By Deeba Ahmed
Google will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions.
This is a post from HackRead.com Read the original post: Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

According to Google, once your Gmail account is deleted, it will not be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books that you may have acquired using your Google account.

Google has officially released its inactive account policy according to which it will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions. This policy applies to personal Google Accounts, not those not set up through school, work, or other organizations.

However, this policy doesn’t apply to paid Google Workspace accounts or accounts with an active subscription. For instance, if you have subscribed to Google One, your account will remain active even without regular sign-ins. If you maintain any paid subscriptions within an app via Google Play, this will also be considered an activity.

A Google Account is necessary to access the different Google products, including Gmail, YouTube, and Google Ads, with a single username and password. The updated policies were announced in May 2023 and will be implemented starting 1st December 2023.

So, if it’s been two years since you used your free Google account, Google may delete it. Per the policies, if deleted, it won’t be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books you may have acquired using your Google account. If you want to keep your Google account active, sign into it at least once every two years and perform any activity.  

For your information, Google considers a Google account active that is regularly used. This is indicated by several activities, such as watching a YouTube video, Google search, downloading apps, using Google Drive, or checking Gmail.

The account tracks Google account activity, and not the device, so any actions taken on a device while being signed into a Google Account will be an activity. You must also sign in to Photos at least once every two years to maintain access to Google Photos and any photos uploaded from your free account. To sign in, you can use Google Photos web or mobile version.

It is possible to maintain access to your Google account and its content because Google lets you choose people who can access your account if you cannot do so yourself. Before deleting the account, Google will notify the account owner via emails sent to the Google Account and to the recovery email (if applicable).

If you don’t want or need a Google account, you can allow it to be deleted after a period of inactivity or delete it yourself. However, make sure to export any stored data using Google Takeout.

To delete a Google account, sign in with the account you want to delete, go to the Data & Privacy page, scroll to the bottom, and select Delete Your Google Account. Follow the prompts to authenticate and confirm that you want to delete the account.

Keeper Security’s VP of Security and Compliance, Patrick Tiquet, shared the following comment on this newly implemented policy with Hackread.com.

“Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorized access and potential misuse by cybercriminals for phishing attacks or data exposure. When you combine the personal information stored in these accounts and potential interconnections to other services, there is a heightened risk of identity theft and unauthorized access to linked accounts. Additionally, the lack of monitoring for inactive accounts increases the likelihood of users being unaware of suspicious activities, allowing bad actors more time to exploit the compromised accounts.”

Synopsys Software Integrity Group’s associate principal security consultant, Ben Hutchison, also shared his thoughts on this development.

“Continuing to maintain a large number of inactive accounts is a little bit like not replacing those old, cracked windows on your property and in essence the potential attack surface of the system. Inactive accounts provide a means of potential ingress or compromise for attackers to take advantage of, and since they have by definition gone unused for long periods of time, they may be protected by weak locks (passwords) and their owners (users) are unlikely to notice signs of compromise or unauthorized activity.”

“Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers,” Hutchison added.

****_RELATED ARTICLES_****

1.  Google offers Dark Web monitoring for US Gmail users
2.  Google will ‘auto-delete’ your location & web activity data
3.  How to Delete Your Facebook Account Permanently – Guide
4.  Is It Possible to Delete Yourself From the Internet Altogether?
5.  Facebook Messenger to offer Unsend feature to delete sent messages

Google to Delete Inactive Gmail Accounts From Today: What You Need to Know

By Waqas
Immediate Action Required: Update Your Apple Devices, Including iPads, MacBooks, and iPhones, NOW!
This is a post from HackRead.com Read the original post: Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

Apple has recently released security updates to tackle two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that hackers are actively exploiting.

Apple Inc. today released crucial security updates aimed at mitigating two critical zero-day vulnerabilities identified as CVE-2023-42916 and CVE-2023-42917. These vulnerabilities have been actively exploited by hackers, posing a significant risk to a wide range of Apple devices.

The vulnerabilities allow attackers to execute arbitrary code and access sensitive data on compromised devices. These security flaws are particularly concerning because they can be exploited through malicious web pages, exploiting a memory corruption bug to gain unauthorized access.

****Affected Devices****

Apple’s advisory lists a comprehensive range of devices vulnerable to these exploits:

*   iPhone XS and later models
*   iPad Pro 10.5-inch
*   iPad (6th generation and later)
*   iPad Air (3rd generation and later)
*   iPad mini (5th generation and later)
*   iPad Pro 11-inch (1st generation and later)
*   iPad Pro 12.9-inch (2nd generation and later)
*   Mac computers running macOS Monterey, Ventura, and Sonoma

****Immediate Action Recommended****

Apple urges all users of these devices to update their software immediately. The updates are designed to patch the vulnerabilities and protect devices from potential exploits. Users can update their devices by going to the ‘Settings’ menu, selecting ‘General’, and then tapping on ‘Software Update’.

The urgent release of these security patches highlights the growing challenges in cybersecurity. Security experts advise users to always keep their software updated to the latest version and to be cautious of suspicious web pages and downloads.

In a comment to Hackread.com, Michael Covington, VP of Portfolio Strategy at Apple device security and management company Jamf, urged users to immediately update their devices.

“These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content,” Michael said. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users,” he wanted.

****How to Update Your Apple Devices?****

Apple provides detailed instructions to ensure that users update their devices effectively. For iPhone and iPad users, navigate to Settings > General and click on Software Update.

For macOS users, click on the Apple menu (), go to System Settings, select General, and then click on Software Update. Automatic updates should be enabled to receive the Rapid Security Response patches seamlessly. Restarting the device may be necessary to complete the update process.

****_RELATED ARTICLES_****

1.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
2.  **Update NOW! Pegasus Spyware Exploiting iPhones on Latest iOS**
3.  **Apple issues iPhone software update after fake police ransomware scam**

Apple Issues Urgent Security Patches for Zero-Day Vulnerabilities

By Waqas
Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000).
This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Currently, the FjordPhantom malware appears to be active in Southeast Asia, covering countries including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

Cybersecurity firm Promon has identified a novel Android malware named FjordPhantom that employs virtualization to target applications. This technique has not been observed in any malware previously. FjordPhantom propagates through messaging services and combines app-based malware with social engineering to deceive banking customers.

Promon indicated in its report published on November 30, 2023, that only one sample of FjordPhantom has been obtained. However, researchers suspect that the malware is operational in Southeast Asia, encompassing countries such as Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

“In discussions with banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht (approximately $280,000 – £225,000) at the time of writing,” noted the report author Benjamin Adolphi and shared with Hackread.com ahead of publication on Thursday.

Further probing revealed that the malware is distributed through emails, SMS messages, and messaging apps. Users are tricked into downloading a bogus banking app, which contains FjordPhantom.

When this app gets installed, the attackers, posing as customer service representatives, guide the users about the steps to run the app. The malware uses virtualization to create a virtual container to run this app and attackers can monitor the user’s actions and steal their credentials.

The malware integrates various open-source/free projects from GitHub, incorporating a virtualization solution and a hooking framework. FjordPhantom utilizes virtualization solutions to circumvent the Android sandbox, enabling different apps to operate within the same sandbox.

This facilitates attackers in gaining access to files and memory, conducting debugging, and injecting code into other apps. The approach involves virtualization solutions loading their own code into a new process before loading the hosted app’s code. Consequently, the malware can evade traditional code injection detection methods, as it doesn’t modify the original application.

The malware leverages the hooking framework to evade SafetyNet rooting detection, screenreader detection, and dismiss dialog boxes warning the user of ongoing malicious activity on the system. Additionally, the malware logs various actions performed by the targeted applications, signifying active development and suggesting potential targeting of other apps in the future.

Screenshot credit: Promon

Researchers believe that FjordPhantom is a sophisticated Android malware used to commit real-world fraud. Here are 5 tips for Android users to protect themselves from malware, especially banking trojan:

1.  **Download apps only from trusted sources:** The safest way to get apps for your Android device is to download them from the official Google Play Store. Apps in the Play Store have been reviewed by Google and are less likely to be malicious. If you need to download an app from a third-party source, make sure to do your research and only download apps from reputable websites.
2.  **Be careful about the permissions you give apps:** When you install an app, it will ask you for permission to access certain data or features on your device. Only give apps the permissions they need to function. For example, if you’re installing a banking app, it will need permission to access your contacts and call history. However, there’s no reason for it to need permission to access your photos or location.
3.  **Keep your device up to date:** Google regularly releases updates for Android that fix security vulnerabilities. Make sure to install these updates as soon as they become available. You can enable automatic updates in your device’s settings.
4.  **Install a mobile security app:** A mobile security app can help to protect your device from malware by scanning apps and files for threats. It can also block malicious websites and phishing attempts. There are many different mobile security apps available, so do some research to find one that’s right for you.
5.  **Be cautious about what you click on:** Be careful about clicking on links in emails or text messages, even if they appear to be from someone you know. These links could take you to malicious websites that could install malware on your device.

****_RELATED ARTICLES_****

1.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**
4.  **Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots**
5.  **Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw**

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

By Deeba Ahmed
The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic,…
This is a post from HackRead.com Read the original post: 68% of US Websites Exposed to Bot Attacks

The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic, encompassing sectors such as banking, e-commerce, and ticketing businesses.

Bad bots are plaguing the internet, making up over 30% of internet traffic today. Cybercriminals can use them to target online businesses with fraud and other types of attacks, according to the latest research from online fraud and mitigation company DataDome.

According to a report from DataDome, a company specializing in bot and online fraud protection, released on November 28, 68% of US websites lack adequate protection against simple bot attacks, highlighting how vulnerable US businesses could be to automated cyberattacks.

The researchers assessed more than 9,500 of the largest transactional websites in terms of traffic, including banking, e-commerce, and ticketing businesses. They found that the US websites face significant risks ahead of the busy holiday shopping season. The findings also highlighted that traditional CAPTCHAs aren’t effective in preventing automated attacks.

As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected.

Among the 2,587 websites featuring one CAPTCHA tool, less than 5% could detect/block all bots. Interestingly, gambling sites were the most well-protected against bot attacks, with 31% blocking all the test bots. Only 10.2% successfully blocked all malicious bot requests.

DataDome’s Head of Research, Antoine Vastel, referred to bots as “silent assassins”, adding that bots are becoming sophisticated day-by-day and US businesses are unprepared for the “financial and reputational damage” bot attacks can cause.

This, as per Vastel, includes threats like ticket scalping, inventory hoarding, and account fraud. Vastel explained that bad bots can wreak havoc on businesses and consumers, exposing them to “unnecessary risk.”

These findings highlight the urgent need for US businesses to enhance their bot protection measures. Here are 5 key points on how owners and administrators can protect their wbsites against bot attacks:

1.  **Implement CAPTCHA and reCAPTCHA:** CAPTCHAs and reCAPTCHAs are effective tools for distinguishing between humans and bots. They can be used to prevent bots from submitting forms, signing up for accounts, or accessing restricted areas of your website.
2.  **Use IP blacklisting:** IP blacklisting involves identifying and blocking IP addresses that are known to be associated with malicious activity. This can help to prevent bots from accessing your website altogether.
3.  **Monitor website traffic:** By monitoring website traffic, you can identify patterns that may be indicative of bot activity. For example, if you see a sudden surge in traffic from a single IP address, this could be a sign that your website is under attack from a botnet.
4.  **Implement rate limiting:** Rate limiting is a technique that can be used to limit the number of requests that a user can make to your website in a given period of time. This can help to prevent bots from overwhelming your website with requests.
5.  **Use web application firewalls (WAFs):** WAFs are designed to protect websites from a variety of attacks, including bot attacks. They can be used to block malicious traffic and prevent bots from exploiting vulnerabilities in your website’s code.

****_RELATED ARTICLES_****

1.  IBM X-Force Discovers Gootloader Malware Variant- GootBot
2.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
3.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
4.  Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots
5.  Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw

68% of US Websites Exposed to Bot Attacks

By Waqas
A critical Zoom Room vulnerability allowed exploiting service accounts for unauthorized tenant access.
This is a post from HackRead.com Read the original post: Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

The Zoom vulnerability was originally discovered in June 2023. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

Zoom Rooms, the cloud-based video conferencing platform by **Zoom**, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.

Exploiting this Zoom vulnerability allows attackers to hijack meetings, manipulate the Contacts feature, infiltrate organization-wide whiteboards, and extract sensitive data from Team Chat channels, even without an invitation. What’s particularly concerning is that these actions can be carried out without detection.

In June 2023, a researcher at AppOmn discovered a vulnerability in Zoom Rooms during HackerOne’s live hacking event, **H1-4420**, where Zoom was a participating company. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

In a **blog post** shared with Hackread.com ahead of its scheduled publication on Tuesday, Ciarán Cotter from AppOmni outlined that once attackers gain access to an organization’s tenant, they can infiltrate confidential data shared within Team Chat, Whiteboards, and other Zoom applications.

For your information, **Zoom Rooms** allow team members from different physical locations to collaborate over Zoom. To set it up, the Zoom Rooms app must be installed on a device, such as an iPad. It serves as a terminal for everyone in the room. This device is of critical importance as it attends the meetings on behalf of all. 

When a user creates a Zoom Room, their service account is automatically created with licenses for Whiteboards and Meetings. These accounts possess extensive access within the tenant because of their function as regular team members. 

Exploiting the Zoom vulnerability enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. The issue arose because the Zoom Rooms service account ID was directly inherited from the user with the Owner role in the tenant during the account creation process.

This flaw meant that being in the same meeting as a Zoom Room and messaging it on Team Chat could expose the entire email address, given that it followed the format:  **rooms_<account ID>@companydomain.com.** 

With this information, attackers could create an arbitrary Outlook email address that matches the format: **room__<account ID>@outlook.com** and use it to follow the Zoom sign-up flow. They would receive the activation link sent to the Zoom Room’s email address. With the control of the email inbox, they can click the link and activate the account.

The issue was further intensified by the fact that service accounts couldn’t be removed from Team Chat channels. However, there’s nothing to be wary of as Zoom has addressed this vulnerability by removing the ability to activate Zoom Room accounts. This prevents threat actors from exploiting this predictable email format and claiming unauthorized access to Zoom room service accounts.

Still, this finding highlights the potential misuse of service accounts to gain unauthorized access to **SaaS** systems. Service accounts are frequently used by third-party applications to access SaaS data. Therefore, safeguarding these applications and service accounts is critical for maintaining a robust SaaS security posture.

****_RELATED ARTICLES_****

1.  Zoom Phishing Scam Steals Microsoft Exchange Credentials
2.  Fake Zoom installers infect PCs with RevCode WebMonitor RAT
3.  Zoom web client flaw could’ve let hackers crack meetings passcode
4.  Zoom adds Two-factor authentication (2FA) as extra layer of security
5.  Fake Zoom meeting invite phishing scam harvests Microsoft credentials
6.  ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

By Waqas
US Treasury Sanctions Sinbad.io for Laundering Millions in Stolen Funds Linked to North Korea's Lazarus Group.
This is a post from HackRead.com Read the original post: US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

According to the US government, Sinbad.io provided its services to the Lazarus group to launder money stolen from numerous data breaches, including those affecting Horizon Bridge, Axie Infinity, and Atomic Wallet.

The official domain of Sinbad.io, a popular Bitcoin “mixer” service has been seized by the United States government. The reason to seize the service given by the US Treasury is that the service apparently, was involved in laundering millions of dollars stolen by North Korean state-based notorious Lazarus group.

Those visiting Sinbad.io can now encounter a homepage uploaded by the government of the United States, announcing the following:

> _This service has been seized as part of a coordinated law-enforcement action between the Federal Bureau of Investigation, the Financial Intelligence and Investigation Service (FIOD), and the National Bureau of Investigation taken against the Sinbad.io cryptocurrency mixing service. The Federal Bureau of Investigation has seized the service in accordance with a seizure warrant pursuant to 18 U.S.C. 55 981 and 982 as part of a coordinated international law-enforcement operation._

In a press release dated November 29, 2023, the Treasury accused Sinbad.io of processing hundreds of millions of dollars worth of cryptocurrency obtained from various sources. These sources reportedly include large-scale data breaches, notably the $100 million hack affecting Horizon Bridge in June 2022, the $620 million from the Axie Infinity hack in March 2022, and the impact on customers of Atomic Wallet in June 2023.

What Sinbad.io’s homepage shows to visitors (Image credit: Hackread.com)

The US government further claimed that Sinbad.io is not only used for financial crimes but is also a tool employed by cybercriminals for “obfuscating transactions” associated with activities such as sanctions evasion, drug trafficking, purchasing child sexual abuse materials, and other illicit sales on dark web marketplaces.

The Lazarus group, operating under the control of the Democratic People’s Republic of Korea (DPRK), is infamous for its hacking activities. The US alleges that Sinbad.io serves as a “key money-laundering tool” for the already-sanctioned Lazarus group, which is believed to have stolen a staggering $2 billion worth of digital assets over its operational history.

According to the Q3 2023 Crypto Losses Report by Immunefi, a blockchain cybersecurity firm, the cryptocurrency industry incurred a loss of $685.5 million, marking the highest quarterly loss for the year.

The two largest exploits of the quarter were on Mixin Network and Multichain, which together accounted for 47.5% of all losses. The Lazarus Group, a North Korean state-sponsored hacking group, was responsible for $208.6 million in stolen funds, representing 30% of the total losses.

As for Sinbad.io, it operates on the Bitcoin blockchain and is considered by experts to be a successor to the previously sanctioned crypto mixer, Blender.io. The Office of Foreign Assets Control (OFAC) sanctioned Blender.io on May 6, 2022.

However, ddespite authorities shutting down the original Sinbad.io address, a mirrored site surfaced, registered in Moscow on November 18. A Google search for the original Sinbad.io now shows a copycat site, 1sinbadgo.com, as the second result. Notably, the copycat site, which also boasts a .Onion domain, claims to provide identical services to the original seized domain.

(Image credit: Hackread.com)

Nevertheless, the sanctions imposed by the US require the blocking and reporting of “all property and interests in property” belonging to Sinbad.io that are within the United States or under the possession or control of US persons, according to the press release.

****_RELATED ARTICLES_****

1.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
2.  **Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm**
3.  **Lazarus-Linked BlueNoroff APT Hits macOS with ObjCShellz Malware**
4.  **N. Korean Lazarus Group Suspected in $37.3M CoinsPaid Crypto Heist**
5.  **Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity**

US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

By Deeba Ahmed
The ActiveMQ flaw has been patched, but despite this, numerous threat actors continue to exploit it.
This is a post from HackRead.com Read the original post: Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

The recently discovered GoTitan botnet is built on the Golang programming language, whereas PrCtrl Rat is a .NET program.

Fortinet’s FortiGuard Labs published new research highlighting that a critical Apache ActiveMQ vulnerability tracked as **CVE-2023-46604** is under active exploitation by numerous threat actors.

Despite the release of a patch a month ago, FortiGuard researchers continue to identify various malware strains exploiting a known flaw. The persistent exploitation by cybercriminals is concerning, as it allows them to execute arbitrary code on susceptible servers.

FortiGuard Labs’ report has brought attention to several new threats, such as the emergence of a Golang-based botnet named GoTitan and a .NET program called PrCtrl Rat, which possesses remote control capabilities.

Apache recently issued an advisory regarding a vulnerability related to the deserialization of untrusted Apache data. The Cybersecurity and Infrastructure Security Agency (CISA) has categorized this flaw in its Known Exploited Vulnerabilities **(KEV) catalogue**, underscoring its high risk and potential impact.

Researchers claim that this flaw is currently being exploited to distribute various malware strains, including GoTitan, PrCtrl Rat, Kinsing, Silver, and Ddostff.

Silver, designed as an advanced penetration testing tool and red teaming framework, has the capability to support various callback protocols, including TCP, DNS, and HTTP(S). **Kinsing malware** specializes in supporting cryptojacking operations and can exploit newly discovered security vulnerabilities. On the other hand, **Ddostff botnet** has been widely employed in Distributed Denial of Service (DDoS) attacks since 2016.

GoTitan, a recently uncovered botnet, is coded in the **Go programming language**. Users typically download this botnet from a malicious URL, and it is currently compatible with x64 architectures. Upon installation, the botnet initiates a system scan and generates a debug file named c.log to document execution time and status.

Following its initial installation, GoTitan replicates itself as .mod within the system, establishing a recurring execution by registering in the Cron. To facilitate communication, the botnet retrieves the Command and Control (C2) IP address. It utilizes this connection to transmit stolen data, encompassing details about the infected device, such as memory, CPU specifications, and architecture information.

According to Fortinet Labs’ **blog post,** for data transmission, it uses “<==>” as separators. The message starts with “Titan<==>” whereas it communicates with the C2 by sending “FE FE” as a heartbeat signal and waits for further instructions. GoTitan supports ten different methods of launching DDoS attacks.

The exploitation process begins with the attacker establishing a connection to the ActiveMQ server using the OpenWire protocol, commonly on port 61616. Subsequently, the attacker sends a carefully crafted packet, inducing the system to unmarshal a class under their control.

This action prompts the vulnerable server to fetch and load a class configuration XML file from a designated remote URL. Within this malicious XML file, arbitrary code is defined, aiming to execute on the compromised machine.

GoTiten and PrCtrl Rat’s XML file (Credit: FortiGuard Labs

Technical details and proof-of-concept (PoC) code for the vulnerability are publicly accessible. Users are advised to stay vigilant against active exploits by Sliver, Kinsing, and Ddostf. Prioritizing system updates and patching is crucial, and regular monitoring of security advisories is recommended to effectively mitigate the risk of exploitation.

****_RELATED ARTICLES_****

1.  **Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer**
2.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**
3.  **Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool**
4.  **Golang malware infecting Windows, Linux servers with XMRig miner**
5.  **Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps**

Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

By Owais Sultan
In today’s era, where streaming platforms reign supreme in the music industry, internet radio continues to thrive as…
This is a post from HackRead.com Read the original post: How Internet Radio Hosting Royalties Fuel the Digital Airwaves

In today’s era, where streaming platforms reign supreme in the music industry, internet radio continues to thrive as a way for people to discover and enjoy music. With its collection of songs spanning genres, internet radio has garnered a dedicated global audience.

However, beneath the surface of this experience lies a complex system that ensures artists and creators receive their royalties. This article explores the realm of internet radio hosting royalties and delves into how they power the airwaves.

****Understanding the Basics of Internet Radio Hosting****

To comprehend how hosting royalties and Internet radio hosting royalties included operate, it’s essential to grasp how Internet radio functions. Unlike FM or AM frequencies, which rely on broadcasting signals through mediums, internet radio stations transmit music over the web. These stations offer listeners access to an array of tunes across genres.

Unlike on-demand streaming services, where users can select tracks at will, internet radio stations curate playlists based on themes or moods. These stations often establish music licensing agreements with performing rights organizations (PROs) such as ASCAP, BMI, SESAC in the United States, or SOCAN in Canada.

****The Role of PROs in Collecting Royalties****

PROs play a role as intermediaries between songwriters, composers, publishers, and music users, including streaming and broadcasting platforms. Their primary responsibility is to collect performance royalties from these platforms and distribute them to their member composers and publishers based on the usage data provided.

These organizations engage in negotiations with platforms to establish licensing agreements and set rates for performance usage. Subsequently, they ensure that the collected royalties are fairly distributed among their members, taking into account factors such as play count data provided by broadcasters or streaming services.

****Determining Royalty Payments for Internet Radio Hosting****

Internet radio station owners need to obtain licenses from PROs like ASCAP, BMI, or SOCAN to legally broadcast copyrighted music. The licensing fees may vary depending on factors such as the size of the station’s audience and the duration and type of music played.

The fees collected from internet radio stations are then allocated among artists, songwriters, and publishers using a formula. This calculation considers various factors, including the station’s listenership music play count details of PRO membership as industry standard rates.

It is important to note that although these calculations may seem complex at a glance, they are designed to ensure compensation for artists while providing an accurate system for monitoring music usage across multiple internet radio stations.

****The Significance of Royalties in Internet Radio Hosting****

Royalties in internet radio hosting play a role in supporting artists’ careers. For musicians who aspire to gain exposure in a competitive industry, having their music featured on popular internet radio stations can greatly enhance their visibility. Additionally, the royalties generated from internet radio hosting serve as consistent income streams for artists who may not earn revenue from avenues such as record sales or streaming platforms with lower payout rates.

Internet radio also enriches the listening experience by introducing audiences to lesser-known artists who may need marketing budgets but possess incredible talent. By allocating royalties based on usage data from internet radio stations, performing rights organizations (PROs) contribute to the growth of these creative individuals.

****Embracing Technology’s Impact on Distributing Royalties****

Determining royalty shares was a task that involved sample surveys and extrapolation methods that might not have accurately reflected current musical trends. However, thanks to advancements, PROs now have access to play count data directly from internet radio broadcasting platforms.

This improved data collection ensures that royalties are distributed accurately each year based on usage rather than estimation models. These advancements promote transparency among all parties involved in this ecosystem.

****Conclusion****

The world of Internet radio is constantly evolving and has become a platform for discovering music and supporting talented artists worldwide. By establishing licensing agreements with PROs (performing rights organizations) and implementing systems to track usage data, internet radio platforms ensure that artists are fairly compensated for their creative work.

With a number of listeners tuning in to internet radio stations every day, these digital airwaves have become a space where artists gain recognition and receive support. So, when you come across a captivating but known song playing on your favourite internet radio station, remember that many individuals are working behind the scenes to ensure that the creators of these songs receive the royalties they deserve.

How Internet Radio Hosting Royalties Fuel the Digital Airwaves

By Deeba Ahmed
The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10.
This is a post from HackRead.com Read the original post: OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

OwnCloud has fixed the issue in version 10.9.01 but urges customers to change their OwnCloud admin password, database and mail server credentials.

A critical vulnerability has been identified in the OwnCloud “graphapi” app, enabling threat actors to gain access to sensitive information in containerized deployments. This includes admin passwords, mail server credentials, and license keys.

According to a security advisory released by OwnCloud, the vulnerability affects versions 0.2.0 to 0.3.0. The company publicly disclosed this issue on 21 November 2023.

For your information, OwnCloud is a file server/collaboration platform offering safe storage, sharing, and synchronization of sensitive files.

The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. It was assigned the identifier oC-SA-2023-0011. 

On the other hand, data security firm GreyNoise has observed mass exploitation of this flaw in the wild starting from 25 November, raising serious concerns within the cybersecurity community.

What happens is that attackers can exploit this vulnerability to access a URL that can reveal the configuration details of the PHP environment (phpinfo). 

It is worth noting that the vulnerability was detected in the OwnCloud server and caused by a third-party library, which provides the URL, that reveals the configuration details, including all the environment variables like mail server credentials or admin passwords of the webserver. 

OwnCloud has fixed the issue in version 10.9.01. The company noted that Docker-Containers from before February 2023 aren’t vulnerable to credential exposure.

Nevertheless, the company suggests users must act promptly to mitigate the threat. This involves deleting the file OwnCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabling the phpinfo function in Docker containers. 

The advisory explained that simply disabling the graphapi app cannot eliminate the issue because phpinfo can expose sensitive configuration data that attackers can exploit to collect system-related information. This means even if OwnCloud isn’t running in a containerized environment, the threat will persist.

Therefore, users should change their OwnCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access key. These steps will help mitigate the risk of attackers exploiting the vulnerability to access sensitive information.

Casey Ellis, Founder and Chief Strategy Officer at San Francisco, Calif.-based crowdsourced cybersecurity firm Bugcrowd shared a comment with Hackread on the disclosure, calling it “concerning.” 

“This one is concerning because OwnCloud is the type of software that home users and small businesses tend to set up and then forget,” explained Ellis. “The combination of the impact of this vulnerability and the type of personal/valuable data stored in ownCloud instances provides a wide variety of options for attackers looking to exploit it – I’d be very surprised if we don’t start hearing about ransomed ownCloud instances in the coming days.”

****_RELATED ARTICLES_****

1.  **Google Workspace Vulnerable to Takeover**
2.  **Outdated Wallets Threatening Billions in Crypto Assets**
3.  **OracleIV DDoS Botnet Malware Targets Docker Engine API Instances**
4.  **Domain Squatting, Brand Hijacking: A Silent Threat to Digital Enterprises**
5.  **Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw**

OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

By Waqas
Hamas launches a new variant of Rust-based, multi-platform backdoor sysJoker against targets in Israel.
This is a post from HackRead.com Read the original post: Hamas-Linked Group Revives SysJoker Malware, Leverages OneDrive

Originally identified in December 2021, the SysJoker Malware is recognized for its capability to target Windows, macOS, and Linux systems.

Amid the escalating tensions in the **Israel-Hamas** conflict, Check Point Research’s (CPR) team has unearthed a new variant of a multi-platform backdoor SysJoker. According to CPR, which has been monitoring the cybersecurity activities in the two countries, SysJoker malware was used by a Hamas-affiliated APT (advanced persistent threat) group to target Israel recently.

For your information, SysJoker was **discovered by Intezer in 2021**. It is a multi-platform backdoor, which means it can target Windows, macOS, and Linux systems. The malware has been under active evolution since its discovery and today it is equipped with a range of tactics to evade detection. The new SysJoker variant is written in Rust language.

In their technical report, CPR researchers noted that the malware code has been rewritten completely but the malware still maintains its original functionalities. The primary modification is that instead of Google Drive, the **Rust** variant utilizes OneDrive to store dynamic C2 URLs.

SysJoke features two different modes for string decryption. The first method is rather simple and part of many SysJoker variants. It entails multiple base64-encoded encrypted data blobs and a base64-encoded key.

When decrypting, it decodes both base64 blobs and XORs them to produce plain text strings. The second method is much more complex and involves generating a complex string decryption algorithm.

In its **report** shared with Hackread.com ahead of publication on Tuesday, cybersecurity researchers at Check Point Research revealed that “The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.”

The report offers in-depth insights on the Rust variant of SysJoker and its Windows variants with their attributions along with infection vectors, the C2 communication mechanism, and malware’s functionalities, which include downloading/uploading files, executing commands, and capturing screenshots.

The screenshot shared by CPR shows the metadata of the OneDrive file containing the encrypted C2 server

“It is important to mention that in previous SysJoker operations, the malware also had the ability not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version,” researchers noted.

Researchers found evidence of the malware’s ties to **Gaza Cybergang** as they have used it in their previous campaigns. They also found behavioural similarities between SysJoker’s new variants and the Operation Electric Powder campaign, which crippled Israeli organizations **in 2016-2017**.

This campaign was also loosely connected to Gaza Cybergang. This gang is reportedly pro-Palestine and often launches attacks to safeguard Palestinian interests. Nevertheless, the resurgence of SysJoker malware adds to the arsenal of cyberweapons employed by hacktivists. Before this incident, Hamas hackers were discovered using a new Linux malware named **BiBi-Linux Wiper** against Israeli targets.

****_RELATED ARTICLES_****

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **Pro-Palestinian TA402 APT Using IronWind Malware in New Attack**
3.  **Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware**
4.  **Deadglyph Backdoor Linked to Stealth Falcon APT in the Middle East**
5.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
6.  **Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine**
7.  **Gelsemium APT Group Uses “Rare” Backdoor in Southeast Asian Attack**

Source

HackRead