Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

Summary:
In December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft’s monthly Patch Tuesday release. Both vulnerabilities were deemed highly significant due to the widespread use of LDAP in Windows environments.

  • CVE-2024-49112: A remote code execution (RCE) bug that attackers can exploit by sending specially crafted LDAP requests, allowing them to execute arbitrary code on the target system.
  • CVE-2024-49113: A denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions.
Trend Micro recently released a blog post detailing a fake Proof-of-Concept (PoC) exploit for CVE-2024-49113 (aka LDAPNightmare) designed to lure cybersecurity researchers into downloading and executing information-stealing malware. Although using PoC lures for malware delivery is not a new tactic, this attack is significant because it capitalizes on a trending issue that could potentially affect a large number of high-value targets. The malicious repository containing the PoC appears to be a fork of the original creator's project, with the original Python files replaced by the executable poc.exe, which is suspicious in a Python-based project. When the victim executes the file, a PowerShell script is dropped into the %Temp% folder and executed. This script creates a Scheduled Job, which in turn executes an encoded script. Once decoded, that script downloads another script from Pastebin, which collects the public IP address of the victim's machine and uploads it using File Transfer Protocol (FTP). The malware then harvests system information, potentially for future lateral movement.


Security Officer Comments:
Protecting against malware hidden in fake repositories requires a combination of technical controls and security best practices. Trend Micro covered the two LDAP vulnerabilities in more detail in an earlier blog post. Proof-of-Concept (PoC) exploits help defenders by concretely demonstrating how a vulnerability can be exploited, allowing security teams to understand the threat, prioritize patching, develop detection mechanisms, and mitigate risk proactively. Given that the target demographic is cybersecurity researchers, this lure is likely designed to harvest sensitive information and gain access to security companies' systems, which could then be used to target and compromise critical infrastructure organizations through attacks such as supply chain compromises. Microsoft has provided a workaround for organizations that are unable to apply the update: ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks. Either mitigation protects the system from this vulnerability; applying both provides effective defense in depth. Customers must apply the latest security update from Microsoft for their Windows version to be protected against these vulnerabilities.

Suggested Corrections:

IOCs are available here.

Protection Recommendations from Trend Micro:
  • Always download code, libraries, and dependencies from official and trusted repositories.
  • Be cautious of repositories with suspicious content that may seem out of place for the tool or application it is supposedly hosting.
  • If possible, confirm the identity of the repository owner or organization.
  • Review the repository’s commit history and recent changes for anomalies or signs of malicious activity.
  • Be cautious of repositories with very few stars, forks, or contributors, especially if they claim to be widely used.
  • Look for reviews, issues, or discussions about the repository to identify potential red flags.
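As an added example (not code from Trend Micro or from this advisory), a small Python script that applies two of the checks above to a fork of a Python-based PoC project: source files disappearing while executables appear (as with poc.exe in this case), and a fork whose stars, forks or contributor counts are far below the upstream project's. The file listings, counts, filenames such as exploit.py and the 10x popularity threshold are constructed assumptions, not data from the real repositories.

```python
"""Added example: heuristics for vetting a fork of a PoC repository.
Inputs are constructed file listings and metadata, not live GitHub data."""
from pathlib import PurePosixPath

# Extensions that should not appear in a source-only Python PoC project.
BINARY_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".msi"}


def compare_fork(upstream, fork):
    """Return findings describing suspicious differences between the
    upstream file listing and the fork file listing."""
    up, fk = set(upstream), set(fork)
    findings = []
    removed_src = sorted(f for f in up - fk if f.endswith(".py"))
    added_bin = sorted(f for f in fk - up
                       if PurePosixPath(f).suffix.lower() in BINARY_EXTS)
    if removed_src:
        findings.append("removed source files: " + ", ".join(removed_src))
    if added_bin:
        findings.append("added executables/scripts: " + ", ".join(added_bin))
    if removed_src and added_bin:
        findings.append("source replaced by binaries: treat as hostile "
                        "until proven otherwise")
    return findings


def repo_red_flags(fork_meta, upstream_meta):
    """Flag a fork whose stars/forks/contributors are an order of magnitude
    below upstream's (assumed threshold), a sign of a freshly created lure."""
    flags = []
    for key in ("stars", "forks", "contributors"):
        have, want = fork_meta.get(key, 0), upstream_meta.get(key, 0)
        if have * 10 < want:
            flags.append(f"{key}: fork has {have} vs upstream {want}")
    return flags


# Constructed sample listings resembling the case described above.
UPSTREAM = ["README.md", "requirements.txt", "exploit.py", "util/packet.py"]
FORK = ["README.md", "requirements.txt", "poc.exe"]
UPSTREAM_META = {"stars": 420, "forks": 95, "contributors": 3}
FORK_META = {"stars": 2, "forks": 0, "contributors": 1}

if __name__ == "__main__":
    for line in compare_fork(UPSTREAM, FORK) + repo_red_flags(FORK_META, UPSTREAM_META):
        print("!", line)
```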
Link(s):
https://www.trendmicro.com/en_us/re...masquerades-as-ldapnightmare-poc-exploit.html