
SOS Intelligence

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 29 April 2024

 

This weekly blog post comes to you via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process, some errors may creep in.

If you are feeling generous, please do make us aware of anything you spot. Feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2024-29986

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29986

 


 

2. CVE-2024-29981

Microsoft Edge (Chromium-based) Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29981

 


 

3. CVE-2024-29991

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29991

 


 

4. CVE-2024-29987

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29987

 


 

5. CVE-2024-29049

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29049

 


 

6. CVE-2020-13699

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

https://nvd.nist.gov/vuln/detail/CVE-2020-13699

 


 

7. CVE-2024-21412

Internet Shortcut Files Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21412

 


 

8. CVE-2022-38028

Windows Print Spooler Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-38028

 


 

9. CVE-2024-0519

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-0519

 


 

10. CVE-2023-1671

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

https://nvd.nist.gov/vuln/detail/CVE-2023-1671

 


Uncategorized

Ransomware – State of Play March 2024

SOS Intelligence is currently tracking 183 distinct ransomware groups, with data collection covering 368 relays and mirrors.

In the reporting period, SOS Intelligence has identified 439 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain, despite law enforcement activity against the group in February 2024.  However, we are seeing a significant decrease in their activity level, which is to be expected.  The impact of law enforcement activity against the group is still being monitored, but it has already been seen that the group has suffered significant reputation damage.  Many affiliates have lost trust in the group to keep their data safe and their identities anonymous.  

March also saw the sudden exit of ALPHV/BlackCat from the scene, in what appeared to be an exit scam.  Affiliates were left stunned when the group shut up shop shortly after receiving a significant ransom from UnitedHealth Group.  As previously reported, the code for ALPHV/BlackCat was purported to have been sold, so a new group is expected to emerge using similar TTPs in due course.

As such, we have seen increases in activity amongst other high-profile groups.  Most groups have seen small increases in activity over the last month. Still, BlackBasta, Medusa, Play, and RAGroup seem to have profited most from LockBit’s misfortune and ALPHV/BlackCat’s sudden disappearance.  All have been operating for at least 12 months and have carved their own niche in the space vacated by these high-profile groups.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.  Brazil remains a popular target, as the most economically developed country in the region.

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing and Construction & Engineering have remained the key targeted industries for March.  These industries would be more reliant on technology to continue their business activities, so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

Significant Events

Targeting against the UK took an aggressive turn, with NHS Scotland (INC Ransomware) and media outlet The Big Issue (Qilin) amongst the most high-profile victims.  This highlights ransomware groups’ apathy towards who they target, and the secondary impacts that that targeting can have.

The Oceania arm of Nissan suffered a significant data breach, which was associated with the Akira ransomware.  The attack was limited to operations in Australia and New Zealand but did have a significant impact on distribution, marketing, sales, and services.

New Groups

March saw the emergence of three new groups: Donex, Kill Security (5 victims each) and RedRansomware (12 victims).  Kill Security has shown some aggressive public-sector targeting, including police services in India and Romania.

Vulnerability Exploitation

The BianLian and Jasmine groups have been observed exploiting CVE-2024-27198 (CVSS 9.8).  This is a vulnerability in JetBrains TeamCity CI/CD server products up to version 2023.11.4, which allows a remote unauthenticated attacker to execute arbitrary code to take complete control of affected instances.  This would allow threat actors to gain access and maintain persistence within an affected network, while conducting reconnaissance, exfiltrating data, and uploading ransomware payloads.

JetBrains has implemented a fix for the impacted system, so it is advised to update to the latest available version.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 22 April 2024

 


 


 

1.  CVE-2024-3400

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-3400

 


 

2. CVE-2024-29981

Microsoft Edge (Chromium-based) Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29981

 


 

3. CVE-2024-29049

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29049

 


 

4. CVE-2024-29987

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29987

 


 

5. CVE-2024-29986

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29986

 


 

6. CVE-2024-21338

Windows Kernel Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21338

 


 

7. CVE-2024-3273

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

https://nvd.nist.gov/vuln/detail/CVE-2024-3273

 


 

8. CVE-2020-16040

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2020-16040

 


 

9. CVE-2022-47522

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target’s original security context. This behavior occurs because the specifications do not require an access point to purge its transmit queue before removing a client’s pairwise encryption key.

https://nvd.nist.gov/vuln/detail/CVE-2022-47522

 


 

10. CVE-2023-32054

Volume Shadow Copy Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-32054

 


CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 15 April 2024

 


 


 

1.  CVE-2023-41265

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

https://nvd.nist.gov/vuln/detail/CVE-2023-41265

 


 

2. CVE-2024-21893

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

https://nvd.nist.gov/vuln/detail/CVE-2024-21893

 


 

3. CVE-2024-0519

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-0519

 


 

4. CVE-2023-6548

Improper Control of Generation of Code (‘Code Injection’) in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.

https://nvd.nist.gov/vuln/detail/CVE-2023-6548

 


 

5. CVE-2023-2551

PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1.

https://nvd.nist.gov/vuln/detail/CVE-2023-2551

 


 

6. CVE-2024-3273

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

https://nvd.nist.gov/vuln/detail/CVE-2024-3273

 


 

7. CVE-2024-29049

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29049

 


 

8. CVE-2024-29981

Microsoft Edge (Chromium-based) Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29981

 


 

9. CVE-2022-21990

Remote Desktop Client Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-21990

 


 

10. CVE-2024-21413

Microsoft Outlook Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21413

 


CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 08 April 2024

 


 


 

1.  CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

 


 

2. CVE-2024-21338

Windows Kernel Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21338

 


 

3. CVE-2024-3273

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

https://nvd.nist.gov/vuln/detail/CVE-2024-3273

 


 

4. CVE-2023-41265

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

https://nvd.nist.gov/vuln/detail/CVE-2023-41265

 


 

5. CVE-2023-41266

A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

https://nvd.nist.gov/vuln/detail/CVE-2023-41266

 


 

6. CVE-2023-6549

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service

https://nvd.nist.gov/vuln/detail/CVE-2023-6549

 


 

7. CVE-2023-6875

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

https://nvd.nist.gov/vuln/detail/CVE-2023-6875

 


 

8. CVE-2023-33106

Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.

https://nvd.nist.gov/vuln/detail/CVE-2023-33106

 


 

9. CVE-2024-29049

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-29049

 


 

10. CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

https://nvd.nist.gov/vuln/detail/CVE-2024-21887

 


CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 April 2024

 


 


 

1.  CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

 


 

2. CVE-2024-21338

Windows Kernel Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21338

 


 

3. CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

https://nvd.nist.gov/vuln/detail/CVE-2021-41773

 


 

4. CVE-2023-36584

Windows Mark of the Web Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-36584

 


 

5. CVE-2023-6549

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service

https://nvd.nist.gov/vuln/detail/CVE-2023-6549

 


 

6. CVE-2024-26246

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26246

 


 

7. CVE-2024-0519

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-0519

 


 

8. CVE-2024-26163

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26163

 


 

9. CVE-2024-26247

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26247

 


 

10. CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26167

 


Uncategorized

Compromised Password Analysis

How threat actors target your credentials and what you can do to protect yourself

Across the dark web, and shadier parts of the clear web, there is a booming marketplace for compromised credentials.  Threat actors looking to make a quick return can monetise your sensitive data, leaving you vulnerable to further compromise.  So how do threat actors get hold of your credentials, and what can you do to protect yourself?

How do threat actors get your credentials?

Threat actors have an arsenal of tools and techniques for obtaining credentials to facilitate further criminal activity. These range from the highly technical to meticulously researched to plain and simple brute force.  We discuss a sample of these techniques below to assist you in understanding how threat actors can obtain your credentials.

Malware

For the more technically-minded, malware can be utilised to intercept passwords being input across the internet, or just simply to steal passwords from your device.

A “man-in-the-middle” attack sees a threat actor tactically position themselves between a victim and the service the victim is accessing.  While the victim is inputting their credentials, the threat actor can see the input and capture this for their use.  This technique has commonly been utilised with banking trojans, such as TrickBot.

Once installed on a victim’s device, TrickBot would identify when victims attempted to access banking services online and provide them with a cloned website, controlled by the threat actor.  Subsequently, they would then be able to see what the victim was typing, thereby gaining access to their login details.  To preserve the illusion that nothing was amiss, the threat actor would then redirect the victim to the legitimate site as if they were logged in.  The threat actor would then capture the victim’s credentials, allowing them to log in whenever they saw fit.

Infostealer malware is much simpler.  Once installed on a device, it can quickly query common areas of a device used for password storage, and send this data to a waiting server controlled by a threat actor.  Owing to the various deployment methods used, threat actors can quickly generate a large volume of content from infostealer malware.  This content is then sorted and sold online, or at times even given away.  Further information regarding infostealer malware can be found in our article here.

Phishing

Phishing requires an element of trickery from the threat actor.  In this situation, they are portraying themselves as something they aren’t to trick the victim into divulging their credentials.  This can often be in the form of messages (email, SMS etc.) asking victims to clarify their credentials associated with a legitimate service, e.g. banking, or premium services such as Netflix.  The threat actor will also provide a convenient link for the victim; however, this link will invariably lead to a cloned website controlled by the threat actor, who can then collect credentials as victims input them.

Social Engineering

Remembering passwords for all the different services we use can be tiresome.  It has been estimated that the average person has over 100 passwords to remember.  Therefore it’s only natural that we utilise the things in our lives that matter most when coming up with passwords.  Significant dates, names of pets, and our favourite locations can all be useful when creating passwords, as you’re more likely to remember these details.

The problem comes with our online activity.  Many people are very public about what they post online, and we talk about the things we like and what’s important to us.  If we’re then using those important things to generate our passwords, it becomes very easy for threat actors to do a little research into us to discover those passwords for themselves.

As an example, we have identified within our data collections that “fiona2014” is one of the most commonly used passwords.  If someone were to be using this password, it could be very easy to use social engineering to obtain it.  It would be straightforward to talk to someone, engage them about their life, and quickly find out they have a daughter called Fiona who is 10 years old.  Putting these details together we can come to “fiona2014”.

Dictionary Attacks

We are inundated with accounts requiring passwords, so it is common for people to use simple passwords to avoid having to remember anything too complex.  Threat actors rely on this as the basis for a “dictionary attack”.  Years of data regarding passwords has allowed for generating files containing thousands of common passwords and their variants.  These files then allow a threat actor to query a service, armed with a victim’s email address, and try each password until the service allows them to log in.

Thankfully, dictionary attacks are somewhat easier to defend against.  Most services will now only allow a few login attempts before any suspicious activity is flagged and the account is locked down.  Threat actors will constantly look for methods to bypass this security, so the best option is to keep those passwords unique.

Brute Force

When finesse will not work, take a sledgehammer to the door.  Brute force requires a threat actor to have some coding knowledge.  They can write code which will query a service to attempt a login, but instead of being more methodical, this method is more trial and error.  Commonly, brute force attacks will iterate through millions of potential combinations to find the correct password (assuming that any security the service has does not lock the account down).  This method can be more easily defeated by using longer, more complex passwords, and we will explain why shortly.

Brute force attacks can also occur when a threat actor obtains a username:password combination for a particular site.  Banking on poor password hygiene, they will attempt the same combination across multiple sites to see if there has been any password reuse.

What happens when your credentials are compromised

What happens when credentials are compromised depends on who the victim is.

Compromise of personal accounts tends to provide threat actors with access to various services and information, including the victims’ banking, online shopping, premium entertainment services etc.  These have some value to others, who may want the benefits of those services without having to pay, e.g. to watch Netflix, listen to Spotify etc.  These types of data will often be grouped and sold in bulk on online forums for a fraction of the cost of the service they give access to.

Real value for threat actors comes from compromised corporate accounts.  These accounts allow a threat actor to access a corporate system, giving them a platform to launch further criminal activity.  There is an entire marketplace dedicated to gaining initial access to corporate systems – initial access brokerage – and depending on the size of the victim, can bring in thousands of pounds for the threat actor selling credentials.  Such access can be a precursor to more serious cybersecurity events, such as data theft/loss, or the deployment of ransomware.

Password hygiene and habits

Now for the statistics.

We have taken a sample of data collated by SOS Intelligence in March 2024, totalling over 10 million passwords obtained by infostealer malware.

The most common password length was 8 characters, with an average length across the dataset of 10.5.  This was to be expected as 8 characters is often presented as a minimum across many password policies.  Additionally, it’s also the number of characters in “password”…

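Top 20 most common passwords

| Password | Count |
|---|---|
| 123456 | 51022 |
| admin | 22322 |
| https | 16682 |
| 12345678 | 16525 |
| 123456789 | 15737 |
| 12345 | 8958 |
| Profiles | 8611 |
| password | 6533 |
| Opera | 3946 |
| 1234567890 | 3326 |
| 123123 | 3093 |
| 1234567 | 2923 |
| Aa123456 | 2866 |
| Kubiak22 | 2821 |
| Pass@123 | 2761 |
| Password | 2665 |
| 111111 | 2488 |
| fiona2014 | 2206 |
| 12345678910 | 2043 |
| P@ssw0rd | 2029 |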

On that note, the word “password”, and numerous variants utilising common character substitutions, appeared over 37,000 times.  “admin” appeared more than 22,000 times, while “https” was used more than 16,000 times.  This is concerning as dictionary attacks will often focus on keywords such as these first, knowing they are so common.  “admin” is frequently used as a default password on routers and other IoT devices, which highlights the ongoing vulnerability of these devices.

In total, approximately 1 million passwords contained only digits, while approximately another 1 million contained only letter characters.  Overall, over 7.5 million passwords contained no special characters.

So the fundamental question is, why are these statistics important, and how can we use them to improve our password hygiene?

Password strength works based on “entropy” – the measure of randomness or uncertainty of the password.  Password entropy allows us to quantify the difficulty or effort required to guess, or “crack”, a password using brute force or other similar methods.  As a general rule, higher entropy passwords are deemed stronger and more secure.

We measure entropy in bits. The number of bits a password has indicates how strong it is.  The basic formula for calculating entropy looks like this:

 Entropy = log2(N^L)

Where:

  • N is the number of possible characters in the character set used for the password
  • L is the length of the password (in characters)
  • log2 is the base-2 logarithm

Taking this formula we can see that the longer a password is, and the more characters it pools from, the higher entropy it will have.  We can visualise this with our data.

Using a length of 8 (being the most commonly seen) we can see the entropy when different sizes of character sets are used:


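| | Numerical | Single Case | All Case | Alphanumeric | Alphanumeric w/ Special Characters |
| --- | --- | --- | --- | --- | --- |
| Total # of characters | 10 | 26 | 52 | 62 | 92 |
| Entropy (bits) | 26.58 | 37.60 | 45.60 | 47.63 | 52.19 |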

If we increase the password length to 12, strength increases significantly:


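| | Numerical | Single Case | All Case | Alphanumeric | Alphanumeric w/ Special Characters |
| --- | --- | --- | --- | --- | --- |
| Total # of characters | 10 | 26 | 52 | 62 | 92 |
| Entropy (bits) | 39.86 | 56.41 | 68.41 | 71.45 | 78.28 |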

Based on the above, working at 1000 guesses per second, a brute force attack on an 8-character numerical password would take about 27 hours.  However, a similar attack on a 12-character password utilising alphanumeric and special characters would take roughly 11.5 billion years!

The key factor to note here is that there is a reason we’re always asked for longer passwords with uppercase, lowercase, numbers and special characters – they’re that much stronger and more secure.

So a crucial question remains: what should be done with this information?  We sincerely hope that what we’ve discussed here will highlight the need for strong and enforced password policies.  These should factor in the following:

  • Use of alphanumeric and special characters
  • Mandatory lengths (at least 10, but longer is better)
  • No password reuse
  • Frequent and enforced password changing.
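The entropy formula and the policy points above can be combined into one check. The following is an added Python example, not SOS Intelligence code: the function names are illustrative, and the special-character class size of 30 is an assumption chosen so that the full pool matches the article's figure of 92. It also shows why a deny-list is needed, since the formula only measures the search space of a randomly chosen password and scores "P@ssw0rd" at 52.19 bits even though it appears in the top 20.

```python
import math
import string

# Character-class sizes. 10/26/26 are the digit and letter counts; 30 specials
# is an assumption chosen so the full pool matches the article's figure of 92.
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 30}

# Deny-list built from entries in the article's top-20 table.
COMMON = {"123456", "admin", "https", "12345678", "123456789", "password",
          "Password", "Aa123456", "Pass@123", "P@ssw0rd", "111111"}


def classes_used(pw):
    """Return the set of character classes that appear in pw."""
    used = set()
    for ch in pw:
        if ch in string.digits:
            used.add("digit")
        elif ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        else:
            used.add("special")  # anything outside ASCII letters and digits
    return used


def entropy_bits(pw):
    """Entropy = log2(N^L) = L * log2(N), with N taken from the classes present."""
    if not pw:
        return 0.0
    n = sum(CLASS_SIZES[c] for c in classes_used(pw))
    return len(pw) * math.log2(n)


def audit(pw, min_length=10):
    """Check pw against the policy points above; returns a list of findings."""
    findings = []
    used = classes_used(pw)
    if pw in COMMON:
        findings.append("on common-password list")
    if len(pw) < min_length:
        findings.append("shorter than %d characters" % min_length)
    if not ({"digit", "special"} <= used and used & {"lower", "upper"}):
        findings.append("not alphanumeric plus special characters")
    return findings


if __name__ == "__main__":
    # Two entries from the article's table plus one constructed value.
    for sample in ["12345678", "P@ssw0rd", "correct-Horse7battery"]:
        print(f"{sample!r}: {entropy_bits(sample):.2f} bits, {audit(sample) or 'ok'}")
```
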

Wherever possible, we would highly recommend the use of password managers.  They can save a lot of time for users, allow for significantly more complex passwords to be used, and only require the user to remember one password.  We don’t recommend using one product over another, but one such example would be KeePassXC.  KeePassXC is a host-based password vault which keeps passwords encrypted when not in use.  It offers numerous options for password generation, varying on characters used, length etc.  The benefits of this are that you can generate passwords up to 128 characters long, which simply need to be copied and pasted whenever they are required.  Here is one such example with an entropy value of 715:

J4kKutHec3RYxQo3kpm4mot5EAVp&opRCSr&x4J5r%fQ$XxzrjdW2ZgRg@k42XhA@zz`S4ofiR4~^s`&43zZ@JQ&qQ$Mad2^jtQdHSZ@hbJbVk5Qabvs5Kc$KW3#W@Rm

What our external research shows

Research conducted by NordPass in 2022 identified that the average person has approximately 100 user accounts requiring password verification.  This is the most probable cause for password reuse and password fatigue, where users are exasperated by the constant need to generate unique strong passwords and fall into a habit of using weak, easy-to-remember passwords, or reusing old ones. Verizon’s Data Breach Investigations Report, published in 2021, estimates that 80% of hacking-related breaches were a result of stolen or brute-forced credentials.  This number could be significantly reduced by ensuring and maintaining good password hygiene.

Forgetting passwords can have a significant impact on the password owner, the services they use, and the organisations they work for:

  • Research firm Forrester has indicated that, for some organisations, the costs associated with handling password resets could be up to $1 million USD per year.  Gartner estimates that around 40% of help desk queries in large companies relate to password resets, taking up a substantial part of billable work, and taking focus away from more business-critical support.
  • In 2017, MasterCard and the University of Oxford published a study looking at users of online shopping platforms.  Their research indicates that 33% of users would abandon a purchase if they could not remember an account password, while 19% would abandon a purchase while waiting for a password reset link.
  • Chainalysis, a cryptocurrency data firm, estimates that 20% of all mined Bitcoin are locked in lost or otherwise inaccessible wallets.  In one such example, one user has 7002 Bitcoins locked within a hard drive, which risks being encrypted following two more incorrect password attempts.

What is SOS Intelligence doing, and how can it benefit you?

At SOS Intelligence, we understand the risk that credential theft can pose to the security of your data.  What we can provide is early detection for when your data has been exposed. 

We are actively collecting and analysing stolen credentials from multiple sources which feeds into our intelligence pipeline.  Within moments of ingestion, we can generate bespoke alerts for you to indicate when you may be at risk.  Early detection is vital to allow you to take action before an issue becomes serious and impactful against your business.

If you are serious about your cyber security, why not book a demo?

Product news

Introducing the SOS Intelligence Source Library

Amir and Daniel

I’m delighted to announce that last week we launched our newest feature, the Source Library for paying customers. This has been in development for the past few months and the team has done an outstanding job getting this live. Thank you guys!

I sat down with Daniel, our Threat Intelligence Analyst and frequent guest on our webinars to run through the specifics.

You can see what we covered below:

  1. Introduction of the Source Library: this has been developed in the background over the last few months and the team has done an excellent job. Having our new developer, Srdjan, is already paying dividends.
  2. Purpose: The Source Library aims to provide customers with additional context and information about the sources being monitored, as well as specific alerts generated. This has been something that has been requested and gives the extra information which often helps with context and understanding of what is happening, or could happen.
  3. Strategic Decision: Integrating the Source Library into the platform was a strategic decision based on customer feedback and the direction of the platform. The 2024 roadmap is looking solid! We are always balancing the work required / difficulty and return.
  4. Collection Plan Management: The focus of the development was on managing the collection plan, which is crucial for the intelligence process, especially in content ingestion and matching.
  5. Features of the Source Library:
    • Provides a browsable view of all collection sources with status indicators making it easy to read.
    • Includes tags for categorizing sources based on topics – this is extremely useful for marking and returning to data.
    • Implements a risk scoring system for each source based on various factors, showing the high risk items.
    • Offers transparency and visibility to our customers.
  6. Continuous Development: The Source Library is considered a living thing and will be continuously updated and expanded as the platform evolves.
  7. Ransomware Data and Statistics: Customers can access ransomware statistics, filtering by industry vertical, group, and time period, to understand the frequency and distribution of ransomware attacks.
  8. Integration with Alerts: Each alert references a collection source, allowing users to quickly assess the risk level associated with the alert based on the source’s risk score.

I’d like to highlight the importance of listening to our customers. We pride ourselves on actively listening to feedback and requests. Whilst not all may be feasible, a lot are and we are focused on continuing to launch new features based on customer needs.

Thanks again to Daniel and Srdjan for the work on this!

If you have any questions about the Source Library or SOS Intelligence in general and how it can become part of your company’s cyber protection, please do get in touch.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 25 March 2024

 

This weekly blog post comes via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process, some errors may creep in.

If you are feeling generous, please do make us aware of anything you spot; feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2024-26247

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26247

 


 

2. CVE-2023-29057

A valid XCC user’s local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”.

https://nvd.nist.gov/vuln/detail/CVE-2023-29057

 


 

3. CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26167

 


 

4. CVE-2024-26163

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26163

 


 

5. CVE-2024-26246

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26246

 


 

6. CVE-2024-27198

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

https://nvd.nist.gov/vuln/detail/CVE-2024-27198

 


 

7. CVE-2023-23397

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-23397

 


 

8. CVE-2023-6875

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

https://nvd.nist.gov/vuln/detail/CVE-2023-6875

 


 

9. CVE-2024-21762

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

 


 

10. CVE-2024-1512

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the ‘user’ parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2024-1512

 


CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 18 March 2024

 

This weekly blog post comes via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process, some errors may creep in.

If you are feeling generous, please do make us aware of anything you spot; feel free to follow us on Twitter @sosintel and DM us. Thank you!

 


 

1.  CVE-2024-21762

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

 


 

2. CVE-2024-26163

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26163

 


 

3. CVE-2024-26246

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26246

 


 

4. CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26167

 


 

5. CVE-2023-6875

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

https://nvd.nist.gov/vuln/detail/CVE-2023-6875

 


 

6. CVE-2023-27997

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

 


 

7. CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

https://nvd.nist.gov/vuln/detail/CVE-2024-23897

 


 

8. CVE-2024-21413

Microsoft Outlook Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-21413

 


 

9. CVE-2024-27199

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

https://nvd.nist.gov/vuln/detail/CVE-2024-27199

 


 

10. CVE-2023-29360

Microsoft Streaming Service Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-29360

 

