
HORUS Protector Part 2: The New Malware Distribution Service

Recently, the SonicWall Capture Labs threat research team came across a new Horus FUD (Fully Undetectable) malware crypter used for spreading different malware families, including AgentTesla, Remcos, Snake, NjRat and many others. Here, we discuss the infection chain and spreading mechanism, followed by the payloads distributed using Horus Protector. If you want to learn more about Horus Protector, please read our previous blog.

Most malicious files are distributed through scripts contained in archive files. Recent infections have been attributed to VBE scripts, which are encoded VBS scripts that can be decoded using various tools.

Figure 1: Infection Chain

Upon execution, the VBE script downloads all the required data from its CnC server hxxp://144.91.79[.]54. From this server, it initially retrieves a few encoded files: hxxp://144.91.79[.]54/1109/s, hxxp://144.91.79[.]54/1109/r and hxxp://144.91.79[.]54/1109/H011yiDJHSNr3TuAtkpt.txt. All of this downloaded data is stored under a single registry key. The key path is [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx], where uOITNhlpKJsMLJx is predefined as the SystemPath variable in the VBE script.

The data is stored in different values under this key, which we discuss below. It mostly consists of executables and instructions. The registry entries and their values are shown below.

Figure 2: Registry Entries

Another key named donn is created under the same parent key, holding the main payload in hexadecimal format distributed across several values according to the size of the payload. The values are named segment1, segment2, …, segmentn. In a few instances we have also observed the names data1, data2, …, datan.

Figure 3: Main Payload

After this, it creates a new VBS script in the “<UserName>\AppData\Roaming” directory, using the same name: uOITNhlpKJsMLJx.VBS.

Later, the VBS file is written with the data downloaded from the URL hxxp://144.91.79[.]54/1109/file. A scheduled task with the same name is created for this VBS script, with a trigger configured to execute it once a minute.

Figure 4: Task Scheduler
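The once-a-minute scheduled task is the part of this chain a defender can hunt for without decoding anything. The Python script below is an added example written for this post, not code from the original analysis or from Horus Protector: it parses Task Scheduler XML (the format produced by schtasks /query /xml), and flags tasks whose repetition interval is tight, whose action is a script host, or whose arguments point at a .vbs/.vbe under a user's AppData folder. The two task definitions, the 300-second threshold and the file paths are constructed for the example.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (as exported by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition shaped like the persistence described above:
# a trigger repeating every minute that launches a .vbs under AppData\Roaming.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-10-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\uOITNhlpKJsMLJx.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: runs once a day from Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-10-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# ISO 8601 duration subset that Task Scheduler emits, e.g. PT1M, PT30S, P1DT2H.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler duration string to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task_xml(xml_text: str, max_interval_seconds: int = 300) -> list:
    """Return human-readable findings for one task definition; [] means nothing notable."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Tight repetition intervals (the sample above repeats every minute).
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs <= max_interval_seconds:
            findings.append(f"trigger repeats every {secs}s (threshold {max_interval_seconds}s)")
    # 2. Script hosts and scripts living in a user-writable profile location.
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        if ntpath.basename(command).lower() in SCRIPT_HOSTS:
            findings.append(f"action runs script host {ntpath.basename(command)}")
        if re.search(r"\\AppData\\(Roaming|Local)\\", arguments, re.IGNORECASE) and \
                re.search(r"\.vb[se]\b", arguments, re.IGNORECASE):
            findings.append("action launches a .vbs/.vbe from a user-profile AppData path")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task_xml(xml_text) or ["no findings"])
```

Run it over the output of schtasks /query /xml /tn <name>, or over every XML file under C:\Windows\System32\Tasks. A PT1M repetition interval is unusual for legitimate software, and together with a wscript.exe action on a file in AppData\Roaming it matches the persistence described above.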

Afterward, it checks for installed antivirus software through the WMI namespace “winmgmts:\\.\root\SecurityCenter2”. In particular, it verifies the presence of Windows Defender by looking for the string “Windows Defender Enabled” in this object.

Figure 5: Check Antivirus

If Windows Defender is enabled on the system, the script executes the file stored in the registry value [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\s], which essentially functions as a loader (Elfetah.exe), using the following command-line parameters:

“PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit”

Conversely, if Windows Defender is not enabled, the VBS script <UserName>\AppData\Roaming\uOITNhlpKJsMLJx.vbs is executed automatically through the already-created scheduled task.

The uOITNhlpKJsMLJx.vbs script first checks whether the legitimate process named in the registry value [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\i] (here, MSBuild.exe) is among the running processes.

If the process is not running, it launches PowerShell and executes the command stored in [HKEY_CURRENT_USER\Software\uOITNhlpKJsMLJx\v]. This command decodes the loader file from the [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\s] value and passes the key name uOITNhlpKJsMLJx to it as a parameter.

Execution Step 1:

As discussed above, the registry value [HKCU:\Software\uOITNhlpKJsMLJx\s] contains reversed base64 data. Using this data, the dropped VBS executes a module named Elfetah.exe. The sole purpose of this file is to load and execute the assembly of the next-stage injector stored in the registry value [HKCU:\Software\uOITNhlpKJsMLJx\r]. The registry key name, “uOITNhlpKJsMLJx”, is passed to Elfetah.exe as a parameter. Using it, Elfetah.exe retrieves the data from [HKCU:\Software\uOITNhlpKJsMLJx\r], reverses it and converts it from hex to ASCII to form the raw binary.

Figure 6: Call to second stage

The new assembly is loaded by calling the r method of the newly loaded .NET DLL, erezake.dll.

Execution Step 2:

The second stage of the malware execution is the injector erezake.dll, which injects the payload into the target process chosen by the service's user.

Here, we already know that the intended target process is MSBuild.exe which is stored in registry [HKCU:\Software\uOITNhlpKJsMLJx\i].

Figure 7: Search Target Process

This MSBuild.exe is searched in the directories shown in the image. These paths may vary according to the target process to be searched. So, there is a possibility that this dll file might be generated separately for specific user requests.

The main payload, stored in the [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\donn] key in the values segment1, segment2, …, segmentn, is concatenated and reversed to form a PE file.
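The storage formats described above (reversed base64 in the s value, reversed hex in r, and reversed hex split across the segment values of donn) are simple to undo once you know them. The following Python is an added example for readers, not code from the original post or from Horus Protector: it mimics the layout with a dictionary standing in for the registry key, decodes each stage and checks for the MZ magic. The SAMPLE_* byte strings, the segment sizes and the dictionary layout are constructed; it also assumes, as the description implies, that hex decoding follows the reversal of the concatenated segments. Reading the live hive (for example with winreg) is left out so that the example runs anywhere.

```python
import base64
import re

# Constructed stand-ins for the staged binaries: only the "MZ" magic matters for the checks below.
SAMPLE_LOADER = b"MZ\x90\x00" + b" constructed loader stand-in, not a real binary"
SAMPLE_INJECTOR = b"MZ\x90\x00" + b" constructed injector stand-in, not a real binary"
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(64)) + b" constructed payload stand-in, not a real binary"


def encode_reversed_base64(data: bytes) -> str:
    """Storage format of the s value as described above: base64 text, then reversed."""
    return base64.b64encode(data).decode("ascii")[::-1]


def encode_reversed_hex_segments(data: bytes, segment_size: int, prefix: str = "segment") -> dict:
    """Storage format of the donn key: hex text, reversed, split over segment1..segmentN."""
    text = data.hex()[::-1]
    chunks = [text[i:i + segment_size] for i in range(0, len(text), segment_size)]
    return {f"{prefix}{i + 1}": chunk for i, chunk in enumerate(chunks)}


def decode_reversed_base64(value: str) -> bytes:
    return base64.b64decode(value[::-1])


def decode_reversed_hex(value: str) -> bytes:
    return bytes.fromhex(value[::-1])


# Both naming schemes seen in the wild: segmentN and dataN.
_SEGMENT_NAME = re.compile(r"^(?:segment|data)(\d+)$", re.IGNORECASE)


def reassemble_segments(values: dict) -> bytes:
    """Join segmentN/dataN values in numeric order, then undo the reversal and hex encoding."""
    parts = []
    for name, text in values.items():
        m = _SEGMENT_NAME.match(name)
        if m:
            parts.append((int(m.group(1)), text))
    if not parts:
        raise ValueError("no segmentN/dataN values found")
    parts.sort(key=lambda p: p[0])  # numeric sort: segment10 must follow segment9, not segment1
    return decode_reversed_hex("".join(text for _, text in parts))


def looks_like_pe(blob: bytes) -> bool:
    return len(blob) >= 2 and blob[:2] == b"MZ"


def build_sample_hive() -> dict:
    """Constructed imitation of the HKCU\\SOFTWARE\\<SystemPath> tree (a dict, not the real registry)."""
    return {
        "s": encode_reversed_base64(SAMPLE_LOADER),   # loader, reversed base64
        "r": SAMPLE_INJECTOR.hex()[::-1],              # injector, reversed hex
        "i": "MSBuild.exe",                            # target process name
        "b": "1",                                      # BotKill flag
        "donn": encode_reversed_hex_segments(SAMPLE_PAYLOAD, 20),
    }


def triage_hive(hive: dict) -> dict:
    """Decode each stage and report what an analyst wants to know at a glance."""
    return {
        "loader_is_pe": looks_like_pe(decode_reversed_base64(hive["s"])),
        "injector_is_pe": looks_like_pe(decode_reversed_hex(hive["r"])),
        "payload_is_pe": looks_like_pe(reassemble_segments(hive["donn"])),
        "payload_segments": len(hive["donn"]),
        "target_process": hive.get("i"),
        "botkill": hive.get("b") == "1",
    }


if __name__ == "__main__":
    print(triage_hive(build_sample_hive()))
```

The numeric sort in reassemble_segments matters: the registry enumerates value names lexically, so segment10 would otherwise be spliced in after segment1 and the resulting PE would be corrupt.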

Figure 8: Extract Payload

The payload is then injected into the target process using a process hollowing (image hollowing) injection technique. All Windows API calls are wrapped in functions with French names, as shown in the image below.

Figure 9: Process Hollowing

After the process injection, it checks for the presence of a value at [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\b]. Although we are not sure of its use, it is very likely tied to the BotKill option offered by the Horus Crypter service provider. It will be present only if the user ticked the BotKill checkbox while creating the payload.

Figure 10: BotKill Check

If the registry value is “1”, then it removes all the persistence of the malware from the victim’s system. This also includes Scheduled Task deletion from the system.

Figure 11: Delete Persistence

 

Here, the injected payload was the SNAKE Keylogger. The SNAKE Keylogger is infamous for stealing sensitive data, such as:

  • Key logs
  • Screenshots
  • Clipboard data
  • Application data (browsers, email clients, etc.)

Figure 12: SNAKE Keylogger Strings

You can read more about SNAKE Keylogger in our old blog.

We have observed similar mechanisms spreading different malware over this period. It would be interesting to see what new versions authors will bring in future.

 

IOCs:

c39a2e4fbcce649cb5ac409d4a2e1b1f

f0fe04a3509d812ade63145fd37a1cb2

8acccb571108132e1bbe7c4c60613f59

405377b1469f31ff535a8b133360767d

fd4302cdfacbc18e723806fde074625b

 

IPs:

144.91.79[.]54

 

CoreWarrior Spreader Malware Surge

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of CoreWarrior malware. This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring.

Infection Cycle

The malware is a UPX-packed executable that has been manually tampered with and will not unpack using the standard UPX unpacker.

Figures 1 (top) and 2 (bottom): Initial detection, and unpacking failure due to a checksum error

At runtime, the executable creates a copy of itself with a randomly generated name. The copy launches a command prompt and uses curl to POST data to “http://wecan.hasthe(dot)technology/upload”. After each completed POST, the parent program deletes the existing copy and creates a new one. During testing, one hundred and seventeen copies were created and deleted in under ten minutes.

Figure 3: Malware is connecting to site and posting data

As messages are being sent, the program will then bind a listener on ports 49730-49777 and 50334-50679. A secondary IP address of 172.67.183.40 had a single connection made, but no TCP/UDP traffic was sent.

Figure 4: Multi-part output of data sent
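To hunt for this behaviour on a host, look for a single process that owns a cluster of TCP listeners in the port ranges above. The Python below is an added example, not code from the original analysis: it parses netstat -ano style output (the lines here are constructed, not a real capture) and flags any PID with three or more LISTENING ports inside 49730-49777 or 50334-50679, or an unusually large number of listeners overall. The thresholds and the PID values are chosen for the example.

```python
from collections import defaultdict

# Listener port ranges observed in the analysis above.
SUSPECT_RANGES = [(49730, 49777), (50334, 50679)]

# Constructed lines in the shape of `netstat -ano` output; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49730          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:49731          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:49732          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:50334          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:50335          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:50336          0.0.0.0:0              LISTENING       6120
  TCP    0.0.0.0:49750          0.0.0.0:0              LISTENING       2200
  TCP    127.0.0.1:49800        127.0.0.1:49801        ESTABLISHED     3344
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1820
"""


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` style lines into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            state, pid = parts[3], parts[4]
        elif parts[0] == "UDP" and len(parts) == 4:
            state, pid = "", parts[3]          # UDP rows carry no state column
        else:
            continue
        addr, port = parts[1].rsplit(":", 1)   # rsplit so "[::]:135" keeps its address intact
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def in_suspect_range(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in SUSPECT_RANGES)


def find_listener_clusters(rows: list, min_suspect: int = 3, min_total: int = 20) -> dict:
    """Group LISTENING TCP ports by PID and flag processes that look like the spreader."""
    by_pid = defaultdict(list)
    for row in rows:
        if row["proto"] == "TCP" and row["state"] == "LISTENING":
            by_pid[row["pid"]].append(row["port"])
    findings = {}
    for pid, ports in by_pid.items():
        suspect = sorted(p for p in ports if in_suspect_range(p))
        # A single port in the range is normal ephemeral-port noise; a cluster is not.
        if len(suspect) >= min_suspect or len(ports) >= min_total:
            findings[pid] = {"listening_ports": len(ports), "in_suspect_ranges": suspect}
    return findings


if __name__ == "__main__":
    for pid, info in find_listener_clusters(parse_netstat(SAMPLE_NETSTAT)).items():
        print(pid, info)
```

PID 2200 in the sample holds one port inside the range and is deliberately not flagged, since ordinary programs regularly receive ephemeral ports there; the cluster owned by PID 6120 is what distinguishes the behaviour described above.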

The parent process will obtain information on the system drives, as well as create a hook for the command prompt window to monitor for changes. The malware has several types of anti-analysis capabilities, including:

  • Anti-debug using rdtsc to check debug times; program will exit if times exceed threshold
  • Evasion using a randomized sleep timer that changes per number of connection attempts/successes/failures (Figure 4)
  • VM environment detection, as there are strings to check for HyperV containers

Figure 5: Variables used in sleep determinations

Other protocols referenced by the code include FTP, SMTP, and POP3 for data exfiltration.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • CoreWarrior.A

IOCs

85A6E921E4D5107D13C1EB8647B130A1D54BA2B6409118BE7945FD71C6C8235F (packed)

8C97329CF7E48BB1464AC5132B6A02488B5F0358752B71E3135D9D0E4501B48D (unpacked)

Microsoft Security Bulletin Coverage for October 2024

Overview

Microsoft’s October 2024 Patch Tuesday has 117 vulnerabilities, of which 42 are Remote Code Execution. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2024 and has produced coverage for 4 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE  CVE Title  Signature 
CVE-2024-43502  Windows Kernel Elevation of Privilege Vulnerability  ASPY 7012 Exploit-exe exe.MP_415 
CVE-2024-43560  Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability  ASPY 7013 Exploit-exe exe.MP_416 
CVE-2024-43572  Microsoft Management Console Remote Code Execution Vulnerability  IPS 4516 Microsoft Management Console Remote Code Execution (CVE-2024-43572) 
CVE-2024-43573  Windows MSHTML Platform Spoofing Vulnerability  IPS 4515 Windows MSHTML Platform Spoofing (CVE-2024-43573) 

ASPY 608 Malformed-msc msc.MP_2 

 

Release Breakdown

The vulnerabilities can be classified into the following categories:

 

For October there are 3 critical, 110 Important and 3 moderate vulnerabilities. 

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE  CVE Title 
CVE-2024-38149  BranchCache Denial of Service Vulnerability 
CVE-2024-43483  .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability 
CVE-2024-43484  .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability 
CVE-2024-43485  .NET and Visual Studio Denial of Service Vulnerability 
CVE-2024-43506  BranchCache Denial of Service Vulnerability 
CVE-2024-43512  Windows Standards-Based Storage Management Service Denial of Service Vulnerability 
CVE-2024-43515  Internet Small Computer Systems Interface (iSCSI) Denial of Service Vulnerability 
CVE-2024-43520  Windows Kernel Denial of Service Vulnerability 
CVE-2024-43521  Windows Hyper-V Denial of Service Vulnerability 
CVE-2024-43537  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43538  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43540  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43541  Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability 
CVE-2024-43542  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43544  Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability 
CVE-2024-43545  Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability 
CVE-2024-43555  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43557  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43558  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43559  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43561  Windows Mobile Broadband Driver Denial of Service Vulnerability 
CVE-2024-43562  Windows Network Address Translation (NAT) Denial of Service Vulnerability 
CVE-2024-43565  Windows Network Address Translation (NAT) Denial of Service Vulnerability 
CVE-2024-43567  Windows Hyper-V Denial of Service Vulnerability 
CVE-2024-43575  Windows Hyper-V Denial of Service Vulnerability 
CVE-2024-43603  Visual Studio Collector Service Denial of Service Vulnerability 

 

Elevation of Privilege Vulnerabilities

CVE  CVE Title 
CVE-2024-37979  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2024-38097  Azure Monitor Agent Elevation of Privilege Vulnerability 
CVE-2024-38124  Windows Netlogon Elevation of Privilege Vulnerability 
CVE-2024-38129  Windows Kerberos Elevation of Privilege Vulnerability 
CVE-2024-38179  Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability 
CVE-2024-43501  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2024-43502  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2024-43503  Microsoft SharePoint Elevation of Privilege Vulnerability 
CVE-2024-43509  Windows Graphics Component Elevation of Privilege Vulnerability 
CVE-2024-43511  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2024-43514  Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability 
CVE-2024-43516  Windows Secure Kernel Mode Elevation of Privilege Vulnerability 
CVE-2024-43522  Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability 
CVE-2024-43527  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2024-43528  Windows Secure Kernel Mode Elevation of Privilege Vulnerability 
CVE-2024-43529  Windows Print Spooler Elevation of Privilege Vulnerability 
CVE-2024-43532  Remote Registry Service Elevation of Privilege Vulnerability 
CVE-2024-43535  Windows Kernel-Mode Driver Elevation of Privilege Vulnerability 
CVE-2024-43551  Windows Storage Elevation of Privilege Vulnerability 
CVE-2024-43553  NT OS Kernel Elevation of Privilege Vulnerability 
CVE-2024-43556  Windows Graphics Component Elevation of Privilege Vulnerability 
CVE-2024-43560  Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability 
CVE-2024-43563  Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 
CVE-2024-43570  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2024-43583  Winlogon Elevation of Privilege Vulnerability 
CVE-2024-43590  Visual C++ Redistributable Installer Elevation of Privilege Vulnerability 
CVE-2024-43591  Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability 
CVE-2024-43604  Outlook for Android Elevation of Privilege Vulnerability 

 

Information Disclosure Vulnerabilities

CVE  CVE Title 
CVE-2024-43500  Windows Resilient File System (ReFS) Information Disclosure Vulnerability 
CVE-2024-43508  Windows Graphics Component Information Disclosure Vulnerability 
CVE-2024-43534  Windows Graphics Component Information Disclosure Vulnerability 
CVE-2024-43546  Windows Cryptographic Information Disclosure Vulnerability 
CVE-2024-43547  Windows Kerberos Information Disclosure Vulnerability 
CVE-2024-43554  Windows Kernel-Mode Driver Information Disclosure Vulnerability 

 

Remote Code Execution Vulnerabilities

CVE  CVE Title 
CVE-2024-30092  Windows Hyper-V Remote Code Execution Vulnerability 
CVE-2024-38029  Microsoft OpenSSH for Windows Remote Code Execution Vulnerability 
CVE-2024-38212  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-38229  .NET and Visual Studio Remote Code Execution Vulnerability 
CVE-2024-38261  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-38262  Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability 
CVE-2024-38265  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43453  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43468  Microsoft Configuration Manager Remote Code Execution Vulnerability 
CVE-2024-43480  Azure Service Fabric for Linux Remote Code Execution Vulnerability 
CVE-2024-43488  Visual Studio Code extension for Arduino Remote Code Execution Vulnerability 
CVE-2024-43497  DeepSpeed Remote Code Execution Vulnerability 
CVE-2024-43504  Microsoft Excel Remote Code Execution Vulnerability 
CVE-2024-43505  Microsoft Office Visio Remote Code Execution Vulnerability 
CVE-2024-43517  Microsoft ActiveX Data Objects Remote Code Execution Vulnerability 
CVE-2024-43518  Windows Telephony Server Remote Code Execution Vulnerability 
CVE-2024-43519  Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability 
CVE-2024-43523  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43524  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43525  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43526  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43533  Remote Desktop Client Remote Code Execution Vulnerability 
CVE-2024-43536  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43543  Windows Mobile Broadband Driver Remote Code Execution Vulnerability 
CVE-2024-43549  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43552  Windows Shell Remote Code Execution Vulnerability 
CVE-2024-43564  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43572  Microsoft Management Console Remote Code Execution Vulnerability 
CVE-2024-43574  Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability 
CVE-2024-43576  Microsoft Office Remote Code Execution Vulnerability 
CVE-2024-43581  Microsoft OpenSSH for Windows Remote Code Execution Vulnerability 
CVE-2024-43582  Remote Desktop Protocol Server Remote Code Execution Vulnerability 
CVE-2024-43589  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43592  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43593  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43599  Remote Desktop Client Remote Code Execution Vulnerability 
CVE-2024-43601  Visual Studio Code for Linux Remote Code Execution Vulnerability 
CVE-2024-43607  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43608  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43611  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
CVE-2024-43615  Microsoft OpenSSH for Windows Remote Code Execution Vulnerability 
CVE-2024-43616  Microsoft Office Remote Code Execution Vulnerability 

 

Security Feature Bypass Vulnerabilities

CVE  CVE Title 
CVE-2024-20659  Windows Hyper-V Security Feature Bypass Vulnerability 
CVE-2024-37976  Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability 
CVE-2024-37982  Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability 
CVE-2024-37983  Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability 
CVE-2024-43513  BitLocker Security Feature Bypass Vulnerability 
CVE-2024-43584  Windows Scripting Engine Security Feature Bypass Vulnerability 
CVE-2024-43585  Code Integrity Guard Security Feature Bypass Vulnerability 

 

Spoofing Vulnerabilities

CVE  CVE Title 
CVE-2024-43481  Power BI Report Server Spoofing Vulnerability 
CVE-2024-43550  Windows Secure Channel Spoofing Vulnerability 
CVE-2024-43571  Sudo for Windows Spoofing Vulnerability 
CVE-2024-43573  Windows MSHTML Platform Spoofing Vulnerability 
CVE-2024-43609  Microsoft Office Spoofing Vulnerability 
CVE-2024-43612  Power BI Report Server Spoofing Vulnerability 
CVE-2024-43614  Microsoft Defender for Endpoint for Linux Spoofing Vulnerability 

Tampering Vulnerability

CVE  CVE Title 
CVE-2024-43456  Windows Remote Desktop Services Tampering Vulnerability 

 

HORUS Protector Part 1: The New Malware Distribution Service

Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others.

The authors appear to be native French speakers. The files in the distribution mechanism contain instructions in French, and the desktops shown in the YouTube demo videos have French as the default language of the installed software.

Figure 1: Horus Telegram Group Description

The authors have their own Telegram group that communicates the latest updates to their subscribers. They also have various links on the homepage, along with a demo YouTube video and a description of their services and prices. This page also links to their Telegram group. The authors provide three service packages with varying features: Shared STUB at $50/month, Premium STUB at $100/month and Private STUB at $150/month.

Figure 2: Webpage with demo YouTube video

The Telegram group currently hosts four different versions of the crypter: v 0.3, v 0.4, v 0.4.1 and the latest version, v 0.4.2. These can be downloaded by anyone from the Telegram group, but a key, which the author provides after payment, is required to use the service.

The HORUS Protector service providers keep looking for detections by AV vendors and update their code accordingly. These updates are provided on its Telegram group channel. Initially, the scanning service kleenscan[.]com is used to test the detection by AV vendors. The website contains details about 39 well-known AV scanners and claims not to share malware with AV vendors. These kinds of services are used by malware authors to test the detection rates of malware binaries. Furthermore, there are some advertisements for harmful services on the scanner website, showcasing its malicious use.

Figure 3: Kleenscan service

In the image below, we observe updates on malware detection, indicating that the authors were indeed tracking AV detections to keep their malware service undetectable.

Figure 4: Telegram Group Updates

Also, the hashes of all encrypted malware (or we can say hashes of the generated infection chain) were checked on VirusTotal to update their mechanism and payload generation tactics.

HORUS Protector Tool

We have analyzed the latest version of the protector (v 0.4.2) and found that it spreads malware through a multilayered propagation chain with extensive use of the Windows registry. Previously, the generated infection vectors were scripts such as JavaScript; now it uses a .zip file containing a VBE script, which is an encoded Visual Basic script.

Figure 5: Horus Protector binary

We can see that the tool is a 32-bit DotNet Assembly file with a FUD cryptor, as described in comments. Also, this version is mentioned in the FileVersion property.

When run, the tool shows a prompt for a requirement of an internet connection to access the features of the tool.

Figure 6: Internet Connection Prompt

Once a user clicks “yes”, the tool generates the user's ID from the hardware configuration of the system. It retrieves the drive serial number using ManagementObject.Properties[“VolumeSerialNumber”] and the processor serial number using ManagementObject[“ProcessorId”]. Both values are converted to strings and concatenated to form the user ID. Afterwards, it attempts to connect to its server at 144.91.79[.]54:670.

Figure 7: User Information

The tool has two tabs: the first is User Informations and the second is Crypter. Under the User Informations tab, you can find the ID, the subscription package and the number of days elapsed since the subscription date. The last row indicates whether it is connected to the server: if connected, it shows “Connected Successfully”; if not, it shows “Connexion failed !”.

The second tab shows details related to the cryptor/tool.

Figure 8: Crypter Window

The user has to provide the malware payload using the “Add..” button. One of the legitimate processes from the “Inject to:” list must be selected; the payload will be injected into it upon execution.

The “inject to:” list has the following options:

“MSBuild.exe”, “RegAsm.exe”, “RegSvcs.exe”, “vbc.exe”, “AddInProcess32.exe”, “ngentask.exe”, “AppLaunch.exe”, “aspnet_compiler.exe”, “csc.exe”, “cvtres.exe”, “mscorsvw.exe”, “MicrosoftEdgeUpdate.exe”.

The “Online Scan” checkbox is meant to submit the file to malware scanning services to check which AV vendors detect it. The function of the “Botkill (beta)” checkbox is still unclear, but we believe it is intended as an option to remove persistence (scheduled task, run entries, etc.) to avoid detection.

Figure 9: Data Sent to Server

After selecting all the necessary fields, it transmits the data to the server, including the User ID, malware payload, the name of the file to be injected and the checkbox values.

The main processing of the payload is carried out server-side. For the newest version, the infection vector is downloaded to the user's machine as a VBE script. This VBE script downloads and executes the multistage infection chain. A notable persistence technique is also used for a stealthy malware infection.

The infection chain will be discussed in our second blog on this tool.

IOCs:

IP:

144.91.79[.]54:670

MD5:

f9aebea5a93ab48c69bb116e70478d09

0250722d091337129c84d9e82bb626f5

4564f734da06c25128722ff9d6188eab

7b9717229f2d8a289da22ba4db19a892

A Look Into Embargo Ransomware, Another Rust-based Ransomware

Embargo is a relatively new ransomware group that emerged in 2024. The group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics: it first exfiltrates sensitive data from its victims before encrypting their files, then threatens to release the stolen data unless a ransom is paid.

Infection Cycle

This ransomware uses an executable written in Rust. Examining its strings reveals references to a multitude of Rust libraries and crates.

Figure 1: Rust libraries and crates referenced in its strings

Here are some of the notable Rust crates used by this ransomware that will help understand its functionality:

  • clap_builder – command line argument parser
  • humantime – parser and formatter for durations and timestamps
  • log4rs – crate used for output logging
  • ignore – file/directory iterator; can be used to automatically filter out files and directories according to ignore globs
  • zeroize – securely clear secrets from memory
  • winapi-util-0.1.6/src/sysinfo.rs – routines for querying various Windows-specific properties, such as the computer name
  • chacha20 – Rust implementation of the ChaCha20 stream cipher, a 256-bit stream cipher used to encrypt and decrypt data

This ransomware uses command line options as shown in the figure below.

Figure 2: Embargo ransomware command line options

Executing this malware with the option for logging will create a log file showing every single file being successfully encrypted along with errors during runtime.

Figure 3: Runtime execution logging output to a file

Upon successful execution, encrypted files will be appended with random digits and a ransom note can be found in every directory where files have been encrypted.

Figure 4: Example of encrypted files within a directory

The ransom note will show instructions on how to recover files along with a threat that all sensitive data will be posted on their blog site.

Figure 5: Embargo ransom note

 

Embargo has targeted various organizations. Its blog on the onion network lists some of the victims that have allegedly not paid the ransom and whose data is now available to the public.

Figure 6: Embargo website on the Onion network accessible using a Tor browser

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Embargo.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Linux CUPS Printing Systems Multiple Vulnerabilities

Overview

The SonicWall Capture Labs threat research team became aware of multiple bugs leading to remote code execution in a CUPS-browsed system, assessed its impact, and developed mitigation measures. CUPS (Common Unix Printing System) is an open-source standard printing system for many Unix-like operating systems, such as GNU/Linux distributions and macOS. Despite being included, CUPS is not always enabled by default on some systems, such as Red Hat. Enabling the CUPS-browsed service allows a computer to function as a network print server through Internet Printing Protocol (IPP).

Identified as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177, these flaws in CUPS-browsed versions before 2.0.1 allow an unauthenticated threat actor to achieve arbitrary code execution when chained together, through a print job sent to a malicious IPP server. Considering that publicly available proof-of-concept (PoC) code exists for this vulnerability and the popularity of CUPS-browsed systems among threat actors, exploitation is more likely to occur in the next several months. On the local network, an attacker can spoof zeroconf, mDNS or DNS-SD advertisements to reach the same exploit path, leading to remote code execution. Users are strongly encouraged to stop and disable the cups-browsed service and/or block port 631 if it is not needed, as per the advisory.

Technical Overview

The chain of vulnerabilities arises from a flaw in how the application accepts arbitrary connections carrying an arbitrary URL on UDP port 631. Out of the whole CVE chain, CVE-2024-47146 is the loophole: cups-browsed, as part of the CUPS system, allows anyone to announce new printers, which are automatically added to the system. This binding occurs on UDP port 631 without notifying the user or obtaining consent, as shown in Figure 1.

Figure 1: CVE-2024-47146

Once the exploit sends the random URL on UDP port 631 to the victim, as shown in Figure 1, the attacker’s machine is automatically displayed in the victim printer’s list. After that, the attacker must wait for the victim to print any file using the attacker’s printer, which is already on the victim’s printer list.

Due to CVE-2024-47076, the function cfGetPrinterAttributes5 does not validate the IPP attributes returned from an IPP server, allowing an attacker to inject a malicious payload along with the attributes. Chaining it further with CVE-2024-47175, the function ppdCreatePPDFromIPP2 does not validate the IPP attributes when writing them to a temporary PostScript Printer Description (PPD) file, allowing an attacker to write a malicious payload into the PPD.

Finally, CVE-2024-47177 allows the execution of the specified arbitrary command (echo 1 > /tmp/I_AM_VULNERABLE) in the FoomaticRIPCommandLine parameter when a print job is sent to the fake printer.

Figure 2: Arbitrary code Injection in CUPS system
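Since the chain ends with an attribute value being written verbatim into a PPD and then handed to foomatic-rip, two defensive checks follow directly from the description: reject IPP attribute text that could break out of a quoted PPD value or start a new directive, and audit generated PPD files for directives that execute commands. The Python below is an added example, not code from CUPS, cups-filters or the original post; the PPD fragments are constructed, and the FoomaticRIPCommandLine value is the harmless marker command quoted above. The keyword list is deliberately limited to what the post names, which is an assumption rather than a complete list.

```python
import re

# Constructed PPD fragment shaped like the one the injected attributes would produce.
# The FoomaticRIPCommandLine value is the harmless marker command quoted in the post.
SUSPECT_PPD = r'''*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*ModelName: "Generic Printer"
*NickName: "Generic Printer (constructed sample)"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "echo 1 > /tmp/I_AM_VULNERABLE"
*DefaultPageSize: A4
'''

# Constructed PPD fragment with no command-execution directives.
CLEAN_PPD = r'''*PPD-Adobe: "4.3"
*ModelName: "Generic Printer"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 -"
*DefaultPageSize: A4
'''

# A PPD directive is "*Keyword[ Option]: value"; the key runs up to the first colon.
PPD_LINE = re.compile(r"^\*([^:]+):\s*(.*)$")

# Keywords that hand a shell command to foomatic-rip. Only the one named in the post is
# listed; treat this as a starting point, not an exhaustive list (assumption).
COMMAND_KEYWORDS = {"FoomaticRIPCommandLine"}


def audit_ppd(text: str) -> list:
    """Return (line_no, keyword, value) for every directive that can lead to command execution."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PPD_LINE.match(line)
        if not m:
            continue
        keyword = m.group(1).split()[0]          # "*PageSize A4/A4:" keys carry an option after a space
        value = m.group(2).strip().strip('"')
        if keyword in COMMAND_KEYWORDS:
            findings.append((line_no, keyword, value))
        elif keyword in ("cupsFilter", "cupsFilter2") and "foomatic-rip" in value:
            # The filter that would interpret the keyword above; worth a look on its own.
            findings.append((line_no, keyword, value))
    return findings


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def ipp_attribute_is_safe(value: str, max_len: int = 256) -> bool:
    """Reject attribute text that could start a new PPD line or break out of a quoted value.

    Control characters (including newline) and double quotes are refused outright, which is
    stricter than the PPD grammar requires but removes the injection path described above.
    """
    return len(value) <= max_len and '"' not in value and not _CONTROL.search(value)


if __name__ == "__main__":
    for line_no, keyword, value in audit_ppd(SUSPECT_PPD):
        print(f"line {line_no}: *{keyword}: {value}")
    print(ipp_attribute_is_safe("Generic Printer"), ipp_attribute_is_safe('x"\n*Foo: "y"'))
```

On a system that cannot be patched immediately, running audit_ppd over the PPDs under the CUPS configuration directory shows whether any automatically added printer already carries such a directive.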

Exploitation

Exploiting this vulnerability allows a remote threat actor to execute arbitrary code on the server as a system. It has a severe impact on the system's confidentiality, integrity and availability and does not require user interaction.

We leveraged the publicly available PoC to achieve remote code execution on a CUPS 2.0.1 system. The primary requirement for exploiting these vulnerabilities is that UDP port 631 be open on the target. An attacker sends a malicious UDP packet that points the victim machine at an attacker-controlled IPP server. The victim system's cups-browsed service then connects back, retrieving printer attributes that include malicious PPD directives. When a print job starts on this fake printer, these PPD directives cause the attacker's code to run on the target system, resulting in remote code execution, as seen in Figure 3.

Figure 3: CUPS RCE

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20394 CUPS Get-Printer-Attributes IPP Request
  • IPS: 20380 CUPS foomatic-rip Command Injection

Remediation Recommendations

Administrators should ensure that a host-based firewall is running to secure the affected UDP port 631. Red Hat users can configure firewalld, and Ubuntu users can configure ufw (which is disabled by default). Users should stop and disable the cups-browsed service if it is not needed.

Relevant Links

 

Insecure Deserialization in Veeam Backup and Replication: CVE-2024-40711

Overview

The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.

Identified as CVE-2024-40711, Veeam Backup & Replication versions before 12.1.2.172 allow a threat actor to achieve unauthenticated remote code execution using an underlying insecure deserialization vulnerability, earning a critical CVSS score of 9.8. Considering a publicly available proof of concept (PoC) code exists for this vulnerability and the popularity of Veeam among threat actors, exploitation is more likely in the next several months.  Considering the crucial role of the Veeam Backup & Replication in the infrastructure of an organization, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability arises due to a flaw in how the application handles the deserialization process. The addition of the class type ‘System.Runtime.Remoting.ObjRef’ to the blacklist, as seen in Figure 1 (this class is also a popular .NET deserialization gadget), indicates that the attack is likely accomplished using this malicious class.

Figure 1: Addition of class type in blacklist

The deserialization occurs in the ProcessMessage function of the Veeam.Common.Remoting.CBinaryServerFormatterSink class, which implements the custom .NET remoting server. The ProcessMessage function handles the processing of the .NET remoting packet; the code snippet that handles the deserialization is shown in Figure 2.

Figure 2: ProcessMessage function

Although Veeam has enforced several defenses against such deserialization attacks, it is unable to consider all possible code paths that could ultimately allow untrusted serialized data to be sent to the ProcessMessage function.

A serializable class uses a whitelist from the file ‘Veeam.Backup.Common.Sources.System.IO.BinaryFormatter.whitelist.txt’ to filter the .NET class types allowed in the serialization process. However, the static function ‘CProxyBinaryFormatter.Deserialize’ from Veeam.Backup.Core switches from whitelist to blacklist mode during deserialization, as seen in Figure 3.

Figure 3: CProxyBinaryFormatter.Deserialize function

Since the blacklist provided by unpatched Veeam doesn’t include the malicious ObjRef gadget ‘System.Runtime.Remoting.ObjRef’, it allows remote code execution by leveraging a class that has been whitelisted, such as CDbCryptoKeyInfo, and nesting one BinaryFormatter inside another. The outer deserialization satisfies .NET Remoting constraints, while the inner layer decodes and deserializes a payload using the exploitable ObjRef gadget. Using this technique, an attacker can obtain SYSTEM-level privileges.
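The design lesson in the paragraph above is that a type filter must apply the same policy at every layer of a nested payload, and that a denylist is only as good as its last entry. As an added example (not Veeam’s code and not .NET), the following Python models the situation with a JSON graph in which an allowlisted outer object carries a base64-encoded inner graph, the way one BinaryFormatter payload can be nested inside another. The field name `KeyData`, the `Example.*` denylist entries and the placeholder URI are assumptions; only `CDbCryptoKeyInfo` and `System.Runtime.Remoting.ObjRef` come from the analysis.

```python
import base64
import json


class TypeFilter:
    """Allowlist ('allow') or denylist ('deny') of serialized type names."""

    def __init__(self, mode, type_names):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.type_names = frozenset(type_names)

    def permits(self, type_name):
        if self.mode == "allow":
            return type_name in self.type_names
        return type_name not in self.type_names


# Policies modelled on the article: an allowlist for the outer layer and a
# denylist for the inner layer. The 'Example.*' names are placeholders for
# whatever the real denylist holds; only the ObjRef entry is from the page.
OUTER_ALLOWLIST = TypeFilter("allow", {"CDbCryptoKeyInfo", "System.String"})
INNER_DENYLIST_UNPATCHED = TypeFilter("deny", {"Example.KnownGadgetA", "Example.KnownGadgetB"})
INNER_DENYLIST_PATCHED = TypeFilter(
    "deny", INNER_DENYLIST_UNPATCHED.type_names | {"System.Runtime.Remoting.ObjRef"})


def _nested_graph(value):
    """If a string is base64 of a JSON object, return that object (an inner payload)."""
    try:
        inner = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return inner if isinstance(inner, dict) else None


def validate(graph, outer_filter, inner_filter):
    """Walk the graph and return [(depth, type_name)] for every rejected type.

    Depth 0 is checked with outer_filter; any graph found nested inside a
    string is checked with inner_filter, mirroring a deserializer that applies
    a different policy to the inner layer."""
    violations = []

    def walk(node, depth):
        policy = outer_filter if depth == 0 else inner_filter
        if isinstance(node, dict):
            type_name = node.get("$type")
            if type_name is not None and not policy.permits(type_name):
                violations.append((depth, type_name))
            for child in node.values():
                walk(child, depth)
        elif isinstance(node, list):
            for child in node:
                walk(child, depth)
        elif isinstance(node, str):
            nested = _nested_graph(node)
            if nested is not None:
                walk(nested, depth + 1)

    walk(graph, 0)
    return violations


# Constructed message: an allowlisted outer object whose 'KeyData' field
# (name assumed) carries a second graph that uses the ObjRef gadget type.
INNER_GRAPH = {"$type": "System.Runtime.Remoting.ObjRef", "URI": "<placeholder-uri>"}
OUTER_GRAPH = {
    "$type": "CDbCryptoKeyInfo",
    "KeyData": base64.b64encode(json.dumps(INNER_GRAPH).encode()).decode(),
}


def unpatched_result():
    """Outer allowlist, inner denylist without ObjRef: nothing is rejected."""
    return validate(OUTER_GRAPH, OUTER_ALLOWLIST, INNER_DENYLIST_UNPATCHED)


def patched_result():
    """Same layout once ObjRef is on the denylist: the inner layer is rejected."""
    return validate(OUTER_GRAPH, OUTER_ALLOWLIST, INNER_DENYLIST_PATCHED)


def allowlist_everywhere_result():
    """Applying the allowlist at every depth rejects the gadget without needing a list of bad types."""
    return validate(OUTER_GRAPH, OUTER_ALLOWLIST, OUTER_ALLOWLIST)


if __name__ == "__main__":
    print("unpatched denylist :", unpatched_result())
    print("patched denylist   :", patched_result())
    print("allowlist everywhere:", allowlist_everywhere_result())
```

The first call returning an empty list is the bug in miniature: the outer object satisfies the allowlist, the inner layer is judged by a denylist that does not yet name the gadget, and the payload passes. The third call shows why the safer fix is to keep the allowlist in force for nested data rather than to keep growing the denylist.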

Triggering the Vulnerability

Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites.

  • The attacker must have network access to the target vulnerable system.
  • The attacker must host the crafted SOAP wrapper payload on the HTTP server, and the server must be within reach of the victim machine.
  • The serialized payload using CDbCryptoKeyInfoWrapper class must be sent to Backup.MountService, running on port 6170 by default.

Exploitation

The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server as a SYSTEM. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

We leveraged the publicly available PoC to achieve remote code execution on Veeam Backup & Replication version 12.1.1.56. The exploit code hosts the SOAP payload, generated using ysoserial and SoapFormatter, on an HTTP server. It then sends a payload that is base64-encoded and serialized using the CDbCryptoKeyInfoWrapper class to the URI PermanentSessionService on port 6170, which triggers the insecure deserialization and fetches the hosted SOAP payload, as seen in Figure 4. This leads to the execution of the defined command, calc.exe, by Veeam.Backup.MountService.

Figure 4: POC video

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4511 SoapFormatter Malformed Response
  • IPS: 4512 SoapFormatter Malformed Response 2

Remediation Recommendations

The users of Veeam Backup & Replication are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.

Relevant Links

 

 

 

 

 

Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-20017, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-20017 is a critical zero-click vulnerability with a CVSS 3.0 score of 9.8, impacting MediaTek Wi-Fi chipsets MT7622/MT7915 and RTxxxx SoftAP driver bundles used in products from various manufacturers, including Ubiquiti, Xiaomi and Netgear. The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02. This translates to a large variety of vulnerable devices, including routers and smartphones. The flaw allows remote code execution without user interaction due to an out-of-bounds write issue. MediaTek has released patches to mitigate the vulnerability and users should update their devices immediately. While this vulnerability was published and patched back in March, only recently did a public PoC become available making exploitation more likely.

Technical Overview

The vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This service is responsible for configuring and managing wireless interfaces and access points, particularly with Hotspot 2.0 technologies. The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device’s wireless interfaces, and communication channels between components via Unix domain sockets.  Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy.  This buffer overflow creates an out-of-bounds write.

Triggering the Vulnerability

The vulnerability exists in the IAPP_RcvHandlerSSB function, where an attacker-controlled length value is passed to the IAPP_MEM_MOVE macro, as described in hyprdude’s blog and seen in Figure 1.

Figure 1: Vulnerable Code sourced from hyprdude

Prior to the last line, which calls IAPP_MEM_MOVE, the only bounds check performed is that the provided length does not exceed the maximum packet length of 1600 bytes. As the size of the destination struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes. To trigger this vulnerability an attacker must send a packet with the expected structures prepending the attack payload. These structures are referred to as the RT_IAPP_HEADER and the RT_IAPP_SEND_SECURITY_BLOCK within the code. To bypass validation checks, the length of the RT_IAPP_HEADER struct needs to be small and the RT_IAPP_HEADER.Command field must be set to 50.
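Written as an added example (not the MediaTek SDK’s code and not hyprdude’s), the following Python models the length handling described above so the missing check is visible: the declared security-block length is bounded only by the 1600-byte maximum packet size, while the destination struct is 167 bytes. The wire layout (a 4-byte header of command, identifier and header length, then a 2-byte block length) is an assumption; the 1600, 167 and Command 50 values are from the analysis.

```python
import struct

MAX_PACKET_LEN = 1600          # the only limit the vulnerable code enforces
DEST_STRUCT_SIZE = 167         # size of the stack struct the block is copied into
CMD_SEND_SECURITY_BLOCK = 50   # RT_IAPP_HEADER.Command value that reaches the handler

# Assumed wire layout (not from the page): RT_IAPP_HEADER as command,
# identifier and header length, then the SSB length, all network byte order.
IAPP_HEADER = struct.Struct("!BBH")
SSB_LENGTH = struct.Struct("!H")


class PacketRejected(ValueError):
    pass


def build_packet(ssb_len, block):
    """Constructed test packet: header + declared SSB length + block bytes."""
    header = IAPP_HEADER.pack(CMD_SEND_SECURITY_BLOCK, 0, IAPP_HEADER.size)
    return header + SSB_LENGTH.pack(ssb_len) + block


def handle_ssb(packet, hardened=True, dest_size=DEST_STRUCT_SIZE):
    """Model of the length handling in IAPP_RcvHandlerSSB.

    Returns how many bytes a copy of the declared length would land past the
    end of a dest_size-byte destination (0 when the copy fits). With
    hardened=True the declared length is also checked against the destination
    and against the bytes actually received, so no oversized copy is attempted."""
    if len(packet) < IAPP_HEADER.size + SSB_LENGTH.size:
        raise PacketRejected("packet too short for headers")
    command, _ident, _hdr_len = IAPP_HEADER.unpack_from(packet, 0)
    if command != CMD_SEND_SECURITY_BLOCK:
        raise PacketRejected("not a send-security-block command")
    (ssb_len,) = SSB_LENGTH.unpack_from(packet, IAPP_HEADER.size)
    block = packet[IAPP_HEADER.size + SSB_LENGTH.size:]

    # Vulnerable behaviour: the attacker-supplied length is compared only
    # against the maximum packet size before the copy into the 167-byte struct.
    if ssb_len > MAX_PACKET_LEN:
        raise PacketRejected("declared length exceeds maximum packet length")
    if hardened:
        # The missing checks: the block must fit the destination, and a length
        # larger than what was actually received must not be trusted.
        if ssb_len > dest_size:
            raise PacketRejected(f"declared length {ssb_len} exceeds destination size {dest_size}")
        if ssb_len > len(block):
            raise PacketRejected("declared length exceeds received data")
    return max(0, ssb_len - dest_size)


def rejected(packet, hardened=True):
    """True when the handler refuses the packet before any copy would happen."""
    try:
        handle_ssb(packet, hardened=hardened)
    except PacketRejected:
        return True
    return False


if __name__ == "__main__":
    oversized = build_packet(1600, b"A" * 1500)   # constructed: declares the maximum length
    normal = build_packet(100, b"A" * 100)        # constructed: fits the destination
    print("vulnerable, oversized:", handle_ssb(oversized, hardened=False), "bytes past the struct")
    print("hardened,   oversized: rejected =", rejected(oversized))
    print("hardened,   normal   : rejected =", rejected(normal))
```

The 1433 returned for the oversized packet in vulnerable mode is the 1600 minus 167 figure quoted above; the hardened path refuses the same packet before reaching the copy.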

Exploitation

The publicly available exploit code achieves remote code execution by using a global address table overwrite technique via a return-oriented programming (ROP) chain. This method leverages the `system()` call to execute commands, such as sending a reverse shell back to the attacker. The reverse shell is established using Bash and the existing Netcat tool on the chipset. Figure 2 illustrates how the reverse shell command is crafted and embedded within the payload to enable this exploitation tactic.

Figure 2: Reverse Shell Commands

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20322 MediaTek MT7915 wlan Service OOB Write 1
  • IPS: 20323 MediaTek MT7915 wlan Service OOB Write 2

Remediation Recommendations

Due to the availability of the exploit code, it is highly recommended that users upgrade to the latest version of the firmware for their respective chipset.

Relevant Links

 

Key Group Russian Ransomware Gang Uses Extensive Multi-purpose Telegram Channel

The SonicWall Capture Labs threat research team has been recently tracking ransomware known as Key Group. Key Group is a Russian-based malware threat group that was formed in early 2023.  They have reportedly attacked various organizations around the world by encrypting files and exfiltrating data before using Telegram channels to negotiate ransom payments.  The malware is written in .NET and is created using the Chaos ransomware builder.

Infection Cycle

Upon infection, files on the system are encrypted and each file name is given an extension consisting of five random alphanumeric characters.

Disassembling the file reveals a list of targeted file types:

Figure 1: Targeted files

We can also see a list of processes which will be killed if running:

Figure 2: Targeted processes to kill

It disables system recovery:

Figure 3: Disables system recovery

It contains a whitelist of files to ignore:

Figure 4: Whitelisted files

After encrypting files, the following message is displayed on the desktop background:

Figure 5: Desktop message

The following files are written to the filesystem:

C:\SystemID\keygroup777.txt

C:\SystemID\PersonalID.txt.UF4TA

keygroup777.inf does not exist, but Keygroup777.txt does.  It contains the following ransom message:

Figure 6: Ransom note
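Two of the artefacts above are easy to turn into a triage check: encrypted files keep their original name and gain a five-character random alphanumeric extension, and the ransom note is written to C:\SystemID\keygroup777.txt. As an added example (not part of the original analysis), the following Python groups files by such an appended extension and reports whether the note path is present. The list of paths is constructed for illustration; on a real host it would come from a directory walk such as the `triage_directory` helper.

```python
import re
from collections import defaultdict
from pathlib import Path, PureWindowsPath

# Indicators from the analysis above: a five-character random alphanumeric
# extension appended to encrypted files, and the ransom note in C:\SystemID.
RANDOM_EXT = re.compile(r"[A-Za-z0-9]{5}")
RANSOM_NOTE = PureWindowsPath(r"C:\SystemID\keygroup777.txt")

# Constructed sample paths (not collected from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.UF4TA",
    r"C:\Users\alice\Documents\report.docx.UF4TA",
    r"C:\Users\alice\Pictures\holiday.jpg.UF4TA",
    r"C:\SystemID\PersonalID.txt.UF4TA",
    r"C:\SystemID\keygroup777.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\notes.txt",
]


def triage(paths, min_cluster=3):
    """Cluster files by an appended 5-character extension and look for the note.

    A file only counts when its original extension is still present under the
    new one (report.docx.UF4TA), which is the pattern this family leaves; the
    cluster threshold keeps a single oddly named file from raising an alert."""
    candidates = defaultdict(list)
    note_present = False
    for raw in paths:
        path = PureWindowsPath(raw)
        if path == RANSOM_NOTE:          # PureWindowsPath compares case-insensitively
            note_present = True
        appended = path.suffix[1:]       # drop the leading dot
        if RANDOM_EXT.fullmatch(appended) and PureWindowsPath(path.stem).suffix:
            candidates[appended].append(str(path))
    clusters = {ext: len(files) for ext, files in candidates.items() if len(files) >= min_cluster}
    return {"ransom_note": note_present, "clusters": clusters}


def triage_directory(root, min_cluster=3):
    """Run the same check over every file under root on a live system."""
    return triage((str(p) for p in Path(root).rglob("*") if p.is_file()), min_cluster)


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The extension is random per infection, so the check keys on the shape of the name rather than on a fixed string; the note path is the stable indicator and is matched exactly.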

The first Github.io link leads to the following page:

Figure 7: First Github link

The “Login” button leads to the following page:

Figure 8: After “Log in”

It automatically redirects to the following page:

Figure 9: Redirected page

The last link in the ransom note leads to the following webpage:

Figure 10: Key Group ransom page

Figure 11: The ransom page continued

@SpyWareSpyNet and keygroup777Rezerv1 are handles for communicating with operators on the Telegram online chat network.

The two buttons lead to the following pages:

Figure 12: “About yourself” button

Figure 13: “Satana” button

The page above plays an audio track called T.A.t.i (feat. Ddeks) from ЧИЧ.

The @SpyWareSpyNet Telegram handle leads to the following channel.  It contains links that eventually lead to the contact information of various operators:

Figure 14: Telegram channel for operator communication

Figure 15: Operator contact information

The Telegram channels are also used by many operators to share information on victims, contact information, tools and more.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Keygroup777.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage For September 2024

Overview

Microsoft’s September 2024 Patch Tuesday has 79 vulnerabilities, of which 30 are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2024 and has produced coverage for 9 of the reported vulnerabilities.

Vulnerabilities with Detections

| CVE | CVE Title | Signature |
| --- | --- | --- |
| CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability | ASPY 7007 Malformed-lnk lnk.MP_5 |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | ASPY 7004 Exploit-exe exe.MP_408 |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 7005 Exploit-exe exe.MP_409 |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 7006 Exploit-exe exe.MP_410 |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 602 Exploit-exe exe.MP_411 |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 603 Exploit-exe exe.MP_412 |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 604 Exploit-exe exe.MP_413 |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | ASPY 605 Exploit-exe exe.MP_414 |
| CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | IPS 4501 Windows MSHTML Platform Spoofing (CVE-2024-43461) |

Release Breakdown

The vulnerabilities can be classified into the following categories:

For September there are 7 critical, 71 important and one moderate vulnerabilities.

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE CVE Title
CVE-2024-38230 Windows Standards-Based Storage Management Service Denial of Service Vulnerability
CVE-2024-38232 Windows Networking Denial of Service Vulnerability
CVE-2024-38233 Windows Networking Denial of Service Vulnerability
CVE-2024-38234 Windows Networking Denial of Service Vulnerability
CVE-2024-38235 Windows Hyper-V Denial of Service Vulnerability
CVE-2024-38236 DHCP Server Service Denial of Service Vulnerability
CVE-2024-43466 Microsoft SharePoint Server Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE CVE Title
CVE-2024-37341 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-37965 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-37980 Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-38014 Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38046 PowerShell Elevation of Privilege Vulnerability
CVE-2024-38188 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2024-38194 Azure Web Apps Elevation of Privilege Vulnerability
CVE-2024-38216 Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38220 Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2024-38225 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2024-38237 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
CVE-2024-38238 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38239 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2024-38240 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2024-38241 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38242 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38243 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38244 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38245 Kernel Streaming Service Driver Elevation of Privilege Vulnerability
CVE-2024-38246 Win32k Elevation of Privilege Vulnerability
CVE-2024-38247 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38248 Windows Storage Elevation of Privilege Vulnerability
CVE-2024-38249 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38250 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-38252 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-38253 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-43457 Windows Setup and Deployment Elevation of Privilege Vulnerability
CVE-2024-43465 Microsoft Excel Elevation of Privilege Vulnerability
CVE-2024-43470 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2024-43492 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE CVE Title
CVE-2024-37337 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-37342 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-37966 Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-38254 Windows Authentication Information Disclosure Vulnerability
CVE-2024-38256 Windows Kernel-Mode Driver Information Disclosure Vulnerability
CVE-2024-38257 Microsoft AllJoyn API Information Disclosure Vulnerability
CVE-2024-38258 Windows Remote Desktop Licensing Service Information Disclosure Vulnerability
CVE-2024-43458 Windows Networking Information Disclosure Vulnerability
CVE-2024-43474 Microsoft SQL Server Information Disclosure Vulnerability
CVE-2024-43475 Microsoft Windows Admin Center Information Disclosure Vulnerability
CVE-2024-43482 Microsoft Outlook for iOS Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE CVE Title
CVE-2024-21416 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-26186 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-26191 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37335 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37338 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37339 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-37340 Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-38018 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38045 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-38119 Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
CVE-2024-38227 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38228 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38231 Windows Remote Desktop Licensing Service Denial of Service Vulnerability
CVE-2024-38259 Microsoft Management Console Remote Code Execution Vulnerability
CVE-2024-38260 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-38263 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43454 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43463 Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2024-43464 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-43467 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
CVE-2024-43469 Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-43479 Microsoft Power Automate Desktop Remote Code Execution Vulnerability
CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability
CVE-2024-43495 Windows libarchive Remote Code Execution Vulnerability

Security Feature Bypass Vulnerabilities

CVE CVE Title
CVE-2024-30073 Windows Security Zone Mapping Security Feature Bypass Vulnerability
CVE-2024-38217 Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38226 Microsoft Publisher Security Features Bypass Vulnerability
CVE-2024-43487 Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE CVE Title
CVE-2024-43455 Windows Remote Desktop Licensing Service Spoofing Vulnerability
CVE-2024-43461 Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-43476 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability