Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability.

\[CVE ID\]

CVE-2023-27667

\[PRODUCT\]

Auto Dealer Management System - v 1.0

\[VERSION\]

Auto Dealer Management System - v 1.0

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

SQL Injection on page view\_car\_type.php and parameter is id, application url is (/view\_car\_type.php?id=?)

Can be called without authorized access.

CVE-2023-27667: CVE-2023-27667

Ubuntu Security Notice 6012-1 - It was discovered that Smarty incorrectly parsed blocks' names and included files' names. A remote attacker with template writing permissions could use this issue to execute arbitrary PHP code.

==========================================================================  
Ubuntu Security Notice USN-6012-1  
April 13, 2023

smarty3 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Smarty could be made to crash or run programs if it received a specially  
crafted template.

Software Description:  
- smarty3: The compiling PHP template engine

Details:

It was discovered that Smarty incorrectly parsed blocks' names and  
included files' names. A remote attacker with template writing permissions  
could use this issue to execute arbitrary PHP code. (CVE-2022-29221)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   smarty3                         3.1.39-2ubuntu1.22.10.1

Ubuntu 22.04 LTS:  
   smarty3                         3.1.39-2ubuntu1.22.04.1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6012-1  
   CVE-2022-29221

Package Information:  
https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.10.1  
https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.04.1

Ubuntu Security Notice USN-6012-1

A novel credential harvester compromises SMTP services to steal data from a range of hosted services and providers, and can also launch SMS-based spam attacks against devices using US mobile carriers.

Threat actors are selling a novel credential harvester and hacktool via a Telegram channel, which can exploit numerous Web-based services to steal credentials. It also has the bonus ability to launch SMS-based spam attacks that target US-based mobile devices as well, the researchers have found.

Researchers from Cado Security uncovered the Python-based credential stealer, called Legion, which has links to both the AndroxGh0st malware family and another previously discovered malware, they revealed in a blog post published today.

Legion's primary means of attack is to compromise misconfigured Web servers running content management systems (CMS), PHP, or PHP-based frameworks, such as Laravel, the researchers noted. Once installed, it contains several methods for retrieving credentials from the servers: by targeting the Web server software itself, scripting languages, or frameworks on which the server is running. The malware attempts to request resources from these known to contain secrets, parses them, and saves the secrets into results files sorted on a per-service basis, the researchers said.

"One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based Web applications," wrote Matt Muir, threat intelligence researcher at Cado Security, in the analysis. "The malware maintains a list of likely paths to this file, as well as similar files and directories for other Web technologies."

Legion then marches on to steal credentials from myriad Web-based sources and services —such as email providers, cloud service providers, server-management systems, databases, and payment platforms like Stripe and PayPal, the researchers said. And Legion can brute-force credentials to Amazon Web Services (AWS), which is consistent with similar functionality in AndroxGh0st, according to analysis of that malware by researchers at Lacework, Muir said. 

In addition to credential theft, Legion includes traditional hacktool functionality that can exploit well-known PHP vulnerabilities to register a Webshell or remotely execute malicious code, Muir tells Dark Reading.

"It is an SMTP abuse tool primarily, but it relies on opportunistic exploitation of misconfigured Web services to harvest credentials for said abuse," he says. "It also bundles additional functionality traditionally found in more common hacktools, such as the ability to execute Web-server-specific exploit code and brute force account credentials."

As mentioned, one unique aspect of the malware is that along with stealing credentials and general hacking, it also can automatically send SMS spam messages to mobile network users based in the United States, including subscribers to AT&T, Boost Mobile, Cingular, Sprint, Verizon, and more. This feature is one not often, if ever, seen in a credential harvester, the researchers noted.

This function is fairly basic: It retrieves the area code from the website www.randomphonenumbers.com, then tries different combinations of numbers to find a workable phone number.

"To retrieve the area code, Legion uses Python's BeautifulSoup HTML parsing library," Muir wrote. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential-harvesting modules, he added.

**Widespread Malware Distribution via Telegram**

A public Telegram group with more than 1,000 members to which Cado researchers gained access is distributing Legion, which also has a dedicated YouTube channel containing tutorial videos on the malware, the researchers said.

The malware is also being advertised by other Telegram groups to reach about 5,000 users in total. These combined factors indicate that Legion already has a loyal following and is likely a for-purchase offering under a perpetual license model, Muir said.

"While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high," he wrote in the post. "Related research indicates that there are a number of variants of this malware, likely with their own distribution channels."

While the researchers have not identified the definitive source of Legion, several Indonesian-language comments on the YouTube channel suggest that the developer may be Indonesian or based in Indonesia, and references to user with the handle "my13gion" in the Telegram group also offer clues to its source, they said.

Moreover, in a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky, with a profile suggesting that this user is located in Indonesia. Still, it's not clear if Rizky is the developer behind Legion, or if his code just happens to be found in the sample analyzed by Cado, the researchers said.

**How to Mitigate & Assess Legion's Cyber-Risk**

Researchers included a list of indicators of compromise (IoCs), as well as a list of targeted US mobile carriers in the blog post to help organizations or device users know if they've been compromised by Legion or could be a target of the malware, respectively.

Given the malware's reliance on misconfigurations in Web servers or frameworks to access systems, Cado recommends that organizations and other users of these technologies review existing security processes and ensure that secrets are appropriately stored. Moreover, if credentials are stored in a .env file, this file should be outside Web server directories so that it's inaccessible from the Web, the researchers said.

Organizations using cloud providers such as AWS and Microsoft Azure should also keep in mind their shared-responsibility obligations under the terms of use for those platforms to ensure their Web servers are configured properly, Muir says. A compromise by the malware "would likely fall under the user's remit in a shared responsibility context," he says.

Additionally, AWS users should also be aware of Legion's targeting of the platform's identity access management (IAM) and simple email service (SES) in its attempt to gain AWS credentials. To mitigate this risk, organizations should look out for user accounts that show a change in the IAM user registration code to include an "Owner" tag with the hardcoded value "ms.boharas," which is a hallmark of the malware, the researchers said.

Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users

By Waqas
The Legion malware is capable of stealing credentials from misconfigured or exposed servers and is linked to the AndroxGh0st malware family.
This is a post from HackRead.com Read the original post: Legion: Credential Harvesting & SMS Hijacking Malware Sold on Telegram

**The new Python-based Legion malware is being linked to a potential Indonesian developer.**

Cloud forensics and incident response platform startup, Cado Security Ltd., has revealed details of a new credential harvester and hacking tool called “Legion.”

According to researchers, Legion is being sold on Telegram and is designed to exploit various services for email abuse. The tool is believed to be linked to the AndroxGh0st malware family which was first reported in December 2022.

The use of Telegram for selling Legion malware should not come as a surprise, as the popular messaging platform has often been associated with illegal activities. In fact, just last week, **it was reported** that threat actors are leveraging Telegram to automate phishing attacks, highlighting the platform’s role in facilitating cybercriminal activities.

Legion specifically targets web servers running content management systems, PHP or PHP-based frameworks. It has the ability to retrieve credentials for a wide range of web services, including email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe Inc. and PayPal Holdings Inc. Additionally, Legion can hijack SMS messages and compromise Amazon Web Services Inc. credentials.

One notable feature of Legion is its availability of modules that can enumerate vulnerable SMTP servers, conduct remote code execution, exploit vulnerable versions of Apache, and brute-force cPanel and WebHost Manager accounts.

It also interacts with the **Shodan Search Engine**‘s API to retrieve a target list and has modules focused on abusing AWS services. Researchers have also highlighted Legion’s ability to send SMS spam messages to mobile network users in the United States across all carriers, which sets it apart from other similar tools.

Legion is being sold on various Telegram channels and is being promoted on YouTube through tutorial videos, suggesting that it is widely distributed and likely paid malware.

While the origin of the malware is not confirmed, comments found in Bahasa Indonesia suggest that the developer may be Indonesian or based in Indonesia. A GitHub Gist link leads to a user named “Galeh Rizky” with a profile indicating residence in Indonesia.

As a precaution, Cado Security researchers recommend in their **report** that users of web server technologies and frameworks like Laravel review their existing security processes and ensure that credentials are appropriately stored.

Ideally, sensitive information such as credentials should be stored in a .env file outside of web server directories to prevent unauthorized access.

Legion splash screen (Cado Labs)

The discovery of Legion highlights the ongoing threat of credential harvesting and hacking tools in the cybersecurity landscape. It serves as a reminder for organizations to prioritize robust security measures and stay vigilant against evolving cyber threats.

On the other hand, the trend of using Telegram as a platform for buying and selling malware is concerning, as it provides a convenient and anonymous means for cybercriminals to conduct illicit activities.

1.  360 Million WhatsApp Records Leaked on Telegram
2.  Hackers turn to Telegram to assist Iranian protestors
3.  Telegram and Discord Bots Drop Infostealing Malware
4.  Fake Telegram and WhatsApp clones steal crypto funds
5.  21M SuperVPN, GeckoVPN user data leaked on Telegram

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Legion: Credential Harvesting & SMS Hijacking Malware Sold on Telegram

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.

**Welcome to bloofoxCMS**

  
bloofoxCMS is a free open source content management system (CMS). bloofoxCMS is a small and easy to use CMS. It enables you to manage websites and intranet sites on a very simple way. It is slim but also flexible. You may use and download it **free of charge** without any limitations. But it would be a great pleasure to receive a small donation.

  
\[ Features \] \[ Download \]

**bloofoxCMS Key Features**

  

Very **easy installation** over web browser by using an automated install process with only 2 steps. If you prefer a manual setup just use our SQL dump files.

**Easy to use admin panel** with structured areas. You need only a short training period. The Admincenter includes an intuitive user interface.

More simply and fast expandable program code also for PHP beginners. Every php developer is able to extend the code with additional individual code lines.

Fast customization und creation of individual template designs with HTML or XHTML and CSS (cascading stylesheets). Our **templates are completely free of PHP code**. Even web designers without PHP knowledge can create templates.

   

  
**Latest News**

bloofoxCMS 0.5.2.1 available

Read more

bloofoxCMS 0.5.1 available

Read more

bloofoxCMS now available on github

Read more

**Make a donation**

You may help us by making a little donation. Please click the image beside. Thanks for your support!

CVE-2023-27812: bloofoxCMS - Home

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

This is the message page of the front desk  

Find the back-end code through the front page. The ischeck is to judge whether the content of the message is displayed on the page. There are several key functions in the picture.  
Function call flow:  
index() calls checkDate()  
checkDate() calls the filter\_strs($\_POST) function to filter strings  
checkDate() calls the p() function again to prevent injection  
The p() function calls the filter\_sql() function to filter the reserved characters of mysql to prevent injection  
Then index() continues execution and calls the add() function  
The add() function calls the addModel() function in turn  
addModel() function and then addDB() function  
$sql in the addDB() function is an insert statement, where the value of $value comes from $data, and the value of $date is a parameter we can control.  
  
  
  
  
  
  

Add echo $sql to output complete sql statement, which is convenient for constructing payload.  

Packet analysis  

After inserting the page, the message will not be displayed, only when ischeck=1 will it be displayed in the foreground  
  

There are a lot of filtering functions in the previous code, but I found that these filtering functions only filter the 'value' in the array $data, but not the 'key', and the front page will echo only when ischeck=1 , so construct the payload and close the INSERT statement.  
payload: name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1  
  

Protection Advice  
Filter the keys in the array as well

CVE-2023-29598: lmxcms v1.4.1 Front page sql injection · Issue #3 · jspring996/PHPcodecms

bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-29597: bloofox 0.5.2 sql injection · Issue #2 · jspring996/PHPcodecms

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

<?php return \['ISO-8859-1', 'ISO-8859-2', 'ISO-8859-3', 'ISO-8859-4', 'ISO-8859-5', 'ISO-8859-6', 'ISO-8859-7', 'ISO-8859-8', 'ISO-8859-9', 'ISO-8859-10', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'WINDOWS-1251', 'WINDOWS-1252', 'WINDOWS-1254', 'CP932', 'CP936', 'CP950', 'CP866', 'CP850', 'CP51932', 'CP50220', 'CP50221', 'CP50222', 'ISO-2022-JP', 'ISO-2022-KR', 'JIS', 'JIS-ms', 'EUC-CN', 'EUC-JP', 'ANSI\_X3.4-1968', 'ANSI\_X3.4-1986', 'ASCII', 'CP367', 'IBM367', 'ISO-IR-6', 'ISO646-US', 'ISO\_646.IRV:1991', 'US', 'US-ASCII', 'CSASCII', 'UTF-8', 'ISO-10646-UCS-2', 'UCS-2', 'CSUNICODE', 'UCS-2BE', 'UNICODE-1-1', 'UNICODEBIG', 'CSUNICODE11', 'UCS-2LE', 'UNICODELITTLE', 'ISO-10646-UCS-4', 'UCS-4', 'CSUCS4', 'UCS-4BE', 'UCS-4LE', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UNICODE-1-1-UTF-7', 'UTF-7', 'CSUNICODE11UTF7', 'UCS-2-INTERNAL', 'UCS-2-SWAPPED', 'UCS-4-INTERNAL', 'UCS-4-SWAPPED', 'C99', 'JAVA', 'CP819', 'IBM819', 'ISO-IR-100', 'ISO8859-1', 'ISO\_8859-1', 'ISO\_8859-1:1987', 'L1', 'LATIN1', 'CSISOLATIN1', 'ISO-IR-101', 'ISO8859-2', 'ISO\_8859-2', 'ISO\_8859-2:1987', 'L2', 'LATIN2', 'CSISOLATIN2', 'ISO-IR-109', 'ISO8859-3', 'ISO\_8859-3', 'ISO\_8859-3:1988', 'L3', 'LATIN3', 'CSISOLATIN3', 'ISO-IR-110', 'ISO8859-4', 'ISO\_8859-4', 'ISO\_8859-4:1988', 'L4', 'LATIN4', 'CSISOLATIN4', 'CYRILLIC', 'ISO-IR-144', 'ISO8859-5', 'ISO\_8859-5', 'ISO\_8859-5:1988', 'CSISOLATINCYRILLIC', 'ARABIC', 'ASMO-708', 'ECMA-114', 'ISO-IR-127', 'ISO8859-6', 'ISO\_8859-6', 'ISO\_8859-6:1987', 'CSISOLATINARABIC', 'ECMA-118', 'ELOT\_928', 'GREEK', 'GREEK8', 'ISO-IR-126', 'ISO8859-7', 'ISO\_8859-7', 'ISO\_8859-7:1987', 'ISO\_8859-7:2003', 'CSISOLATINGREEK', 'HEBREW', 'ISO-IR-138', 'ISO8859-8', 'ISO\_8859-8', 'ISO\_8859-8:1988', 'CSISOLATINHEBREW', 'ISO-IR-148', 'ISO8859-9', 'ISO\_8859-9', 'ISO\_8859-9:1989', 'L5', 'LATIN5', 'CSISOLATIN5', 'ISO-IR-157', 'ISO8859-10', 'ISO\_8859-10', 'ISO\_8859-10:1992', 'L6', 'LATIN6', 'CSISOLATIN6', 'ISO-8859-11', 'ISO8859-11', 'ISO\_8859-11', 'ISO-IR-179', 'ISO8859-13', 'ISO\_8859-13', 'L7', 'LATIN7', 'ISO-CELTIC', 'ISO-IR-199', 'ISO8859-14', 'ISO\_8859-14', 'ISO\_8859-14:1998', 'L8', 'LATIN8', 'ISO-IR-203', 'ISO8859-15', 'ISO\_8859-15', 'ISO\_8859-15:1998', 'LATIN-9', 'ISO-IR-226', 'ISO8859-16', 'ISO\_8859-16', 'ISO\_8859-16:2001', 'L10', 'LATIN10', 'KOI8-R', 'CSKOI8R', 'KOI8-U', 'KOI8-RU', 'CP1250', 'MS-EE', 'WINDOWS-1250', 'CP1251', 'MS-CYRL', 'CP1252', 'MS-ANSI', 'CP1253', 'MS-GREEK', 'WINDOWS-1253', 'CP1254', 'MS-TURK', 'CP1255', 'MS-HEBR', 'WINDOWS-1255', 'CP1256', 'MS-ARAB', 'WINDOWS-1256', 'CP1257', 'WINBALTRIM', 'WINDOWS-1257', 'CP1258', 'WINDOWS-1258', '850', 'IBM850', 'CSPC850MULTILINGUAL', '862', 'CP862', 'IBM862', 'CSPC862LATINHEBREW', '866', 'IBM866', 'CSIBM866', 'MAC', 'MACINTOSH', 'MACROMAN', 'CSMACINTOSH', 'MACCENTRALEUROPE', 'MACICELAND', 'MACCROATIAN', 'MACROMANIA', 'MACCYRILLIC', 'MACUKRAINE', 'MACGREEK', 'MACTURKISH', 'MACHEBREW', 'MACARABIC', 'MACTHAI', 'HP-ROMAN8', 'R8', 'ROMAN8', 'CSHPROMAN8', 'NEXTSTEP', 'ARMSCII-8', 'GEORGIAN-ACADEMY', 'GEORGIAN-PS', 'KOI8-T', 'CP154', 'CYRILLIC-ASIAN', 'PT154', 'PTCP154', 'CSPTCP154', 'KZ-1048', 'RK1048', 'STRK1048-2002', 'CSKZ1048', 'MULELAO-1', 'CP1133', 'IBM-CP1133', 'ISO-IR-166', 'TIS-620', 'TIS620', 'TIS620-0', 'TIS620.2529-1', 'TIS620.2533-0', 'TIS620.2533-1', 'CP874', 'WINDOWS-874', 'VISCII', 'VISCII1.1-1', 'CSVISCII', 'TCVN', 'TCVN-5712', 'TCVN5712-1', 'TCVN5712-1:1993', 'ISO-IR-14', 'ISO646-JP', 'JIS\_C6220-1969-RO', 'JP', 'CSISO14JISC6220RO', 'JISX0201-1976', 'JIS\_X0201', 'X0201', 'CSHALFWIDTHKATAKANA', 'ISO-IR-87', 'JIS0208', 'JIS\_C6226-1983', 'JIS\_X0208', 'JIS\_X0208-1983', 'JIS\_X0208-1990', 'X0208', 'CSISO87JISX0208', 'ISO-IR-159', 'JIS\_X0212', 'JIS\_X0212-1990', 'JIS\_X0212.1990-0', 'X0212', 'CSISO159JISX02121990', 'CN', 'GB\_1988-80', 'ISO-IR-57', 'ISO646-CN', 'CSISO57GB1988', 'CHINESE', 'GB\_2312-80', 'ISO-IR-58', 'CSISO58GB231280', 'CN-GB-ISOIR165', 'ISO-IR-165', 'ISO-IR-149', 'KOREAN', 'KSC\_5601', 'KS\_C\_5601-1987', 'KS\_C\_5601-1989', 'CSKSC56011987', 'EUCJP', 'EXTENDED\_UNIX\_CODE\_PACKED\_FORMAT\_FOR\_JAPANESE', 'CSEUCPKDFMTJAPANESE', 'MS\_KANJI', 'SHIFT-JIS', 'SHIFT\_JIS', 'SJIS', 'CSSHIFTJIS', 'CSISO2022JP', 'ISO-2022-JP-1', 'ISO-2022-JP-2', 'CSISO2022JP2', 'CN-GB', 'EUCCN', 'GB2312', 'CSGB2312', 'GBK', 'MS936', 'WINDOWS-936', 'GB18030', 'ISO-2022-CN', 'CSISO2022CN', 'ISO-2022-CN-EXT', 'HZ', 'HZ-GB-2312', 'EUC-TW', 'EUCTW', 'CSEUCTW', 'BIG-5', 'BIG-FIVE', 'BIG5', 'BIGFIVE', 'CN-BIG5', 'CSBIG5', 'BIG5-HKSCS:1999', 'BIG5-HKSCS:2001', 'BIG5-HKSCS', 'BIG5-HKSCS:2004', 'BIG5HKSCS', 'EUC-KR', 'EUCKR', 'CSEUCKR', 'CP949', 'UHC', 'CP1361', 'JOHAB', 'CSISO2022KR', 'CP856', 'CP922', 'CP943', 'CP1046', 'CP1124', 'CP1129', 'CP1161', 'IBM-1161', 'IBM1161', 'CSIBM1161', 'CP1162', 'IBM-1162', 'IBM1162', 'CSIBM1162', 'CP1163', 'IBM-1163', 'IBM1163', 'CSIBM1163', 'DEC-KANJI', 'DEC-HANYU', '437', 'CP437', 'IBM437', 'CSPC8CODEPAGE437', 'CP737', 'CP775', 'IBM775', 'CSPC775BALTIC', '852', 'CP852', 'IBM852', 'CSPCP852', 'CP853', '855', 'CP855', 'IBM855', 'CSIBM855', '857', 'CP857', 'IBM857', 'CSIBM857', 'CP858', '860', 'CP860', 'IBM860', 'CSIBM860', '861', 'CP-IS', 'CP861', 'IBM861', 'CSIBM861', '863', 'CP863', 'IBM863', 'CSIBM863', 'CP864', 'IBM864', 'CSIBM864', '865', 'CP865', 'IBM865', 'CSIBM865', '869', 'CP-GR', 'CP869', 'IBM869', 'CSIBM869', 'CP1125', 'EUC-JISX0213', 'SHIFT\_JISX0213', 'ISO-2022-JP-3', 'BIG5-2003', 'ISO-IR-230', 'TDS565', 'ATARI', 'ATARIST', 'RISCOS-LATIN1'\];

CVE-2023-2021: 3.0.3 · nilsteampassnet/TeamPass@77c541a

An emerging Python-based credential harvester and a hacking tool named Legion are being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and

An emerging Python-based credential harvester and a hacking tool named **Legion** is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.

Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts.

The malware is suspected to be linked to another malware family called AndroxGh0st that was first documented by cloud security services providerLacework in December 2022.

Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services.

"Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir told The Hacker News. "Developers of these tools often steal each other's code, making attribution to a particular group difficult."

Besides using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks like Laravel.

"It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal," Cado Labs said.

Some of the other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting opportunistic phishing campaigns.

The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting mass spam and opportunistic phishing campaigns.

The cybersecurity firm said it also discovered a YouTube channel containing tutorial videos on how to use Legion, suggesting that the "tool is widely distributed and is likely paid malware." The YouTube channel, which was created on June 15, 2021, remains active as of writing.

Furthermore, Legion retrieves AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers.com," security researcher Matt Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Furthermore, Legion can retrieve AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin by leveraging the stolen SMTP credentials.

"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers\[.\]com," Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

Another notable aspect of Legion is its ability to exploit well-known PHP vulnerabilities to register a web shell for persistent remote access or execute malicious code.

The origins of the threat actor behind the tool, who goes by the alias "forzatools" on Telegram, remain unknown, although the presence of Indonesian-language comments in the source code indicates that the developer may be Indonesian or based in the country.

"Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it's recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored," Muir said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Python-Based "Legion" Hacking Tool Emerges on Telegram

Sielco PolyEco Digital FM Transmitter version 2.0.6 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks to gain full control of the system.

    Sielco PolyEco Digital FM Transmitter 2.0.6 Default CredentialsVendor: Sielco S.r.lProduct web page: https://www.sielco.orgAffected version: PolyEco1000 CPU:2.0.6 FPGA:10.19                  PolyEco1000 CPU:1.9.4 FPGA:10.19                  PolyEco1000 CPU:1.9.3 FPGA:10.19                  PolyEco500 CPU:1.7.0 FPGA:10.16                  PolyEco300 CPU:2.0.2 FPGA:10.19                  PolyEco300 CPU:2.0.0 FPGA:10.19Summary: PolyEco is the innovative family of high-end digitalFM transmitters of Sielco. They are especially suited as highperformance power system exciters or compact low-mid powertransmitters. The same cabinet may in fact be fitted with 50,100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,1000).All features can be controlled via the large touch-screen display4.3" or remotely. Many advanced features are inside by defaultin the basic version such as: stereo and RDS encoder, audiochange-over, remote-control via LAN and SNMP, "FFT" spectralanalysis of the audio sources, SFN synchronization and much more.Desc: The FM transmitter uses a weak set of default administrativecredentials that can be easily guessed in remote password attacksand gain full control of the system.Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5764Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5764.php26.01.2023--User role:----------Username: userPassword: 1234Admin role:-----------Username: adminPassword: sielco1

Tag

#php