QuickJob version 6.1 suffers from an ignored default credential vulnerability.

**QuickJob 6.1 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

QuickJob version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | e6896d4cea9d5e1f38adf67e9cf29b00d07caf0ece1ebc4e316d431f13e72eca

Download | Favorite | View

**QuickJob 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : quickjob 6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/quickjob-job-board-php-script/25217096                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user&pass: admin[+] panel : https://www/127.0.0.1/xpressdigitalonline/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

QuickJob 6.1 Insecure Settings

Prison Management System version version 1.0 suffers from an ignored default credential vulnerability.

**Prison Management System version 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Prison Management System version version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 81a9d01f3c8c94bb0000f4403731ff41830ed447ed13fdad39cbe7cc67884842

Download | Favorite | View

**Prison Management System version 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Prison Management System version 1.0 Insecure Settings Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/untcarriercom/admin/?page=system_infoGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Prison Management System version 1.0 Insecure Settings

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

**Pharmacy Management System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 59f44c9b7f06be4efb67d80c7c07d536ce29ef1457664c97c77dea0949148078

Download | Favorite | View

**Pharmacy Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Pharmacy Management System v1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Pharmacy Management System 1.0 Insecure Settings

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

**Online Payment Hub System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 30a6b1cbf6e4c838b1c70e5f65c51d228a564e5d1e6f1bc286e2c364b4ee5cda

Download | Favorite | View

**Online Payment Hub System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Payment Hub System v1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://scriptmafia.org                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruban-witness.000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Online Payment Hub System 1.0 Insecure Settings

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

**Innue Business Live Chat 2.5 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 69cf2bb9bb7d7ff376d99fe228145e43a3757fab2416d6aff6f75b372ddf2d3a

Download | Favorite | View

**Innue Business Live Chat 2.5 Insecure Settings**

    ====================================================================================================================================| # Title     : innue business live chat v2.5 Insecure Settings Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/business-live-chat-software.php                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin[+] https://www/127.0.0.1/vmi1941086contaboservernet/loginGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Innue Business Live Chat 2.5 Insecure Settings

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

Source: Richard Levine via Alamy Stock Photo

Critical API security flaws have put millions of users at risk for account takeover, by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.

That's according to API security firm Salt Security's Salt Labs, which found that by pairing manipulation of the OAuth standard with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.

Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.

"Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances," according to a Salt Labs blog post on the research.

A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.

More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.

**A Modern Authentication Standard Meets an Old Flaw**

OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the "log in with Facebook" or "log in with Google" functionality included in many websites. The standard drives the mechanism responsible for the authentication handoff between the sites, allowing user data to be shared between them. It's been known to be misconfigured upon implementation in ways that create serious vulnerabilities that span numerous sites.

XSS, meanwhile, is one of the most oft-exploited and oldest Web vulnerabilities. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitor's browser for data theft and more.

An attacker who successfully exploits an attack vector that combines the two "will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user," Yaniv Balmas, vice president of research at Salt, tells Dark Reading.

Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.

However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.

"We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue," Balmas says.

**Hotjar Attack**

Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.

On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through OAuth to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.

"To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window," according to the post. "With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to \[the Hotjar site\] with the OAuth code in the URL."

The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victim's code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.

**Exploiting Mobile Logins**

The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.

"This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS," according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.

"What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL," according to the post. "If a victim clicks on that link, their credentials will be passed to a malicious domain."

Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site administrators need to be careful in how they implement OAuth, lest it be used in similar attack scenarios, Balmas says.

"As always, when implementing any new technology, many things need to be considered, including, of course, security," he says. "A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack."

Thursday, July 25, 2024 14:00

You’re not going to believe this, but there was a lot of misinformation on social media over the weekend after the massive CrowdStrike/Microsoft outage.  

As airlines cancelled flights, hospitals had to reschedule patients and some companies just flat-out couldn’t work on Friday, people were quick to assume that the outage, which was actually caused by a faulty CrowdStrike Falcon update, was a cyber attack. 

Media headlines posed the question: “Cyber attack, or outage?” Social posters quickly assumed this was some sort of “hack.”  

On the one hand, I get it. Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack,” because that’s how they’ve always been displayed in works of fiction or as the generic image of a “hack” anytime there is actually a real cyber attack.  

That’s not to say there aren’t many lessons to be learned from this outage, and at some point, we’ll be ready to dig into those. But also calling this a cyber attack can spread unnecessary FUD, especially when threat actors are trying to capitalize on the outage to spread malware in _actual_ cyber attacks.  

**The one big thing **

Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, accounting for 60 percent of engagements. Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.   

**Why do I care? **

Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.    

**So now what? **

The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts to prevent the spread of BEC. 

**Top security headlines of the week **

**A false narrative spread over the weekend that Southwest Airlines was using a very old version of Windows, which allowed it to escape the CrowdStrike-related outage.** Many news outlets reported that Southwest’s system relies on Windows 3.1, released more than 20 years ago. However, this does not actually appear to be the case, though Southwest’s systems may still be outdated compared to its competitors. Instead, Southwest may have been largely unaffected by the outage simply because it doesn’t use CrowdStrike. Delta, American, Spirit, Frontier, United and Allegiant airlines all reported that they were affected by the outage, forcing the cancellation of thousands of flights across the globe. The source of the story that Southwest uses Windows 3.1 appears to come from posts on social media, the original one of which provided no sources, links or background information to back this statement up. Another popular piece of fake news that made the rounds during the widespread outage was that the Las Vegas Sphere was a victim of the outage, with a fake image spreading online appearing to show the “blue screen of death” on the outside of the concert and event venue. (Kotaku, OSNews) 

**U.K. police arrested a teenager suspected of being a member of the Scattered Spider hacking group and a perpetrator of the massive MGM ransomware attack last year.** The arrest is part of a larger investigation conducted by the National Crime Agency in the U.K. and the U.S.’s FBI into a hacking group that is known to breach networks, steal data and deploy ransomware. While not named explicitly in the arrest announcement, this group is largely known as Scattered Spider. The group breached MGM’s network last year, taking hotel and casino services offline for several days, even just forcing some casino operations to stop altogether. MGM eventually paid a multi-million dollar ransomware to the attackers. Scattered Spider is a group of English-speaking threat actors, some of whom are as young as 16, and commonly communicate via Telegram channels and Discord servers. An English detective involved in the operation stated that the 17-year-old in question was part of a group that “targeted well-known organizations with ransomware, and they have successfully targeted multiple victims around the world, taking from them significant amounts of money.” (Bleeping Computer, Dark Reading) 

**Russian state-sponsored actors or hacktivist groups are likely to try and disrupt the upcoming Olympic games in France via cyber attacks, misinformation campaigns and deepfake photos and videos.** Russia has been excluded from the Summer Olympics because of its involvement in an alleged doping scheme with its athletes and has been increasingly hostile toward the West for its support of Ukraine. Russian threat actors have already been spreading disinformation, with Microsoft warning that some actors have been deploying influencers deploying artificial intelligence to “denigrate the reputation of the \[International Olympic Committee\]” and “creating the expectation of violence” at the Olympics. French authorities have also already arrested a Russian national who the government alleges was planning various events to “destabilize” the games. Researchers from FortiGuard Labs have also reported that there has been a spike of dark web activity among known Russian adversaries, including Cyber Army Russia Reborn and LulzSec, specifically saying they plan to target the Olympics. Russia may also seek to use its influence on hacktivist groups to do its bidding so that the Russian government has plausible deniability in any activities. (Forbes, Financial Times) 

**Can't get enough Talos?**

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The massive computer outage over the weekend was not a cyber attack, and I’m not sure why we have to keep saying that

A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.

Source: Den Rise via ShutterStock

A security firm recently hired a software engineer for its internal AI team that turned out to be a North Korean threat actor, who immediately began loading malware to his company-issued workstation.

KnowBe4, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4's founder, shared in a blog post about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.

The checks came back clean and the candidate for the position ("principal software engineer") appeared credible and qualified, though later the company realized he was using a stolen identity and his photo was AI-enhanced.

Once the verification and hiring process was complete, KnowBe4 sent the new employee, who is referred to in KnowBe4's post as "XXXX," his Mac workstation, "and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

"On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST," he detailed. "When these alerts came in, KnowBe4's security operations center (SOC) team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to the SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise."

What the employee was really doing, however, was performing various actions to manipulate session history files, transferring potentially harmful files, and executing unauthorized software using a Raspberry Pi. KnowBe4's SOC attempted to get him on a call to investigate further, but he said he was unavailable and "later became unresponsive." By 10:20am, the SOC had quarantined XXXX's device.

KnowBe4 shared the data it collected about the employee and his activities with cybersecurity firm Mandiant and the FBI, to corroborate the company's initial findings. The company eventually discovered that XXXX was a fake IT worker from North Korea, and an FBI investigation is still ongoing.

**"It Can Happen to Anyone"**

Sjouwerman stressed to customers that no data breach occurred due to the activity, as security tooling blocked the malware before it was executed. His aim in sharing what happened at his company is to provide "an organizational learning moment," he said.

"Do we have egg on our face? Yes," he wrote. "And I am sharing that lesson with you."

KnowBe4 grants new employees' accounts only limited permissions for proceeding through the new hire onboarding process and training, with access to only necessary apps such an an email inbox, Slack, and Zoom. This means that XXXX never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information, Sjouwerman said.

"No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. However, "if it can happen to us, it can happen to almost anyone," he added.

Indeed, North Korean threat actors are notorious for engaging in successful cybercriminal activities by posing as credible IT workers. Last October, the Department of Justice warned that the freelance IT market was being flooded by operatives working on behalf of the North Korean government, urging caution to companies when hiring new workers. The department found that these workers are quietly directing their earnings to the government's sanctions-ridden nation's nuclear weapons program.

“Most of these individuals who attempt to obtain employment are not physically located in the US," Sjouwerman explained. "In order for them to conduct work, they require a US location for the equipment to be sent. There are small networks set up at drop locations where a US-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network, and from there remote into the received device. This will cause security and access logs for that person to show up as being US-based and coming from the correct device.”

**How Not to Hire a North Korean Hacker**

KnowBe4 has made "several process changes" to hiring to help ensure any potential bad actor will be detected earlier, according to the post. In the US, for example, the company now will only ship new employee workstations to a nearby UPS shop and require a picture ID to obtain it.

Other process improvements that organizations can make are to ensure all background and reference checks are verified for inconsistencies and properly vetted; review and strengthen access controls and authentication processes; and conduct security awareness training for employees to stress social-engineering tactics used by threat actors.

The company also made recommendations so other organizations can avoid a similar scenario, including scanning remote devices for any suspicious access or activity; improving vetting and resume scanning for inconsistencies; and checking for red flags, like a laptop shipping address that's different from where the person is supposed to live and work.

Other red flags to look out for in potential employees include the use of VoIP numbers and/or lack of digital footprint for provided contact information, and any discrepancies in addresses, personal information, or date of birth across different sources. A remote employee's sophisticated use of VPNs or virtual machines should raise an alarm.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

Multi Store Inventory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

**Multi Store Inventory Management System 1.0 Insecure Direct Object Reference**

Posted Jul 25, 2024

Authored by indoushka

Multi Store Inventory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 32be0fec962b67faf38d315a9d6d5a0c83204e2e599b0319b92fa81fc435926a

Download | Favorite | View

**Multi Store Inventory Management System 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Multi Store Inventory Management System v1.0 IDOR Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /dashboard/autoupdate[+] https://www/127.0.0.1/multistore_demo/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,131)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,001)
*   Encryption (2,389)
*   Exploit (53,073)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,169)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,616)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,903)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,527)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,402)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,689)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Multi Store Inventory Management System 1.0 Insecure Direct Object Reference

Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.

Tag

#cisco