Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, March 1, 2023, 3:53 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CISA Adds One Known Exploited Vulnerability

The US Cybersecurity & Infrastructure Security Agency has added another vulnerabilit to its Known Exploited Vulnerabilities Catalog, indicating that it is frequently used in the wild and poses a significant risk. CVE-2022-36537 affects the AutoUploader component of the ZK Java framework, and has a CVSS 3.1 score of 7.5, making it a high risk.

According to CISA, "ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager".

Affected users should update their software to the latest version immediately.

Uncredited, CISA Adds One Known Exploited Vulnerability to Catalog, alert, 27 February 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/02/27/cisa-adds-one-known-exploited-vulnerability-catalog.

Post-Exploitation Framework Offers Attackers Lots of Options

A new post-exploitation framework - essentially a backdoor on steroids - known as EXFILTRATOR-22, or EX-22 for short, has emerged in underground marketplaces as a service available to threat actors, according to CYFIRMA. Whoever developed the framework is thoroughly familiar with defence evasion and antiforensics techniques, and claims that the tools are completely undetectable by every antivirus and EDR vendor in their promotions via Telegram and YouTube. The claim seems plausible - as of 13 February, the framework still has only 5/70 detections on online sandboxes.

The framework is highly functional, with a wide range of features:

  • Reverse shell with elevated privileges, allowing remote command execution
  • File download and upload
  • Keylogger
  • Ransomware functionality
  • Screen capture
  • Live VNC session, allowing both viewing of user activity and remote control
  • Privilege escalation
  • Persistence, so that the framework restarts after a reboot
  • Lateral movement via a worm which can rapidly infect a large number of nearby devices
  • LSASS Dump
  • Stealing authentication tokens

In short, this is a very powerful toolkit which will be attractive to cybercriminals, even at quite high subscription rates ($US1000 per month and $5000 for lifetime access), especially in view of the low detection rates, which make it attractive by comparison with tools like Cobalt Strike and Brute Ratel.

According to the CYFIRMA researchers, similarities between EX-22 and both the code and the C2 infrastructure of the LockBit ransomware suggest that the two share the same developers, who are probably based in Asia, most likely SE Asia. Their report provides both a MITRE mapping and IOC's, as well as a detailed analysis.

CYFIRMA Research, EXFILTRATOR-22 - An Emerging Post-Exploitation Framework, February 2023. Available online at https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/.

Bitdefender Releases MortalKombat Decryptor

The MortalKombat ransomware spreads through phishing emails and exposed Remote Desktop Protocol (RDP) instances, installing itself via the BAT loader. Once it is running, it encrypts files,  adding the unmissable file extension:

..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware

It also changes the desktop wallpaper to a Mortal Kombat theme and generates a ransom note called HOW TO DECRYPT FILES.txt.

Now Romanian security firm Bitdefender has released a free universal decryptor for the current version of MortalKobat. As well as the usual double-click execution, the decryptor can also be run silently from the command line, making it ideal for scripted repair of larger network infections.

Bitdefender, Bitdefender Releases Decryptor for MortalKombat Ransomware, blog post, 1 March 2023. Available online at https://www.bitdefender.com/blog/labs/bitdefender-releases-decryptor-for-mortalkombat-ransomware/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: