Allowing long password leads to denial of service in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

**Description**

The Organizr application allows to sending a very long password (10000000 characters) it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

**Proof of Concept**

1.Sign up to the application, capture the request in burp suites, and send it to Repeater.

2.Copy the payload from this link:- https://drive.google.com/file/d/11AwLp8Ae1\_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste on password parameter and send go.

3.You will see that the application allows long passwords this can leads to Dos and can exploit as DDos

**Video PoC**

    https://drive.google.com/file/d/1V_ZoXRJGkF7XSGdXJ4yPKRtQoxeTDyFe/view?usp=sharing
    

**Impact**

This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

CVE-2022-1698: Allowing long password leads to denial of service in organizr

Uncontrolled Resource Consumption in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

**Description**

The Organizr application allows large characters to insert in the input field "Username" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

**Proof of Concept**

1.Sign up to the application, capture the request in burp suites, and send it to Repeater.

2.After the &username= parameter put the payload mentioned on this link:- https://drive.google.com/file/d/1PBd3aXwKOL8uinLG7FJsn-8ldQceW4Zb/view?usp=sharing

3.Now press go and you will see the JWT token also get generated as the same size as the user input.

**Video PoC**

    https://drive.google.com/file/d/1su5IYU3GwUBCMX6SP_Ur-u2uxXXPh6cT/view?usp=sharing
    

**Impact**

This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

CVE-2022-1699: Uncontrolled Resource Consumption in organizr

CISA and the FBI are sharing information about the US attribution of cyberattacks on SATCOM networks that targeted Ukraine but spilled over into other European countries.
The post Cyberattacks on SATCOM networks attributed to Russian threat actors appeared first on Malwarebytes Labs.

The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have updated their joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with US government attribution to Russian state-sponsored malicious cyberactors.

**Critical infrastructure**

When we touched on the subject a few months ago, we explained why we think satellites are critical infrastructure. Commercial satellites provide us with the ability to establish services like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

**Spill over**

The United States believes Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the Russia invasion, and those actions had spillover impacts into other European countries.

In the months leading up to and after Russia’s invasion began, Ukraine experienced a series of disruptive cyber operations, including website defacements, distributed denial-of-service (DDoS) attacks, and cyberattacks to delete data from computers belonging to government and private entities.

For example, the United States has assessed that Russian military cyber operators have deployed multiple families of destructive wiper malware, like HermeticWiper, on Ukrainian Government and private sector networks.

Now, the US is sharing publicly its assessment that Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.

**Defense**

In order to uphold the rules-based international order in cyberspace, the US and its allies and partners are taking steps to defend against Russia’s actions. The US government has developed new mechanisms to help Ukraine identify cyberthreats and recover from cyberincidents.

CISA has exchanged technical information on cybersecurity threats related to Russia’s further invasion of Ukraine with key partners, including Ukraine.

**Mitigation guidance**

On March 17, 2022 CISA issued an alert providing technical details and mitigation guidance on possible threats to US and international SATCOM networks. A quick recap:

*   Use secure methods for authentication.
*   Enforce principle of least privilege through authorization policies.
*   Review existing trust relationships with IT service providers.
*   Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
*   Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
*   Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
*   Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!

Cyberattacks on SATCOM networks attributed to Russian threat actors

New federal cybersecurity rules will set timelines for critical infrastructure sector organizations — those in chemical, manufacturing, healthcare, defense contracting, energy, financial, nuclear, or transportation — to report ransomware payments and cyberattacks to CISA. All parties have to comply for it to work and help protect assets.

The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won’t take effect until final rules are determined, it’s one of three parts of the Strengthening American Cybersecurity Act that is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has become intensified by the situation in Eastern Europe, as cyber warfare has proven to be a key and effective attack tactic for Russian nation-states.

Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.

The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.

Overall, the act demonstrates increased recognition of the need for better policy in place to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.

But to truly understand the magnitude of the act's potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation's benefits and limitations. Let's explore.

**Cyber Threats Show No Signs of Slowing Down  
**The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.

Shortly following these attacks, a new "wiper" malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to be carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.

One cause for concern for countries that have imposed sanctions against Russia is the potential of cyberattack retaliation. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming amount of ransomware attempts, with malicious actors – not just from Russia, but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021 — and that figure is only expected to increase this year.

Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.

**Need for Information Sharing and Ransomware Reporting  
**Upon reviewing the comprehensive piece of legislation, one aspect that stood out to me was a call for "the rapid centralized aggregation and dissemination of real-time attack data." Through the passing of the act, the government and security community at large publicly recognize that speed, collection, and sharing of real-time attack data is critical to properly protect private and public networks, especially as ransomware groups and attack methods mature and become more frequent. What is more important than ensuring the right people get the right information at the right time, especially when this type of information sharing is possibly the key to preventing the next cyberattack?

Another noteworthy aspect of the legislation is the process of ransomware attack reporting. Today, there are more than 250 ransomware families, and that figure only continues to grow. This, coupled with the rise in more sophisticated and targeted ransomware, exposes organizations to increased risk.

As such, it's essential to have the proper reporting tools and systems in place. The Cyber Incident Reporting Act, which is an act within the larger legislation, will ensure that all critical infrastructure attacks are reported in a timely manner. Traditionally, these types of events go unreported or underreported; through these new reporting protocols, security teams can better gauge the size and scope of the attacks potentially facing their own organization, and society at large.

**Too Good to Be True? Recognizing Potential Pitfalls  
**While the act brings immense benefits, it's also important to acknowledge several potential limitations exist within the legislation. For instance, while increased transparency is crucial to help prevent damaging attacks, many security teams may be hesitant to report attacks so openly. Increased attack reporting could potentially cause companies to face litigation, which could trigger significant reputational and financial losses as attacks are made public.

To eliminate some of this worry, organizations may consider an increased investment in cyber insurance. While once a fairly new concept, the cyber insurance market is growing exponentially, forecast to become a $20 billion industry by 2025. In the boardroom, CFOs should prioritize conversations on cyber insurance during planning and budgetary meetings. After all, if an organization isn't proactive and instead takes a laggard approach to cybersecurity, they are leaving their companies at risk of attack and lost corporate funds.

Additionally, the act will only be effective if all applicable parties work to ensure that the quality and timeliness of information collected, and the corresponding reporting processes, are taken seriously and done properly. This is not a one-time process; data sharing and incident reporting must be done continuously. The success of the new legislation is dependent on the cooperation of security teams within the public and private sectors it reaches. Simply put, a lax approach will equate to an ineffective bill.

The Strengthening American Cybersecurity Act's passing is a true acknowledgment from the public sector that the frequency and severity of cyberattacks cannot go unresolved. The onus is on both public and private organizations to uphold its principles as these incidents take place – regardless of the size or scale of the attack. Overall, the public sector should continue prioritizing security-related legislation, and the private sector must follow the guidelines provided to them. A concentrated effort from both parties is the best way to protect the nation's most sensitive assets.

Breaking Down the Strengthening American Cybersecurity Act

How can you safeguard your organization amid global conflict and uncertainty?

Cybersecurity has always been a moving target. Most recently, a two-year global pandemic and the war in Eastern Europe have heightened the risk of cyberattacks, prompting President Joe Biden to urge US companies to "harden \[their\] cyber defenses immediately."

Consider the current cybersecurity landscape. In 2021, US businesses weathered a 17% increase in data breaches from 2020. Also in 2021, organizations experienced the highest average cost of a data breach in 17 years at $4.24 million, up almost 10% from the previous year. Common attack vectors include compromised credentials, phishing, and cloud misconfiguration. Now, modern warfare has been redefined to include cyber warfare.

As CISO, your job is to ensure there are controls and processes in place to help mitigate risk to the organization, and the current global instability has upped the risk ante for all organizations. You have already been working to identify and prioritize risks from fraudulent SMS, phishing emails, ransomware attempts, breaches, distributed denial-of-service (DDoS) attacks, fake landing pages, and more. But how can your organization double down on cybersecurity to stay one step ahead of the curve?

Based on this current global landscape, it is time for CISOs to rethink their strategies.

**1\.** **Realize that the security playbook has changed — at least for now.  
**The landscape has changed, and the playbook must change, as well. Previously, we've seen cybercriminals focus on ransomware or phishing attempts — attacks focused on monetary incentives. If we think about potential nation-state activity, we will see fewer financially motivated attacks and more attempts to disrupt or shut down specific services or networks, including DDoS attacks.

Rather than infiltration and breaches, we will see more backbone-level attack attempts (think ISP and uptime) that affect availability and continuity. This could also extend to major cloud providers and Internet resources. Bad actors may focus on resources that allow people to continuously share and exchange free-flowing information — including services tied to the economy. Their aim is to affect, disrupt, and destabilize continuity, preventing major organizations from delivering value. There is also the potential for more "strategic viability" cyberattacks against critical infrastructure systems, such as those driving power generation or electricity production.

In the past, we saw more concealed interaction. In other words, prior attempts were cloaked; one host country could launch an attack from another unwitting host. Now, the cloak is gone, and there is less effort to conceal attacks.

**2**. **Make visibility a priority.  
**Organizations need the appropriate controls and mechanisms in place to "see" where specific traffic and requests come from so they can start making the difficult decisions about where they will allow traffic to come from.

This is not just about enabling safe access, but also creating the ability to control the flow of traffic and requests to your company and assets. You need to drill down into activity across your platforms and assess everything from a geolocation perspective. Have you deployed technology that allows you to actively contextualize traffic patterns based on what's happening globally? If several major service providers experience an outage, can this be attributed to global interference at a nation-state level? If, when, and how will this affect your organization? Can you detect if a nation-state threat actor targets your organization, and, if so, can you trace the exact location and source? Also, keep in mind that criminal hacking groups can work closely with nation-states, which makes a proxy attack possible.

**3**. **Keep your security controls under control.  
**As CISO, you should maintain an updated risk register. This risk register should identify threats, outline the probability they will affect your organization, and present the overall potential impact. This framework, which should be broken down into sections that align with various business units and stakeholders (such as infrastructure, internal systems, and Web applications) should help you prioritize identified risks.

You should also be up to date on cybersecurity compliance regulations, standards, frameworks, and certifications (such as GDPR, ISO 27001, PCI-DSS, and FIPS, SOC) that ensure the security, processing integrity, and privacy of sensitive data. Security controls, specifically, encompass data encryption, network firewalls, password policies, network access control, and more.

Keep in mind that new standards may be imposed by your host/home government amid ongoing conflict. This could affect, for example, who you allow to access your platforms. The security and IT teams will be tasked with using existing controls or leveraging them in an alternative capacity to meet new government mandates — mandates that may apply internally to a company or companies that operate with them. You may be called upon to prevent traffic from geo-specific locations to better safeguard customer data or to fulfill an applicable restriction from a governing body. Also, your organization's customers may ask if you have can block or deny access to your platform based on a certain region.

**Conclusion  
**When it comes to cybersecurity, no one person can control all the variables — especially variables at a global level. In addition to your usual risk mitigation efforts, you should be prepared to adopt new policies and processes — depending on the "temperature" of global events. If cybersecurity is a moving target, it's moving even faster now. Organizations that reinforce their defenses (and prepare for additional safeguards) will have the best playbook for pre-empting and preventing new types of fraud, breaches, and hacks.

Mastering the New CISO Playbook

Suspected DDoS attack took place one hour before Russia invaded Ukraine

Suspected DDoS attack took place one hour before Russia invaded Ukraine

The EU has blamed Russia for a powerful cyber-attack that disrupted satellite broadband services in Ukraine and “helped facilitate President Vladimir Putin’s invasion of the country”.

Thousands of modems were knocked offline by the attack on the KA-SAT network, which took place one hour before Russia’s invasion of Ukraine commenced on February 24.

The suspected distributed denial-of-service (DDoS) attack caused communication outages and other disruptions for government websites and banks in Ukraine, and affected several EU Member States that also use the KA-SAT network.

**‘Unacceptable’**

The KA-SAT satellite and network is operated by US telecoms giant Viasat, which provides connectivity to military as well as commercial customers.

“This unacceptable cyber-attack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” reads a statement issued today (May 10) by the Council of the EU.

Read more of the latest cybersecurity news from Ukraine

Cyber-attacks against critical infrastructure “could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk”, it warned.

“The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behaviour in cyberspace. The European Union will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.”

**Russian cyber-war**

Although Russian-backed cybercrime groups have apparently been less active since war broke out in Ukraine than many experts predicted, Microsoft last month claimed that at least six Russian nation-state actors had launched damaging cyber-attacks against the country since the invasion began.

As reported by _The Daily Swig_, Microsoft researchers tracked at least 237 “cyber operations” originating from Russia that “have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership”.

Kremlin-backed groups were also suspected of being involved in another assault on telecoms infrastructure on March 28, when the networks of a Ukrainian internet service provider (ISP) that supplies the country’s military were taken offline.

**RELATED** Microsoft report unmasks at least six Russian actors responsible for cyber-attacks against Ukraine

Russia behind cyber-attack on satellite internet network KA-SAT that disrupted Ukrainian infrastructure – EU

Researchers say a hacker is selling access to quality malware for chump change.

Researchers say a hacker is selling access to quality malware for chump change.

For about the price of a cup of Starbucks latte, a hacker is renting out a remote access trojan designed to backdoor targeted networks.

Dubbed as Dark Crystal RAT (or DCRat), the malware is being peddled online to hackers in Russian by a lone rookie malware writer with a penchant for cut-rate pricing.

“DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at ($6) for a two-month subscription, and occasionally dips even lower during special promotions,” according to BlackBerry researchers who published their findings on Monday.

  
BlackBerry said sales of the budget RAT are being facilitated by the cybercriminal that goes by the name “boldenis44” or “crystalcoder.”

Capabilities of the RAT include a “stealer/client executable”, a single PHP page, which serves as the command-and-control endpoint and an administrator tool.

**A Breakdown of DCRat**

DCRat is, in some ways, amateurish, researchers assert. “There are certainly programming choices in this threat that point to this being a novice malware author,” they wrote.

“The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine,” BlackBerry wrote.

JPHP, they noted, is an easy-to-use language aimed at novice developers of desktop games. “The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.”

In another odd quirk, researchers note, is the malware author “implemented a function that displays a randomly generated number of ‘servers working’ and ‘users online’ that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.”

However, in most respects, DCRat punches well above its weight.

Along with the stealer, command-and-control interface and administrator tool, the malware is highly customizable, demonstrating a higher level of attempted sophistication. The modular architecture allows RAT customers to create and share their own plugins.

“DCRat’s modular architecture and bespoke plugin framework make it a very flexible option,” the researchers wrote, “helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.”

Customization prevents DCRat from growing stale, even after three years. That, and the constant care and attention its author gives it. “The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.” The researchers noted a particular case in 2020, when Mandiant published an in-depth look at the DCRat client. “Just days after this report was released,” to combat the unwanted attention, “the malware author shifted distribution of the RAT to a new domain.”

**Is DCRat an Outlier or an Omen?**

Current is about $7 for a two-month lease. For a year, $33 and for a lifetime subscription $63.

Researchers speculate the low price is because the criminals behind the malware are just looking for attention. “It could be that they’re simply casting a wide net,” the researchers theorized, “trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income.”

It remains to be seen whether DCRat will be an outlier on cybercrime forums, or a new precedent. The implications could be significant. If effective malware is as cheap as a cup of coffee, how many more people might be lured into trying it out? And how much more capable might their attacks be?

“The biggest, flashiest threat groups might get their name in lights,” the researchers concluded, “but they aren’t necessarily the cybercriminals that keep security practitioners up at night.”

Low-rent RAT Worries Researchers

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike.
"Unlike the well-funded, massive Russian threat groups crafting custom malware [...], this remote access Trojan (RAT) appears to be the work of

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike.

"Unlike the well-funded, massive Russian threat groups crafting custom malware \[...\], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry researchers said in a report shared with The Hacker News.

"In fact, this threat actor's commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums."

Written in .NET by an individual codenamed "boldenis44" and "crystalcoder," DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.

It was first released in 2018, with version 3.0 shipping on May 30, 2020, and version 4.0 launching nearly a year later on March 18, 2021.

Prices for the trojan start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription, figures which are further reduced during special promotions.

While a previous analysis by Mandiant in May 2020 traced the RAT's infrastructure to files.dcrat\[.\]ru, the malware bundle is currently hosted on a different domain named crystalfiles\[.\]ru, indicating a shift in response to public disclosure.

"All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz\[.\]guru, which also handles some of the DCRat pre-sales queries," the researchers said.

Also actively used for communications and sharing information about software and plugin updates is a Telegram channel which has about 2,847 subscribers as of writing.

Messages posted on the channel in recent weeks cover updates to CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder plugins, as well as "cosmetic changes/fixes" to the panel.

"Some Fun features have been moved to the standard plugin," a translated message shared on April 16 reads. "The weight of the build has slightly decreased. There should be no detects that go specifically to these functions."

Besides its modular architecture and bespoke plugin framework, DCRat also encompasses an administrator component that's engineered to stealthily trigger a kill switch, which allows the threat actor to remotely render the tool unusable.

The admin utility, for its part, enables subscribers to sign in to an active command-and-control server, issue commands to infected endpoints, and submit bug reports, among others.

Distribution vectors employed to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) solution used to deliver a variety of payloads.

The implant, in addition to gathering system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also capture screenshots, record keystrokes, and steal content from clipboard, Telegram, and web browsers.

"New plugins and minor updates are announced almost every day," the researchers said. "If the threat is being developed and sustained by just one person, it appears that it's a project they are working on full-time."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos