Happy Friday! The VulnCheck Initial Access Intelligence release notes will follow, but quickly two call-outs. The first is that CISA KEV published 4 new entries on November, three of which already had coverage in IAI; the fourth was a local vulnerability (out of scope). Additionally, VulnCheck observes a holiday next week (Monday) and has a company-wide offsite for three days. Communication might be slower than we'd like, and output might be less than is typical next Friday. Thanks for bearing with us!
The team developed an exploit for the Acronis Cyber Protect and Backup solutions covering Acronis Cyber Protect 15 Build 28503, Build 27009, Build 26981, Build 26172 and Acronis Cyber Protect 12.5 since Build 11010 (includes current). The default configuration for Acronis allows unauthenticated agents to enroll via the API and does not restrict API access, which allows an attacker to craft backup plans for any system. This allows remote code execution on all of the enrolled agents and servers in the Acronis ecosystem, including Linux and Windows agents. This exploit variant additionally has an enumeration tool for non-exploitation-focused enrollment and data collection.
VulnCheck additionally created PCAPs, Snort and Suricata rules, and queries for Censys, FOFA, ZoomEye, and GreyNoise.
This vulnerability exploits an information leak and allows access to all API endpoints on Solr that utilize the BasicAuthPlugin. The plugin is enabled by default when Solr enables authentication. The leak allows recovery of Solr hashed credentials, cluster information, and retrieval of any ZooKeeper file. In our previous release of CVE-2023-50386, we noted that internet-facing Solr instances typically enable authentication (making the 2023 CVE less valuable). Combining these two CVEs allows for a full unauth RCE chain (assuming hash cracking).
The team delivered an exploit, version scanner, vulnerable docker image, search engine queries, and network signatures.
The team developed an exploit (really just GET /), scanner, signatures, queries, and a target for CVE-2024-9014, an OAuth2 information disclosure in pgAdmin, an administration tool for PostgreSQL. VulnCheck's exploit simply sends a GET / request, following any redirects, and leaks any OAuth2 configuration with secrets embedded in the page. Most public PoCs target /login?next=/ directly, increasing the risk of detection. By sending a GET /, our exploit appears more like benign web traffic and is able to leverage our scanless technique. The team noted approximately 11k vulnerable instances of pgAdmin online, though far fewer were exposing OAuth2 secrets.
On request, the team developed search engine queries for this post-authentication vulnerability used by Vanguard Panda (aka Volt Typhoon). Censys queries put the number of targets at between 500 and 1000.
On request, the team developed PCAP and Snort/Suricata rules based on known exploits. The team was also able to write an additional GreyNoise query that flags a couple of IPs probing for vulnerable FortiOS systems using Bishop Fox's scanner, which somewhat ironically uses an endpoint including VULNCHECK: https://viz.greynoise.io/query/raw_data.web.paths:%22%2Fremote%2FVULNCHECK%22
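As an added, defender-side example (not VulnCheck's code or any of the deliverables above), the following Python flags in web-server access logs the two probe paths these notes name: the Bishop Fox FortiOS scanner endpoint from the GreyNoise query above and the /login?next=/ path that public pgAdmin CVE-2024-9014 PoCs hit directly. The combined log format and the log lines are assumed and constructed; a plain GET / is deliberately not flagged, matching the note that it looks like benign traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request paths the release notes tie to known scanners/PoCs.
PROBE_PATHS = {
    "/remote/VULNCHECK": "fortios-scanner-probe",
    "/login?next=/": "pgadmin-cve-2024-9014-poc",
}

# Apache/nginx "combined" access log format (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Return the probe label for a request path, or None if it is not a known probe."""
    decoded = path
    for _ in range(2):  # tolerate single and double percent-encoding of the path
        decoded = unquote(decoded)
    return PROBE_PATHS.get(decoded)


def find_probes(log_lines):
    """Map each source IP to the sorted list of probe labels seen from it."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify_request(m.group("path"))
        if label:
            hits[m.group("ip")].add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2024:10:01:02 +0000] "GET /remote/VULNCHECK HTTP/1.1" 404 153',
    '203.0.113.7 - - [15/Nov/2024:10:01:03 +0000] "GET %2Fremote%2FVULNCHECK HTTP/1.1" 404 153',
    '198.51.100.9 - - [15/Nov/2024:10:02:10 +0000] "GET /login?next=/ HTTP/1.1" 200 9120',
    '192.0.2.44 - - [15/Nov/2024:10:03:00 +0000] "GET / HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, labels in find_probes(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```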
The team decrypted filesystems and disassembled firmware for vulnerable instances of FortiManager and FortiGate, delivering an additional threat intelligence query for Shodan and a research script for decrypting FortiGate VM filesystems (the script is available in the git repository within the appropriate feed directory). The team continues efforts to reproduce and weaponize the exploit chain, along with creating detection queries for Snort and Suricata.
The "proxies" category was updated to include monitoring for the commercial VPNs FrootVPN, Easy Hide VPN, and Private Internet Access. Additionally, the open source proxy CORS-Anywhere is now being monitored. The "c2" category was updated to include monitoring of geacon_pro (an open source, Chinese-language C2) and GX40 SMS Sender (a tool used in phishing and spam activities).