Tag Archives: HumanVM

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Leave a reply

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege – Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass – Windows Mark of the Web “LNK Stomping” (CVE-2024-38217)
🔻 03:50 Spoofing – Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution – VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting – Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

Attack on the complainer

Leave a reply

Attack on the complainer

Attack on the complainer. Let’s say you ordered a product or service from some organization (marketplace, online store, service center – it doesn’t matter) and something went wrong. It’s quite natural to find the official community of this organization on a social network and write a complaint. Communication with the support team is good, but with some public stimulation it’s even better, right? 😉

Only since the complaint is public, it can be read not only by the organization’s employees, but also by attackers. 🤷‍♂️ They can write to you in a private message, posing as a representative of the organization, and promise to resolve all issues.

You just need to
🔻 go to the website (a phishing one 🪝)
🔻 fill out the form (with personal and card data 💳)
🔻 enter SMS code (2FA from Government Services website 🛂)
🔻 download and run the “helper application” (malware 👾)

There can be many attack scenarios. And there is only one way to resist them – vigilance.

На русском

Fake reCAPTCHA

Leave a reply

Fake reCAPTCHA

Fake reCAPTCHA. Probably the most interesting example of exploitation of human vulnerability in the last month. This trick works for two reasons:

🔹 Various captcha services have taught people to do the strangest things: click on pictures with certain content, retype words, solve some puzzles. Many people do not even think when they see another window “prove that you are not a robot” and just do what they are asked. 🤷‍♂️

🔹 Websites have the ability to write arbitrary text to the site visitor’s clipboard. 😏

Fake captcha asks the user to launch the Run window in Windows (Win + R), then paste a malicious command from the clipboard into this window (Ctrl + V) and run the command (Enter). Very primitive, but it works! 🤩 This is how attackers trick victims into running malicious PowerShell scripts and HTA applications. 👾

John Hammond recreated the code of such a “captcha”. You can use it in anti-phishing training.

На русском