A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB.
The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial

A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB.

The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial instruments after gaining their trust under the guise of a romantic relationship or an investment advisor.

Such manipulative and social engineering operations often end with the victims losing their funds, and in some cases, extracting even more money from them by requesting various fees and other payments.

The Singapore-headquartered company said the campaign has a global reach, with victims reported across Asia-Pacific, European, Middle East and Africa. The bogus apps, built using the UniApp Framework, have been classified under the moniker **UniShadowTrade**.

The activity cluster is said to have been active since at least mid-2023, luring victims with malicious apps with the promise of quick financial gain. A noteworthy aspect of the threat is that one of the apps managed to even get past Apple's App Store review process, thus lending it an illusion of legitimacy and trust.

The app in question, SBI-INT, is no longer available for download from the app marketplace, but it masqueraded as software for "commonly used algebraic mathematical formulas and 3D graphics volume area calculation."

It's believed that the cybercriminals accomplished this by means of a check that included the app's source code that checked if the current date and time is earlier than July 22, 2024, 00:00:00, and if so, launched a fake screen with formulae and graphics.

But once it was taken down weeks after it was published, the threat actors behind the operation are said to have pivoted to distributing the app, for both Android and iOS, via phishing websites.

"For iOS users, pressing the download button triggers the download of a .plist file, prompting iOS to ask for permission to install the application," Group-IB researcher Andrey Polovinkin said.

"However, after the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational."

Users who end up installing the app and opening it are greeted with a login page, requiring users to provide their phone number and password. The registration process involves entering an invitation code in the app, suggesting that the attackers are targeting specific individuals to pull off the scam.

A successful registration triggers a six-step attack process wherein the victims are urged to provide identity documents as proof, personal information, and current job details, after which they are asked to agree to the service's terms and conditions in order to make the investments.

Once the deposit has been made, the cybercriminals send further instructions on which financial instrument to invest in and often guarantee that they will yield high returns, thereby deceiving users into investing more and more money. To maintain the ruse, the app is rigged to display their investments as making gains.

Trouble starts when the victim attempts to withdraw the funds, at which point they are asked to pay additional fees to recover their principal investments and purported gains. In reality, the funds are stolen and diverted to accounts under the attackers' control.

Another novel tactic adopted by the malware authors is the use of an embedded configuration that includes specifics about the URL that hosts the login page and other aspects of the purported trading application launched within the app.

This configuration information is hosted in a URL associated with a legitimate service called TermsFeed that offers compliance software for generating privacy policies, terms and conditions, and cookie consent banners.

"The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL," Polovinkin said. "In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets."

This, per Group-IB, is a deliberate approach taken by the threat actors to minimize the chances of detection and avoid raising red flags when the app is distributed through the App Store.

Furthermore, the cybersecurity firm said it also discovered one of the fake stock investment scam apps on the Google Play Store that went by the name FINANS INSIGHTS (com.finans.insights). Another app linked to the same developer, Ueaida Wabi, is FINANS TRADER6 (com.finans.trader)

While both Android apps are not present in the Play Store, statistics from Sensor Tower show that they were downloaded less than 5,000 times. Japan, South Korea, and Cambodia were the top three countries served by FINANS INSIGHTS, whereas Thailand, Japan, and Cyprus were the primary regions where FINANS TRADER6 was available.

"Cybercriminals continue to use trusted platforms such as the Apple Store or Google Play to distribute malware disguised as legitimate applications, exploiting users' trust in secure ecosystems," Polovinkin said.

"Victims are lured in with the promise of easy financial gains, only to find that they are unable to withdraw funds after making significant investments. The use of web-based applications further conceals the malicious activity and makes detection more difficult."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fake Trading Apps Target Victims Globally via Apple App Store and Google Play

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently **reported** a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka **evilsocket**), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

****Uptycs Research****

Uptycs threat research team **identified** vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

****Akamai Research****

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s **blog post** published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

****The Scope of the Problem:****

*   Akamai identified over 198,000 internet-connected devices running CUPS.
*   Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
*   Outdated CUPS versions (released as far back as 2007) were the most susceptible.
*   Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including **CVE-2024-47175** (libppd), **CVE-2024-47176** (cups-browsed), **CVE-2024-47177** (cups-filters), and **CVE-2024-47076** (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**
5.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

A previously undocumented threat actor called CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia.
Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.
"The

Cyber Espionage / Cloud Security

A previously undocumented threat actor called **CeranaKeeper** has been linked to a string of data exfiltration attacks targeting Southeast Asia.

Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.

"The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration," security researcher Romain Dumont said in an analysis published today.

"CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools."

Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state-sponsored threat actors in recent years.

ESET described CeranaKeeper as relentless, creative, and capable of swiftly adapting its modus operandi, while also calling it aggressive and greedy for its ability to move laterally across compromised environments and hoover as much information as possible via various backdoors and exfiltration tools.

"Their extensive use of wildcard expressions for traversing, sometimes, entire drives clearly showed their aim was massive data siphoning," the company said.

The exact initial access routes employed by the threat actor remain unknown as yet. However, a successful initial foothold is abused to gain access to other machines on the local network, even turning some of the compromised machines into proxies or update servers to store updates for their backdoor.

The attacks are characterized by the use of malware families such as TONESHELL, TONEINS, and PUBLOAD – all attributed to the Mustang Panda group – while also making use of an arsenal of never-before-seen tools to aid data exfiltration.

"After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump credentials, and used a legitimate Avast driver and a custom application to disable security products on the machine," Dumont said.

"From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store updates for TONESHELL, turning it into an update server."

The newly discovered custom toolset is as follows -

*   WavyExfiller - A Python uploader that harvests data, including connected devices like USBs and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints

*   DropboxFlop - A Python DropboxFlop that's a variant of a publicly-available reverse shell called DropFlop that comes with upload and download features and uses Dropbox as a command-and-control (C&C) server

*   OneDoor - A C++ backdoor that abuses Microsoft OneDrive REST API to receive commands and exfiltrate files

*   BingoShell - A Python backdoor that abuses GitHub's pull request and issues comment features to create a stealthy reverse shell

"From a high-level point of view, \[BingoShell\] leverages a private GitHub repository as a C&C server," ESET explained. "The script uses a hard-coded token to authenticate and the pull requests and issues comments features to receive commands to execute and send back the results."

Calling out CeranaKeeper's ability to quickly write and rewrite its toolset as required to evade detection, the company said the threat actor's end goal is to develop bespoke malware that can allow it to collect valuable information on a large scale.

"Mustang Panda and CeranaKeeper seem to operate independently of each other, and each has its own toolset," it said. "Both threat actors may rely on the same third party, such as a digital quartermaster, which is not uncommon among China-aligned groups, or have some level of information sharing, which would explain the links that have been observed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Python-Based Malware Slithers Into Systems via Legit VS Code

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.
"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection,"

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More\_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.

"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more\_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.

More\_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.

It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08), Cobalt, and Evilnum.

Earlier this June, eSentire disclosed details of a similar attack that leverages LinkedIn as a distribution vector for phony resumes hosted on an attacker-controlled site. The files, in reality, are Windows shortcut (LNK) files that, upon opening, trigger the infection sequence.

The latest findings from Trend Micro mark a slight deviation from the earlier observed pattern in that the threat actors sent a spear-phishing email in a likely attempt to build trust and gain their confidence. The attack was observed in late August 2024, targeting a talent search lead working in the engineering sector.

"Shortly after, a recruitment officer downloaded a supposed resume, John Cboins.zip, from a URL using Google Chrome," the researchers said. "It was not determined where this user obtained the URL. However, it was clear from both users' activities that they were looking for an inside sales engineer."

The URL in question, johncboins\[.\]com, contains a "Download CV" button to entice the victim into downloading a ZIP archive file containing the LNK file. It's worth noting that the attack chain reported by eSentire also includes an identical site with a similar button that directly downloads the LNK file.

Double-clicking the LNK file results in the execution of obfuscated commands that lead to the execution of a malicious DLL, which, in turn, is responsible for dropping the More\_eggs backdoor via a launcher.

More\_eggs commences its activities by first checking if it's running with admin or user privileges, followed by running a series of commands to perform reconnaissance of the compromised host. It subsequently beacons to a command-and-control (C2) server to receive and execute secondary malware payloads.

Trend Micro said it observed another variation of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.

"Attributing these attacks is challenging due to the nature of MaaS, which allows for the outsourcing of various attack components and infrastructure," it said. "This makes it difficult to pin down specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services like those offered by Golden Chickens."

That said, it's suspected that the attack could have been the work of FIN6, the company noted, citing the tactics, techniques, and procedures (TTPs) employed.

The development comes weeks after HarfangLab shed light on PackXOR, a private packer used by the FIN7 cybercrime group to encrypt and obfuscate the AvNeutralizer tool.

The French cybersecurity firm said it observed the same packer being used to "protect unrelated payloads" such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it could also be leveraged by other threat actors.

"PackXOR developers might indeed be connected to the FIN7 cluster, but the packer appears to be used for activities that are not related to FIN7," HarfangLab said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as…

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as legitimate platforms, these apps defraud investors, bypassing store checks and exploiting unsuspecting users globally.

A fraud campaign targeting **Apple iOS and Android users** has been discovered by GroupIB, involving fake trading apps. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors in Asia-Pacific, Middle East & Africa, and European regions.

Group-IB’s Threat Intelligence, and Fraud Protection analysts first discovered these fake mobile applications in May 2024 and have been investigating the campaign ever since.

According to their **report** shared with Hackread.com ahead of publishing on Wednesday, these applications were developed for Android using a single cross-platform framework. One was distributed through the Google Play store, while another targeted iOS devices.

What’s worse, unlike traditional mobile trojans, these applications had no typical malicious features and cybercriminals have created a facade of a legitimate trading platform to defraud victims.

The fraudulent apps check the current date and time to bypass Apple’s App Store checks, launching a fake activity with mathematical formulas and graphics if it is earlier than 22 July 2024, 00:00:00. Android samples were designed to display a fraudulent trading application hosted on the api.fxbrokerscc domain, part of a larger fraudulent infrastructure.

According to researchers, these fake trading apps and downloader apps mimic legitimate platforms and may include features like account settings, transaction history, and stock information. Downloader apps, found in the Apple App Store or distributed through phishing websites, prompt victims to install the fraudulent app.

Fake app on Apple Store (left) – Fake app on Google Play Store (Screenshot: Ground-IB)

The malware family used in the pig butchering scam is **UniShadowTrade**, classified under the UniApp Framework. This name is given by Group-IB analysts to categorize the fraudulent applications involved in the scam. For your information, the UniApp framework enables developers to create cross-platform applications with a single codebase, making it easier for scammers to develop and distribute malware.

****What Exactly is Pig Butchering?****

For your information, **Pig butchering** is a notorious digital scam that involves a meticulous process of grooming victims, building trust, and ultimately defrauding them of their money.

This particular campaign follows a specific pattern: target identification through social media, grooming and trust-building through social engineering techniques, offering a seemingly lucrative investment opportunity in cryptocurrency or other investments, encouraging a small initial investment, and building confidence through small profits.

Scammers pressure victims into making large investments, transfer funds they cannot withdraw, and disappear. This process continues until the victim is unable to withdraw the funds, causing significant financial loss and affecting their financial stability.

Nevertheless, scams Pig butchering can have devastating consequences for victims. Understanding scammers’ tactics and taking proactive measures can reduce the risk of falling victim to such fraud.

****Alert for Android and iOS users****

It is a fact that Google, which owns Android, and Apple, which owns the iOS App Store, try their best to keep the marketplace safe from malware and other cybersecurity threats. Despite constant monitoring, cybercriminals often slip into these stores with malicious apps, draining the bank accounts and crypto wallets of unsuspecting users.

Just last week, **Google approved** a crypto drainer app on the Play Store that stole over $70,000 from Android users. On the other hand, **in February 2024**, Apple approved a fake LastPass Password Manager app on its iOS App Store. The same month, Apple approved a **fake Rabby Wallet app** that stole millions from unsuspecting users.

Therefore, be extra careful when downloading an app from any of these stores. Check their reviews, search for the official app on Google, find their social media platforms, and confirm whether the app advertised on app stores is legitimate or not.

1.  **Phishing Scam Hits European Bank Users on iOS and Android**
2.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple, Google**
3.  **Pink Drainer Posed as Journalists, Stole $3M from Twitter Users**
4.  **Hackers Posed as Google Support to Steal $243 Million in Crypto**
5.  **Apple mistakenly approved malware masked as Adobe Flash Player**

Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores

Proof of concept remote command execution exploit for CUPS that leverages the vulnerability outlined in CVE-2024-47176.

CUPS Arbitrary Command Execution

ALEOS versions 4.16 and below denial of service proof of concept exploit.

ALEOS 4.16 Denial Of Service

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.

Suricata IDPE 7.0.7

Ubuntu Security Notice 7051-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.

    ==========================================================================Ubuntu Security Notice USN-7051-1October 02, 2024python-asyncssh vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:A protocol flaw was fixed in AsyncSSH.Software Description:- python-asyncssh: asyncio-based client and server implementation of SSHv2 protocolDetails:Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSHprotocol was vulnerable to a prefix truncation attack. If a remote attackerwas able to intercept SSH communications, extension negotiation messagescould be truncated, possibly leading to certain algorithms and featuresbeing downgraded. This issue is known as the Terrapin attack. This updateadds protocol extensions to mitigate this issue.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  python3-asyncssh                2.10.1-2ubuntu0.1Ubuntu 22.04 LTS  python3-asyncssh                2.5.0-1ubuntu0.1~esm1                                  Available with Ubuntu ProUbuntu 20.04 LTS  python3-asyncssh                1.12.2-1ubuntu0.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7051-1  CVE-2023-48795Package Information:https://launchpad.net/ubuntu/+source/python-asyncssh/2.10.1-2ubuntu0.1https://launchpad.net/ubuntu/+source/python-asyncssh/1.12.2-1ubuntu0.1

Latest News