Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.
Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024.

Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services, and banking services.

"Threat actors using the kit to deploy phishing websites often rely on Cloudflare's anti-bot and hosting obfuscation capabilities to prevent detection," Netcraft said in a report published Thursday.

Some aspects of the phishing kit were documented by security researchers Will Thomas (@ BushidoToken) and Fox\_threatintel (@banthisguy9349) last month.

Phishing kits like Xiū gǒu pose a risk because they could lower the barrier of entry for less skilled hackers, potentially leading to an increase in malicious campaigns that could lead to theft of sensitive information.

Xiū gǒu, which is developed by a Chinese-speaking threat actor, provides users with an admin panel and is developed using technologies like Golang and Vue.js. The kit is also designed to exfiltrate credentials and other information from the fake phishing pages hosted on the ".top" top-level domain via Telegram.

The phishing attacks are propagated via Rich Communications Services (RCS) messages rather than SMS, warning recipients of purported parking penalties and failed package deliveries. The messages also instruct them to click on a link that's shortened using a URL shortener service to pay the fine or update the delivery address.

"The scams typically manipulate victims into providing their personal details and making payments, for example, to release a parcel or fulfill a fine," Netcraft said.

RCS, which is primarily available via Apple Messages (starting with iOS 18) and Google Messages for Android, offers users an upgraded messaging experience with support for file-sharing, typing indicators, and optional support for end-to-end encryption (E2EE).

In a blog post late last month, the tech giant detailed the new protections it's taking to combat phishing scams, including rolling out enhanced scam detection using on-device machine learning models to specifically filter out fraudulent messages related to package delivery and job opportunities.

Google also said it's piloting security warnings when users in India, Thailand, Malaysia, and Singapore receive text messages from unknown senders with potentially dangerous links. The new protections, which are expected to be expanded globally later this year, also block messages with links from suspicious senders.

Lastly, the search major is adding the option to "automatically hide messages from international senders who are not existing contacts" by moving them to the "Spam & blocked" folder. The feature was first enabled as a pilot in Singapore.

The disclosure comes as Cisco Talos revealed that Facebook business and advertising account users in Taiwan are being targeted by an unknown threat actor as part of a phishing campaign designed to deliver stealer malware such as Lumma or Rhadamanthys.

The lure messages come embedded with a link that, when clicked, takes the victim to a Dropbox or Google Appspot domain, triggering the download of a RAR archive packing a fake PDF executable, which serves as a conduit to drop the stealer malware.

"The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware," Talos researcher Joey Chen said, adding the activity has been ongoing since July 2024.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance."

Phishing campaigns have also been observed impersonating OpenAI targeting businesses worldwide, instructing them to immediately update their payment information by clicking on an obfuscated hyperlink.

"This attack was sent from a single domain to over 1,000 recipients," Barracuda said in a report. "The email did, however, use different hyperlinks within the email body, possibly to evade detection. The email passed DKIM and SPF checks, which means that the email was sent from a server authorized to send emails on behalf of the domain. However, the domain itself is suspicious."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites

Chinese APTs lurked in Canadian government networks for five years — and that's just one among a whole host of threats from Chinese bad actors.

Source: tunasalmon via Alamy Stock Photo

Chinese state-backed actors have become Canada's most pressing cyber threat, with the People's Republic of China (PRC) collecting data from Canada's government networks for the past five years.

The Canadian Centre for Cyber Security's National Cyber Threat Assessment calls Beijing's cyber operations "second to none," and noted that at least 20 Canadian government agencies and departments have been breached by PRC state-backed actors. The cyberattackers are mainly attempting to gain information that could lead to strategic, economic, and diplomatic advantages — a play that has only grown in its intensity due to escalating tensions between the West and the PRC.

The center assured the public that the federal government networks that were compromised have since been resolved, but it warned that the threat actors who are responsible for the intrusions are now very familiar with these networks, and could be back to try again. It also stressed that the PRC's aggressive cyber campaigns represent some of the most sophisticated and active threats Canada is facing.

On a related note, the center's researchers also found that the cyber landscape around critical infrastructure in Canada is growing and becoming more complex and unpredictable, with a cast of a variety of threat actors from cybercriminals to hacktivists targeting the sector.

"We assess that our adversaries very likely consider civilian critical infrastructure to be a legitimate target for cyber sabotage in the event of a military conflict," reads their report.

Other key findings include adversaries using network attacks and online information campaigns to disrupt and shape public opinion, and the center flagged ransomware as the top cybercrime threat that Canada's critical infrastructure must grapple with.

**About the Author**

Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.
"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

Spyware / Mobile Security

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy's Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

"After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the \[command-and-control\] data and working directory," the Dutch security company said.

"Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data."

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it's believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

However, there is some evidence that the operators are likely based in China owing to the fact that the location plugin "recalculates location coordinates according to a system used exclusively in China." It's worth noting that Chinese map service providers follow a coordinate system called GCJ-02.

"The LightSpy iOS case highlights the importance of keeping systems up to date," ThreatFabric said. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

The Case Against Abandoning CrowdStrike Post-Outage

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

Source: US Navy Photo via Alamy Stock Photo

Just days after Chinese state-sponsored hackers attacked the presidential campaigns of both Donald Trump and Kamala Harris, Beijing is leveling accusations at unnamed foreign entities, accusing them of using secret maritime buoys and seabed equipment to spy on its naval activities.

In a message on WeChat — China's biggest social media app — the country's Ministry of State Security (MSS) claimed it has discovered devices designed for "reconnaissance and monitoring of our country's waters" and "intelligence collection and technical theft activities."

It went on to allege that foreign "secret guards" are lurking as drifting "spies" and acting as "lighthouses" to guide outsider submarines.

"Faced with the severe and complex situation of covert struggle in the deep-sea security field and the real threat of foreign espionage intelligence agencies, the national security agencies will ... firmly defend our sovereignty," the MSS reportedly said. 

"It’s highly unlikely we will ever find out for definite if these claims are accurate, but when it comes to the culprits, suspicion will definitely land on the West," says Ryan McConechy, chief technology officer at Barrier Networks. "The key lesson here is that the online world has become the preferred playing field for all adversaries today. Nation-states and criminals can operate much stealthier, they can often get deeper into networks and secrets than physical access would allow, and it is much safer for the troops who can physically distance themselves from targets."

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

William Wright, CEO of Closed Door Security, noted that at-sea ships do make for juicy espionage targets.

"Few people fully understand the importance of the maritime industry today, but vessels are like floating computers, and they often contain highly sensitive information," he explains. "Whether the information relates to China's rapidly growing navy, or information on trading, it could prove to be very valuable to another nation-state and China is clearly concerned."

**Tit for Tat? News Follows Reported Chinese Campaign Hacks**

The claims from Beijing come on the heels of reports from the Washington Post and Reuters last weekend that an unnamed advanced persistent threat (APT) infiltrated the Verizon Communications telecom network and intercepted phone calls and texts made by campaign staffers for both Trump and Harris.

In addition, the eavesdroppers also reportedly targeted Trump's own phone calls, along with those of his running mate JD Vance — though how successful these latter attempts were is unknown.

Related:Facebook Businesses Targeted in Infostealer Phishing Campaign

Following the reports, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed they were investigating "unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China," and acknowledged they were seeing "specific malicious activity targeting the sector," though they did not name victims or mention the candidates.

Verizon told Reuters meanwhile that it was "aware of a sophisticated attempt to target US telecoms and gather intelligence."

**China-US Tensions: Time to Up Critical Infrastructure Cyber Defense**

The activity aligns with prior attacks from the now-infamous Chinese state-sponsored APT Volt Typhoon, which first came to light in March 2023 after compromising telecom networks in Guam. It has since consistently targeted critical infrastructure in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and across the Pacific.

Similarly, another Chinese APT known as Salt Typhoon attacked US ISPs last month. The focus on high-value communications service provider networks in the US likely indicates a similar dual set of goals, researchers said at the time — to steal information and set up a launchpad for disruptive attacks.

Related:Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

"While it's alarming, the recent campaign targeting is also pretty unsurprising," says Casey Ellis, founder and adviser at Bugcrowd. "Given the US election season, and the access that Salt Typhoon had, I'd be surprised if they didn't target the elected officials and candidates for the presidential election."

All industries should learn from these types of campaigns, says Barrier Networks' McConechy, who notes that the seafaring espionage might be in retaliation for Volt Typhoon's assaults.

"Whether it's spyware implanted into routers, snooping hot air balloons, or spying submersibles, nation-states are getting increasingly creative when it comes to eavesdropping on other countries, so critical industries must be prepared for these assaults," he stresses. "In the digital world, these types of cyber-physical espionage campaigns have become the norm. Most countries will deny they conduct them, but they will be, they just won't want to publicly announce it, or let their target know."

He adds, "All systems must be scanned regularly for malware, and the locations close to where critical infrastructure resides must be continuously monitored for intruders, whether human or robotic. Improving defenses both physically and digitally must be a priority.”

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China Says Seabed Sentinels Are Spying, After Trump Taps

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for…

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for popular software. The malware steals Facebook credentials, hijacks accounts espicially those administrating business pages, and spreads further attacks globally.

A new malvertising campaign is exploiting Meta’s advertising platform to spread the **SYS01 infostealer**, a cybersecurity threat known to Meta and particularly Facebook users for stealing their personal information.

What makes this attack targeted is that millions of users globally, specifically men aged 45 and above, are potential victims of this ongoing attack, which cleverly disguises itself as advertisements for popular software, games, and online services.

This campaign, first detected in September 2024, stands out due to its impersonation tactics and popular brands that it exploits. Instead of focusing on a single lure, the attackers mimic a broad range of trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

****How the Attack Works:****

According to Bitdefender’s **blog post** shared with Hackread.com ahead of publishing on Wednesday, the malicious ads often lead to MediaFire links offering direct downloads of seemingly legitimate software. These downloads, packaged as zip archives, contain a malicious Electron application.

Once executed, this application drops and **runs the SYS01 infostealer**, often while displaying a decoy app that mimics the advertised software. This deceptive tactic makes it difficult for victims to realize they’ve been compromised.

For your information, an Electron application is a type of desktop app built with web technologies like HTML, CSS, and JavaScript. Electron is an open-source framework developed by GitHub that allows developers to create cross-platform applications that run on Windows, macOS, and Linux, all from a single codebase.

In this attack however, behind the scenes, the Electron app uses obfuscated Javascript code and a standalone 7zip executable to extract a password-protected archive containing the core malware components. This archive includes PHP scripts responsible for **installing the infostealer** and establishing persistence on the victim’s system. The malware also incorporates anti-sandbox checks to evade detection by security researchers.

****Stealing Data and Hijacking Accounts:****

The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used to further attacks/scams.

What’s worse, the attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create **new malicious ads** that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign (Via Bitdefender)

****Global Reach and Protection****

While the campaign has a global reach, impacting users in the EU, North America, Australia, and Asia, Bitdefender could not verify the full extent of its impact, especially outside the EU, which remains unclear due to limited data transparency.

Nevertheless, if you are on Facebook—especially if you run a business page—you must watch out for SYS01 Infostealer and **similar threats**. While using common sense is essential, here are some vital steps you should take:

1.  **Monitor your accounts:** Regularly check your Facebook and other social media accounts for suspicious activity. Report any unauthorized access immediately and change your passwords.
2.  **Be wary of ads:** Exercise caution when clicking on ads, especially those offering free downloads or deals that seem too good to be true. Verify the source before downloading any software.
3.  **Stick to official sources:** Download software directly from official websites or trusted app stores. Avoid third-party platforms and file-sharing services.
4.  **Use strong security software:** Install reputable security software and keep it updated. Choose a solution that offers real-time protection and advanced threat detection.
5.  **Enable two-factor authentication (2FA):** Activate 2FA on your Facebook and other important online accounts for added security.

1.  **Fake GTA VI Beta Download Spreads Malware**
2.  **ALPHV Ransomware Uses Google Ads to Target Victims**
3.  **Fake WhatsApp clone steals crypto on Android and Windows**
4.  **Facebook, Meta, Apple, Amazon Most Impersonated in Scams**
5.  **Fake ChatGPT and Facebook Ads Used in DNS Investment Scam**

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome is up to date

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

**Technical details**

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU\-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Patch now! New Chrome update for two critical vulnerabilities 

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets.
The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300

Cybercrim / Cryptocurrency

Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets.

The package, named "CryptoAITools," is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300 times before being taken down on PyPI.

"The malware activated automatically upon installation, targeting both Windows and macOS operating systems," Checkmarx said in a new report shared with The Hacker News. "A deceptive graphical user interface (GUI) was used to distract vic4ms while the malware performed its malicious ac4vi4es in the background."

The package is designed to unleash its malicious behavior immediately after installation through code injected into its "\_\_init\_\_.py" file that first determines if the target system is Windows or macOS in order to execute the appropriate version of the malware.

Present within the code is a helper functionality that's responsible for downloading and executing additional payloads, thereby kicking-off a multi-stage infection process.

Specifically, the payloads are downloaded from a fake website ("coinsw\[.\]app") that advertises a cryptocurrency trading bot service, but is in fact an attempt to give the domain a veneer of legitimacy should a developer decide to navigate to it directly on a web browser.

This approach not only helps the threat actor evade detection, but also allows them to expand the malware's capabilities at will by simply modifying the payloads hosted on the legitimate-looking website.

A notable aspect of the infection process is the incorporation of a GUI component that serves to distract the victims by means of a fake setup process while the malware is covertly harvesting sensitive data from the systems.

"The CryptoAITools malware conducts an extensive data theft operation, targeting a wide range of sensitive information on the infected system," Checkmarx said. "The primary goal is to gather any data that could aid the attacker in stealing cryptocurrency assets."

This includes data from cryptocurrency wallets (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), saved passwords, cookies, browsing history, cryptocurrency extensions, SSH keys, files stored in Downloads, Documents, Desktop directories that reference cryptocurrencies, passwords, and financial information, and Telegram.

On Apple macOS machines, the stealer also takes the step of collecting data from Apple Notes and Stickies apps. The gathered information is ultimately uploaded to the gofile\[.\]io file transfer service, after which the local copy is deleted.

Checkmarx said it also discovered the threat actor distributing the same stealer malware through a GitHub repository named Meme Token Hunter Bot that claims to be "an AI-powered trading bot that lists all meme tokens on the Solana network and performs real-time trades once they are deemed safe."

This indicates that the campaign is also targeting cryptocurrency users who opt to clone and run the code directly from GitHub. The repository, which is still active as of writing, has been forked once and starred 10 times.

Also managed by the operators is a Telegram channel that promotes the aforementioned GitHub repository, as well as offers monthly subscriptions and technical support.

"This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another," Checkmarx said.

"The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community. Users who starred or forked the malicious 'Meme-Token-Hunter-Bot' repository are potential victims, significantly expanding the attack's reach."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Apple Security Advisory 10-28-2024-8 - visionOS 2.1 addresses information leakage, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-8 visionOS 2.1

visionOS 2.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121566.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: Apple Vision Pro  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

CoreMedia Playback  
Available for: Apple Vision Pro  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreText  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Foundation  
Available for: Apple Vision Pro  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-44285: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Lock Screen  
Available for: Apple Vision Pro  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44262: Justin Saboo

Managed Configuration  
Available for: Apple Vision Pro  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44258: Hichem Maloufi, Christian Mina, Ismail Amzdak

MobileBackup  
Available for: Apple Vision Pro  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: A logic issue was addressed with improved file handling.  
CVE-2024-44252: Nimrat Khalsa, Davis Dai, James Gill  
(@jjtech@infosec.exchange)

Pro Res  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44277: an anonymous researcher and Yinyi Wu(@_3ndy1) from Dawn  
Security Lab of JD.com, Inc.

Safari Downloads  
Available for: Apple Vision Pro  
Impact: An attacker may be able to misuse a trust relationship to  
download malicious content  
Description: This issue was addressed through improved state management.  
CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Safari Private Browsing  
Available for: Apple Vision Pro  
Impact: Private browsing may leak some browsing history  
Description: An information leakage was addressed with additional  
validation.  
CVE-2024-44229: Lucas Di Tomase

Shortcuts  
Available for: Apple Vision Pro  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

Siri  
Available for: Apple Vision Pro  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)

Siri  
Available for: Apple Vision Pro  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Additional recognition

Calendar  
We would like to acknowledge  K宝(@Pwnrin) for their assistance.

ImageIO  
We would like to acknowledge Amir Bazine and Karsten König of  
CrowdStrike Counter Adversary Operations, an anonymous researcher for  
their assistance.

Messages  
We would like to acknowledge Collin Potter, an anonymous researcher for  
their assistance.

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Photos  
We would like to acknowledge James Robertson for their assistance.

Safari Private Browsing  
We would like to acknowledge an anonymous researcher, r00tdaddy for  
their assistance.

Safari Tabs  
We would like to acknowledge Jaydev Ahire for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/118481. To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcgAfIACgkQX+5d1TXa  
IvpPzw/+OkUnfZKbUwCJy+p9jbg/ZO5i/RRbW4Tk3E6kDx0idc+p/MLRP+Guy3n+  
hJOBSf0cEcebnpu8HYJx4FnkTef0SYWfE2qhEES2Rs8kro5lA+Rr/o3yJjhE9tUN  
rWr3ZqGptThOsFiC7AxIieBlNGJAXI8J7PdtcIuN1anzF/decUf6mf9xO90nk1JH  
Feof4/Mxcks5tq6s2GGJu8jilt+Lm8rjXnrrix9Dw+fUTuz1+1Zd/hxX7M7YhCzb  
VdtLWXGHsmLNc+uxhb0krnI37x8lbfz8WrOYBaSTz3WjBvMhC9HEmFdyT9nl++nm  
HjzI5WE66YyOFufA+XwFpbroPGrSNM4k/ievpTX/39XzCLxVd1ocVHkKi8HZ2F13  
wB/7DKVj+inrXD/dVEHyW7e6dYiXrbgDOAfrkRgqv+aFYm/seuFIYxtHV8VdOrx8  
6gl27L2q4bMPIBicT6YGquyrog5qKfkD+VoiM2QPKaTt7MX70eJD7mywoFbD2cSk  
McS3pu+SPRhD0bpYx9Uy93w6w8AnBI0EtUUshF/+A7Z0bY4oAZKKsTeviqI1yYpw  
YHNSW7AO/Su/Y3mbJge4jENKjiUa8pk9am19Ks8JvMiHZhuGl1KG6GcK2pkLTZd1  
Lub2pxLg5uDPF1OkAG8IbVEi2OIXJZ8wSwphcmaKeQbcfGaVwCE=  
=l6xz  
-----END PGP SIGNATURE-----

Tag

#apple