By Deeba Ahmed
All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack.
This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

According to Google’s Threat Analysis Group (TAG), the group exploiting the vulnerability comprises Sandworm, Fancy Bear, and APT40, all associated with the Russian government and military.

**_**KEY FINDINGS**_**

**Google’s TAG researchers have found that government-sponsored hackers are actively exploiting an already discovered WinRAR vulnerability.**

**This vulnerability lets hackers execute arbitrary code on the targeted device.**

**Attackers can steal sensitive data, hijack the victim’s computer, and install malware.**

**State-sponsored actors from a number of countries are exploiting this vulnerability in their malicious operations.**

**Google has urged users to immediately apply the latest WinRAR patch to prevent their devices from being invaded by state-backed actors.**

**Organizations must protect their networks by implementing a robust vulnerability management program and deploying endpoint security solutions.**

On August 25, 2023, Hackread.com reported a 0-day vulnerability in WinRAR, which was actively exploited worldwide, targeting 130 traders to successfully steal funds. It has now come to light that the vulnerability continues to be exploited, despite the availability of a security patch.

Google’s Threat Analysis Group (TAG) has discovered that state-backed threat actors are continuously exploiting a known vulnerability in the popular file archiver tool for Windows, WinRAR. The vulnerability is tracked as CVE-2023-38831, and it was exploited for the first time in early 2023 by cybercrime groups before it was identified by defenders. Now state-backed actors are exploiting it. Until August, this bug was exploited as zero-day. It was first reported by Group-IB researchers.

TAG’s Kate Morgan wrote in the report published on 18 October that despite that a patch was released soon after it was discovered, many devices remain unpatched and are vulnerable to exploitation. This is probably because the WinRAR tool doesn’t have an auto-update feature. It was fixed in WinRAR versions 6.24 and 6.23. Users have to download the patch manually.

Regarding the state-sponsored actors exploiting the WinRAR bug, TAG noted that three different clusters of attackers are involved. These include Sandworm aka FROZENBARENTS, Russian APT28 aka Fancy Bear or FROZENLAKE, and APT40 aka ISLANDDREAMS. 

For your information, Sandworm is affiliated with the Russian Armed Forces’ Main Directorate of the General Staff Unit 74455 and likes to target the energy sector. The Ukrainian drone-based email campaign Sandworm launched on September 6th exploits this bug to deliver a ZIP archive file. 

APT28 is also linked to the same unit but focuses on targeting Ukrainian government entities with a spearphishing campaign. APT40 is associated with the Chinese government and exploited this bug in late August to launch a phishing campaign targeting Papua New Guinea.

This vulnerability lets attackers execute arbitrary code on their targeted device by tricking the victim into opening a specially designed PNG file with a ZIP archive, leading to the stealing of sensitive data, installation of malware, or hijacking of the infected device. Since April 2023, cybercriminals have actively used this bug to target cryptocurrency trading accounts. 

> _“A logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces.”_
> 
> Google’s Threat Analysis Group (TAG)

This widespread exploitation highlights that “exploits for known vulnerabilities can be highly effective, despite a patch being available” and indicates the importance of prompt application of security patches. 

****Update Your WinRAR Installer to the Latest Version****

To safeguard your system and personal data from potential threats, it’s crucial to keep your WinRAR installer up-to-date with the latest version. Updating your WinRAR software ensures that you have the latest security patches and enhancements, significantly reducing the risk of falling victim to cyberattacks.

You can get WinRaR’s latest version on its official website. Don’t wait – stay protected by regularly checking for updates and applying them as soon as they become available. Your digital security depends on it.

**_**RELATED ARTICLES**_**

1.  The Best Way to Install and Set-Up WinRAR 64-bit
2.  WinRAR vulnerability allowed attackers to remotely hijack systems
3.  Hackers are using 19-year-old WinRAR bug to install nasty malware

APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

By Deeba Ahmed
Researchers report a surge in QR code-related cyberattacks exploiting phishing and malware distribution, especially QRLJacking and Quishing attacks.
This is a post from HackRead.com Read the original post: Hackers Exploit QR Codes with QRLJacking for Malware Distribution

QRLJacking tricks you with fake QR codes to log into fake websites or apps, while Quishing uses QR codes to deceive you into visiting malicious sites or downloading malware.

Quick Response Codes (aka QR Codes) have made life hassle-free for everyone as these versatile codes offer access to everything. However. according to SaaS-based cloud messaging security firm SlashNext, this versatility of QR codes makes them a potential target of exploitation. And, the company has discovered several ways in which threat actors are exploiting QR codes.

Security experts have noted a spike in QR-code-based phishing attacks, highlighting how easy it is to manipulate them. Since the codes can encode complex data and redirect users to external apps/websites, adversaries try to manipulate them. SlashNext’s research revealed two prominent methods threat actors are relying on to exploit QR codes- Quishing and QRLJacking.

Quishing attack is offered on cybercrime forums to facilitate phishing-for-hire services. In this attack, a QR code embedded with malware download or phishing link is circulated on different platforms/channels such as social media, posters, restaurant menus, ads, and phishing emails. When someone scans it, they are redirected either to a phishing website or malware gets downloaded on their devices.

Cofense discovered a similar phishing campaign in August 2023, where attackers used malicious QR codes to target high-profile organizations, including a US energy firm.

QRLJacking (quick response code login jacking) is a social engineering-based method exploiting the login with QR code feature in apps and websites and mostly exploits frequently expiring QR codes. If successful, the attack can lead to a complete account takeover.

In QRLJacking, the adversary creates a phishing site identical to the login page of their targeted website/app and creates a fake QR code. The phishing link is sent to the victim through messaging apps, email, or SMS.

When the code is scanned, they get logged into the bogus session and not the real app, and their sensitive data such as access tokens are stolen. An incident of QRLJacking was reported in August 2023 by cybersecurity researcher Cristian ‘void’ Giustini targeting the Steam gaming platform.

“Phishing Email with Malicious QR Code Targeting Microsoft Users and Steam’s QR-Enabled Phishing Page”

In a blog post, Daniel Kelley of SlashNext wrote that attackers can employ a wide range of techniques to exploit QR codes, such as:

*   **Phishing:** Through phishing attacks, threat actors can exploit QR codes to redirect users to bogus websites mimicking legitimate ones, and lure them into entering sensitive data like financial information or login credentials.
*   **Malware Distribution:** Cybercriminals can embed QR codes with links that deploy malware on the user’s devices and allow them to gain unauthorized access.
*   **Social Engineering:** QR codes can be manipulated to display misleading information/promotion offers to trick users into taking actions that offer monetary benefits to the attacker.

Being cautious is essential to protect yourself against QR code-based attacks. Always scan QR codes from trusted sources and cross-check the destination URL before scanning. Regularly update anti-virus software. Organizations should implement secure QR code generation and management systems and conduct security audits of QR code usage regularly.

****_RELATED ARTICLES_****

1.  Barcode Reader Apps on Play Store Infected with Adware
2.  Stream-Jacking: Malicious YouTube Livestreams Aid Malware
3.  How to make a QR code to accept Bitcoin while keeping it secure
4.  “Picture in Picture” Technique Exploited in Deceptive Phishing Attack
5.  Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Hackers Exploit QR Codes with QRLJacking for Malware Distribution

By Waqas
Cybercriminals are using phishing emails and text messages to steal sensitive data from plastic surgery clinics and offices, such as patient records and financial information.
This is a post from HackRead.com Read the original post: FBI Warns of Extortionists Stealing Plastic Surgery Data for Ransom

The FBI also warns that cybercriminals are using this stolen data to extort victims, threatening to release it to the public or to the victims’ employers or families.

Cybercriminals are using phishing emails and text messages to gain access to plastic surgery offices’ networks and steal sensitive data, such as **patient records, photos** and financial information, the FBI warns.

Once they have this data, they threaten to release it to the public or to the victims’ employers or families unless they receive a **ransom payment in cryptocurrency**.

The FBI **says** that cybercriminals are using a three-phase approach to carry out this scam:

****1: Data Harvesting****

Cybercriminals use phishing emails and text messages to trick plastic surgery offices into clicking on malicious links or opening attachments. Once a victim clicks on a malicious link or opens an attachment, malware is installed on their computer. This malware allows cybercriminals to steal sensitive data, such as patient records and financial information.

****2: Data Enhancement****

Cybercriminals use open-source information, such as social media profiles, to “enhance” the stolen data. This means that they gather additional information about the victims, such as their employment history, photos, family members, and friends. Cybercriminals then use this enhanced data to make their extortion threats more credible.

****3: Extortion****

Cybercriminals contact plastic surgeons and their patients via social media, email, text messages, or messaging apps to demand ransom payments. They threaten to release the victims’ sensitive data to the public or to their employers or families unless they pay a ransom in cryptocurrency.

Claude Mandy, Chief Evangelist, Data Security at **Symmetry Systems**, a San Francisco, Calif.-based leader in data security posture management argued the data security practises and capabilities of plastic surgery clinics stating that most regular doctor’s offices face the challenge of needing to share this information to safeguard lives, but lack the security capabilities to ensure data protection and monitor for unauthorized access or suspicious activity.

_“_Cybercriminals are focused on monetizing access to data through either impacts to the availability of lifesaving data, or increasingly the threat of releasing sensitive and sometimes embarrassing data to the public,_“_ said Claude. _“_Nation states may use similar tactics to coerce users to perform activities in their interests. Medical records, especially some forms of plastic surgery, have become obvious targets as a result._“_

****FBI’s Recommendations****

The FBI recommends that plastic surgery offices and patients take the following steps to protect themselves from this scam:

*   Be suspicious of unsolicited emails and text messages, especially those that ask for personal information or financial data.
*   Do not click on links in emails or text messages from unknown senders.
*   Use strong passwords and enable multi-factor authentication on all accounts.
*   Keep software up to date on all devices.
*   Back up data regularly.

****Here are some additional tips to protect yourself from this scam:****

*   Be careful about what information you share online, especially on social media.
*   Be careful about who you give your contact information to.
*   Be aware of the signs of phishing emails and text messages.
*   If you receive an email or text message that seems suspicious, do not click on any links or open any attachments.
*   If you are unsure about whether an email or text message is legitimate, contact the sender directly.

If you are a plastic surgery office or patient and you believe you may have been the victim of this scam, you should report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.

****_RELATED ARTICLES_****

1.  FBI and NCSC Warn of Foreign Cyberattacks on US Space Sector
2.  FBI and CISA Issue Joint Advisory on Snatch Ransomware Threat

FBI Warns of Extortionists Stealing Plastic Surgery Data for Ransom

By Waqas
Prepare to pay for Twitter (X).
This is a post from HackRead.com Read the original post: Elon Musk’s X (Twitter) to Charge $1 for Basic Features

To start, X will charge $1.43 NZD from new users in New Zealand and ₱42.51 PHP per year from new users in the Philippines.

Elon Musk’s X (formerly Twitter), has announced that the platform will start charging new users $1 per year for basic account features as part of his “Not-A-Bot” initiative.

The fee will initially apply to new users in New Zealand and the Philippines, and X plans to expand it to all new users globally. The fee will apply to basic features such as tweeting, replying to tweets, liking and bookmarking tweets, and creating lists. Existing users will not be affected by the fee.

> _“New users will be able to perform certain actions on the web version of the platform: post content, Like posts, Reply, Repost and Quote other accounts’ posts, and Bookmark posts.”_
> 
> _“New users who opt out of subscribing will only be able to take “read only” actions, such as: Read posts, Watch videos, and Follow accounts.”_
> 
> **X**

The company said the fee is necessary to reduce the number of bots and spammers on the platform. He has also said that he wants to make X more sustainable and that charging users a small fee will help to cover the costs of running the platform.

There has been some mixed reaction to the news. Some users have expressed support for the fee, saying that it is a small price to pay to keep the platform free of bots and spammers. Others have expressed concern that the fee will make X less accessible to users in developing countries.

It remains to be seen how the fee will impact X’s user base and overall growth. However, Musk is serious about making X more profitable.

> Starting today, we’re testing a new program (Not A Bot) in New Zealand and the Philippines. New, unverified accounts will be required to sign up for a $1 annual subscription to be able to post & interact with other posts. Within this test, existing users are not affected.
> 
> This…
> 
> — Support (@Support) October 17, 2023

****Why New Zealand and the Philippines?****

In 2022, 47.4% of all internet traffic came from bots, while at 52.6%, human traffic decreased to its lowest level in eight years. According to the 2023 State Of The Web from Gloucester, United Kingdom-based domain and hosting experts Fasthosts, “._bot_ is predicted to be a TLD (top-level domain) to watch out for as registrations to the word bot are set to see a huge increase.”

The press release from Fasthosts titled “X’s War on Bots” shared with Hackread.com, implies that Elon Musk’s decision to charge users is a component of his “Not-A-Bot” initiative. This initiative has revealed that the majority of bot accounts on the social media platform are registered in specific locations, namely New Zealand and the Philippines.

**Analysis**

Musk’s decision to charge users for basic features is a controversial one. It is unclear how the fee will impact X’s user base and overall growth. Yet, the fee could help to reduce the number of bots and spammers on the platform. It could also generate additional revenue for X, which could be used to invest in new features and improve the platform’s overall user experience.

However, the fee could also make X less accessible to users in some countries. It could also discourage some users from signing up for an account or using the platform regularly. Overall, it remains to be seen how Musk’s decision to charge users for basic features will impact X in the long term.

1.  Elon Musk deletes Tesla & Space X Facebook pages
2.  YouTube Takes on Ad Blockers with Warning Pop-Ups
3.  Why torrenting on Elon Musk’s Starlink is not a good idea?

Elon Musk’s X (Twitter) to Charge $1 for Basic Features

By Deeba Ahmed
Qubitstrike Malware Uses Discord for C2 Communications in Cryptojacking Campaign Targeting Jupyter Notebooks.
This is a post from HackRead.com Read the original post: Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking and Cloud Data

****_KEY FINDINGS_****

**Cryptojackers are targeting Jupyter Notebooks to deploy Qubitstrike malware, reports Cado Security.**

**Exposed Jupyter Notebooks are exploited in this campaign, mainly those deployed in cloud environments.**

**The objective is to steal cloud service providers’ credentials and access cloud services.**

**Qubitstrike is an evolving malware campaign looking for vulnerabilities in Jupyter Notebooks configurations and supporting SSH propagation.**

**Attacks can install additional malware, steal sensitive data, and interrupt research activities.**

Jupyter Notebooks are widely used tools by data scientists and researchers. According to new research from Cado Security Labs, threat actors are targeting vulnerable Jupyter Notebooks configurations to obtain unauthorized access to target systems and deploy Qubitstrike malware.

The primary objective of this campaign is to steal cloud services provider (CSP) credentials and install cryptominers. This indicates threat actors are trying to disrupt scientific research. Cado researchers noted that attackers use stolen CSP credentials to expand their scope of exploitation.

It is a multi-stage attack in which malware developers infiltrate the targeted system by sending phishing emails to unsuspecting users or using social engineering tactics. After successful infiltration, the malware establishes a connection with a remote C2 server to control the compromised system remotely. Once this is done, the attackers exploit the notebooks’ ability to execute arbitrary code for executing a malicious mi.sh shell script, disguised as a legitimate data analysis tool.

This script retrieves/executes an XMRig miner and ensures it is executed every time the system is rebooted. It also terminates any existing mining operations in the system, adds the adversary’s SSH key to the system to create a persistent backdoor, and installs a rootkit to hide malicious processes.

Now, attackers can perform a wide range of nefarious activities, including installing additional malware/backdoors on the system, stealing intellectual property or sensitive data such as cloud service provider credentials, and interrupting/sabotaging research. Attackers can deliver the shell script to related hosts through SSH as well. The data is exfiltrated via Telegram Bot API.  

Qubitstrike campaign payloads are hosted on the Git hosting platform’s alternative service, codeberg.org, and Discord is used for command and control communications. Cado Security researchers claim that this is the first time they discovered this platform being used in an active malware campaign.                                            

It’s possible that Codeberg’s up-and-coming status makes it attractive as a hosting service for malware developers,” Cado Security’s report read.

Qubitstrike output displayed in Discord (Cado Security)

Qubitstrike malware’s advanced C2 infrastructure using Discord’s bot functionality for issuing commands on compromised nodes or tracking the campaign’s progress highlights the need to focus on this emerging threat targeting scientific computing environments and employ robust cybersecurity measures in these domains.

For your information, Jupyter Notebooks are web-based interactive computing platforms designed for remote or on-premise servers but generally, these are used in cloud environments. It hosts individual code snippets and lets users execute the code in an isolated environment. Google and Amazon Web Services (AWS) offer Jupyter Notebooks as managed services.

**_**RELATED ARTICLES**_**

1.  SSH Remains Most Targeted Service in Cado’s Cloud Threat Report
2.  Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users
3.  Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking and Cloud Data

By Owais Sultan
In the complex, fast-paced universe of the internet, where businesses battle fiercely to rank higher on search engine…
This is a post from HackRead.com Read the original post: Link Farming: SEO Boost or Cybersecurity Threat?

In the complex, fast-paced universe of the internet, where businesses battle fiercely to rank higher on search engine results pages (SERPs), search engine optimization (SEO) has emerged as an indispensable marketing strategy. An aspect of SEO that has sparked widespread discussions and debates among digital marketers and cybersecurity professionals is “link farming”. 

Link farming poses an interesting duality. On one hand, it’s perceived as a potential method to boost SEO rankings; on the other, it is associated with considerable cybersecurity threats. After analyzing this comprehensive review: What is Link Farming, we’ve compiled a brief explanation of the nature of link farming and analyzed its safety as a method of search engine optimization.

****SEO and the Allure of Link Farming****

SEO can be best understood as the strategic optimization of online content, with the end goal of making it more visible on search engines. When a webpage links to any other page, search engines consider it a ‘vote’ for the page’s credibility and relevance. Subsequently, pages with more votes (links) tend to be ranked higher on search engines such as Google, Bing, or Yahoo – which is the main answer to the “why are backlinks important” question. 

Herein lays the allure of link farming – a practice involving the creation of a network of websites that interlink with each other, aiming to increase the number of inbound links to a particular website and, theoretically, elevate its SEO ranking. The concept of increasing a website’s visibility and accessibility through amplified linkage seems plausible and promising; however, this particular approach comes with a set of potential pitfalls that are important to consider.

****Link Farms and the Cybersecurity Abyss****

As tempting as the immediate SEO boost offered by link farming might be, it is crucial to delve deeper into the inherent cybersecurity risks it possesses. Link farms are often operated through automated programs and bots, which create a mesh of websites, most of which are of low quality and contain irrelevant or spammy content. 

For users, clicking on these links can be like stepping into a minefield of potential cybersecurity threats. These can range from phishing attacks to the delivery of malware. For businesses relying on link farming to artificially inflate their online presence, inadvertently becoming a cog in the wheel of a potentially harmful network can tarnish reputation, decrease genuine web traffic, and even result in punitive actions from search engines.

****A Deeper Insight into Link Farming Networks****

Link farms function by creating a network of websites that all link to each other, manipulating search engines into believing that a site is more important or relevant than it truly is. By artificially inflating a website’s perceived importance through an abundance of interlinked websites, link farming aims to mislead search engines’ algorithms.

However, sophisticated search engines, especially Google, have grown adept at identifying and penalizing websites involved in farming links through sophisticated algorithms, such as Google’s Penguin update, which specifically targets and penalizes websites employing manipulative linking schemes. Consequentially, websites that partake in link farming are at risk of being demoted in search engine rankings or de-indexed altogether.

Moreover, for businesses associating with link farms, even unknowingly, the potential risk transcends beyond SEO penalties. By being part of a link-farming network, businesses inadvertently expose their users to a plethora of cybersecurity threats, thereby compromising user trust and integrity.

****Navigating Safely Through SEO Practices****

While the risks involved with link farming are substantial, the fundamental desire to enhance SEO rankings is valid and critical for online success. So, how can businesses navigate through the intricate web of SEO, boosting their online presence without resorting to harmful and risky strategies such as link farming?

*   **White-Hat SEO:** Engage in ‘white-hat’ SEO practices, which adhere to ethical guidelines and focus on creating valuable, relevant content for genuine human users, rather than trying to deceive algorithms.
*   **Quality over Quantity:** Focus on generating high-quality content that is genuinely valuable to your target audience, thereby naturally attracting inbound links from reputable websites.
*   **Secure and Monitor Backlinks:** Regularly audit and monitor your website’s backlinks to ensure that you are not unintentionally part of a link farm, utilizing tools and services that provide insights into your backlink profile.

****Conclusion: Weighing the Scales****

Link farming stands on a precarious pedestal, presenting a tempting yet potentially hazardous path toward SEO enhancement. While the immediate gratification of swiftly amplified SEO rankings might be appealing to some, the multifaceted risks embedded within the practice of link farming — from penalization by search engine algorithms to potential cybersecurity threats — provide a compelling counter-narrative.

Businesses and web administrators must, therefore, reflect upon the broader, more lasting impact of their SEO strategies, opting for practices that safeguard both their digital presence and cybersecurity. Through ethical SEO practices and a strong cybersecurity framework, businesses can pave a sustainable path toward genuine online visibility and user engagement, effectively weaving through the intricate, dual-faced web of link farming.

Link Farming: SEO Boost or Cybersecurity Threat?

By Waqas
The Fantom Foundation has acknowledged the breach and is currently conducting an investigation after hackers managed to steal more than $550,000 in cryptocurrency.
This is a post from HackRead.com Read the original post: Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw

It has been revealed that the main target of the attack was an employee of the Fantom Foundation.

The Fantom Foundation, a non-profit organization that supports the Fantom blockchain network, suffered a data breach apparently, due to a **zero-day security vulnerability** in Google Chrome.

Apparently, the attackers were able to exploit the flaw to steal the private keys to the Fantom Foundation’s wallets, which allowed them to steal over $550,000 in cryptocurrency. This was confirmed by the Foundation on its official Twitter (Now X) account, though the incident is still under investigation for a definitive conclusion.

While information regarding the hack is scarce, discussions among users on The Fantom Foundation’s Telegram channel suggest that the exploited zero-day vulnerability may be related to a heap buffer overflow vulnerability within Google Chrome’s WebP format, assigned a high 8.8 CVSS score (**CVE-2023-4863**). This vulnerability enables a remote attacker to execute an out-of-bounds memory write through a specially crafted HTML page.

According to the Fantom Foundation, only a small number of wallets were compromised and the significant majority of Fantom Foundation funds (more than 99%) were unaffected and remain secure. It was also disclosed that the primary target of the attack was an employee of the Foundation.

> _“A Fantom employee’s personal wallets were compromised. Some of these impacted wallets were labelled “Foundation Wallets”, but they were no longer being utilized by the organization and had been reassigned to a Fantom employee, making this a targeted personal attack. The funds lost by the employee are currently being tracked and investigated.”_
> 
> The Fantom Foundation

On the other hand, Crypto and Blockchain security firm CertiK has also **confirmed** the data breach by tweeting that “Fantom Foundation wallets have been drained on Ethereum and Fantom. So far we can confirm that Fantom: Foundation Wallet 20 lost ~$470k on FTM and Fantom: Foundation Wallet 18 lost at least ~$187k on ETH._“_

Here’s what The Fantom Foundation shared in its official **announcement** on Twitter (X) and **Telegram**:

The Fantom Foundation has stated that it is working with authorities to investigate the attack. The foundation has also advised its users to update their Google Chrome browsers to the latest version.

The Fantom Foundation data breach is a reminder of the importance of **employee cybersecurity training**, regular software updates, and strong security measures to safeguard data. It also highlights the inherent risks in cryptocurrency usage.

**What is a zero-day vulnerability?**

A **zero-day vulnerability** is a security flaw that is not yet known to the software vendor or the security community. Attackers often exploit zero-day vulnerabilities to launch attacks before the vendor has a chance to patch the vulnerability.

**How to protect yourself from zero-day vulnerabilities**

The best way to protect yourself from zero-day vulnerabilities is to keep your software up to date. Software vendors regularly release security updates that patch known vulnerabilities. It is important to install these updates as soon as they are released.

You can also use security software, such as antivirus software and a firewall, to protect your computer from attack. Security software can help detect and block malicious activity, even exploiting a zero-day vulnerability.

Finally, it is important to be careful about what websites you visit and what attachments you open. Attackers often use malicious websites and attachments to exploit zero-day vulnerabilities. If you are unsure about a website or attachment, it is best to err on the side of caution and avoid it.

****_RELATED ARTICLES_****

1.  Zero-Day Exploit Threatens 200,000 WordPress Websites
2.  Critical Chrome Update Counters Spyware Vendor’s Exploits
3.  US Police Recover $3M Stolen by Pakistani Crypto Scammers
4.  Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware
5.  Crypto Industry Lost $685 Million in Q3 2023, 30% by Lazarus Group

Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw

By Deeba Ahmed
KEY FINDINGS Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular…
This is a post from HackRead.com Read the original post: Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users

****_KEY FINDINGS_****

**Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular communication and e-commerce platforms.**

**The targeted platforms include Telegram, Alibaba Cloud, and AWS.**

**Attackers are injecting malicious code into open-source projects and compromising systems.**

**They leveraged Starjacking and Typosquatting techniques to lure developers to the malicious packages.**

**The campaign was active throughout September 2023.**

Cybersecurity firm Checkmarx discovered a new supply chain attack, which they believe was launched by a low-key threat actor it tracks as kohlersbtuh15. This campaign was active in September 2023. 

The recent surge in these malicious attacks prompted the Open Source Security Foundation (OpenSSF) to introduce its latest initiative, the Malicious Packages Repository, just last week.

As per the Checkmarx report authored by Yehuda Gelb, the attacker used the Python programming software repository (Pypi) and launched attacks using Starjacking and Typosquatting techniques.

Further probing revealed that the actor is exploiting vulnerabilities in platforms, such as Telegram, Amazon Web Services (AWS), and Alibaba Cloud Elastic Compute Service (ECS) to target developers and users. They are exploiting Aliyun’s services, and these three platforms are a part of it.

The attacker injects malicious code into the open-source projects these platforms are using to compromise users’ devices and steal sensitive data, financial and personal information, and login credentials. The malicious code is injected into specific software functions, which makes it pretty challenging to detect foul play and address the issue.

The code embedded into these packages doesn’t execute automatically but is strategically hidden inside different functions and triggers when one of these functions is called. Reportedly, kohlersbtuh15 launched a series of malicious packages to the PyPi package manager, targeting the open-source community.

Using typosquatting, the attackers craft a package mirroring the legitimate one, but the fake package has a hidden malicious dependency, which triggers the malicious script running in the background. The victim would not suspect anything as everything happens behind the scenes.

Starjacking refers to linking a package hosted on a package manager to an unrelated package repository on GitHub. Through this technique, unsuspecting developers are tricked into considering it an authentic package. To enhance the scope of this attack, threat actors have combined these two techniques in the same software package.

For instance, the Telethon 2 package is a typosquatted version of the popular Telethon package that also performs starjacking via the official Telethon package’s GitHub repository. This indicates the threat actor has copied the source code exactly as it is from the official package and embedded malicious lines in the telethon/client/messages.py file. The malicious code is executed with the command Send Message only.

The screenshot displays a list of malicious packages and the countries with the highest downloads of these packages, as reported by Checkmarx.

“By targeting popular packages used in platforms such as Telegram, AWS, and Alibaba Cloud, the attacker demonstrated a high level of precision. This was not a random act, but a deliberate effort to compromise specific users who rely on these widely-used platforms, potentially impacting millions of people,” Gelb wrote.

The damage caused by this attack is far greater than compromised devices as all types of data linked with these platforms, like communication details from Telegram or AWS cloud data and business-related data from Alibaba Cloud, could be accessed and exploited. This attack highlights that supply chain attacks continue to be a threat as attackers are eyeing vulnerabilities in third-party services/software to access targeted systems and steal data.

****_RELATED ARTICLES_****

1.  Understanding Software Supply Chain and How to Secure It
2.  Luna Grabber Malware Hits Roblox Devs Through npm Packages
3.  6 official Python repositories plagued with cryptomining malware
4.  CISA warns of trojanized versions of JavaScript library’s NPM package
5.  VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools
6.  Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript

Supply Chain Attack Targeting Telegram, AWS and Alibaba Cloud Users

By Waqas
The launch of the Malicious Packages repository comes at a time when cyberattacks, leveraging malicious open source packages, are on the rise.
This is a post from HackRead.com Read the original post: OpenSSF Launches Malicious Packages Repository

The repository has already amassed over 15,000 reports of malicious packages, drawing data from various sources, including the OpenSSF Package Analysis project, Checkmarx security, and exports of malicious packages tracked by GitHub.

In a bid to counter the increasing threat of malicious open source packages, the Open Source Security Foundation (**OpenSSF**) has introduced a new initiative called the Malicious Packages Repository. This repository could turn out to be a major player in the fight against malicious code and is aimed at enhancing the security and integrity of open source software ecosystems.

****A Response to Growing Threats****

The launch of the Malicious Packages Repository comes at a time when cyberattacks, leveraging malicious open source packages, are on the rise. For instance, the Lazarus Group, a notorious North Korean state-backed hacking entity, recently targeted the blockchain and cryptocurrency sectors, employing cunning tactics that included deceptive npm packages to infiltrate various software supply chains.

According to crypto security experts at Immunefi, the crypto industry lost $685 million in Q3 2023, with 30% of those funds being stolen by the Lazarus Group. In such a scenario, a centralized repository for shared intelligence could have acted as an early warning system, allowing the global community to thwart such attacks more swiftly.

****Decoding the Menace: What Is a Malicious Package?****

Malicious packages are a form of malware that poses as open source packages and are subsequently published to popular package repositories like PyPI and NPM. While vulnerable code possesses unintentional weaknesses that can be exploited, malicious code is sophisticatedly crafted with the intent to harm or compromise its targets.

These malicious packages are used to attack unsuspecting developers or organizations that install and run them. The repercussions can range from unauthorized access and data leaks to excessive resource consumption and data destruction, with most endpoint antivirus software ill-equipped to detect these intricate attack vectors.

****A Look at Recent Attacks****

In a span of recent months, developers have been targeted by a string of malicious attacks. **On October 5th**, an NPM Typosquatting attack deployed the r77 rootkit via legitimate packages. Just a few days earlier, **on October 2**, FortiGuard Labs uncovered a series of malicious NPM packages specifically designed to steal data.

In late August, the developer community was shaken when the **Luna Grabber malware** exploited vulnerabilities through npm packages, particularly affecting those working on Roblox. **On August 6t**h, the VMCONNECT malicious PyPI package was added to the growing list of threats, expertly mimicking common Python tools.

These incidents underscore the growing risks encountered by developers, emphasizing the necessity for robust security measures within the software development ecosystem. This further underscores the importance of having OpenSSF’s Malicious Packages Repository.

****The Package Analysis Project: Vigilance in Action****

OpenSSF’s Package Analysis project was conceived to detect malicious packages as soon as they emerge. This proactive approach involves downloading, installing, and executing packages from widely-used open source package repositories as they are released. During this process, executed commands and network traffic are thoroughly monitored.

Additionally, a set of stringent rules is then applied to scrutinize the package’s behaviour, distinguishing between legitimate and malicious actions. In cases where a package exhibits malicious intent, a detailed report is generated and subsequently published in the new Malicious Packages Repository.

****Unifying the Response****

The handling of malicious packages currently varies from one open source package repository to another. Typically, when a community member reports a malicious package, the repository’s security team removes the package and its related metadata.

Unfortunately, these actions are often executed without any public record, making it challenging to discover the extent of malicious packages in circulation. The Malicious Packages Repository fills this information void by establishing a comprehensive public database that aggregates reports of malicious packages discovered across open source repositories.

This invaluable resource has the potential to intercept malicious dependencies in their tracks, enhance detection mechanisms, scan for and prevent usage in various environments, and expedite incident response.

****Leveraging the OSV Format****

In a **blog post** published by OpenSSF on October 12th, 2023, reports in the Malicious Packages Repository are formatted using the Open Source Vulnerability (**OSV**) format, which is employed for specifying vulnerabilities in open source projects.

By utilizing the OSV format for malicious packages, it becomes feasible to integrate existing tools and services, including the osv.dev API, the osv-scanner tool, and deps.dev. This format is also customizable, allowing for the inclusion of additional data such as indicators of compromise or classification details.

**Henrik Plate**, a security researcher at application security startup, Endor Labs says it is great to see an open source project address this problem for a larger variety of ecosystems. This supports all the existing efforts of academic and corporate security researchers to secure the open source ecosystem.

“For academic researchers, in particular, it offers a nice opportunity to explore and test new approaches to malware detection without being required to redo the basic plumbing over and over again, e.g. the monitoring of new package publications on various package registries like PyPI or npm,” he added. “Thankfully, this part is covered by the associated OpenSSF **package-feeds** project, which goes hand in hand with the OpenSSF **package**–**analysis** project to populate the database mentioned in the blog post.

****15,000 Reports Already****

Remarkably, the repository has already amassed over 15,000 reports of malicious packages, drawing data from various sources, including the OpenSSF Package Analysis project, Checkmarx security, and exports of malicious packages tracked by GitHub.

Nonetheless, the Malicious Packages Repository by OpenSSF serves as a stronghold of collective protection, arming the open source community with the necessary tools and know-how to shield against harmful intrusions, safeguard software integrity, and fortify the core of open source development.

OpenSSF Launches Malicious Packages Repository

By Waqas
Another day, another critical vulnerability hits Cisco!
This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers

**Cisco is aware of the active exploitation of this vulnerability, but there are no workarounds available.**

Cisco has warned customers of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software that is being actively exploited by attackers. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which could further allow them to gain full control of the device.

The vulnerability (CVE-2023-20198) affects Cisco IOS XE Software if the web UI feature is enabled, which is done by default. Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems to mitigate the risk of exploitation.

In its security advisory, Cisco said that the company is aware of the active exploitation of this vulnerability, and there are no workarounds available. Cisco is working on a software patch to address the vulnerability, but a release date has not yet been announced.

John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company commented on the advisory and warned that “The fact there isn’t a patch yet makes this issue all the more urgent and admins should take this opportunity to ensure their Cisco IOS devices either disable the Web UI or only have it accessible from private administrative LANs that are restricted to authorized users.”

Mayuresh Dani, Manager, Threat Research at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions stressed that Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable.”

Dani disclosed concerning statistics regarding Cisco devices with their web UI exposed to the internet. These findings indicate that more than 40,000 Cisco devices fall into this category, with the majority of them actively listening on port 80.

“Devices that have web UI and management services publicly exposed to the internet or to untrusted networks should be modified so that they are not exposed to untrusted networks by means of ACLs or other solutions. 2. Disable the web UI component on these devices,” Dani advised.

****Indicators of Compromise****

To determine whether a system may have been compromised, customers can check the system logs for the presence of the following log messages:

*   %SYS-5-CONFIG\_P: Configured programmatically by process SEP\_webui\_wsma\_http from console as user on line
*   %SEC\_LOGIN-5-WEBLOGIN\_SUCCESS: Login Success at 03:42:13 UTC Wed Oct 11 2023

Customers can also use the following command to check for the presence of the implant:

    curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
    

If the request returns a hexadecimal string, the implant is present.

****Recommendations****

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode.

Customers who cannot disable the HTTP Server feature should restrict access to those services to trusted networks.

Cisco is also working on a software patch to address the vulnerability, and customers are advised to apply the patch as soon as it is available.

****_RELATED ARTICLES_****

1.  Cisco’s new tool will detect malware in encrypted traffic
2.  New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
3.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
4.  Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
5.  Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks