Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.0.

**Microweber missing standardized error handling mechanism**

Low severity GitHub Reviewed Published Dec 8, 2023 to the GitHub Advisory Database • Updated Dec 8, 2023

GHSA-9r6p-hg4g-5gxp: Microweber missing standardized error handling mechanism

Multiple components of Iconics SCADA Suite are prone to a Phantom DLL loading vulnerability. This issue arises from the applications improperly searching for and loading dynamic link libraries, potentially allowing an attacker to execute malicious code via a DLL with a matching name in an accessible search path. The affected components are:
  *  MMXFax.exe  *  winfax.dll




  *  MelSim2ComProc.exe
  *  Sim2ComProc.dll




  *  MMXCall_in.exe  *  libdxxmt.dll
  *  libsrlmt.dll








> By Asher Davila and Malav Vyas, Palo Alto Networks Researchers

Iconics Suite is a collection of software tools and solutions primarily focused on automation, building management, manufacturing, and industrial applications. It offers a range of functionalities including:

*   SCADA (Supervisory Control and Data Acquisition): Provides real-time monitoring and control of industrial, infrastructure, and facility-based processes.
    
*   HMI (Human-Machine Interface): Offers interactive interfaces for operators to monitor and manage industrial and building automation systems.
    
*   Building Automation and Energy Management: Helps in managing and optimizing building systems like HVAC, lighting, and power systems for efficiency and sustainability.
    
*   Manufacturing Intelligence: Provides analytics and reporting tools for optimizing manufacturing processes and improving productivity.
    
*   Asset Management: Assists in managing and tracking the performance and maintenance of industrial assets.
    

Phantom DLL Hijacking is a cybersecurity attack method where an attacker takes advantage of the way applications load Dynamic Link Libraries (DLLs). Unlike DLL hijacking, which involves replacing a legitimate DLL with a malicious one, Phantom DLL Hijacking involves reintroducing an obsolete or no longer used legitimate DLL back into the system. This obsolete DLL is modified to perform malicious activities. This attack exploits the process by which applications load external DLL files. It is a variant of DLL hijacking but with a subtle difference in approach. In Phantom DLL Hijacking, an attacker places an obsolete or unused legitimate DLL into a location where the application would typically load it. The application, thinking it is loading a genuine and required DLL, executes the code within the phantom DLL..

Impact

Arbitrary Code Execution: Similar to DLL hijacking, Phantom DLL Hijacking can result in the execution of arbitrary code. The application unknowingly runs the malicious code within the phantom DLL, leading to various security breaches.

Persistence and Stealth: Phantom DLLs can be more challenging to detect since they appear legitimate. They can remain operational for extended periods, allowing continuous unauthorized access.

System Integrity Compromise: The phantom DLL can destabilize the system by introducing bugs, errors, and crashes, affecting both the application and overall system stability.

Trust Relationship Abuse: Applications trust the DLLs they load. Phantom DLL Hijacking exploits this trust, allowing attackers to perform trusted actions that can lead to significant security breaches.

Vulnerability Overview

It was possible to confirm that the following software components are vulnerable to Phantom DLL hijacking through the next DLLs:

1.  MMXFax.exe - winfax.dll

2.  MelSim2ComProc.exe - Sim2ComProc.dll

3.  MMXCall\_in.exe - libdxxmt.dll
4.  MMXCall\_in.exe - libsrlmt.dll

Prevention

Secure Coding Practices: Developers should use secure methods for loading DLLs, such as specifying absolute paths and using code signing to verify DLL integrity.

Disclosure Timeline

July 27th, 2023 - Submitted a report with our findings on Iconics website.

July 28th, 2023 - Iconics security team confirmed receipt and requested more details regarding the exploitability of the reported vulnerabilities.

October 19th, 2023 - Iconics provided a comprehensive and detailed report of their tests, agreeing that there were vulnerabilities present on Iconics Suite related to Phantom DLL hijacking.

Conclusion

In summary, Iconics suite has been found to be vulnerable to Phantom DLL hijacking via the following DLLs:

*   winfax.dll
*   Sim2ComProc.dll
*   libdxxmt.dll
*   libsrlmt.dll

Iconics is actively working to remediate the aforementioned vulnerabilities.

CVE-2023-6061: Phantom DLL hijacking vulnerabilities in Iconics Suite - CVE-2023-6061

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-6599

By Waqas
The documents were leaked on December 6th, 2023, on Breach Forums.
This is a post from HackRead.com Read the original post: Hacker IntelBroker Leaks Alleged Sensitive US DoD Documents

IntelBroker claims that the documents include information about communications between the Pentagon and the US Army’s CIO/G-6.

The infamous hacker, known by the online handle of ‘IntelBroker,’ alleges having acquired sensitive internal documents from the United States Department of Defense (US DoD). According to IntelBroker, the leaked data includes PDFs and XLSX files, potentially containing communications between the Pentagon and the Army’s CIO/G-6.

For readers’ information, the Chief Information Officer (CIO) is responsible for addressing IT and cybersecurity-related issues. On the other hand, G-6 refers to the Deputy Chief of Staff (DCS), who reports to the Chief of Staff of the Army. The G-6 is primarily involved in planning, strategy, network architecture, and related matters.

Some of the leaked documents are labeled FOUO (PDF) meaning ”For Official Use Only.” It is a security designation used by some governments, including the United States, to identify unclassified information that is sensitive and should be protected from unauthorized disclosure.

As seen by Hackread.com, the leaked documents are accessible for download on the Breach Forums. The same forum where, last month, another threat actor leaked a scraped LinkedIn database with 35 million user data. A couple of weeks ago, the Breach Forums witnessed the leak of a database containing the personal data of thousands of employees of the Idaho National Lab.

Regarding the current breach, screenshots provided by the hacker as samples reveal dates ranging from 2017 to 2021. Among the samples is a document titled “Task 10 – EIEMA (Enterprise Information Environment Mission Area) Process Improvement Projects and Tasks, dated 25th March 2021.”

Another document, labeled “Enterprise Service Division SAIS-NSE,” includes a presentation containing personal and contact details of several civilian government officials and contractors. The information disclosed comprises their full names along with contact numbers for office, cellular, and home.

Another FOUO document, titled “MDEP MXCL RVT Brief to the TT PEG – Pentagon,” provides a summary discussing requirements for Long Haul Communication within the US Army.

Hackread.com did not conduct the usual in-depth analysis; therefore, the authenticity of the data remains uncertain. However, considering the hacker’s track record with previous leaks, it is reasonable to presume that the documents could be legitimate.

Additionally, according to the online malware samples repository vx-underground, “The Five Eyes (FVEY) are actively hunting him down,” signaling the severity and gravity of the situation and suggesting potential damage caused by IntelBroker to the targeted organizations.

**Who is IntelBroker Exactly?**

IntelBroker is an infamous threat actor/hacker known for high-profile hacks against the US government, businesses, and delivery and logistics firms worldwide. Their previous cyber attacks include breaching the US-based online grocery delivery platform Weee! and leaking the personal details of over 1.1 million customers online.

In the past month, IntelBroker claimed to have breached the US-based multinational corporation General Electric (GE) and offered data, including access related to the US government’s defense R&D agency DARPA, for sale at just $500.

****Impact of Such FOUO Leaks****

The severity of the impact of a FOUO leak will depend on several factors, including the nature of the information that was leaked, the extent to which it was disseminated, and the response of the government and military. However, it is clear that the potential consequences of such leaks are significant and should not be taken lightly. Here are some potential consequences:

**1\. Damage to national security:**

*   Leaked FOUO documents could contain sensitive information about military strategies, troop deployments, weapons systems, or intelligence operations. This information could be used by adversaries to gain an advantage in a conflict or to plan attacks against the United States or its allies.

**2\. Embarrassment and political fallout:**

*   Leaked FOUO documents could reveal embarrassing or damaging information about the government or military. This could lead to public outrage, a loss of confidence in the government, and political pressure to change policies.

**3\. Harm to individuals:**

*   Leaked FOUO documents could contain personal information about military personnel or their families. This information could be used to target individuals for harassment, threats, or even violence.

**4\. Financial loss:**

*   Leaked FOUO documents could reveal information about sensitive government contracts or trade secrets. This could lead to financial losses for the government or private companies.

**5\. Loss of trust in the military:**

*   Repeated leaks of FOUO documents could erode public trust in the military and make it more difficult for the government to recruit and retain personnel.

****_RELATED ARTICLES_****

1.  **Military Satellite Access Sold on Russian Hacker Forum**
2.  **Quest Diagnostics data breach affects 12 million customers**
3.  **Top 10 vulnerable airports where your device can be hacked**
4.  **Top US aerospace services provider breach, loses 1.5 TB of data**
5.  **America’s largest diagnostics service LabCorp suffers data breach**

Hacker IntelBroker Leaks Alleged Sensitive US DoD Documents

When searching for holiday gifts online, make sure you’re buying from a trusted vendor, or if you haven’t heard of the vendor before, take a few extra minutes just to look them up and read their app’s privacy policy.

Thursday, December 7, 2023 14:00

As I wrote about last week, there are holiday shopping-related scams already popping up all over the place.  

But another aspect of security that many shoppers don’t consider this time of year is the security of the products they’re buying, even through a legitimate online marketplace. 

This is a glaring issue with home security cameras and Wi-Fi-connected doorbells, but I can’t imagine these are particularly popular holiday gifts. With virtually everything being connected to the internet somehow these days, everything is a potential security risk if you’re buying a new piece of technology. 

Take smartwatches, for example. Apple Watches and Samsung Galaxy watches are always popular on everyone’s wishlists this time of year because they’re high-priced items you normally wouldn’t buy for yourself. Many shoppers might be looking for a deal this time of year and not looking to spend hundreds on the gift, so any sort of cheaper alternative could be appealing. 

I searched for “smart watches” on Amazon, and the results page displayed four different watches from four different vendors as their “Top Results,” none of which were Samsung and Apple. Well-known vendors are certainly not immune to security issues or vulnerabilities, but at least users can be confident that any known vulnerabilities will be disclosed and patched by these companies as they pop up. 

The top result is for a $29.99 smartwatch that offers sleep tracking, blood pressure monitoring, dozens of different workout modes, step tracking, and more. However, there are a few security flags for me right up front with this deal (after all, if it seems too good to be true, it probably is). Amazon states the seller is a company called “Nerunsa,” but a quick search did not turn up any legitimate information on who this company is, where they’re based, or the sort of security bona fides you’d be hoping for. The only search results are for the company’s Amazon store page and a few eBay listings for people reselling the watch in question. 

The app that’s listed as supporting the watch is called “GloryFit” on the Google Play and Apple app stores, and its privacy policy is equally vague. It states that the app will collect all the suspected information for someone using a smartwatch — phone calls, text messages, GPS location, personal information, health information, etc. But, the policy states that, when the user accepts the privacy policy, “You hereby consent to our process and disclose personal information to our affiliated companies (which are in the communications, social media, technology and cloud businesses) and to Third Party Service Providers for the purposes of this Privacy Policy.” And it’s not particularly clear what those other companies do, exactly — Google was no help here, either. 

Apple Air Tags are also another popular tech gift every year and are usually featured in major retailers’ Black Friday sales. I personally have my own concerns about any type of tracking tag coming into my house, but that’s for another column. 

On Walmart, which is increasingly trying to compete with Amazon by offering more products online, I searched for “smart tag” and found three results that appeared ahead of Apple’s legitimate Air Tags. The second-most-popular result is for a “Bluetooth Tracker and Item Locator” that’s only $15.98, compared to $86.88 for a four-pack of Apple’s. This tracker is listed as being made by “AILIUTOP,” which also remains elusive on the internet and does not seem to have any sort of legitimate contact information available to the public. Their store page on Walmart indicates the seller offers many types of products, from clothing to home goods and more.  

 This seems like a good bargain as a gift for someone who is always losing their keys or wallet or wants to make sure their bicycle is secure when they lock it up somewhere. But purchasing these types of “smart” devices with so much uncertainty poses a few issues. 

If you do experience some sort of security failure or issue, there is no easy way to contact any of these vendors through the traditional means that the average user would go searching for. These vendors have no clear history of responsibly disclosing vulnerabilities, releasing security updates, or testing their products’ security before release. 

When these types of gifts are dealing with such high-profile information like your personal information, health data, or physical location, users should be confident that their information is being stored correctly and securely, or at least there’s a way to contact the vendor should they have any questions. 

When searching for holiday gifts online, make sure you’re buying from a trusted vendor, or if you haven’t heard of the vendor before, take a few extra minutes just to look them up, read their app’s privacy policy, or even read the reviews to make sure there’s no clear sign of bot activity like repetitive words or phrases or using the same photo for multiple reviews.  

**The one big thing **

The 2023 Cisco Talos Year in Review is now available to download. Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out. 

**Why do I care? **

The Year in Review report includes new data and telemetry from Talos about attacker trends, popular malware seen in the wild, and much more. Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, our report shows that the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.   

**So now what? **

Download our full report here, bookmark the Year in Review landing page for future content we have planned around the report, and listen to the Beers with Talos episode that covers the details of the report. 

**Top security headlines of the week **

**More than six million people are reportedly victims of a large data breach at DNA and genealogy testing firm 23andMe.** The breach is larger than initially expected, with more than 5.5 million users who opted into the company’s “DNA Relatives” feature, which allows customers to automatically share some of their data with other users. Another 1 million-plus users had their family tree information accessed. The attackers accessed the accounts because of password reuse from users, likely who used easy-to-guess login information or passwords they used across multiple other accounts. 23andMe was not the target of the initial breach, nor was a company account the source of the compromised credentials. Security experts are urging users to move away from traditional username-and-password login methods as these types of attacks happen more often, instead moving toward multi-factor authentication or passwordless logins. (TechCrunch, Wall Street Journal) 

**Apple released emergency fixes for two zero-day vulnerabilities in its WebKit browser engine that have already been exploited in the wild.** The company reported that the flaws are being exploited on devices running on iOS versions before iOS 16.7.1 (released on Oct. 10, 2023). There are new patches available, which users should install immediately, in iOS, iPadOS, macOS Sonoma and the Safari web browser. The two vulnerabilities tracked as CVE-2023-42916 and CVE-2023-42917, leave affected devices vulnerable to adversaries accessing sensitive information on targeted devices. CVE-2023-42917 could also allow an attacker to execute arbitrary code on the targeted machine. (SC Magazine, Decipher) 

**Security researchers say a new threat actor known as “AeroBlade” compromised a U.S. aerospace company for more than a year.** The actor reportedly started testing their malware and infection chain on the targeted network in September 2022 and executed malware on the network in July 2023. The activity sat undetected for months due to anti-analysis techniques. It is currently unknown what actions, if any, the actor carried out during that time or if they compromised any user or customer data. The initial infection began with a Microsoft Word lure document with the title, “"SOMETHING WENT WRONG Enable Content to load the document." The ensuing malicious Microsoft Word template (DOTM) file then loaded a DLL that served as a reverse shell. Researchers say the attacker’s intent was likely to steal data from the target to sell it, potentially supply it to international competitors, or use it to extort the target into paying a ransom. (Dark Reading, Bleeping Computer)  

**Can’t get enough Talos? **

Security journalists from Decipher bring you the headlines, including new U.S. government sanctions on threat actor groups in our latest Threat Spotlight video.

Then, Hazel chats to Talos security researcher Joe Marshall to discuss the Talos 2023 Year in Review, and Project PowerUp, the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to help “keep the lights on” in Ukraine, by injecting a measure of stability in Ukraine’s power transmission grid.

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

_The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

_Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

_The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Cybersecurity considerations to have when shopping for holiday gifts

Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authenticated attackers to extract sensitive files in the host machine.

**Directory Traversal in Gladys Assistant**

Moderate severity GitHub Reviewed Published Dec 7, 2023 to the GitHub Advisory Database • Updated Dec 12, 2023

GHSA-c79f-pqgf-fhp3: Directory Traversal in Gladys Assistant

By Deeba Ahmed
Discovered by the cybersecurity researchers at Group-IB; the new Linux RAT, dubbed Krasue, is targeting telecom firms in Thailand.
This is a post from HackRead.com Read the original post: New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms

The Krasue Linux RAT is quite sophisticated, and equipped with the capability to evade detection through Rootkit and RTSP communication.

Group-IB, a leading cybersecurity company, has uncovered a sophisticated new Linux RAT (Remote Access Trojan) they have dubbed “Krasue.” The malware is actively targeting organizations, mainly telecommunication firms, in Thailand and has been active since 2021.

GroupIB’s Threat Intelligence unit researchers found that Krause operates by gaining access to the targeted network and uses its rootkit capabilities to maintain persistence and ensure stealthy access.

The researchers are still investigating the initial infection vector and the full scale of the RAT’s usage. However, they believe that potential methods include vulnerability exploitation, deceptive downloads, and credential brute force attacks.

A notable feature of Krause is that it uses the Real Time Streaming Protocol (RTSP) for communication with its C2 server. This is an unusual tactic and is most likely used to evade detection by security software.

Profile of Krasue RAT (Credit: Group-IB)

Report author Sharmine Low, Group-IB’s Malware Analyst, wrote that Krause is named after a nocturnal spirit mentioned in Southeast Asian folklore. It lets cybercriminals remotely access and control compromised systems and remain undetected for a significant period.

Krasue uses multiple embedded rootkits to ensure compatibility with different Linux kernel versions. Interestingly, as with several other Linux rootkits, Krasue’s rootkit draws its functionalities from publicly available sources, specifically incorporating code from three open-source Linux Kernel Module rootkits.

This embedded rootkit can hook key system calls like kill(), network-related functions, and file listing operations to effectively mask its presence and evade detection. Researchers believe that this RAT was created by the same person who developed the XorDdos Linux Trojan or someone who has access to its source code.

Benyatip Hongto, Group-IB’s Business Development Manager in Thailand, highlighted the company’s commitment and proactive efforts to fighting cybercrime, including the planned opening of a Digital Crime Resistance Center in Thailand and their partnership with leading cybersecurity distributor nForce.

Upon discovering Krause, Group-IB researchers promptly notified their Threat Intelligence customers and published a report with YARA rules, which was shared with Thai authorities including ThaiCERT and TTC-CERT.

This revelation underscores the ever-looming threat of cyber risks and the need for strong cybersecurity measures. Organizations must be aware of threats like Krause and implement suitable security measures like strict access control, regular patching, and advanced threat detection solutions.

****_RELATED ARTICLES_****

1.  **New Cylance Ransomware Targets Linux and Windows**
2.  **Patched OpenSSH Exploited for IoT, Linux Cryptomining**
3.  **Free Download Manager Site Pushed Linux Password Stealer**
4.  **Kinsing Crypto Malware Hits Linux Systems via Apache Flaw**
5.  **Hamas Targeting Israelis with New BiBi-Linux Wiper Malware**

New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms

Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formAdvancedSetListSet.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49404: TENDA/w30e/tenda_w30e_setAdvancedSetList/w30e_setAdvancedSetList.md at main · GD008/TENDA

Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function UploadCfg.

CVE-2023-49405: TENDA/w30e/tenda_w30e_UploadCfg/w30e_UploadCfg.md at main · GD008/TENDA

Tenda W30E V16.01.0.12(4843) was discovered to contain a Command Execution vulnerability via the function /goform/telnet.

Tag

#git