INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Increase in the number of phishing messages pointing to IPFS and to R2 buckets
Published: 2024-03-14
Last Updated: 2024-03-14 08:57:10 UTC
by Jan Kopriva (Version: 1)
Credential-stealing phishing is constantly evolving; nevertheless, some aspects of it – by necessity – stay the same. One thing that is constant is the need for a credential gathering mechanism, and although threat actors have come up with a number of alternatives to simply hosting a fake login page somewhere (e.g., using a third-party “forms” service or attaching an entire phishing page to an e-mail), the old approach of placing a phishing page on an internet-connected server and linking to it from e-mail messages is commonly used to this day.
Still, even when it comes to this kind of phishing, interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages.
IPFS, or the InterPlanetary File System, is a Web3 storage system – a distributed, peer-to-peer data sharing network, originally conceived back in 2015 – which has been used by threat actors to host malicious content since at least 2022. R2 is a Cloudflare object storage service, which enables owners of buckets to expose their content publicly on the r2.dev domain. The service was rolled out by Cloudflare in 2022 and threat actors started to use it to host malicious files the same year.
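As an added illustration (this is not code from the diary or from ISC), the following Python snippet triages a list of URLs extracted from reported e-mails and flags the two hosting patterns described above: links into IPFS (path-style gateways such as host/ipfs/CID, subdomain-style gateways such as CID.ipfs.host, and the ipfs:// scheme) and links to public R2 buckets under r2.dev. The gateway URL layouts and the CID shapes matched are assumptions about how such links usually look; the sample URLs are constructed for the example.

```python
# Added example, not from the ISC diary: flag URLs that point at IPFS gateways
# or at public Cloudflare R2 buckets on r2.dev when triaging reported links.
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption: CIDv0 is "Qm" + 44 base58 chars; CIDv1 in gateway URLs is usually
# lower-case base32 ("bafy..."). This is a shape check, not a full CID validator.
_CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
_IPFS_PATH = re.compile(rf"^/ipfs/{_CID}(?:/|$)")       # path gateway: host/ipfs/<cid>/...
_IPFS_SUBDOMAIN = re.compile(rf"^{_CID}\.ipfs\.")       # subdomain gateway: <cid>.ipfs.host


def classify_url(url: str) -> Optional[str]:
    """Return "ipfs", "r2" or None depending on where the URL is hosted."""
    p = urlparse(url)
    host = p.hostname or ""          # .hostname is already lower-cased
    if p.scheme == "ipfs":
        return "ipfs"
    # Only the r2.dev zone itself counts; "r2.dev.example.com" is a lookalike.
    if host == "r2.dev" or host.endswith(".r2.dev"):
        return "r2"
    if _IPFS_PATH.match(p.path) or _IPFS_SUBDOMAIN.match(host):
        return "ipfs"
    return None


def triage(urls):
    """Group URLs by hosting class; URLs matching neither class are dropped."""
    out = {"ipfs": [], "r2": []}
    for u in urls:
        kind = classify_url(u)
        if kind:
            out[kind].append(u)
    return out


# Constructed sample input for the example (not real phishing links).
SAMPLE_URLS = [
    "https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/login.html",
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/",
    "https://pub-0123456789abcdef0123456789abcdef.r2.dev/office/index.html",
    "https://example.com/ipfs/notacid/login",        # "/ipfs/" but no CID
    "https://r2.dev.example.com/x",                   # lookalike zone
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_URLS).items():
        print(kind, hits)
```

The CID shape check is what keeps "/ipfs/" appearing in an unrelated path from producing a false positive; for R2, the suffix comparison is anchored on the registered zone so that lookalike domains are not matched.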
Although the use of IPFS and R2 buckets to host phishing pages is therefore nothing new, I did notice a significant increase in the number of new phishing campaigns that used these hosting options starting around the middle of February… You can see this increase in the following chart ...
Read the full entry:
Attacker Hunting Firewalls
Published: 2024-03-19
Last Updated: 2024-03-19 13:29:09 UTC
by Johannes Ullrich (Version: 1)
Firewalls and other perimeter devices are a huge target these days. Ivanti, Fortigate, Citrix, and others offer plenty of difficult-to-patch vulnerabilities for attackers to exploit. Ransomware actors and others are always on the lookout for new victims. However, being an access broker or ransomware peddler is challenging: The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims.
As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day. For example:
December 7th, 2023: We see this IP address for the first time doing widespread scans. It starts with scans for the URL "/remote/login". This URL is commonly associated with Fortinet's FortiOS. A few days later, on December 12th, Fortigate released several patches.
December 12th, 2023: Scans for "/login". This is a bit too generic to link it with a specific vulnerability.
The next big scan from this IP address doesn't show up until March 9th. The attacker is still looking for "/remote/login", which is a good hint that the same actor still controls this system. These last few days, the activity from this IP address heated up, and we now see some diversity in scans. The URLs include, for example ...
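The pattern described above, one source address probing product-specific login paths on different days, can be pulled out of ordinary web server logs. The following Python snippet is an added example (not the diary's code or ISC's tooling): it parses combined-format access log lines, keeps only requests for the paths the diary mentions ("/remote/login", "/remote/hostcheck_validate", "/login"), and reports addresses that hit them on at least two distinct days. The log lines are constructed for the example and use TEST-NET addresses, not the address from the diary.

```python
# Added example, not from the ISC diary: find source IPs that probe
# perimeter-device login paths on more than one day.
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields needed here are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Paths named in the diary. "/remote/login" and "/remote/hostcheck_validate"
# belong to FortiOS's SSL-VPN web interface; "/login" is too generic on its own.
WATCH_PATHS = {
    "/remote/login": "FortiOS SSL-VPN login",
    "/remote/hostcheck_validate": "FortiOS SSL-VPN host check",
    "/login": "generic login page",
}


def parse_line(line):
    """Return (ip, ISO date, path without query string) or None if unparsable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.date().isoformat(), m["path"].split("?", 1)[0]


def find_scanners(lines, watch_paths=WATCH_PATHS, min_days=2):
    """Return {ip: {date: [watched paths]}} for every IP that requested a watched
    path on at least `min_days` distinct days. One-off hits are dropped."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, day, path = rec
        if path in watch_paths:
            seen[ip][day].add(path)
    return {
        ip: {day: sorted(paths) for day, paths in sorted(days.items())}
        for ip, days in seen.items()
        if len(days) >= min_days
    }


# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2023:03:12:41 +0000] "GET /remote/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2023:09:44:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2023:09:45:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [09/Mar/2024:17:20:33 +0000] "GET /remote/login?lang=en HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [09/Mar/2024:17:21:00 +0000] "GET /login HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:02:00:01 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 404 153 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    for ip, days in find_scanners(SAMPLE_LOG).items():
        print(ip)
        for day, paths in days.items():
            print("  ", day, ", ".join(f"{p} ({WATCH_PATHS[p]})" for p in paths))
```

On the constructed input only 203.0.113.5 is reported, with the December and March sightings laid out day by day; 198.51.100.7 touched "/login" once and is filtered out. Running this over a longer retention window is what makes the multi-month gap and the return to the same path visible.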
Read the full entry:
https://isc.sans.edu/diary/Attacker+Hunting+Firewalls/30758/
Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability
Published: 2024-03-20
Last Updated: 2024-03-20 13:05:39 UTC
by Johannes Ullrich (Version: 1)
Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch. A few days prior to the GitHub post, the exploit was published on the Chinese QQ messaging network.
It took so long for an exploit to materialize because the vulnerability isn’t quite as trivial to exploit as the path traversal and command injection vulnerabilities usually found in similar devices. This is an "old fashioned" out-of-bounds write vulnerability requiring some assembly skills to craft a working exploit.
The vulnerability is triggered by the use of "Chunked Encoding". Chunked encoding implementations have been problematic in the past. Instead of advertising the length of the HTTP request's body via a "Content-Length" header, chunked encoding breaks the body into individual "chunks," each with a length field.
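To make the framing concrete, here is a strict decoder for HTTP/1.1 chunked transfer encoding. It is an added example, not FortiOS code and not from the diary, and it says nothing about how FortiOS's implementation fails; it shows the chunk-size / CRLF / data / CRLF layout the paragraph refers to, together with the checks a careful implementation performs on the attacker-controlled length field before using it (hexadecimal only, bounded field width, per-chunk and total-size caps, exact CRLF after the data, explicit handling of the zero-length terminator and trailer section). The size limits and the sample message are assumptions made for the example.

```python
# Added example, not from the ISC diary and not FortiOS code: a strict decoder
# for HTTP/1.1 chunked transfer encoding (RFC 9112 section 7.1 layout).
MAX_CHUNK = 1 << 20   # assumption: 1 MiB per chunk is plenty for this example
MAX_BODY = 8 << 20    # assumption: 8 MiB total body cap


class ChunkedError(ValueError):
    """Raised for anything malformed, oversized or truncated."""


def decode_chunked(data: bytes, max_chunk=MAX_CHUNK, max_body=MAX_BODY):
    """Decode a chunked body. Returns (body, trailers, bytes_consumed).

    Every chunk is "<hex size>[;extensions]\\r\\n<size bytes>\\r\\n"; the body
    ends with a zero-size chunk, optional trailer header lines, and "\\r\\n".
    """
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkedError("chunk-size line not terminated")
        # Chunk extensions (";name=value") are dropped; only the size is used.
        size_field = data[pos:nl].split(b";", 1)[0].strip()
        if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkedError("chunk size is not hexadecimal: %r" % size_field)
        if len(size_field) > 8:
            raise ChunkedError("chunk size field too long")   # bound before converting
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            break                                              # last-chunk
        if size > max_chunk:
            raise ChunkedError(f"chunk of {size} bytes exceeds per-chunk limit")
        if len(out) + size > max_body:
            raise ChunkedError("body exceeds total size limit")
        if len(data) - pos < size + 2:
            raise ChunkedError("truncated chunk data")         # never read past the buffer
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        out += data[pos:pos + size]
        pos += size + 2
    # Trailer section: zero or more "Name: value" lines, then an empty line.
    trailers = {}
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkedError("trailer section not terminated")
        line = data[pos:nl]
        pos = nl + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ChunkedError("malformed trailer line")
        trailers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return bytes(out), trailers, pos


def body_framing(headers: dict) -> str:
    """Decide how a request body is delimited from lower-cased headers.
    Transfer-Encoding takes precedence over Content-Length; a message that
    carries both is ambiguous and is rejected outright here."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and cl is not None:
        raise ChunkedError("both Transfer-Encoding and Content-Length present")
    if te is not None:
        if te.split(",")[-1].strip().lower() != "chunked":
            raise ChunkedError("final transfer coding must be chunked")
        return "chunked"
    if cl is not None:
        if not cl.strip().isdigit():
            raise ChunkedError("Content-Length is not a non-negative integer")
        return "content-length"
    return "none"


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ChunkedError; used to exercise the checks."""
    try:
        fn(*args)
    except ChunkedError:
        return True
    return False


# Constructed sample body: three chunks (one with an extension), a trailer.
SAMPLE = (b"4\r\nWiki\r\n"
          b"6;ext=1\r\npedia \r\n"
          b"E\r\nin \r\n\r\nchunks.\r\n"
          b"0\r\nX-Checksum: abc\r\n\r\n")

if __name__ == "__main__":
    body, trailers, used = decode_chunked(SAMPLE)
    print(body, trailers, used)
```

The two checks worth singling out are the width bound on the hexadecimal field and the comparison of the remaining buffer against size + 2 before any copy: a decoder that converts the size and then copies, or that trusts the size to locate the trailing CRLF, is the shape of implementation the paragraph calls problematic.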
The exploit can be sent via a POST request to the index page. But for the exploit to work, the right amount of memory has to be allocated first. This is done by submitting form data first, and the URL allowing an attacker to do so is "/remote/hostcheck_validate". This URL had its own heap-based buffer overflow last year. However, in this case, it just serves as an "innocent bystander", minding its business and being abused to prepare the system to exploit the new vulnerability.
Read the full entry:
https://isc.sans.edu/diary/Scans+for+Fortinet+FortiOS+and+the+CVE202421762+vulnerability/30762/