Not Simon

@simontsui@infosec.exchange
1.2K Followers
112 Following
687 Posts
This is not Simon. Opinions are made by a screaming goat and do not express the views or opinions of his goatherder.
@deepthoughts10 I had to go back to the original article to see any mentions to China. After the iSoon leaks, I suspect ToddyCat is yet another hackers-for-hire company in China's private industry.

@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them needs some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.

#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation

h4sh (@h4sh@infosec.exchange)

I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. https://www.cve.org/CVERecord?id=CVE-2024-4040 If anyone disagrees with our CVSS analysis, please let me know & bring proof #CVE20244040 #CVE_2024_4040

Infosec Exchange

@GossiTheDog Wasn't the reason because ALPHV banned the RaaS affiliate and exit scammed? The affiliate was left holding the exfiltrated data and had no better option than to extort the company again.

I know there's a $10 million reward but I didn't hear anything about sanctions: https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-alphv-blackcat-linked-cyber-actors-targeting-u-s-critical-infrastructure/

The United States State Department issued a visa ban on 13 people and some of their family members. The reason is the proliferation of spyware. https://www.state.gov/promoting-accountability-for-the-misuse-of-commercial-spyware/
CrushFTP urges customers to patch file transfer tool ‘ASAP’ https://therecord.media/crushftp-file-transfer-vulnerability-patch-asap

Two of the biggest cybersecurity incidents in 2023 revolved around zero-day vulnerabilities in file transfer tools.

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

CVE Website

Wall Street Journal has a leak from the Change Healthcare ransomware incident

- Initial entry was via a remote access system without MFA
- Dwell time was 9 days
- They paid the ransom, then got held to ransom again and had data leaked anyway

https://www.wsj.com/articles/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6

#threatintel #ransomware

@mttaggart Another interesting point is that CVE-2022-38028 was originally reported to Microsoft by the National Security Agency, as Bleeping Computer mentioned: https://www.bleepingcomputer.com/news/security/microsoft-apt28-hackers-exploit-windows-flaw-reported-by-nsa/

Since it was not disclosed as exploited at the time, we might infer that NSA didn't observe exploitation in the wild by a foreign adversary like APT28 back in 2022. So how did NSA come across CVE-2022-38028? 🤔 I hope I don't have to explicitly say it.

Microsoft: APT28 hackers exploit Windows flaw reported by NSA

Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg.

BleepingComputer

@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes. These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/

#CVE_2023_48795 #Terrapin #vulnerability #Jenkins

Jenkins Security Advisory 2024-04-17
