Categories
Cybersecurity Advisories

CVE-2023-20198: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

October 22nd, 2023 Update: Cisco has released fixes for CVE-2023-20198. Customers are advised to upgrade to an appropriate fixed software release.

Cisco is warning of a critical severity zero-day vulnerability affecting Cisco IOS XE that allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. Tracked as CVE-2023-20198 (CVSSv3 score: 10.0 – Critical), the actively exploited flaw impacts the software’s Web UI feature and affects both physical and virtual devices running IOS XE when they are exposed to the internet and have the HTTP or HTTPS Server feature enabled. At the time of writing, there is no patch available; Cisco will provide updates on the status and on when a software patch is available. Customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems and to check for malicious activity in the form of newly created users on their devices.

The issue was discovered after Cisco detected malicious activity on a customer’s device in September 2023, where an authorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. This activity ended on October 1, 2023. Another set of related activities occurred on October 12, 2023, where an unauthorized user created a local user account under the name “cisco_support” from a different IP address. This is claimed to have been followed by a series of actions that ended in the deployment of a Lua-based implant that allows the actor to execute arbitrary commands at the system level or IOS level. These clusters of activity were assessed to likely be carried out by the same threat actor.

The installation of the implant is carried out by exploiting an older vulnerability, CVE-2021-1435, which is a patched command injection flaw that impacted the web UI of Cisco IOS XE Software. The vulnerability would allow an authenticated attacker to inject arbitrary code that would be executed as the root user. It was observed that even on devices that were fully patched against CVE-2021-1435, threat actors were still able to deploy their implant. At the time of writing, it is not known how they were able to do so.

No proof-of-concept code was found to be publicly available for CVE-2023-20198. Based on research using the Shodan search engine, there are nearly 40,000 Cisco devices that have web UI exposed to the internet.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Affected Products

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

Recommendations

According to Cisco, customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

The following decision tree can be used to help determine how to triage an environment and deploy protections:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.
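The decision tree above applied to a running-config dump, as an added example that is not part of the advisory or of Cisco’s tooling: it flags whether either web server command is present, lists privilege 15 accounts, matches them against the two usernames seen in the incidents, and emits the disable commands from the Recommendations section. The sample config, its hostname and the accounts other than those two usernames are constructed.

```python
import re

# Account names the actor created in the incidents Cisco described (from the advisory text).
SUSPICIOUS_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Constructed excerpt of a 'show running-config' dump. The hostname, the 'netadmin' and
# 'monitor' accounts and the '$9$PLACEHOLDER' secrets are made up for this example.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def audit_ios_xe_config(config_text, needs_web_services=False):
    """Walk the advisory's decision tree over a running-config dump.

    Returns the web UI state, the privilege 15 accounts, any account whose name
    matches the ones seen in the incidents, and the recommended action/commands.
    needs_web_services answers the 'services that require HTTP/HTTPS' question.
    """
    result = {
        "http_server": False,
        "https_server": False,
        "priv15_users": [],
        "suspicious_users": [],
        "action": "",
        "commands": [],
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        # Exact matches so that 'no ip http server' lines are not counted as enabled.
        if line == "ip http server":
            result["http_server"] = True
        elif line == "ip http secure-server":
            result["https_server"] = True
        m = USER_RE.match(line)
        if m and m.group(2) == "15":
            user = m.group(1)
            result["priv15_users"].append(user)
            if user.lower() in SUSPICIOUS_USERNAMES:
                result["suspicious_users"].append(user)

    if not (result["http_server"] or result["https_server"]):
        result["action"] = "web UI not enabled; vulnerability not exploitable"
    elif needs_web_services:
        result["action"] = "restrict web UI access to trusted networks"
    else:
        result["action"] = "disable the HTTP Server feature"
        # Both commands are needed when both servers are configured.
        if result["http_server"]:
            result["commands"].append("no ip http server")
        if result["https_server"]:
            result["commands"].append("no ip http secure-server")
    return result


if __name__ == "__main__":
    for key, value in audit_ios_xe_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```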

Cisco Advisory

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco IOS XE Implant Scanner

VulnCheck has released a scanner to detect the implant on affected devices. See: cisco-ios-xe-implant-scanner

Indicators of Compromise

5.149.249[.]74

154.53.56[.]231


Microsoft’s October 2023 Patch Tuesday Addresses 3 Zero-Days and Over 100 Flaws

Microsoft released security updates for 103 vulnerabilities, including forty-five RCE bugs and three actively exploited zero-day flaws. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. Notable vulnerabilities are listed below. For the full list, see Microsoft CVE Summary.

CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability

Microsoft released fixes for an actively exploited information disclosure vulnerability in Microsoft WordPad that can be used to steal NTLM hashes when opening a document. Tracked as CVE-2023-36563 (CVSSv3 score: 6.5 – Medium), an unauthenticated, remote attacker could exploit this vulnerability using social engineering in order to convince a victim to open a link or download a malicious file and run it on the vulnerable system. As an alternative, an attacker could execute a specially crafted application to exploit the flaw after gaining access to a vulnerable system. Successful exploitation could lead to the disclosure of NTLM hashes. Admins should consider blocking outbound NTLM over SMB on Windows 11 to significantly hinder NTLM-relay exploits.

Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Microsoft recommends Word as a replacement for WordPad.

  • For more information, see: Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Elevation of Privilege flaw in Skype for Business that can be used by sending a specially crafted network call to a vulnerable Skype for Business server. Tracked as CVE-2023-41763 (CVSSv3 score: 5.3 – Medium), successful exploitation would result in the disclosure of IP addresses and/or port numbers, which could be used to gain access to internal networks.

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

Microsoft released mitigations for a new zero-day DDoS technique called HTTP/2 Rapid Reset Attack. Tracked as CVE-2023-44487 (CVSSv3 score: 5.3 – Medium), the technique lets attackers make hundreds of thousands of requests and immediately cancel them with a reset stream. This avoids limits on the number of streams accepted and can lead to CPU exhaustion on the server attempting to clean up the canceled streams. By using the “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and can make anything that uses HTTP/2 go offline.

According to Google, the protocol does not require the client and server to coordinate the cancellation in any way; the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. As the feature is built into the HTTP/2 standard, there is no fix for the technique that can be implemented other than rate limiting or blocking the protocol. While the DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data.

Mitigations

All providers who have HTTP/2 services should assess their exposure to this issue. Software patches and updates for common web servers and programming languages may be available to apply now or in the near future. Microsoft’s mitigation steps in the advisory are to disable the HTTP/2 protocol on your web server. Additional information and protections are detailed in a dedicated article on HTTP/2 Rapid Reset.
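A model of the per-connection bookkeeping that the rate-limiting mitigation needs, as an added example (not code from Microsoft, Google or the advisory): the advertised concurrent-stream limit never trips because each stream is reset as soon as it opens, while a sliding-window count of RST_STREAM frames per connection does catch the pattern. The frame handlers, thresholds and client timings are assumed.

```python
from collections import deque

# The SETTINGS_MAX_CONCURRENT_STREAMS value a server advertises; assumed for the model.
MAX_CONCURRENT_STREAMS = 100


class RapidResetGuard:
    """Per-connection tracking of stream opens and RST_STREAM frames.

    on_headers/on_rst_stream/on_stream_end stand in for an HTTP/2 server's frame
    handlers. A connection is flagged for closure when the peer sends more than
    max_resets RST_STREAM frames within a sliding window of `window` seconds.
    """

    def __init__(self, max_resets=50, window=1.0):
        self.max_resets = max_resets
        self.window = window
        self.active = {}       # conn_id -> set of currently open stream ids
        self.resets = {}       # conn_id -> timestamps of recent RST_STREAM frames
        self.peak_active = {}  # conn_id -> highest concurrent stream count observed

    def on_headers(self, conn_id, stream_id):
        """Peer opened a stream. Returns False only if the concurrency limit is reached."""
        streams = self.active.setdefault(conn_id, set())
        if len(streams) >= MAX_CONCURRENT_STREAMS:
            return False
        streams.add(stream_id)
        self.peak_active[conn_id] = max(self.peak_active.get(conn_id, 0), len(streams))
        return True

    def on_stream_end(self, conn_id, stream_id):
        """Stream completed normally."""
        self.active.get(conn_id, set()).discard(stream_id)

    def on_rst_stream(self, conn_id, stream_id, now):
        """Peer cancelled a stream. Returns True when the connection should be closed."""
        self.active.get(conn_id, set()).discard(stream_id)
        recent = self.resets.setdefault(conn_id, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.max_resets


def simulate_rapid_reset(pairs=1000, interval=0.0001):
    """The 'request, cancel' pattern: open a stream, reset it at once, repeat."""
    guard = RapidResetGuard()
    now = 0.0
    for i in range(pairs):
        stream_id = 2 * i + 1  # client-initiated stream ids are odd
        guard.on_headers("attacker", stream_id)
        if guard.on_rst_stream("attacker", stream_id, now):
            return {"closed_at_pair": i + 1, "peak_active": guard.peak_active["attacker"]}
        now += interval
    return {"closed_at_pair": None, "peak_active": guard.peak_active["attacker"]}


def simulate_normal_client(requests=200, interval=0.05, cancel_every=40):
    """Ordinary client: steady requests with an occasional cancellation."""
    guard = RapidResetGuard()
    now = 0.0
    for i in range(requests):
        stream_id = 2 * i + 1
        guard.on_headers("browser", stream_id)
        if i % cancel_every == cancel_every - 1:
            if guard.on_rst_stream("browser", stream_id, now):
                return True  # connection would have been closed
        else:
            guard.on_stream_end("browser", stream_id)
        now += interval
    return False


if __name__ == "__main__":
    print("rapid reset:", simulate_rapid_reset())
    print("normal client closed:", simulate_normal_client())
```

The attacker simulation shows peak_active staying at 1, which is why a concurrent-stream limit alone does not help.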

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to these CVE’s. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.


Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Microsoft is warning of a new phishing campaign that involves using Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors, which frequently lead to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Additionally, Storm-0324 has also provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint. To accomplish this, the group leverages an open-source tool called TeamsPhisher, a Python program that enables Teams tenant users to attach files to messages sent to external tenants, which attackers can abuse to deliver phishing attachments. If external access is enabled in the organization, the Teams platform tags the senders of these lures as “EXTERNAL” users. This issue was also previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time; APT29’s attacks, however, aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns. 

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
    • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • For additional recommendations on hardening your organization against ransomware attacks, refer to threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:


Flax Typhoon APT Group Using LOLBins for Cyber Espionage

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations, likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the full scope of the attacks isn’t known. Microsoft states that the distinctive pattern of malicious activity could be easily reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network; instead, they prefer components already available on the operating system (LOLBins) and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools, which exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off network-level authentication (NLA) through registry modifications and abusing the Windows Sticky Keys accessibility feature to set up an RDP connection. To get around restrictions on RDP connectivity to the internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins such as the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup. To avoid being detected, the hackers rename it after legitimate Windows components such as ‘conhost.exe’ or ‘dllhost.exe’. Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry hive. The stolen credentials were not observed being used to collect additional data, so the adversary’s main objective is currently unclear.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Mitigation & Protection

  • Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
  • Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

  • Microsoft recommends that organizations apply the latest security updates to internet-exposed endpoints and public-facing servers, and that MFA be enabled on all accounts.
  • Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.
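The registry monitoring recommended above, as an added example that is not part of the advisory or of Microsoft’s guidance: a small rule set run over constructed events in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set) that flags NLA being disabled, RDP being enabled, a debugger set on sethc.exe (Sticky Keys), and an autostart entry for a conhost.exe/dllhost.exe living outside System32 (the renamed VPN client). The event shape, images, paths and data values are constructed; the registry locations are the standard Windows ones for these settings.

```python
import re


def _is_dword_zero(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'."""
    return details.strip().upper() == "DWORD (0X00000000)"


def _renamed_component_outside_system32(details):
    """A Run entry naming conhost.exe/dllhost.exe that does not live under System32."""
    looks_like_component = re.search(r"\\(conhost|dllhost)\.exe", details, re.I)
    in_system32 = re.search(r"\\Windows\\System32\\", details, re.I)
    return bool(looks_like_component and not in_system32)


# (finding, regex on the value path, predicate on the written data)
RULES = [
    ("NLA disabled on RDP-Tcp listener (T1112)",
     re.compile(r"\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$", re.I),
     _is_dword_zero),
    ("Remote Desktop connections enabled (T1112)",
     re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.I),
     _is_dword_zero),
    ("Debugger set on sethc.exe (Sticky Keys accessibility hijack)",
     re.compile(r"\\Image File Execution Options\\sethc\.exe\\Debugger$", re.I),
     lambda details: True),
    ("Autostart entry for conhost.exe/dllhost.exe outside System32 (possible renamed VPN client)",
     re.compile(r"\\CurrentVersion\\Run\\", re.I),
     _renamed_component_outside_system32),
]

# Constructed events shaped like Sysmon Event ID 13 (RegistryEvent: Value Set).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000001)"},  # NLA turned on: benign
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},  # NLA turned off
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},  # RDP enabled
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\ProgramData\helper.exe"},  # constructed path
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost",
     "Details": r"C:\ProgramData\svc\conhost.exe"},  # constructed path, not System32
    {"Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},  # benign autostart
]


def detect_registry_events(events):
    """Return one (finding, image, target_object) tuple per matching event/rule pair."""
    findings = []
    for event in events:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        for name, path_re, predicate in RULES:
            if path_re.search(target) and predicate(details):
                findings.append((name, event.get("Image", ""), target))
    return findings


if __name__ == "__main__":
    for finding, image, target in detect_registry_events(SAMPLE_EVENTS):
        print(f"{finding}\n  by {image}\n  at {target}")
```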

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)


CVE-2023-3519: Critical Citrix ADC and Gateway Flaw Exploited in the Wild

Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.

Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.

There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

At the time of writing, technical details about all three vulnerabilities are not publicly available.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.  

Vulnerable Products

The following customer-managed NetScaler ADC and NetScaler Gateway versions are affected:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

Recommendation

Affected customers are urged to install one of the following updated versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security Bulletin


AA23-187A: Truebot Malware Infects Networks in U.S. and Canada

CISA, the FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory regarding cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. These attacks are exploiting a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-31199 (CVSSv3 score: 9.8 – Critical), in the Netwrix Auditor software to deliver Truebot. Threat actors are leveraging this flaw to gain initial access and move laterally within the compromised network.

Truebot is a botnet that is linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous malware variants of Truebot were primarily delivered by cyber threat actors via malicious phishing email attachments. However, recent versions allow them to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the main goal of the adversaries is to steal sensitive information from compromised systems for financial gain. 

The malware has also been used alongside other malware in attacks. In several incidents, shortly after Truebot was executed, the Cobalt Strike tool was deployed for persistence and data exfiltration purposes. In addition, some phishing campaigns consisted of the FlawedGrace RAT being deployed only minutes after the Truebot malware was executed. Researchers have also found Truebot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information. 

When an organization is infected with Truebot, it can quickly escalate to become a bigger infection, similarly to how ransomware spreads throughout a network. The change in delivery vector shows that attacks leveraging the malware are continuing to evolve. 

CVE-2022-31199 Delivery Method for Truebot

SecurIT360 SOC Managed Services     

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:    

MDR Services    

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.    

EDR Services    

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.     

Indicators are provided in the Indicators of Compromise section below for your reference.   

As always, if we detect activity related to these exploits, we will alert you when applicable.    

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.     

Mitigations 

  • All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet. 
  • CISA has posted guidelines and recommends that organizations mandate MFA for all staff and services.

MITRE Summary 

Technique Title 

ID 

Use 

Initial Access 

  

Replication Through Removable Media 

T1091

Cyber threat actors use removable media drives to deploy Raspberry Robin malware. 

Drive-by Compromise 

T1189 

Cyber threat actors embed malicious links or attachments within web domains to gain initial access. 

Exploit Public-Facing Application 

T1190 

Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution. 

Phishing 

T1566.002 

Truebot actors can send spear phishing links to gain initial access. 

Execution 

  

Command and Scripting Interpreter 

T1059 

Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network. 

Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools. 

Shared Modules 

T1129 

Cyber threat actors can deploy malicious payloads through obfuscated share modules. 

User Execution: Malicious Link 

T1204.001 

Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update. 

Persistence 

  

Hijack Execution Flow: DLL Side-Loading 

T1574.002 

Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence. 

Privilege Escalation 

  

Boot or Logon Autostart Execution: Print Processors 

T1547.012 

FlawedGrace malware manipulates print spooler functions to achieve privilege escalation. 

Defense Evasion 

  

Obfuscated Files or Information 

T1027 

Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID. 

Obfuscated Files or Information: Binary Padding 

T1027.001 

Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols. 

Masquerading: Masquerade File Type 

T1036.008 

Cyber threat actors hide Truebot malware as legitimate appearing file formats. 

Process Injection 

T1055 

Truebot malware has the ability to load shell code after establishing a C2 connection. 

Indicator Removal: File Deletion 

T1070.004 

Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. 

Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station. 

Modify Registry 

T1112 

FlawedGrace is able to modify registry programs that control the order that documents are loaded to a print que. 

Reflective Code Loading 

T1620 

Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network. 

Credential Access 

  

OS Credential Dumping: LSASS Memory 

T1003.001 

Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping. 

Discovery 

  

System Network Configuration Discovery 

T1016 

Truebot malware scans and enumerates the affected system’s domain names. 

Process Discovery 

T1057 

Truebot malware enumerates all running processes on the local host. 

System Information Discovery 

T1082 

Truebot malware scans and enumerates the OS version information, and processor architecture. 

Truebot malware enumerates the affected system’s computer names. 

System Time Discovery 

T1124 

Truebot has the ability to discover system time metrics, which aids in enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks. 

Software Discovery: Security Software Discovery 

T1518.001 

Truebot has the ability to discover software security protocols, which aids in defense evasion. 

Debugger Evasion 

T1622 

Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses. 

Lateral Movement 

  

Exploitation of Remote Services 

T1210 

Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network. 

Use Alternate Authentication Material: Pass the Hash 

T1550.002 

Cyber threat actors use cobalt strike to authenticate valid accounts 

Remote Service Session Hijacking 

T1563.001 

Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods. 

Remote Service Session Hijacking: RDP Hijacking 

T1563.002 

Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods. 

Lateral Tool Transfer 

T1570 

Cyber threat actors deploy additional payloads to transfer toolsets and move laterally. 

Collection 

  

Data from Local System 

T1005 

Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives. 

Screen Capture 

T1113 

Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. 

Truebot gathers and compiles compromised system’s host and domain names. 

Command and Control

  • Application Layer Protocol (T1071): Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with network traffic.
  • Non-Application Protocol (T1095): Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol.
  • Ingress Tool Transfer (T1105): Cyber threat actors deploy various ingress tool transfer payloads to move laterally and establish C2 connections.
  • Encrypted Channel: Asymmetric Cryptography (T1573.002): Cyber threat actors use Teleport to create an encrypted channel using AES.

Exfiltration

  • Scheduled Transfer (T1029): Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
  • Data Transfer Size Limits (T1030): Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
  • Exfiltration Over C2 Channel (T1048): Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

Indicators of Compromise 

Resources & Related Articles 

 


CVE-2023-27997: Fortinet Patches Critical RCE Flaw in Fortigate SSL-VPN Devices

Fortinet has patched a critical security flaw, tracked as CVE-2023-27997, in its SSL VPN devices that could be used by a threat actor to achieve remote code execution without authentication. By sending a carefully crafted request to the SSL VPN, an attacker can exploit this vulnerability and execute arbitrary code on the compromised system even if MFA is enabled. The flaw affects every SSL VPN appliance, and the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Further details about the vulnerability have been withheld.

Fortinet devices are commonly targeted by threat actors because they are among the most popular firewall and VPN devices in the market. SSL-VPN flaws have historically been exploited just days after patches were released. According to a Shodan search, over 255,000 Fortigate firewalls can be reached from the Internet. Since the vulnerability affects all previous versions, the majority of those devices are likely exposed.

How to Patch a Vulnerable Fortinet Fortigate Product

Visit the Fortinet Support site frequently and apply newly released patches to keep your Fortigate VPN secure. To update your device:

  • Check the firmware version: Check the “System Information” section of your device’s dashboard to see the current firmware version.
  • Find the latest firmware: Go to the “Download” section after logging into the support site. In the product list, look for Fortigate VPN and select your Fortigate model. To view all available updates, click “Firmware Images.” Look for and download the patch addressing CVE-2023-27997.
  • Apply the patch: On the Fortinet Fortigate VPN dashboard, navigate to System > Firmware > Update > Upload File, then select the downloaded patch file. After the update, test your VPN: check that all functions are operational and the device is stable.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

  • As always, if we detect activity related to these exploits, we will alert you if warranted.
  • Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Mitigation

Users are strongly urged to apply the security updates released by Fortinet before the Proof of Concept is released publicly.

Resources & Related Articles


CVE-2023-34362: MOVEit Transfer Zero-Day Vulnerability Actively Being Exploited

June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.

June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following knowledge base article.

All MOVEIt Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit is developed by Ipswitch and is a managed file transfer software that encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options. 

Technical Details 

Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.  

The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders, files, and users within MOVEit. In addition, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit, which gives attackers an active session that bypasses credential checks. 

The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password results in the malicious code showing a 404 Not Found error. Automated exploitation is heavily indicated since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware exploitation, as file transfer solutions have been popular targets for attackers including ransomware threat actors. Currently, there is no proof-of-concept (PoC) for CVE-2023-34362. 

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. 

Attribution 

Microsoft has attributed attacks to an affiliate of Clop ransomware under the name of “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop Ransomware Gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staff is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. For organizations affected by the MOVEit Transfer data leaks, Clop is now taking a different approach: it is telling impacted organizations to contact them if they wish to negotiate a ransom. 

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.  

EDR Services   

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.   

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything. 

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Affected Versions 

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 

Non-susceptible Products in MOVEit Transfer 

The following products are not susceptible: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for these products. 

Recommendations & Mitigation 

Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability. 

  • Update MOVEit Transfer to one of these patched versions:
    • MOVEit Transfer 2023.0.1
    • MOVEit Transfer 2022.1.5
    • MOVEit Transfer 2022.0.4
    • MOVEit Transfer 2021.1.4
    • MOVEit Transfer 2021.0.6
  • If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(S) traffic to MOVEit Transfer by adding firewall deny rules for ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
  • If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
  • Any unauthorized user account should be removed.
  • View the full recommendations here:

MOVEit Best Practices Guide 
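
The file-system checks in the recommendations above (the human2.aspx / human2.aspx.lnk webshell names in wwwroot, unknown files in the MOVEit folder, and .cmdline scripts in temporary folders) can be scripted so they run the same way on every host. The following is an added example written for this advisory; it is not Progress or SecurIT360 code. The MOVEit install path, the temp folders, the known-good baseline and the sample tree built by build_sample_tree() are all assumptions constructed for illustration.

```python
"""Hunt for the on-disk artifacts the MOVEit Transfer advisory tells defenders to look for.

Added example for this advisory, not Progress or SecurIT360 code. The install and
temp locations are parameters because they differ per host; the sample tree built
by build_sample_tree() is constructed for demonstration only.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Set

# Filenames the advisory associates with the webshell (matched case-insensitively).
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _iter_files(root: Path) -> Iterable[Path]:
    """Yield every regular file below root (nothing if root is missing)."""
    if root.is_dir():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield Path(dirpath) / name


def hunt_moveit_artifacts(moveit_root, temp_dirs, baseline: Optional[Set[str]] = None,
                          since: Optional[float] = None) -> List[Finding]:
    """Return findings for the MOVEit install folder and the given temp folders.

    baseline: relative paths (e.g. "wwwroot/human.aspx") taken from a known-good
              install; when given, any other file under wwwroot is reported.
    since:    POSIX timestamp; files modified at or after it are reported as new.
    """
    root = Path(moveit_root)
    known = {b.replace("\\", "/").lower() for b in (baseline or ())}
    findings: List[Finding] = []
    for path in _iter_files(root):
        rel = path.relative_to(root).as_posix().lower()
        if path.name.lower() in WEBSHELL_NAMES:
            findings.append(Finding(str(path), "known webshell filename"))
        elif known and rel.startswith("wwwroot/") and rel not in known:
            findings.append(Finding(str(path), "unknown file under wwwroot"))
        elif since is not None and path.stat().st_mtime >= since:
            findings.append(Finding(str(path), "file modified after baseline time"))
    for tmp in temp_dirs:
        for path in _iter_files(Path(tmp)):
            if path.suffix.lower() == ".cmdline":
                findings.append(Finding(str(path), ".cmdline script in temporary folder"))
    return findings


def reasons_by_name(findings: List[Finding]) -> dict:
    """Map lowercase filename -> reason; convenient for reporting."""
    return {Path(f.path).name.lower(): f.reason for f in findings}


def build_sample_tree():
    """Create a constructed MOVEit-like tree in a temp dir; returns (install_root, temp_dir)."""
    base = Path(tempfile.mkdtemp(prefix="moveit_hunt_"))
    www = base / "MOVEit" / "wwwroot"
    www.mkdir(parents=True)
    (www / "human.aspx").write_text("legitimate component")   # expected file
    (www / "HUMAN2.aspx").write_text("unexpected")            # webshell name, odd case
    (www / "human2.aspx.lnk").write_text("unexpected")        # webshell name
    (www / "extra.aspx").write_text("unexpected")             # not in baseline
    tmp = base / "Temp"
    tmp.mkdir()
    (tmp / "svc.cmdline").write_text("unexpected")            # .cmdline in temp folder
    return base / "MOVEit", tmp


if __name__ == "__main__":
    root, tmp = build_sample_tree()
    for f in hunt_moveit_artifacts(root, [tmp], baseline={"wwwroot/human.aspx"}):
        print(f"{f.reason}: {f.path}")
```

On a real host, point moveit_root at the MOVEit Transfer install folder, pass the Windows temp folders in temp_dirs, and build the baseline from a clean install of the same version rather than from the suspect host. Any finding should be preserved for analysis before the file is deleted.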

MITRE Summary

Initial Access

  • Exploit Public-Facing Application (T1190): CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the attack begins with a SQL injection to infiltrate the MOVEit Transfer web application.
  • Phishing (T1566): CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.

Execution

  • Command and Scripting Interpreter: PowerShell (T1059.001): CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer.
  • Command and Scripting Interpreter (T1059.003): CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.
  • Shared Modules (T1129): CL0P actors use Truebot to download additional modules.

Persistence

  • Server Software Component: Web Shell (T1505.003): DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network.
  • Event Triggered Execution: Application Shimming (T1546.011): CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.

Privilege Escalation

  • Exploitation for Privilege Escalation (T1068): CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within the compromised network.

Defense Evasion

  • Process Injection (T1055): CL0P actors use Truebot to load shellcode.
  • Indicator Removal (T1070): CL0P actors delete traces of Truebot malware after it is used.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002): CL0P actors use Truebot to side-load DLLs.

Discovery

  • Remote System Discovery (T1018): CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.

Lateral Movement

  • Remote Services: SMB/Windows Admin Shares (T1021.002): CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
  • Remote Service Session Hijacking: RDP Hijacking (T1563.002): CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.

Collection

  • Screen Capture (T1113): CL0P actors use Truebot to take screenshots in an effort to collect sensitive data.

Command and Control

  • Application Layer Protocol (T1071): CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the command and control (C2) server.
  • Ingress Tool Transfer (T1105): CL0P actors are assessed to use the FlawedAmmyy remote access trojan (RAT) to download additional malware components. CL0P actors also use SDBot to drop copies of itself on removable drives and network shares.

Exfiltration

  • Exfiltration Over C2 Channel (T1041): CL0P actors exfiltrate data over C2 channels.

Indicators of Compromise

Resources & Related Articles 


Volt Typhoon Detection and Mitigation

Alert Code: AA23-144A

The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding recently disclosed activity by the China-linked, state-sponsored APT group tracked as Volt Typhoon. The group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs, and is part of a U.S. disinformation campaign.

Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land, which uses built-in network administration tools to achieve their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activity, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, the threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.

Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.

Volt Typhoon attack flow

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Victimology

Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Recommended Mitigations

  • Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
  • Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Forward log files to a hardened centralized logging server, preferably on a segmented network.
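
Three of the mitigations above (monitor process creations for ntdsutil.exe and similar tools, limit port proxy usage, and investigate unusual IP addresses and ports in command lines) can be expressed as rules over process-creation telemetry. The following is an added example written for this advisory, not code from the joint advisory or from SecurIT360. It models each event as a dict with the fields a Windows Security 4688 or Sysmon Event ID 1 record would supply (host, user, command_line); the SAMPLE_EVENTS are constructed, the rule names are my own, and 192.0.2.10 is an RFC 5737 documentation address.

```python
"""Flag living-off-the-land process creations named in the Volt Typhoon advisory.

Added example for this advisory, not code from the joint advisory or SecurIT360.
Events are dicts with host, user and command_line (as a 4688 / Sysmon EID 1
record would supply); SAMPLE_EVENTS below are constructed for demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    command_line: str
    details: Dict[str, str] = field(default_factory=dict)


# (rule name, pattern over the full command line). The patterns mirror the built-in
# tools the advisory calls out: ntdsutil, netsh port proxies, wmic process creation
# and a copy of the SYSTEM hive taken with reg.exe. Rule names are assumptions.
RULES = [
    ("ntdsutil_execution", re.compile(r"\bntdsutil(?:\.exe)?\b", re.I)),
    ("netsh_portproxy", re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b", re.I)),
    ("wmic_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("registry_hive_save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:system|sam|security)\b", re.I)),
]

# netsh portproxy key=value arguments and bare IPv4 addresses, extracted so an
# analyst can pivot on the listener and target endpoints without reparsing.
PORTPROXY_KV = re.compile(
    r"\b(listenaddress|listenport|connectaddress|connectport)=([^\s\"']+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def evaluate_events(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every rule over every event; one Alert per (event, matching rule)."""
    alerts: List[Alert] = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for name, pattern in RULES:
            if not pattern.search(cmd):
                continue
            details: Dict[str, str] = {}
            ips = IPV4.findall(cmd)
            if ips:
                details["ip_addresses"] = ",".join(ips)
            if name == "netsh_portproxy":
                details.update({k.lower(): v for k, v in PORTPROXY_KV.findall(cmd)})
            alerts.append(Alert(name, ev.get("host", "?"), ev.get("user", "?"), cmd, details))
    return alerts


def rules_by_host(alerts: List[Alert]) -> Dict[str, set]:
    """Summarize which rules fired on which host (for triage and for the checks)."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.rule)
    return out


# Constructed sample telemetry: one benign service start, three events that match
# behaviours in the advisory. The ntdsutil arguments are omitted on purpose.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\backupsvc",
     "command_line": r"C:\Windows\System32\ntdsutil.exe"},
    {"host": "FS02", "user": "CORP\\jdoe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 "
                     "listenaddress=0.0.0.0 connectport=8443 connectaddress=192.0.2.10"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "DC01", "user": "CORP\\backupsvc",
     "command_line": r'wmic.exe process call create "reg save hklm\system C:\Windows\Temp\sys.hiv"'},
]

if __name__ == "__main__":
    for a in evaluate_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line} {a.details}")
```

The rules are deliberately broad; ntdsutil and netsh portproxy are legitimate administrative tools, so each hit is a prompt to validate the executing account and the change window, as the mitigation list says, rather than an automatic block. Pairing the portproxy details with the firewall-configuration review in the same list lets the listener and target addresses be checked against what the perimeter actually permits.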

MITRE Summary

Initial Access

  • Exploit Public-Facing Application (T1190): Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.

Execution

  • Windows Management Instrumentation (T1047): The actor executed WMIC commands to create a copy of the SYSTEM registry hive.
  • Command and Scripting Interpreter: PowerShell (T1059.001): The actor used a PowerShell command to identify successful logons to the host.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): The actor used the Windows command prompt to execute a query that collected information about the storage devices on the local host.

Persistence

  • Server Software Component: Web Shell (T1505.003): The actor used backdoored web servers with web shells to establish persistence on systems, some of the web shells being derived from the Awen web shell.

Defense Evasion

  • Hide Artifacts (T1546): The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
  • Indicator Removal: Clear Windows Event Logs (T1070.001): The actor cleared system event logs to hide intrusion activity.

Credential Access

  • OS Credential Dumping: NTDS (T1003.003): The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
  • Brute Force (T1110): The actor attempted to gain access to accounts with multiple password attempts.
  • Brute Force: Password Spraying (T1110.003): The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
  • OS Credential Dumping (T1003): The actor used additional commands to obtain credentials in the environment.
  • Credentials from Password Stores (T1555): The actors searched for common password storage locations.

Discovery

  • System Information Discovery (T1082): The actors executed commands to gather information about local drives.
  • System Owner/User Discovery (T1033): The actors gathered information about successful logons to the host using a PowerShell command.
  • Permission Groups Discovery: Local Groups (T1069.001): The actors attempted to find local system groups and permission settings.
  • Permission Groups Discovery: Domain Groups (T1069.002): The actors used commands to enumerate the Active Directory structure.
  • System Network Configuration Discovery (T1016): The actors used commands to enumerate the network topology.

Command and Control

  • Proxy (T1090): The actors used commands to enable port forwarding on the host.
  • Proxy: External Proxy (T1090.002): The actors used compromised SOHO devices (e.g., routers) to obfuscate the source of their activity.

IOCs

f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c

b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74

4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349

c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d

d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af

9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a

450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267

93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066

7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5

389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61

c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b

e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95

6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff

cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984

17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4

8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2

d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295

3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

Resources & Related Articles


KeePass Flaw Lets Attackers Recover Master Passwords from Memory

An issue was discovered impacting the popular KeePass password manager which affects KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54. Tracked as CVE-2023-32784, the vulnerability allows recovery of the cleartext master password from a memory dump, even when the database is locked or the program is closed. 

It is important to note that successful exploitation of the flaw requires an attacker to have already compromised a potential target’s computer. Additionally, it also requires that the password is typed on a keyboard, and not copied from the device’s clipboard.   

The developer of KeePass promises to push a fix for CVE-2023-32784 on version 2.54, expected to be released in June or July 2023.   

Proof of Concept  

Affected Versions  

All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected.   

Recommendations

  • Users are advised to update to KeePass 2.54 once it becomes available. 
  • Restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being. 
  • For the best protection, be vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.  

Technical Details 

The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.  

The master password encrypts the KeePass password database and prevents it from being opened without first entering the password. If that master password becomes compromised, a threat actor can access every credential stored in the database. A proof-of-concept tool was made available that can recover a victim’s master password in cleartext under specific circumstances. BleepingComputer tested this tool by installing KeePass on a test device and creating a new database with “password123” as the master password.   

After locking the workspace, Process Explorer was used in tests to dump the memory of the KeePass process; the tool required a full memory dump to work correctly. No elevated privileges were needed to dump the process’ memory. The PoC tool was then compiled and executed against the memory dump and recovered most of the cleartext password, with only a few letters missing. Master passwords used in the past can remain in memory, so they can still be retrieved even if KeePass is no longer running on the breached computer.  

Resources & Related Articles