Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.

Thursday, September 26, 2024 09:00

*   Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. 
*   This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders. 
*   The breadth of different sources of spam suggests that the attackers have automated the process of initially identifying web infrastructure vulnerable to abuse. However, the complexity of executing each individual attack suggests more human involvement. 
*   Attackers are also testing credentials obtained from data breaches by credential stuffing IMAP and SMTP accounts. 

Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. 

There are many ways spammers accomplish this task: One is to abuse web pages connected to backend SMTP infrastructure, and another uses breached email/password credentials to try and log into email accounts they can use to send spam. Cisco Talos has new research that explores both styles of attack and delves into some of the tools used by spammers. 

**Web form abuse **

The HTML <form> tag was released with HTML version 2.0, nearly 30 years ago. Since then, spammers have found creative ways to abuse web forms. The lack of proper input validation left many of these forms open to manipulation by attackers. Over time, these HTML form attacks became more sophisticated, sometimes employing cross-site scripting or SQL injection. Many administrators learned the hard way that their forms were vulnerable and were forced to harden their forms as a result. However, spammers are a persistent bunch, and they look for anything they can use to facilitate malicious activities. Creative spammers have realized that \*any\* web form that triggers an email back to the user can be abused. 

**Online account registration **

Many websites allow users to sign up for an account and log in to access specific features or content. Typically, upon successful user registration, an email is triggered back to the user to confirm the account. In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link. 

An example spam message exploiting an account signup form

**Event signup **

Like account registration, many websites let users register to participate in an event. Again, poor input validation and sanitization is prevalent on many of these sites, allowing the spammers to overload the name field with text and URLs. 

An example spam message exploiting an event registration form

Contact forms sometimes send users a copy of their form responses. This could be a checkbox on the form or an automatic reply. Again, the spammers rely on poor input validation and sanitization to transmit text and URLs to the victim. 

An example spam message exploiting a web site contact form

**Google Quizzes, Calendar, Groups and other apps **

Talos previously reported on spammers abusing Google Quizzes. But that is not the only Google software that spammers have been abusing. Google Drawings, Sheets, Forms, Calendar and Groups all contain similar vulnerabilities that allow spammers to send unsolicited emails to victims. Additionally, by using a variety of Google applications, and ones that are located in different countries, they can largely avoid detection by Google. 

These messages from Google require some significant pre-attack setup. For example, to send spam from Google Quizzes, the attackers must set up a quiz and configure it correctly, then they must fill out the quiz, masquerading as the victim. Then, the attackers must log back into the Google Quiz they created to “grade” the results and send the quiz score email back to the victim. This suggests a significant human interaction on the part of the spammers. 

An example spam message sent via Google Drawings

An example spam message sent via Google Sheets

An example spam message sent via Google Forms

An example spam message sent via Google Calendar

An example spam message sent via Google Groups

Unfortunately for defenders, there is very little we can do to defend against such spam messages. Most of the emails sent by these contact forms are legitimate, so the malicious email blends in with the otherwise legitimate traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate.   

**SMTP server credential stuffing **

Have you ever wondered what cyber criminals do with all the information they’ve obtained in a data breach? If the stolen dataset contains email address usernames and passwords, then it is quite probable that those same credentials will work in other places. Trying the same set of credentials at other sites is known as “credential stuffing.”  

One of the main ways cybercriminals leverage stolen credentials is attempting to access the victim’s email. POP/IMAP servers are often juicy targets, because if an attacker can access a person’s email inbox, then they can find other accounts used by the victim, account usernames/passwords, cryptocurrency wallet keys or perhaps other lucrative, sensitive personal information. Attackers can also leverage access to the victim’s inbox to receive email-based multifactor authentication codes or password resets. 

One of the other, lesser-known ways attackers leverage stolen credentials is on the outbound side of the victim’s mailbox. If an attacker can log into the outbound smtp server as the victim, they can send out email using the victim’s email server. This provides the cybercriminal with a legitimate mail server and domain which are not likely blocked by various spam real-time blackhole lists (RBLs). 

How do cybercriminals locate mailboxes that have working credentials? Typically, the attacker will set up a personal mailbox somewhere (Yahoo, Gmail, etc.) and then send themselves test messages using the stolen credentials at the outbound SMTP server matching the email address’ domain. Some criminals have turned this into an online business by finding working SMTP server credentials and selling them to others. 

__A test email from Smart Tools Shop. The price of working SMTP server credentials is $6__

__The Smart Tools Shop interface shows the typical prices of SMTP server credentials__ 

There are also open-source tools used for these sorts of activities. Among the tools Talos sees most frequently are MadCat and MailRip, both of which are available to download and run on GitHub. 

The MadCat SMTP cracker tool found on Github

 MadCat is an open-source SMTP tool that includes credential-stuffing capabilities. The test emails can be recognized from the Subject header: “Subject: You get a new smtp”. Among some of MadCat’s advertised features is the ability to skip emails hosted by known security vendors such as Cisco. This feature is implemented rather poorly, however, because the code used to skip “dangerous emails” is simply a regular expression with words like “cisco,” “cloudflare,” “proofpoint,” etc., as if spam traps implemented by security organizations are all run out of the main corporate domain name (S_poiler alert: they are not_). 

__MailRip is another open-source tool capable of credential stuffing in outbound SMTP servers__

Another tool that Talos frequently sees performing credential stuffing is a program named MailRip. Although it contains a disclaimer that the code is not to be used “for any kind of illegal activity,” it is a tool primarily designed to facilitate checking username/password combos on IMAP servers and outbound SMTP servers. 

Besides these commercial and open-source tools, Talos also sees attackers who have “rolled their own” tools used for this activity. Typically, the Subject headers are a giveaway that the messages are test emails looking for valid SMTP accounts. However, some of the subject headers and email bodies of test messages are encoded/encrypted. Below are some of the more frequent Subject headers Talos has encountered. 

**Common Credential Stuffing Test Message Subject headers:**   
Subject: Mail Inbox Test IDF50F22   
Subject: You get a new smtp **_(from MadCat SMTP cracker tool)_**   
Subject: smtp id 2496130   
Subject: g1ukczr0iz3b6o6xsk0al0tyqy8ggr **_(encrypted/encoded Subject/Body)_**   
Subject: test   
Subject: Testing: mx.example.com   
Subject: new SMTP from MadCat checker   
Subject: Smart Tools Shop - Test SMTP ID: 1016587   
Subject: MailRip Test Result ID0BAB7A **_(from MailRip Tool)_**   
Subject: !XProad mx.example.com|2525|nywepaq@example.com|f29r21caT4. **_(from Laravel Monster Tool)_**   
Subject: SMTP Check #131085 - Jemex Shop   
Subject: TESTING RELAY!   
Subject: SMTP Check #6148 - Spyxe Shop   
Subject: Your Account ID #62363   
Subject: Mail Test Result ID0CD637.    
Subject: aloha: 127.0.0.255   
Subject: Mail Auto-Email ID86E8A6   
Subject: Mail Email Test ID23CB4D   
Subject: Mail Test Result IDD762AB   
Subject: =?utf-8?q?New\_working\_smtp\_=2350131001?=  

**Thwarting SMTP server credential stuffers **

One way Talos has tried to thwart these types of attacks is to make them believe that the actors have found a working outbound email account.  

To accomplish this, Talos has configured some of our spam traps to deliver those messages we have identified by Subject as test messages from the credential stuffers, while every other email is sent to various internal anti-spam systems for processing. Once the credential stuffers believe they have found a valid account, they typically turn on the spam firehose, which causes all the connecting IP addresses to be dinged for sending spam, which significantly affects those addresses' ability to deliver mail to the inbox. 

 The anti-spam industry has largely been successful at driving a wedge between legitimate senders and spammers, causing spammers to seek out new ways to deliver their mail.  

Rather than send directly, these spammers have chosen to try and blend in with legitimate traffic to make their spam more difficult to block.  

**Defenses **

**_Create Unique Passwords:_** People are terrible at creating and remembering good passwords. For the past several decades, even, the most popular unsafe password has been “123456”. Despite years of guidance from the security community that people should use a unique password for every website, many users will re-use the same credentials at several different sites. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim.  

**Use a password manager:** All those unique passwords you have been creating are going to be hard to remember. But avoid storing credentials in a browser. These can be stolen by attackers quite easily. A perfect tool exists for storing your passwords: a password manager. It is best to use a dedicated password manger such as KeePass, LastPass or 1Password. 

**Educate Users:** Unfortunately for defenders, there is very little we can do to defend against spam messages sent from legitimate forms. Most of the emails sent via forms are legitimate, so the malicious email blends in with the otherwise legitimate email traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate. Educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email.

Simple Mail Transfer Pirates:   How threat actors are abusing third-party infrastructure to send spam

Researchers have uncovered one of the first examples of threat actors using artificial intelligence chatbots for malware creation, in a phishing attack spreading the open source remote access Trojan.

Source: Irene R via Shutterstock

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It's one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the AsyncRAT, an easily accessible, commercial malware that can be used for controlling a victim's computer.

The researchers first noticed the behavior when investigating a suspicious email in June. It had "an unusual French email attachment" posing as an invoice, HP Wolf Security revealed in its "Threat Insights Report" (PDF) for this month. The researchers ultimately discovered a campaign that was using both scripting types — code that was not, as it usually is, obfuscated — to spread AsyncRAT.

"The scripts' structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," according to the report.

It's widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because legitimate chatbot tools have guardrails that prevent malicious use. However, security experts have known since the advent of the technology that it was only a matter of time before threat actors would find a way around those gates, and malicious chatbot development is a phenomenon on the Dark Web.

Related:Dark Reading Confidential: The CISO and the SEC

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone's inbox," according to the report.

**Investigating a Malicious Email Campaign**

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an HTML-smuggling attack; however, it didn't behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.

Related:How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys the AsyncRAT. "The VBScript writes various variables to the Windows Registry, which are reused later in the chain," according to the report.

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.

**Unpacking GenAI-Generated Scripts**

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.

"In fact, the attacker had left comments throughout the code, describing what each line does — even for simple functions," according to the report. "Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible."

Related:Cybersecurity Success Hinges on Full Organizational Support, New CompTIA Report Asserts

This behavior and the scripts' structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker used GenAI to develop the scripts, according to HP Wolf Security.

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

GenAI Writes Malicious Code to Spread AsyncRAT

Nation-state threat actors backed by Beijing broke into a "handful" of U.S. internet service providers (ISPs) as part of a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported Wednesday.
The activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.
"Investigators

Cyber Espionage / Hacking

Nation-state threat actors backed by Beijing broke into a "handful" of U.S. internet service providers (ISPs) as part of a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported Wednesday.

The activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.

"Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet," the publication was quoted as saying, citing people familiar with the matter.

The end goal of the attacks is to gain a persistent foothold within target networks, allowing the threat actors to harvest sensitive data or launch a damaging cyber attack.

GhostEmperor first came to light in October 2021, when Russian cybersecurity company Kasperksy detailed a long-standing evasive operation targeting Southeast Asian targets in order to deploy a rootkit named Demodex.

Targets of the campaign included high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition to outliers located in Egypt, Ethiopia, and Afghanistan.

As recently as July 2024, Sygnia revealed that an unnamed client was compromised by the threat actor in 2023 to infiltrate one of its business partner's networks.

"During the investigation, several servers, workstations, and users were found to be compromised by a threat actor who deployed various tools to communicate with a set of \[command-and-control\] servers," the company said. "One of these tools was identified as a variant of Demodex."

The development comes days after the U.S. government said it disrupted a 260,000-device botnet dubbed Raptor Train controlled by a different Beijing-linked hacking crew called Flax Typhoon.

It also represents the latest in a string of Chinese state-sponsored efforts to target telecom, ISPs, and other critical infrastructure sectors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive…

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response.

Dell has allegedly been hit with yet another data leak, marking the third such incident in a week. The threat actor, who goes by the alias “grep,” has claimed responsibility for the latest breach and continues to target the tech giant.

This time, the hacker has leaked approximately 500 MB of sensitive data, including internal documents, PDFs, images, internal device testing videos, and Multi-Factor Authentication (MFA) data, which if confirmed by Dell could further escalate concerns over the company’s data security.

According to information obtained by Hackread.com, the hacker shared details of the data leak, stating that Dell suffered a third breach that exposed internal files. The hacker revealed, “I knew Dell would fix their failure without confirming or denying my claims, for the same reason I had exfiltrated more data when I breached the internal employees, which was not leaked and waited for this exact moment.”

The leaked data includes access vectors and references to Chinese infrastructure, which, if not at a large scale, could still have some impact on the company’s operations.

The hacker on the breach forum boosted about the data leak and the leaked data was analysed by Hackread.com (Screenshot: Hackread.com)

**Leaked Data Includes Internal Tickets and Infrastructure Documents**

Among the leaked data is a CVS file titled “Ticket Summary – FY23,” which includes details of Dell’s internal ticketing system. Some of the entries shared in the leak include:

*   Incident reports on Agile access, VPN issues, proxy requirements for testing, and application migrations.
*   Ticket summaries that highlight VPN enhancements, DevOps software access requests, and network setups.

Additionally, the hacker shared a range of files and folders containing critical infrastructure information, such as:

*   “China Infra Compute.pdf”
*   “Global Project FY23.pdf” and “Global Project FY25.pdf”
*   “MFA Authentication – Cisco DUO.pdf”
*   Various project summaries and security-related documents.

The documents released by “grep” provide a snapshot of Dell’s internal operations and project infrastructure, revealing sensitive information that could pose security risks if exploited. Therefore, for security reasons; we are withholding specific details of the leaked files.

> 🚨Data Breach Update: Threat Actor Claims Third Breach of DELL
> 
> "Greg" is now claiming that DELL suffered a third data breach, this time compromising data such as "PDFs, images, videos, models, MFA data, along with their access vectors, including Chinese infrastructure."
> 
> In the… https://t.co/lTaOeC0IAL pic.twitter.com/8w3Fh9flo8
> 
> — HackManac (@H4ckManac) September 25, 2024

**Pattern of Breaches: A Coordinated Attack or Piecemeal Leaks?**

This third leak follows two previous data breaches conducted by the same hacker within a short time frame. **On September 19, 2024**, “grep” leaked data belonging to over 12,000 Dell employees, sparking an internal investigation. Just days later, **on September 22**, more sensitive internal files were released, allegedly compromised through Dell’s use of Atlassian tools.

In today’s data leak, the hacker clarified that all the data was stolen during a single breach, but he is strategically leaking it in parts. This statement eliminates speculation that Dell is facing repeated attacks, confirming instead that the data is being gradually released from one initial breach.

It is worth noting that Dell has yet to confirm the extent of the damage or whether the hacker gained access through a third-party vendor, as seen in other recent incidents. The hacker’s method aligns with his earlier attack, where he **leaked 12,000 Twilio records** from a compromised customer. Twilio confirmed to Hackread.com that it was a third-party breach, which resulted in the leak of only one Twilio customer’s data.

**Dell’s Response and Next Steps**

So far, Dell has not released a formal statement regarding today’s data leak. With three data leaks in just one week, concerns about Dell’s cybersecurity are growing. Hackread.com has reached out to Dell for comment, and this article will be updated as more information becomes available. Stay tuned!

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

**Multi Branch School Management System 3.5 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | b4c3fb3408f8d7a80baf2b5ec0b035520c60a8b287134c61abe01863834639ea

Download | Favorite | View

**Multi Branch School Management System 3.5 Backup Disclosure**

    =============================================================================================================================================| # Title     : Multi Branch School Management System 3.5 Backup Disclosure Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://school.ramomcoder.com/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /uploads/db_backup/[+] http://127.0.0.1/Multi/uploads/db_backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Multi Branch School Management System 3.5 Backup Disclosure

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | e760cf3c5b44d7d8984817fcf92204fd9912a026b5d02720406cc72f12ac70ed

Download | Favorite | View

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Complete Multi Hospital Management System 1.0 Backup Disclosure Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/free-download-complete-multi-hospital-management-system/                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /files/backups/[+] http://127.0.0.1/multihospital/files/backups/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Complete Multi Hospital Management System 1.0 Backup Disclosure

The advanced Python-based PysSilon malware can steal data, record keystrokes, and execute remote commands. The attackers behind it are promising to leak details of deleted X posts related to accused rapper and music producer Sean Combs.

Source: Photo 12 via Alamy Stock Photo

Threat actors are using the public's interest in a current scandal surrounding celebrity rapper Sean "Diddy" Combs to spread spyware, via files promising to reveal details of deleted posts related to Combs from the X social media platform.

Researchers have uncovered a version of the open source PySilon RAT, a remote access Trojan called "PdiddySploit" hiding in files posted online and then submitted to VirusTotal, according to analysis from Veriti Research published Sept. 24.

PySilon RAT is an advanced Python-based malware that can steal sensitive information, record keystrokes, capture screen activity, and execute remote commands, posing "serious threats to personal and organizational security," according to the post by Veriti.

Combs (aka P. Diddy), a rapper, record producer, and entrepreneur who has been in the public eye since the 1990s, is facing multiple charges of sexual assault and misconduct in New York, which has thrust him into the recent media spotlight. One area of acute public interest are controversial posts related to Combs and alleged illicit activity on X by fellow celebrities and musicians, such as Usher and Pink, as well as Combs himself that have since been deleted, according to Veriti.

"One of the most concerning aspects of this trend is the use of files related to Combs' social media activity, particularly from X.com," according to the post.

Related:Security Concerns Plague Emerging Chip Architecture

Specifically, the researchers uncovered files containing posts and replies from Combs' now-deleted account on VirusTotal, where they were uploaded by a user named @lamps\_apple. "These files are part of an automated process of 'collecting posts and replies,' but they pose a high risk because they can be easily armed with malicious payloads," according to Veriti.

**Taking Advantage of Current Events**

The activity demonstrates how attackers are quick to take advantage of current events or media stories of interest to the public to spread malware by weaponizing content related to them. One clear example of this activity was during the COVID-19 pandemic, when multiple phishing and other malicious campaigns leveraged public interest in the virus and other health-related topics to spread malware.

"Given the intense media coverage surrounding P. Diddy and other public figures, attackers are using these files to lure curious users into downloading them, only to be infected with malware," according to Veriti. "The fact that P. Diddy and others have deleted their social media content adds an additional layer of intrigue, tempting users to open these files to see what was deleted."

Related:How to Establish & Enhance Endpoint Security

PsySilon RAT — discovered in 2022 — also has seen a surge in recent use by multiple threat actors, with more than 300 samples reported on VirusTotal since June 2023, according to Cyble Research and Intelligence Labs (CRIL). Attackers use the malware to infiltrate systems, steal information, and even control devices remotely, according to Veriti.

PsySilon RAT is currently in version 3.6 and has been detected in numerous samples that imitate software, tools, and cracks, which likely originate from phishing websites, free software-downloading websites, and the like, according to Cyble.

Given the discovery of the RAT lurking behind the cover of PdiddySploit, it's likely that as the related scandal continues to attract attention, even more attackers will "leverage this malware to exploit public interest," according to Veriti.

**Don't Let Curiosity Cloud Safe Judgment**

It's perfectly natural for people to take an interest in trending topics and celebrity scandals, the researchers noted. However, that doesn't mean people should throw caution to the wind when interacting with any related files or content online.

"Curiosity can be dangerous," Veriti researchers warned, especially as attackers are well-versed in social engineering and "are always looking for ways to exploit human nature."

Related:RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

To avoid falling prey to attackers aiming to capitalize on this and other news of public interest, Veriti advised that people avoid downloading suspicious files, especially if they encounter files claiming to contain deleted posts or exclusive content related to a celebrity scandal. They should always verify the source of these or any files before downloading something from the Internet, the researchers noted.

People also should be wary of email attachments because phishing emails remain a primary way that attackers spread malware. "If you receive an email with attachments related to the P. Diddy scandal, think twice before opening it," according to Veriti. Using up-to-date antivirus software and other protections to secure email accounts also effectively can delete malware or malicious files before they even reach someone's inbox.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sophisticated RAT Hides Behind P. Diddy Scandal Lures

Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.

Wednesday, September 25, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. 

One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. 

Additionally, Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Microsoft High-Definition Audio Bus Driver denial-of-service vulnerability **

_Discovered by Marcin “Icewall” Noga._ 

TALOS-2024-2008 (CVE-2024-45383) is a vulnerability in the Microsoft HD Audio Bus Driver that could allow an attacker to cause a denial of service. 

The driver allows the Windows operating system to communicate with external audio devices that play sound, including those that are integrated into machines’ motherboards or connected via HD audio interfaces.  

A mishandling of IRP requests in the driver’s interface could allow an attacker to send multiple IRP Complete requests to the driver, causing the DoS and forcing the operating system into the “Blue Screen of Death.” 

**Stale memory dereference in Microsoft Pragmatic General Multicast Server **

_Discovered by a Cisco Talos researcher._ 

A memory corruption vulnerability exists in the Pragmatic General Multicast server in the Microsoft Windows 10 Kernel.  

The Pragmatic General Multicast protocol is an IP-based multicasting protocol that is implemented by Microsoft as part of the Message Queueing service available in different versions of Windows. 

A specially crafted network packet can lead to the access of stale memory structure, resulting in memory corruption. An attacker can send a sequence of malicious packets to trigger TALOS-2024-2062 (CVE-2024-38140). 

Talos independently discovered this issue and reported it to Microsoft prior to their patch release earlier this year. However, Microsoft informed us that an internal researcher had already discovered this issue. 

**Three vulnerabilities in OpenPLC **

_Discovered by Jared Rittle_.

Talos recently discovered three vulnerabilities in OpenPLC, an open-source programmable logic controller designed to provide a low-cost option for automation in many manufacturing and logistics settings. 

Two of the issues — TALOS-2024-2004 (CVE-2024-36980, CVE-2024-36981) and TALOS-2024-2016 (CVE-2024-39589, CVE-2024-39590) — can lead to a denial-of-service on the targeted device. An adversary could exploit these vulnerabilities by sending a series of specially crafted Ethernet/IP requests. 

Another stack-based buffer overflow vulnerability, TALOS-2024-2005 (CVE-2024-34026), can also be exploited in this way. However, in this case, it could lead to remote code execution.

Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC

Reservation Management System version 1.0 suffers from a backup disclosure vulnerability.

**Reservation Management System 1.0 Backup Disclosure**

Posted Sep 24, 2024

Authored by indoushka

Reservation Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | 3fdb31b63dd3dffcc359c8fe22cdbfc2692c268e17a6a1cc41302fd995ff1353

Download | Favorite | View

**Reservation Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Reservation Management System 1.0 Backup Disclosure Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /admin/backup/[+] http://127.0.0.1/reservation/admin/backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,935)
*   Arbitrary (17,095)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,287)
*   Encryption (2,395)
*   Exploit (54,293)
*   File Inclusion (4,275)
*   File Upload (1,018)
*   Firewall (822)
*   Info Disclosure (2,920)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,303)
*   Local (14,856)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,277)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,900)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,120)
*   Web (10,141)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,303)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,591)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,312)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,885)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,861)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Reservation Management System 1.0 Backup Disclosure

The latest version of the evolving threat is a multistage attack demonstrating a move away from ransomware to purely espionage activities, typically targeting Ukraine and its supporters.

Source: Peter Treanor via Alamy Stock Photo

The RomCom cyber-espionage malware that rampaged through the Ukraine military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim's system in a multistage attack.

The variant, called SnipBot by researchers at Palo Alto's Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed in analysis published this week. The malware is based on RomCom 3.0., but it also shares techniques already seen in RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family.

Earlier attacks of the actor behind RomCom — which also targeted supporters of Ukraine — often included ransomware payloads in addition to cyber-espionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to exclusively focusing on intelligence-gathering, according to the post.

Even so, "the attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture," Unit 42's Yaron Samuel and Dominik Reichel wrote in the analysis.

Related:Dark Reading News Desk Live From Black Hat USA 2024

**Email Kicks Off Initial RomCom Attack**

SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes "a basic set of features that allows the attacker to run commands on a victim's system and download additional modules," the researchers wrote.

The PDF file shows distorted text that states a font is missing that's needed to show it correctly.

"If the victim clicks on the contained link that’s purported to download and install the font package, they will instead download the SnipBot downloader," the researchers wrote.

The malware itself is composed of several stages, with the executable file followed by remaining payloads that are either further executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.

"We don’t know how the threat actors obtain these certificates, but it's likely they steal them or gain them by fraud," they observed, adding that subsequent modules of the initial SnipBot malware were not signed.

**SnipBot's Infection Vector**

Related:Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware's code is split up into multiple unordered blocks that are triggered by custom window messages.

The downloader also uses "two simple yet effective" anti-sandbox tricks, the researchers wrote. "The first one checks for the original file name by comparing the hashed process name against a hard-coded value," while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry, "which is usually the case on a regular user’s system but less likely to be the case in a sandbox system," they wrote.

Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file, and then subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim’s system, as well as the ability download and execute additional payloads from C2.

Unit 42 also witnessed post-infection activity aiming to gather information about the company's internal network as well as attempts to exfiltrate a list of different files from the victim’s documents, downloads, and OneDrive folders to an external, attacker-controlled server.

Related:Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

**RomCom Remains an Active Threat**

The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyber espionage.

As SnipBot demonstrates an evolution in threat capabilities with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed "the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats," the researchers noted in their analysis.

Given the RomCom threat actor's interest in cyber espionage against Ukraine and its supporters, the Computer Emergency Response Team of Ukraine (CERT-UA) also has published information about the threat group and how it operates.

"This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine," the agency warned.

CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco