By Deeba Ahmed
Undetected for Over 11 Months, AsyncRAT Lurked on Systems of Sensitive US Agencies with Critical Infrastructures, reports the…
This is a post from HackRead.com Read the original post: AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs

Undetected for Over 11 Months, AsyncRAT Lurked on Systems of Sensitive US Agencies with Critical Infrastructures, reports the AT&T Alien Labs.

Cybersecurity researchers at AT&T Alien Labs have discovered a campaign delivering the old and notorious AsyncRAT, a remote access trojan, to targeted systems over 11 months. The open-sourced RAT, released in 2019, has been used in multiple campaigns by various threat actors, including the APT Earth Berberoka (or GamblingPuppet) due to its keylogging, exfiltration techniques, and initial access staging.

In early September 2023, AT&T Alien Labs recorded a surge in phishing emails targeting specific individuals in specific companies, containing GIF attachments and SVG files, which facilitate the downloading/execution of “highly obfuscated” JavaScript files, PowerShell scripts, and an AsyncRAT client.

AT&T Alien Labs’ cybersecurity researcher Fernando Martinez wrote in the company’s blog post that users on X (formerly Twitter), including reecDeep and Igal Lytzki, reported this peculiarity in the code, prompting the researchers to continue to look for more AsyncRAT samples going as far back as February 2023.

Researchers discovered that the campaign operators, with a focus on firms managing crucial US infrastructure, meticulously selected their targets. To avoid detection, they implemented obfuscation and anti-sandboxing techniques. The strategy involved random generation of variable names and values to enhance detection evasion. Additionally, they adopted a weekly recycling approach for DGA domains and employed redirection decoys to further thwart analysis efforts.

The loader’s modus operandi is spread over multiple stages with strong obfuscation techniques employed to deliver JavaScript files to targeted victims. The payload is delivered through malicious phishing webpages, containing long strings with randomly positioned words.

A similar sample delivering AsyncRAT in March 2023 (reported by Ankit Anubhav) was hidden between Sanskrit characters. However, it employed different TTPs to deliver the final payload indicating that it was part of another campaign.

The code is constantly changing, obfuscated, and randomized, making it hard to detect. Domains like sduyvzeptop and orivzijetop share common characteristics like a Top Level Domain, 8 random alphanumeric characters, a registrar organization, and a country code, raising suspicion.

The Domain Generation Algorithm (DGA) creates a seed based on the day of the year and makes modifications to ensure a new domain is created every seven days, with Sunday being the purposeful generation. The seed is then used to select 15 letters from ‘a’ to ‘n’, with variables (2024 and 6542) changing in scripts for different domain patterns.

AT&T Labs discovered that an organization, Ivan Govno, has registered numerous domains with the Nicenic registrar, some with TLD top and matching attributes. The domains are hosted on BitLaunch (with identifier 399629), known for allowing payments in cryptocurrencies like Bitcoin, Ethereum, or Litecoin, which attracts cybercriminals.

BitLaunch is the cheapest option, but it offers users the option to pay in crypto and get hosted in a more reliable ASN. The DGA domains are hosted on DigitalOcean.

It is worth noting that this campaign is active, with ongoing domain registration and an OTX pulse providing more information. Nevertheless, AsyncRAT is a threat to individuals and organizations and makes it necessary to implement advanced security solutions and increased vigilance against emerging malware strains.

****_RELATED ARTICLES_****

1.  **Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads**
2.  **Microsoft Disables App Installer After Feature is Abused for Malware**
3.  **UAC-0099 Hackers Using Old WinRAR Flaw in Cyberattack on Ukraine**
4.  **Fake hotel reservation phishing uses PDF links to spread MrAnon Stealer**
5.  **Hacker disrupts Emotet botnet operation by replacing payload with GIFs**

AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs

By Owais Sultan
The web extension, patented in the U.S. and U.K., is now available for pre-order in a limited, pre-sale event.
This is a post from HackRead.com Read the original post: Cyqur Launches A Game-Changing Data Encryption and Fragmentation Web Extension

In today’s almost entirely digitised, cyber world, it’s imperative that private data and passwords remain secure and protected at all times. **According to** Business Insider (2022), Bitcoin investors are likely to lose up to $545 million in 2023, owing to various reasons like forgetting passwords to their wallets or wrongly recording their seed phrases.

In most cases, safeguarding **sensitive access credentials** requires entrusting them to third-party databases. This has proven to be a highly unreliable strategy, with data servers being unavailable or becoming compromised more and more frequently. A new type of solution is needed to combat the ever-growing proliferation of unauthorised data breaches. 

****A new level of data cyber safety** **

Cyqur is an easy-to-install browser extension, geared towards developers, **DeFi** enthusiasts, NFT collectors, remote workers, artists and creators, digital natives, and anyone else who is reluctant to entrust third parties with their most sensitive credentials.

The simple, yet powerful encryption and decryption web extension facilitates the storage and transmission of private data (passwords, seed phrases, etc.). The patented solution helps users achieve unparalleled peace of mind for their digital profiles. 

****What makes Cyqur different****

By design, the Cyqur solution does not store the user data on his behalf either through third-party servers, or any other centralised means. Instead, it encrypts the user data and then fragments that encrypted data across a number of cloud storage locations chosen and controlled by the user.

Because of the fragmentation and decentralisation of data storage in this manner, all cloud storage locations can’t be compromised at the same time. This is a level of security that modern password managers and vaults can’t offer.  

****How Cyqur helps users achieve peace of mind****

1.  **Secure storage**: User access credentials are duplicated, fragmented, encrypted, and scattered across multiple cloud storage locations that the user alone 100% owns and controls, all the while ensuring your data fragments remain encrypted at rest. Cyqur does not have access to any of your data and it doesn’t scrape or share user browsing data. 
2.  **Proprietary approach**: Safeguards user data by using an immutable, automated, unique, independent, public blockchain proof of record for every access credential secured. User digital profile succession planning is ensured through the Custodian of Last Resort.
3.  **Breach protection:** In case of a breach, hackers only access incomplete and useless data, while you retain uninterrupted complete access to your user credentials that remain protected and safe.
4.  **Crypto wallet protection**: Specifically designed to provide next-level peace of mind by securing all access credentials to your valuable wallets, including your previous seed words.
5.  **Uninterrupted access and credential sharing**: Users retain complete and uninterrupted access to their most important data, even offline. 

****Limited opportunity to purchase at a discounted rate****

Users who purchase Cyqur at this time will receive a 70% early-bird discount (from €48 to €15) for the first year. Users can get their annual license and start securing their cyber data **here**.

****About Cyqur****

Cyqur was brought to market by Binarii Labs to offer a new way of securing data. Designed with the utmost care and attention to detail, it provides unprecedented security in online data storage, which isn’t reliant on third-party solutions.

Whether it’s seed phrases, passwords, NFTs, pins, private blockchain keys, usernames, exchange accounts, hot & cold wallets, or any other access credentials that need to remain safe, Cyqur offers its users this high level of protection.

**Contact:**

*   Ciarán McNamee
*   +353874299202
*   \[email protected\]

****_RELATED ARTICLES_****

1.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
2.  **ProtonVPN launches extensions for Chrome and Firefox browsers**
3.  **Guardio: Can This Browser Extension Protect You From Cybercrime?**

Cyqur Launches A Game-Changing Data Encryption and Fragmentation Web Extension

By Waqas
NIST Unveils Insights on AI Vulnerabilities and Potential Threats.w
This is a post from HackRead.com Read the original post: Poisoned Data, Malicious Manipulation: NIST Study Reveals AI Vulnerabilities

The National Institute of Standards and Technology (NIST) has exposed critical AI vulnerabilities that can be exploited by threat actors to create potential avenues for compromising AI systems.

In a comprehensive study, researchers at the National Institute of Standards and Technology (NIST) dug into the vulnerabilities in **artificial intelligence (AI)** systems, revealing the exploitation of untrustworthy data by adversaries and malicious threat actors.

Despite concerns, Artificial Intelligence has become a vital player in our lives. From **detecting dark web cyber attacks** to **diagnosing critical medical conditions** when doctors fall short, it is safe to say that AI is here to stay. However, it requires strong cybersecurity measures to prevent it from falling into the hands of malicious threat actors.

Therefore, the research, titled “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” can be termed a significant contribution to the ongoing effort to establish trustworthy AI.

****AI Vulnerabilities Exposed: No Foolproof Defense****

NIST’s computer scientists have discussed the inherent risks associated with AI systems, revealing that attackers can intentionally manipulate or “poison” these systems to cause malfunction.

The publication emphasizes the absence of a foolproof defence mechanism against such adversarial attacks, urging developers and users to exercise caution amidst claims of impenetrable safeguards.

****AI in the Crosshairs: Understanding Attacks and Mitigations****

The **study** classifies major attacks into four categories: evasion, poisoning, privacy, and abuse. Evasion attacks aim to alter inputs post-deployment, while poisoning attacks introduce corrupted data during the training phase.

Privacy attacks occur during deployment, seeking to extract sensitive information for misuse, and abuse attacks involve inserting incorrect information into AI sources.

If an adversary manipulates an AI system’s decision-making, it can malfunction. For instance, in an “evasion” attack, misleading road markings could cause a driverless car to veer into oncoming traffic. NIST’s new publication outlines such adversarial tactics and suggests mitigation approaches. _Credit: N. Hanacek/NIST_

****Challenges and Mitigations:****

The research acknowledges the challenges in safeguarding AI from misdirection, particularly due to the massive datasets used in training, beyond the scope of human monitoring. NIST provides an overview of potential attacks and corresponding mitigation strategies, emphasizing the community’s need to enhance existing defences.

****AI’s Vulnerability Spotlight: The Human Element****

Highlighting real-world scenarios, the study explores how adversarial actors can exploit vulnerabilities in AI, resulting in undesirable behaviours. **Chatbots**, for instance, may respond with **abusive language** when manipulated by carefully crafted prompts, exposing the vulnerability of AI in handling diverse inputs. For the complete research material behind this study, visit **here** (PDF).

For insights into NIST’s latest study, we reached out to **Joseph Thacker**, principal AI engineer and security researcher at AppOmni, a SaaS security pioneer. Joseph told Hackread.com that NIST’s study is “the best AI security publication he has seen so far.

“This is the best AI security publication I’ve seen. What’s most noteworthy are the depth and coverage. It’s the most in-depth content about adversarial attacks on AI systems that I’ve encountered. It covers the different forms of prompt injection, elaborating and giving terminology for components that previously weren’t well-labelled,” noted Joseph.

“It even references prolific real-world examples like the DAN (Do Anything Now) jailbreak and some amazing indirect prompt injection work. It includes multiple sections covering potential mitigations but is clear about it not being a solved problem yet,” he added.

“There’s a helpful glossary at the end, which I personally plan to use as extra “context” to large language models when writing or researching AI security. It will make sure the LLM and I are working with the same definitions specific to this subject domain. Overall, I believe this is the most successful over-arching piece of content covering AI security,” Joseph emphasised.

****Developers’ Call to Action: Enhancing AI Defenses****

NIST encourages the developer community to assess and improve existing defences against adversarial attacks critically. The study, a collaborative effort between government, academia, and industry, provides a taxonomy of attacks and mitigations, recognizing the evolving nature of AI threats and the imperative to adapt defences accordingly.

****_RELATED ARTICLES_****

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **Dark Web Pedophiles Using Open-Source AI to Generate CSAM**
3.  **AI Model Listens to Typing, Potentially Compromising Sensitive Data**
4.  **AI-powered Customer Communication Platforms for Contact Centers**
5.  **Deepfakes Are Being Used to Circumvent Facial Recognition Systems**

Poisoned Data, Malicious Manipulation: NIST Study Reveals AI Vulnerabilities

By Deeba Ahmed
The most recent cyber attack occurs against the backdrop of escalating tensions between Lebanon and Israel.
This is a post from HackRead.com Read the original post: Beirut Airport Screens Hacked with Anti-Hezbollah Message

The airport’s advertisement and flight information screens were hacked with messages criticizing Hezbollah and its leaders, accusing them of jeopardizing Lebanon and risking war with Israel.

The information display screens at Beirut’s international airport were hacked by anti-Hezbollah groups, highlighting the intensification of ongoing clashes between the Lebanese militant group and the Israeli military. The screens, which display arrival/departure times, displayed a message accusing Hezbollah of putting Lebanon at risk of war with Israel.

“Hassan Nasrallah, you will no longer have supporters if you curse Lebanon with a war for which you will bear responsibility and consequences,” the message read.

> Reporting #Lebanon: ❗️The airport in Beirut (Lebanon) became the victim of a cyber attack. Info screens broadcast a message directed against Hezbollah and Iran.  
> "Hezbollah has not left anyone with any end-of-life experiments. You bombed our port, and now you can bomb our airport" pic.twitter.com/aBQ6VMTXZW
> 
> — godfather (@Truthgodfather) January 8, 2024

The screens featured logos from a hardline anti-LGBTQ+ Christian group called Soldiers of God and a lesser-known group called The One Who Spoke. Soldiers of God posted a video statement denying its involvement whereas The One Who Spoke shared screenshots of the screens on its social media pages.

According to **MTV Lebanon**, the hack disrupted baggage inspection as passengers took photos of the screens and shared them on social media. 

For your information, Hezbollah has been striking Israeli military bases near Lebanon’s northern border since October 8, one day after the Hamas-Israel war began and intensified last week after an Israeli strike killed Hamas official Saleh Arouri in southern Beirut.

On Saturday, Hezbollah leader Sayyed Hassan Nasrallah vowed to keep retaliating, dismissing criticism of a full-scale war with Israel unless the latter launches one. If it happens, Hezbollah predicts a limitless war.  

“We cannot keep silent about a violation of this seriousness because this means that all of our people will be exposed . All of our cities, villages, and public figures will be exposed,” Nasrallah said.

After Arouri’s killing, Hezbollah launched 62 rockets targeting an Israeli air surveillance base on Mount Meron, striking two army posts and causing direct hits. The Israeli military stated that 40 rockets were fired, targeting a base. Israeli army’s spokesperson, Rear Adm. Daniel Hagari, reported no casualties, while Hezbollah claimed six fighters were killed, taking the total death toll to 150 since the beginning of clashes.

Nevertheless, focusing on airport screens is a widely used method for showcasing hacktivism in the region. **In May 2018**, the airport screens at Mashhad city in northeast Iran were hacked and defaced by an unknown group of hackers with messages against the Iranian government.

****_RELATED ARTICLES_****

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **Hackers Defaces Israeli-Made Equipment at US Water Agency**
3.  **Iran State-TV’s Live Transmission Hacked by Edalate Ali Hackers**
4.  **Hezbollah linked hackers hit companies in global malware attack**
5.  **Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack**
6.  **Hamas-Linked Group Revives SysJoker Malware, Leverages OneDrive**

Beirut Airport Screens Hacked with Anti-Hezbollah Message

By Waqas
In-depth analysis reveals concerning patterns in user data collection, with shopping and food delivery apps at the forefront.
This is a post from HackRead.com Read the original post: Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps, Study

According to Surfshark, a third of data collected by these apps is susceptible to tracking by third-party advertisers or data brokers, posing a significant threat to user privacy.

In the latest study conducted by Surfshark’s Research Hub, an in-depth analysis of 100 popular apps has revealed troubling trends in data privacy practices. The research zeros in on shopping and food delivery apps, shedding light on the unsettling reality that Amazon Shopping and Wish are leading when it comes to collecting user data.

It’s not surprising that Amazon is taking the lead, but unfortunately, it’s for all the wrong reasons. Back in November 2023, Atlas VPN **conducted a study** that uncovered some unsettling facts. Amazon, along with eBay and Afterpay, emerged as the top Android shopping apps when it comes to collecting user data, surpassing all other apps in their data-hungry practices.

****Shopping and Food Delivery Apps: Data Hungry Culprits****

Surfshark’s study indicates that among various app categories, shopping and food delivery apps stand out as the most data-hungry, with Amazon Shopping and Wish taking the lead. An unexpected revelation is that more than a third of data collected by these apps is susceptible to tracking by third-party advertisers or data brokers, posing a significant threat to user privacy.

****User Tracking and Linking: The Alarming Statistics****

According to the company’s **report**, On average, shopping and delivery apps collect a staggering 21 out of 32 possible data points, with a startling 95% linked directly to the user’s identity.

Wish emerges as the most data-hungry app within this category, collecting 24 out of 32 data points, and utilizing over a third of the data to track its users. **DoorDash** and Wish stand out, with 40% of collected data points dedicated to user tracking, including sensitive information like email addresses, precise location, and purchase history.

Amazon, on the other hand, while not engaging in user tracking, emerges as a unique data collector, amassing 25 out of 32 possible data points, all intricately linked to the user’s identity.

****Food Delivery Apps and Intrusive Data Practices****

Zooming in on food delivery apps, **Uber Eats** takes the lead in tracking the most data points, sharing 12 out of 21 collected data points with third parties. The study also scrutinizes GrubHub and Instacart, uncovering their respective data collection practices.

****App-wide Data Collection Trends****

An astonishing 1523 data points are collected across the 100 apps under scrutiny, averaging 15 unique data points per app. Notably, 90% of these apps collect essential usage, diagnostic, and identifier data crucial for their functionality. Two-thirds of the apps collect user names and coarse location, while almost half track precise location data.

****Facebook, Instagram, AI Generated Art, and Signal****

Facebook and Instagram emerged as the most privacy-invasive apps, collecting all 32 data points defined by Apple. The app with the lowest data collection appetite is AI Generated Art, standing out as the sole app that refrains from gathering any data points. **Signal**, not so surprisingly, stands out in the top 10 most privacy-sensitive list, collecting only one data point (phone number) that is not linked to or used to track the user.

Surfshark

****Recommendations for Users****

Surfshark advises users to scrutinize developers’ reputations and data retention policies before downloading apps. Additionally, paying attention to constant permission requests for access to sensitive information and limiting app access to information only when in use can contribute to enhanced privacy.

The study analyzed 100 apps across 10 categories, selecting them based on search engine results. Three layers of data points were considered: unique data points collected, data linked to the user, and data used to track the user.

Surfshark’s Lead Researcher, Agneska Sablovskaja, emphasizes, “Understanding an app’s privacy policy is crucial for safeguarding digital autonomy.” With this study, Surfshark aims to empower users with knowledge, allowing them to make informed decisions about the apps they choose to incorporate into their digital lives.

1.  **Watchdog Sues Adobe Over Mass Collection of Citizen Data**
2.  **Amazon Still Selling T95 TV Box with Pre-Installed Malware**
3.  **How data collected in gaming can be used to breach user privacy**
4.  **Lithuania wants users to dump Chinese phones citing data collection**
5.  **‘Off-Facebook Activity Tool’ lets users control data collected by websites**

Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps, Study

By Waqas
According to DNA service provider 23andMe, if you are a user, you are to be blamed for reusing your password on other sites.
This is a post from HackRead.com Read the original post: 23andMe blames its users for the massive data breach

In a lawsuit stemming from a data breach, DNA service provider 23andMe has drawn sharp criticism for its response letter, in which it attempts to pin the blame on the affected customers.

In October 2023, 23andMe, the popular DNA testing company based in Mountain View, California, **experienced a data breach**. During this incident, hackers exposed the personal information of more than 7 million customers.

Additionally, another hacker attempted to sell genetic records of 23andMe users for $100,000 for a bundle of 100,000 profiles. The information taken by the hackers in the data breach included the following details:

*   **Names**
*   **Genders**
*   **Birth years**
*   **Ancestry reports**
*   **Some DNA data**
*   **Self-reported locations**
*   **Predicted relationships**
*   **Most recent login dates**
*   **Relationship labels (e.g., “mother,” “cousin”)**
*   **Health-related information based on genetic profiles**
*   **Percentage of DNA shared with DNA Relatives matches**

As a consequence of the data breach, 23andMe is facing a lawsuit. In a letter filed in the Circuit Court of Cook County, the company attributed the data breach to customers themselves, contending that the breach occurred because users reused their login credentials.

Specifically, the company claims, users employed the same usernames and passwords on 23andMe as on other websites that had experienced previous security breaches. According to 23andMe, this practice and users’ failure to update their passwords after these incidents were unrelated to any security lapses on 23andMe’s part.

The **letter** also claims that threat actors could not have caused “pecuniary harm_”_ as it lacked Personal Identifiable Information (PII) data, such as social security number, driver’s license number, or any payment or financial information.

> _“… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”_ “_Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been set to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information)_._”_
> 
> 23andMe

It is worth noting that initially, 23andMe claimed only 14,000 accounts were directly compromised, stating the hackers used “**credential stuffing**“, meaning stolen login credentials from other websites were used to access 23andMe accounts. This led some to criticize the company for suggesting user negligence played a role in the breach.

However, further investigation revealed the attackers accessed information from a much larger number of profiles: 5.5 million **DNA** Relatives profiles and 1.4 million Family Tree profiles connected to the compromised accounts. While 23andMe still maintains the initial breach involved 14,000 accounts, this broader access to information fueled criticism that the company downplayed the severity of the incident.

23andme leaked on a popular Russian hacker and cybercrime forum (Screenshot: Hackread.com)

It’s important to note that relying solely on passwords is considered a security vulnerability. This is why many experts advocate for **two-factor authentication (2FA)** as an additional layer of security. Interestingly, 23andMe introduced mandatory 2FA for all users after the breach, suggesting they acknowledged the password-only system wasn’t sufficient.

For insights into 23andMe’s claims, we reached out to **Nick Rago**, Field CTO at **Salt Security**, adds:, who emphasised that, “In this age of sophisticated social engineering attacks, any claim that a data breach can not cause “pecuniary harm” because it did not consist of social security numbers, driver’s license number, or credit card data has to be done tongue in cheek._”_

Nick countered 23andMe’s version of things explaining hackers do not require PII data to harm unsuspecting users, especially with the emergence of deepfake and AI technologies. Nick also warned that revealing genealogy or relationship details can aid attackers in constructing targeted social engineering attacks on both small and large scales.

“Exposing any genealogy or relationship information would be quite useful to an attacker when building a targeted social engineering attack, whether it be targeted at scamming a consumer, stealing an identity, or as a phase of a more sophisticated attack campaign, such as getting privileged system access in a corporate infrastructure_,”_ said Nick.

**Erfan Shadabi**, Cybersecurity Expert at **comforte AG**, told Hackread.com, “Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity. While it is true that users must follow best practices for account safety, companies also must protect the sensitive information that has been entrusted to them. It is admirable that 23andMe has taken the recent step of requiring two-factor authentication (2FA) to strengthen defences against credential-stuffing attacks._”_

****_RELATED ARTICLES_****

1.  **DNA testing website MyHeritage hacked; 92M user accounts stolen**
2.  **Researchers Encode Physical DNA with Malware to Infect Computers**
3.  **Software firm leaks 25GB worth of subscription, Ancestry.com user data**

23andMe blames its users for the massive data breach

By Waqas
CISA Urges Swift Action as Two Critical Vulnerabilities Emerge.
This is a post from HackRead.com Read the original post: CISA Warns of Exploited Vulnerabilities in Chrome and Excel Parsing Library

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent notice to federal agencies, setting a deadline of January 23 for mitigation efforts.

The Cybersecurity and Infrastructure Security Agency (CISA) has identified and added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerabilities in question involve a recently patched flaw within Google Chrome and a bug affecting the open-source Perl library “Spreadsheet::ParseExcel,” designed for reading information in Excel files.

The specific vulnerabilities are as follows:

1.  **CVE-2023-7024:** Google Chromium WebRTC Heap Buffer Overflow Vulnerability
2.  **CVE-2023-7101:** Spreadsheet::ParseExcel Remote Code Execution Vulnerability

****CVE-2023-7024:****

CVE-2023-7024 was a critical vulnerability in the WebRTC component of Google Chrome, discovered in December 2023. It allowed attackers to potentially exploit a heap buffer overflow via a specially crafted HTML page, ultimately gaining control of a victim’s computer.

Google patched the security vulnerability in December 2023 and is no longer considered a threat for users who have updated their Chrome browser to the patched version. However, it’s important to keep your browser and other software up to date to protect yourself from future vulnerabilities.

****CVE-2023-7101****

CVE-2023-7101 is a critical vulnerability affecting Spreadsheet::ParseExcel, a Perl module used for parsing Excel files. It exposes a remote code execution (RCE) risk, allowing attackers to potentially take control of a vulnerable system through specially crafted Excel files.

The vulnerability allows attackers to upload a malicious Excel file to a vulnerable system. The vulnerability can also be exploited via the evaluation of Number format strings, leading to arbitrary code execution on the system. This could allow attackers to steal sensitive data (passwords, personal information, etc.), install malware, disrupt system operations and take complete control of the affected system.

Users operating systems with software dependent on Spreadsheet::ParseExcel version 0.65 are currently exposed to this security risk. This vulnerability extends its reach to various applications and frameworks developed with Perl, thereby potentially affecting a broad spectrum of systems.

A patched version, 0.66, has been released by Metacpan to address the identified vulnerability. As a precautionary measure, users are strongly advised to promptly update to this patched version. In cases where immediate updating is not feasible, it is recommended to implement mitigating measures such as restricting file uploads or disabling the functionality associated with Spreadsheet::ParseExcel.

CISA has issued an urgent notice to federal agencies, setting a deadline of January 23 for mitigation efforts. Agencies are instructed to follow vendor guidelines for resolving these vulnerabilities promptly or cease the use of the affected products.

For insights into the CVE-2023-7101 vulnerability, we reached out to Mr. Aubrey Perin, Lead Threat Intelligence Analyst at Qualys Threat Research Unit who told Hackread.com that, “CVE-2023-7101 is a Perl library vulnerability that has gained notable traction, evidenced by its usage in appliances by network and email security firm Barracuda.”

“Businesses are advised to thoroughly assess their environments for instances of ‘Spreadsheet::ParseExcel’ requiring updates or removal,” Aubrey advised. “Barracuda’s observations indicate that Chinese threat actors utilized this vulnerability to deploy malware. With the vulnerability now public, there is a heightened risk of ransomware threat actors leveraging it for their malicious tooling,” Aubrey warned.

****_RELATED ARTICLES_****

1.  **CISA Offers Recovery Tool for ESXiArgs Ransomware Victims**
2.  **CISA Publishes List of Free Cybersecurity Tools and Services**
3.  **FBI and CISA Issue Joint Advisory on Snatch Ransomware Threat**
4.  **New CISA Advisories Highlight Vulnerabilities in Top ICS Products**
5.  **CISA Warns of Flaws in Propump, Controls’ Osprey Pump Controller**

CISA Warns of Exploited Vulnerabilities in Chrome and Excel Parsing Library

By Waqas
The hackers changed Mandiant's Twitter handle from "@Mandiant" to "@phantomsolw."
This is a post from HackRead.com Read the original post: X Account of Google Cybersecurity Firm Mandiant Hacked in Crypto Scam

The attacker utilized the compromised Mandiant account to promote a cryptocurrency scam by posing as the Phantom crypto wallet and luring users with a fake airdrop.

On Wednesday, January 3, 2024, at approximately 8:00 PM, Google’s Mandiant cybersecurity firm experienced a security breach in its X account (formerly known as Twitter).

Following the breach, unidentified hackers, (crypto scammers), exploited the compromised account by carrying out a cryptocurrency scam to the firm’s extensive follower base, which exceeded 122,000 users.

Mandiant, which was acquired by Google for $5.4 billion in September 2022, was observed sending out tweets to unsuspecting users that contained links to Phantom, a cryptocurrency wallet.

The attacker utilized the account to promote a cryptocurrency scam, posing as the Phantom crypto wallet and luring users with a fake airdrop. Additionally, the hackers changed Mandiant’s Twitter handle from “@Mandiant” to “@phantomsolw.”

Although Mandiant managed to regain control of the account, restoring it to its original state proved challenging due to Twitter’s restrictions on frequent name changes. However, at the time of writing, Mandiant’s Twitter account was successfully restored, and the malicious links from the scammers were removed from its timeline.

Screenshots: Hackread.com

The hacking of Mandiant’s Twitter account should not be viewed as a surprising incident. Scammers are notorious for compromising and taking control of high-profile accounts, often by exploiting 0-day vulnerabilities or leaked credentials from past data breaches and leaks.

In July 2020, the world witnessed a series of high-profile Twitter account hacks, orchestrated to execute cryptocurrency scams. Among the compromised accounts were those belonging to prominent figures and companies, such as Barack Obama, Joe Biden, Bill Gates, Elon Musk, Justin Sun, Apple, Uber, Coinbase, Gemini, Kanye West, Jeff Bezos, Kim Kardashian, and others.

In September 2020 and December 2021, the Twitter account of the Indian Prime Minister, Narendra Modi, fell victim to hacking incidents where the attackers exploited the compromised account to promote Bitcoin scams.

Additionally, in June 2022, the Twitter account of the British Military was compromised, and the hackers utilized the breach to push a cryptocurrency scam.

In September 2023, the Twitter account of ETH founder Vitalik Buterin experienced a security breach, resulting not only in unauthorized access but also in the theft of $700,000 by scammers.

Nevertheless, the hacking of a cybersecurity company is a matter that cannot be overlooked. The situation is further complicated by the sale of Twitter accounts with the Gold checkmark by scammers, intensifying challenges in addressing phishing and disinformation on the platform.

If you use social media or are involved in cryptocurrency investment, follow these simple yet vital tips to keep your accounts secure:

*   Never share your private keys or passwords with anyone.
*   Be wary of any investment that seems too good to be true.
*   Use a strong password manager to keep your passwords safe.
*   Only invest in cryptocurrencies that you understand and that have a good reputation.
*   Be careful about clicking on links in emails or social media posts, especially if they promise free money or tokens.

****_RELATED ARTICLES_****

1.  **Mandiant Denies Hacking Claims By LockBit Ransomware**
2.  **Mandiant Tracks 4 Uncategorized Groups Exploiting Citrix Flaw**
3.  **Cybersecurity Firm Acronis Data Breach: Hackers Leak 21GB of Data**
4.  **Twitter Confirms Data Breach as 5.4M Accounts Sold on Hacker Forum**
5.  **Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials**

X Account of Google Cybersecurity Firm Mandiant Hacked in Crypto Scam

By Deeba Ahmed
Buy Your Verified Scam: Researchers Expose Twitter Gold Account Black Market.
This is a post from HackRead.com Read the original post: Scammers Selling Twitter (X) Gold Accounts Fueling Disinfo, Phishing

Scammers are peddling compromised and newly created Twitter Gold accounts, resulting in scams and disinformation.

Cybersecurity researchers at CloudSEK have published a white paper titled “Gold Rush on the Dark Web: Threat Actors Target X (formally Twitter) Gold Accounts,” highlighting the rise in scam campaigns surrounding Twitter’s new tiered verification system, Gold accounts, introduced in December 2022.

As per the company, cybercriminals are actively selling compromised Twitter accounts, specifically leveraging accounts with the platform’s prestigious “Gold” verification badge. Contrary to their intended use, these badges are typically reserved for high-profile individuals and businesses.

These badges, displayed alongside the familiar blue and grey ticks, enhance visibility and provide exclusive features. The cost to obtain a gold verification badge is $1,000 per month in the U.S. Unfortunately, this exclusivity also makes these accounts lucrative and prime targets for cybercriminals.

The paper, authored by Rishika Desai, discusses the unauthorized acquisition of Twitter Gold accounts, risks like phishing and disinformation campaigns, and the need for strong cybersecurity practices.

CloudSEK researchers discovered a rise in sales of Twitter Gold accounts with verification on dark web forums and marketplaces. These ads are traced back to online shops and their marketing partners, with most detected using Google Dork.

In a particular case, a compromised Twitter Gold account had its primary domain set as abc.com. The latest post was published in 2019. Afterwards, in 2022, a new post emerged, creating a clear link to the purchase of gold from cybercriminals occurring after 2019.

The new post directed users to an alternate domain, ‘ABC.XYZ,’ established just two months ago. Investigation into the passive DNS resolution by CloudSEK suggested the account can spread disinformation, phishing websites, job scams, and crypto scams. These accounts can also be redirected to malware or embedded Trojans.

Additionally, researchers discovered accounts with a gold tick mark subscribed, posting links to malicious domains. The price distributions varied based on the type of account, with fresh homegrown accounts costing $0.30, blue tick accounts costing $35, older accounts costing $1.5, and converted accounts costing $1200-$2000. Blue and gold affiliates cost $150 and $500 per account, respectively.

Threat actors offer 15 inactive accounts per week for conversion into gold subscriptions, resulting in over 720 accounts annually, with sales ranging from USD 1200 to USD 2000 and gold badges ranging from USD 1200 to USD 2000.

Screenshot: CloudSEK

Upon further digging, researchers identified that the compromise methods in this campaign include brute-forcing passwords and malware, while scam tactics include phishing links and disinformation campaigns. All purchases are made through a middleman, ensuring authenticity.

Sellers can boost followers of purchased accounts for as low as USD 135, and buyers can add multiple affiliates for free but must pay USD 50 per affiliate to indicate the sub-account is part or affiliated with the Prime Gold account.

Threat actors often replace unused accounts with their data, preventing the primary user from recovering. Researchers at CloudSEK collected six Twitter Gold-enabled accounts, with followers ranging from 2000 to over 72,000.

The first advertisement for Twitter Gold accounts was traced back to March 2023. The scam indicates that Twitter Gold services are not yet mature enough to handle such incidents, and cybercriminals can become guarantors of deals, creating a huge reseller market behind compromised accounts.

To minimize the risk of the Twitter Gold Buy scam, organizations should close dormant accounts if inactive for an extended period and train and educate employees on workplace cybersecurity practices. They must update password policies, educate them against cracked software, encourage using native password managers instead of web browsers, and install endpoint security software on employee devices to detect malicious software.

****_RELATED ARTICLES_****

1.  **SMS-Based 2FA Will Be Limited to Twitter Blue Users**
2.  **Hacker found using Twitter memes to spread malware**
3.  **Pink Drainer Posed as Journalists, Stole $3M from Twitter Users**
4.  **Prominent & verified Twitter accounts hacked to run crypto scam**
5.  **Scammers bought Twitter ads to run verified badge phishing scam**

Scammers Selling Twitter (X) Gold Accounts Fueling Disinfo, Phishing

By Waqas
Despite Google's proactive removal of these apps, the threat persists through third-party markets, compromising over 327,000 devices globally.
This is a post from HackRead.com Read the original post: New Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices

The Xamalicious Backdoor can gain complete control over a targeted Android device without detection by the device’s security solution.

McAfee’s Mobile Research Team has uncovered a widespread Android backdoor threat, dubbed Xamalicious, showing sophisticated tactics to compromise user devices. The malware has exploited the Xamarin framework, employing its capabilities to hide malicious code within the APK file build process, enabling it to operate undetected.

This threat aims to gain accessibility privileges through social engineering, communicating with a command-and-control server to download a second-stage payload injected at runtime.

Once installed, the malware takes full control of the device, enabling various fraudulent actions such as clicking on ads, installing apps, and other financially motivated activities without user consent.

****Financial Motivation Unveiled:****

What sets Xamalicious backdoor apart is its direct connection to the notorious ad-fraud app, “Cash Magnet.” This link exposes a financially motivated agenda behind the attacks, as Cash Magnet engages in automated ad clicks, app installations, and other actions to generate fraudulent revenue.

****Ubiquitous Distribution and Persistent Threat:****

According to the McAfee Mobile Research Team’s blog post, approximately 25 malicious apps carrying Xamalicious backdoor have been identified, some of which infiltrated Google Play since mid-2020. Despite Google’s proactive removal of these apps, the threat persists through third-party markets, compromising over 327,000 devices.

The impact of this threat is far-reaching, affecting users across continents. The most significant activities have been observed in the USA, Brazil, Argentina, the UK, Spain, and Germany.

Countries targeted by Xamalicious Backdoor (Screenshot: McAfee Mobile Research Team)

Some of the affected apps that McAfee is urging users to delete are:

*   LetterLink
*   Logo Maker Pro
*   Track Your Sleep
*   Auto Click Repeater
*   Universal Calculator
*   Sound Volume Booster
*   Sound Volume Extender
*   Count Easy Calorie Calculator
*   Step Keeper: Easy Pedometer
*   3D Skin Editor for PE Minecraft
*   Essential Horoscope for Android
*   Astrological Navigator: Daily Horoscope & Tarot
*   NUMEROLOGY: PERSONAL HOROSCOPE & NUMBER PREDICTIONS.

****Dynamic Second-Stage Payload Raises Alarms:****

Once installed, the second-stage payload of the Xamalicious backdoor grants the malware full control over the device. This capability allows the malware to self-update the main APK and execute various activities, from acting as spyware to potentially operating as a banking trojan, all without requiring user interaction.

****Exploitation of Accessibility Services:****

The modus operandi of the Xamalicious backdoor involves tricking users into granting accessibility service permissions. Exploiting vulnerabilities and prompting users to activate these services despite OS warnings manually, the malware gains a foothold on the device.

Malware asking for Invasive permissions (Screenshot: McAfee Mobile Research Team)

****Stealthy Data Collection and Encryption:****

Xamalicious backdoor goes beyond typical malware by collecting extensive device information and communicating with a command-and-control server. The communication is safeguarded through the use of JSON Web Encryption (JWE) tokens. The malware’s DLL contains hardcoded RSA key values, opening the door for potential decryption during analysis.

****Protective Measures for Users:****

If you are using Android devices, it is crucial to protect them from the Xamalicious malware and other emerging Android threats. Users are strongly advised to exercise caution when granting accessibility service permissions, particularly when an app does not have a legitimate need.

Installing reputable security software, such as McAfee Mobile Security, is recommended to mitigate the risks associated with malware infections. Regular updates are crucial to ensure ongoing protection against evolving threats in the mobile landscape. Stay informed, stay protected.

****_RELATED ARTICLES_****

1.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
2.  **Android Malware FjordPhantom Steals Funds Via Virtualization**
3.  **Amazon, eBay and Afterpay as Top Android User Data Collectors**
4.  **New MMRat Android Trojan Uses Fake App Stores for Bank Fraud**
5.  **Android TV Boxes Infected with Backdoors, Hacking Home Networks**