The team did a patch analysis on the last two hotpatches from SolarWinds and found the hard-coded credentials in whd-core.jar:com/macsdesign/whd/rest/controllers/BasicAuthRouteController.class. The credentials are helpdeskIntegration:Userdev-C4F8025E7. We also note that these same credentials were discovered by AssetNote back in January 2022, so this is likely a regression. The team developed a network signature and Censys/Shodan queries.
Anyscale Ray first caught the team's attention when we stumbled upon tens of thousands of Ray honeypots. After investigating why there might be so many, the team delivered exploits, scanners, a pcap, network signatures, a vulnerable Docker image, and Shodan/Censys/GreyNoise queries for these two CVEs. We note that CVE-2023-48022 actually remains unpatched as of the latest release (6.34.0). They did add a User-Agent filter (which does seem to break almost all public exploits, including Metasploit), but of course we worked around that. Additionally, it appears GreyNoise is likely seeing people scanning for this.
This is outside the scope of our normal work, but was done at special request. This is a local privilege escalation affecting the GLIBC dynamic loader (ld.so) and is on the CISA KEV list. The team developed an exploit, a vulnerable Docker image, and YARA for this vulnerability. To our knowledge there is no public Go implementation of this exploit, so ours may be the first (all public exploits are Python, C+Python, or Ruby+Python, with the Python typically being used for ELF parsing). The exploit compiles down to a native binary and was tested on Ubuntu and Debian versions dating back to 2021 (both aarch64 and arm64).
The team added an exploit, a pcap, and signatures for an authentication bypass in the WooCommerce Payments plugin for WordPress. This vulnerability is listed on the VulnCheck KEV. E-commerce software is a high-value target for attackers and typically sees increased internet exposure, making it an attractive target for initial access. The exploit creates an administrator account with user-supplied credentials. The team noted thousands of instances of WooCommerce Payments online, and the affected endpoint /wp-json/wp/v2/users has a number of associated IPs on GreyNoise (but the path is too generic to say it's specifically related to this vulnerability).
The team continues to prod at this hard-to-exploit vulnerability. We've developed a go-exploit to reproduce the blue screen of death and added a pcap to the repository as well. Unfortunately, we have not yet determined a good way to write a Suricata or Snort rule. We have learned, however, that there are many caveats to exploiting a target, and we documented them in the README.
After investigating these CVEs (Spring Cloud Dataflow and Fonoster VoiceServer VoiceApp), the team determined impactful exploitation of them to be very unlikely. Nonetheless, network signatures were written just in case.
The team added tracking of Remcos RAT, a commercial product initially marketed as a legitimate remote administration tool. The product has since been widely adopted by malicious actors. The team also started tracking Anyscale Ray honeypots.