Vercara’s Open-Source Intelligence (OSINT) Report – March 29 – April 4, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


DNS tunnel keylogger – an offensive post-exploitation tool for pentesters. 

(TLP: CLEAR) The article introduces a new tool, DNS-Tunnel-Keylogger, released on GitHub for penetration testers. This tool utilizes DNS tunneling to transmit keystrokes through firewalls covertly, aiming to evade detection during post-exploitation activities. The server component, written in Python 3, operates on UDP port 53 by default and requires the installation of dependencies. Users can customize the port using flags and configure their domain’s namespace to point to the server’s IP address. The Linux keylogger client consists of two bash scripts for keystroke capture and transmission to the server. It can be initiated silently and closed upon exit to maintain a keylogger state. The article provides setup instructions for both the server and client components, emphasizing the importance of understanding DNS and networking concepts, familiarity with Python and Bash scripting, and ensuring compliance with legal and ethical guidelines. Additionally, troubleshooting tips and security considerations are offered to mitigate potential issues and ensure responsible tool usage. Overall, the article offers a comprehensive guide for setting up a DNS tunneling keylogger for covert keystroke exfiltration, urging users to employ it responsibly and lawfully. 

(TLP: CLEAR) Comments: DNS tunneling is not a new concept and is widely used to mask malicious network activity and avoid detection. Keyloggers are used to steal sensitive data, including usernames and passwords, credit card information, and other Personally Identifiable Information (PII), which is then used in follow-on cyberattacks or sold on the dark web for financial gain. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections. 

Source: https://cybersecuritynews.com/dns-tunnel-keylogger/ 

Hackers attack Python developers by poisoning PyPI with typosquatted packages. 

(TLP: CLEAR) The article discusses an automated typosquatting campaign targeting popular Python libraries on PyPI (Python Package Index). The attack deployed over 500 variations with typos in names like requests, TensorFlow, and BeautifulSoup, including incorrect names and libraries already part of the standard library. The attacker experimented with various packages before settling on malicious ones, with payloads pulled from remote URLs. The attack occurred in two bursts, targeting 360 packages initially and 206 packages later, prompting PyPI to swiftly respond by suspending malicious packages and temporarily halting new user registrations. The malicious script initiated a multi-stage attack, exfiltrating data from Chromium-based browsers and targeting cryptocurrency wallets for potential theft. The stolen information was compressed and uploaded to a remote server. The incident underscores the vulnerability of open package repositories, necessitating heightened vigilance from users when installing packages. Despite PyPI’s quick response, typosquatting attacks remain a significant threat, highlighting the importance of robust security measures and user caution online. 

(TLP: CLEAR) Comments: Malicious actors inject malicious files or tools into trusted code repositories in the hope that an individual unknowingly adds that code to their legitimate program. Typosquatting takes advantage of an individual misspelling the name of a legitimate library, or of a developer who is rushing to complete a project and does not fully review their code. A detailed code review process that validates all dependencies before they are applied to production systems could help mitigate this type of attack. 

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION   

“Control:   

“a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.   

“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.   

“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and   

“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”  

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://cybersecuritynews.com/poising-with-typosquat-on-pypi/ 

WordPress security: XSS remains the most exploited vulnerability. 

(TLP: CLEAR) The article highlights the prevalence of cross-site scripting (XSS) vulnerabilities in the WordPress ecosystem, constituting 53.3% of total security flaws discovered. XSS vulnerabilities, which allow attackers to insert malicious code into websites, accounted for 27% of all security vulnerabilities last year, a significant increase from 2022. The Freemius framework, a third-party eCommerce platform widely used in plugins, was a major source of XSS vulnerabilities, with over 1,200 traced back to it. Furthermore, 42.9% of newly discovered vulnerabilities were rated as high or critical severity, indicating an elevated risk level. The article also discusses the impact of abandoned plugins on security, with 481 susceptible components removed from the plugin repository in 2023. The rise in reported vulnerabilities reflects a heightened focus on security among plugin producers and researchers rather than a deteriorating security situation within the WordPress platform. Additionally, the article lists the top five newly discovered vulnerabilities with the most attempted exploits, emphasizing the need for prompt security updates and awareness of potential risks. 

(TLP: CLEAR) Comments: Cross-Site Scripting (XSS) injects malicious scripts, mainly written in JavaScript, into web pages that are viewed by other users. These scripts execute within the context of a victim’s browser, which allows a malicious actor to steal sensitive information, hijack the user’s session, or manipulate the contents of a website. 

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.  

“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.  

“WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can defend critical applications with even the most complex workflows and prevent the most common threats that target the application layer, such as SQLi, XSS, and CSRF. 

Source: https://cybersecuritynews.com/xss-remains-as-the-most-vulnerability/ 

Prudential Insurance says data of 36,000 exposed during February cyberattack. 

(TLP: CLEAR) The article reports that Prudential Insurance, one of the largest insurers in the United States, experienced a data breach in February, affecting over 36,000 individuals. Unauthorized access to the network was detected on February 5, prompting an investigation, which revealed that personal information, including names, addresses, and driver’s license numbers or ID cards, was accessed by hackers. The company has informed law enforcement and hired a cybersecurity firm to assist with the response. While Prudential did not confirm whether it was a ransomware attack, victims will receive two years of identity protection services. In related filings with the SEC, Prudential warned of a cybercrime group accessing administrative and user data from certain IT systems and user accounts. The AlphV ransomware gang claimed responsibility for the attack on February 16, alongside other high-profile targets. The group’s activities were disrupted by a law enforcement takedown in December, but they quickly resumed operations. Prudential had previously experienced a larger data breach last year involving another ransomware gang. 

(TLP: CLEAR) Comments: The BlackCat (ALPHV) ransomware group has publicly taken credit for this data breach by listing Prudential on their Tor-based leak site. BlackCat (ALPHV) is a notorious cybercriminal organization and is assessed to be Russian. The group emerged in late 2021 and has since become a major threat, targeting various industries with ransomware attacks. It operates under a Ransomware-as-a-Service (RaaS) model, leasing its ransomware to other groups or individuals who carry out the attacks and share the ransom profits with BlackCat (ALPHV). The insurance industry is a lucrative target for malicious actors due to the amount of sensitive data retained on their servers.  

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defense” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.”  

Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://therecord.media/prudential-discloses-new-information-from-february-incident 

WP-Members plugin exposes WordPress sites to injection attacks. 

(TLP: CLEAR) The article discusses a critical vulnerability discovered in the WP-Members Membership Plugin for WordPress, which could allow attackers to inject malicious scripts and potentially take control of websites. The flaw, categorized as an unauthenticated stored cross-site scripting (XSS) vulnerability, stems from insufficient sanitization of the X-Forwarded header. Attackers can exploit this vulnerability to inject arbitrary scripts into the database, which execute whenever a user visits the edit user page. Although a partial fix was initially implemented in version 3.4.9.2 of the plugin, a complete resolution was achieved only in version 3.4.9.3. Upgrading to the latest version is crucial to mitigate this security risk. The technical analysis reveals that attackers can exploit the vulnerability during user registration by injecting malicious code into the X-Forwarded header. When an administrator views or edits a user account containing the injected script, it executes within the administrator’s browser session, potentially compromising the account or redirecting users to harmful websites. Wordfence, the security firm that discovered the vulnerability, coordinated with the vendor to release patches. While version 3.4.9.2 addressed part of the issue, version 3.4.9.3 fully patched the vulnerability. Users are advised to update the plugin and share this information with others who use it to ensure website security. 

(TLP: CLEAR) Comments: It is advised that the organization security policy includes routine reviews of all IT infrastructure including applications to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra security-in-depth measures to protect non-updated systems. 

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:  

“User-supplied data is not validated, filtered, or sanitized by the application.  

“Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.  

“Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.  

“Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”  

One way to validate input on the server side is through a Web Application Firewall. 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, provides protection at the application layer to detect and block DDoS attacks but also unwanted web bots and application attacks such as SQLi, XSS, and CSRF. 

Source: https://cybersecuritynews.com/wp-members-plugin-flaw/ 

Critical security flaw found in popular LayerSlider WordPress plugin. 

(TLP: CLEAR) The article highlights a critical security flaw in the LayerSlider plugin for WordPress, which could lead to the extraction of sensitive information from databases, including password hashes. Designated as CVE-2024-2879, the flaw allows SQL injection and affects versions 7.9.11 through 7.10.0. The issue has been addressed in version 7.10.1, released on March 27, 2024. LayerSlider, a widely used plugin, enables users to create animations and rich content for their websites. The vulnerability arises from insufficient parameter escaping, enabling attackers to append additional SQL queries and extract data. However, exploitation requires a time-based approach due to the structure of the query. In a related development, an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852) was discovered and resolved in version 3.4.9.3. These vulnerabilities underscore the importance of maintaining up-to-date software to mitigate security risks. 

(TLP: CLEAR) Comments:  

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:  

“User-supplied data is not validated, filtered, or sanitized by the application.  

“Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.  

“Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.  

“Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”  

One way to validate input on the server side is through a Web Application Firewall. 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks. 

Source: https://thehackernews.com/2024/04/critical-security-flaw-found-in-popular.html  

New HTTP/2 vulnerability exposes web servers to DoS attacks. 

(TLP: CLEAR) The article discusses a new vulnerability in the HTTP/2 protocol named HTTP/2 CONTINUATION Flood, discovered by security researcher Bartek Nowotarski. This vulnerability allows attackers to exploit the CONTINUATION frame to conduct denial-of-service (DoS) attacks on servers. HTTP/2 implementations often fail to properly limit or sanitize the amount of CONTINUATION frames sent within a single stream, allowing attackers to send a stream of CONTINUATION frames that can cause server crashes or out-of-memory conditions. The vulnerability arises from incorrect handling of HEADERS and multiple CONTINUATION frames, leading to a never-ending stream of headers that overwhelms the server’s memory. Several projects, including Apache HTTP Server, Apache Tomcat, and Node.js, are affected by this vulnerability. Users are advised to upgrade affected software to the latest version or temporarily disable HTTP/2 on their servers until a fix is available. 

(TLP: CLEAR) Comments: The HTTP/2 END_HEADERS flag acts as a clear endpoint, ensuring efficient communication and preventing potential attacks in the HTTP/2 protocol. Within the HTTP/2 protocol, data is transmitted in frames, including header frames that contain information about the request or response. The END_HEADERS flag signals to the receiver (server or client) that all the header information for a particular stream has been transmitted. This flag plays a key role in separating the header section from the actual message body. The CONTINUATION frame is used to extend header information that does not fit within a single frame. By sending a stream of CONTINUATION frames without the END_HEADERS flag set, malicious actors can exploit this flaw to overwhelm the server with never-ending header data, which consumes resources and can crash the server. This DDoS attack is particularly concerning due to its potential to disrupt service with a single connection.  
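The server-side mitigation the passage implies, as an added example that is not code from the original report or from any of the affected projects: a minimal HTTP/2 frame reader plus a guard that tracks the header block opened by HEADERS and extended by CONTINUATION frames, and drops the connection once that block exceeds a byte or frame-count limit instead of buffering until END_HEADERS arrives. Frame layout follows RFC 7540; the limits, the `HeaderBlockGuard` class and the sample frames are constructed for the example, and HPACK contents are not decoded.

```python
import struct

# Frame types and flag bits from RFC 7540 (HEADERS s6.2, CONTINUATION s6.10)
HEADERS, CONTINUATION, END_HEADERS, FRAME_HEADER_LEN = 0x1, 0x9, 0x4, 9

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each frame in a raw byte buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

class HeaderBlockGuard:
    """Tracks the header block that HEADERS opens and CONTINUATION frames extend, and
    aborts the connection once it exceeds fixed limits instead of buffering without bound."""
    def __init__(self, max_block_bytes=16384, max_continuations=8):
        self.max_block_bytes, self.max_continuations = max_block_bytes, max_continuations
        self.stream = None      # stream id of the open header block, if any
        self.block_bytes = 0    # bytes buffered so far (padding counted too, which is conservative)
        self.continuations = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Account for one frame; raises ConnectionError when the peer must be disconnected."""
        if self.stream is not None:
            # While a block is open only CONTINUATION on the same stream is legal (s6.10)
            if ftype != CONTINUATION or stream_id != self.stream:
                raise ConnectionError("PROTOCOL_ERROR: expected CONTINUATION on stream %d" % self.stream)
            self.continuations += 1
        elif ftype == HEADERS:
            self.stream = stream_id
        elif ftype == CONTINUATION:
            raise ConnectionError("PROTOCOL_ERROR: CONTINUATION without an open header block")
        else:
            return  # DATA, SETTINGS, etc. are not part of a header block
        self.block_bytes += len(payload)
        if self.block_bytes > self.max_block_bytes:
            raise ConnectionError("ENHANCE_YOUR_CALM: header block exceeds %d bytes" % self.max_block_bytes)
        if self.continuations > self.max_continuations:
            raise ConnectionError("ENHANCE_YOUR_CALM: more than %d CONTINUATION frames" % self.max_continuations)
        if flags & END_HEADERS:  # block complete: the buffered bytes can be released
            self.stream, self.block_bytes, self.continuations = None, 0, 0

def check_connection(buf, **limits):
    """Run the guard over a frame buffer; returns (verdict, reason, frames_processed)."""
    guard, seen = HeaderBlockGuard(**limits), 0
    for frame in iter_frames(buf):
        seen += 1
        try:
            guard.feed(*frame)
        except ConnectionError as err:
            return "close", str(err), seen
    return "ok", "", seen

# Constructed sample traffic, not a capture. A compliant client that splits a large header block
# across HEADERS + CONTINUATION finishes with END_HEADERS; a flood never sets it, so the block never closes.
BENIGN = build_frame(HEADERS, 0, 1, b"\x82\x86" * 100) + build_frame(CONTINUATION, END_HEADERS, 1, b"\x84")
FLOOD = build_frame(HEADERS, 0, 1, b"\x82") + build_frame(CONTINUATION, 0, 1, b"\x00" * 1024) * 50
```

With the default limits the flood is cut off at the tenth frame, while the compliant two-frame exchange passes; patched servers apply the same idea by bounding the buffered header block rather than the number of frames alone.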

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer source as well as intended destination to the mitigation service PoPs are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 

Source: https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html 

 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.