The team has started adding pcap and network signatures specific to real world attacks in the Initial Access repository within the c2 directory. For example, you can find the directory c2/redtail off of the root of the repository. This directory contains pcaps of the Redtail cryptomining group exploiting CVE-2021-41773, and fetching their stager script over HTTP. Additionally, there are network rules specifically for flagging this Redtail behavior. In the near future, network signatures in c2 will have their own API endpoint.
VulnCheck observed a new vulnerability being targeted in the wild. After some analysis and testing, we found the vulnerability affected the Four-Faith F3x24 / F3x36 industrial router. We believe this is an undocumented vulnerability and we are treating it as a zero-day. We have informed Four-Faith and will publish the CVE publicly no later than Dec 27. Of course, the details are available to our customers in the Initial Access repository.
The vulnerability is an authenticated command injection affecting the time management system. The attack we saw in the wild used the default credentials for the devices (admin:admin). The VulnCheck exploit uses the backdoor credentials that we found in these routers earlier this year, thereby achieving unauthenticated RCE. The team also developed search engine queries, a version scanner, pcap, and network signatures.
This vulnerability affects a subsystem of Avaya Aura, and while not widespread, the team found a couple hundred high value targets (by our estimation). We also noted what we believe to be ongoing exploitation via GreyNoise. We've published an exploit that drops a PHP webshell, search engine queries, network signatures, pcap, and a GreyNoise query.
On Monday, the FBI released an advisory describing HiatusRAT targeting hardware in the Five Eyes countries. The FBI was not clear on the goal of the campaign, but it appears to be related to credential harvesting and controlling networked cameras/DVR/NVR in those countries. The FBI included the targeting of this credential leak affecting TBK, CVE-2018-995, that, while not on CISA KEV, has been on the VulnCheck KEV since February 2020. Additionally, VulnCheck noted potential attackers probing for login.rsp throughout the week (the 302 redirect is broken in some older versions, so attackers need to first probe for login.rsp; see the exploit for more details).
The team developed an exploit, pcap, network signatures, search engine queries (including Google), and a version scanner. We note that while the FBI stated this issue hasn't been patched, we found that it has been. Our Shodan queries flag ~4000 affected systems.
The GoAhead web server is a widely deployed embedded systems HTTP server that contains a vulnerability in its CGI parsing that allows attackers to both control environment variables and write temporary files to disk, resulting in the ability to conduct LD_PRELOAD hijacking and achieve RCE. The team developed an x86 version of the web application and a demonstration payload that fits within the small buffer size constraint. The team additionally developed network rules and pcap for this exploit.
Early this week, this vulnerability saw a lot of "hype" likely based on the familiarity of the Apache Struts brand (and its history of exploitation). There were also a few fake or just wrong public exploits that we think confused people. Regardless, the team analyzed this vulnerability and, similar to S2-066, we find it incredibly unlikely that this will ever be exploited in the wild. The first issue is that we've had difficulty even confirming any projects that use the affected feature. Additionally, exploitation requires finding a vulnerable endpoint (which would be implementation specific).
The team did develop a contrived docker container for customers to test against, should they choose. We also delivered an exploit that uploads a webshell, along with an exploitation pcap.
The team analyzed the recent Tomcat vulnerability CVE-2024-50379. This vulnerability only affects Tomcat on Windows when the default servlet has been configured to allow HTTP PUT and HTTP DELETE (basically a very rare configuration). After analyzing the diffs and running some tests on Tomcat we think we understand the timing sequence. We hope to have content for you next week. We do note that there are multiple public "exploits" that don't actually exploit the issue.
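Since the Tomcat issue above only matters when the default servlet has been configured to allow PUT and DELETE, the quickest defensive check is to audit web.xml for that setting. The following is an added example (not VulnCheck's code) that parses a Tomcat web.xml and flags a DefaultServlet whose readonly init-param is set to false; the sample web.xml it runs against is constructed for illustration.

```python
"""Audit a Tomcat web.xml for a default servlet that permits HTTP PUT/DELETE.

Tomcat's DefaultServlet only accepts PUT and DELETE when its readonly
init-param is explicitly "false" (the default is true). This helper reports
every such servlet so an operator can confirm whether the rare configuration
the text describes is actually present.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace; web.xml normally declares the Java EE one."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name, default=""):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else default


def find_writable_default_servlets(web_xml: str) -> list:
    """Return one record per DefaultServlet whose readonly param is false."""
    findings = []
    for servlet in _children(ET.fromstring(web_xml), "servlet"):
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _children(servlet, "init-param")}
        readonly = params.get("readonly", "true").strip().lower()
        if readonly == "false":
            findings.append({"servlet": _text(servlet, "servlet-name"),
                             "readonly": readonly})
    return findings


# Constructed sample: the weak configuration (readonly=false).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Corrected form: readonly=true (equivalently, omit the param entirely).
FIXED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                     "<param-value>true</param-value>")

if __name__ == "__main__":
    print(find_writable_default_servlets(WEAK_WEB_XML))   # one finding
    print(find_writable_default_servlets(FIXED_WEB_XML))  # []
```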
Detection was added for RedWarden, a Python-based reverse proxy designed for Cobalt Strike C2 infrastructures, implementing malleable C2 profile validation.