2024-04-23
Security Team
Hackers Trojanize PuTTY SSH client Found Vulnerable to Key Recovery Attack
Cyber Attack

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users to a critical vulnerability affecting versions 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

If an attacker possesses approximately 60 signatures created with a key that was generated by one of these PuTTY versions using this algorithm, the attacker can recover the private key. Such signatures are produced whenever the key is used to authenticate to an SSH server. They cannot be captured by merely eavesdropping on SSH connections, but they can be obtained from other sources, such as signatures that have been made publicly accessible.

Malicious PuTTY Ads
The initial intrusion starts from a malicious ad displayed via Google search. We have observed several different advertiser accounts, all of which were reported to Google. The lures are utilities commonly used by IT admins, such as PuTTY and FileZilla.
Online ads on search engine result pages are increasingly being used to deliver malware to corporate users. ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks.

Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.


These ads are convincing and tailored to the search habits of IT professionals, making them particularly effective.
Once clicked, these malicious ads lead users to download what they believe to be legitimate software installers. However, these installers are trojanized versions designed to infect the user’s system with Nitrogen malware.
This malware serves as a gateway for attackers to gain initial access to private networks, which can then be exploited for data theft or to deploy ransomware such as BlackCat/ALPHV. Despite reports to Google, the malicious ads continue to run, prompting the cybersecurity community to share detailed information on the tactics, techniques, and procedures (TTPs) used by the attackers and indicators of compromise (IOCs) to help system administrators defend against these threats.


Deploying the Malware and Protecting Against Attacks

The final step in this malicious chain is deploying the Nitrogen malware through the fraudulent installers. The malware uses a technique known as DLL side-loading, in which a legitimate executable is used to load a malicious DLL file.

In this instance, a seemingly innocuous setup.exe file side-loads a malicious file named python311.dll, which is associated with Nitrogen. To combat this threat, cybersecurity firm ThreatDown has blocked these malicious websites, preventing users from being tricked into downloading the malware. Its Endpoint Detection and Response (EDR) engine can quarantine the malicious DLL immediately, and system administrators can use the AI-assisted engine to search for and review detections.
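To make the side-loading pattern above concrete from the detection side, here is an added Python example (not ThreatDown's EDR logic and not code from the original post) that runs a simple side-loading heuristic over constructed image-load events modelled on Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus). It flags an unsigned DLL loaded from the same directory as its host executable when that directory is user-writable, and raises the severity when the DLL name matches the python311.dll reported in this campaign. The sample paths, the list of user-writable path markers and the event layout are assumptions.

```python
import ntpath

# DLL name reported in this campaign (setup.exe side-loading python311.dll).
WATCHED_DLLS = {"python311.dll"}

# Assumed markers for directories an ordinary user can write to; extend as needed.
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
)

# Constructed sample events modelled on Sysmon Event ID 7 (Image loaded) fields.
SAMPLE_EVENTS = [
    {   # fake installer loading an unsigned DLL next to itself: side-loading
        "Image": r"C:\Users\alice\Downloads\putty-setup\setup.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\putty-setup\python311.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # same installer loading a system DLL: benign
        "Image": r"C:\Users\alice\Downloads\putty-setup\setup.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # real Python install loading its own signed runtime DLL: benign
        "Image": r"C:\Program Files\Python311\python.exe",
        "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned DLL from a different directory: not side-loading by this rule
        "Image": r"C:\Users\alice\Downloads\tool.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]


def is_user_writable(path):
    """Heuristic: does the path sit under a directory a normal user can write to?"""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event):
    """Return None for a benign load, or (severity, reason) for a suspected side-load."""
    exe_path = event["Image"]
    dll_path = event["ImageLoaded"]
    same_dir = ntpath.dirname(exe_path).lower() == ntpath.dirname(dll_path).lower()
    unsigned = event.get("Signed", "false").lower() != "true"
    if not (same_dir and unsigned and is_user_writable(exe_path)):
        return None
    dll_name = ntpath.basename(dll_path).lower()
    if dll_name in WATCHED_DLLS:
        return ("high", f"{dll_name} is a DLL name reported in this campaign")
    return ("medium", "unsigned DLL loaded from the executable's own user-writable directory")


def side_load_findings(events):
    """Run classify() over a list of image-load events and collect the hits."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            severity, reason = verdict
            findings.append({
                "process": ntpath.basename(event["Image"]),
                "dll": ntpath.basename(event["ImageLoaded"]),
                "severity": severity,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in side_load_findings(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']}: {f['reason']}")
```

The same-directory plus unsigned plus user-writable combination is what separates the fake installer from a legitimate Python install loading its own python311.dll from Program Files; in production the signature fields should come from the EDR or Sysmon pipeline rather than from the event as logged by the process itself.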
The PuTTY project has released a security update to address a cryptographic vulnerability (CVE-2024-31497) in PuTTY. Successful exploitation of this vulnerability could allow attackers with access to a sufficient number of signatures to derive the corresponding NIST P-521 private key.
The prevalence of malvertising as a vector for cyber-attacks has highlighted the need for better user education specifically tailored to recognize and avoid such threats. While phishing training for email threats is familiar, similar training for malvertising is not yet widespread.


To protect endpoints from malicious ads, group policies can be implemented to restrict traffic from both major and lesser-known ad networks.

How can I determine if I am vulnerable?
This vulnerability affects private keys that use the ecdsa-sha2-nistp521 key type and were generated by a vulnerable version of PuTTY or its tools. Simply upgrading PuTTY, or one of the other affected applications, does not fix keys that were generated with an earlier, vulnerable release; those keys must be regenerated and the old ones revoked.
Checking for exposure therefore involves two steps:
•    Identify vulnerable versions of PuTTY and the other affected applications.
•    On non-Windows endpoints, identify user private keys that were generated using the ecdsa-sha2-nistp521 algorithm. Note that ecdsa-sha2-nistp521 is not PuTTY's default algorithm: a user must select it explicitly by choosing ECDSA and the nistp521 curve in the key generation user interface, or by pre-selecting them on the command line with puttygen.exe -t ecdsa -b 521.
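As an added example (not from the original post and not the PuTTY project's own tooling), the Python below implements both checks: it compares a reported product version against the affected ranges stated on this page, and it scans OpenSSH public-key lines (authorized_keys or .pub files, including lines that carry authorized_keys options) and PuTTY .ppk headers for the ecdsa-sha2-nistp521 key type, reading the algorithm from the key blob itself rather than trusting the leading label. The sample lines are constructed with dummy public points. The scanner only tells you which keys to triage: a key alone does not reveal which software generated it, so any P-521 key that may have come from affected software should be rotated.

```python
import base64
import re
import struct

# Version boundaries from this advisory. PuTTY 0.68 through 0.80 is affected;
# the other products are fixed at the versions listed under Mitigations.
PUTTY_FIRST_VULNERABLE = (0, 68)
FIXED_VERSIONS = {
    "PuTTY": (0, 81),
    "FileZilla": (3, 67, 0),
    "WinSCP": (6, 3, 3),
    "TortoiseGit": (2, 15, 1),
    "TortoiseSVN": (1, 14, 7),
}
VULNERABLE_KEY_TYPE = "ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
PPK_HEADER = re.compile(r"^PuTTY-User-Key-File-\d+:\s*(\S+)")


def parse_version(text):
    """'6.3.3' -> (6, 3, 3); 'v3.66.5' -> (3, 66, 5)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable_version(product, version):
    """True if this product version still ships the biased P-521 signing code."""
    v = parse_version(version)
    if product == "PuTTY" and v < PUTTY_FIRST_VULNERABLE:
        return False
    return v < FIXED_VERSIONS[product]


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob, offset):
    """Decode one SSH wire-format string from blob at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_algorithm(line):
    """Algorithm name stored inside an OpenSSH public-key line, taken from the
    base64 blob rather than the leading label, so a mislabelled line is
    reported by what the key actually is. Returns None if the line is not a key."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    for i, token in enumerate(parts[:-1]):
        if not token.startswith(KEY_TYPE_PREFIXES):
            continue  # skip authorized_keys options such as no-pty,from="..."
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
            name, _ = read_ssh_string(blob, 0)
        except (ValueError, struct.error):
            return None
        return name.decode("ascii", errors="replace")
    return None


def ppk_algorithm(line):
    """Algorithm named in the first line of a PuTTY .ppk file, else None."""
    match = PPK_HEADER.match(line)
    return match.group(1) if match else None


def find_p521_keys(lines):
    """Return [(line_number, algorithm)] for every key line that uses P-521."""
    hits = []
    for number, line in enumerate(lines, 1):
        algorithm = key_algorithm(line) or ppk_algorithm(line)
        if algorithm == VULNERABLE_KEY_TYPE:
            hits.append((number, algorithm))
    return hits


def _ecdsa_pub_line(curve, comment, options=""):
    # Constructed sample: the public point is dummy bytes, not a real key.
    alg = f"ecdsa-sha2-{curve}"
    point = b"\x04" + b"\x00" * 132
    blob = ssh_string(alg.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    prefix = f"{options} " if options else ""
    return f"{prefix}{alg} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample lines, as a scan of ~/.ssh might see them.
SAMPLE_LINES = [
    "# constructed sample: authorized_keys entries followed by a .ppk header",
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32)).decode() + " ops@bastion",
    _ecdsa_pub_line("nistp521", "admin@laptop", options='no-pty,from="10.0.0.0/8"'),
    _ecdsa_pub_line("nistp256", "build@ci"),
    "PuTTY-User-Key-File-3: ecdsa-sha2-nistp521",
]


if __name__ == "__main__":
    for number, algorithm in find_p521_keys(SAMPLE_LINES):
        print(f"line {number}: {algorithm} key, regenerate if created by affected software")
    for product, version in [("PuTTY", "0.80"), ("WinSCP", "6.3.3"), ("FileZilla", "3.66.5")]:
        state = "vulnerable" if is_vulnerable_version(product, version) else "fixed"
        print(f"{product} {version}: {state}")
```

In practice you would feed find_p521_keys() the lines of every authorized_keys and .pub file on your servers as well as any .ppk files on workstations, then remove the matching public keys from the servers once replacements are in place.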

Affected Applications

Per the MITRE CVE Dictionary entry, the following applications are impacted by this vulnerability:
•    FileZilla before v3.67.0
“Version 3.67.0 (2024-04-15)”
Fixed vulnerabilities:
SFTP: Fixed PuTTY ECDSA NIST P-521 private key recovery vulnerability (CVE-2024-31497). If you use NIST P-521 keys to connect to SSH/SFTP servers, you should regenerate them and revoke the previous ones.
Official binaries are now built against GnuTLS 3.8.4
Bugfixes and minor changes:
Updated to libfilezilla 0.47.0

“Version 3.66.5 (2024-02-07)”
Fixed vulnerabilities:
Official binaries are now built against GnuTLS 3.8.3
Bugfixes and minor changes:
Updated to libfilezilla 0.46.0
MSW: Fixed tab navigation over message log

•    WinSCP before 6.3.3

“Version 6.3.3 (2024-04-16)”

1. SSH core and SSH private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.81. It brings the following change: Security fix for CVE-2024-31497: NIST P521/ecdsa-sha2-nistp521 signatures are no longer generated with biased values of k. The previous bias compromises private keys (2285, vuln-p521-bias).
2. Translation updated: Belarusian.
3. XML parser upgraded to Expat 2.6.2.
4. Support for TortoiseMerge in Compare Files extension (2279).
5. Bug fix: File panel does not have focus after Login in Explorer interface (2276).
6. Bug fix: Failure when closing the last remote tab (2283).
7. Bug fix: Copy and paste to another application in Store installation sometimes does not work (2284).

“Version 6.3.2 (2024-03-12)”

1. Translation updated: Belarusian.
2. XML parser upgraded to Expat 2.6.1.
3. Optimized startup when right panel local directory tree is not visible.
4. Workaround for SFTP servers (Cisco) which omit message field from status response (2272).
5. Bug fix: Password pipe cannot be used to open a session in an existing instance (2265).
6. Bug fix: Hang when canceling connection while reading remote directory (2266).
7. Bug fix: Failure when canceling FTP connection while reading remote directory (2267).
8. Bug fix: Cannot start on Windows XP (2268).
9. Bug fix: Installation hangs when adding installation path to search path when executed in session 0 (2270).
10. Bug fix: Misplaced stored site use warning in scripting when session name is specified (2271).
11. Bug fix: Correcting neon version in About box and logs.


•    TortoiseSVN through 1.14.6
Version 1.14.6
1. BUG: context menu for a directory background in Win11 when not using the first tab in explorer used the wrong path. (Stefan)
2. BUG: the revision graph did not show the HEAD revision if not all revisions were shown. (Stefan)
3. BUG: context menu items in Win11 did show up but didn't invoke the command. (Stefan)
4. BUG: TMerge didn't properly restore line numbers when undoing pasting multiple lines. (Daniel Sahlberg)
5. BUG: Project monitor duplicated the list of Users to ignore every time a project was edited. (Daniel Sahlberg)
6. BUG: Project monitor kept an error status on a project that had temporary connection issues, even after the next connection was successful. (Daniel Sahlberg)
7. NEW: added a menu item in Project monitor to check one specific project. (Daniel Sahlberg)
8. NEW: added an advanced setting to control the default value of Allow mixed revisions (not recommended) in the Merge options dialog. (Daniel Sahlberg)
9. BUG: TortoiseBlame didn't restore saved window position. (Stefan)

Mitigations
The vulnerability has been fixed in the latest versions of the affected products:
•    PuTTY 0.81
•    FileZilla 3.67.0
•    WinSCP 6.3.3
•    TortoiseGit 2.15.1
•    TortoiseSVN 1.14.7

Users are strongly advised to update to these patched versions as soon as possible to mitigate the risk of private key compromise. Because updating does not repair keys that were already generated by a vulnerable version, any NIST P-521 key created with affected software should also be regenerated and the previous key revoked.
