Happy November! The following are the release notes from the Initial Access Intelligence team over the last week:

CVE-2024-38816: Spring WebFlux - Halo CMS Directory Traversal Variant

The team developed an information leak exploit attacking CVE-2024-38816 affecting Spring WebFlux as implemented in a popular Chinese-developed CMS called Halo. The vulnerable Halo versions additionally use insecure deployment parameters, allowing for extraction of administrative credentials and database connection credentials. The team developed Snort and Suricata signatures, pcap, asset detection, a version scanner, an exploit, and search engine queries. We note Censys finds ~7,000 vulnerable servers (mainly in China).

CVE-2024-51378 CyberPanel Command Injection

This vulnerability was added to the VulnCheck KEV on October 29 and has been reported to be targeted by three ransomware groups (PSAUX and possibly Babuk and/or Cerber variants). Exploitation can happen through three different URIs using a variety of HTTP verbs. The team delivered an exploit, pcap, network signature, and search engine queries. The team notes active exploitation attempts on all three URIs according to GreyNoise.

CVE-2023-47207: Delta Electronics InfraSuite Device Master Deserialization

The team developed an exploit, pcap, network signatures, and search engine queries for CVE-2023-47207, a .NET deserialization vulnerability in InfraSuite Device Master, an ICS product from Delta Electronics. As there was no public analysis of the vulnerability, VulnCheck performed a patch analysis and developed a working proof of concept. VulnCheck's exploit targets the Device-DataCollect service on TCP port 3000, sending a command execution payload prefixed with a small header. By default, the exploit will cause the target to connect back to the attacker, download a binary payload, and execute it as the service user. The team noted few instances currently exposed online with FOFA providing the most data.

CVE-2024-8752 Smart HMI WebIQ File Leak

This week featured a second ICS vulnerability, this time allowing an unauthenticated attacker to leak arbitrary files from the WebIQ Runtime Manager. The team implemented an exploit that, by default, fetches the (unencrypted) user database to dump credentials (username and password hash). The team delivered an exploit, version scanner, pcap, network signatures, and search engine queries. The team found a small footprint (see Censys results) but notes this vulnerability has not been patched, therefore making all targets viable.

STATUS UPDATE: CVE-2024-47575 Fortinet FortiManager fgfmd Missing Authentication

The team set up a developer lab containing vulnerable instances of FortiManager and FortiGate, and delivered a set of threat intelligence queries for Censys, ZoomEye, FOFA, and GreyNoise (although, due to limitations, the GreyNoise query is quite broad). The team continues efforts to reproduce and weaponize the exploit chain, along with creating detection queries for Snort and Suricata.

IP-Intel Update

IP-Intel was updated to flag CyberPanel honeypots, of which we saw thousands.

go-exploit Updated to 1.30.1

go-exploit was updated to 1.30.1 with a new C2: "ShellTunnel".