Red Hat Security Advisory 2024-3980-03 - An update for flatpak is now available for Red Hat Enterprise Linux 7.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3980.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: flatpak security updateAdvisory ID:        RHSA-2024:3980-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3980Issue date:         2024-06-18Revision:           03CVE Names:          CVE-2024-32462====================================================================Summary: An update for flatpak is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Flatpak is a system for building, distributing, and running sandboxed desktopapplications on Linux.Security Fix(es):* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32462References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275981

Red Hat Security Advisory 2024-3980-03

Red Hat Security Advisory 2024-3979-03 - An update for flatpak is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3979.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: flatpak security updateAdvisory ID:        RHSA-2024:3979-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3979Issue date:         2024-06-18Revision:           03CVE Names:          CVE-2024-32462====================================================================Summary: An update for flatpak is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.Security Fix(es):* flatpak: sandbox escape via RequestBackground portal (CVE-2024-32462)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32462References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275981

Red Hat Security Advisory 2024-3979-03

Red Hat Security Advisory 2024-3889-03 - Red Hat OpenShift Container Platform release 4.15.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3889.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.18 security update  
Advisory ID:        RHSA-2024:3889-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3889  
Issue date:         2024-06-19  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.18 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.18. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:3892

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* cluster-image-registry-operator: Exposes a secret via env variable in pod  
definition on Azure (CVE-2024-4369)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2278035  
https://issues.redhat.com/browse/OCPBUGS-28928  
https://issues.redhat.com/browse/OCPBUGS-29361  
https://issues.redhat.com/browse/OCPBUGS-30208  
https://issues.redhat.com/browse/OCPBUGS-31461  
https://issues.redhat.com/browse/OCPBUGS-32029  
https://issues.redhat.com/browse/OCPBUGS-32092  
https://issues.redhat.com/browse/OCPBUGS-33206  
https://issues.redhat.com/browse/OCPBUGS-33526  
https://issues.redhat.com/browse/OCPBUGS-33736  
https://issues.redhat.com/browse/OCPBUGS-34423  
https://issues.redhat.com/browse/OCPBUGS-34641  
https://issues.redhat.com/browse/OCPBUGS-34732  
https://issues.redhat.com/browse/OCPBUGS-34843  
https://issues.redhat.com/browse/OCPBUGS-34868  
https://issues.redhat.com/browse/OCPBUGS-34887  
https://issues.redhat.com/browse/OCPBUGS-34997  
https://issues.redhat.com/browse/OCPBUGS-35002  
https://issues.redhat.com/browse/OCPBUGS-35010  
https://issues.redhat.com/browse/OCPBUGS-35059  
https://issues.redhat.com/browse/OCPBUGS-35074  
https://issues.redhat.com/browse/OCPBUGS-35229  
https://issues.redhat.com/browse/OCPBUGS-35255

Red Hat Security Advisory 2024-3889-03

Red Hat Security Advisory 2024-3885-03 - Red Hat OpenShift Container Platform release 4.13.44 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3885.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.44 bug fix and security update  
Advisory ID:        RHSA-2024:3885-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3885  
Issue date:         2024-06-19  
Revision:           03  
CVE Names:          CVE-2022-21708  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.44 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.44. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:3887

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* graphql-go: Denial of service via stack overflow panics (CVE-2022-21708)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2022-21708

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2045014  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://issues.redhat.com/browse/OCPBUGS-24395  
https://issues.redhat.com/browse/OCPBUGS-33777  
https://issues.redhat.com/browse/OCPBUGS-33978  
https://issues.redhat.com/browse/OCPBUGS-33990  
https://issues.redhat.com/browse/OCPBUGS-34342  
https://issues.redhat.com/browse/OCPBUGS-34409  
https://issues.redhat.com/browse/OCPBUGS-34765  
https://issues.redhat.com/browse/OCPBUGS-35094  
https://issues.redhat.com/browse/OCPBUGS-35241

Red Hat Security Advisory 2024-3885-03

Red Hat Security Advisory 2024-1482-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1482.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:1482-03Product:            Red Hat Enterprise Linux SupplementaryAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1482Issue date:         2024-06-19Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.This update upgrades IBM Java SE 8 to version 8 SR8-FP15.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1482-03

Red Hat Security Advisory 2024-1481-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1481.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:1481-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1481Issue date:         2024-06-19Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.This update upgrades IBM Java SE 8 to version 8 SR8-FP15.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1481-03

Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are safely managed, then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can’t afford to allow tags to go unmanaged or become misconfigured. 
Read the

GDPR Compliance / Data Privacy

Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are _safely managed_, then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can't afford to allow tags to go unmanaged or become misconfigured.

Read the full case study here.

Google Tag Manager saves website owners time and money. Its visual interface lets them attach tracking tags to their sites and then modify them as needed without the need to call a developer every time. Such tags gather the marketing and analytics data that power growth, and GTM makes them easier to manage, but with strict rules around data privacy to consider, you can't trust it completely; it needs active oversight.

**The ticket seller**

A case in point that we recently became aware of involves a global company that sells tickets to live events. With global operations it's important to establish who has overall responsibility for a particular function, but in this case, that was lacking. In a culture where the lines of responsibility aren't clear, it isn't surprising that a marketing team outsourced something to an external company because it saw it as a security concern it could offload rather than a marketing issue.

Download the full case study here.

The task was the management of its Google Tag Manager usage. The team may have felt that marketing and growth were their priorities and so this move made sense, but security is one of those strands that runs through everything. The consequence of outsourcing this work was a data breach because the contractor didn't catch a misconfiguration.

GDPR, CCPA, the Cyber Resilience Act, and other privacy-related legislation require companies not to let this happen. They must protect their customers' data and obtain their explicit permission before collecting and sharing it, and because of the misconfiguration this didn't happen. Getting it wrong in this way can be very expensive both in terms of money and reputation, not to mention the fact that cybercriminals have used Google Tag Manager as a vessel for conducting web skimming and keylogging attacks. You can read more about the details of this story in our case study.

**How big a problem is misconfiguration?**

As we explored the case of the global ticketing company, we became curious about Google Tag Manager and wondered how widespread this kind of problem might be. We wondered how many other companies might be exposing themselves to potential multi-million-dollar class action lawsuits brought by masses of individuals whose data they have shared without permission or against local privacy regulations, and how many might be at risk of attracting big penalties from data privacy watchdogs and industry regulators?

**The sample study**

We decided to look at a sample of 4,000 websites that use Google Tag Manager. It turned out that they connect an average website to around five applications, and that 45% of these apps are used for advertising, 30% are pixels and 20% are analytics tools. Here are the apps that we found users connecting with Google Tag Manager the most, in order of popularity.

For more information, read the full case study here.

**The risk**

We found that across all industries, Google Tag Manager and its connected apps account for 45% of all risk exposure among users. Overall, 20% of these apps are leaking personal or sensitive user data due to a misconfiguration.

Misconfigurations showed up in the applications below, which account for 85% of all cases:

**Oh, the irony!**

Ironically, we found that Google Tag Manager itself is responsible for the most cases of misconfigurations that might leak user data and land the website owners who unquestioningly trust it in hot water.

Now, this is not an attack on Google Tag Manager, because it's a very useful and effective tool when handled safely. Our intention is to point out the dangers of not managing the potential risks that come with using it, and to encourage you to read all about the many practical ways of ensuring that your tags behave themselves.

**Continuous protection**

In considering tactics, techniques, and procedures in cyber, organizations must consider employing a continuous web threat management system, such as Reflectiz. Its digital tag management and security tools give your teams complete visibility and control over tags issuing alerts on any changes to tags (and in fact any code on the website) for review and approval. It satisfies the conflicting priorities of both marketing and security teams, allowing Security to do the gatekeeping without restricting the growth and innovation ambitions of Marketing. Read the full case study to find out more.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Case Study: Unmanaged GTM Tags Become a Security Nightmare

Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed Void Arachne that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0.
"The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as

Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed **Void Arachne** that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0.

"The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as AI voice and facial technologies," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim said in a technical report published today.

"The campaign uses \[Search Engine Optimization\] poisoning tactics and social media and messaging platforms to distribute malware."

The cybersecurity firm, which discovered the new threat actor group in early April 2024, said the attacks entail advertising popular software such as Google Chrome, LetsVPN, QuickVPN, and a Telegram language pack for the Simplified Chinese language to distribute Winos. Alternate attack chains leverage backdoored installers propagated on Chinese-language-themed Telegram channels.

The links surfaced via black hat SEO tactics point to dedicated infrastructure set up by the adversary to stage the installers in the form of ZIP archives. For attacks targeting Telegram channels, the MSI installers and ZIP archives are directly hosted on the messaging platform.

The use of a malicious Chinese language pack is interesting not least because it poses a huge attack surface. Other kinds of software purport to offer capabilities to generate non-consensual deepfake pornographic videos for use in sextortion scams, AI technologies that could be used for virtual kidnapping, and voice-altering and face-swapping tools.

The installers are designed to modify firewall rules to allow-list inbound and outbound traffic associated with the malware when connected to public networks.

It also drops a loader that decrypts and executes a second-stage payload in memory, which subsequently launches a Visual Basic Script (VBS) to set up persistence on the host and trigger the execution of an unknown batch script and deliver the Winos 4.0 C&C framework by means of a stager that establishes C&C communications with a remote server.

An implant written in C++, Winos 4.0 is equipped to carry out file management, distributed denial of service (DDoS) using TCP/UDP/ ICMP/HTTP, disk search, webcam control, screenshot capture, microphone recording, keylogging, and remote shell access.

Underscoring the intricacy of the backdoor is a plugin-based system that realizes the aforementioned features through a set of 23 dedicated components compiled for both 32- and 64-bit variants. It can be further augmented via external plugins integrated by the threat actors themselves depending on their needs.

The core component of WinOS also packs in methods to detect the presence of security software prevalent in China, in addition to acting as the main orchestrator responsible for loading the plugins, clearing system logs, and downloading and executing additional payloads from a provided URL.

"Internet connectivity in the People's Republic of China is subject to strict regulation through a combination of legislative measures and technological controls collectively known as the Great Firewall of China," the researchers pointed out.

"Due to strict government control, VPN services and public interest in this technology have notably increased. This has, in turn, enhanced threat actors' interest in exploiting the heightened public interest in software that can evade the Great Firewall and online censorship."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Threat Actor 'Void Arachne' Targets Chinese Users with Malicious VPN Installers

A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.
The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,

Cybercrime / Cryptocurrency

A threat actor who goes by alias **markopolo** has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.

The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS), Recorded Future's Insikt Group said in an analysis published this week.

"This campaign, primarily targeting cryptocurrency users, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications," the cybersecurity company noted, describing markopolo as "agile, adaptable, and versatile."

There is evidence connecting the Vortax campaign to prior activity that leveraged trap phishing techniques to target macOS and Windows users via Web3 gaming lures.

A crucial aspect of the malicious operation is its attempt to legitimize Vortax on social media and the internet, with the actors maintaining a dedicated Medium blog filled with suspected AI-generated articles as well as a verified account on X (formerly Twitter) carrying a gold checkmark.

Downloading the booby-trapped application requires victims to provide a RoomID, a unique identifier to a meeting invitation that's propagated via replies to the Vortax account, direct messages, and cryptocurrency-related Discord and Telegram channels.

Once a user enters the necessary Room ID on the Vortax website, they are redirected to a Dropbox link or an external website that stages an installer for the software, which ultimately leads to the deployment of the stealer malware.

"The threat actor that operates this campaign, identified as markopolo, leverages shared hosting and C2 infrastructure for all of the builds," Recorded Future said.

"This suggests that the threat actor relies on convenience to enable an agile campaign, quickly abandoning scams once they are detected or producing diminishing returns, and pivoting to new lures."

The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.

The development comes as Enea revealed SMS scammers' abuse of cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to trick users into clicking on bogus links that direct to phishing landing pages that siphon customer data.

"Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .HTML files) containing embedded spam URLs in their source code," security researcher Manoj Kumar said.

"The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket."

In the final stage, the website automatically redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript and deceives them into parting with personal and financial information.

"Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning," Kumar said. "Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

The new book World on the Brink: How America Can Beat China in the Race for the 21st Century lays out what might actually happen if China were to invade Taiwan in 2028.

_In late March, a Taiwanese data analyst posted on social media about an odd satellite image: It appeared that the Chinese military had erected at one of its remote military bases in Inner Mongolia a series of roads that perfectly re-created the roads around the presidential palace in Taipei. The revelation only appeared to underscore the seriousness with which Chinese officials are proceeding with President Xi Jinping’s directive to be ready to invade the independent island by the late 2020s. As part of the research for his new book, World on the Brink: How America Can Beat China in the Race for the 21st Century, Dmitri Alperovitch journeyed to Taiwan, talked with multiple high-level officials and national security planners in Taiwan and the United States, and walked the possible invasion terrain to imagine just how such an invasion might occur. His scenario, excerpted here and which he imagines taking place on November 13, 2028, serves as the new book’s prologue._

Courtesy of Hachette Book Group

The winter season in Taiwan—lasting from November till March—is great for surfers. It’s no Bali or Hawaii, as the size of the waves and their consistency may vary, but the Northeast Monsoon, which brings in the cold China Coastal Current water into the Taiwan Strait, where it meets the warm Kuroshio Branch Current coming from the south, is known to form some significant waves. The Taiwan Strait is only about a hundred meters deep—shallow enough that during ice ages and the time of glaciers the island of Taiwan was physically connected to the Chinese mainland; but even in the modern era the 200-mile-long passage—which varies in width from about 100 nautical miles down to just 70 nautical miles and is one of the most vital shipping routes in the world—is known for frequent storms, large swells, and blinding fog and is bedeviled by annual summer typhoons from roughly May to October. Between the typhoons in the summer and the stormy high-wave winter season, there is no predictably perfect and easy time to launch a large-scale amphibious invasion of Taiwan, especially with the strait registering about 150 days a year of winds above 20 knots, rough seas for amphibious ships and landing craft. Any landing on Taiwan’s windy, shallow, and rocky beaches during that time is fraught and risky. Which is why, in the end, China decided to forego a beach landing and attempt an air assault on the island’s port and airfield facilities, the seizure of which would allow for rapid arrival of follow-on troops and logistical supplies to facilitate a successful occupation.

The operations planners in the People’s Liberation Army had had years to deliberate their invasion strategy, adjusting year after year as China’s own military capabilities grew and advanced. In the end, due to the unpredictability of the rough Taiwan Strait waters and the heavy fortifications the Taiwanese had built up around potential beach landing sites, the PLA came up with an innovative invasion plan—the opening stages of which they’d practiced repeatedly as the late 2020s unfolded. For several years, China had engaged in full-scale military exercises—loading up vast armadas of military and civilian ships with tens of thousands of troops, equipment, and matériel and heading toward Taiwan, always stopping just short of the 12-nautical-mile limit that marks the start of the island’s territorial waters. They figured they could practice with some impunity, because they knew Taiwan could never afford to respond aggressively. One of the island’s greatest defense dilemmas had long been its inability to respond to hostile provocations and threats with force—lest it be accused of instigating a conflict. US officials had warned Taiwanese leadership for years that under no circumstances could they fire the first shot—they had to take the Chinese punch before retaliating. Portraying China as the aggressor would be a critical step in building the international case that Chinese leader Xi Jinping was alone responsible for starting any war. The stakes couldn’t have been higher: After all, even if the Taiwanese fired first at the PLA armada after it crossed Taiwan’s territorial boundary, Beijing could still dispute the shooting as unprovoked and claim that it occurred in international waters—muddying the geopolitical waters such that Taiwan risked losing key moral and diplomatic support around the world. Too many countries wanted the excuse—they would only be too eager to continue trading with China, the world’s second largest economy, irrespective of the conflict. If Taiwan was to survive and rally the world to its cause, it couldn’t afford to offer that excuse.

The final Chinese PLA plan counted on precisely that Taiwanese restraint when China’s ships entered Taiwan’s waters and closed in on the vital northwestern coastal Port of Taipei, a modern facility completed in 2012 that boasted 4,500 feet of so-called berth space, a substantial amount of space available for cargo offloading. There the PLA planned to leverage existing infrastructure to rapidly unload hundreds of thousands of troops and thousands of tanks, armored vehicles, heavy engineering equipment, weapons, munitions, and the logistics supplies needed for the conquest of the island. While Taipei wasn’t the largest port in Taiwan, the rapid capture of its docks was essential to the success of the operation, since other Taiwanese port facilities were too far away from the capital city. That distance and Taiwan’s extensive array of steep mountains and winding rivers made the rapid transport of a large PLA armored force from any other port or beach to the capital all but impossible.

The operational plan called for moving eight modern Type 075 Yushen-class amphibious assault ships, each with more than 30,000-ton displacement, right up to Taiwan’s maritime border, while being protected by PLA Navy (PLAN) guided-missile destroyers. Xi Jinping’s regime had rapidly constructed the Yushen ships specifically with this mission in mind; each was a highly capable delivery platform for air assault operations, carrying a mix of up to 28 attack and heavy transport helicopters and 800 troops. In the early morning hours, once the final order was given, 200 Z-8 and Z-20 transport helicopters, all backed up by Z-10 attack gunships, would take off from the ship landing docks and head for the Taipei port, as well as the Taoyuan International Airport, 10 miles south, and the smaller Taipei Songshan Airport, located right in the center of the capital city, just three miles north of the Zhongzheng government district. The plan called for helicopters to make the journey in 10 minutes. (Ironically, these aircraft were built based on legally acquired Western technology—the Z-8 came from an original French-licensed design and the Z-20 from the UH-60 Black Hawk, which America had sold to China in the 1980s. The Z-10 was built with Pratt & Whitney engines and assisted by European Airbus and AgustaWestland transmission and rotor installation designs.)

The heliborne brigades of the PLA Air Force (PLAAF) Airborne Corps, China’s equivalent to the United States’ 101st Airborne Division, would assault, capture, and secure the port and airport facilities, in preparation for follow-on forces with armored vehicles that would land at the airfields on the Chinese Y-20 and Russian-made IL-76 troop transport planes. As those transport planes descended, dozens of large roll-on/roll-off (RORO) ferries and vehicle transport ships—all built with “national defense requirements” and appropriated from Chinese industry by the PLAN—would rush into the captured port and unload tens of thousands of troops and hundreds of additional tanks and infantry fighting vehicles. Anticipating that the Taiwanese might manage to destroy the port’s infrastructure ahead of the Chinese landing, the PLA has spent years practicing rapid offloading of these vessels in ports with minimal cargo handling infrastructure, such as a lack of pier-side ramps or tugboat support. Simultaneously, PLAAF land-based missiles, rockets, and bombers, along with attack aircraft deployed from two Chinese carriers positioned off Taiwan’s eastern coast, would pummel Taiwan’s air bases in an attempt to take the island’s relatively small air force out of commission before it could get into the fight—destroying runways, fuel depots, and maintenance infrastructure and targeting the island’s prized fleet of F-16 fighter jets. Mainland-based precision-guided ballistic and cruise missiles, together with long-range, truck-mounted PHL-16 multiple rocket launchers and kamikaze drones, would all target stationary radars, fixed weapons platforms, critical command, control, communications nodes, naval facilities, energy infrastructure, and TV and radio transmission towers to sow chaos and impede the highly centralized decisionmaking of the Taiwanese military. American-built Patriot air defense batteries, as well as Taiwan’s indigenously developed Sky Bow systems, troop barracks, and anti-ship batteries were also high priority targets.

Latest News