AtRisk July 25, 2024 Vol. XXIV

Jump to:

Internet Storm Center Spotlight
Recent CVEs
Sponsors
Read More

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

"Mouse Logger" Malicious Python Script

Published: 2024-07-24

Last Updated: 2024-07-24 06:45:59 UTC

by Xavier Mertens (Version: 1)

Keylogging is a pretty common feature of many malware families because recording the key pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and found an interesting piece of Python malware. This one implements a keylogger and a screenshot grabber but also... a "mouse logger"! By mouse logger, I mean that it can collect activity generated by the user's mouse.

The attacker uses the classic Python module pyinput ...

Read the full entry:

https://isc.sans.edu/diary/Mouse+Logger+Malicious+Python+Script/31106/

Widespread Windows Crashes Due to CrowdStrike Updates

Published: 2024-07-19

Last Updated: 2024-07-19 16:59:59 UTC

by Johannes Ullrich (Version: 1)

Last night, endpoint security company CrowdStrike released an update that is causing widespread "blue screens of death" (BSOD) on Windows systems. CrowdStrike released an advisory, which is only available after logging into the CrowdStrike support platform. A brief public statement can be found here.

CrowdStrike now also published a detailed public document with tips to recover:

https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

---

Update: Some reports we have seen indicate that there may be phishing emails circulating claiming to come from "CrowdStrike Support" or "CrowdStrike Security". I do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any "patches" that may be delivered this way.

One domain possibly associated with these phishing attacks is ...

---

Linux and MacOS systems are not affected by this issue.

The quickest fix appears to boot the system into "Windows Safemode with Network". This way, Crowdstrike will not start, but the current version may be downloaded and applied, which will fix the issue. This "quick version" of the fix is not part of CrowdStrike's recommendations but may be worth a try if you have many systems to apply the fix to or if you need to talk a non-computer-savvy person through the procedure. Some users have reported that this will succeed.

Casimir Pulaski (@cybermactex) mentioned on X that a simple reboot sometimes works if the latest update was downloaded before the system crashed.

The support portal statement offers the following steps to get affected systems back into business ...

Read the full entry:

https://isc.sans.edu/diary/Widespread+Windows+Crashes+Due+to+Crowdstrike+Updates/31094/

CrowdStrike: The Monday After

Published: 2024-07-22

Last Updated: 2024-07-22 17:06:26 UTC

by Johannes Ullrich (Version: 1)

Last Friday, after CrowdStrike released a bad sensor configuration update that caused widespread crashes of Windows systems. The most visible effects of these crashes appear to have been mitigated. I am sure many IT workers had to spend the weekend remediating the issue.

It is still early regarding the incident response part, but I would like to summarize some of the important facts we know and some lessons learned.

You are likely affected if the CrowdStrike sensor system retrieved updates between 0409 and 0527 UTC on Friday, July 19th. CrowdStrike allows users to configure a sensor update policy, which will delay the update of the sensor software. But the corrupt file was a configuration ("signature") update, not an update of the sensor itself. Configuration updates are always applied as soon as they are released. Customers do not have an option to delay these updates. Systems crashed because a kernel driver provided by CrowdStrike crashed as it read the malformed configuration file.

Since news of the incident broke, CrowdStrike has been updating and expanding its guidance. Your first stop should be CrowdStrike's "Remediation and Guidance Hub". It will link to all the resources CrowdStrike has to offer. Yesterday, CrowdStrike announced that they will soon offer a new, accelerated technique for recovery. As I write this, the new technique has not been published. CrowdStrike did provide a new dashboard to affected users to track systems affected by the update.

Microsoft developed a USB solution to simplify the process. To apply the update, systems must be booted from the USB key. However, Bitlocker-encrypted hosts may require a recovery key.

Bitlocker is the major hurdle to a speedy recovery for many affected organizations. Ben Watsons posted on LinkedIn that his organization came up with a way to use a barcode scanner to simplify entering the recovery keys. I do not believe that the related code to create the barcodes is public.

Read the full entry:

https://isc.sans.edu/diary/CrowdStrike+The+Monday+After/31098/

New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) (2024.07.23)

https://isc.sans.edu/diary/New+Exploit+Variation+Against+DLink+NAS+Devices+CVE20243273/31102/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

Product: D-Link DNS-320L

CVSS Score: 0

** KEV since 2024-04-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3273

ISC Diary: https://isc.sans.edu/diary/31102

ISC Podcast: https://isc.sans.edu/podcastdetail/9066

Product: Cisco Secure Email Gateway

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20401

ISC Podcast: https://isc.sans.edu/podcastdetail/9058

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH

Product: Cisco Smart Software Manager On-Prem (SSM On-Prem)

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-20419

ISC Podcast: https://isc.sans.edu/podcastdetail/9058

NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy

Product: HPE 3PAR Service Processor Software

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22442

NVD References: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04663en_us&docLocale=en_US

Product: Tenda AC18

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33180

NVD References: https://palm-vertebra-fe9.notion.site/saveParentControlInfo_1-7c9695d0251945ae8006db705b9b80ac

Product: Tenda AC18

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33182

NVD References: https://palm-vertebra-fe9.notion.site/addWifiMacFilter_1-067fa6984f0d4933b88c63efd7486479

Product: Tenda i29

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35338

NVD References: https://palm-vertebra-fe9.notion.site/hardcode_i29-e1ed38dde00145d9a6be1ad2b4581259

Product: JupyterLab copier

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39700

NVD References:

- https://github.com/jupyterlab/extension-template/commit/035e78c1c65bcedee97c95bb683abe59c96bc4e6

- https://github.com/jupyterlab/extension-template/security/advisories/GHSA-45gq-v5wm-82wg

Product: Oracle Weblogic Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21181

NVD References: https://www.oracle.com/security-alerts/cpujul2024.html

Product: Online Student Management System Project

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6801

NVD References:

- https://github.com/aaajuna/demo/issues/1

- https://vuldb.com/?ctiid.271703

- https://vuldb.com/?id.271703

- https://vuldb.com/?submit.374774

Product: Computer Laboratory Management System Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6802NVD References: - https://reports-kunull.vercel.app/CVE%20research/2024/cve-2024-6802- https://vuldb.com/?ctiid.271704- https://vuldb.com/?id.271704- https://vuldb.com/?submit.374797CVE-2024-6803 - itsourcecode Document Management System 1.0 is susceptible to a critical SQL injection vulnerability in the file insert.php, allowing for remote attacks.Product: itsourcecode Document Management System 1.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6803NVD References: - https://github.com/hzy11111111/cve/issues/3- https://vuldb.com/?ctiid.271705- https://vuldb.com/?id.271705- https://vuldb.com/?submit.374809CVE-2024-6808 - itsourcecode Simple Task List 1.0 is vulnerable to a critical SQL injection in the insertUserRecord function of signUp.php, allowing remote attackers to exploit the argument username.Product: itsourcecode Simple Task List 1.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6808NVD References: - https://github.com/qianqiusujiu/cve/issues/1- https://vuldb.com/?ctiid.271707- https://vuldb.com/?id.271707- https://vuldb.com/?submit.375154CVE-2024-6220 - The Keydatas plugin for WordPress allows arbitrary file uploads, putting servers at risk of remote code execution.Product: Keydatas CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6220NVD References: - https://plugins.trac.wordpress.org/browser/keydatas/trunk/keydatas.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/49ae7971-7bdf-4369-b04b-fb48ea5b9518?source=cveCVE-2024-5471 - Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.Product: Zohocorp Manageengine DDI CentralCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5471NVD References: https://www.manageengine.com/dns-dhcp-ipam/security-updates/cve-2024-5471.htmlCVE-2024-23466 - SolarWinds Access Rights Manager (ARM) is vulnerable to Directory Traversal Remote Code Execution, enabling unauthorized users to execute commands with SYSTEM privileges.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6 AtRiskScore 30NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23466NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23467 - SolarWinds Access Rights Manager allows unauthenticated users to remotely execute code due to a Directory Traversal and Information Disclosure Vulnerability.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6 AtRiskScore 30NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23467NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23469 - SolarWinds Access Rights Manager (ARM) is vulnerable to remote code execution, enabling unauthorized users to gain SYSTEM privileges.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23469NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23470 - SolarWinds Access Rights Manager is vulnerable to a pre-authentication remote code execution flaw allowing unauthorized users to run commands and executables.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23470NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23471 - SolarWinds Access Rights Manager is vulnerable to remote code execution by an authenticated user.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23471NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23472 - SolarWinds Access Rights Manager (ARM) is vulnerable to a Directory Traversal flaw that enables authenticated users to read and delete files at will.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23472NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-23475 - SolarWinds Access Rights Manager is vulnerable to file deletion and information leakage by unauthenticated users.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23475NVD References: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmCVE-2024-28074 - SolarWinds Access Rights Manager still vulnerable as researcher bypasses implemented controls to exploit vulnerability using alternative method.Product: SolarWinds Access Rights ManagerCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE…

Product: itsourcecode Simple Task List 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6808

NVD References:

- https://github.com/qianqiusujiu/cve/issues/1

- https://vuldb.com/?ctiid.271707

- https://vuldb.com/?id.271707

- https://vuldb.com/?submit.375154

Product: Keydatas

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6220

NVD References:

- https://plugins.trac.wordpress.org/browser/keydatas/trunk/keydatas.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/49ae7971-7bdf-4369-b04b-fb48ea5b9518?source=cve

Product: Zohocorp Manageengine DDI Central

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5471

NVD References: https://www.manageengine.com/dns-dhcp-ipam/security-updates/cve-2024-5471.html