GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

GYM Management System 1.0 Insecure Settings

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data.…

A hacker known as IntelBroker claims to have breached the UK-based company Experience Engine, allegedly exposing sensitive data. The hacker is selling the data on an online forum, raising concerns about data security for affected clients and businesses.

The notorious IntelBroker hacker has claimed responsibility for breaching Experience Engine, a UK-based company that provides experiential marketing and promotional staffing services. The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data on Breach Forums, demanding payment in **Monero** (XML) cryptocurrency to remain anonymous and untraceable.

****Who is Experience Engine?****

Experience Engine, founded over 20 years ago, specializes in creating experiential marketing and promotional staffing solutions. With a global reach and a client base that includes major corporations; they work across sectors such as tech, public sectors, and fast-moving consumer goods (FMCG) brands, offering a network of over 1,200 “Experience Engineers™.”

These professionals are tech-trained to help businesses engage with customers through activations, events, and brand ambassador roles. The company claims to offer access to over 200,000 properties worldwide, focusing on integrating campaigns and humanizing complex technological messages for brands.

Screenshot from Experience Engine’s website highlighting its portfolio

****The Alleged Breach****

According to IntelBroker, the breach occurred in September and involves a trove of sensitive data. The hacker is also offering to sell entire .bak database files, which contain a large amount of client and transactional information. IntelBroker has even provided sample data, which includes details from tables such as dbo.invoice and dbo.booking_backup, containing thousands of rows of sensitive records.

One of the notable tables, dbo.invoice, includes 31,000 rows of data, with fields such as InvoiceID, InvoiceNumber, and InvoiceDate, alongside client-specific information such as contact details and invoice amounts. For instance, one invoice dated October 3, 2006, references Thomas Cook, a now-defunct global travel group, headquartered in the United Kingdom with payment details and banking information related to a booking at the now permanently closed Thirty Thirty New York City Hotel.

InterBorken hacker on Breach Forums (Screenshot: Hackread.com)

Another table, dbo.booking_backup, contains 784,000 rows of data, featuring sensitive customer information such as names, addresses, emails, booking histories, and revenue data. Among the entries are details of clients from the UK, United States, and Saint Lucia, with personal information, email addresses, and booking records all included.

The data sample provided by IntelBroker reveals alarming details of the alleged breach. The exposed data includes highly sensitive information, including financial transactions, customer contact details, and bank account numbers.

For instance, a sample from the dbo.invoice table analyzed by the Hackread.com research team shows details of an invoice amounting to $4699.36, with full banking details for the recipient. The booking records reveal customer names, addresses, and even room revenue from bookings, which can put individuals’ privacy and financial security at risk.

Moreover, the nature of the alleged data breach suggests that Experience Engine’s security protocols may have been insufficient to prevent this large-scale leak. Given that the company manages promotional staffing and experiential campaigns for global brands, the impact on their reputation could be severe.

****IntelBroker’s Dark History****

IntelBroker is no stranger to the hacking world. The hacker has been linked to several high-profile breaches, including the following organisations:

*   **Europol**
*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **U.S. contractor Acuity Inc.**
*   **Staffing giant Robert Half**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

(Screenshot: Hackread.com)

The alleged breach of Experience Engine adds another company to IntelBroker’s cybercrime portfolio. With millions of sensitive records potentially exposed, the fallout from this breach could have long-lasting consequences.

Hackread.com has reached out to Experience Engine for comment. If and when the company responds the article will be updated accordingly. Stay tuned!

1.  **UK’s Freecycle Data Breach Impacts 7 Million Users**
2.  **Exposed ICS in the US, and UK Threaten Water Supplies**
3.  **NCA Arrests Teenager in Walsall Over TfL Cyber Attack**
4.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
5.  **UK Criminal Records Office Down in Potential Ransomware Attack**

Hacker Claims Breach of UK’s Experience Engine, Data Sold Online

Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information.
The development was first reported by The Washington Post on Friday.
The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle

Spyware / Threat Intelligence

Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information.

The development was first reported by The Washington Post on Friday.

The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants.

"At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case."

"While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk."

Apple originally filed the lawsuit against the Israeli company in November 2021 in an attempt to hold it accountable for illegally targeting users with its Pegasus surveillance tool.

It described NSO Group, a subsidiary of Q Cyber Technologies Limited, as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."

Earlier this January, a federal judge denied a motion from NSO Group to dismiss the lawsuit under the grounds that the company is "based in Israel and Apple should have sued them there," with the court stating that "the anti-hacking purpose of the CFAA fits Apple's allegations to a T, and NSO has not shown otherwise."

In its motion for voluntary dismissal, Apple said three major developments have been a contributing factor: The risk that the threat intelligence information it has developed to protect users against spyware attacks could be exposed, pointing to a July 25, 2024, report from The Guardian.

The British newspaper revealed that Israeli officials had seized documents from NSO Group in July 2020 in an apparent effort to stop the handover of information about the notorious hacking tool as part of the company's ongoing legal tussle with Meta-owned WhatsApp, which filed a similar lawsuit in 2019.

"The seizures were part of an unusual legal maneuver created by Israel to block the disclosure of information about Pegasus, which the government believed would cause 'serious diplomatic and security damage' to the country," The Guardian noted at the time.

Apple also cited as reasons for changing dynamics in the commercial spyware industry and the proliferation of different spyware companies, as well as the possibility of revealing to third-parties "the information Apple uses to defeat spyware while defendants and others create significant obstacles to obtaining an effective remedy."

The development comes as the Atlantic Council divulged that the individuals behind some of the spyware vendors in Israel, Italy, and India that have come under the scanner for enabling authoritarian regimes to spy on human rights advocates, opposition leaders, and journalists have sought to rename them, start new ones, or undertake strategic jurisdiction hopping.

Case in point, Intellexa, the now-sanctioned company behind the Predator spyware, has resurfaced with new infrastructure in connection with its ongoing use by likely customers in countries such as Angola, the Democratic Republic of the Congo (DRC), and Saudi Arabia.

"Predator's operators have significantly enhanced their infrastructure, adding layers of complexity to evade detection," the cybersecurity company's Insikt Group said.

"The new infrastructure includes an additional tier in its multi-tiered delivery system, which anonymizes customer operations, making it even harder to identify which countries are using the spyware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

Plus: New evidence emerges about who may have helped 9/11 hijackers, UK police arrest a teen in connection with an attack on London’s transit system, and Poland’s spyware scandal enters a new phase.

After Apple's product launch event this week, WIRED did a deep dive on the company's new secure server environment, known as Private Cloud Compute, which attempts to replicate in the cloud the security and privacy of processing data locally on users' individual devices. The goal is to minimize possible exposure of data processed for Apple Intelligence, the company's new AI platform. In addition to hearing about PCC from Apple's senior vice president of software engineering, Craig Federighi, WIRED readers also received a first look at content generated by Apple Intelligence's “Image Playground” feature as part of crucial updates on the recent birthday of Federighi's dog Bailey.

Turning to privacy protection of a very different kind in another new AI service, WIRED looked at how users of the social media platform X can keep their data from being slurped up by the “unhinged” generative AI tool from xAI known as Grok AI. And in other news about Apple products, researchers developed a technique for using eye tracking to discern passwords and PINs people typed using 3D Apple Vision Pro avatars—a sort of keylogger for mixed reality. (The flaw that made the technique possible has since been patched.)

On the national security front, the US this week indicted two people accused to spreading propaganda meant to inspire “lone wolf” terrorist attacks. The case, against alleged members of the far-right network known as the Terrorgram Collective, marks a turn in how the US cracks down on neofascist extremists.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ChatGPT Tricked Into Revealing Instructions for Making Fertilizer Bombs After Being Led Deep Into Fantasy Storytelling**

OpenAI's generative AI platform ChatGPT is designed with strict guardrails that keep the service from offering advice on dangerous and illegal topics like tips on laundering money or a how-to guide for disposing of a body. But an artist and hacker who goes by “Amadon” figured out a way to trick or “jailbreak” the chatbot by telling it to “play a game” and then guiding it into a science-fiction fantasy story in which the system's restrictions didn't apply. Amadon then got ChatGPT to spit out instructions for making dangerous fertilizer bombs. An OpenAI spokesperson did not respond to TechCrunch's inquiries about the research.

“It’s about weaving narratives and crafting contexts that play within the system’s rules, pushing boundaries without crossing them. The goal isn’t to hack in a conventional sense but to engage in a strategic dance with the AI, figuring out how to get the right response by understanding how it ‘thinks,’” Amadon told TechCrunch. “The sci-fi scenario takes the AI out of a context where it’s looking for censored content … There really is no limit to what you can ask it once you get around the guardrails.”

**New Evidence Indicates That at Least Two Saudi Officials May Have Helped 9/11 Hijackers**

In the fervent investigations following the September 11, 2001, terrorist attacks in the United States, the FBI and CIA both concluded that it was coincidental that a Saudi Arabian official had helped two of the hijackers in California and that there had not been high-level Saudi involvement in the attacks. The 9/11 commission incorporated that determination, but some findings indicated subsequently that the conclusions might not be sound. With the 23-year anniversary of the attacks this week, ProPublica published new evidence “suggest\[ing\] more strongly than ever that at least two Saudi officials deliberately assisted the first Qaida hijackers when they arrived in the United States in January 2000.”

The evidence comes primarily from a federal lawsuit against the Saudi government brought by survivors of the 9/11 attacks and relatives of victims. A judge in New York will soon make a decision in that case about a Saudi motion to dismiss. But evidence that has already emerged in the case, including videos and documents such as telephone records, points to possible connections between the Saudi government and the hijackers.

“Why is this information coming out now?” said retired FBI agent Daniel Gonzalez, who pursued the Saudi connections for almost 15 years. “We should have had all of this three or four weeks after 9/11.”

**British Teenager Arrested in Investigation of Cyberattack on London Transportation Agency**

The United Kingdom's National Crime Agency said on Thursday that it arrested a teenager on September 5 as part of the investigation into a cyberattack on September 1 on the London transportation agency Transport for London (TfL). The suspect is a 17-year-old male and was not named. He was “detained on suspicion of Computer Misuse Act offenses” and has since been released on bail. In a statement on Thursday, TfL wrote, “Our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details, including email addresses and home addresses where provided.” Some data related to the London transit payment cards known as Oyster cards may have been accessed for about 5,000 customers, including bank account numbers. TfL is reportedly requiring roughly 30,000 users to appear in person to reset their account credentials.

**Polish Court Blocks Investigation Into Apparent Spyware Abuses by Previous Government Administration**

In a decision on Tuesday, Poland’s Constitutional Tribunal blocked an effort by Poland's lower house of parliament, known as the Sejm, to launch an investigation into the country's apparent use of the notorious hacking tool known as Pegasus while the Law and Justice (PiS) party was in power from 2015 to 2023. Three judges who had been appointed by PiS were responsible for blocking the inquiry. The decision cannot be appealed. The decision is controversial, with some, like Polish parliament member Magdalena Sroka, saying that it was “dictated by the fear of liability.”

Security News This Week: A Creative Trick Makes ChatGPT Spit Out Bomb-Making Instructions

A new Android malware called Trojan Ajina.Banker is targeting Central Asia – Discover how this malicious malware disguises…

A new Android malware called Trojan Ajina.Banker is targeting Central Asia – Discover how this malicious malware disguises itself as legitimate apps to steal banking information and intercept 2FA messages. Learn about the tactics used by the attackers and how to protect yourself from this growing threat.

Central Asia has become the target of a malicious new campaign distributing Android malware dubbed “Ajina.Banker.” Discovered by Group-IB in May 2024, Ajina.Banker has been wreaking havoc since November 2023 and around 1,400 unique variants of the malware were identified by researchers.

The malware is named after a malevolent Uzbek mythical spirit known for deception, shape-shifting, and chaos. Ajina.Banker targets unsuspecting users by masquerading as trusted applications like banking services, government portals, and everyday utilities “to maximize infection rates and entice people to download and run the malicious file, thereby compromising their devices.”

The malware primarily spreads through social engineering tactic on messaging platforms like Telegram. Attackers create numerous accounts to distribute malicious links and files disguised as enticing offers, promotions, or even local tax authority apps. Users lured by the promise of “lucrative rewards” or “exclusive access” unknowingly download and install the malware, compromising their devices.

The attackers also employ a multi-pronged approach, sending messages with just the malicious file attached, exploiting user curiosity. Additionally, they share links to channels hosting the malware, bypassing security measures in place on some community chats.

Ajina used themed messages and localized promotion strategies to create a sense of urgency and excitement in regional community chats, urging users to click on links or download files without suspecting malicious intent. These campaigns were conducted across multiple accounts, sometimes simultaneously, indicating a coordinated effort.

While primarily targeting users in Uzbekistan, Ajina.Banker’s reach extends beyond borders. The malware collects information on installed financial applications from various countries, including Armenia, Azerbaijan, Iceland, and Russia. Additionally, it gathers SIM card details and intercepts incoming SMS messages, potentially capturing 2FA codes for financial accounts.

The malware exhibits a concerning level of adaptability. The analysis reveals two distinct versions – com.example.smshandler and org.zzzz.aaa – suggesting ongoing development. Newer versions showcase additional functionalities, including the ability to steal user-provided phone numbers, bank card details, and PIN codes.

Group-IB’s investigation suggests Ajina.Banker operates on an affiliate program model. A core group manages the infrastructure, while a network of affiliates handles distribution and infection chains, likely incentivized by a share of the stolen funds.

To protect yourself and your devices from Ajina.Banker and similar threats, be cautious of unsolicited messages and downloads, stick to trusted app stores like Google Play Store, scrutinize app permissions, install security software, and stay updated on the latest malware threats and best practices for mobile security.

Rocky Cole, Co-Founder and COO of mobile device security company iVerify shared his comments about this cunning new campaign with Hackread.com:

“Credential theft is the number one action being taken by threat actors. It’s so easy to steal credentials on phones where smaller screens, lower attention spans, lack of training, and the mixing of personal and professional use cases put people at risk. This new Android malware is just a continuation of that trend and a prime example of why phones should be running EDR platforms to detect malicious APKs and social engineering attempts.”

1.  **Hackers using Google Sites to spread banking malware**
2.  **Google reveals spyware attack on Android, iOS, and Chrome**
3.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple, Google**
4.  **V3B Phishing Kit Steals Logins and OTPs from EU Banking Users**
5.  **Android Banking Malware FjordPhantom Steals Via Virtualization**

New Android Malware Ajina.Banker Steals 2FA Codes, Spreads via Telegram

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard.
The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865.
"A novel attack that can infer eye-related biometrics from the avatar image to

Virtual Reality / Vulnerability

Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard.

The attack, dubbed **GAZEploit**, has been assigned the CVE identifier CVE-2024-40865.

"A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing," a group of academics from the University of Florida said.

"The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar."

Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.

"Inputs to the virtual keyboard may be inferred from Persona," it said in a security advisory, adding it resolved the problem by "suspending Persona when the virtual keyboard is active."

In a nutshell, the researchers found that it was possible to analyze a virtual avatar's eye movements (or "gaze") to determine what the user wearing the headset was typing on the virtual keyboard, effectively compromising their privacy.

As a result, a threat actor could, hypothetically, analyze virtual avatars shared via video calls, online meeting apps, or live streaming platforms and remotely perform keystroke inference. This could then be exploited to extract sensitive information such as passwords.

The attack, in turn, is accomplished by means of a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities (e.g., watching movies or playing games).

In the subsequent step, the gaze estimation directions on the virtual keyboard are mapped to specific keys in order to determine the potential keystrokes in a manner such that it also takes into account the keyboard's location in the virtual space.

"By remotely capturing and analyzing the virtual avatar video, an attacker can reconstruct the typed keys," the researchers said. "Notably, the GAZEploit attack is the first known attack in this domain that exploits leaked gaze information to remotely perform keystroke inference."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

A technique to abuse Microsoft's built-in source code editor has finally made it into the wild, thanks to China's Mustang Panda APT.

Source: Postmodern Studio via Alamy Stock Photo

A Chinese state-aligned espionage group has become the first documented threat actor to weaponize a known exploit in VS Code in a malicious attack.

Visual Studio Code, or VS Code, is Microsoft's free source code editor for Windows, Linux, and macOS. According to Stack Overflow's 2023 survey of 86,544 developers, it's the most popular integrated development environment (IDE) among both new (78%) and professional developers (74%), by some distance. The next most popular IDE, Visual Studio, was used by 28% of respondents.

In September 2023, a threat researcher described how an attacker could take advantage of a VS Code feature called "Tunnel" to gain initial access to a target's environment. Initially, the tactic was just fodder for red teaming. Now, according to Palo Alto Networks' Unit 42, China's Mustang Panda (aka Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon) has used it in an espionage attack against a government entity in southeast Asia.

"The technique described requires an attacker to have previously gained code execution privileges on a target machine," a Microsoft spokesperson tells Dark Reading. "As a security best practice, we encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages or opening unknown files."

**Turning VS Code Into a Reverse Shell**

"One of the worst fears as a cybersecurity expert is detecting and preventing a signed reverse shell binary," Truvis Thornton wrote, a whole year prior to Unit 42's latest research. "Guess what? Microsoft gladly gave us one."

First introduced in July 2023, VS Code Tunnel allows users to share their VS Code environments on the open Web, and only requires authentication through a GitHub account.

An attacker with their victim's GitHub credentials could do damage, but much worse is the fact that one can remotely install a portable version of VS Code on a targeted machine. Because it's a legitimate signed binary, it will not be flagged as suspicious by security software.

And yet, it will walk and talk like a reverse shell. By running the command "code.exe tunnel," the attacker opens a GitHub authentication page, which they can log into with their own account. Then they're redirected to a VS Code environment connected to their target's system, and free to execute commands and scripts and introduce new files at will.

Mustang Panda — a 12-year-old advanced persistent threat (APT) known for espionage against governments, nongovernmental organizations (NGOs), and religious groups in Asia and Europe — used this playbook to perform reconnaissance against its target, drop malware, and, most importantly for its purposes, exfiltrate sensitive data.

**How to Deal with VSCode**

"While the abuse of VSCode is concerning, in our opinion, it is not a vulnerability," Assaf Dahan, director of threat research for Unit 42, clarifies. Instead, he says, "It's a legitimate feature that was abused by threat actors, as often happens with many legitimate software (take lolbins, for example)."

And there are a number of ways organizations can protect against a bring-your-own-VSCode attack. Besides hunting for indicators of compromise (IoCs), he says, "It's also important to consider whether the organization would want to limit or block the use of VSCode on endpoints of employees that are not developers or do not require the use of this specific app. That can reduce the attack surface." 

"Lastly, consider limiting access to the VSCode tunnel domains '.tunnels.api.visualstudio\[.\]com' or '.devtunnels\[.\]ms' to users with a valid business requirement. Notice that these domains are legitimate and are not malicious, but limiting access to them will prevent the feature from working properly and consequently make it less attractive for threat actors," he adds.

**A Second, Overlapping Attack**

While investigating the Mustang Panda attack, Unit 42 came across a second threat cluster occupying the same target's systems.

In this case, the attacker abused imecmnt.exe — a legitimate and signed file associated with Microsoft's Input Method Editor (IME), used for generating text in languages not conducive to the QWERTY keyboard — with some dynamic link library (DLL) sideloading. The file they dropped, ShadowPad, is a 7-year-old modular backdoor popular among Chinese threat actors.

This compromise occurred at the same time as the VS Code exploitation, often on the same endpoints, and the overlaps didn't end there. Still, researchers couldn't say for certain whether this second cluster of malicious activity could be attributed to Mustang Panda. "There could also be other possible scenarios to explain this connection," they wrote. "For example, it could be a joint effort between two Chinese APT groups or perhaps two different groups piggybacking on each other's access."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft VS Code Undermined in Asian Spy Attack

Most investors aren't demanding cybersecurity preparedness from startups, but founders should still be worried about the risks.

Source: Illia Uriadnikov via Alamy Stock Photo

It was a tale of two startups.

"A company that I invested in — about, oh, five years ago — happened to be in the proptech \[property technology\] space," said David Rose, managing partner at Rose Tech Ventures, during a panel at Cybertech NYC last week. The property tech startup he was referring to helped people build their credit by paying their rent with credit cards. "So it was a really cool company, \[and\] it was going great. And then it turned out they had been hit by scammers, who were setting up fake buildings and fake credit cards, using them \[for fraud\]. And the entire company blew up because of that."

Another company from one of Rose's protégés had a similar idea and business model, but because the company had better security, it was able to grow. "So you see a company that had really interesting ideas, demonstrated a great potential, smart guys, but the company got killed because of cyber," Rose noted.

Startups are valued for their forward thinking, their financials, and their talent. No investment negotiation has ever broken down over the issue of cyber preparedness. Yet, clearly, an incident can be catastrophic to a promising but volatile new business, and anecdotal evidence suggests investors and founders alike are starting to take that risk seriously.

**The Threat to Startups**

Volt Typhoon, the Chinese advanced persistent threat (APT) du jour, has compromised critical infrastructure providers of every kind — Internet service providers, electric utilities, wastewater treatment, energy, and more — on multiple continents, targeting military organizations along the way. Its attacks are of the highest caliber among known APTs. But a few weeks ago, it went after a different type of prey: a startup.

Versa Networks attracted a lot of attention with its secure access service edge (SASE) software-as-a-service offering and earned $120 million in pre-IPO funding in October 2022. Less headline-grabbing was a bug in its software-defined wide area networking (SD-WAN) technology (CVE-2024-39717). The vulnerability — rated as "high" severity with a CVSS score of 7.2 — allowed Volt Typhoon to push a custom, credential-grabbing Web shell through the Versa Director platform, allowing the attackers to breach four Versa customers in the United States and one in India.

Though attacks and breaches can happen to any company, startups like Versa Networks, security camera firm Verkada — which was fined $3 million by the FTC last month following its breach where attackers took over customer cameras — and Rose's proptech failure are particularly vulnerable. Like any small or medium-sized businesses, they might struggle with budgets and resource allocation. More so than other businesses, though, startups sell excitement and promise. Where a typical business might aim to be secure, but simply lack the money and manpower to do it right, startups that aim to move fast and break things might simply deprioritize a cost that does not incur growth.

As Rose told Dark Reading at Cybertech, "In the case of the company that I mentioned, it \[cybersecurity\] hadn't even occurred to them. They were thinking about the upside \[of the business\], not the downside."

Unfortunately, the answer to securing startups isn't straightforward.

**When Startups Need to Think About Security**

When established companies shift their attention to beefing up their cybersecurity, they typically invest in personnel, training, and layered security software (among other things). But as Rose points out, "Virtually no founders we are speaking with are facing cyber security challenges because they don't have any product!"

Startup security is a more nuanced matter which largely rests on timing, explains Bob Ackerman, founder and managing director of the early-stage VC company AllegisCyber.

"When you're looking at a stage zero startup, security probably is not the number one consideration. It's, 'Is this a good idea?', 'Can this team perform?', 'Is there actually a business here?' But as companies gather steam, establish critical mass, the consequences of getting cybersecurity wrong increase," Ackerman says.

"Usually a mid-stage or later-stage company has enough cybersecurity questions for it to be obvious that we need a security team, a security program, \[and\] a security budget as well," says Will Lin, author of The VC Field Guide. "If I were to force a number, I would say that for companies over, say, 3,000 employees, it starts becoming more of a key topic for investors."

Lin cautions, though, that needs vary widely across companies of different kinds.

"You might find very, very large organizations — even above 3,000 people, for example — that have a tiny, three-person-or-less security team, and then you might find a small organization of 200 people spending quite a lot per year on security. Security budgets and programs and everything tends to be more reactive than \[saying\] 'Obviously, the next step of the company is we need to do X, Y, Z," Lin explains.

The variation occurs not just due to size and maturity, Ackerman adds, but also industry.

"Maybe a financial services company is going to have cyber risk exposure, and so \[be\] aware of it from a very early stage, particularly in sectors like financial services, where there is a lot of personally identifiable information, or anything in supply chain, where a compromise could be disruptive and have an adverse consequence," he says.

**Nudging Security to a Higher Priority**

According to a February survey from business insurance company Embroker, more than two thirds of founders have experienced a cyberattack against one of their businesses.

Founders seem to be extra cautious about security. In the survey, 86% reported owning some kind of cyber insurance, and 71% were considering additional security protections in addition to having insurance. About a third (31%) of the respondents reported being more concerned with security than they were the year prior.

Those who aren't thinking about cybersecurity may be nudged into doing something by the investors themselves. As Rose points out, "One of the things that we have on our standard investor checklist when we do full-on due diligence is: What is your cybersecurity plan? How is it going to work? Actually, in many cases, it's the first time anybody ever asked the startup founder about security."

He continues, "I would be very happy if they have something in their deck — at least in their appendix to their deck — which would say: 'Here's our thoughts, here's our plan, here's our vulnerability.' Just tell me that you've actually given more than two-and-a-half minutes worth of thought to the subject, and you will be ahead of 95% of other companies."

More mature, later-stage startups need to start making material investments, and hiring for executive positions, he explains, "And if you're a platform business that is open to the public, and you've got any kind of money going anywhere, then you damn well better have a really serious plan."

"If the world was under my control, I would say: Yes, as a startup founder with no paying clients until next year, I want you thinking about building in security from day one. But because that doesn't tie out to dollars day one — and startups are always pressed for dollars, always trying to move fast and break things — that's a very hard sell," he admits.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

When Startup Founders Should Start Thinking About Cybersecurity

Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

**Hey Siri, google “Apple phone support”**

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent _index.html_ template:

During an active campaign, they can easily swap phone numbers in case one got reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone dialog menu. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

**Risks and mitigations**

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters will ask for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail them directly or share their profile with other scammers who will pretend to help from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominance in the computer market share. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#apple