CentOS Web Panel v0.9.8.12 – Non-Persistent Cross Site Scripting Vulnerabilities

Posted by Vulnerability Lab on Jan 19

Document Title:
===============
CentOS Web Panel v0.9.8.12 – Non-Persistent Cross Site Scripting Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1835

Release Date:
=============
2018-01-17

Vulnerability Laboratory ID (VL-ID):
====================================
1835

Common Vulnerability Scoring System:
====================================
3.3

Vulnerability Class:…


Shopware 5.2.5 & v5.3 – Multiple Cross Site Scripting Web Vulnerabilities

Posted by Vulnerability Lab on Jan 19

Document Title:
===============
Shopware 5.2.5 & v5.3 – Multiple Cross Site Scripting Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1922

Shopware Security Tracking ID: SW-19834

Security Update:
http://community.shopware.com/Downloads_cat_448.html#5.3.4
http://community.shopware.com/_detail_2035.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15374

CVE-ID:…


CentOS Web Panel v0.9.8.12 – Multiple Persistent Web Vulnerabilities

Posted by Vulnerability Lab on Jan 19

Document Title:
===============
CentOS Web Panel v0.9.8.12 – Multiple Persistent Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1836

Release Date:
=============
2018-01-19

Vulnerability Laboratory ID (VL-ID):
====================================
1836

Common Vulnerability Scoring System:
====================================
4.4

Vulnerability Class:
====================
Cross…


Photo Vault v1.2 iOS – Insecure Authentication Vulnerability

Posted by Vulnerability Lab on Jan 19

Document Title:
===============
Photo Vault v1.2 iOS – Insecure Authentication Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2110

Release Date:
=============
2018-01-16

Vulnerability Laboratory ID (VL-ID):
====================================
2110

Common Vulnerability Scoring System:
====================================
4.8

Vulnerability Class:
====================
Insecure…


OnePlus confirms up to 40,000 customers affected by Credit Card Breach


OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company’s official website.

In a statement released today, the Chinese smartphone manufacturer admitted that credit card information belonging to up to 40,000 customers was stolen by an unknown attacker between mid-November 2017 and January 11, 2018.
</gg_replace>
<gr_replace lines="123" cat="clarify" orig="The malicious script was able">
The malicious script was able to capture full credit card information, including card numbers, expiry dates, and security codes, directly from a customer's browser window.

According to the company, the attacker targeted one of its systems and injected a malicious script into the payment page code in an effort to sniff out credit card information while it was being entered by the users on the site for making payments.

The malicious script was able to capture full credit card information, including their card numbers, expiry dates, and security codes, directly from a customer’s browser window.

“The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated,” OnePlus said on its official forum. “We have quarantined the infected server and reinforced all relevant system structures.”

However, the company believes users who shopped on its website using their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the breach.

OnePlus is still investigating the incident and has committed to conducting an in-depth security audit to identify how the attackers managed to inject the malicious script into its servers.

Meanwhile, credit card payments will remain disabled on the OnePlus.net store until the investigation is complete as a precaution, though users can make purchases through PayPal.

“We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” OnePlus says.

OnePlus is notifying all possibly affected customers via email and advises them to keep a close eye on their bank account statements for any fraudulent charges, or to look into cancelling their payment card.

The company is also looking into offering a free one-year subscription to a credit monitoring service to all affected customers.

WordPress MediaElement Cross Site Scripting Vulnerability

Vulnerable (WordPress versions, listed once each in ascending order):

3.7, 3.7.1, 3.7.4, 3.7.5, 3.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9, 3.9.1, 3.9.2, 3.9.3, 4.0, 4.0.1, 4.1, 4.1.1, 4.1.2, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3, 4.3.1, 4.4, 4.4.1, 4.4.2, 4.5, 4.5.1, 4.5.2, 4.5.3, 4.6, 4.6.1, 4.7, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.1, 4.8.2, 4.8.3, 4.9, 4.9.1

Researchers Uncover Government-Sponsored Mobile Hacking Group Operating Since 2012


A global mobile espionage campaign collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself—thanks to an exposed server on the open internet.

It’s one of the first known examples of a successful large-scale hacking operation of mobile phones rather than computers.

The advanced persistent threat (APT) group, dubbed Dark Caracal, is reported to have stolen hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.

After the group mistakenly exposed some of its files on the internet, researchers traced it back to a building in Beirut owned by the Lebanese General Directorate of General Security (GDGS), one of the country’s intelligence agencies.

“Based on the available evidence, it’s likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” the report reads.

According to the 51-page-long report [PDF], the APT group targeted “entities that a nation-state might attack,” including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous other fields.


Researchers also identified at least four different personas associated with Dark Caracal’s infrastructure, namely Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour, with the help of the email address op13@mail[.]com.

“The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy in the WHOIS information, we discovered the same number listed in exfiltrated content and being used by an individual with the name Hassan Ward.”


“During July 2017, Dark Caracal’s internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several other domains listed under the same WHOIS email address information, running similar server components.”

Multi-Platform Cyber Espionage Campaign


Dark Caracal has been conducting multi-platform cyber-espionage campaigns and has been linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP-based IOCs.

Since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries across North America, Europe, the Middle East and Asia.

The data stolen by Dark Caracal from its targets includes documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data: essentially everything the APT group needs to identify a person and get an intimate look at his or her life.

To get its job done, Dark Caracal did not rely on any “zero-day exploits,” nor did it have to get the malware into the Google Play Store. Instead, the group used basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the attackers and to grant the downloaded apps the permissions they requested.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin.

This research shows that it is not difficult to build a capability that lets individuals and governments spy on targets around the world.

Here’s How Dark Caracal Group Infects Android Users


Once tricked into landing on the malicious websites, the victims were served fake updates for secure messenger apps, including WhatsApp, Signal, Threema, Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, onto the targets’ mobile devices.

Pallas is a piece of surveillance malware that’s capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims’ devices.

“Pallas samples primarily rely on the permissions granted at the installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates,” the report says.

“Theoretically, this means it’s possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access.”

Besides its own custom malware, Dark Caracal also used FinFisher, a highly secretive surveillance tool that is often marketed to law enforcement and government agencies, and a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X operating systems.

“Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware,” the report says.

According to the researchers, although Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were found linked to one of its servers that was left open for analysis, revealing that 48 GB of data had been stolen from around 500 Android phones.

Overall, Dark Caracal successfully stole more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PINs were also stolen.

The best way to protect yourself from such Android-based malware attacks is to always download applications from the official Google Play Store rather than from any third-party website, and to be wary of app “updates” offered by websites rather than by the store.
