CrushFTP users beware! Patch exploited zero-day

Apr 22 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that wonders which side the hackers will elect in the #GeneralElection2024 😂

Today’s hottest cybersecurity news stories:

  • ⚠️ CrushFTP users beware! Patch exploited zero-day 🚪

  • 🛡️ Palo Alto security turned to the dark side by researcher 👨‍💻

  • Middle East terrorised by elusive CR4T backdoor malware 👾

Hackers will be Crushed when you 🩹 the zero-day 😉

🚨 URGENT: CrushFTP Zero-Day Vulnerability Exploited in Targeted Attacks 🌐

🔒 CrushFTP has issued a critical security advisory warning customers of an actively exploited zero-day vulnerability, urging immediate patching to mitigate the risk of compromise.

🔍 The zero-day bug allows unauthenticated attackers to bypass the user's virtual file system (VFS) and access sensitive system files, posing a severe escalation risk.

🔒 While CrushFTP instances deployed behind a DMZ perimeter network remain protected, those exposed to the internet are vulnerable to exploitation.

📅 The vulnerability, reported by Simon Garrelou of Airbus CERT, has been swiftly addressed in CrushFTP versions 10.7.1 and 11.1.0, emphasising the importance of timely updates.

📈 According to Shodan, approximately 2,700 CrushFTP instances with exposed web interfaces are susceptible to attacks, highlighting the urgent need for remediation measures.

💼 CrowdStrike confirms the zero-day exploitation in targeted attacks, linking the activity to a politically motivated intelligence-gathering campaign primarily targeting U.S. organisations.

🔒 CrushFTP users are advised to prioritise patching and remain vigilant against emerging threats, as adversaries continue to leverage vulnerabilities for malicious purposes.

⚠️ This latest incident underscores the critical importance of proactive security measures and the need for organisations to stay vigilant in defending against evolving cyber threats.
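An added triage helper, not code from CrushFTP or from this newsletter, that flags inventory entries still below the fixed releases the advisory names (10.7.1 and 11.1.0) and ranks internet-exposed hosts ahead of those behind a DMZ. The inventory lines are constructed, and treating releases older than the 10.x branch as needing an upgrade is this example's assumption, not a statement from the advisory.

```python
"""Flag CrushFTP instances still below the fixed releases named in the advisory."""
from __future__ import annotations
import re

# Fixed versions as stated in the advisory summary: 10.7.1 and 11.1.0.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.7.1' or 'CrushFTP 11.0.3' into a comparable tuple such as (11, 0, 3)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '11.1' compares as 11.1.0


def needs_patch(version: str) -> bool:
    """True when the version is below the fix for its major branch.
    Branches the advisory does not mention (e.g. 9.x) are treated as needing an
    upgrade; that is this example's assumption, not a statement from the advisory.
    Newer branches than 11 are assumed to carry the fix."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return v[0] < min(FIXED_BY_BRANCH)
    return v < fixed


# Constructed inventory: host, reported version, whether the web UI is internet-reachable.
INVENTORY = """\
ftp1.example.test 10.6.2 internet
ftp2.example.test 10.7.1 internet
ftp3.example.test 11.0.3 dmz
ftp4.example.test 11.1.0 internet
ftp5.example.test 9.4.1 internet
"""


def triage(inventory: str) -> list[tuple[str, str, str]]:
    """Return (host, version, priority) for every host that still needs the patch.
    Internet-exposed hosts are 'urgent'; hosts behind a DMZ are 'scheduled', since the
    advisory says those are not exposed to this bug but they should still be updated."""
    findings = []
    for line in inventory.splitlines():
        host, version, exposure = line.split()
        if needs_patch(version):
            findings.append((host, version, "urgent" if exposure == "internet" else "scheduled"))
    return sorted(findings, key=lambda f: f[2] != "urgent")


if __name__ == "__main__":
    for host, version, priority in triage(INVENTORY):
        print(f"{priority:9} {host} ({version})")
```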


With great power comes great responsibility 😱😱😱

🚨 Palo Alto Networks XDR Exploit Unveiled: Puppeting Security Software 🔍

🔒 Security researcher Shmuel Cohen from SafeBreach has revealed a creative exploit targeting Palo Alto Networks' extended detection and response (XDR) software, Cortex, at Black Hat Asia.

🛠️ Cohen reverse-engineered Cortex, weaponizing it to deploy a reverse shell and ransomware, effectively puppeting the security tool as a malicious multitool.

🔍 While Palo Alto has patched most vulnerabilities associated with the exploit, questions remain about the vulnerability of other XDR solutions to similar attacks.

💼 The exploit highlights the inherent risks of using far-reaching security tools like XDR, which necessitate highly privileged access to system resources for effective threat detection.

🔍 Cohen's research underscores the unsettling possibility of turning security solutions into malware, leveraging their extensive access privileges against users.

🛡️ The exploit relied on a vulnerability in Cortex's anti-tampering mechanism, enabling Cohen to manipulate critical Lua files and execute malicious actions undetected.

🔍 Despite fixes implemented by Palo Alto, a fundamental vulnerability remains: Cortex's plaintext Lua files lack encryption, leaving them susceptible to exploitation.

🔒 Encryption, while providing some protection, wouldn't deter determined attackers, as decryption is ultimately required for XDR functionality.

💡 Cohen warns that similar vulnerabilities may exist in other XDR platforms, emphasising the need for continued vigilance and proactive security measures.

⚠️ The incident underscores the complex trade-offs inherent in cybersecurity, balancing security needs with the potential risks posed by sophisticated exploits.

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒΒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can't get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘Β (LINK)

🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Hackers: CR4Tee time, baby! 🏌️👨‍💻💀

🚨 New Backdoor CR4T Uncovered in Middle East Government Targeting 🔍

🛡️ Russian cybersecurity firm Kaspersky has uncovered a previously undocumented campaign targeting government entities in the Middle East, deploying a new backdoor dubbed CR4T. The campaign, named DuneQuixote, was discovered in February 2024 but may have been active for at least a year prior.

🕵️‍♂️ The threat actors behind DuneQuixote have demonstrated sophisticated evasion tactics to prevent detection and analysis of their implants, implementing practical and well-designed evasion methods both in network communications and malware code.

💼 The attack begins with a dropper, available in two variants: one as a regular executable or DLL file and the other as a tampered installer for the legitimate tool Total Commander. The dropper extracts an embedded command-and-control (C2) address using a novel technique to obfuscate the server address from automated analysis tools.

🔒 The dropper establishes connections with the C2 server and downloads a next-stage payload, accessible only with the correct user-agent string in the HTTP request. The payload, CR4T, is a C/C++-based memory-only implant granting attackers access to a command-line console, file operations, and file uploads/downloads.

🔍 Kaspersky also identified a Golang version of CR4T, featuring cross-platform capabilities, including executing arbitrary commands, creating scheduled tasks, achieving persistence through COM objects hijacking, and utilising the Telegram API for C2 communications.

🌐 The presence of the Golang variant suggests ongoing refinement of the threat actors' tradecraft with cross-platform malware, indicating an evolving threat landscape in the Middle East.

🛡️ Through the deployment of memory-only implants and droppers masquerading as legitimate software, the attackers demonstrate advanced evasion capabilities, underscoring the need for enhanced cybersecurity measures to mitigate such threats effectively.

Stay safe, cyber squad! It’s a jungle out there

πŸ—žοΈ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think!

So long and thanks for reading all the phish!
