The team developed an exploit and signatures for CVE-2024-8069, a .NET deserialization vulnerability in Citrix Session Recording, a product in Citrix's Virtual Apps and Desktops suite. This vulnerability was added to the VulnCheck KEV on November 12, 2024 due to exploitation observed by ShadowServer. The SANS Internet Storm Center corroborated exploitation in the wild on November 18.
The vulnerability can be exploited through MSMQ over HTTP, which makes the attack applicable to a wider range of targets. Unfortunately, the software is not discoverable via Shodan, Censys, FOFA, or ZoomEye. The team delivered pcaps, network signatures, an exploit, and a GreyNoise query. The team noted one Russian host in GreyNoise (at the time of this writing) scanning for the vulnerability.
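Because the vector here is MSMQ over HTTP, a defender watching a Session Recording server can look for MSMQ HTTP requests arriving from hosts that are not known Session Recording Agents. The script below is an added example, not code from the original post or from VulnCheck's deliverables. It assumes that MSMQ's IIS HTTP support is served from the `/msmq/` virtual directory and that the expected senders are the known agent addresses; the log lines are constructed for the example in a simplified W3C-style layout (date, time, client IP, method, URI stem, status), and the queue name is a placeholder.

```python
"""Added example: flag MSMQ-over-HTTP requests from unexpected sources in
IIS-style web logs on a Citrix Session Recording server.

Assumptions (not stated on the page): MSMQ HTTP support exposes queues under
the /msmq/ virtual directory, and legitimate senders are the known Session
Recording Agents. Log lines and addresses below are constructed.
"""
import re
from collections import Counter

# Constructed sample log: simplified W3C-style fields
# (date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """\
2024-11-18 10:01:02 198.51.100.4 POST /msmq/private$/recording-queue 200
2024-11-18 10:01:05 203.0.113.7 POST /msmq/private$/recording-queue 200
2024-11-18 10:01:06 203.0.113.7 POST /MSMQ/private$/recording-queue 200
2024-11-18 10:02:10 10.0.0.12 GET /health 200
2024-11-18 10:03:11 203.0.113.7 POST /msmq/private$/recording-queue 500
2024-11-18 10:04:00 192.0.2.9 POST /msmq/private$/recording-queue 401
this line is not in the expected format
"""

# Constructed: addresses of the Session Recording Agents that are expected
# to deliver recordings to this server over MSMQ.
EXPECTED_AGENTS = {"198.51.100.4"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_msmq_request(entry):
    """True when the request targets the MSMQ HTTP virtual directory.

    IIS matches paths case-insensitively, so compare in lower case."""
    return entry["path"].lower().startswith("/msmq/")


def flag_unexpected_msmq(log_text, expected_sources):
    """Return {client_ip: count} of MSMQ-over-HTTP requests whose source is
    not a known agent. Status code is deliberately ignored: failed attempts
    (4xx/5xx) are just as interesting as successful ones."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_msmq_request(entry):
            continue
        if entry["client"] in expected_sources:
            continue
        counts[entry["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in flag_unexpected_msmq(SAMPLE_LOG, EXPECTED_AGENTS).items():
        print(f"{ip}: {n} MSMQ-over-HTTP request(s) from an unexpected source")
```

On the constructed sample this reports 203.0.113.7 three times and 192.0.2.9 once, while the known agent at 198.51.100.4 is ignored. The allowlist is the important part: Session Recording Agents legitimately send recordings to the server over MSMQ, so the signal is not MSMQ traffic as such but MSMQ traffic from a host that has no business sending it.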
This PAN-OS exploit chain started life as a zero-day and was added to CISA KEV and VulnCheck KEV on November 18. Exploitation in the wild has been confirmed by Unit 42 and Shadow Server (among others). The team delivered an exploit chaining the CVEs to achieve remote code execution. We also delivered a network scanner, a version scanner, pcap, Snort and Suricata signatures, and Shodan, Censys, ZoomEye, FOFA, and GreyNoise queries. The provided pcap contains network traffic for chaining the vulnerabilities together.
The team delivered a couple of GreyNoise queries that appear to identify activity across the vulnerable endpoints. Additionally, the Shodan query in particular does a good job of filtering out honeypots, identifying an exposure of roughly 14,000 systems.
The D-Link ShareCenter DNS-320/DNS-320LW/DNS-325/DNS-340L products contain an unauthenticated remote code execution vulnerability via shell injection in the account_mgr.cgi script. The vulnerability was first added to the VulnCheck KEV in mid-November due to exploitation attempts flagged by ShadowServer. Our GreyNoise query likely bolsters this finding.
The team developed an exploit for this target by completing the exploit chain that was not public. This required adding base64 chunking logic to go-exploit, so that payload data could be packed more efficiently and sent in fewer requests, as well as a workaround for the vulnerable code's potential to execute the injected command multiple times, handled using lexical names with a shell glob. The team also provides Suricata and Snort signatures, and PCAPs, for the DNS-325.
In previous weeks, the team had landed multiple deliverables, but this week finalized and delivered the exploit accompanied by a network scanner. The exploit comes with a usable certificate/key embedded, but can also use user-provided values. As part of delivering this exploit, go-exploit was updated to support the fgfm authentication protocol.
IP Intel was updated to track the ngioweb botnet. Specifically, we've fingerprinted ngioweb Loaders and ngioweb Backconnect C2. This addition was based on recent research published by Black Lotus Research about the NSOCK botnet.
The team released go-exploit 1.31.0. This release contains an update to the latest Edge User-Agent, improved HTTP multipart handling, support for the Fortinet fgfmd protocol, a base64 chunked encoder, and documentation updates.