Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Webdenim AppUI 1.0 Insecure Direct Object Reference

Relive some of the major cybersecurity incidents and events that have shaped Talos over the past 10 years.

Wednesday, July 24, 2024 06:00

A lot has happened in Talos’ 10 years of existence. And to celebrate our birthday, we wanted to look back on some of the major moments in Talos’ history. Here’s an overview of some of the major events, cyber attacks, research breakthroughs and more that truly make Talos _Talos_. We hope this walk down memory lane inspires good times reminiscing, provides lessons learned from cyber attacks past, or PTSD from those late nights — whether you worked at Talos or not.

*   **2001:** Martin Roesch, the creator of Snort, founds Sourcefire.
*   **July 2013:** Cisco Systems announces an agreement to buy Sourcefire for $2.7 billion.
*   **April 2014:** Stakeholders from Sourcefire, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps) start meeting to discuss the formation of Talos — including what the name would be!
*   **August 2014:** Talos is formally launched at the BlackHat cybersecurity conference.
*   **March 2015:** Talos publishes breaking research on the POSeidon point-of-sale malware, one of the first major coordinated cyber attacks found under the Talos banner.
*   **Oct. 2015:** Talos helped to shut down the Angler exploit kit by shutting down access for customers by updating Cisco products to stop redirects to the Angler proxy servers, and releasing new Snort rules to detect and block checks from the exploit kit. At the time, we estimated that Angler was targeting more than 90,000 users a day and generating $30 million annually.     
*   **May 2017:** WannaCry, which to this day is one of the largest ransomware attacks ever, hits several notable victims, including FedEx and the National Health Service in the U.K. Attackers exploited the NSA-created EternalBlue exploit.

*   **May 2017:** The first-ever episode of Beers with Talos goes live.
*   **June 2017:** EternalBlue pops up again, this time with the Nyetya ransomware attack. The attackers primarily deployed the malware via a fake update to the Ukrainian-made MeDoc tax software.
*   **June 2017:** A team of Talosians comes first in the Fake News Challenge after creating a tool that uses advanced machine learning and artificial intelligence technology to detect fake headlines and misleading “facts.”
*   **Feb. 2018:** Talos’ discovered samples of malware used to disrupt various technologies at the Olympic Games in Japan, including ticket-taking operations during the Opening Ceremony. OlympicDestroyer would have ripple effects for months as we tried to figure out who exactly was (or wasn’t) behind the attack.
*   **May 2018:** Talos publishes our findings on VPNFilter, a massive malware campaign from Russian state-sponsored actors. At the time of publishing, we estimated that VPNFilter affected more than 500,000 internet-connected devices.

*   **Nov. 2018:** DNSpionage, a previously undiscovered malware, makes headlines for targeting a Lebanese airline and companies in the United Arab Emirates. Adversaries set up fake job application phishing pages hoping to infect targets with malicious Microsoft Word applications.
*   **Feb. 2019:** Talos releases our 3-D printed model of an oil pumpjack into the wild to demonstrate how an attacker could overload it if it exploits the human-machine interface the pump relies on.

*   **Oct. 2019:** Cisco Talos Incident Response is officially launched. Merging Incident Response from Cisco’s CX organization with Talos’ threat intelligence, Talos IR offers proactive and reactive assistance to customers around the world.
*   **May 2020:** Talos’ Vulnerability Research team takes part in the Microsoft Azure Sphere Research Challenge, eventually discovering 16 security vulnerabilities in the popular application platform. Talos was one of only a handful of teams selected for the challenge. Specifically, a vulnerability the team discovered made headlines for potentially allowing an adversary to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.
*   **Nov. 2020:** The infamous “pig couch” goes viral after a fake Craigslist ad for it spreads on social media. This somehow ended up with the Snort Twitter account also going viral, and Marty Roesch making it into The New York Times.

Via Craigslist

*   **Dec. 2020:** Capping off a string of major supply chain attacks, adversaries compromise the legitimate SolarWinds Orion IT management software to deploy malware via a fake software update.
*   **Jan. 2021:** Snort 3, the first major release for Snort in more than a decade, goes open-source.
*   **Dec. 2021:** Just days before the winter holidays, the internet nearly catches on fire with the infamous Log4shell vulnerability in Log4j.

*   **Feb. 2022:** The Russian military launches an offensive assault against Ukraine. Talos immediately responds to assist Ukraine, capitalizing on yearslong partnerships to help keep critical infrastructure online and users protected from a barrage of cyber attacks. We would also assist Talos teammates in staying protected, supporting them in moving to other countries.
*   **May 2022:** ClamAV, Sourcefire’s original anti-virus detection solution, turns 20 (and will finally go 1.0 a few months later!)
*   **April 2023:** Cisco and Talos help to launch the Network Resilience Coalition, a group of technology companies working to ensure users and companies upgrade and update their network infrastructure. The effort was launched after the discovery of JaguarTooth, a massive campaign targeting unpatched wireless routers.
*   **May 2023:** Talos enters the world of private sector offensive actors (PSOAs) by disclosing new technical details about the Predator spyware and its creator, Intellexa. Spyware from these so-called “mercenary groups” is still spreading, often being used to target potentially sensitive users like journalists, activists and politicians.
*   **December 2023:** Talos discloses the details of Project PowerUp, a cross-team effort to help protect Ukraine’s power grid and the GPS positioning it relies on. Spearheaded by Joe Marshall, the multi-national, multi-company global team of power grid security practitioners, who had never worked together before, built a device to help Ukraine keep the lights on.

*   **March 2024:** Talos releases SnortML, a machine learning-based detection engine for the Snort Intrusion prevention system.
*   **August 2024:** Talos celebrates its 10th anniversary — cheers to many more!

A (somewhat) complete timeline of Talos’ history

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

**LMS ZAI 6.1 Insecure Settings**

Posted Jul 23, 2024

Authored by indoushka

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ac6f91ffe20c571e57ac0c8a6aef0c5437b2d37e5f53c46ef41059f24100b7db

Download | Favorite | View

**LMS ZAI 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : LMS ZAI v6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/lmszai-learning-management-system/38383087                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 123456[+] https://www/127.0.0.1/www.mylmsin/admin/dashboardGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

LMS ZAI 6.1 Insecure Settings

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

**Quick Job 2.4 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | ed619defcb18f94880d7fdc150758b05fc052d89b88cf6c32eda99ac714a326b

Download | Favorite | View

**Quick Job 2.4 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Quick Job v2.4 IDOR Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://bylancer.com/demo/quickjob/                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/newjobcartcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Quick Job 2.4 Insecure Direct Object Reference

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.

Source: Rokas Tenys via Alamy Stock Photo

The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident which marks the first confirmed activity from GhostEmperor since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

**Infection Chain, Evasion Techniques**

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

**GhostEmperor Left a Global Trail**

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

**Chinese Threat Actors Multiply **

This month alone Chinese threat actors have been discovered targeting Internet cafes in China that allow attackers to execute malicious code with the highest privileges. 

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours targeting organizations globally, including repeated attacks on Australian networks. At the start of the month China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software for managing a variety of switches.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years

The vulnerability was given the highest CVSS score possible, though few details have been released due to its severity.

Source: designer491 via Alamy Stock Photo

Cisco has released a patch for a maximum-severity vulnerability, tracked as CVE-2024-20419, that allows threat actors to change any user or admin password.

The vulnerability carries a CVSS rating of 10, however, the company has not released many details about the bug, likely due to how high risk it is.

The attack complexity was deemed low, as no privileges or user interaction is necessary to complete the action, but the impact on the product's integrity, availability, and confidentiality are all deemed high.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," Cisco said in a statement. "A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

This vulnerability affects SSM On-Prem and SSM Satellite. There are no workarounds for the vulnerability, so it's recommended that users apply patches for the bug as soon as possible. 

Cisco has not released any additional information regarding this vulnerability in the wild or how many users have been potentially impacted. SSM On-Prem is primarily used by "financial institutions, utilities, service providers, and government organizations," according to the vendor, so organizations in these sectors should be especially wary. 

**About the Author(s)**

High-Severity Cisco Bug Grants Attackers Password Access

Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.

Thursday, July 18, 2024 14:00

Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach. 

We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.  

Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s going to be eventually.  

I took this as an opportunity to check for myself. The ever-popular Have I Been Pwned? says my personal email address has been involved in 14 breaches, some dating back to 2017 and one as recently as June.  

Thankfully, Trend Micro’s ID Protect says that my personal cell phone hasn’t been involved in any data breaches, but that certainly hasn’t stopped me from getting my fair share of spam texts and phone calls. 

Outside of those two search engines, I felt like this would be a good space to provide additional resources and advice for anyone reading this. Even if you haven’t been a part of the recent spate of data breaches, I think it’s a good idea to take these steps now anyway, because you never know when the next breach is going to happen.  

*   **Stop reusing passwords.** Use a free password manager to generate random, secure passwords for each new account you create. That way, if one of your passwords \*is\* leaked, it makes it impossible for adversaries to start using those leaked credentials to try and brute force their way into other accounts.  
*   Once you enroll in that password manager, use it to frequently update and rotate your passwords.  
*   **Enroll in multi-factor authentication.** Using any type of MFA will ensure bad actors aren’t using any leaked credentials to log into other devices, so even if they have a complete set of usernames and passwords, you can still deny their login.  
*   **Initiate a fraud alert** **to credit reporting agencies.** Of course, this only applies to users who live in the U.S. (though I’m sure other countries have something similar; I can only confidently write about the process in the U.S.). This will let potential lenders know that you may be the victim of fraudulent activity so they will take extra steps to ensure it’s actually you filling out a credit application.  
*   **If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.** We’ll be covering what identity monitoring does for users in tomorrow morning’s episode of Talos Takes, so stay tuned! 
*   **Set up a unique passcode needed to make changes to certain accounts.** AT&T is specifically advising customers to set up a passcode needed to prevent any significant account changes, such as porting phone numbers to another carrier.  

**The one big thing **

Speaking of data breaches, adversaries know that users and companies are concerned about this threat, too, and they’re leveraging that in phishing attacks and scams. Talos researchers recently observed an ongoing cryptocurrency heist scam since as early as January 2024, leveraging hybrid social engineering techniques such as vishing and spear phishing, impersonating individuals and legitimate authorities to compromise the victims by psychologically manipulating their trust with social skills. Impersonating investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign are using a lure theme of refunding a fake seized amount from a fraudulent trading activity in Opteck trading platform to compromise the victims. 

**Why do I care? **

This particular campaign seems to be successful, as wallets connected to the group have received tens of thousands of U.S. dollars in the Ethereum cryptocurrency. But this is also evidence of a broader trend on the threat landscape: Attackers are going to be using data breaches as a threat and lure going forward. Users who are afraid of their data being leaked may be more likely to click on a phishing email or lure document that claims to have information on a leak. Or they may be more open to clicking on a link claiming to lead to “free” identity monitoring.  

**So now what? **

The significance of data breaches is facilitating the adversaries in their scam campaigns providing them the information needed to execute fraudulent activities, causing extensive financial, reputational, and psychological damage to individuals and organizations. So, creating security awareness in public is a preliminary responsibility of the organizations and security community. It empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced. 

**Top security headlines of the week **

**Trend Micro’s Zero Day Initiative publicly called out Microsoft for not crediting their researchers for a recently disclosed vulnerability.** Security researchers at ZDI say they first informed Microsoft of the vulnerability in May and hadn’t heard anything about it again until it showed up in July’s Patch Tuesday, Microsoft’s monthly security update. The ZDI blog post has generated additional conversations in the security community about the pros and cons of coordinated vulnerability disclosure and existing problems with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) CVD program. There is also still uncertainty on the exact nature of the vulnerability, CVE-2024-38112. The initial discoverers say it is a remote code execution vulnerability that should be considered critical, though when Microsoft disclosed it, it came with a lower CVSS score and identified it as a spoofing vulnerability. “CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where ‘coordination’ simply means ‘You tell us everything you know about this bug, and maybe something will happen,’” Trend Micro wrote in their blog post. (Zero Day Initiative, The Register) 

**A data breach unmasked the company behind the spyware mSpy and a list of its customers.** According to the data leak site Have I Been Pwned?, unknown attackers stole millions of customer support tickets, eventually leaking 142GB of data. The leaked information includes personal details of customers, emails to mSpy’s support team and email attachments. mSpy promotes itself as a phone surveillance app that can track users’ children or employees. However, it is often used to monitor people without their consent, like most spyware. The stolen data includes customer and user emails to mSpy support via the third-party software Zendesk. Leaked emails include targets who did not wish to have the spyware tracking their device, including journalists, and even U.S. law enforcement agents looking to file subpoenas or legal demands with the company. Once installed on an infected device, mSpy can monitor keystrokes, review text messages, track users’ locations, scrape their social media accounts and view the target’s sent and received photos. (TechCrunch, PC World) 

**The Iranian APT MuddyWater added a new backdoor to its malware arsenal known as BugSleep.** Security researchers say the malware “partially replaces” the actor’s traditional use of legitimate remote monitoring tools. MuddyWater is known for its connections to Iran’s Ministry of Intelligence and Security (MOIS). The group’s most recent campaign included sending phishing emails that invite targets to attend online classes and webinars to 10 different Israeli companies. Some versions of BugSleep come with a custom malware loader that injects the backdoor into the active processes of several well-known software, including Microsoft Edge, Google Chrome and Microsoft OneDrive, so taht it can remain undetected. Talos has reported on several MuddyWater campaigns over the past few years against entities spread throughout the U.S.A, Europe, Middle East and South Asia. Their campaigns are primarily designed to either steal sensitive information or execute ransomware on a targeted network. (The Register, Bleeping Computer) 

**Can’t get enough Talos? **

*   Cisco Talos Report Reveals Critical Insights in Ransomware Trends 
*   Cisco Talos analyzes attack chains, network ransomware tactics 
*   Cisco Talos: Top Ransomware TTPs Exposed 
*   Talos Takes Ep. #190: What we learned from studying the TTPs of the 14 most active ransomware groups 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201

It's best to just assume you’ve been involved in a data breach somehow

Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.

Source: Maksim Kabakou via Adobe Stock Photo

Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies.

The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.

**Email-Hosting, Vulnerable by Default**

The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during first week in August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."

They also will reveal the affected vendors, which could number more than 50. The lag is due to the responsible disclosure timeline, as the researchers allow time for the issues to be addressed, Wang says.

"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."

While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. "Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.

**Novel Attack Techniques**

The team's research was informed by two previous works from other researchers: a "SpamChannel" talk presented by Marcello Salvati at DefCon 2023, and an innovative SMTP smuggling attack unveiled by Timo Longin in December, Wang says.

The first attack technique involves SPF abuse and is due to the fact that several large email and hosting service providers fail to verify domains properly when sending emails, which violates RFC requirements.

"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a "high success rate" due to the large number of affected domains and the broad reach of email spoofing.

The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.

The third attack pattern is one that expands upon Longin's SMTP smuggling attack discovery, and will be revealed in more detail during the Black Hat USA session. Longin discovered that attackers can exploit SMTP on vulnerable servers to send scores of malicious emails with fake sender addresses based on the exploit of existing flaws on messaging servers from Microsoft, GMX, and Cisco.

"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. "The result of these attacks are emails with valid SPF and DKIM records that will pass the DMARC check."

**SMTP Smuggling Detection and Mitigation **

As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks that involves the Message-ID identifier that email servers add when they send someone's email. The method correlates the difference between the Message-IDs added by the outbound and inbound SMTP servers when an attacker attempts to send multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."

Indeed, while the attack patterns discovered can allow email spoofing by bypassing DMARC, DKIM, and SPF security controls, the researchers still highly recommended that organizations enforce these measures for their domains as a foundational security baseline.

"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.

Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.

Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also "is critical for maintaining the security and reliability of email communications," and preventing various forms of email-based attacks."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco