繼輔仁大學及國立臺灣科技大學戴夫寇爾資訊安全獎學金頒布後,我們很高興地宣佈,2024 年度「全國資訊安全獎學金」及「資安教育活動贊助計畫」於即日起開放報名。
自 2012 年創立之初,DEVCORE 即秉持著提升台灣資安競爭力、讓世界更安全的初衷,將人才培育視為己任,透過參與教育部資安人才培育計畫、創辦 DEVCORE 實習生計畫、啟動戴夫寇爾資安獎學金、辦理資安教育活動贊助計畫等方式,協助資安人才茁壯成長。
DEVCORE 全國資訊安全獎學金DEVCORE 於 2020 年首次舉辦「戴夫寇爾資安獎學金計畫」,原為感念過去學生時代受到的多方資源及鼓勵,獎學金頒發範圍為經營團隊母校的輔仁大學及國立臺灣科技大學,後為培育更多有志青年學子,擴大獎學金範圍,開放全國各地學生報名申請,期待能推廣「駭客思維」、強化資安技能,並幫助在學學生了解資安產業生態及現況、降低學用落差,未來成為新一代的攻擊型資安人才,為資安產業注入新活力。
「戴夫寇爾全國資訊安全獎學金」歡迎所有在資訊安全領域有出眾研究成果的學生報名申請,有意申請者須提出學習資安的動機與歷程,並繳交資安研究或比賽成果,我們將從中擇優選取 10 名,獲選者可獲最高 2 萬元的研究補助。詳細申請辦法如下:
今年我們也將持續贊助資安教育活動,提供經費予資安相關之社群、社團辦理各項活動,凝聚台灣資安社群,加速培育台灣的資安新銳。
Customer trust is critical to long-term business success. But it is dramatically undermined when organizations fail to protect their personally identifiable information (PII). One study claims that two-thirds (66%) of US consumers would not trust a previously breached company with their data. And three-quarters (75%) say they’re ready to cut ties with a brand in the aftermath of a cybersecurity incident.
The post Hackers Want Your Customers’ Data: It’s Time to Hit Back appeared first on Security Boulevard.
IntroductionIn June 2024, Zscaler ThreatLabz detected fresh activity from BlindEagle, an advanced persistent threat (APT) actor also identified as AguilaCiega, APT-C-36, and APT-Q-98. BlindEagle predominantly focuses on organizations and individuals from the government and finance sector in South America, particularly in Colombia and Ecuador. BlindEagle’s primary method to gain initial access to the targets’ systems is through phishing emails. Once accessed, the threat actor usually employs commodity .NET Remote Access Trojans (RATs), like AsyncRAT, RemcosRAT, and more, to steal credentials from various banking service providers. BlindEagle is also known for operating repurposed or customized variants of commodity RATs like BlotchyQuasar, a variant of QuasarRAT.In this blog, we focus on BlindEagle’s use of the BlotchyQuasar RAT to target the Colombian insurance sector to steal payment-related data.Key TakeawaysBeginning in June 2024, BlindEagle was observed targeting the Colombian insurance sector.Attacks have originated with phishing emails impersonating the Colombian tax authority.BlindEagle has leveraged a version of BlotchyQuasar for attacks, which is heavily protected by several nested obfuscation layers.Zscaler ThreatLabz uncovered additional malicious domains that are likely used by this threat actor.Technical AnalysisOverviewA BlindEagle attack chain typically originates with a phishing email that contains a PDF attachment and a URL that points to a ZIP archive file. The PDF attachment contains the same URL as the one provided in the email body. In other words, the ZIP file can be either downloaded from the PDF or directly from the email.Upon clicking the URL (in either the email body or PDF), the victim downloads a ZIP archive from a Google Drive folder. This specific folder is under the ownership of a compromised account belonging to a regional government organization in Colombia. The ZIP archive contains a .NET BlotchyQuasar executable.The figure below provides for a high-level overview of the attack chain.Figure 1: A high-level overview of a BlindEagle attack chain, where the initial phishing email includes a download URL for a password-protected compressed archive and the final payload is a packed BlotchyQuasar sample.Phishing email as initial vectorIn the phishing email, the threat actor impersonated the Dirección de Impuestos y Aduanas Nacionales (DIAN), which is the Colombian National Tax and Customs Authority. The lure used by BlindEagle involved sending a notification to the victim, claiming to be a seizure order due to outstanding tax payments. This is intended to create a sense of urgency and pressure the victim into taking immediate action. Our observations indicate that a substantial number of the targeted individuals are employees within the Colombian insurance industry.The figure below shows the phishing email, which includes the PDF and download URL, spoofing the Colombian tax authority. Figure 2: Example BlindEagle phishing email spoofing DIAN with a PDF attachment and malicious link in the email body.The download URL directs the victim to a password-protected ZIP archive. The password necessary to open the archive is provided within the email body. This ZIP archive is hosted on a Google Drive folder, which is associated with a compromised Gmail account owned by a government organization with a ".gov.co" top-level domain. Based on analysis of the phishing email's metadata, the threat actor likely sent the emails from their own infrastructure. Specifically, the first header received in the email indicates that the message originated from the IP address 69.167.8.118, which is associated with Powerhouse Management VPN. Powerhouse Management is a VPN service known to be utilized by BlindEagle to obfuscate the true source of their malicious activities and acquire IP addresses that are geographically close to their intended targets.BlotchyQuasarBlotchyQuasar is a powerful RAT that possesses a wide range of capabilities. It can log keystrokes, execute shell commands, and perform various other functions. Since BlotchyQuasar is a variant of QuasarRAT, we will not delve into a detailed analysis of its functionalities. Instead, in the following sections, we will concentrate on specific aspects that have not been extensively covered in previous publications.LoaderAs shown in the figure below, BlotchyQuasar is concealed within multiple layers of protection. Each layer consists of a .NET executable that has been safeguarded using either commercial or open-source obfuscators like DeepSea or ConfuserEx. These obfuscators are employed to make the code more complex and challenging to analyze, hindering reverse engineering attempts.Figure 3: Nested structure of the BlotchyQuasar sample.Layer 1 is the outer executable file that is contained within the ZIP archive. It decrypts the Layer 2 data that is contained in a resource named vh by utilizing a custom XOR-based algorithm. Layer 2 consists of a DLL with the name SimpleLogin.dll. When executed, SimpleLogin.dll loads and extracts the contents of a GZip-compressed resource named key0. Within this resource lies another DLL, Gamma.dll, which provides a utility for converting integers to Unicode characters. This utility is used to compose the name of a resource within Layer 1, which is subsequently loaded by SimpleLogin.dll. This resource is named HSOm and is stored as a bitmap image that undergoes a transformation process. This transformation involves discarding the last 150 rows and the last 150 columns of the image. Additionally, the row and column pixel coordinates are inverted. The figure below shows the bitmap when rendered.Figure 4: The resource HSOm rendered as a bitmap containing the Layer 3 data.By extracting the ARGB coordinates from each pixel, another DLL named Tyrone.dll is obtained. This DLL represents Layer 3, which decrypts the final payload by loading a resource named SIxfc1 and applying a custom XOR-based algorithm. This produces an executable file named Client.exe, which is a BlotchyQuasar malware sample.Obtaining the C2The installation steps completed by BlotchyQuasar are discussed in a previous publication. In the sample we analyzed, we observed a similar process. However, the procedure employed to obtain the command-and-control (C2) domain has not been previously analyzed.When BlotchyQuasar is executed, the C2 server location is retrieved from Pastebin. The specific URL used to fetch the paste is hXXps://pastebin[.]com/raw/XAfmb6xp. The content of the paste is an encrypted string, as shown in the example below. (The relevant part is highlighted in bold and separated by the two “¡” symbols.)GNNwsubynrt5oCZ+pAP97K9Sizq1eRn8XQQ8yxktdrbYQL263pZf+aQwkap8YEa09tg1w69qsZYEwGWF482CW3WBNKOJESQBz8IXYNzbbf+jrHUcNUEjV0lhaeAINnCtkqrp2l8esXBEB4rFHUqROAAwi¡CllIOSeGR/pSE1OqzWOtN5zIKVp5TOLPJ1rBUGNg5fA=¡GViPOxT6+nDuUYPCfRyIL0TFRvVOl4JGV9SCkyJUZQo06AvBlwsvaGwpLuv2q6UltL3e0awC1mmp0Cpfg7hAAmY4RpG+qIBxOYnqhLSbyuOAaWlMH4PxrqJ6p35T6Xg2+Z8esryidjlXGJVTWLISvofA2+vX4747n1lVUv4030D6Ds6NyAPHk9mRoDDsqRtW9g+xR0r479umTn8nb7wBCx5tOw2zqnWxpdGkyOrDIEcvb+cHDrA0geAclmePsRIi4CYe3ka41EMQMscoQ+2iUa43AMThis encrypted string is divided into three parts, with the symbol "¡" serving as a separator. Of particular interest is the middle part, enclosed by the separators (i.e., CllIOSeGR/pSE1OqzWOtN5zIKVp5TOLPJ1rBUGNg5fA=).This string is Base64 decoded and decrypted using standard 3DES encryption in ECB mode with PKCS7 padding. The 3DES key used is derived from the MD5 hash of the string qualityinfosolutions. In the provided example, the resulting C2 domain is edificiobaldeares.linkpc[.]net. The C2 communication for this sample leveraged the hardcoded port 9057.Monitoring the consumption of banking & payment servicesBlotchyQuasar implements a multitude of features, including the ability to monitor a victim's interactions with specific banking and payment services. In order to identify such events, the malware examines the title of each newly opened window. If the window title contains certain predefined strings associated with the targeted services, BlotchyQuasar logs a reference to indicate the occurrence of the interaction.The figure below shows an example log collected with references to several banking and payment services. In the example provided, websites for Banco Coomeva, Banco of Machala, and PayPal services were accessed. The log, in this case, is a simple XML document that contains all the references within elements labeled as NameCliente. This log file, named settings.xml, is stored on the disk within the startup folder of the compromised system.Figure 5: Example BlotchyQuasar log containing references to the victim’s interaction with specific banking and payment service providers.The table below lists the organizations that BlotchyQuasar targets. Since the list mainly includes Colombian and Ecuadorian banks, the malware was most likely designed to target individuals in those countries.OrganizationLocationBBVAGlobalBanco AV VillasColombiaBanco BolivarianoEcuadorBanco Caja SocialColombiaBanco CoomevaColombiaBanco DavivendaColombiaBanco GuayaquilEcuadorBanco InternacionalEcuadorBanco PichinchaEcuadorBanco Popular ColombiaColombiaBanco de BogotáColombiaBanco de MachalaEcuadorBanco de la ProducciónEcuadorBanco del AustroEcuadorBanco del PacificoEcuadorBancolombiaColombiaPayPalGlobalScotiabank ColpatriaColombiaTransUnionGlobalTable 1: List of banking and payment service providers targeted by BlotchyQuasar.KeyloggingBlotchyQuasar provides keylogging functionality, with the keylogging module set to flush logs every 15 seconds. These logs are stored in the %APPDATA%\GPrets directory with the filename format MM-dd-yyyy (e.g., 06-18-2024). The log file is structured according to the figure below, which details the captured keylogging data.Figure 6: Structure of a BlotchyQuasar key log.The initial 32 bytes of the encrypted log file comprise an HMAC SHA256 hash of the remaining content that is used as an integrity check. The subsequent 16 bytes store an AES initialization vector (IV) that is randomly generated per file. The AES key is hardcoded within the malware's configuration class. In the sample analyzed by ThreatLabz, the AES key was represented by the Base64-encoded string 1WvgEMPjdwfqIMeM9MclyQ==. BlotchyQuasar uses AES in CBC mode (Cipher Block Chaining) with PKCS7 padding. The remaining portion of the file following the IV encompasses the encrypted log data itself. A Python implementation of the BlotchyQuasar keylogging decryption routine is shown in the code sample below.from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def decrypt(log: bytes, key: bytes) -> bytes:
encrypted_payload = log[48:]
iv = log[32:48]
cypher = AES.new(
key,
AES.MODE_CBC,
iv
)
decrypted_payload = cypher.decrypt(encrypted_payload)
block_size = cypher.block_size
decrypted_payload = unpad(decrypted_payload, block_size, "pkcs7")
return decrypted_payloadAs illustrated in the figure below, the decrypted logs are stored in HTML format.Figure 7: Example decrypted key log data created by BlotchyQuasar.Stealing capabilitiesBlotchyQuasar targets the browser and FTP client applications shown in the table below. ApplicationTypeTargeted DataChromeBrowserSaved passwords CookiesChromiumBrowserSaved passwordsCookiesInternet ExplorerBrowserURL historyFirefoxBrowserSaved passwordsCookiesOperaBrowserSaved passwordsCookiesYandexBrowserSaved passwordsCookiesFileZillaFTP clientSaved passwordsWinSCPFTP clientSaved passwordsTable 2: Applications targeted by BlotchyQuasar for information-stealing purposes.InfrastructureBlotchyQuasar accesses Pastebin to retrieve the current C2 domain. The structure of the Pastebin content and the decryption procedure is unique, which enabled us to identify additional pastes consumed by BlotchyQuasar samples. By successfully decrypting these pastes, we uncovered three more C2 domains:equipo.linkpc[.]netperfect5.publicvm[.]comperfect8.publicvm[.]comAll those domains share a few characteristics:First, these domains are extensions of second-level domains (SLDs) associated with Dynamic DNS service providers. Second, they exhibit a consistent pattern in their resolution history. Specifically, they predominantly resolve to IP addresses that belong to two primary sets. The first set comprises nodes associated with specific VPN services, namely Powerhouse Management, PrivateVPN, and ParadiseNetworks.The second set comprises IP addresses associated with specific Colombian internet service providers (ISPs), namely Colombia Movil, Telmex Colombia, and Tigo. These IP addresses are likely indicative of compromised routers. This information aligns with publicly disclosed findings about the infrastructure under the control of the BlindEagle threat actor.By shifting our focus towards resolving IP addresses, we gained further insights into the infrastructure underpinning operations similar to the one described in this blog. We discovered additional domains that exhibited similar characteristics. While we lack sufficient information to definitively establish that these domains are controlled by the same threat actor, they continue to pose threats to individuals and organizations. Notably, these domains have been utilized, and may still be in use, as C2 servers for various commodity malware families, including njRAT, QuasarRAT, RevengeRAT, and others. It is crucial to remain vigilant as these domains could potentially be employed for malicious activities in the future.As an example, the table below displays the date of first submission on VirusTotal of various QuasarRAT samples communicating with the domain edificiobaldeares.linkpc[.]net. This domain has been utilized as a C2 server since July 2022 and active until March 2024. Since a similar pattern repeats in other domains, we strongly recommend blocking them.First Submission DateMD5Malware Family18-07-2022a73057824a65a5ac982e298a80febf61QuasarRAT21-07-2022bd4505316254f00329431fb8b2888643QuasarRAT22-07-2022d2fc372302180fbabe18c425aa4a0a72QuasarRAT22-07-2022c944cb638364c74431bf1dbe7dd329ffQuasarRAT24-07-202264e6ad512eff12e971efdd8979086c5cQuasarRAT26-07-2022a1f5091ad4e12f922a8e760e0980ab66QuasarRAT29-07-2022ad578125b337168c976ff5e7e1b190b8QuasarRAT01-08-2022e21b4c9d9da81deea2381f9b988b0f99QuasarRAT04-08-202207f661aeeb0774f0cb84b0a5e970c2a5QuasarRAT09-08-2022c4a946903cc9e9a84763ac1731cdd7ddQuasarRAT11-08-202275a40cc019c39e3c2800fb2fe5aba1d3QuasarRAT12-08-20220fa40788b75896a452398b6a49cc62b6QuasarRAT15-08-202259a4f7aed1e3a0718592fb536e987a1dQuasarRAT16-08-2022456211df625002df378cf0f4af9d1a6fQuasarRAT17-08-20220f35306ad4fede9a9ba0276a5e788138QuasarRAT19-08-20226044b126afb86682b4a3440e2924c079QuasarRAT19-08-2022b432e8ff5797fbaf5808d95d46524647QuasarRAT20-08-2022a31ff54f33ced7b4180f87afb18185a7QuasarRAT20-08-2022e3239ac16c6fe9c99d6fac0867121a88QuasarRAT07-07-20232784a9fc64d244b14e7d8e4d03f41265QuasarRAT06-03-20243125ae6b1462b0b48dc06bc47d8ddbc7QuasarRATTable 3: The most recent recorded interactions between various QuasarRAT malware samples and the domain edificiobaldeares.linkpc[.]net.AttributionWe attribute this attack to the threat actor known as BlindEagle with medium to high confidence. Our attribution claim is supported by the following:Spoofing DIAN in the phishing email and using a tax-related lure are both documented characteristics of BlindEagle.BlindEagle is recognized for employing customized or repurposed variants of commodity or open-source malware as their final payload, as mentioned here and here. In this particular case, they utilized BlotchyQuasar, which is a variant of QuasarRAT, an RAT.The extensive usage of Dynamic DNS (DDNS) services to host the C2 domain is another common strategy employed by BlindEagle throughout their operations, as indicated in past documented cases. In this attack, the threat actor utilized linkpc as a DDNS provider, which aligns with their previous choices.BlindEagle typically shields its infrastructure behind a combination of VPN nodes and compromised routers, primarily located in Colombia. This attack demonstrates the continued use of this strategy, with the C2 domains resolving to IP addresses associated with known providers frequently adopted by the threat actor, such as the Powerhouse Management VPN service, which is also used to acquire IP addresses geographically close to the targets. Additionally, the C2 domains sometimes resolve to IP addresses belonging to Colombian ISPs (e.g., Colombia Movil, Telmex, or Trigo), suggesting the involvement of compromised routers.The victims targeted in this attack align with the victimology profile previously established for BlindEagle. The known targets were Colombian individuals employed in organizations operating within the Colombian insurance industry. This nationality and vertical are consistently targeted by the threat actor.ConclusionAs part of our monitoring and research efforts, ThreatLabz discovered a BlindEagle campaign targeting the Colombian insurance sector. The threat actor employed phishing emails that impersonated DIAN (a Colombian tax collection agency) to gain initial access to the victims' systems. These emails contained links and passwords to download and open compressed archive files hosted on compromised Google Drive folders. The contents of these archives were instances of the BlotchyQuasar RAT, which grants the threat actor a wide range of capabilities, including keylogging, monitoring of bank services, and stealing information from various applications.Zscaler ThreatLabz anticipates that BlindEagle will continue launching malware campaigns in the future. We remain vigilant in monitoring the activity of this threat actor to ensure our customers are well-protected against this threat.Zscaler CoverageFigure 8: Zscaler sandbox report for the BlotchyQuasar sample.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to BlindEagle at various levels with the following threat names:Win32.Trojan.BlindEagleHTML.Malurl.Gen.LZHTML.Malurl.Gen.NCHTML.Malurl.Gen.TTHTML.Phish.Gen.LZWin32.Backdoor.Asyncrat.BSWin32.Backdoor.Bladabindi.LZWin32.Backdoor.Dcrat.BSWin32.Backdoor.Nanocore.BSWin32.Backdoor.Njrat.BSWin32.Backdoor.Quasarrat.LZWin32.Backdoor.Remcosrat.BSWin32.Backdoor.Smokeloader.BSWin32.Trojan.AgentIndicators Of Compromise (IOCs)IndicatorDescriptionb83f6c57aa04dab955fadcef6e1f4139MD5 hash of the BlotchyQuasar sample.a68cac786b47575a0d747282ace9a4c75e73504dSHA1 hash of the BlotchyQuasar sample.ec2dd6753e42f0e0b173a98f074aa41d2640390c163ae77999eb6c10ff7e2ebdSHA256 hash of the BlotchyQuasar sample.hXXps://pastebin[.]com/raw/XAfmb6xpPaste containing the encrypted C2 domain of BlotchyQuasar.edificiobaldeares.linkpc[.]netBlotchyQuasar C2 domain for the analyzed sample.equipo.linkpc[.]netAdditional BlotchyQuasar C2 domain.perfect5.publicvm[.]comAdditional BlotchyQuasar C2 domain.perfect8.publicvm[.]comAdditional BlotchyQuasar C2 domain.In addition to those indicators, we added malicious domains likely belonging to the threat actor to our GitHub repository. MITRE ATT&CK ProfileIDTechniqueAnnotationT1583.001Acquire Infrastructure: DomainsBlindEagle uses DDNS services to create third level domains. Those domains serve as C2.T1586.002Compromise Accounts: Email AccountsBlindEagle controlled a Google Drive folder owned by a Colombian, regional, administration organization.T1587.001Develop Capabilities: MalwareBlindEagle is operating BlotchyQuasar, which may be considered a customized variant of QuasarRAT.T1608.001Stage Capabilities: Upload MalwareBlindEagle staged a BlotchyQuasar sample on a compromised and publicly available Google Drive folder.T1566.002Phishing: Spearphishing LinkBlindEagle attempted to gain initial access to the victim’s system by using a phishing email including a link to download BlotchyQuasar malware.T1204.002User Execution: Malicious FileBlindEagle renamed the BlotchyQuasar sample to be consistent with the phishing email lure and push the victim to manually execute the malware.T1204.001User Execution: Malicious LinkBlindEagle’s attack chain starts with the victim clicking on a link included in the email body and in the attached PDF file. T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderBlotchyQuasar achieves persistence by setting a RunKey.T1053.005Scheduled Task/Job: Scheduled TaskBlotchyQuasar creates a scheduled task that launches itself every 3 minutes.T1562.001Impair Defenses: Disable or Modify ToolsIf executed with elevated privileges, BlotchyQuasar attempts to disable several Defender features.T1564.001Hide Artifacts: Hidden Files and DirectoriesBlotchyQuasar creates hidden directories to store keylogger files.T1027.003Obfuscated Files or Information: SteganographyOne of the protection layers included in the BlotchyQuasar loader is decrypted starting from a Bitmap image included as a .NET-managed resource.T1027.009Obfuscated Files or Information: Embedded PayloadsBlotchyQuasar malware is buried under three layers of encrypted code. Those nested code layers are embedded as .NET-managed resources and decrypted with custom XOR-based algorithms.T1027.013Obfuscated Files or Information: Encrypted/Encoded FileBlotchyQuasar stores the keylogger logs after encrypting them with AES.T1553.005Subvert Trust Controls: Mark-of-the-Web BypassBlotchyQuasar deletes the Zone.Identifier ADS (mark-of-the-web) from the original executable to bypass the MOTW.T1027.002Obfuscated Files or Information: Software PackingSome of the protection layers of the BlotchyQuasar loader are obfuscated with .NET obfuscators, such as DeepSea or ConfuserEx.T1140Deobfuscate/Decode Files or InformationThe BlotchyQuasar C2 domain is decrypted with AES.T1056.001Input Capture: KeyloggingBlotchyQuasar is capable of logging keystrokes.T1539Steal Web Session CookieBlotchyQuasar is capable of stealing cookies and passwords from popular browsers and FTP clients.T1056.002Video CaptureBlotchyQuasar is capable of controlling the webcams of the infected system.T1095Non-Application Layer ProtocolBlotchyQuasar establishes a socket-based C2 channel.T1041Exfiltration Over C2 ChannelBlotchyQuasar is capable of exfiltrating stolen information (keylogs, video recordings, and more) over the C2 channel.T1490Inhibit System RecoveryIf executed with high privileges, BlotchyQuasar deletes the shadow copies with the vssadmin utility.
The post BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar appeared first on Security Boulevard.
It’s all about the data. One thing is clear. The “business value” of data continues to grow, making it an organization’s primary piece of intellectual property. And from
The post Storage & Data Protection Trends & Innovations To Watch in 2025 appeared first on Continuity™.
The post Storage & Data Protection Trends & Innovations To Watch in 2025 appeared first on Security Boulevard.
As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of four blog posts is meant to supplement the talk and provide additional technical details. For those who did not attend OffensiveCon, you can also watch the full talk here: “Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting”. This blog post covers the part from 12:05 to 18:10.
In this article, part one of the series, I describe the MultiValuedProperty exploitation primitive, which became fundamental for my further exploitation of Exchange PowerShell. I also present a bypass for Microsoft’s first patch for this vulnerability, accomplished by chaining MultiValuedProperty with the Command class.
Introduction
You might already be familiar with the Exchange ProxyNotShell chain, CVE-2022-41040 and CVE-2022-41082. It allowed any authenticated Exchange user to achieve remote code execution. ProxyNotShell was exploited in the wild before Microsoft released a patch.
I described the ProxyNotShell chain, especially its RCE vector, in this blog post. Before proceeding with this post, please make sure that you are familiar with the original issue, as this article will focus on bypassing the patches.
In this blog post, I would like to start with 2 RCE vulnerabilities:
• ZDI-23-163/ CVE-2023-21529 – abuse of the allowed MultiValuedProperty class.
• ZDI-23-881/ CVE-2023-32031 – bypass for CVE-2023-21529, abuse of not blocked Command class.
Accessing PowerShell Without ProxyShell Path Confusion
The original path confusion vulnerability, CVE-2021-34473, was discovered by Orange Tsai. He used it together with CVE-2021-34523 and CVE-2021-31207 to achieve pre-auth remote code execution, forming the chain known as ProxyShell.
Microsoft’s original patch for the path confusion did not eliminate the root of the problem, but instead placed it behind authentication. After the patch, it was exploited in the wild for post-auth remote code execution using the ProxyNotShell chain mentioned above.
Exploitation of the path confusion allowed a threat actor to reach the Exchange PowerShell backend by sending HTTP requests to the autodiscover endpoint.
After the patch for ProxyNotShell, it appears that this attack vector is completely blocked, though I must admit that I have never fully verified that patch. Nonetheless, a low-privileged attacker still has direct access to Exchange PowerShell Remoting, subject to Kerberos authentication. This is because every Exchange user can trigger some Exchange PowerShell cmdlets, such as Get-Mailbox. Instructions that describe direct interaction with the Exchange PowerShell can be found here.
As Kerberos authentication is required, this attack surface is probably restricted to internal attackers, which is to say, attackers who are already present in the organization’s network. There remains plenty of reason for concern, though. It would not be good if any domain account (and organization member) could escalate to SYSTEM on the Exchange server.
Patch for the ProxyNotShell CVE-2022-41082 RCE
CVE-2022-41082, the RCE part of the ProxyNotShell chain, was fixed with the introduction of the Microsoft.Exchange.Diagnostics.UnitySerializationHolderSurrogateSelector class. It extends SurrogateSelector and its main goal is to validate the types that are retrieved during the deserialization of UnitySerializationHolder. It does this by checking the types against an allow list.
Microsoft’s approach here seems appropriate. An allow list is probably the best way to fight deserialization issues and similar type-based vulnerabilities. However, when the allow list is extensive, it may be possible to find some types there that can be used in exploitation. I decided to take this path and look for potentially dangerous allowed classes.
ZDI-23-162/ CVE-2023-21529 – Allowed MultiValuedProperty Leads to RCE
The Exchange allow lists can be divided into two main parts:
• List of allowed regular types.
• List of allowed generic types.
Generic types seem especially interesting because they allow the inclusion of arbitrary, internal types. Moreover, generic types can be also retrieved through a deserialization of UnitySerializationHolder. Let’s review the list of allowed generics that are defined in the Microsoft.Exchange.Data.SerializationTypeConverter.allowedGenerics member.
The first part of the list is especially interesting because it contains custom Exchange types. It turns out that deserialization involving retrieval of the Microsoft.Exchange.Data.MultiValuedProperty<T> or Microsoft.Exchange.Data.DagNetMultiValuedProperty<T> generic classes can lead to remote code execution.
One may remember that PowerShell Remoting deserialization allows one to call a single-argument constructor of any allowed type (as long as the argument can be also deserialized). This leads us to a consider a single-argument constructor of MultiValuedProperty<T>.
As you can see, it accepts an argument of type object. Thus, the attacker can provide an instance of any allowed PowerShell Remoting deserializable class. This constructor invokes a different constructor that accepts a larger number of arguments.
A great deal of processing occurs after the constructor call. Of primary interest is that we ultimately reach the ValueConvertor.ConvertValue method. Here, the attacker-controlled type is provided as the second argument, while the attacker-controlled object is provided as the first argument. This is the object provided to the MultiValuedProperty constructor.
At [1], it invokes ValueConvertor.TryParseConversion. This call looks particularly interesting because the method name suggests that the Parse method is involved.
At [2], it calls TryConstructorConversion.
Let’s focus on the parse-based conversion now.
At this stage, it is worth to note the values of specific arguments:
• originalValue - value provided by the attacker to the MultiValuedProperty constructor.
• originalType - type of the originalValue.
• resultType - the type parameter (“T”) of the attacker-specified generic MultiValuedProperty<T> type.
At [1], the method checks if originalType is the type string
At [2], it calls ConvertValueFromString. This method is also called during the deserialization process. This method hardcodes several possible conversions and throws NotImplementedException if the conversion from originalType to resultType is not implemented.
At [3], it catches the exception.
At [4], it retrieves the public static Parse method from the attacker-controlled resultType.
At [5], it invokes the Parse method with the attacker-specified value.
To summarize, the MultiValuedProperty<T> generic class implements another way to call the Parse method. This can result in invocation of the XamlReader.Parse(String) method with an attacker-controlled string. In addition, TryConstructorConversion allows one to call a single-argument constructor of a given class.
At this point, one can see that MultiValuedProperty<T> class implements the two most powerful conversions of PowerShell Remoting. Since it is an internal deserialization mechanism, it is included on the allow list. It can be abused by the attacker, for example to call a single-argument constructor of any accessible class. This became a fundamental building block for my subsequent vulnerability research.
As an example of how MultiValuedProperty<T> can be abused, consider the following code:
This line simulates what we achieve via Exchange PowerShell Remoting during exploitation:
• The attacker provides a serialized UnitySerializationHolder object that specifies the allowed MultiValuedProperty<T> type. The type parameter, T, is set to System.Windows.Markup.XamlReader.
• An allow list check is performed on our type: MultiValuedProperty<XamlReader>. The check is successful, because: (1) MultiValuedProperty<T> is present on the allow list, and (2) the type specified in the type parameter, XamlReader, is not subjected to validation at all.
• The MultiValuedProperty constructor instantiates a XamlReader object by calling the static XamlReader.Parse(String) method.
• As the attacker controls the input string, they can provide any XAML deserialization gadget to achieve remote code execution.
The simplified attack scheme is presented in the following diagram.
As we have shown, allow lists are not always secure, and they need to be carefully reviewed. It may turn out that even in a product as mature as Microsoft Exchange, allowed classes may contain functionality that can be abused. This may be especially true for generic classes included in the allow list. The generic (internal) type should always be verified by your type control mechanism. Otherwise, your allowed class may turn out to be abusable. Moreover, class inheritance should also be verified. For example, suppose that Microsoft removed MultiValuedProperty<T> from the allow list. We would still be able to reach it via the allowed type DagNetMultiValuedProperty<T>:
DagNetMultiValuedProperty<T> inherits from MultiValuedProperty<T>. Its single-argument constructor calls the constructor of the base class. Thus, it is another way to trigger the dangerous routine, and it could be abused even if MultiValuedProperty<T> were removed from the allow list.
ZDI-23-881/ CVE-2023-32031 – Bypassing the Internal Deny List with the Command Class
In CVE-2023-21529, I abused the internal deserialization-like mechanism that can be reached through the allow-listed MultiValuedProperty<T> class. When considering potential patches, two approaches present themselves:
MultiValuedProperty is frequently used by the Exchange, thus removing it from an allow list is not an option. Implementing type control in the internal deserialization mechanism defined in ValueConvertor.ConvertValue looks like a good option though. This is what the patch looks like:
You can see that the ChainedSerializationBinder.ValidateResultType method was introduced, to limit the types that the attacker can specify.
Consequently, if the attacker provides the type MultiValuedProperty<XamlReader>, an exception is being thrown, because type XamlReader fails the new validation. Looking deeper into the validation mechanism, though, I found that type validation here is based on a deny list. Instead of implementing a allow list of types that can be used with the MultiValuedProperty, a deny list was used. If you have seen my Hexacon talk about .NET deserialization, you probably know that I love messing with deny lists.
The Exchange deny list is actually pretty good, and it contains dozens of classes. However, it contains almost no internal Exchange classes. My idea was to look for a class, that:
• Is not on the deny list.
• Implements a public and static Parse(String) method that leads to something exploitable, or
• Implements a public constructor that accepts a single argument and leads to something exploitable.
Such a class could be abused when chained with MultiValuedProperty internal deserialization.
The constructor-based deserialization is handled by the previously mentioned TryConstructorConversion method, and it is pretty much the same as the one implemented in PowerShell Remoting.
It didn’t take me long to find the Microsoft.Diagnostics.Runtime.Utilities.Command class:
At [1], the Command(String) constructor calls the Command(String, CommandOptions) constructor.
At [2], a new ProcessStartInfo is instantiated, and both the process name and arguments are retrieved from the attacker's controlled input.
At [3], Process.StartInfo is set to the ProcessStartInfo object from line [2].
At [4], a new process is started.
This class was not included in the deny list, so the following code:
Leads to the execution of cmd.exe /c calc.exe. That’s it. To sum this up, I did the following:
• I used the allow-listed MultiValuedProperty class to reach the internal deserialization mechanism. This mechanism is protected with the deny list of abusable types.
• I delivered the Command class, which is not on the deny list. This allows execution of an arbitrary command.
Demo
I presented the demo for CVE-2023-32031 during my Hexacon 2023 talk about .NET deserialization. It shows the entire exploitation process with the debugger attached.
Summary
In this blog post, I have described both CVE-2023-21529 and CVE-2023-32031. In those vulnerabilities, I abused both the allow-listed and deny-listed classes to achieve RCE on Exchange. That wasn’t the end of my Exchange vulnerability research, though. I still had two additional full-RCE chains that I was able to deliver after the CVE-2023-32031 patch.
In the next blog post, I will provide you with full details on the ZDI-23-1419/CVE-2023-36756 RCE vulnerability. Once again, you can watch my entire OffensiveCon 2024 talk here.
Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
Authors/Presenters:Min Chen, Zhikun Zhang, Tianhao Wang, Michael Backes, Yang Zhang
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – FACE-AUDITOR: Data Auditing in Facial Recognition Systems appeared first on Security Boulevard.