The Good, the Bad and the Ugly

10973825883?profile=RESIZE_400xBack in the late 1960’s there was a film called, The Good, the Bad and the Ugly.  It was a story of three outlaw cowboys who exhibited these three moral traits.  Sentinel Labs are now sharing a story of the modern day The Good, the Bad and the Ugly.

The Good - The man behind the development and sale of the NLBrute password-hacking tool was extradited to the United States this week.  Known by his alias, dpxaker, US officials charged Russian national Dariy Pankov with computer and access device fraud as well as one charge of conspiracy.

According to the DOJ’s press release on his indictment, Pankov wrote the malware to compromise protected computers by decrypting login credentials. Using NLBrute, he went on to steal the passwords of tens of thousands of computers globally, re-selling the credentials on dark websites to other cyber criminals.  

Investigations have found that login credentials to more than 35,000 computers were sold by Pankov over a three-year period, garnering him over $350,000 in illegal earnings.[1]


While active, Pankov marketed, sold, and had other actors sell NLBrute on his behalf, proliferating the malware to interested malware buyers.  NLBrute has appeared in various malicious cyber campaigns, including tax fraud schemes, brute force attacks, and Ransomware-as-a-Service (RaaS) operations attributed to REvil, Dharma, and Netwalker.

10973826070?profile=RESIZE_400xThough Pankov currently faces a 46-year sentence in federal prison should he be convicted of all charges, his nefarious brainchild is just one of many available credential hacking tools on the dark market.  Credential theft continues to be a leading initial attack vector with threat actors targeting the vulnerable identity surface.

The Bad - Several versions of Carbon Black App Control for Windows are impacted by a critical injection vulnerability reported this week by security researcher, Jari Jääskelä.  In VMware’s security advisory[2], the company labeled the vulnerability as ‘critical’, assigned it a score of 9.1 out of 10, and warned users that attackers leveraging the flaw could gain access to the underlying server operating system.

10973826876?profile=RESIZE_400xThe critical injection flaw is tracked as CVE-2023-20858 and provides malicious actors with privileged access to the App Control administration console.  Once inside, actors could potentially use specially-crafted input to bypass XML parsing restrictions to access sensitive assets or perform privilege escalation.  Versions affected by CVE-2023-20858 include version 8.7.7 and older, version 8.8.5 and older, and version 8.9.3 and older.  There are no workarounds for the vulnerability, and VMware has urged users to patch immediately to versions 8.7.8, 8.8.6, and 8.9.4 to avoid potential risks.

VMware’s Carbon Black App Control is used to lock down servers and critical systems.  The injection vulnerabilities could allow an attacker to execute unapproved commands leading to complete systems compromise and access to connected customers.  News of the injection flaw follows a rapid wave of ransomware attacks reported just two weeks ago that leveraged a two-year-old VMware Service Location Protocol (SLP) vulnerability to compromise thousands of unpatched ESXi servers.

The Ugly - Organizations are racing to patch a remote code execution (RCE) vulnerability impacting multiple Zoho ManageEngine products.  The vulnerability known as CVE-2022-47966 (assigned CVSS score 9.8) is observed to be in use by multiple threat actors with the majority of attacks on victims located in the US, UK, Canada, Australia, Italy, Mexico, Nigeria, Ukraine, and the Netherlands.

CVE-2022-47966 enables unauthorized remote code execution through the use of an outdated, third-party dependency for XML signature validation called Apache Santuario.  

Unauthenticated attackers have exploited the flaw to completely take over two dozen Zoho on-premise products, execute lateral movement techniques, and deploy tools such as Cobalt Strike and Netcat.  

In last weeks’ attacks, threat actors were seen to install AnyDesk software or a Windows version of Buhti ransomware after gaining initial access.

10973826889?profile=RESIZE_584x [3]

Zoho has since published a security advisory detailing all affected products, versions, and fixes and notes that the exploit works only if Security Assertion Markup Language (SAML) single sign-on (SSO) was already enabled at the time of compromise.  Used most commonly by large enterprises to streamline the employee login experience, targeting SAML SSO remains a lucrative target for threat actors seeking high-value payouts for successful attacks.

Based on security researchers’ findings, between 2000 to 4000 servers running ManageEngine products are accessible from the internet, making the attack surface a wide one for opportunistic attackers.  Organizations are urged to patch immediately and implement continuous monitoring and detection capabilities.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We wish to thanks Sentinel Labs for this report.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings  




E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!