CyberWire Daily - Triofox and the key to disaster. [Research Saturday]

Episode Date: May 31, 2025

This week, we are joined by John Hammond, Principal Security Researcher at Huntress, who is sharing his PoC and research on "CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild." A critical 9.0 severity vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox is being actively exploited in the wild, allowing remote code execution via hardcoded cryptographic keys in default configuration files. Huntress researchers observed compromises at multiple organizations and confirmed hundreds of vulnerable internet-exposed servers, urging immediate patching or manual machineKey updates. Mitigation guidance, detection, and remediation scripts have been released to help users identify and secure affected installations. The research can be found here: CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Starting point is 00:00:40 Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:31 If we see that in a strange or new or different application or program that we don't typically see, we start to get the hunch, hey, there might be some weaknesses, there's a flaw or potential vulnerability in that software. And truth be told, that was the very beginning of the story here. When we saw this detector fire, well, that pointed us towards that CentreStack application. And then after we did our homework, did a little bit of research, we see, oh, this has just recently been added to the known exploited vulnerabilities
Starting point is 00:02:00 database that CISA maintains. And we're thinking, okay, yeah, we're onto something here. That's John Hammond, principal security researcher at Huntress. The research we're discussing today is titled CVE-2025-30406, Critical Gladinet CentreStack and Triofox Vulnerability Exploited in the Wild.
Starting point is 00:02:24 Well, for folks who aren't knee-deep in exploit detection every day, it's my understanding from reading the research that it was a PowerShell alert that was part of tipping you off that there was a problem here? Correct. Any of those sort of, hey, on the computer, on the endpoints, typical sort of living off the land is the keyword you tend to hear, but certainly PowerShell or other oftentimes command prompt low level system commands that could be run. Well, we could see that and we have that visibility and it's definitely something that's an identifier and breadcrumb for us. So at the center of this is CVE-2025-30406. Explain that to us in plain terms. What in particular makes this one dangerous? Great question and thank you. So CVE-2025-30406 is the CVE identifier that was assigned to this weakness and vulnerability in Gladinet
Starting point is 00:03:29 CentreStack. I'll admit, I don't think it particularly covers or really does a good job explaining, oh, this affects the Triofox application just as well. But if you drill down into it, what that really is, is what a lot of nerds and geeks call a deserialization vulnerability. And that's usually a dangerous one. It's something that, oh, it's taking data or input from the user and then trying to manipulate it or process it in a way that, well, could open the door for a little bit of tricks, a little bit of a magic something up their sleeve where it will now evaluate
Starting point is 00:04:06 and actually execute raw commands or raw code. But this was all pre-authentication. You didn't exactly need a username or password or any credentials to get in the door to be able to access this endpoint. Truth be told, if you just knew the IP address or sort of the domain or website for this application, it's point and
Starting point is 00:04:26 shoot. You just say, this is who I want to target. And then, then it's done. Well, let's dig into that a little bit. The research mentions view state deserialization. Can you explain that for us? Yeah. Deserialization is a very well known and especially that view states. I know you mentioned that key word there. That is a common, I don't know if that's the right word to say that, that's just a well established potential weakness in this specific style or format of applications. It's specific to ASP or ASP.net or ASP.ASPX.
Starting point is 00:05:02 Forgive me, I know the ASP sort of family of different things gets a little wild. So it's one of those in that ASP umbrella. But that is native and natural to that language and syntax and code that's used for web applications like this. That view state handles session logic. So anytime that you might be interacting with the website,
Starting point is 00:05:25 oh, it's keeping track of, oh, you logged in. You have some information tied to your account, properties with your own persona as you navigate through the pages. But ASP in this view states, if it's trying to deserialize some data, it could absolutely be used and abused. Now, this exploit involves hard-coded cryptographic keys. Can we dig into that a little bit?
Starting point is 00:05:51 Can you unpack that for us? Yes, and thank you because this is the heart of the issue. The way that ViewState works, and I'm glad we got to the core of it, well, truthfully, it relies on sensitive secrets, kind of to be used as the seed or the beginning original value that it will work with for a lot of the crypto math and magic that it uses to compute and work with all the input and output it's handling. Now the secret is something that should be stored server side. It should be a secret, right? It's not something that'll be in the user's browser.
Starting point is 00:06:25 It's going to be way across the internet, tucked away on the server or the website that you're trying to access. But it needs to be secret. Unfortunately, it seemed that in these Gladinet CentreStack and Triofox installations, every single installation or copy and running rendition of the server just had the exact same value. It was not changed, it was not rotated, it was not new or dynamic. So if you knew one, you knew all of them.
Starting point is 00:06:57 And that way it's not a secret anymore. You could go track down and determine what are those values, what are those magic numbers that will clue us in to be able to beat up that view state and do this deserialization attack. I mean, it's kind of the keys to the kingdom, right? Oh, yeah. You mentioned in the research that you've seen this being used against a handful of organizations already. Are there particular types of organizations we're talking about?
Starting point is 00:07:24 Is there any focus here? Truth be told, I don't think I have a good answer for you right off the cuff. I tend to think when it comes to vulnerabilities just like this that are pre-authentication, immediate jump to code execution and owning or compromising the host. Oftentimes threat actors and hackers will just spray and pray. It's kind of an attack of opportunity. Look, if there's anything out and open and exposed on the internet, well, it's point and shoot. It's open season. Why not just try to get an implant? Why not just try to gain persistence and exploit as
Starting point is 00:07:57 much as possible en masse? And there's really no specific, oh, is it a sector? Is it a certain industry or vertical? It's just whatever's an easy target. What's your sense for how widespread this could be? Truth be told, this is small. It's small scale. It's very limited. When we got to see some of the footprints or what's accessible out on the open internet with tools like census or showdown, just kind of seeing what's out there while other resources are scanning the internets. There weren't a lot of these servers out and
Starting point is 00:08:30 about and that's not to say oh what relative to other cases where you're looking at other software that's ubiquitous but maybe about 250, 275 or 300 or so servers out and about in the wind or so servers out and about in the wind. And I'll say what we saw compromised or now potentially tested in our partner environments, small numbers, started at two, moved to seven, maybe moved up to 12 or 24, but that's not zero. And that's more than enough for us to spring into action. We'll be right back. to spring into action.
Starting point is 00:09:08 We'll be right back. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that.
Starting point is 00:09:31 It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how Threat Locker can help you lock down your environment at www.threatlocker.com Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed
Starting point is 00:10:06 up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it piece of mind. And it's not just for individuals.
Starting point is 00:10:31 DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Yeah, I mean, I guess on the one hand, it's good news that it's not more globally widespread. But on the other hand, if one of those servers happens to be yours, that can make for a bad day.
Starting point is 00:11:21 Yeah, without a doubt. So let's go through a typical attack chain here. Can you walk us through sort of step by step what the attacker does and what they're trying to accomplish? I can. And forgive me, I can get as nerdy and geeky and spew as much techno babble as you'd like. Well, let's walk the line there knowing that our audience is pretty technical, but also, you know, we do have limited time.
Starting point is 00:11:47 No. So let's say you're putting your hacker hat on, you're acting as the adversary. And if you're doing your homework, trying to just see track down what are these hard coded secrets or these cryptographic values tucked away in the application center stack or trio Fox, truth be told, you can just kind of, hey, grab a free trial of the software off the website, off the internet and then get it installed and you could see what the values are.
Starting point is 00:12:15 And that's the keys of the kingdom, just as you mentioned. So there are, again, truth be told, off the shelf, like readily available tools and tooling to be able to test or validate weaknesses like this with view state deserialization in these ASP web apps. Why so serial is what I'm alluding to for, again, the nerds and geeks listening in. But you can pretty easily weaponize that. There are plugins to say, let me plug in these right in these right values, those correct sensitive cryptographic keys,
Starting point is 00:12:47 and then point it to a server. If we wanted to zoom in just a little bit, and this is really where the nuance comes in, if I may, there are different endpoints or different addresses like you're accessing the website that will correspond to a different internal configuration file where there might be different view state configuration values.
Starting point is 00:13:10 So you as a system owner, as an administrator, maybe the IT or security individual, you need to be tracking all of those. Really it boils down to just two, kind of as we've seen in the wild. But that is where we wanted to get a little bit of the extra messaging out because it's not just one File on your file system. It's something else that you got to keep track of too and Some of the patching or upgrading opportunities that are available to you I'll admit there was more than one and some of them worked and some of them didn't seem to.
Starting point is 00:13:46 So we've seen instances where this software, Gladinet or Tririfox, is in air quotes upgraded to the latest version and in air quotes, patched, but those sensitive keys still weren't rotated and could still just as easily be exploited. So there are a couple gimmicks and gotchas there that we wanted to help spread the word for. This was just too easily weaponized, but a couple things to still keep an eye out and be aware of. So as the attacker makes their way
Starting point is 00:14:16 through their business here, what sort of things do they seem to be focused on? This one is oftentimes gaining persistence, gaining more implants, access, hooks and claws so that they can get back into the environment. If they maybe found a door closed behind them or anything, there's still other opportunities to continue their campaign or work with this later.
Starting point is 00:14:41 We had seen Cobalt Strike, very, very well known and again, common command and control capability and tooling there and others like different remote monitoring and management solutions. Again, nerds and geeks might be familiar with mesh central, but you think of that as again, just that remote control application that's typically trusted.
Starting point is 00:15:02 It's a well known and that's just a third party solution that your antivirus or a lot of security solutions aren't gonna complain about because it looks quote unquote normal. It's just how it's used with the intent, with the purpose. But bad actors, well, they have ill intent. Yeah. Let's talk detection and response here.
Starting point is 00:15:23 I mean, what are your recommendations? What should defenders be looking for in their logs or their alerts, you know, those sorts of things? Yeah. And thank you so much. There is a real, real indicator. There is a artifact that is left behind in the logs. You could drill down and track down the Windows Event Viewer, the Windows Application Event Log.
Starting point is 00:15:43 And if you wanted to be super tactical, one of the event IDs, I Windows application event log. And if you want it to be super tactical, one of the event IDs, I believe it's 1316, will just really sound the alarm. It says, bright and bold, the view state verification failed, like view state was invalid, anything curious there. But it'll include the whole payload or the raw dump that's just the encoded commands that could have very well been trying to be executed, trying to be processed, deserialized to run.
Starting point is 00:16:10 So if you did a little bit of magic, if you try to decode that data, you could really see smoking gun at the crime scene, what they tried to fire off, what they wanted to execute. But that is definitely the key indicator. Look in your logs and try to find those indicators of compromise. You mentioned that there are patches available. Looking at the big picture here, if I discover that a tool, and I'm trying to be nonspecific here, but if I discover that a tool in my inventory that I count on has hard-coded cryptographic keys, is it time for me to maybe be shopping around?
Starting point is 00:16:50 Yeah, well, I'll put my finger on my nose here and I know that's really within everyone's personal, your own assessment, your risk model. But hey, in 2025, as we're having a lot of conversations of secure by design, we're thinking about that supply chain, we're thinking about all the ways that hackers are banging at the door. Yeah, maybe we can board up the windows and lock the doors a little bit more. Yeah. Yeah. What do you hope people take away from this research. Any words of wisdom here? Well, I think, and forgive me, I know again, nerdy geeks, but I think there's been some interesting conversations that followed this because this view state deserialization is,
Starting point is 00:17:38 as I was alluding to, just a known thing that's established in the information security and information technology ecosystem to the point that this has been around for many years. This is a known weakness and class of vulnerability. So seeing this as we are in today's day and age, the modern world right now, we're kind of scratching our head, just as you mentioned. Why do we still suck with this? And are there other applications or software that have the same fault?
Starting point is 00:18:08 So we saw some write-ups and articles from Microsoft. We saw other vendors connect-wise, making some changes to their Screen Connect application and other things to try and mitigate this. So this glaring, potentially open hole is not an attack surface for the future. And I'm glad to see and hear kind of the industry picking up our ears and looking around and having the wherewithal to say,
Starting point is 00:18:32 oh yeah, let's get ahead of this so there's not more damage done. We can limit this and focus on that class of vulnerabilities. We really got to make sure we can nip this in the bud. Our thanks to John Hammond from Huntress for joining us. The research is titled, Critical Gladinet Center Stack and Trio Fox Vulnerability Exploited in the Wild. We'll have a link in the show notes. This episode was produced by Liz Stokes, we're mixed by Elliot Peltsman and Trey Hester, our executive producer is Jennifer Iben, Peter Kilpey is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here, next time.
