Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in over four million websites.

Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to impacted sites.

To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.

Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody runs a vulnerable version.

2FA leading to weaker security

The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence's researcher István Márton on November 6, 2024.

It is caused by improper handling of user authentication in the plugin's two-factor REST API actions, enabling unauthorized access to any user account, including administrators.

Specifically, the problem lies in the 'check_login_and_get_user()' function that verifies user identities by checking the 'user_id' and 'login_nonce' parameters.

When 'login_nonce' is invalid, the request isn't rejected, as it should, but instead invokes 'authenticate_and_redirect(),' which authenticates the user based on the 'user_id' alone, effectively allowing authentication bypass.

The flaw is exploitable when two-factor authentication (2FA) is enabled, and even though it's disabled by default, many administrators will allow it for stronger account security.

CVE-2024-10924 impacts plugin versions from 9.0.0 and up to 9.1.1.1 of the "free," "Pro," and "Pro Multisite" releases.

The developer addressed the flaw by ensuring that the code now correctly handles 'login_nonce' verification fails, exiting the 'check_login_and_get_user()' function immediately.

The fixes were applied to version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.

The vendor coordinated with WordPress.org to perform force security updates on users of the plugin, but website administrators still need to check and ensure they're running the latest version (9.1.2).

Users of the Pro version have their auto-updates disabled when the license expires, so they must manually update 9.1.2.

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

"T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," T-Mobile told the Wall Street Journal, which first reported about the breach.

"We will continue to monitor this closely, working with industry peers and the relevant authorities."

T-Mobile shared a similar statement with BleepingComputer, stating it has found no evidence of any customer data being accessed or exfiltrated.

"Due to our security controls, network structure and diligent monitoring and response we have seen no significant impacts to T-Mobile systems or data," T-Mobile told BleepingComputer after the publishing of this story.

"We have no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced."

Last month, The Wall Street Journal reported that Chinese state-sponsored threat actors known as Salt Typhoon had breached multiple U.S. telecommunication companies, including AT&T, Verizon, and Lumen.

Salt Typhoon (aka Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) is a sophisticated Chinese state-sponsored hacking group active since at least 2019 and typically focuses on breaching government entities and telecommunications companies in Southeast Asia.

WSJ reports that the hacking campaign allowed the threat actors to target the cellphone lines of senior U.S. national security and policy officials across the U.S. government to steal call logs, text messages, and some audio.

In a joint statement from the FBI and CISA earlier this week, the U.S. government confirmed that the threat actors stole call data, communications from targeted people, and information about law enforcement requests submitted to telecommunication companies.

"Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,," reads the joint statement.

"We expect our understanding of these compromises to grow as the investigation continues."

These attacks were reportedly conducted through vulnerabilities in Cisco routers responsible for routing internet traffic. However, Cisco previously stated there were no indications that their equipment was breached during these attacks.

This breach is the ninth T-Mobile suffered since 2019, with the other incidents being:

• In 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers.
• In March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial information.
• In December 2020, threat actors accessed customer proprietary network information (phone numbers, call records).
• In February 2021, an internal T-Mobile application was accessed by unknown attackers without authorization.
• In August 2021, hackers brute-forced their way through the carrier's network following a breach of a T-Mobile testing environment.
• In April 2022, the Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.
• In January 2023, T-Mobile confirmed attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022.
• In May 2023, T-Mobile disclosed a breach impacting only 836 customers, but that exposed sensitive information.

Update 11/16/24: Added statement from T-Mobile.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Developed by Virgin Media O2, 'Daisy' is an AI-generated tool that has the voice of a grandmother. Its purpose is to engage fraudsters in conversation, wasting their time as much as possible. O2 notes,

O2 has today unveiled the newest member of its fraud prevention team, ‘Daisy’. As ‘Head of Scammer Relations’, this state-of-the-art AI Granny’s mission is to talk with fraudsters and waste as much of their time as possible with human-like rambling chat to keep them away from real people, while highlighting the need for consumers to stay vigilant as the UK faces a fraud epidemic.

Daisy can keep talking to a scammer for up to 40 minutes at a time. It keeps the scammers engaged by talking about her passion for knitting and providing fraudsters with fake details such as fabricated bank details, addresses, etc.

The AI-generated tool is developed using a custom-trained large language model with the help of one of YouTube's best scam baiters, Jim Browning. Daisy is trained to respond to any questions from the scammers without needing any input from her creators. It listens to the caller, transcribes the text, sends it to LLM, and sends the generated response using text-to-speech.

Murray Mackenzie, Director of Fraud at Virgin Media O2, said, "We’re committed to playing our part in stopping the scammers, investing in everything from firewall technology to block out scam texts to AI-powered spam call detection to keep our customers safe." He further recommended that anyone in the UK worried about fraud can forward any call or messages they suspect from being a scammer to 7726 for free so that it can be investigated.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

As Gen Digital security researchers who first spotted it while investigating a recent phishing campaign said, this information-stealing malware is "relatively simple and contains minimal obfuscation or protection mechanisms," indicating that it's very likely in its early development stages.

During their attacks, the threat actors used social engineering tactics similar to those used in the ClickFix infection chain, where potential victims get tricked into installing malware using fake error windows displayed within HTML files attached to the phishing emails.

The Glove Stealer .NET malware can extract and exfiltrate cookies from Firefox and Chromium-based browsers (e.g., Chrome, Edge, Brave, Yandex, Opera).

It's also capable of stealing cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, password data from Bitwarden, LastPass, and KeePass, as well as emails from mail clients like Thunderbird.

"Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications," said malware researcher Jan Rubín.

"These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others."

Basic App-Bound encryption bypass capabilities

To steal credentials from Chromium web browsers, Glove Stealer bypasses Google's App-Bound encryption cookie-theft defenses, which were introduced by Chrome 127 in July.

To do that, it follows the method described by security researcher Alexander Hagenah last month, using a supporting module that uses Chrome's own COM-based IElevator Windows service (running with SYSTEM privileges) to decrypt and retrieve App-Bound encrypted keys.

It's important to note that the malware first needs to get local admin privileges on the compromised systems to place this module in Google Chrome's Program Files directory and use it to retrieve encrypted keys.

However, although impressive on paper, this still points to Glove Stealer being in early development since it's a basic method that most other info stealers have already surpassed to steal cookies from all Google Chrome versions, as researcher g0njxa told BleepingComputer in October.

Malware analyst Russian Panda previously said to BleepingComputer that Hagenah's method looks similar to early bypass approaches other malware took after Google first implemented Chrome App-Bound encryption.

Multiple infostealer malware operations are now capable of bypassing the new security feature to allow their "customers" to steal and decrypt Google Chrome cookies.

"This code [xaitax's] requires admin privileges, which shows that we've successfully elevated the amount of access required to successfully pull off this type of attack," Google told BleepingComputer last month.

Unfortunately, even though admin privileges are required to bypass App-Bound encryption, this has yet to put a noticeable dent in the number of ongoing information-stealing malware campaigns.

Attacks have only increased since July when Google first implemented App-Bound encryption, targeting potential victims via vulnerable drivers, zero-day vulnerabilities, malvertising, spearphishing, StackOverflow answers, and fake fixes to GitHub issues.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

“From ordering the kit, to receiving your results online, your personal data is kept protected during each stage,” Atlas Biomed claimed on the now-defunct website.

“User Data are securely stored on certified servers located within the European Union. SHA-256 with RSA Encryption. Full UK GDPR and EU GDPR compliance. Registered with the Information Commissioner's Office.”

The clients can no longer access their accounts or retrieve reports, and the firm itself appears to have ‘vanished.’

“I have a history of 16 tests I can't now access, hundreds of pounds invested, but the data wasn't downloadable, so relying on the website,” a Facebook user commented on the company’s post nine months ago.

Other customers reported paying for subscriptions or tests without receiving services. Soma labeled the company a scam. Atlas Biomed hasn’t posted anything on any of its social media accounts for more than a year now.

The BBC was the first to report the mystery surrounding the DNA-testing firm. The company has not responded to the BBC’s request for comment, but the Information Commissioner’s Office has received complaints about it. The firm’s financial accounts are now overdue, but it is still listed as active with the UK’s Companies House.

Cybernews attempted to reach out to the CEO, Sergei Musienko, to no avail.

The most sensitive information in limbo

The firm’s clients now have no clue what happened to their personal information.

Atlas Biomed collected a vast trove of sensitive data, including phone numbers, emails, addresses, cookies and website usage, health and lifestyle information, and biological samples. It also derived genetic data and interpretation results.

“These include health, nutrition, sports, ancestry, and personal traits data which are derived from interpretation of your health and lifestyle information and raw data and which we display to you in your personal account,” the privacy policy reads.

Malwarebytes Labs found no evidence that any of the data has been misused but noted that “it is worrying to not know who now has access to the data, especially now that the investigation shows that there might be ties to Russia.”

Four out of eight company officers have resigned, and the two remaining are listed at the same address in Moscow. The address is linked to a Russian billionaire who previously resigned as director.

“DNA testing has become so commonplace that many people have blindly participated without truly understanding the implications. It has always been a problem to figure out who you could trust with your genetic data. For some people, it’s their cheapest chance of finding out whether they are affected by some genetic disorder,” Malwarebytes Labs said.

This mystery adds to the uncertainty surrounding genetic data security. In 2018, an incident at MyHeritage exposed 92 million users’ emails and hashed passwords. In 2020, the investment firm Blackstone's acquisition of Ancestry raised concerns about the potential commercialization and data transfers.

Last year started the ongoing saga surrounding 23andMe, which experienced a data breach affecting about 6.9 million users. This week, 23andMe announced major layoffs and financial struggles.

The security firm recommends researching the genetic companies you want to trust with your most sensitive data before submitting biological samples. Lying is also an option.

“Only share the personal information you absolutely have to provide with the genetic testing company. Lie if you must and create a separate free email account so the information can’t be tied to your main account,” Malwarebytes said.

There are worries that DNA testing, while offering valuable personal discoveries, also creates permanent digital records that can be misused for insurance discrimination, targeted marketing, such as Alzheimer’s or cancer preventative nutrition, racial profiling by police officers or employers, identity theft, and others.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Threads is one of the alternatives to X, but the platform hasn't been able to gain as much limelight as X. It is expected that the upcoming change could shift the vibe a bit. There are plenty of companies that use Threads to promote their businesses. However, one thing that is still missing from Threads is sponsored content, a staple on X and other platforms.

Reportedly, Threads is expected to start showing ads as soon as January 2025, though with a different approach. Initially, Threads will work with a limited group of advertisers and, based on that experience, will tailor its approach to broaden its advertiser base.

Back in October, Instagram head Adam Mosseri, also confirmed that Meta is planning to bring ads to Threads. He said, "I get why people have concerns, but at the end of the day we're a business and Threads needs to make enough money to pay for the people and servers that it takes to run the service and provide it to people for free."

The introduction of ads on Threads will require a bit of adjusting for regular users, but it shouldn't be a big concern, because other social media platforms have included ads for years. Meta's other properties, such as Facebook and Instagram, are no strangers to ads, and the company may want to bring Threads to the same dais.

For now, you can enjoy Threads without ads. But do share your thoughts are ads simply ruining the communication experience or are they a part of the modern social media landscape?

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.

According to Bitdefender's analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.

The researchers note that ShrinkLocker's operators seem to be low-skilled, using redundant code and typos, leaving behind reconnaissance logs in the form of text files, and rely on readily available tools.

However, the threat actor has had successful attacks on corporate targets.

In a report today, Bitdefender highlights a ShrinkLocker attack against a healthcare organization where attackers encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups.

The encryption process finished in 2.5 hours and the organization lost access to critical systems, potentially facing difficulties in providing patient care.

Bitdefender is releasing a free decryption tool that can help ShrinkLocker victims recover their files.

ShrinkLocker attacks

Instead of using custom encryption implementations like traditional ransomware, ShrinkLocker uses Windows BitLocker with a randomly generated password that is sent to the attacker.

The malware first runs a Windows Management Instrumentation (WMI) query to checks if BitLocker is available on the target system, and installs the tool if not present.

Next, it removes all default protections that keep the drive from being encrypted by accident. For speed, it uses the '-UsedSpaceOnly' flag to have BitLocker only encrypt occupied space on the disk.

The random password is generated using network traffic and memory usage data, so there are no patterns to make brute-forcing feasible.

The ShrinkLocker script will also delete and reconfigure all BitLocker protectors, to make more difficult the recovery of the encryption keys.

"Protectors are mechanisms used by BitLocker to protect the encryption key. They can include hardware protectors like TPMs or software protectors like passwords or recovery keys. By deleting all protectors, the script aims to make it impossible for the victim to recover their data or decrypt the drive," Bitdefender explains.

For propagation, ShrinkLocker uses Group Policy Objects (GPOs) and scheduled tasks, modifies Group Policy settings on Active Directory domain controllers, and creates tasks for all domain-joined machines to ensure the encryption of all drives on the compromised network.

After reboot, victims see a BitLocker password screen that also includes the threat actor's contact details.

Bitdefender releases decryptor

Bitdefender created and released a decryptor that reverses the sequence in which ShrinkLocker deletes and reconfigures BitLocker's protectors.

The researchers say that they identified "a specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks," which allows them to decrypt and recover the password set by the attacker.

This makes it possible to reverse the encryption process and bring the drives back to their previous, unencrypted state.

ShrinkLocker victims can download the tool and use it from a USB drive connected to the impacted systems. When the BitLocker recovery screen shows, users should enter BitLocker Recovery Mode and skip all the steps to get to Advanced options, which provides a command prompt that allows launching the decryption tool.

The researchers warn that the time to decrypt the data depends on the system's hardware and the complexity of the encryption and could take some time.

When done, the decryptor will unlock the drive and disable smart card-based authentication.

Bitdefender notes that the decryptor only works on Windows 10, Windows 11, and recent Windows Server versions and is most effective when used shortly after the ransomware attack, when BitLocker's configurations are not fully overridden yet and can be recovered.

Unfortunately, this method will not work to recover BitLocker passwords created using other methods.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

The vulnerability was discovered in the D-Link DSL6740C modem by security researcher Chaio-Lin Yu (Steven Meow), who reported it to Taiwan’s computer and response center (TWCERTCC).

It is worth noting that the device was not available in the U.S. and reached end-of-service (EoS) phase at the beginning of the year.

In an advisory today, D-Link announced that it won't fix the issue and recommends "retiring and replacing D-Link devices that have reached EOL/EOS."

Chaio-Lin Yu reported to TWCERTCC two other vulnerabilities, an OS command injection and a path traversal issue:

The three flaws issues are summarized as follows:

• CVE-2024-11068: Flaw that allows unauthenticated attackers to modify any user’s password through privileged API access, granting them access to the modem’s Web, SSH, and Telnet services. (CVSS v3 score: 9.8 “critical”).
• CVE-2024-11067: Path traversal vulnerability allowing unauthenticated attackers to read arbitrary system files, retrieve the device’s MAC address, and attempt login using the default credentials. (CVSS v3 score: 7.5 “high”)
• CVE-2024-11066: Bug enabling attackers with admin privileges to execute arbitrary commands on the host operating system through a specific web page. (CVSS v3 score: 7.2 “high”)

A quick search on the FOFA search engine for publicly exposed devices and software shows that there are close to 60,000 D-Link DSL6740C modems reachable over the internet, most of them in Taiwan.

TWCERTCC has published advisories for four more high-severity OS command injection vulnerabilities that impact the same D-Link device. The bugs are tracked as CVE-2024-11062, CVE-2024-11063, CVE-2024-11064, and CVE-2024-11065.

Although the number of vulnerable devices exposed on the public web is significant, D-Link has made it clear in the past [1, 2] that end-of-life (EoL) devices are not covered by updates, even when critical bugs are concerned.

If users can't replace the affected device with a variant that the vendor still supports, they should at least restrict remote access and set secure access passwords.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.

"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.

"In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."

As they also revealed, 12 out of the top 15 vulnerabilities routinely abused in the wild were addressed last year, lining up with the agencies warning that threat actors focused their attacks on zero-days (security flaws that have been disclosed but are yet to be patched).

Here is the complete list of last year's most exploited vulnerabilities and relevant links to the National Vulnerability Database entries.

CVE-2023-3519, a code injection vulnerability in NetScaler ADC / Gateway that enables attackers to gain remote code execution on unpatched servers, took the first spot after state hackers abused it to breach U.S. critical infrastructure organizations.

By early August 2023, this security flaw had been leveraged to backdoor at least 640 Citrix servers worldwide and over 2,000 by mid-August.

Today's advisory highlights 32 other vulnerabilities often exploited last year to compromise organizations and provides information on how defenders can decrease their exposure to attacks abusing them in the wild.

This June, MITRE also unveiled the 25 most dangerous software weaknesses for the previous two calendar years and, in November 2021, a list of the most important hardware weaknesses.

"All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time," said Jeffrey Dickerson, NSA's cybersecurity technical director, on Tuesday.

"Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025."

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

What you need to know

• Google recently transitioned Google Chrome's extension support from the Manifest V2 framework to V3.
• The company indicated the Manifest V3 framework provides better privacy and security for users.
• New research shows malicious browser extensions can bypass the new framework's security measures, leaving users susceptible to phishing scams.

Extensions are essential and provide an enhanced and seamless browsing experience for users. As you may know, Google transitioned Google Chrome's extension support from the Manifest V2 framework to the Manifest V3 framework.

The drastic change impacted many browser extensions, including uBlock Origin, potentially leaving over 30 million Chrome users susceptible to intrusive ads. Google attributed the drastic change to privacy and security concerns with the Manifest V2 framework. According to Google, the Manifest V2 framework "presents security risks by allowing unreviewed code to be executed in extensions."

Google touts Manifest V3 as a better and safer option since it only allows an extension to execute JavaScript as part of its package, ultimately mitigating the risk. However, new research by SquareX shows some browser extensions can still circumvent the Manifest V3 framework's security measures (via TechRadar Pro). The report further suggests that this loophole places users at risk, potentially giving bad actors access to personal and sensitive information.

According to the research team's findings, malicious browser extensions can bypass the Manifest V3 framework's security, granting them unauthorized access to live video streams, including Google Meet and Zoom Web. Google faced similar issues with the Manifest V2 framework, potentially influencing the transition to V3.

The malicious extensions reportedly allow bad actors to add unauthorized collaborators to private GitHub repositories. Even worse, they can be leveraged to lure unsuspecting users into phishing scams fronted as password managers. This way, the extensions access your browsing and download history, cookies, bookmarks, and more.

As you may know, security solutions like Secure Access Service Edge (SASE) or endpoint protection can't assess browser extensions, leaving users susceptible to security risks. However, the researchers have highlighted several solutions to mitigate these issues, including fine-tuning policies that allow admins to control extension access based on reviews, ratings, extension permissions, and update history.

According to SquareX Founder & CEO Vivek Ramachandran:

The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized.

An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.

The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses:

• DNS-320 Version 1.00
• DNS-320LW Version 1.01.0914.2012
• DNS-325 Version 1.01,  Version 1.02
• DNS-340L Version 1.08

In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter.”

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27" 

“This curl request constructs a URL that triggers the cgi_user_add command with a name parameter that includes an injected shell command,” the researcher explains.

A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products.

If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions.

The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.

Back then, FOFA internet scans returned 92,589 results.

Responding to the situation at the time, a D-Link spokesperson told BleepingComputer that the networking firm no longer makes NAS devices, and the impacted products had reached EoL and will not be receiving security updates.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

The free book is designed for those responsible for Windows Server security in enterprise environments. It helps you get a better understanding of the protections now embedded in Windows Server. Best of all, the PDF document is just 19 pages long, so if you hate reading, it won't take long to get through it.

The book is split up into eight chapters and covers system hardening and baselines, credential protection and application control, silicon-assisted security innovations, operational security and continuous monitoring, workload security for virtual machines and containers, enhanced network security with micro-segregation, and advanced compliance and threat detection.

With increasing digitalization and heightened geopolitical tensions, the International Monetary Fund warns that cyberattacks has risen in recent years. For this reasons, administrators of Windows Server 2025 need to be on their toes now more than ever and by reading this book from Microsoft they can be better prepared to fend off attacks.

The information packed into this book will benefit readers for the next decade with mainstream support ending in October 2029 and extended support lasting until October 2034, so it's definitely worth the time to read it if you're an administrator.

To get the new book, just head over to this link to get the PDF.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

The malware bundle dropper is distributed through forums and torrent trackers as a crack tool that activates legitimate versions of various software like Foxit PDF Editor, JetBrains and AutoCAD.

Using a vulnerable driver for privilege escalation is common for state-sponsored threat actors and ransomware groups. However, the technique now appears to extend to info-stealing malware attacks.

Kaspersky researchers discovered the SteelFox campaign in August but say that the malware has been around since February 2023 and increased distribution lately using multiple channels (e.g. torrents, blogs, and posts on forums).

According to the company, its products detected and blocked SteelFox attacks 11,000 times.

SteelFox infection and privilege escalation

Kaspersky reports that malicious posts promoting the SteelFox malware dropper come with complete instructions on how to illegally activate the software. Below is a sample of such a post providing directions on how to activate JetBrains:

The researchers say that while the dropper does have the advertised functionality, users also infect their systems with malware.

Since the software targeted for illegal activation is typically installed in the Program Files, adding the crack requires administrator access, a permission that the malware uses later in the attack.

Kaspersky researchers say that "the execution chain looks legitimate until the moment the files are unpacked." They explain that a malicious function is added during the process, which drops on the machine code that loads SteelFox.

Having secured admin rights, SteelFox creates a service that runs WinRing0.sys inside, a driver vulnerable to CVE-2020-14979 and CVE-2021-41285, which can be exploited to obtain privilege escalation to NT/SYSTEM level.

Such permissions are the highest on a local system, more powerful than an administrator's, and allow unrestricted access to any resource and process.

The WinRing0.sys driver is also used for cryptocurrency mining, as it is part of the XMRig program for mining Monero cryptocurrency. Kaspersky researchers say that the threat actor uses a modified version of the miner executable that connects to a mining pool with hardcoded credentials.

The malware then establishes a connection with its command-and-control (C2) server using SSL pinning and TLS v1.3, which protects the communication from being intercepted.

It also activates the info-stealer component that extracts data from 13 web browsers, information about the system, network, and RDP connection.

The researchers note that SteelFox collects from the browsers data like credit cards, browsing history, and cookies.

Kaspersky says that although the C2 domain SteelFox uses is hardcoded, the threat actor manages to hide it by switching its IP addresses and resolving them through Google Public DNS and DNS over HTTPS (DoH).

SteelFox attacks do not have specific targets but appear to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor. Based on Kaspersky's visibility, the malware compromises systems in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka.

Although SteelFox is fairly new, "it is a full-featured crimeware bundle," the researchers say. Analysis of the malware indicates that it's developer is skilled in C++ programming and they managed to create formidable malware by integrating external libraries.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Canadian authorities have arrested a man on suspicion he breached hundreds of accounts belonging to users of cloud storage provider Snowflake and used that access to steal personal data belonging to millions of people, authorities said Tuesday.

“Following a request by the United States, Alexander Moucka (aka Connor Moucka) was arrested on a provisional arrest warrant on Wednesday, October 30, 2024,” an official with the Canada Department of Justice wrote in an email Tuesday. “He appeared in court later that afternoon, and his case was adjourned to Tuesday, November 5, 2024. As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”

Word of the arrest first came from Bloomberg News and was later confirmed by 404 Media.

Scourge of the infostealers

The Snowflake compromise came to light in late May, following the disclosure by Live Nation that data held by its Ticketmaster group had been stolen and put up for sale online. The data included the full names, addresses, phone numbers, and partial credit card numbers for 560 million Ticketmaster customers. Live Nation later told TechCrunch the data had been stored in an account on Snowflake.

Mandiant, a Google-owned security firm Snowflake retained to investigate the breach has said that 165 customers of the cloud storage provider may have had data stolen during that spree. Data purporting to be taken from many customers was later put up for auction online, creating major risks for the breached companies and the individual holders of that personal data.

Mandiant went on to say that all the compromises it had tracked were the result of login credentials for Snowflake accounts being stolen by infostealer malware and stored in vast logs, sometimes for years at a time, before eventually making their way into the hands of the threat actors who used them in the individual breaches.

Attack Path UNC5537 has used in attacks against as many as 165 Snowflake customers.

Credit: Mandiant

None of the affected accounts used multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password. After that revelation, Snowflake enforced mandatory MFA for accounts and required that passwords be at least 14 characters long.

Mandiant had identified the threat group behind the breaches as UNC5537. The group has referred to itself ShinyHunters. Snowflake offers its services under a model known as SaaS (software as a service).

“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant wrote in an emailed statement. “In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Mandiant said a co-conspirator, John Binns, was arrested in June. The status of that case wasn’t immediately known.

Besides Ticketmaster, other customers known to have been breached include AT&T and Spain-based bank Santander. In July, AT&T said that personal information and phone and text message records for roughly 110 million customers were stolen. WIRED later reported that AT&T paid $370,000 in return for a promise the data would be deleted.

Other Snowflake customers reported by various news outlets as breached are Pure Storage, Advance Auto Parts, Los Angeles Unified School District, QuoteWizard/LendingTree, Neiman Marcus, Anheuser-Busch, Allstate, Mitsubishi, and State Farm.

KrebsOnSecurity reported Tuesday that Moucka has been named in multiple charging documents filed by US federal prosecutors. Reporter Brian Krebs said specific charges and allegations are unknown because the cases remain sealed.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Tracked as CVE-2024-43047 and CVE-2024-43093, the two issues are marked as exploited in limited, targeted attacks.

"There are indications that the following may be under limited, targeted exploitation," says Google's advisory.

The CVE-2024-43047 flaw is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges.

The flaw was first disclosed in early October 2024 by Qualcomm as a problem in its Digital Signal Processor (DSP) service.

CVE-2024-43093 is also a high-severity elevation of privilege flaw, this time impacting the Android Framework component and Google Play system updates, specifically in the Documents UI.

Google did not disclose who discovered the CVE-2024-43093 vulnerability.

While Google did not share any details on how the vulnerabilities were exploited, as researchers at Amnesty International discovered CVE-2024-43047, it could indicate that the flaw was used in targeted spyware attacks.

Out of the remaining 49 flaws fixed this time, only one, CVE-2024-38408, is classified as critical, also impacting Qualcomm's proprietary components.

The security issues fixed this month impact Android versions between 12 and 15, with some being limited to specific versions of the mobile operating system.

Google issues two patch levels each month, in this case, November 1 (2024-11-01 Patch Level) and November 5 (2024-11-05 Patch Level).

The first level addresses core Android vulnerabilities, with 17 issues this time, while the second patch level encompasses those plus vendor-specific fixes (Qualcomm, MediaTek, etc.), counting an additional 34 fixes this month.

To apply the latest update, head to Settings > System > Software updates > System update. Alternatively, go to Settings > Security & privacy > System & updates > Security update. A restart will be required to apply the update.

Android 11 and older are no longer supported but may receive security updates to critical issues for actively exploited flaws through Google Play system updates, though that's not guaranteed.

The best course of action for devices still running those older releases should be either to replace them with newer models or use a third-party Android distribution that incorporates the latest security fixes.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Launched at the end of September 2024, Interlock has since claimed attacks on six organizations, publishing stolen data on their data leak site after a ransom was not paid. One of the victims is Wayne County, Michigan, which suffered a cyberattack at the beginning of October.

Not much is known about the ransomware operation, with some of the first information coming from incident responder Simo in early October, who found a new backdoor [VirusTotal] deployed in an Interlock ransomware incident.

Soon after, cybersecurity researcher MalwareHuntTeam found what was believed to be a Linux ELF encryptor [VirusTotal] for the Interlock operation. Sharing the sample with BleepingComputer, we attempted to test it on a virtual machine, where it immediately crashed.

Examining the strings within the executable indicated that it was compiled specifically for FreeBSD, with the Linux "File" command further confirming it was compiled on FreeBSD 10.4.

interlock.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c7f876806bf4d3ccafbf2252e77c2a7546c301e6, for FreeBSD 10.4, FreeBSD-style, not stripped

However, even when testing the sample on a FreeBSD virtual machine, BleepingComputer was unable to get the sample to properly execute.

While it is common to see Linux encryptors created to target VMware ESXi servers and virtual machines, it is rare to see ones created for FreeBSD. The only other ransomware operation known to have created FreeBSD encryptors is the now-defunct Hive ransomware operation, which was disrupted by the FBI in 2023.

This week, researchers from cybersecurity firm Trend Micro shared on X that they found an additional sample of the FreeBSD ELF encryptor [VirusTotal] and a sample of the operation's Windows encryptor [VirusTotal].

Trend Micro further said that the threat actors likely created a FreeBSD encryptor as the operating system is commonly used in critical infrastructure, where attacks can cause widespread disruption.

"Interlock targets FreeBSD as it's widely utilized in servers and critical infrastructure. Attackers can disrupt vital services, demand hefty ransoms, and coerce victims into paying," explains Trend Micro.

The Interlock ransomware

While BleepingComputer could not get the FreeBSD encryptor working, the Windows version ran without a problem on our virtual machine.

According to Trend Micro, the Windows encryptor will clear Windows event logs, and if self-deletion is enabled, will use a DLL to delete the main binary using rundll32.exe. 

When encrypting files, the ransomware will append the .interlock extension to all encrypted file names, and create a ransom note in each folder.

This ransom note is named !__README__!.txt and briefly describes what happened to the victim's files, makes threats, and links to the Tor negotiation and data leak sites.

Each victim has a unique "Company ID" that is used along with an email address to register on the threat actor's Tor negotiation site. Like many other recent ransomware operations, the victim-facing negotiation site just includes a chat system that can be used to communicate with the threat actors.

When conducting attacks, Interlock will breach a corporate network and steal data from servers while spreading laterally to other devices. When done, the threat actors deploy the ransomware to encrypt all of the files on the network.

The stolen data is used as part of a double-extortion attack, where the threat actors threaten to publicly leak it if a ransom is not paid.

BleepingComputer has learned that the ransomware operation demands ransoms ranging from hundreds of thousands of dollars to millions, depending on the size of the organization.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Microsoft is modernizing how its Windows Hello authentication, which includes facial and fingerprint recognition, works in Windows 11. The revamp to the Windows Hello experience is now in beta testing with Windows Insiders, and includes visual changes, new iconography, and improvements to passkeys.

 

Not only will this new UI appear on the Windows 11 login screen, but also when you’re using passkeys to sign into websites and apps. “We redesigned Windows security credential user experiences for passkey creating a cleaner experience that supports secured and quick authentication,” explains the Windows team. “Users will now be able to switch between authentication options and select passkey / devices more intuitively.”

 

The new Windows Hello UI on the login screen of Windows 11.

Image: Microsoft

 

Microsoft currently supports passkeys in Windows 11, but the experience of using one from a mobile device involves scanning QR codes and an outdated UI. A new sign-in UI for passkeys and Microsoft account authentication will improve this greatly, as part of this Windows Hello UI overhaul.

 

Microsoft has also built a new API for third-party password and passkey managers that can let developers plug directly into this modern Windows Hello experience. It will also allow Windows 11 users to use passkey from a mobile device to authenticate with apps and websites on a PC. This new passkeys experience will also support saving passkeys to third-party apps or syncing them to your Microsoft account.

 

The new passkey sign-in process.

Image: Microsoft

 

Microsoft has started testing this new Windows Hello experience for the beta channel (23H2), and it should also appear in the dev channel (which is based on 24H2) once builds resume soon. I’d expect we’ll see this new Windows Hello UI appear for all Windows 11 users in the coming months.

 

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

LastPass is a popular password manager that utilizes a LastPass Chrome extension to generate, save, manage, and autofill website passwords.

Threat actors are attempting to target a large swath of the company's user base by leaving 5-star reviews with a fake LastPass customer support number.

These reviews urge users facing any problems with the app to contact the LastPass online customer service at 805-206-2892, which is not associated with the vendor.

Instead, a scammer answering the phone will impersonate LastPass and direct individuals to a site at 'dghelp[.]top' where they must enter a code to download a remote support program.

"Individuals calling this fake support number will be greeted by an individual asking what product they are having issues with and then a series of questions regarding whether they are attempting to access LastPass via a computer or a mobile device and what operating system they are using," explains LastPass.

"They will then be directed to the site dghelp[.]top while the threat actor remains on the line and attempts to get the potential victim to engage with the site, exposing their data."

BleepingComputer has discovered that entering the code on this page will download a ConnectWise ScreenConnect agent [VirusTotal] that will give the scammer full access to a person's computer.

From there, one threat actor can keep the caller engaged with questions. At the same time, another scammer uses ScreenConnect in the background to install other programs for unattended remote access, steal data, or steal data from the computer.

BleepingComputer found that the ScreenConnect client will make connections to attacker-controlled servers at molatorimax[.]icu and n9back366[.]stream. Both of these sites have previously been associated with an IP address in Ukraine before being hidden behind Cloudflare.

LastPass users are reminded never to share their master password with anyone, not even legitimate customer support, as this would private access to all of the passwords and data stored in LastPass vaults.

Linked to a larger scam campaign 

BleepingComputer has learned that the phone number associated with the fake LastPass support center is linked to a much larger campaign.

The phone number, 805-206-2892, was also found promoted as a support number for numerous other companies, including Amazon, Adobe, Facebook, Hulu, YouTube TV, Peakcock TV, Verizon, Netflix, Roku, PayPal, Squarespace, Grammarly, iCloud, Ticketmaster, and Capital One.

These fake support numbers are posted not only to Chrome extension reviews but also to sites that allow anyone to create content, such as company forums and Reddit.

While many of these posts are taken down as they are created, others are still available, with new ones created throughout the day.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software.

As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.

"The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability," Midnight Blue said.

"However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required."

Synology says it addressed the vulnerabilities in the following software releases; however, they're not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

• BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
• BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
• Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
• Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company's SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).

While Synology and QNAP hurried out security updates, vendors are given 90 days until Trend Micro's Zero Day Initiative releases details on bugs disclosed during the contest and usually take their time to release patches.

This is likely because NAS devices are commonly used to store sensitive data by both home and enterprise customers, and they're also often exposed to Internet access for remote access. However, this makes them vulnerable targets for cybercriminals who exploit weak passwords or vulnerabilities to breach the systems, steal data, encrypt files, and extort owners by demanding ransoms to provide access to the lost files.

As Midnight Blue security researchers who demoed the Synology zero-days during Pwn2Own Ireland 2024 told cybersecurity journalist Kim Zetter (who first reported on the security updates), they found Internet-exposed Synology NAS devices on the networks of police departments in the U.S. and Europe, as well as critical infrastructure contractors from South Korea, Italy, and Canada.

QNAP and Synology have warned customers for years that devices exposed online are being targeted by ransomware attacks. For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly, with two large-scale ones reported in June 2019 (against QNAP and Synology devices) and in June 2020 standing out.

In more recent attack waves, threat actors have also used other malware strains (including DeadBolt and Checkmate ransomware) and various security vulnerabilities to encrypt Internet-exposed NAS devices.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

qBittorrent is a free, open-source client for downloading and sharing files over the BitTorrent protocol. Its cross-platform nature, IP filtering, integrated search engine, RSS feed support, and modern Qt-based interface have made it particularly popular.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing the users about it and without assigning a CVE to the problem.

One problem, multiple risks

The core issue is that since 2010, qBittorrent accepted any certificate, including forged/illegitimate, enabling attackers in a man-in-the-middle position to modify network traffic.

"In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86," explains the security researcher.

"The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.

SSL certificates help ensure that users connect securely to legitimate servers by verifying that the server's certificate is authentic and trusted by a Certificate Authority (CA).

When this validation is skipped, any server pretending to be the legitimate one can intercept, modify, or insert data in the data stream, and qBittorrent would trust this data.

Sharp Security highlights four main risks that arise from this issue: 

1. When Python is unavailable on Windows, qBittorrent prompts the user to install it via a hardcoded URL pointing to a Python executable. Due to the lack of certificate validation, an attacker intercepting the request can replace the URL's response with a malicious Python installer that can perform RCE.
2. qBittorrent checks for updates by fetching an XML feed from a hardcoded URL then parses the feed for a new version's download link. Lacking SSL validation, an attacker could substitute a malicious update link in the feed, prompting the user to download malicious payloads.
3. qBittorrent's DownloadManager is also used for RSS feeds, enabling attackers to intercept and modify the RSS feed content and inject malicious URLs posing as safe torrent links.
4. qBittorrent automatically downloads a compressed GeoIP database from a hardcoded URL and decompresses it, allowing the exploitation of potential memory overflow bugs via files fetched from a spoofed server.

The researcher comments that MitM attacks are often seen as unlikely, but they could be more common in surveillance-heavy regions.

The latest version of qBittorrent, 5.0.1, has addressed the above risks, so users are recommended to upgrade as soon as possible.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

Unsuspecting users clicking on those products are redirected to a network of hundreds of fake web stores that steal their personal details and money without shipping anything.

According to HUMAN's Satori Threat Intelligence team that discovered Phish n' Ships, the campaign has impacted hundreds of thousands of consumers, causing estimated losses of tens of millions of dollars.

The Phish n' Ships operation

The attack starts by infecting legitimate sites with malicious scripts by exploiting known vulnerabilities (n-days), misconfigurations, or compromised administrator credentials.

Once a site is compromised, the threat actors upload inconspicuously named scripts such as "zenb.php" and "khyo.php," with which they upload fake product listings.

These items are complete with SEO-optimized metadata to increase their visibility on Google search results, from where victims can be drawn.

When victims click on these links, they are redirected through a series of steps that ultimately lead to fraudulent websites, often mimicking the interface of the compromised e-store or using a similar design.

All of these fake shops are connected to a network of fourteen IP addresses, according to Satori researchers, and they all contain a particular string in the URL that makes them identifiable.

Attempting to purchase the item on the fake shop takes victims through a fake checkout process designed to appear legitimate but does not include any data verification, a sign of potential fraud.

The malicious sites steal the information victims enter in the order fields, including their credit card details, and complete the payment using a semi-legitimate payment processor account controlled by the attacker.

The purchased item is never shipped to the buyer, so the victims lose both their money and data.

Satori has found that over the five years during which Phish n' Ships has been active, the threat actors abused multiple payment providers to cash out the proceeds of the scam.

More recently, they adapted to implementing a payment mechanism on some of the fake e-shop sites so they can snatch the victim's credit card details directly.

Campaign disrupted

HUMAN and its partners coordinated a response to Phish n' Ships, informing many of the impacted organizations and reporting the fake listings to Google so they could be removed.

As of writing, most malicious search results have been cleaned, and nearly all identified shops have been taken offline.

Also, payment processors who facilitated cashouts for the fraudsters were informed accordingly and removed the offending accounts from their platforms, significantly disrupting the threat actor's ability to generate profit.

Despite all that, the threat actors can adapt to this disruption. Although Satori continues monitoring the activity for resurgence, it's unlikely that they will give up and not try to establish a new shopper-defrauding network.

Consumers are recommended to look out for unusual redirects when browsing e-commerce platforms, validate they are on the correct shop URL when attempting to buy an item, and report fraudulent charges to their bank and authorities as soon as possible.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

RIP Matrix | Farewell my friend  

This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP's SMB Service and is now fixed in versions 4.15.002 or later and h4.15.002 and later.

The zero-day flaw was patched one week after allowing YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS device at Pwn2Own Ireland 2024.

On Tuesday, the company fixed another zero-day in its HBS 3 Hybrid Backup Sync disaster recovery and data backup solution, exploited by Viettel Cyber Security's team at Pwn2Own to execute arbitrary commands and hack a TS-464 NAS device.

Team Viettel won Pwn2Own Ireland 2024 after four days of competition, during which more than $1 million in prizes were awarded to hackers who demonstrated over 70 unique zero-day vulnerabilities.

While QNAP patched both vulnerabilities within a week, vendors usually take their time to release security patches after the Pwn2Own contest, given that they have 90 days until Trend Micro's Zero Day Initiative releases details on bugs disclosed during the contest.

To update the software on your NAS device, log in to QuTS hero or QTS as an administrator, go to the App Center, search for "SMB Service," and click "Update." This button will not be available if the software is already up-to-date.

Patching quickly is highly recommended, as QNAP devices are popular targets for cybercriminals because they're commonly used for backing up and storing sensitive personal files. This makes them easy targets for installing information-stealing malware and the perfect leverage for forcing victims to pay a ransom to get back their data.

For instance, in June 2020, QNAP warned of eCh0raix ransomware attacks, which exploited Photo Station app vulnerabilities to hack into and encrypt QNAP NAS devices.

QNAP also alerted customers in September 2020 of AgeLocker ransomware attacks targeting publicly exposed NAS devices running older and vulnerable Photo Station versions. In June 2021, eCh0raix (QNAPCrypt) returned with new attacks exploiting known vulnerabilities and brute-forcing NAS accounts using weak passwords.

Other recent attacks targeting QNAP devices include DeadBolt, Checkmate, and eCh0raix ransomware campaigns, which abused various security vulnerabilities to encrypt data on Internet-exposed NAS devices.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts

RIP Matrix | Farewell my friend  

Tracked as CVE-2024-50388, the security flaw is caused by an OS command injection weakness in HBS 3 Hybrid Backup Sync version 25.1.x, the company's disaster recovery and data backup solution.

"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," QNAP said in a Tuesday security advisory.

The company has addressed the security bug in HBS 3 Hybrid Backup Sync 25.1.1.673 and later.

To update HBS 3 on your NAS device, log in to QTS or QuTS hero as an administrator, open the App Center, and search for "HBS 3 Hybrid Backup Sync".

If an update is available, click "Update". However, the "Update" button will not be available if your HBS 3 Hybrid Backup Sync is already up-to-date.

The zero-day was patched five days after enabling Ha The Long and Ha Anh Hoang of Viettel Cyber Security to execute arbitrary code and gain admin privileges on the third day of Pwn2Own Ireland 2024.

However, after the Pwn2Own contest, vendors usually take their time to release security patches, seeing that they're given 90 days until Trend Micro's Zero Day Initiative publishes details on security bugs demoed and disclosed during the contest.

Team Viettel won Pwn2Own Ireland 2024, which ended after four days of competition, on Friday, October 25. More than $1 million in prizes were awarded to hackers who disclosed over 70 unique zero-day vulnerabilities.

Three years ago, QNAP also removed a backdoor account in its Hybrid Backup Sync solution (CVE-2021-28799), which was exploited together with an SQL Injection vulnerability in Multimedia Console and the Media Streaming Add-On(CVE-2020-36195) to deploy Qlocker ransomware onto Internet-exposed NAS devices to encrypt files.

QNAP devices are a popular target among ransomware gangs because they store sensitive personal files, making them perfect leverage for forcing victims to pay a ransom to decrypt data.

In June 2020, QNAP warned of eCh0raix ransomware attacks exploiting Photo Station app security flaws. One year later, eCh0raix (aka QNAPCrypt) returned in attacks exploiting known vulnerabilities and brute-forcing accounts with weak passwords.

QNAP also alerted customers in September 2020 of AgeLocker ransomware attacks targeting publicly exposed NAS devices running older and vulnerable Photo Station versions.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts

RIP Matrix | Farewell my friend  

The tool, named 'Chrome-App-Bound-Encryption-Decryption,' was released by cybersecurity researcher Alexander Hagenah after he noticed that others were already figuring out similar bypasses.

Although the tool achieves what multiple infostealer operations have already added to their malware, its public availability raises the risk for Chrome users who continue to store sensitive data in their browsers.

Google's app-bound encryption problems

Google introduced Application-Bound (App-Bound) encryption in July (Chrome 127) as a new protection mechanism that encrypts cookies using a Windows service that runs with SYSTEM privileges.

The goal was to protect sensitive information from infostealer malware, which runs with the permissions of the logged user, making it impossible for it to decrypt stolen cookies without first gaining SYSTEM privileges and potentially raising alarms in security software.

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," explained Google in July.

"Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

However, by September, multiple information stealers had found ways to bypass the new security feature and provide their cybercriminal customers the ability to once again steal and decrypt sensitive information from Google Chrome.

Google told BleepingComputer then that the "cat and mouse" game between info-stealer developers and its engineers was always expected and that they never assumed that their defense mechanisms would be bulletproof.

Instead, with the introduction of App-Bound encryption, they hoped they would finally lay the ground for gradually building a more sound system. Below is Google's response from the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen.

 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users." - A Google spokesperson

Bypass now publicly available

Yesterday, Hagenah made his App-Bound encryption bypass tool available on GitHub, sharing source code that allows anyone to learn from and compile the tool.

"This tool decrypts App-Bound encrypted keys stored in Chrome's Local State file, using Chrome's internal COM-based IElevator service," reads the project description.

"The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future)."

To use the tool, users must copy the executable into the Google Chrome directory usually located at C:\Program Files\Google\Chrome\Application. This folder is protected, so users must first gain administrator privileges to copy the executable to that folder.

However, this is commonly easy to achieve as many Windows users, especially consumers, use accounts that have administrative privileges.

In terms of its actual impact on Chrome security, researcher g0njxa told BleepingComputer that Hagenah's tool demonstrates a basic method that most infostealers have now surpassed to steal cookies from all versions of Google Chrome.

Toyota malware analyst Russian Panda also confirmed to BleepingComputer that Hagenah's method looks similar to the early bypassing approaches infostealers took when Google first implemented App-Bound encryption in Chrome.

"Lumma used this method – instantiating the Chrome IElevator interface through COM to access Chrome's Elevation Service to decrypt the cookies, but this can be quite noisy and easy to detect," Russian Panda told BleepingComputer.

"Now, they are using indirect decryption without directly interacting with Chrome's Elevation Service".

However, g0njxa commented that Google has still not caught up, so user secrets stored in Chrome can be easily stolen using the new tool.

In response to the release of this tool, Google shared the following statement with BleepingComputer:

"This code [xaitax's] requires admin privileges, which shows that we've successfully elevated the amount of access required to successfully pull off this type of attack," Google told BleepingComputer.

While it is true admin privileges are required, it does not seem to have impacted information-stealing malware operations, which have only increased over the past six months, targeting users through zero-day vulnerabilities, fake fixes to GitHub issues, and even answers on StackOverflow.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts

RIP Matrix | Farewell my friend