
Attackers Gained Access to the Systems of the National Games of China

 

China has recently held its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. The event is comparable to the Olympics, but it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event and are typically held every four years.

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, at about 10:00 AM local time, and deployed their first reverse shell by executing a script called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route.lua, which, according to the API (Application Programming Interface) extracted from various JavaScript files, is a Lua script containing a great deal of functionality ranging from login authentication to file manipulation, or index.lua in combination with the index.lua?a=upload API, which was not used by anyone else in the rest of the network log. It is also worth noting that runscript.lua was not included in the report or among the files uploaded by the attacker.

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, and admin2.php, to keep a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive their commands via POST requests, the command data is not contained in the logs attached to the report, which only record the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell.
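The observation above, that the access log records only method and path, still leaves defenders something to hunt on: script paths that only ever receive POSTs, and an upload action used by a single client. The following triage script is an added example, not code from the Avast report or from the Games' IT team; the log lines, IP addresses and timestamps are constructed, and only the file names and the index.lua?a=upload action come from the article.

```python
"""Triage web-server access logs for the web-shell traffic pattern above.
Constructed sample data: the log lines, IPs and timestamps are invented;
conf.lua, miss1.php, admin2.php and index.lua?a=upload are the names the
article mentions."""
import re
from collections import defaultdict

# Apache/nginx combined-log style: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2021:09:58:01 +0800] "GET /api/route.lua?a=login HTTP/1.1" 200 512
10.0.0.5 - - [03/Sep/2021:09:58:03 +0800] "GET /api/index.lua?a=list HTTP/1.1" 200 2048
10.0.0.9 - - [03/Sep/2021:10:01:10 +0800] "GET /api/index.lua?a=upload HTTP/1.1" 200 1
10.0.0.9 - - [03/Sep/2021:10:01:12 +0800] "POST /api/index.lua?a=upload HTTP/1.1" 200 17
10.0.0.9 - - [03/Sep/2021:10:02:40 +0800] "POST /uploads/conf.lua HTTP/1.1" 200 330
10.0.0.9 - - [03/Sep/2021:10:05:02 +0800] "POST /uploads/miss1.php HTTP/1.1" 200 98
10.0.0.5 - - [03/Sep/2021:10:06:00 +0800] "GET /api/index.lua?a=list HTTP/1.1" 200 2048
10.0.0.9 - - [03/Sep/2021:10:07:11 +0800] "POST /uploads/admin2.php HTTP/1.1" 200 41
"""

def parse(log_text):
    """Yield (ip, method, path) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"]

def suspicious_paths(log_text):
    """Return {path: set(ips)} for script paths that only ever receive POSTs
    (a command channel with no ordinary GET use) or for an upload action that
    a single client alone hits. Both patterns match the behaviour described
    in the article; on real logs they are leads for review, not proof."""
    methods, clients = defaultdict(set), defaultdict(set)
    for ip, method, path in parse(log_text):
        methods[path].add(method)
        clients[path].add(ip)
    flagged = {}
    for path in methods:
        script = path.rsplit("?", 1)[0]
        post_only_script = script.endswith((".lua", ".php")) and methods[path] == {"POST"}
        single_client_upload = "a=upload" in path and len(clients[path]) == 1
        if post_only_script or single_client_upload:
            flagged[path] = clients[path]
    return flagged

if __name__ == "__main__":
    for path, ips in sorted(suspicious_paths(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(sorted(ips))}")
```

On the constructed sample the four paths the attacker used are flagged and the two legitimate API calls are not; the POST bodies themselves are still absent, which is exactly why full request logging is needed to reconstruct what the shells were told to do.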

The method used by the attackers to compromise the 14th National Games of China is not novel. They gained access to the system by taking advantage of a flaw in the web server. This highlights the importance of keeping software updated and correctly configured, and of staying aware of newly disclosed vulnerabilities in applications by employing vulnerability scanners.

The most essential security countermeasure for defenders is to keep the infrastructure patched and up to date, especially internet-facing infrastructure. Prevention should be the primary priority for both internal and internet-facing infrastructure. According to the researchers, to defend against this type of attack, additional layers of protection must be deployed so that defenders can identify and respond immediately when a breach does succeed.

Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw

 

A fully working exploit for the remote code execution vulnerability in VMware vCenter tracked as CVE-2021-22005 is now publicly accessible and is being exploited in the wild.

In contrast to the version that began to circulate at the end of last week, this variant can be used to open a reverse shell on a vulnerable system, permitting remote attackers to run code of their choosing. The flaw requires no authentication and permits intruders to upload a file to the vCenter Server analytics service.

On Monday, exploit writer wvu published a declassified exploit for CVE-2021-22005 which targets endpoints that have the Customer Experience Improvement Program (CEIP) component activated, which is the default setting. 

Moreover, VMware describes the vulnerability as exploitable "by anyone who can reach vCenter Server over the network to gain access, regardless of vCenter Server's configuration settings." wvu describes what the code does at each step in a technical write-up released this week, beginning with a request that creates the directory required for path traversal and schedules the spawn of a reverse shell.

Although the exploit creates several files, the attack is not logged by standard solutions, according to the researcher, who suggests using the Audit framework, which gathers data on both security and non-security-related events.

On September 21, VMware published CVE-2021-22005 with a severity rating of 9.8 out of 10, along with clear advice for companies to consider "an emergency change" in accordance with ITIL best practices for handling IT services, and to patch "as soon as possible."

In a warning issued on Friday, CISA also encouraged critical infrastructure firms with susceptible vCenter servers to prioritize upgrading the machines or to apply VMware's interim workaround.

The initial proof-of-concept exploit code was made public four days later. Although the code was not functional in its initial version, it could readily be adapted to achieve remote code execution, and attacks began quickly.

Following an analysis of the unfinished code, CERT/CC vulnerability expert Wil Dormann stated that "the missing portion from this PoC will indeed keep away script kiddies, but not any determined actor," adding that a complete attack should be available shortly.

Threat actors showed interest in the vulnerability just hours after VMware reported it, and they rapidly developed a workable attack from the unfinished code that security researcher Jang published last week along with some technical commentary.

With a fully functional exploit now accessible, the number of attacks is expected to escalate as less-skilled actors join in. VMware warned that becoming the victim of a ransomware attack is one of the most serious threats to a company.