A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.
The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.
"

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.

The black hat SEO cluster has been codenamed **DragonRank** by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.

"DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said.

The attacks have led to compromises of 35 Internet Information Services (IIS) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021.

It's specifically designed to facilitate proxy ware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its customers (i.e., other threat actors) and their victims.

On top of that, it can modify the content served to search engines to manipulate search engine algorithms and boost the ranking of other websites of interest to the attackers.

"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the \[detection of\] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," security researcher Zuzana Hromcova told The Hacker News at the time.

The latest set of attacks highlighted by Talos spans a broad spectrum of industry verticals, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.

The attack chains commence with taking advantage of known security flaws in web applications like phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to introduce supplemental tools into the targets' environment.

The primary objective of the campaign is to compromise the IIS servers hosting corporate websites, abusing them to implant the BadIIS malware and effectively repurposing them as a launchpad for scam operations by utilizing keywords related to porn and sex.

Another significant aspect of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.

"The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results," Chen explained. "They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings."

One important way DragonRank distinguishes itself from other black hat SEO cybercrime groups is in the manner it attempts to breach additional servers within the target's network and maintain control over them using PlugX, a backdoor widely shared by Chinese threat actors, and various credential-harvesting programs such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.

Although the PlugX malware used in the attacks relies on DLL side-loading techniques, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load the PlugX without tripping any alarms.

Evidence unearthed by Talos points to the threat actor maintaining a presence on Telegram under the handle "tttseo" and the QQ instant message application to facilitate illegal business transactions with paying clients.

"These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients' needs," Chen added.

"Customers can submit the keywords and websites they wish to promote, and DragonRank develops a strategy suited to these specifications. The group also specializes in targeting promotions to specific countries and languages, ensuring a customized and comprehensive approach to online marketing."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

Windows Security / Vulnerability

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

*   **CVE-2024-38014** (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
*   **CVE-2024-38217** (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
*   **CVE-2024-38226** (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
*   **CVE-2024-43491** (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, Focus and Thunderbird
*   NVIDIA
*   ownCloud
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Spring Framework
*   Synology
*   Veeam
*   Zimbra
*   Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical.

Tuesday, September 10, 2024 15:30

Microsoft disclosed four vulnerabilities that are actively being exploited in the wild as part of its regular Patch Tuesday security update this week in what’s become a regular occurrence for the company’s patches in 2024. 

Two of the zero-day vulnerabilities, CVE-2024-38226 and CVE-2024-38014, exist in the Microsoft Publisher software and Windows Installer, respectively. Last month, Microsoft disclosed six vulnerabilities in its Patch Tuesday that were already being exploited in the wild.  

In all, September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also fixed a security issue that had already been publicly disclosed: CVE-2024-38217, a vulnerability in Windows Mark of the Web that could allow an adversary to bypass usual MOTW detection techniques.  

Cisco Talos’ Vulnerability Research team also discovered an information disclosure vulnerability in the AllJoyn API that could allow an adversary to access uninitialized memory. CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.  

The most serious of the issues included in September’s Patch Tuesday is CVE-2024-43491, which has a severity score of 9.8 out of 10. CVE-2024-43491, a remote code execution issue in Windows Update, is considered “more likely” to be exploited, though Microsoft disclosed few details about the nature of this vulnerability. 

There are also four remote code execution vulnerabilities in SharePoint Server that are also considered “more likely” to be exploited: CVE-2024-38018, CVE-2024-38227, CVE-2024-38228 and CVE-2024-43464. 

In the case of the latter three vulnerabilities, an authenticated attacker with Site Owner permissions can inject arbitrary code and execute code in the context of SharePoint Server. However, an attacker only needs to have Site Member permissions to exploit CVE-2024-38018. 

CVE-2024-38226, one of the zero-days disclosed this week, is a security feature bypass vulnerability in Microsoft Publisher that could allow an attacker to bypass the default Microsoft Office macro policies used to block untrusted or malicious files. An adversary could exploit this vulnerability by tricking a user into opening a specially crafted, malicious file in Microsoft Publisher, which could lead to a local attack on the victim’s machine. Macros have been blocked by default on Office software to prevent attackers from hiding malicious code in them.  

Another vulnerability being actively exploited in the wild, CVE-2024-38014, is an issue in Windows Installer that could allow an adversary to gain SYTEM-level privileges. This issue affects Windows 11, version 24H2, which is currently only available on certain Microsoft Copilot+ devices, among other older versions of Windows 10 and 11. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63979 - 63984 and 63987 - 63994. There are also Snort 3 rules 301008 - 301013.

Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score

A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.

Source: Chris Willson via Alamy Stock Photo

One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.

**Mustang Panda's Quick Attacks, Custom Malware**

This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.

Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.

"Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region," Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.

**Evolution of Previous APT Tactics**

The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.

In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.

"This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same," the researchers noted in the post.

The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, and PTSOCKET, a which is used as an alternative exfiltration option.

**Spear-Phishing Delivers Multistage Attack**

Separately, a "fast-paced" spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.

Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader for downloading a decoy document and shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.

The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.

"The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16\[.\]162\[.\]188\[.\]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region," they wrote.

The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise "continuous vigilance" and "updated defensive measures" in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. "Earth Preta has remained highly active in APAC," they wrote, "and will likely remain active in the foreseeable future."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mustang Panda Feeds Worm-Driven USB Attack Strategy

Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

DragonRank, a Chinese-speaking SEO manipulator service provider

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Akira Ransomware Actors Exploit SonicWall Bug for RCE

POMS version 1.0 suffers from an ignored default credential vulnerability.

**POMS 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

POMS version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | e96b4926531826f22ee72eeb7f339d7761192178a35f69af5d5141abbc8b63c1

Download | Favorite | View

**POMS 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : POMS v1.0 Insecure Settings Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

POMS 1.0 Insecure Settings

Pharmacy Management System version version 1.0 suffers from an ignored default credential vulnerability.

**Pharmacy Management System version 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

Pharmacy Management System version version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 6c367c1c4b085e72851f370194180a14f132217419dbc26645d989d1f50bd05c

Download | Favorite | View

**Pharmacy Management System version 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Pharmacy Management System version 1.0 Insecure Settings Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/demoocom/admin/?page=user/manage_user&id=8Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

Pharmacy Management System version 1.0 Insecure Settings

PDF Generator Web Application version 1.0 suffers from an ignored default credential vulnerability.

**PDF Generator Web Application 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

PDF Generator Web Application version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit, web

SHA-256 | ea0edf3e01f27c48e18ff7db4471b92d0d058e7c65718cf02003efd67a75fb49

Download | Favorite | View

**PDF Generator Web Application 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : PDF Generator Web Application v1.0 Insecure Settings Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15243/pdf-generator-web-app-using-tcpdf-and-phpoop-free-source-code.html        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

Tag

#cisco