
<<< FLASH MESSAGE SIGNALS INTELLIGENCE >>>


OperatorXoR


<<< SOLARWINDS ZERO DAY ATTACK >>>


“Industry partners have identified artifacts related to another SolarWinds 0-day. According to the industry partner, the 0-day has not been published yet but involves the helpdesk app and a Java deserialization attack.

  • Currently, the only IOC that has been provided is what the error log entry will look like:


[DATE / TIME] [https-jsse-nio-443-exec-1] ERROR com.macsdesign.whd.ui.Application - Context = <er.extensions.appserver.ERXWOServletContext54 contextID=4 requestSenderID=1 elementID=null sessionID=p09lX2kf2i4QmkvsWRy2qM request=<com.macsdesign.util.MDSRequest (<com.macsdesign.util.MDSRequest httpVersion=HTTP/1.0 headers={accept=[*/*], accept-encoding=[gzip, deflate], connection=[keep-alive], content-length=[80866], content-type=[text/plain], cookie=[JSESSIONID=B3AA83D5E556642832C0B5334FC51886;XSRF-TOKEN=13c1f5bf-4f54-4336-85fa-747cc98ee4a8;woinst=-1; wosid=p09lX2kf2i4QmkvsWRy2qM], host=[REDACTED], remote_addr=[REDACTED], user-agent=[python-requests/2.31.0], x-webobjects-servlet-server-name=[REDACTED], x-webobjects-servlet-server-port=[443], x-xsrf-token=[13c1f5bf-4f54-4336-85fa-747cc98ee4a8]} content-length=80866 cookies=null userInfo={HttpServletRequest=SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@10ef6087], ServletConfig=org.apache.catalina.core.StandardWrapperFacade@2a852df9, HttpServletResponse=org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@4e617f6b, ServletContext=org.apache.catalina.core.ApplicationContextFacade@638b5987} storePageInBacktrackCache=true >) method=POST uri=/helpdesk/WebObjects/Helpdesk.woa/ajax/1.1 defaultFormValueEncoding=UTF-8 formValueEncodingDetectionEnabled=NO formValueEncoding=UTF-8 formValues={WOIsmapCoords = ("{"id": 1, "method": "wopage.takeValueForKey", "params": [{"javaClass": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", "userOverridesAsString": "HexAsciiSerializedMap:ACED00057372002C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4861736865644D6170E72F0A460E4F73F00300007870770C3F4”


  • The helpdesk app identified in this attack is Dameware.
  • The exploit allowed for RCE on an endpoint which allowed them to launch a shell (specifically CMD, windows box).
  • At this point it looks like the first identified attack occurred on 6/18/2024 so this 0-Day has had a chance to mature and propagate.”
Edited by AdvancedSetup
Disabled hyperlinks
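As an added triage example (not part of the post or of the flash message it quotes), the script below scans log lines for the shape of the error entry shared as the IOC: a POST to the Helpdesk.woa ajax endpoint whose WOIsmapCoords JSON-RPC body passes a "javaClass" parameter carrying a HexAsciiSerializedMap value that starts with ACED0005, the Java serialization stream magic. It also decodes the first class descriptor from that stream, which for the quoted entry is org.apache.commons.collections.map.HashedMap, a useful hint at the gadget chain being deserialized. The sample entry is abridged from the post (unrelated fields dropped, the hex kept exactly as posted, including its odd length where the copy was cut); the benign entry, the indicator names and the verdict rule are my own assumptions, not anything the industry partner published.

```python
"""Triage helper for the helpdesk error-log IOC quoted above (added example, not from the post)."""
import re
from typing import Optional

# Abridged copy of the error-log entry quoted in the post. "..." marks fields dropped for
# brevity; the hex stops exactly where the post's copy of it stops (137 hex digits, odd length).
SAMPLE_LOG = (
    "[DATE / TIME] [https-jsse-nio-443-exec-1] ERROR com.macsdesign.whd.ui.Application - "
    "Context = <er.extensions.appserver.ERXWOServletContext54 ... headers={... "
    "content-length=[80866], content-type=[text/plain], ... user-agent=[python-requests/2.31.0] ...} "
    "method=POST uri=/helpdesk/WebObjects/Helpdesk.woa/ajax/1.1 ... "
    'formValues={WOIsmapCoords = ("{"id": 1, "method": "wopage.takeValueForKey", '
    '"params": [{"javaClass": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", '
    '"userOverridesAsString": "HexAsciiSerializedMap:ACED00057372002C6F72672E6170616368652E'
    '636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4861736865644D6170E72F0A460E4F73F0030000'
    '7870770C3F4"'
)

# Constructed benign entry (assumption): same endpoint and RPC method, plain string parameters.
BENIGN_LOG = (
    "[DATE / TIME] [https-jsse-nio-443-exec-2] ERROR com.macsdesign.whd.ui.Application - "
    "Context = <... user-agent=[Mozilla/5.0] ...} method=POST uri=/helpdesk/WebObjects/Helpdesk.woa/ajax/1.1 "
    'formValues={WOIsmapCoords = ("{"id": 7, "method": "wopage.takeValueForKey", '
    '"params": ["ticketId", "1234"]}")}'
)

WHD_AJAX_ENDPOINT = "/helpdesk/WebObjects/Helpdesk.woa/ajax/"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"          # ACED0005: java.io.ObjectOutputStream magic
HEX_MAP_RE = re.compile(r"HexAsciiSerializedMap:([0-9A-Fa-f]+)")
JAVA_CLASS_RE = re.compile(r'"javaClass"\s*:\s*"([^"]+)"')
RPC_METHOD_RE = re.compile(r'"method"\s*:\s*"([^"]+)"')


def first_class_name(hexdata: str) -> Optional[str]:
    """Return the first TC_CLASSDESC class name from a Java serialization stream, or None."""
    if len(hexdata) % 2:            # log copy was cut mid-byte; drop the dangling nibble
        hexdata = hexdata[:-1]
    try:
        data = bytes.fromhex(hexdata)
    except ValueError:
        return None
    if not data.startswith(JAVA_STREAM_MAGIC):
        return None
    # Top-level object: TC_OBJECT (0x73), TC_CLASSDESC (0x72), 2-byte big-endian length, class name.
    if data[4:6] != b"\x73\x72" or len(data) < 8:
        return None
    n = int.from_bytes(data[6:8], "big")
    name = data[8:8 + n]
    if len(name) < n:               # stream truncated inside the class name
        return None
    return name.decode("utf-8", errors="replace")


def analyze(line: str) -> dict:
    """Extract the indicators from one log line and decide whether it matches the IOC shape."""
    result = {
        "whd_ajax_post": "method=POST" in line and WHD_AJAX_ENDPOINT in line,
        "rpc_method": None,
        "java_class": None,
        "serialized_object": False,
        "gadget_class": None,
        "scripted_client": "python-requests" in line,   # weak signal only; kept for context
        "suspicious": False,
    }
    m = RPC_METHOD_RE.search(line)
    if m:
        result["rpc_method"] = m.group(1)
    m = JAVA_CLASS_RE.search(line)
    if m:
        result["java_class"] = m.group(1)
    m = HEX_MAP_RE.search(line)
    if m:
        result["serialized_object"] = m.group(1).upper().startswith("ACED0005")
        result["gadget_class"] = first_class_name(m.group(1))
    # Verdict rule (assumption): a JSON-RPC call to the ajax endpoint that names a javaClass and
    # smuggles a Java serialized stream in its parameters is the shape of the quoted entry.
    result["suspicious"] = bool(
        result["whd_ajax_post"] and result["serialized_object"] and result["java_class"] is not None
    )
    return result


def scan(lines) -> list:
    """Return the analysis dicts for every line that matches the IOC shape."""
    return [r for r in (analyze(line) for line in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan([SAMPLE_LOG, BENIGN_LOG]):
        print(hit["rpc_method"], hit["java_class"], hit["gadget_class"])
```

Feed it the application log (the entry is written at ERROR level by com.macsdesign.whd.ui.Application, so it also sits wherever that logger is routed); a true hit reports the javaClass and the decoded gadget class, while a benign takeValueForKey call on the same endpoint is ignored.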
