Archive, check and export commands in Chef InSpec
prior to 4.56.58 and 5.22.29 allow local command execution via maliciously
crafted profile.





CVE-2023-42658: InSpec CLI

In TOTOLINK A3300R V17.0.0cu.557_B20221024 when dealing with setLedCfg request, there is no verification for the enable parameter, which can lead to command injection.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46993: vul_report/TOTOLINK A3300R-Command Injection/readme.md at main · AuroraHaaash/vul_report

TOTOLINK A3300R V17.0.0cu.557_B20221024 is vulnerable to Incorrect Access Control. Attackers are able to reset serveral critical passwords without authentication by visiting specific pages.

CVE-2023-46992: vul_report/TOTOLINK A3300R/readme.md at main · AuroraHaaash/vul_report

The C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe file is automatically launched as SYSTEM when the system reboots. Since the C:\Windows\Temp\Agent.Package.Availability folder inherits permissions from C:\Windows\Temp and Agent.Package.Availability.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.


CVE-2023-37243: Vulnerability-Disclosures/2023/MNDT-2023-0010.md at master · mandiant/Vulnerability-Disclosures

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.
"Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.

"Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices and deploy additional executables," Cisco Talos said in a Tuesday report.

Active since at least 2017, Arid Viper is a cyber espionage that's aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there is no evidence connecting the campaign to the ongoing Israel-Hamas war.

The activity is believed to have commenced no earlier than April 2022.

Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are either linked to the latter's developer or managed to copy its features in an attempt at deception.

The use of seemingly-benign chat applications to deliver malware is "in line with the 'honey trap' tactics used by Arid Viper in the past," which has resorted to leveraging fake profiles on social media platforms to trick potential targets into installing them.

Cisco Talos said it also identified an extended web of companies that create dating-themed applications that are similar or identical to Skipped and can be downloaded from the official app stores for Android and iOS.

*   VIVIO - Chat, flirt & Dating (Available on Apple App Store)
*   Meeted (previously Joostly) - Flirt, Chat & Dating (Available on Apple App Store)
*   SKIPPED - Chat, Match & Dating (50,000 downloads on Google Play Store)
*   Joostly - Dating App! Singles (10,000 downloads on Google Play)

The array of simulated dating applications has raised the possibility that "Arid Viper operators may seek to leverage these additional applications in future malicious campaigns," the company noted.

The malware, once installed, hides itself on a victim machine by turning off system or security notifications from the operating system and also disables notifications on Samsung mobile devices and on any Android phone with the APK package name containing the word "security" to fly under the radar.

It's also designed to request for intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.

Among other noteworthy features of the implant includes the ability to retrieve system information, get an updated command-and-control (C2) domain from the current C2 server, as well as download additional malware, which is camouflaged as legitimate apps like Facebook Messenger, Instagram, and WhatsApp.

The development comes as Recorded Future revealed signs possibly connecting Arid Viper to Hamas through infrastructure overlaps related to an Android application named Al Qassam that's been disseminated in a Telegram Channel claiming affiliation to Izz ad-Din al-Qassam Brigades, the military wing of Hamas.

"They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups," the company said. "One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App

TOTOLINK X6000R V9.4.0cu.852_B20230719 is vulnerable to Incorrect Access Control.Attackers can reset login password & WIFI passwords without authentication.

CVE-2023-46978: vuln-reports/TOTOLINK X6000R/1/README.md at master · shinypolaris/vuln-reports

TOTOLINK X6000R V9.4.0cu.852_B20230719 was discovered to contain a command injection vulnerability via the enable parameter in the setLedCfg function.

CVE-2023-46979: vuln-reports/TOTOLINK X6000R/2/README.md at master · shinypolaris/vuln-reports

TOTOLINK LR1200GB V9.1.0u.6619_B20230130 was discovered to contain a stack overflow via the password parameter in the function loginAuth.

CVE-2023-46977: vuln-reports/TOTOLINK LR1200GB/1/README.md at master · shinypolaris/vuln-reports

TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.

CVE-2023-46976: vuln-reports/TOTOLINK A3300R/1/README.md at master · shinypolaris/vuln-reports

The top-level domain for the United States -- .US -- is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.

The top-level domain for the United States — **.US** — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.

Researchers at **Infoblox** say they’ve been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors. Infoblox found the domains involved are typically three to seven characters long, and hosted on bulletproof hosting providers that charge a premium to ignore any abuse or legal complaints. The short domains don’t host any content themselves, but are used to obfuscate the real address of landing pages that try to phish users or install malware.

A graphic describing the operations of a malicious link shortening service that Infoblox has dubbed “Prolific Puma.”

Infoblox says it’s unclear how the phishing and malware landing pages tied to this service are being initially promoted, although they suspect it is mainly through scams targeting people on their phones via SMS. A new report says the company mapped the contours of this link shortening service thanks in part to pseudo-random patterns in the short domains, which all appear on the surface to be a meaningless jumble of letters and numbers.

“This came to our attention because we have systems that detect registrations that use domain name generation algorithms,” said **Renee Burton**, head of threat intelligence at Infoblox. “We have not found any legitimate content served through their shorteners.”

Infoblox determined that until May 2023, domains ending in .info accounted for the bulk of new registrations tied to the malicious link shortening service, which Infoblox has dubbed “**Prolific Puma**.” Since then, they found that whoever is responsible for running the service has used .US for approximately 55 percent of the total domains created, with several dozen new malicious .US domains registered daily.

.US is overseen by the **National Telecommunications and Information Administration** (NTIA), an executive branch agency of the **U.S. Department of Commerce**. But Uncle Sam has long outsourced the management of .US to various private companies, which have gradually allowed the United States’s top-level domain to devolve into a cesspool of phishing activity.

Or so concludes **The Interisle Consulting Group**, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content.

Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and identified approximately 30,000 .US phishing domains. Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Others were used to impersonate or attack U.S. government agencies.

Under NTIA regulations, domain registrars processing .US domain registrations must take certain steps (PDF) to verify that those customers actually reside in the United States, or else own organizations based in the U.S. However, if one registers a .US domain through GoDaddy — the largest domain registrar and the current administrator of the .US contract — the way one “proves” their U.S. nexus is simply by choosing from one of three pre-selected affirmative responses.

In an age when most domain registrars are automatically redacting customer information from publicly accessible registration records to avoid running afoul of European privacy laws, .US has remained something of an outlier because its charter specifies that all registration records be made public. However, Infoblox said it found more than 2,000 malicious link shortener domains ending in .US registered since October 2023 through **NameSilo** that have somehow subverted the transparency requirements for the usTLD and converted to private registrations.

“Through our own experience with NameSilo, it is not possible to select private registration for domains in the usTLD through their interface,” Infoblox wrote. “And yet, it was done. Of the total domains with private records, over 99% were registered with NameSilo. At this time, we are not able to explain this behavior.”

NameSilo CEO **Kristaps Ronka** said the company actively responds to reports about abusive domains, but that it hasn’t seen any abuse reports related to Infoblox’s findings.

“We take down hundreds to thousands of domains, lots of them proactively to combat abuse,” Ronka said. “Our current abuse rate on abuseIQ for example is currently at 0%. AbuseIQ receives reports from countless sources and we are yet to see these ‘Puma’ abuse reports.”

Experts who track domains associated with malware and phishing say even phony information supplied at registration is useful in identifying potentially malicious or phishous domains before they can be used for abuse.

For example, when it was registered through NameSilo in July 2023, the domain **1ox\[.\]us** — like thousands of others — listed its registrant as “**Leila Puma**” at a street address in Poland, and the email address **blackpumaoct33@ukr.net**. But according to **DomainTools.com**, on Oct. 1, 2023 those records were redacted and hidden by NameSilo.

Infoblox notes that the username portion of the email address appears to be a reference to the song October 33 by the Black Pumas, an Austin, Texas based psychedelic soul band. The Black Pumas aren’t exactly a household name, but they did recently have a popular Youtube video that featured a cover of the Kinks song “Strangers,” which included an emotional visual narrative about Ukrainians seeking refuge from the Russian invasion, titled “Ukraine Strangers.” Also, Leila Puma’s email address is at a Ukrainian email provider.

DomainTools shows that hundreds of other malicious domains tied to Prolific Puma previously were registered through **NameCheap** to a “Josef Bakhovsky” at a different street address in Poland. According to ancestry.com, the anglicized version of this surname — Bakovski — is the traditional name for someone from Bakowce, which is now known as Bakivtsi and is in Ukraine.

This possible Polish and/or Ukrainian connection may or may not tell us something about the “who” behind this link shortening service, but those details are useful for identifying and grouping these malicious short domains. However, even this meager visibility into .US registration data is now under threat.

The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity.

Infoblox’s Burton says Prolific Puma is remarkable because they’ve been able to facilitate malicious activities for years while going largely unnoticed by the security industry.

“This exposes how persistent the criminal economy can be at a supply chain level,” Burton said. “We’re always looking at the end malware or phishing page, but what we’re finding here is that there’s this middle layer of DNS threat actors persisting for years without notice.”

Infoblox’s full report on Prolific Puma is here.

Tag

#git