A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole…

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole crypto assets from unsuspecting victims. Learn how to protect yourself from similar scams.

Check Point Research (CPR) has discovered the first-ever mobile crypto drainer app on Google Play, deceptively posing as the legitimate WalletConnect tool. The app targeted users directly on their mobile devices, stealing around $70,000 from at least 150 victims. This marks the first time a drainer has exclusively targeted mobile device users, using advanced social engineering tactics and sophisticated evasion techniques.

The fake crypto drainer and wallet app (Screenshot: CPR)

This app capitalized on the trusted name “WalletConnect,” a well-known protocol for connecting wallets to Decentralized Applications (dApps). By appearing as a genuine WalletConnect solution, it lured users who were struggling to connect their wallets to Web3 applications using traditional methods into installing it.

Once installed, the app would prompt users to connect their wallets. This seemingly harmless request was a trap. Upon connection, the app would silently activate the MS Drainer, a powerful toolkit designed to steal various crypto assets.

The MS Drainer would then scan the victim’s wallet for valuable assets like tokens and NFTs. It would prioritize stealing the most valuable ones, using clever techniques to minimize fees and avoid detection. The app also employed deceptive tactics to trick users into signing transactions that would grant the attacker permission to withdraw funds.

These transactions appeared legitimate, leading many victims to unknowingly compromise their assets. This process is repeated across multiple blockchain networks, allowing attackers to systematically steal victims’ assets.

The malicious WalletConnect app used advanced social engineering and technical manipulation, exploiting the complexities of the legitimate WalletConnect protocol, to deceive users into thinking it was a safe tool for connecting their cryptocurrency wallets to Web3 applications.

According to Check Point’s detailed technical report shared with Hackread.com ahead of publishing on Thursday, the app also used advanced evasion techniques, such as fake positive reviews, to remain undetected on Google Play’s verification process for nearly five months, causing significant damage. It managed to accumulate over 10,000 downloads and received numerous fake positive reviews, further deceiving potential victims.

Fake reviews (Screenshot: CPR)

This indicates the growing sophistication of cybercriminals in the decentralized finance ecosystem. Crypto drainers, which steal digital assets, are increasingly used by attackers, often using phishing websites and apps that mimic legitimate platforms. This case highlights the importance of user awareness and security in the DeFi space, reminding us yet again that even seemingly legitimate apps can harbour malicious intent.

Commenting on this, Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software warned Android users to watch out before downloading an app from third-party as well as Google’s very own Google Play or Play Store.

“This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance,” Alexander explained.

“This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. Both users and developers must stay informed and take proactive measures to secure their digital assets.”

1.  Trezor Data Breach Exposes Email and Names of 66,000 Users
2.  Pink Drainer Posed as Journalists, Stole $3M from Twitter Users
3.  Hackers Posed as Google Support to Steal $243 Million in Crypto
4.  Apple Approves Fake App Before Real Rabby Wallet, Funds Stolen
5.  Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

First Mobile Crypto Drainer on Google Play Steals $70K from Users

Companies in this industry vertical tend toward large financial transactions with partners, suppliers, and customers.

Source: devilmaya via Alamy Stock Photo

A small group of transportation and logistics companies in North America has been targeted in cunning business email compromise (BEC) attacks.

Since May, an unknown threat actor has weaponized at least 15 email accounts associated with its targeted companies. In a blog published on Sept. 24, Proofpoint researchers could not say how the threat actor first obtained access to these accounts. What is known is that the attacker is using the accounts to bury initial access malware inside of existing email chains, betting that recipients will have their guards down so deep into ongoing conversations with colleagues.

"Thread hijacking is obviously very effective," says Daniel Blackford, director of threat research for Proofpoint. "Once an account takeover has happened, this increased legitimacy makes it much harder for anyone but those who are the most vigilant" to spot it.

**Bespoke Phishing Attacks**

From May to July, the threat actor primarily hid payloads inside of Google Drive files leading to Internet shortcut (URL) files. When executed, the attack chain uses server message block (SMB) to retrieve an executable file from a remote share, which installs one of a number of different, known malware tools. Among them: Lumma, the most common infostealer in the world today; StealC; and the legitimate tool NetSupport.

In August, the attacker shifted to using the "ClickFix" technique for tricking victims into downloading its malware. With ClickFix, a malicious webpage presents the victim with a fake pop-up error message. Through a series of dialogue boxes, the victim is instructed to copy and paste a supposed fix for the issue into a PowerShell terminal or Windows Run. In fact, the so-called fix is a script, which downloads and runs an executable. In these recent phishing attempts, the executables for download included DanaBot and Arechclient2 (aka SectopRAT).

Why ClickFix works at all — despite asking for much more active engagement and technical monkeying from the victim — can seem confounding.

"The human psychology behind why really convoluted attack chains work continues to astonish me on a yearly basis," Blackford admits. He does, though, have a theory. "Something that I've heard is that it can be annoying to deal with IT, so if the 'solution' is right in front of you, and you don't have to communicate with a help desk and have people remote into your to your system to fix them, then maybe it's actually less trouble to just try to execute it yourself."

**Why Transport and Logistics Make Attractive Targets**

Various threat actors have disguised ClickFix behind fake Windows and Chrome updates. In this case, the attacker impersonated Samsara, AMB Logistics, and Astra TMS, platforms highly specialized for fleet and freight management, demonstrating the highly targeted nature of the campaign.

As Blackford notes, transport and logistics companies can make attractive targets for financially motivated cyberattacks. "They do business with lots of entities — suppliers for a lot of industrial manufacturers, for example," he says. "They're going to be corresponding with a lot of different companies. There's going to be a lot of moving parts — a lot of things in and out, constantly moving — so a lot of opportunities to find connected, future victims from just one company."

With fertile ground to sneak in amongst the many moving players and deals, he notes, "There are requests for quotes and invoices that are of a fairly large magnitude — that are, in terms of the finances involved, maybe an order of magnitude higher than in some other industries."

He adds that, while rare, "There also is some evidence recently of threat actors trying to redirect legitimate shipments to locations that are under their control."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Transport, Logistics Orgs Hit by Stealthy Phishing Gambit

Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?

Source: National Picture Library via Alamy Stock Photo

A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.

"SloppyLemming" is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group's latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India's borders.

Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan's sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming's attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors, and there have been hints of potential targeting in or around Australia's capital, Canberra.

The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare's own "Workers" platform together in phishing attack chains that end in credential harvesting and email compromise.

**Hackers Using Cloudflare Workers**

SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station's IT department. It distinguishes itself more in step two when it abuses Cloudflare's Workers service.

Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare's global servers. They're essentially chunks of JavaScript that intercept requests made to a user's website in transit — before they reach the user's origin server and apply some sort of function to them, for example, redirecting links or adding security headers.

Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called "BlackWater" used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.

SloppyLemming uses a custom-built tool called "CloudPhish" to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target's webmail login page, and creates a malicious copycat with it. When the target enters their login information, it's stolen via a Discord webhook.

**Abusing Cloud Services**

SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.

Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a "high" severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.

"They use at least three, or four, or five different cloud tools," notes Blake Darché, head of Cloudforce One at Cloudflare. "Threat actors generally are trying to take advantage of companies by using different services from different companies, so \[victims\] can't coordinate what they're doing."

To make sense of attack chains that spread across so many platforms, he says, "You've got to have good control of your network, and implement zero-trust architectures so you understand what's going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

**Multi Branch School Management System 3.5 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Multi Branch School Management System version 3.5 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | b4c3fb3408f8d7a80baf2b5ec0b035520c60a8b287134c61abe01863834639ea

Download | Favorite | View

**Multi Branch School Management System 3.5 Backup Disclosure**

    =============================================================================================================================================| # Title     : Multi Branch School Management System 3.5 Backup Disclosure Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://school.ramomcoder.com/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /uploads/db_backup/[+] http://127.0.0.1/Multi/uploads/db_backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Multi Branch School Management System 3.5 Backup Disclosure

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

Posted Sep 25, 2024

Authored by indoushka

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | e760cf3c5b44d7d8984817fcf92204fd9912a026b5d02720406cc72f12ac70ed

Download | Favorite | View

**Complete Multi Hospital Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Complete Multi Hospital Management System 1.0 Backup Disclosure Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/free-download-complete-multi-hospital-management-system/                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /files/backups/[+] http://127.0.0.1/multihospital/files/backups/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,950)
*   Arbitrary (17,099)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,293)
*   Encryption (2,395)
*   Exploit (54,302)
*   File Inclusion (4,275)
*   File Upload (1,020)
*   Firewall (822)
*   Info Disclosure (2,922)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,304)
*   Local (14,858)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,281)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,903)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,306)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,121)
*   Web (10,143)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,304)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,592)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,327)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,893)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,867)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Complete Multi Hospital Management System 1.0 Backup Disclosure

The advanced Python-based PysSilon malware can steal data, record keystrokes, and execute remote commands. The attackers behind it are promising to leak details of deleted X posts related to accused rapper and music producer Sean Combs.

Source: Photo 12 via Alamy Stock Photo

Threat actors are using the public's interest in a current scandal surrounding celebrity rapper Sean "Diddy" Combs to spread spyware, via files promising to reveal details of deleted posts related to Combs from the X social media platform.

Researchers have uncovered a version of the open source PySilon RAT, a remote access Trojan called "PdiddySploit" hiding in files posted online and then submitted to VirusTotal, according to analysis from Veriti Research published Sept. 24.

PySilon RAT is an advanced Python-based malware that can steal sensitive information, record keystrokes, capture screen activity, and execute remote commands, posing "serious threats to personal and organizational security," according to the post by Veriti.

Combs (aka P. Diddy), a rapper, record producer, and entrepreneur who has been in the public eye since the 1990s, is facing multiple charges of sexual assault and misconduct in New York, which has thrust him into the recent media spotlight. One area of acute public interest are controversial posts related to Combs and alleged illicit activity on X by fellow celebrities and musicians, such as Usher and Pink, as well as Combs himself that have since been deleted, according to Veriti.

"One of the most concerning aspects of this trend is the use of files related to Combs' social media activity, particularly from X.com," according to the post.

Related:Security Concerns Plague Emerging Chip Architecture

Specifically, the researchers uncovered files containing posts and replies from Combs' now-deleted account on VirusTotal, where they were uploaded by a user named @lamps\_apple. "These files are part of an automated process of 'collecting posts and replies,' but they pose a high risk because they can be easily armed with malicious payloads," according to Veriti.

**Taking Advantage of Current Events**

The activity demonstrates how attackers are quick to take advantage of current events or media stories of interest to the public to spread malware by weaponizing content related to them. One clear example of this activity was during the COVID-19 pandemic, when multiple phishing and other malicious campaigns leveraged public interest in the virus and other health-related topics to spread malware.

"Given the intense media coverage surrounding P. Diddy and other public figures, attackers are using these files to lure curious users into downloading them, only to be infected with malware," according to Veriti. "The fact that P. Diddy and others have deleted their social media content adds an additional layer of intrigue, tempting users to open these files to see what was deleted."

Related:How to Establish & Enhance Endpoint Security

PsySilon RAT — discovered in 2022 — also has seen a surge in recent use by multiple threat actors, with more than 300 samples reported on VirusTotal since June 2023, according to Cyble Research and Intelligence Labs (CRIL). Attackers use the malware to infiltrate systems, steal information, and even control devices remotely, according to Veriti.

PsySilon RAT is currently in version 3.6 and has been detected in numerous samples that imitate software, tools, and cracks, which likely originate from phishing websites, free software-downloading websites, and the like, according to Cyble.

Given the discovery of the RAT lurking behind the cover of PdiddySploit, it's likely that as the related scandal continues to attract attention, even more attackers will "leverage this malware to exploit public interest," according to Veriti.

**Don't Let Curiosity Cloud Safe Judgment**

It's perfectly natural for people to take an interest in trending topics and celebrity scandals, the researchers noted. However, that doesn't mean people should throw caution to the wind when interacting with any related files or content online.

"Curiosity can be dangerous," Veriti researchers warned, especially as attackers are well-versed in social engineering and "are always looking for ways to exploit human nature."

Related:RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary

To avoid falling prey to attackers aiming to capitalize on this and other news of public interest, Veriti advised that people avoid downloading suspicious files, especially if they encounter files claiming to contain deleted posts or exclusive content related to a celebrity scandal. They should always verify the source of these or any files before downloading something from the Internet, the researchers noted.

People also should be wary of email attachments because phishing emails remain a primary way that attackers spread malware. "If you receive an email with attachments related to the P. Diddy scandal, think twice before opening it," according to Veriti. Using up-to-date antivirus software and other protections to secure email accounts also effectively can delete malware or malicious files before they even reach someone's inbox.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sophisticated RAT Hides Behind P. Diddy Scandal Lures

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent.
"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said

Data Protection / Online Tracking

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent.

"Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said. "In essence, the browser is now controlling the tracking, rather than individual websites."

Noyb also called out Mozilla for allegedly taking a leaf out of Google's playbook by "secretly" enabling the feature by default without informing users.

PPA, which is currently enabled in Firefox version 128 as an experimental feature, has its parallels in Google's Privacy Sandbox project in Chrome.

The initiative, now abandoned by Google, sought to replace third-party tracking cookies with a set of APIs baked into the web browser that advertisers can talk to in order to determine users' interests and serve targeted ads.

Put differently, the web browser acts as a middleman that stores information about the different categories that users can be slotted into based on their internet browsing patterns.

PPA, per Mozilla, is a way for sites to "understand how their ads perform without collecting data about individual people," describing it as a "non-invasive alternative to cross-site tracking."

It's also similar to Apple's Privacy Preserving Ad Click Attribution, which allows advertisers to measure the effectiveness of their ad campaigns on the web without compromising on user privacy.

The way PPA works is as follows: Websites that serve ads can ask Firefox to remember the ads in the form of an impression that includes details about the ads themselves, such as the destination website.

If a Firefox user ends up visiting the destination website and performs an action that's deemed valuable by the business – e.g., making an online purchase by clicking on the ad, also called "conversion" – that website can prompt the browser to generate a report.

The generated report is encrypted and submitted anonymously using the Distributed Aggregation Protocol (DAP) to an "aggregation service," after which the results are combined with other similar reports to create a summary such that it makes it impossible to learn too much about any individual.

This, in turn, is made possible by a mathematical framework called differential privacy that enables the sharing of aggregate information about users in a privacy-preserving manner by adding random noise to the results to prevent re-identification attacks.

"PPA is enabled in Firefox starting in version 128," Mozilla notes in a support document. "A small number of sites are going to test this and provide feedback to inform our standardization plans, and help us understand if this is likely to gain traction."

"PPA does not involve sending information about your browsing activities to anyone. Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."

It's this aspect that noyb has found fault with, as it's in violation of the European Union's (E.U.) stringent data protection regulations by enabling PPA by default without seeking users' permissions.

"While this may be less invasive than unlimited tracking, which is still the norm in the US, it still interferes with user rights under the E.U.'s GDPR," the advocacy group said. "In reality, this tracking option doesn't replace cookies either, but is simply an alternative - additional - way for websites to target advertising."

It further noted that a Mozilla developer justified the move by claiming that user's cannot make an informed decision and that "explaining a system like PPA would be a difficult task."

"It's a shame that an organization like Mozilla believes that users are too dumb to say yes or no," Felix Mikolasch, data protection lawyer at noyb, said. "Users should be able to make a choice and the feature should have been turned off by default."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent

Cybercriminals are exploiting the ongoing Sean “Diddy” Combs scandal by spreading the new PDiddySploit malware hidden in infected…

Cybercriminals are exploiting the ongoing Sean “Diddy” Combs scandal by spreading the new PDiddySploit malware hidden in infected files, targeting curious and unsuspecting social media users, particularly those on X.com (formerly Twitter).

Cybercriminals are wasting no time exploiting the recent scandal involving Sean “Diddy” Combs. As the public’s curiosity surges over the music mogul controversy, cybercriminals have seized the moment to spread a new strain of malware designed to take advantage of the growing interest.

According to Veriti’s research team, a new Trojan malware dubbed PDiddySploit has been identified. This malware, part of the PySilon RAT (Remote Access Trojan) family, is developed to exploit those seeking information about Diddy’s now-deleted social media activity on platforms like X.com (formerly Twitter).

The Trojan, which has advanced capabilities for stealing sensitive data, monitoring keystrokes, recording screen activity and remotely controlling infected systems, can severely compromise anyone’s security and privacy.

****The PDiddySploit Threat****

First discovered on September 13, 2024, PDiddySploit is a direct variant of the PySilon RAT, which is notorious for its adaptability and malicious functionalities. PySilon, an open-source **Python-based malware**, has become a preferred tool for threat actors due to its ability to evolve and spread quickly.

The current version of PySilon RAT is version 3.6 and since June 2023 alone over 300 samples have been found on **VirusTotal**, showing how cybercriminals are continuously refining this tool.

****Celebrity Scandals as a Gateway for Malware Attacks****

According to Veriti’s **report** shared with Hackread.com ahead of publishing on Tuesday, one of the most alarming aspects of this wave of attacks is how closely they are tied to Diddy’s deleted social media content.

One major part of this malware attack is how cybercriminals are uploading files that claim to contain “removed” posts and replies from Diddy’s X.com account, and these files are being used as bait to lure unsuspecting users. Curious individuals who want to see what was deleted are being tricked into downloading these files, unknowingly infecting their devices with the PDiddySploit Trojan.

One of the malicious files with deleted Diddy posts was uploaded by a now-deleted account @lamps\_apple on Virus Total (Screenshot via Veriti)

This tactic is effective because of the public’s curiosity. As the scandal gets more media attention, attackers know that many users will search for more information, especially content that has been taken down.

Veriti’s analysis uncovered several of these malicious files on platforms like VirusTotal, all associated with Diddy’s deleted posts. These files, packaged to appear like legitimate screenshots or documents, are loaded with malware, turning curiosity into a cybersecurity nightmare.

****Diddy and Malware****

Interestingly, this is not the first time Sean “Diddy” Combs’ name has been associated with malware. **Back in 2013**, a similar attack was launched, using Diddy’s hit song “I’m Coming Home” as the bait. That malware, disguised as an MP3 file, targeted users who wanted to download the track.

In similar attacks, hackers exploited the nude celebrity photo leaks scandal **in December 2016** to lure victims into downloading malicious PDF files loaded with malware. **In February 2020**, cybercriminals used Oscar movie nominations as bait, tricking users into downloading malware disguised as “free downloads” of movies nominated for the 2020 Oscar Best Picture award.

Nevertheless, while it may be tempting to explore deleted content or hidden details, letting curiosity take over can expose your device to malware. Additionally, the increasing sophistication of malware like PySilon RAT, added with the lure of celebrity conspiracy, sets the stage for successful cyberattacks. Therefore, watch out for social media trends, especially those addressing high-profile scandals.

1.  **Hackers Hiding DcRAT Malware in Fake OnlyFans Content**
2.  **Crooks using Marvel’s Black Widow movie to spread malware**
3.   **Torrent uploader CracksNow distributed GrandCrab ransomware**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **Russian Hackers Control Malware via Britney Spears Instagram Posts**

PDiddySploit Malware Hidden in Files Claiming to Reveal Deleted Diddy Posts

A water treatment facility in a small city took serious precautions to prevent any bad outcomes from a hazy cyber incident.

Source: Dmitry Kaminsky via Alamy Stock Photo

The water treatment facility for a small city in Kansas experienced a "cybersecurity incident" on the morning of Sept. 22.

Arkansas City — population 12,000, a two-hour drive north of Oklahoma City — sits at the junction of the Walnut and Arkansas Rivers, the latter of which supplies the town's drinking water. A notice from the city's Environmental Services Administration revealed that on Sept. 22, its treatment facility experienced a "cybersecurity incident." Authorities were contacted and precautionary measures taken. Most notably, the facility moved to fully manual operations — a temporary decision made "out of caution," according to city manager Randy Frazer in the notice.

"Despite the incident, the water supply remains completely safe, and there has been no disruption to service," Frazer wrote. "Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."

The administration added that "Cybersecurity experts and government authorities are working to resolve the situation and return the facility to normal operations. Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents."

Dark Reading has reached out to Arkansas City for more information about the incident. In lieu of details, Shawn Waldman, CEO and founder of Secure Cyber, points out that a switch to manual operations could indicate some degree of seriousness.

"In a breach that we investigated last November, we actually never went to manual mode," he recalls. "We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, and we let the plant operate as normal. There's a lot of strain on employees when you put a plant in manual mode. That's the last case scenario — you don't want to go into manual mode unless you have to."

**The Problem With State-of-the-Art Systems**

Industrial control systems have long struggled to match old, legacy equipment to the demands of modern day cybersecurity.

Less often spoken of is the opposite problem: newer facilities designed with greater connectivity in mind, which introduce attack surfaces that the dinosaur, often analog machines, didn't have.

The new 5.4 million-gallon-per-day water treatment facility in Arkansas City opened in February 2018. It cost $22 million to build, and sports "advanced technology" estimated to save the city up to 20% on operational and maintenance costs. The exact nature of its cybersecurity posture is unknown. 

"Just because a city comes out and says: 'We just upgraded everything, and it's all new, and we should be good' — well, that's great, but what about cybersecurity?" asks Waldman. "Some cities are not making a proper investment into securing their critical infrastructure.

"My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure."

To ensure that cities don't leave security out of their budgets, Waldman says, "The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed. They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on the water systems in the United States. Because, big surprise, Iran reads the US news."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Kansas Water Plant Pivots to Analog After Cyber Event

A mitigation bypass / privilege escalation flaw has been discovered in Apple's iOS Screen Time functionality, granting one access to modify the restrictions. It allows a local attacker to acquire the Screen Time Passcode by bypassing the anti-bruteforce protections on the four-digit Passcode, and in consequence gaining total control over Screen Time (Parental Control) settings. Version 17.2.1 is affected.

    Document Title:===============Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass)Release Date:=============2024-09-24Affected Product(s): ==================== Vendor: Apple Inc.Product: Apple iOS 17.2.1 (possibly all < 18.0 excluding 18.0)References:====================VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo The vulnerability has been patched in the latest release of the operating system (iOS 18.0).Abstract Advisory Information:==============================A mitigation bypass / privilege escalation flaw has been discovered in Apple's iOS Screen Time functionality, granting one access to modify the restrictions.It allows a local attacker to acquire the Screen Time Passcode by bypassing theanti-bruteforce protections on the four-digit Passcode, and in consequencegaining total control over Screen Time (Parental Control) settings.Common Weakness Enumeration====================================CWE-307: Improper Restriction of Excessive Authentication AttemptsCWE-799: Improper Control of Interaction FrequencyExploitation Technique:=======================LocalSeverity Level:===============ModerateDiscovery Status:=================Full DisclosureTechnical Details & Description:================================1. The Screen Time Passcode input is generally immune to bruteforce attacks, and the following document reveals a weakness in the implementation of thesemitigations.2. The Passcode always consists of four digits, therefore the range of values an attacker needs to check is low. 3. The usage of an external HID, particularly a keyboard, whether one connected through USB-C, Lightning or Bluetooth, simplifies andenhances the speed and practicality of the brute force attack.4. In nearly all cases, the Screen Time Passcode input form is fortified with strict mitigations, such as time delay imposed upon reachinga certain threshold of subsequent failed attempts.5. This can be noticed when one attempts to manually guess the Passcode in "Settings > Screen Time", where multiple consecutive failed attempts triggerthe anti-bruteforce mitigation.6. The aforementioned mitigation is akin to the one in the Screen Lock input,with increasingly long delays after every block, making it a solid mitigation against bruteforce attacks.7. In one case, such mitigations are absent, enabling rapid bruteforce attacksagainst a low-complexity, four-digit input, suggesting a CWE-307 vulnerability.8. Because of this case, all the other protections of the Screen Time Passcode in practice become null and void.9. It is possible to create an user friendly, cross-platform software, thatwould allow children, or other people under Screen Time, to easily acquirethe code to its settings.10. It is often the case that such codes are exactly the same on every deviceassociated with one iCloud account, extending the impact to other devices.Proof of Concept (PoC):=======================Assumptions: Screen Time is enabled, and the Screen Time Passcode is set.1. Open "Settings"2. Go to "General"3. Scroll down to "Erase Content and Settings"4. Once prompted, choose "Erase Content and Settings" again.5. Agree with the dialogue, proceed further. 6. Press the red button asking for confirmation of the erasure.7. Enter the current Device Passcode or Password. 8. Now you will be asked to enter the Screen Time Passcode (if one is set).This four digit input form is vulnerable to unlimited bruteforce attacks.9. Once the correct Passcode is provided, the "Uploading Data to iCloud" screen should appear. 10. The moment it happens, go back IMMEDIATELY (use the arrow on the upper left corner of the screen to stop the process before it begins erasing data)11. The device erasure process should now be stopped.12. The Screen Time Passcode should now be well-known.VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo Security Risk:==============The security risk is estimated as moderate, and context dependent.Abuse of this vulnerability results in full control over tScreen Time settings imposed on the device, making it possible to disarm all the restrictions. It is worth mentioning, that the Passcode could be shared among other devicesassociated with the same iCloud account. If this is the case, the impact of the vulnerability becomes more significant.Example restrictions provided by Screen Time, that could be then deactivated:- Harmful content protection (adult / traumatizing content, malicious websites)- Restrictions on communication with strangers- Device usage time limits (Downtime, daily usage limits).- Camera, location and microphone access permissions for specific applications.- Device activity monitoring and reporting.- Application-specific usage time limits.- Application-specific functionality limits.- Security settings that require the Screen Time Passcode to access and modify. - and possibly more...The attack, when executed properly:- can be repeated, in case the Screen Time Passcode gets changed by the parent.- can be used to change the Passcode to an arbitrary one, or disable it. - can be used to shut down all the system parental control settings on the,device, and possibly acquire similar power against other synchronized devices.- gives one the silent knowledge of the Passcode, which makes it more stealthyand detection resilient.There are no known protections against this attack, other than an upgrade of all the devices running on vulnerable versions, to the latest version.Solution - Fix & Patch:=======================Patched in iOS 18.0, despite not being acknowledged by the vendor.Fixed with a silent rate-limit enforced on the vulnerable input. Vulnerability Disclosure Timeline:==================================2023-12-21: The vulnerability has been reported to the vendor.2023-12-23: The vendor has refused to acknowledge the vulnerability.2023-12-27: The vulnerability has been reported again, more details included,and real-world impact scenarios, complete with a clear video demonstration. 2024-01-02: The vendor has refused to acknowledge the vulnerability once again.2024-09-16: The vulnerability has been patched in the next major release of the vulnerable system (iOS 18.0).2024-09-24: Full disclosure of the vulnerability.Credits & Authors:==================SivertPL (kroppoloe@protonmail.ch)

Tag

#apple