorg/30676/
YARA 4.5.0 Release (2024.02.18)
https://isc.sans.edu/diary/YARA+450+Release/30662/
Wireshark 4.2.3 Released (2024.02.18)
https://isc.sans.edu/diary/Wireshark+423+Released/30660/
Mirai-Mirai On The Wall... [Guest Diary] (2024.02.18)
https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658/
[Guest Diary] Learning by doing: Iterative adventures in troubleshooting (2024.02.15)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
Product: SolarWinds Access Rights Manager
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23476
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23477
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23479
NVD References:
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479

CVE-2024-21915 - Rockwell Automation FactoryTalk® Service Platform (FTSP) has a privilege escalation vulnerability that could allow a malicious user to gain administrator privileges and potentially compromise sensitive data, delete information, and disrupt system operations.
Product: Rockwell Automation FactoryTalk® Service Platform
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21915
NVD References:
- https://www.rockwellautomation.com/en-us/support/advisory.SD1662.html

CVE-2024-0610 - The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1.
Product: Piraeus Bank WooCommerce Payment Gateway plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0610
NVD References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035641%40woo-payment-gateway-for-piraeus-bank&new=3035641%40woo-payment-gateway-for-piraeus-bank&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f17c4748-2a95-495c-ad3b-86b272855791?source=cve

CVE-2024-1512 - The MasterStudy LMS WordPress Plugin is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5.
Product: MasterStudy LMS WordPress Plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1512
NVD References:
- https://plugins.trac.wordpress.org/changeset/3036794/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d6b6d824-51d3-4da9-a39a-b957368df4dc?source=cve

CVE-2024-1597 - pgjdbc, the PostgreSQL JDBC Driver, is vulnerable to SQL injection when using PreferQueryMode=SIMPLE, allowing attackers to alter queries and bypass parameterized query protections in certain versions.
Product: pgjdbc PostgreSQL JDBC Driver
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1597
NVD References:
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56

CVE-2023-50257 - eProsima Fast DDS (formerly Fast RTPS) is vulnerable to a Disconnect Vulnerability in RTPS Packets Used by SROS2, allowing malicious attackers to forcibly disconnect and deny Subscribers connections.
Product: eProsima Fast DDS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50257
NVD References:
- https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4
- https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026
- https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13
- https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86
- https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98

CVE-2023-6260 - Brivo ACS100 and ACS300 are vulnerable to OS Command Injection, allowing attackers to bypass physical security measures from version 5.2.4 to 6.2.4.3.
Product: Brivo ACS100
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6260
NVD References:
- https://sra.io/advisories/

CVE-2024-1297 - Loomio version 2.22.0 is vulnerable to OS Command Injection, allowing attackers to execute arbitrary commands on the server.
Product: Loomio version 2.22.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1297
NVD References:
- https://fluidattacks.com/advisories/stones
- https://github.com/loomio/loomio

CVE-2024-1644 - Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI.
Product: Suite CRM
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1644
NVD References:
- https://fluidattacks.com/advisories/silva/
- https://github.com/salesagility/SuiteCRM/

CVE-2024-1651 - Torrentpier version 2.4.1 is vulnerable to insecure deserialization, allowing for arbitrary command execution on the server.
Product: TorrentPier version 2.4.1
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1651
NVD References:
- https://fluidattacks.com/advisories/xavi/
- https://github.com/torrentpier/torrentpier

CVE-2024-1608 - OPPO Usercenter Credit SDK is vulnerable to an escalation of privilege through loose permission checks, allowing for potential internal information leaks without user interaction.
Product: OPPO Usercenter Credit SDK
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1608
NVD References:
- https://security.oppo.com/en/noticeDetail?notice_on…
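One way to assemble a list like the one above from the feeds the preamble names (NVD records, vendor advisories, social-media mentions and the CISA KEV catalog), as an added example that is not ISC's own tooling: records from every feed are collapsed by CVE ID, the highest score seen is kept, and entries without a score are held at the end, as the digest does. The CVE IDs and CVSS scores are the ones printed above; which constructed feed carries which ID, and the KEV membership, are invented for the example and say nothing about the real catalogs.

```python
"""
Added example, not ISC's tooling: merge several vulnerability feeds into one
ranked list. Feed contents and KEV membership below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: float | None          # None = not scored yet (e.g. not in NVD)
    in_kev: bool
    sources: frozenset[str]


# Constructed feed contents. Scores are the ones printed in the digest above.
FEEDS = {
    "nvd": [
        {"cve": "CVE-2024-1597", "product": "pgjdbc PostgreSQL JDBC Driver", "cvss": 10.0},
        {"cve": "CVE-2024-1297", "product": "Loomio 2.22.0", "cvss": 10.0},
        {"cve": "CVE-2024-0610", "product": "Piraeus Bank WooCommerce Payment Gateway plugin", "cvss": 9.8},
        {"cve": "CVE-2024-21915", "product": "Rockwell Automation FactoryTalk Service Platform", "cvss": 9.0},
        {"cve": "CVE-2023-6260", "product": "Brivo ACS100", "cvss": 9.0},
    ],
    # A social-media mention carries only the ID, in whatever case it was typed.
    "twitter": [{"cve": "cve-2023-6260"}],
    # A vendor advisory for an entry this constructed NVD feed has not scored.
    "vendor": [{"cve": "CVE-2024-1608", "product": "OPPO Usercenter Credit SDK"}],
}

# Constructed KEV stand-in: membership is for illustration only.
KEV_IDS = {"CVE-2024-21915"}


def _max_score(a: float | None, b: float | None) -> float | None:
    return max((s for s in (a, b) if s is not None), default=None)


def merge(feeds: dict[str, list[dict]], kev_ids: set[str]) -> dict[str, Vuln]:
    """Collapse records from all feeds into one Vuln per CVE ID.
    Keeps the highest score seen and the first non-empty product name."""
    kev = {k.upper() for k in kev_ids}
    by_cve: dict[str, Vuln] = {}
    for source, records in feeds.items():
        for rec in records:
            cve = rec["cve"].upper()
            product = rec.get("product") or ""
            score = rec.get("cvss")
            cur = by_cve.get(cve)
            if cur is None:
                by_cve[cve] = Vuln(cve, product, score, cve in kev, frozenset({source}))
            else:
                by_cve[cve] = replace(
                    cur,
                    product=cur.product or product,
                    cvss=_max_score(cur.cvss, score),
                    sources=cur.sources | {source},
                )
    return by_cve


def rank(vulns) -> list[Vuln]:
    """KEV-listed first, then scored entries by CVSS descending, unscored last;
    ties are broken by CVE ID so the output is stable between runs."""
    def key(v: Vuln):
        return (0 if v.in_kev else 1, 0 if v.cvss is not None else 1, -(v.cvss or 0.0), v.cve)
    return sorted(vulns, key=key)


def ranked_ids(feeds: dict[str, list[dict]] = FEEDS, kev_ids: set[str] = KEV_IDS) -> list[str]:
    """Convenience wrapper: the final ordering as a list of CVE IDs."""
    return [v.cve for v in rank(merge(feeds, kev_ids).values())]


if __name__ == "__main__":
    for v in rank(merge(FEEDS, KEV_IDS).values()):
        score = "unscored" if v.cvss is None else f"{v.cvss:.1f}"
        flag = " [KEV]" if v.in_kev else ""
        print(f"{v.cve:<16} {score:>8}{flag}  {v.product}  via {','.join(sorted(v.sources))}")
```

Putting KEV membership ahead of the score is a deliberate choice: an entry that is known to be exploited in the wild is worth acting on before a higher-scored one that is not, and an unscored KEV entry should not sink to the bottom just because NVD has not caught up.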