Employee Management System version 1.0 suffers from an ignored default credential vulnerability.

**Employee Management System 1.0 Insecure Settings**

Posted Aug 12, 2024

Authored by indoushka

Employee Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c729820d6c74d0d245f5de6b7ade8e4cebaa60f462a3e7bd0e326402db59bf4

Download | Favorite | View

**Employee Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Employee Management System v1.0 Insecure Settings Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16999/employee-management-system.html                                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,349)
*   Arbitrary (16,870)
*   BBS (2,859)
*   Bypass (1,861)
*   CGI (1,033)
*   Code Execution (7,810)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,390)
*   DoS (25,071)
*   Encryption (2,389)
*   Exploit (53,180)
*   File Inclusion (4,262)
*   File Upload (994)
*   Firewall (822)
*   Info Disclosure (2,890)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,202)
*   Local (14,795)
*   Magazine (586)
*   Overflow (13,169)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,393)
*   Protocol (3,724)
*   Python (1,640)
*   Remote (31,655)
*   Root (3,635)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,027)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,276)
*   SQL Injection (16,609)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,967)
*   Web (9,963)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,250)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,096)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,707)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,485)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,737)
*   UNIX (9,435)
*   UnixWare (187)
*   Windows (6,672)
*   Other

Employee Management System 1.0 Insecure Settings

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data.
The agency said it has seen adversaries "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature."
It also

Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data.

The agency said it has seen adversaries "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature."

It also said it continues to observe weak password types used on Cisco network devices, thereby exposing them to password-cracking attacks. Password types refer to algorithms that are used to secure a Cisco device's password within a system configuration file.

Threat actors who are able to gain access to the device in this manner would be able to easily access system configuration files, facilitating a deeper compromise of the victim networks.

"Organizations must ensure all passwords on network devices are stored using a sufficient level of protection," CISA said, adding it recommends "type 8 password protection for all Cisco devices to protect passwords within configuration files."

It is also urging enterprises to review the National Security Agency's (NSA) Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.

Additional best practices include the use of a strong hashing algorithm to store passwords, avoiding password reuse, assigning strong and complex passwords, and refraining from using group accounts that do not provide accountability.

The development comes as Cisco warned of the public availability of a proof-of-concept (PoC) code for CVE-2024-20419 (CVSS score: 10.0), a critical flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users.

The networking equipment major has also alerted of multiple critical shortcomings (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454, CVSS scores: 9.8) in Small Business SPA300 Series and SPA500 Series IP Phones that could permit an attacker to execute arbitrary commands on the underlying operating system or cause a denial-of-service (DoS) condition.

"These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow," Cisco said in a bulletin published on August 7, 2024.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level."

The company said it does not intend to release software updates to address the flaws, as the appliances have reached end-of-life (EoL) status, necessitating that users transition to newer models.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature

As with everything nowadays, politics are sure to come into play.

Thursday, August 8, 2024 14:00

Over the next two weeks, two of the largest cybersecurity conferences in the world will take place in Las Vegas: Black Hat and DEF CON. 

That means product announcements, buzzwords and stories about “X smart appliance could burn your house down!” or something like that. Over the next two weeks, I’ll be using this space to catch readers up on the top stories, trends and talking points to come out of Hacker Summer Camp. If you’re on the ground in Vegas, follow along with us on Twitter to keep track of our talks and events.  

To no one’s surprise, AI is likely going to be in the spotlight all week, especially generative AI. Many companies will use these tools to spin up new cybersecurity products and protections, and other researchers are sure to point out the potential security pitfalls of emerging technologies.  

There is a dedicated full-day workshop to discuss holding generative AI accountable, including potential legislation that outlines how generative AI models are trained and using whose content. And AI Village at DEF CON is sure to turn up a slew of vulnerabilities in AI tools while highlighting how researchers can best disclose and help patch these security issues.  

In the vein of “how to hack X” headlines that I mentioned before, Talos’ own Dan Mazzella is presenting research on how an attacker could take over some cars’ Android-based infotainment systems to steal user data.  

Some of the systems used in Ford, Honda and GM cars could be exploited to steal data that is being transferred between the so-called “head unit” and a mobile device connected to the car, including text messages, contacts, photos and other private user information.  

And as with everything nowadays, politics are sure to come into play. With the recent news that Kamala Harris is taking over as the Democratic Party’s likely nominee for the upcoming U.S. presidential election, experts and regulators are trying to figure out what a potential Harris presidency would mean for cybersecurity and AI policy.  

Hackers are also hosting the year’s first cybersecurity-focused fundraiser for a presidential candidate with DEF CON organizers taking the lead on supporting Harris after she was supportive of the election security community in past years.  

Other elections around the globe also have cybersecurity implications, as Black Hat’s keynote will cover with (among others) Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency. Disinformation and fake news are always swirling online about any political candidate, regardless of country, and AI and deepfakes have only worsened the problem.  

And that’s before you get into any actual attempts to change votes or hack voting systems. 

**The one big thing **

Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. These campaigns evade detection through obfuscation and updates. Talos researchers identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. 

**Why do I care? **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. Thankfully, Snort can provide a strong defense before this malware reaches endpoints. 

**So now what? **

Talos’ first entry in our new series, “The Deep Dive with NDRT,” we dive into how our analysts craft protection against NetSupport RAT and the newest Snort rules to keep users safe from this threat.  

**Top security headlines of the week **

**A French Olympic site and cultural institution was targeted with a cyber attack over the weekend, though the effects appear to be limited.** Security experts and Olympics organizers largely expected there to be several efforts to try and disrupt the games. Despite false reports that adversaries had encrypted data belonging to the Grand Palais Réunion des musées nationau, the venue said in a statement that as of Monday morning, “no data extraction has been detected.” The institution most famously oversees the Louvre, one of the most famous art museums in the world. Its venues hosted several Olympics-related exhibitions and events over the past week, including fencing and Taekwondo competitions. The attack appears to be attempted ransomware, though an investigation with the ANSSI, France’s cybersecurity agency, is still underway. "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency,” the Grand Palais director said in a statement after the attempted attack. (CyberScoop, Dark Reading) 

**A cyber attack knocked out Mobile Guardian, a U.K.-based mobile device management software used in the U.K.** The event largely affected students and schools in Singapore, which the Ministry of Education says led to thousands of students having their devices completely wiped. Mobile Guardian advertises itself as a cross-platform solution for K-12 schools to monitor and manage their devices. “Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator,” the Singaporean education ministry said in a statement. Adversaries seemed to have removed some targeted devices from Mobile Guardian’s network and completely wiped the devices. The company said in a statement this week that the outage affected instances in North America, Europe and Singapore. The incident appears to stem from a misconfiguration that caused an IT outage on July 30. (TechCrunch, Bleeping Computer) 

**A ransomware attack on a blood donation non-profit forced many hospitals to tap into their emergency blood supplies and host last-minute drives.** OneBlood, which provides blood samples to many hosptials in the Southeastern U.S., was hit with a ransomware attack that forced most of its network offline. The non-profit had to switch to manual processes for several days, including printing out its own labels and having donors fill out paper forms to donate blood, which delayed their usual supply chain to hospitals. Some health care facilities had to delay non-emergency procedures until after the blood donor supply had returned to normal. Late last week, OneBlood told its more than 250 hospital partners to activate their critical blood shortage protocols, which included holding last-minute drives and calling for volunteers to donate blood asap. As of Wednesday, OneBlood says its software is returning to normal. The process was made even more difficult by the presence of Hurricane Debby, which moves through Florida and Georgia, dumping inches of rain and causing flooding in states that were heavily affected by OneBlood’s outage. (Axios, CBS News) 

**Can’t get enough Talos? **

**Upcoming events where you can find Talos **

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

The top stories coming out of the Black Hat cybersecurity conference

Attackers can use a seemingly innocuous IP address to exploit localhost APIs to conduct a range of malicious activity, including unauthorized access to user data and the delivery of malware.

Source: Tada Images via Shutterstock

Attackers can use a flaw that exploits the 0.0.0.0 IP address to remotely execute code on various Web browsers — Chrome, Safari, Firefox, and others — putting users at risk for data theft, malware, and other malicious activity.

Researchers at open source security firm Oligo Security have discovered a way to bypass browser security and interact with services running on an organization's local network from outside the network, that they are calling "0.0.0.0 Day," because of the Web address it exploits.

The vulnerability exists due to "the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry," Avi Lumesky, an Oligo AI security researcher, revealed in a blog post published this week.

Attackers can use the flaw to exploit localhost application programming interfaces (APIs) from the browser, thus performing a range of malicious activities.

"As a result, the seemingly innocuous IP address, 0.0.0.0, can become a powerful tool for attackers to exploit local services, including those used for development, operating systems, and even internal networks," Lumesky wrote.

**Breaking Down the Flaw**

The flaw lies in the ability by design of browsers for services to send a request to almost any HTTP server using JavaScript; a browser's key job is to focus on delivering the correct response, either by serving up a valid response to a request or an error.

While browsers are generally supposed to prevent errant or malicious requests from getting through via their responses, there has been a lack of streamlined security in handling requests across browsers since their inception.

"For a long time, it was not clear how browsers should behave when they make requests to local or internal networks from less-private contexts," Lumesky explained in the post.

While most browsers have relied on CORS, or Cross-Origin Resource Sharing — a standard defining a way for client Web applications that are loaded in one domain to interact with resources in a different domain — "its performance depends on the response content, so requests are still made and can still be sent," Lumesky noted.

"This is simply not good enough," he wrote. "History proved that a single HTTP request can attack a home router — and if that's all it takes, every user needs to be able to prevent this request from happening at all."

**PNA Bypass**

Chrome's introduction of Private Network Access (PNA) — which goes beyond CORS — should, in theory, protect websites from the 0.0.0.0 day bug. PNA proposes distinguishing between public, private, and local networks, ensuring that "pages loaded under a less-secure context will not be able to communicate with more-secure contexts," Lumesky wrote.

However, Oligo researchers discovered that website requests sent to 0.0.0.0, which should be blocked under PNA, were actually received and processed by local servers. "This means public websites can access any open port on your host without the ability to see the response," Lumesky wrote.

To prove their point, the attackers investigated how ShadowRay, a recent attack campaign its researchers discovered targeting AI workloads, could execute its attack from the browser using 0.0.0.0 as its attack vector.

ShadowRay enabled arbitrary code execution when a private server was unintentionally exposed to the Internet, and went undiscovered for nearly a year. To prove their concept, Oligo researchers ran a local Ray cluster on localhost, then started a socket that is listening to new connections to open a reverse shell.

"Then, the victim clicks on the link in the email, which runs the exploit," Lumesky explained. "The exploit opens a reverse shell for the attacker on the visitor’s machine."

The researchers proved the concept within Chromium, Safari, and Firefox to execute ShadowRay from the browser in "one of an undoubtedly huge number of remote code execution attacks enabled by this approach," Lumesky noted. They also proved the attack via Selenium Grid public servers and PyTorch TorchServe via respective previously identified attack campaigns SeleniumGreed and ShellTorch.

Ultimately, the researchers demonstrated how by using 0.0.0.0 together with mode "no-cors," attackers "can use public domains to attack services running on localhost and even gain arbitrary code execution, all using a single HTTP request," Lumeksy explained.

**How Defenders Can Mitigate Attacks**

Oligo disclosed the findings to the relevant browser owners — including Google, Apple, and Mozilla — which responded by making fixes in their browsers to block 0.0.0.0 as a target IP, according to Oligo.

Meanwhile, as the companies in charge work to streamline security standards across browser offerings, there are other technical mitigations that network administrators can use to thwart attacks using the vector, Lumesky said.

They include implementing PNA headers, verifying the HOST header of the network request to protect against DNS rebinding attacks to localhost or 127.0.0.1, and generally mistrusting localhost networks just because they are "local." "Add a minimal layer of authorization, even when running on localhost," he advised.

Network administrators should also use HTTPS over HTTP whenever possible and implement CSRF tokens in your applications, even if they are local.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk

The number of additions to the Known Exploited Vulnerabilities catalog is growing quickly, but even silent changes to already-documented flaws can help security teams prioritize.

CVE age distribution of KEV by groupSource: GreyNoise Intelligence

B-SIDES LAS VEGAS – Las Vegas – Wednesday, Aug. 7 – Organizations that use the Known Exploited Vulnerabilities (KEV) catalog to prioritize patching are likely missing silent changes to the list that could indicate that an issue's severity has changed, according to an analysis presented at the BSides Las Vegas conference on Aug. 7.

The KEV catalog — which currently consists of more than 1,140 vulnerabilities that are known to have been exploited in the wild — tracks software flaws by their Common Vulnerabilities and Exposures (CVE) identifier, records the date when the vulnerability was confirmed in the wild and has a flag that indicates whether ransomware groups are using the security issues.

Yet, specific changes to the data — such as uncommonly short times to remediate vulnerabilities and changes to the ransomware status — can give security teams valuable information, the analysis stated.

Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA), which manages the list, does not often call out these changes and outliers, says Glenn Thorpe, senior director of security research and detection engineering at GreyNoise Intelligence.

"We who are not bound by its directives forget that this is actually a to-do list," he says, adding: "So, if folks are actually using this to prioritize remediation or some kind of process, they need to know \[when\] it is updated silently."

The KEV catalog, introduced in November 2021 with 290 exploited vulnerabilities, is maintained by CISA and gives organizations the information necessary to prioritize patching flaws that are currently under attack. The list, however, does not rank the severity of issues, and vulnerabilities are often not added until well after the initial evidence of exploitation comes to light.

**Surge From a Cyber Conflict**

While less than 3 years old, the KEV catalog has already passed through three periods, Thorpe says. The original catalog had 287 vulnerabilities, which had an average age — the time between the release of the CVE and the vulnerability's addition to the KEV list — of 591 days. Then, during a 109-day period in early 2022 and the initial months of Russia's invasion of Ukraine, a massive stockpile of vulnerabilities was exploited, encompassing 396 issues with an average age of 1,898 days.

Starting in mid- to late 2023, CISA started changing its policies on the KEV catalog, providing additional signals as to the severity of a vulnerability. Source: GreyNoise Intelligence

Since mid-2022, 453 newly exploited vulnerabilities have been discovered, with an average age of 567 days.

"There is this thought that maybe the numbers have gone down, because the Russia-Ukraine conflict has dragged on so long," he says. "But I \[feel that\] when it ends, each side will looking for vulnerabilities and stockpiling once again."

Five organizations — Microsoft, Apple, Cisco, Adobe, and Google — account for about half of all vulnerabilities on the list, demonstrating cyberattackers' penchant for major software platforms.

**Pay Attention to Friday Updates**

While any vulnerability in the KEV catalog should likely be patched as soon as possible, companies may want to prioritize those being used in ransomware campaigns. The list has a flag designating whether CISA has confirmed use of a particular flaw by ransomware gangs. However, at least 41 times, that flag has been changed to "known" — indicating ransomware use — after the vulnerability's addition to the list without explicit notification.

Perhaps more critical for prioritization is the "due date" for fixing a vulnerability, which informs federal agencies of the date by which the issue must be remediated. While the vast majority of vulnerabilities have a 21-day requirement, since late 2023, CISA has set shorter remediation deadlines for specific vulnerabilities. The shorter patching deadlines are typically for more critical appliances that are connected to a networks, such as the severe Ivanti vulnerabilities, as well as issues in Juniper routers and Cisco devices and Atlassian's Confluence server, GreyNoise's Thorpe says.

In fact, another data point suggests that CISA made other changes to how it handles KEV-catalog announcements in late 2023. Around the same time that CISA had assigned shorter deadlines, the agency also began foregoing the release of any list updates on Fridays, except in two specific cases, the analysis found.

"Either there was a decision made to prioritize these a little differently, or they ... were kind of figuring out how to prioritize these differently, because the list is getting big," Thorpe says.

Organizations can use the policy changes inferred from the way CISA updates the KEV catalog to understand which issues the agency considers most critical. A KEV update released on a Friday should be considered significant, as should a vulnerability with a due date less than 21 days away. Finally, Thorpe says, updates to the known ransomware usage field are another signal that security teams should pay attention to.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Monitoring Changes in KEV List Can Guide Security Teams

The evolving malware is targeting hospitality and other B2C workers in Canada and Europe with capabilities that can evade Android 13 security restrictions.

ImageBroker.com GmbH & Co. KG via Alamy Stock Photo

The Chameleon Android banking Trojan is back on the threat scene, armed with new Android security-bypass features. The malware poses as a customer relationship management (CRM) application and targets employees in the hospitality sector and other business employees on two continents.

Researchers from Threat Fabric revealed that the device-takeover Trojan is targeting "hospitality workers and potentially B2C business employees in general" across Canada and Europe. Researchers say the new variant uses a dropper that can bypass Android 13+ AccessibilityService restrictions.

The Trojan is targeting a popular restaurant chain in Canada, which operates globally, to get access to corporate banking accounts, which would pose a "significant risk" to the organizations breached, according to Threat Fabric.

"The increased likelihood of such access for employees whose roles involve CRM is the likely reason behind the choice of the masquerading during this latest campaign," according to a blog post from Threat Fabric.

Researchers also see evidence of attacks that target "customers of specific financial organizations" in which Chameleon masquerades as a security application to install a security certificate released by the victims' banks as part of the malware's resurgence.

**Shape-Shifting Malware**

Security researchers first detected Chameleon — which got its name for its ability to adapt to its environment through multiple new commands — around December 2022/January 2023, when it appeared in its earliest form as a work in progress. Except for an appearance late last year with a significantly more fully featured variant that could bypass biometric security, the malware has been flying under the radar.

Now it has evolved yet again, with new features that show how its operators are changing the malware to keep up with the Android OS as it also becomes fortified with advanced security features.

According to the Threat Fabric post, "Most significant is the Trojan's ability to bypass Android 13+ restrictions, which once again proves the prediction we made in the past — this capability has become essential for modern banking Trojans."

Chameleon's use of the BrokewellDropper for delivery is significant to this bypass; indeed, since the leak of the source code for the dropper — which has an extensive set of device-takeover capabilities — more threat actors now have access to security bypass on the Android OS, according to Threat Fabric.

**Trojan's Latest Disguise**

Chameleon's most recent disguise should be no surprise to security researchers tracking the Trojan, as the malware, like other Trojans, has historically impersonated trusted apps. Previously, Chameleon came cloaked as an app from institutions such as the Australian Taxation Office (ATO) or one of several popular banking apps in Poland to steal data from user devices.

Once loaded, the dropper displays a fake page masquerading as a CRM login page, requesting the employee ID. It then displays a message asking to reinstall the application, which is actually Chameleon, which installs and bypasses Android AccessibilityService restrictions. After installation, the Trojan loads a fake website again asking for the employee's credentials. If submitted, the app displays an error page, according to Threat Fabric.

Chameleon remains running in the background on a device, which means it can also collect other credentials and sensitive info from a user by using keylogging. "Such information can be used in further attacks or the actors can monetise it by selling  it on underground forums," according to the post.

**More Sophisticated Attacks**

The latest Chameleon campaign demonstrates how Trojan-wielding cybercriminals are finding new and innovative ways to target bigger assets beyond the banking credentials of individual mobile users, according to Threat Fabric. This should put all organizations on high alert to the evolving mobile threat landscape.

"With the rising number of banking products for businesses (especially small and medium) and the convenience of having them available through mobile, we can expect cybercriminals to further explore the approach of targeting such mobile devices and its users," according to the post.

To combat these threats, financial organizations can take preventive measures to educate business customers about the potential impact of mobile banking malware like Chameleon and the consequences these malicious apps can bring, according to Threat Fabric. Moreover, given their visibility into customers' financial accounts, banks should also become more proactive in spotting anomalies in activity and behavior to stop threats before they compromise accounts.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chameleon Banking Trojan Makes a Comeback Cloaked as CRM App

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

Posted Aug 7, 2024

Authored by indoushka

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 8c38f4e680e6513d62d4303a51a4d7e3eaa5a7bb80e3e87ce8e510bba268a0b9

Download | Favorite | View

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,289)
*   Arbitrary (16,852)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,792)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,386)
*   DoS (25,050)
*   Encryption (2,389)
*   Exploit (53,137)
*   File Inclusion (4,259)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,889)
*   Intrusion Detection (915)
*   Java (3,143)
*   JavaScript (896)
*   Kernel (7,191)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,167)
*   Perl (1,435)
*   PHP (5,222)
*   Proof of Concept (2,382)
*   Protocol (3,724)
*   Python (1,635)
*   Remote (31,646)
*   Root (3,635)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,605)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,941)
*   Web (9,960)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,090)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,547)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,646)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,459)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,729)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,670)
*   Other

Covid-19 Directory On Vaccination System 1.0 Insecure Settings

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

**Computer Laboratory Management System 1.0 Insecure Settings**

Posted Aug 6, 2024

Authored by indoushka

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 903fb54e0bd8fb8efe43fdddb49a0f5abaa23ea96b8495e4f7c47b36636f9f0d

Download | Favorite | View

**Computer Laboratory Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Computer Laboratory Management System v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,255)
*   Arbitrary (16,849)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,786)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,385)
*   DoS (25,039)
*   Encryption (2,389)
*   Exploit (53,128)
*   File Inclusion (4,258)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,888)
*   Intrusion Detection (915)
*   Java (3,142)
*   JavaScript (896)
*   Kernel (7,188)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,166)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,632)
*   Remote (31,643)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,604)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,932)
*   Web (9,955)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,087)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,536)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,612)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,441)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,727)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,668)
*   Other

Computer Laboratory Management System 1.0 Insecure Settings

Google has addressed a high-severity security flaw impacting the Android kernel that it has been actively exploited in the wild.
The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel.
"There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security

Mobile Security / Vulnerability

Google has addressed a high-severity security flaw impacting the Android kernel that it has been actively exploited in the wild.

The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel.

"There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024.

As is typically the case, the company did not share any additional specifics on the nature of the cyber-attacks exploiting the flaw or attribute the activity to a particular threat actor or group. It's currently not known if Pixel devices are also impacted by the bug.

That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks.

The August patch addresses a total of 47 flaws, including those identified in components associated with Arm, Imagination Technologies, MediaTek, and Qualcomm.

Also resolved by Google are 12 privilege escalation flaws, one information disclosure bug, and one denial-of-service (DoS) flaw impacting the Android Framework.

In June 2024, the search company revealed that an elevation of privilege issue in Pixel Firmware (CVE-2024-32896) has been exploited as part of limited and targeted attacks.

Google subsequently told The Hacker News that the issue's impact goes beyond Pixel devices to include the broader Android platform and that it's working with OEM partners to apply the fixes where applicable.

Previously, the company also closed out two security flaws in the bootloader and firmware components (CVE-2024-29745 and CVE-2024-29748) that were weaponized by forensic companies to steal sensitive data.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-0824, a remote code execution flaw impacting Microsoft COM for Windows to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by August 26, 2024.

The addition follows a report from Cisco Talos that the flaw was weaponized by a Chinese nation-state threat actor named APT41 in a cyber attack aimed at an unnamed Taiwanese government-affiliated research institute to achieve local privilege escalation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#cisco