This week, we explore the GrimResource initial access method and a vulnerability roundup.
The newly observed technique involves a malicious MSC file that abuses an old yet unpatched cross-site scripting (XSS) flaw in a Windows file called 'apds.dll'. When combined with a technique called 'DotNetToJScript', the XSS flaw can be used to execute .NET code in the context of MMC.
The end result of the observed infection chain was the deployment of Cobalt Strike.
It should be noted that while this specific malware deployed Cobalt Strike, the exploit can be abused to execute other commands.
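As an added example that is not part of the original report, the following Python implements the logic of the two MMC hunting queries from the appendix over a few constructed endpoint events, so the wildcard and free-text terms can be checked against both benign and suspicious cases; the `ImageLoaded` and `TargetFileName` field names are assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). ImageFileName and CommandLine
# follow the field names used in the appendix queries; ImageLoaded and
# TargetFileName are assumed names for module-load and file-write fields.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: ordinary console use, no apds.dll involvement
        "ImageFileName": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc',
    },
    {   # 1: mmc.exe opens a downloaded .msc and pulls in apds.dll
        "ImageFileName": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\user\Downloads\sccm-updater.msc',
        "ImageLoaded": r"C:\Windows\System32\apds.dll",
    },
    {   # 2: mmc.exe writes the redirect file under the IE cache
        "ImageFileName": r"C:\Windows\System32\mmc.exe",
        "TargetFileName": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ABCD1234\redirect[1].htm",
    },
    {   # 3: a browser writing the same kind of cache file is expected noise
        "ImageFileName": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
        "TargetFileName": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZZ99\redirect[1].htm",
    },
]

def _free_text(ev: Event) -> str:
    # A bare "*value*" term in the query searches every field, so join them all.
    return "\n".join(ev.values()).lower()

def rule_mmc_msc_apds(ev: Event) -> bool:
    # ImageFileName = "*mmc.exe*" and CommandLine = "*.msc*" and "*apds.dll*"
    return ("mmc.exe" in ev.get("ImageFileName", "").lower()
            and ".msc" in ev.get("CommandLine", "").lower()
            and "apds.dll" in _free_text(ev))

_REDIRECT_PATH = re.compile(r"\\inetcache\\.*\\redirect")

def rule_inetcache_redirect(ev: Event) -> bool:
    # "*\\INetCache\\*\\redirect*" and "*mmc.exe*" (both free-text, any field)
    text = _free_text(ev)
    return _REDIRECT_PATH.search(text) is not None and "mmc.exe" in text

RULES = {"mmc_msc_apds": rule_mmc_msc_apds, "inetcache_redirect": rule_inetcache_redirect}

def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event a rule matches."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]
```

Running `evaluate(SAMPLE_EVENTS)` flags only events 1 and 2; the browser cache write in event 3 is not flagged because no field mentions mmc.exe.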
There are several behavioral indicators that can be monitored for this type of attack:
Additional Resources
Researchers at Qualys published details today on a critical unauthenticated RCE in OpenSSH Server on 'glibc-based Linux systems'. The vulnerability, tracked as CVE-2024-6387, is a race condition in sshd (OpenSSH's server) in its default configuration. Successful exploitation allows commands to be run as root. Proof-of-concept exploit code is already in the wild.
Per the security release notes from OpenSSH, successful exploitation was demonstrated on 32-bit Linux/glibc systems with ASLR (address space layout randomization). In lab conditions "the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept".
The advisory also states that exploitation of 64-bit systems is believed to be possible but has not yet been demonstrated. The vulnerability impacts OpenSSH versions between 8.5p1 and 9.7p1.
Additionally, versions prior to 4.4p1 are also vulnerable unless they are patched for CVE-2005-5051 and CVE-2008-4109.
Administrators are urged to patch to version 9.8p1 as soon as possible. As an additional precaution, administrators are urged to limit SSH access through network-based controls.
See Appendix C at the end of the article for the PacketWatch query to hunt for vulnerable SSH servers.
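As an added example that is not part of the original report, this Python classifier applies the affected ranges stated above (8.5p1 through 9.7p1, and anything before 4.4p1) to SSH server banners; it parses the minor version as a number so a release such as 9.10 is not mistaken for 9.1. The banners are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Matches the OpenSSH identifier in a server banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4". Two-digit minors (9.10) are
# parsed as numbers, which a single-character class in a regex cannot do.
_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", re.IGNORECASE)

def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable release) or None if not an OpenSSH banner."""
    m = _OPENSSH_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_in_affected_range(banner: str) -> Optional[bool]:
    """True if the banner falls in the affected ranges given above:
    8.5p1 through 9.7p1, or anything before 4.4p1 (the latter only if the
    two older CVEs named above were never patched)."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return None            # not OpenSSH (or unparsable): cannot say
    major_minor = ver[:2]
    return (8, 5) <= major_minor <= (9, 7) or major_minor < (4, 4)

def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Label each banner for a hunt report. A version string cannot show
    distribution backports, so 'review' still needs package-level
    confirmation against the vendor's patched package version."""
    labels = {True: "review", False: "not-affected", None: "unknown"}
    return [(b, labels[is_in_affected_range(b)]) for b in banners]

# Constructed sample banners (not from any real scan).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_9.10p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner, label in triage(SAMPLE_BANNERS):
        print(f"{label:13} {banner}")
```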
Juniper published an out-of-band security update to address CVE-2024-2973, an authentication bypass vulnerability with a CVSS score of 10.0. Per the advisory, successful exploitation allows the attacker to take full control of the device. The vulnerability affects Juniper Networks Session Smart Router and Conductor devices running in high-availability redundant configurations.
The following versions are impacted:
Additionally, Juniper noted that the patch was applied automatically to affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud. Administrators are urged to patch as soon as possible to versions SSR-5.6.15, SSR-6.1.9-lts, or SSR-6.25-sts or later.
Broadcom released a security update for multiple critical vulnerabilities in vCenter Server. Two vulnerabilities tracked as CVE-2024-37079 and CVE-2024-37080 have a CVSS score of 9.8.
An attacker with network access to vCenter Server can send a specially crafted network packet to gain remote code execution on the vulnerable system. A third vulnerability, tracked as CVE-2024-37081, is a privilege escalation vulnerability with a CVSS score of 7.8. Successful exploitation allows for an authenticated non-administrative user to gain root privileges on the vulnerable server.
All three vulnerabilities affect vCenter Server 7.0 and 8.0, as well as Cloud Foundation (vCenter Server) versions 4.x and 5.x. Administrators are urged to patch as soon as possible.
On June 25th, Progress disclosed a critical vulnerability in its managed file transfer (MFT) solution MOVEit. This vulnerability is tracked as CVE-2024-5806 and has a CVSS score of 9.1. Successful exploitation of the vulnerability allows attackers to bypass the authentication process in the Secure File Transfer Protocol (SFTP) module.
This can lead to the attacker being able to upload, download, delete, or modify files on the MOVEit server. The flaw affects versions 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2.
Vulnerability details and proof-of-concept exploit code are published in the wild. Per this research, successful exploitation requires the attacker to have knowledge of a valid username on the affected system.
Additionally, that specified username must pass IP-based restrictions (from a network allow list). Administrators are urged to patch as soon as possible.
Also on June 25, Progress disclosed a critical SQL injection vulnerability in their FileCatalyst Workflow software. This vulnerability is tracked as CVE-2024-5276 and has a CVSS score of 9.8.
The flaw affects versions 5.1.6 Build 135 and earlier. Per the disclosure, successful exploitation can lead to the creation of administrative users and deletion or modification of data in the application database. The disclosure does, however, state that data exfiltration is not possible using the SQLi vulnerability.
Additionally, in order for exploitation to be successful, anonymous access must be enabled, otherwise the attacker must perform the exploit as an authenticated user.
Administrators are urged to patch to version 5.1.6 build 139 (or later) as soon as possible.
Part of Microsoft's June Patch Tuesday included a fix for CVE-2024-30103, a remote code execution vulnerability in Microsoft Outlook. A unique feature of this vulnerability is the "zero-click" aspect of the remote code execution (RCE).
The flaw can be exploited by the user opening and previewing a maliciously crafted email, requiring no further interaction. Although there are few details publicly available, the Microsoft security advisory states that the vulnerability resides in the Preview Pane of Outlook.
As of this writing, there are no public exploits for this vulnerability. However, administrators are urged to patch as soon as possible. Details for updating Outlook can be found here.
Hunting queries for the GrimResource technique (mmc.exe loading a .msc file together with apds.dll, and the redirect file written under INetCache):

(#event_simpleName = * or #ecs.version = *)
| (ImageFileName = "*mmc.exe*" and CommandLine = "*.msc*" and "*apds.dll*")

(#event_simpleName = * or #ecs.version = *)
| ("*\\INetCache\\*\\redirect*" and "*mmc.exe*")

Appendix C: query to hunt for vulnerable SSH servers (OpenSSH before 4.4, and 8.5 through 9.7, on internal address ranges):

ssh.version:/.*openssh_(([123]\.[0-9])|(4\.[123])|(8\.[56789])|(9\.[01234567])).*/ AND destination.ip:(192.168.0.0\/16 OR 172.16.0.0\/12 OR 10.0.0.0\/8)
Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.