Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome is up to date

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

**Technical details**

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU\-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Patch now! New Chrome update for two critical vulnerabilities 

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

Source: Tierfotoagentur via Alamy Stock Photo

Researchers have uncovered a fresh browser attack that compromises "private" application programming interfaces (APIs) in Opera to allow carte blanche over victims' browsers.

Browser APIs provide a bridge between Web applications and browser functionalities — including those related to security, storage, performance optimization, geolocation, and more — enabling the websites you visit to provide better, more robust features and experiences. Most browser APIs are publicly known, available to all, and rigorously reviewed.

Companies, however, have a habit of giving special permissions to their own preferred apps and sites. The Opera browser, for example, saves "private" APIs for several preferred third-party domains — such as Instagram, Atlassian, and Russia's Yandex and VK — as well as its own internal development domains, and those that are publicly reachable in the production version of the browser.

These private APIs may be useful for developers, but researchers from Guardio demonstrated how they could be accessed by hackers, too, allowing cyberattackers an array of powers imaginable from a browser: changing settings, hijacking accounts, disabling security extensions, adding further malicious extensions, and more. They did so with a canine-themed proof-of-concept attack they called "CrossBarking."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**CrossBarking Opera Browser Attack**

The goal of CrossBarking is to run malicious code in the context of sites with access to those powerful, private APIs. To do that, one could make use of, for example, a cross-site scripting (XSS) vulnerability. Or, even easier, a malicious browser extension.

Getting a malicious extension onto Opera is no small feat. Many a developer has complained about just how drawn out its manual review process can be — taking months or even years in some cases. The upside is the comfort that Opera's 350 million active users enjoy: that the extensions they add to their browsers have been well and thoroughly vetted.

That isn't as much the case, however, for Chrome extensions, which Opera allows its users to download. Chrome add-ons undergo a largely automated review process, and might go live within just hours or days of being submitted for approval.

So, to leverage privileged Opera sites, Guardio researchers developed a Chrome extension, not an Opera one. They designed it to add pictures of puppies to webpages — a guise for running scripts on any given site — and covered its maliciousness enough to get approved on the Chrome store. If a puppy-loving Opera user adopted the extension and visited a site with private API access, it would perform a direct script injection attack to run malicious code and gain access to any powers afforded by those private APIs.

Related:When Cybersecurity Tools Backfire

To demonstrate the full breadth of power afforded by CrossBarking, Guardio researchers targeted the settingsPrivate API, which allows for reading and editing any available browser settings. They used settingsPrivate to change a hypothetical victim's Domain Name System (DNS) settings, funneling all of their browser activity through a malicious DNS server. From there, the researchers had full view into the victim's browsing activity, plus the ability to manipulate the content of webpages or redirect the victim to malicious pages.

"You could almost take control over the entire browser, and the computer hosting it," explains Nati Tal, head of Guardio Labs. Though his PoC focused on changing a specific browser setting, "in the same way, you can change any other setting. There are many more APIs to hack — \[we didn't\] have enough time to check all of the possibilities."

**Security vs. Functionality in Browser APIs**

In the eternal struggle between functionality and security, browser developers will not easily part with the special APIs that allow them powers beyond those afforded to the hoi polloi. That applies to Opera, and other browsers as well. In May, Guardio discovered a not-dissimilar issue with a private API used for marketing in another Chromium browser, Microsoft Edge.

Related:Recurring Windows Flaw Could Expose User Credentials

To fix the CrossBarking issue, Opera did not do away with its private APIs or its Chrome extension cross-compatibility. On Sept. 24, though, it did adopt a sort of quick-fix solution already implemented in Chrome: blocking the ability of any extension to run scripts on domains with private API access.

"The infrastructure of Chromium is \[such that\] vendors need to take control of their security, and think about all the possible attack vectors there are. There are so many possible vectors," Tal concludes.

He adds: "In this case, again, it wasn't even in their \[app store\]. Opera is not responsible for Chrome Store, but they do allow extensions from there, so they need to think about it as well. \[They have to see\] the entire ecosystem, not only this vulnerability, to keep up with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'CrossBarking' Attack Targets Secret APIs, Exposes Opera Browser Users

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.
The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.
To demonstrate the issue, the company said it managed to publish a

Browser Security / Vulnerability

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs.

The attack, codenamed **CrossBarking**, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said.

To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack.

"This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.

The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not the first time security flaws have been identified in the browser.

Earlier this January, details emerged of a vulnerability tracked as MyFlaw that takes advantage of a legitimate feature called My Flow to execute any file on the underlying operating system.

The latest attack technique hinges on the fact that several of Opera-owned publicly-accessible subdomains have privileged access to private APIs embedded in the browser. These domains are used to support Opera-specific features like Opera Wallet, Pinboard, and others, as well as those that are used in internal development.

The names of some of the domains, which also include certain third-party domains, are listed below -

*   crypto-corner.op-test.net
*   op-test.net
*   gxc.gg
*   opera.atlassian.net
*   pinboard.opera.com
*   instagram.com
*   yandex.com

While sandboxing ensures that the browser context remains isolated from the rest of the operating system, Guardio's research found that content scripts present within a browser extension could be used to inject malicious JavaScript into the overly permissive domains and gain access to the private APIs.

"The content script does have access to the DOM (Document Object Model)," Tal explained. "This includes the ability to dynamically change it, specifically by adding new elements."

Armed with this access, an attacker could take screenshots of all open tabs, extract session cookies to hijack accounts, and even modify a browser's DNS-over-HTTPS (DoH) settings to resolve domains through an attacker-controlled DNS server.

This could then set the stage for potent adversary-in-the-middle (AitM) attacks when victims attempt to visit bank or social media sites by redirecting them to their malicious counterparts instead.

The malicious extension, for its part, could be published as something innocuous to any of the add-on catalogs, including the Google Chrome Web Store, from where users could download and add it to their browsers, effectively triggering the attack. It, however, requires permission to run JavaScript on any web page, particularly the domains that have access to the private APIs.

With rogue browser extensions repeatedly infiltrating the official stores, not to mention some legitimate ones that lack transparency into their data collection practices, the findings underscore the need for caution prior to installing them.

"Browser extensions wield considerable power — for better or for worse," Tal said. "As such, policy enforcers must rigorously monitor them."

"The current review model falls short; we recommend bolstering it with additional manpower and continuous analysis methods that monitor an extension's activity even post-approval. Additionally, enforcing real identity verification for developer accounts is crucial, so simply using a free email and a prepaid credit card is insufficient for registration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad…

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad device compatibility. Enjoy seamless access to geo-restricted content securely.

Some geo-restricted content can only be unlocked and streamed using a Virtual Private Network (VPN). A VPN for streaming services allows you to watch content seamlessly while protecting your online identity.

With so many VPNs available, not all perform equally, making it challenging to find the best VPNs without interruptions. In this article, we’ll break down essential features to consider when selecting the top VPNs for streaming.

**Server Locations and Coverage**

An important feature in a streaming VPN is server locations and coverage, which determine the content you can access. Choose a VPN with a wide range of high-speed servers to prevent connectivity issues. A strong network spread across multiple countries will allow access to geo-restricted content. Look for VPN providers that frequently update servers, as this indicates a commitment to maintaining quality.

**Speed and Bandwidth**

To support HD streaming, ensure your VPN offers speeds of at least 100 Mbps, with no bandwidth limits or throttling. A VPN optimized for streaming should minimize buffering and reduce latency for smoother content loading.

****Encryption and Security****

When choosing a VPN for streaming, prioritize strong encryption and security. Look for AES-256 encryption or higher, and support for OpenVPN, IKEv2, and WireGuard protocols. The VPN should also include DNS leak protection to keep your IP address secure. If the VPN connection drops, an automatic internet disconnect feature ensures data remains private. These protections ensure that your data will not be exposed to third parties.

****Streaming Optimization****

Streaming optimization is key. The VPN should be optimized for high-speed, low-latency streaming, with custom protocols tailored to this purpose. Look for features that automatically select the best server for streaming, reducing buffering and enhancing speed.

****Device Compatibility****

Your VPN should support all the devices you plan to connect, including Windows, macOS, iOS, Android, and Linux. Look for compatibility with smart TVs (such as Samsung TV, Android TV, and Apple TV) and gaming consoles (PlayStation, Xbox, Nintendo Switch). It should also work with popular streaming platforms like Roku, Chromecast, and Amazon Fire TV. Browser extensions for Chrome, Firefox, and Safari add versatility, making it easier to stream across multiple devices.

****Simultaneous Connections****

Choose a VPN that supports at least five simultaneous connections. This feature lets you connect multiple devices without altering individual settings, which is convenient for families or business use. Check the VPN documentation for setup guides and confirm compatibility with less common devices like Linux and Chromebook. Additionally, look for split tunneling to configure specific device connections.

****Customer Support****

Reliable customer support is essential when using a VPN for streaming. Quick access to assistance for any issues or questions is critical. Look for providers that offer guides, FAQs, and tutorials for self-help, and a prompt email response time (ideally within 3 hours). Social media support is a plus. Effective customer support indicates a provider’s commitment to user satisfaction and technical support.

****Pricing and Payment Options****

Consider affordability and payment flexibility. Some VPNs offer discounts for long-term plans, free trials, money-back guarantees, and even cryptocurrency options. Make sure you’re getting value for your investment and review refund policies carefully. Look out for hidden fees or sudden price hikes, and ensure pricing transparency before subscribing.

****Logging Policy****

Opt for a VPN with a strict no-logs policy. It should avoid storing IP addresses, tracking online activities, or saving connection metadata. This policy helps ensure your privacy, reduces data breach risks, and underscores the VPN’s commitment to protecting client data.

****Compatibility with Popular Streaming Services****

Ensure the VPN is compatible with major streaming platforms you want to access, such as Netflix, Disney+, Hulu, Amazon Prime Video, HBO Max, and BBC iPlayer. Compatibility with these services ensures a smooth streaming experience and value for your subscription.

****Conclusion****

When selecting a VPN for streaming, consider these key features to make an informed choice. Look for speed, encryption, extensive server locations, streaming optimization, and privacy protections. Ensure the VPN provider doesn’t store user data and that its pricing, support, and device compatibility meet your expectations. Taking these steps will give you the best streaming experience while maintaining your online privacy.

1.  **Everything you need to know about VPN tracking**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **Surfshark VPN Data Breach Awareness with See-Through Toilet**
4.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
5.  **Google Launches Verification Badges for Security Tested VPN Apps**

Top VPN Features to Consider When Choosing the Right Streaming Service

There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

With the holidays around the bend, many are looking for gifts for their family and friends. And since we somehow decided we want to give more each time, we’re also looking for good deals.

But European law enforcement agency Europol issued a warning about buying fake goods. Sure, they are cheaper, but they do come with a dark side.

According to Europol’s report titled “Uncovering the ecosystem of intellectual property crime, ”approximately 86 million fake items were seized in the European Union (EU) in 2022 alone, with an estimated total value exceeding EUR 2 billion (US$ 2.1 billion).

Not only does this ecosystem provide buyers with substandard goods, it also enables crimes like intellectual property (IP) crime, cybercrime, money laundering, and environmental crime.

Intellectual property is what drives innovation. Criminals don’t come up with new inventions, they just create cheap copies of popular items without regards for safety of the product, working conditions, or environmental regulations. The only thing counterfeiters are innovating are ways to exploit consumer demand for counterfeit and pirated goods.

The report states:

> “The rise of social media, influencers and online commerce have changed consumers’ behavior, increasing their appetite for IP infringing goods or content, while having a low awareness of risks.”

Criminals fully abuse the social media platform algorithms that reach potential buyers using customized ads that speak to their personal interests and preferences. These are often removed after automated reviews.

So, there is another critical role in advertising counterfeit goods, which are influencers. Through their channels, influencers may direct customers to product listings on online stores that evade security protocols about counterfeit adverts.

By buying counterfeit goods you are also unwittingly enabling cybercriminals that are engaged in fraud, corruption, labor exploitation, environmental crime, money laundering, and cybercrime.

On the other hand, the risks of getting caught and the relatively low penalties make IP crime a low-risk, high-benefit criminal activity.

Consumers, however, are not always aware of the fact they are buying counterfeit goods. As sophisticated technologies are used to replicate holograms, logos, and packaging, unaware consumers are more likely than ever to be deceived, and recognizing counterfeit items has become a task that requires specific knowledge and an expert eye.

**How to avoid counterfeit goods**

Nonetheless, there are a few pointers to be given on how to avoid buying counterfeit goods.

*   Where possible, buy from the brand’s own store. When that’s not an option look for authorized retailers. Many brands publish lists of authorized sellers on their websites. And some of the larger webstores use “Authenticity Guarantee” badges on their listings.
*   When it comes to pricing, follow the old saying: “If it’s too good to be true, it probably is.”
*   A legitimate webstore should have contact information, look professional, and specify consumer rights.
*   Review advertisements on social media, influencer channels, and chat platforms with a little bit of extra caution.
*   Look for consumer reviews. Interestingly, it could be a red flag if the reviews of the product and company are universally bad—or if there are no bad reviews at all.

If you’re not completely sure about the product or the website, at least make sure to use a secured payment page and preferably use your credit card, in case you need to recover your money.

If you have bought a counterfeit product:

*   Stop and think before you use it, to consider whether it is safe to use. The materials used for production are likely to be sub-standard and could pose a risk to your health.
*   Report it to the platform where you made the purchase and to the legitimate brand.
*   Report it to the proper authorities.

Use Malwarebytes Browser Guard to block advertisements, scams, and trackers. It’s a free browser extension for Chrome, Firefox, Edge, and Safari.

 Europol warns about counterfeit goods and the criminals behind them 

Debian Linux Security Advisory 5799-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5799-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 28, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-10229 CVE-2024-10230 CVE-2024-10231Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.69-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcfKnwACgkQZF0CR8Nudje0sBAAsYJO23wXH5WDVCouanWuxcBKHrXDSF0RrlPOQP5tJURzc8teVhQodU6aohwckqSyCeYI3/z6NvfVcZFOWVlNQLktcNo8nWw7pMTMkhynk9OA3KCR/LDA3b6TIZxW3z55Sza4TkcJrj+DIUgBFRBzQvFolwP6MRMcjI+kT4To9YemZlED8ZlhtNt4/abKD2suwV5nyzRFPh14sgujtwuF/zPNivuHMQFXNwWfnbIBmJlC+3XO3Ox1IVZ3IcN2tCWM0hvtkGOCOA5e3OXUGuLgWdQWg0J/hlZ8wYwlamDutp/BS3zPxurshDrEY1WOgb7oSl2rM3IgitsnHyyccICgasto7vlYpKJBCfhXDyuR00a+Sfihn91hT2lCodp8x6HazMD8HxutTa+xiihBFgKON/NFK2GvS0EbaCUe5lQe893y7cBAYhHwliXmKuL+9D/H53+UhPJSE97ZOvsLoopTzk2+cgInstHfX1SpNR4rPKN5Sk0VxDbnDiKuSUmPOGqG4xnWLhg9g04lWWNB34nHkq8cPLfGDd0erk8GHHX7/PYTqlLf8cmJppnwNoZffi3B6mk/zbwPCMVaM8odDL9Pc41zooLCGkykglmR6Yw/xbdC9+vrlsFJ/O2ligILTl/9Yf5ZaxemdcE/QEv65VyoYIDs7BkXcpgRIMqo55l5FTI==Rr/n-----END PGP SIGNATURE-----

Debian Security Advisory 5799-1

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.
This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

Cyber Security / Hacking News

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.

This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the knowledge you need to stay safe.

So grab your popcorn (and maybe a firewall), and let's dive into the latest cybersecurity drama!

**⚡ Threat of the Week**

**Critical Fortinet Flaw Comes Under Exploitation:** Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.

 **🚢🔐 Kubernetes Security for Dummies**

How to implement a container security solution and **Kubernetes Security best practices** all rolled into one. This guide includes everything essential to know about building a strong security foundation and running a well-protected operating system.

Get the Guide**️🔥 Trending CVEs**

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

**🔔 Top News**

*   **Severe Cryptographic Flaws in 5 Cloud Storage Providers:** Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull them off.
*   **Lazarus Exploits Chrome Flaw:** The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
*   **AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed:** A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
*   **SEC Fines 4 Companies for Misleading SolarWinds Disclosures:** The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
*   **4 REvil Members Sentenced in Russia:** Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.

**📰 Around the Cyber World**

*   **Delta Air Lines Sues CrowdStrike for July Outage:** Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. "CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," it said. "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike said "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
*   **Meta Announces Secure Way to Store WhatsApp Contacts:** Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and hardware security module (HSM). Until now, WhatsApp relied on a phone's contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS "aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-friendly way" and that "WhatsApp servers do not have visibility into the content of a user's contact metadata." All the identified shortcomings have been fully fixed as of September 2024.
*   **CISA, FBI Investigating Salt Typhoon Attacks:** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the "malicious activity" was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Multiple reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
*   **Fraudulent IT Worker Scheme Becomes a Bigger Problem:** While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn't just limited to the country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it's not clear what they were after. "Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process," HYPR said. "Video-based verification is a critical identity control, and not just at onboarding."
*   **Novel Attacks on AI Tools:** Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to "accept and respond with content that would normally be blocked" by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.

**🔥 Resources & Insights****🎥 Infosec Expert Webinar**

**Master Data Security in the Cloud with DSPM**: Struggling to keep up with data security in the cloud? Don't let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today's data-driven world.

**🛡️Ask the Expert**

**Q:** What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?

**A:** The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.

**🔒 Tip of the Week**

**Level Up Your DNS Security:** While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be misled to fake websites to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card's authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).

**Conclusion**

And there you have it – another week's worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We'll be back next Monday with more news and insights to help you navigate the digital landscape.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)

Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage.
"The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for

Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage.

"The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials," Netskope Threat Labs researcher Jan Michael Alcantara said in an analysis.

The cybersecurity company said it tracked a 10-fold increase in traffic to phishing pages crafted using Webflow between April and September 2024, with the attacks targeting more than 120 organizations across the world. A majority of those targeted are located in North America and Asia spanning financial services, banking, and technology sectors.

The attackers have been observed using Webflow to create standalone phishing pages, as well as to redirect unsuspecting users to other phishing pages under their control.

"The former provides attackers stealth and ease because there are no phishing lines of code to write and detect, while the latter gives flexibility to the attacker to perform more complex actions as required," Michael Alcantara said.

What makes Webflow a lot more appealing than Cloudflare R2 or Microsoft Sway is that it allows users to create custom subdomains at no additional cost, as opposed to auto-generated random alphanumeric subdomains that are prone to raise suspicion -

*   Cloudflare R2 - https://pub-<32\_alphanumeric\_string>.r2.dev/webpage.htm
*   Microsoft Sway - https://sway.cloud.microsoft/{16\_alphanumeric\_string}?ref={sharing\_option}

In an attempt to increase the likelihood of success of the attack, the phishing pages are designed to mimic the login pages of their legitimate counterparts in order to deceive users into providing their credentials, which are then exfiltrated to a different server in some instances.

Netskope said it also identified Webflow crypto scam websites that use a screenshot of a legitimate wallet homepage as their own landing pages and redirect the visitor to the actual scam site upon clicking anywhere on the bogus site.

The end goal of the crypto-phishing campaign is to steal the victim's seed phrases, allowing the attackers to hijack control of the cryptocurrency wallets and drain funds.

In the attacks identified by the cybersecurity firm, users who end up providing the recovery phrase are displayed an error message stating their account has been suspended due to "unauthorized activity and identification failure." The message also prompts the user to contact their support team by initiating an online chat on tawk.to.

It's worth noting that chat services such as LiveChat, Tawk.to, and Smartsupp have been misused as part of a cryptocurrency scam campaign dubbed CryptoCore by Avast.

"Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking any other links," Michael Alcantara said.

The development comes as cybercriminals are advertising novel anti-bot services on the dark web that claim to bypass Google's Safe Browsing warnings on the Chrome web browser.

"Anti-bot services, like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, have become a cornerstone of complex phishing operations," SlashNext said in a recent report. "These services aim to prevent security crawlers from identifying phishing pages and blocklisting them."

"By filtering out cybersecurity bots and disguising phishing pages from scanners, these tools extend the lifespan of malicious sites, helping criminals evade detection longer."

Ongoing malspam and malvertising campaigns have also been discovered propagating an actively-evolving malware called WARMCOOKIE (aka BadSpace), which then acts as a conduit for malware such as CSharp-Streamer-RAT and Cobalt Strike.

"WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments," Cisco Talos said.

An analysis of the source code suggests that the malware is likely developed by the same threat actors as Resident, a post-compromise implant deployed in as part of an intrusion set dubbed TA866 (aka Asylum Ambuscade), alongside the Rhadamanthys information stealer. These campaigns have singled out the manufacturing sector, followed closely by government and financial services.

"While long-term targeting associated with the distribution campaigns appears indiscriminate, most of the cases where follow-on payloads have been observed were in the United States, with additional cases spread across Canada, United Kingdom, Germany, Italy, Austria and the Netherlands," Talos said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials

Lawo AG vsm LTC Time Sync versions prior to 4.5.6.0 suffer from a path traversal vulnerability.

    SEC Consult Vulnerability Lab Security Advisory < 20241024-0 >=======================================================================              title: Unauthenticated Path Traversal Vulnerability            product: Lawo AG - vsm LTC Time Sync (vTimeSync) vulnerable version: <4.5.6.0      fixed version: 4.5.6.0         CVE number: CVE-2024-6049             impact: high           homepage: https://docs.lawo.com/vsm-ip-broadcast-control-system/vsmgear-user-manual/discontinued-products/vsmltc              found: 2024-01-11                 by: Sandro Einfeldt                     Dennis Jung                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"Lawo designs and manufactures video, audio, control and monitoringtechnology for broadcast, performing arts, installed sound and corporateapplications. All products are developed in Germany and manufacturedaccording to highest quality standards at the company's headquartersin the Rhine valley town of Rastatt, Germany."Source: https://lawo.com/company/about-us/Business recommendation:------------------------The vendor provides a patch which should be installed immediately.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)The web interface of vsm LTC Time Sync (vTimeSync) is vulnerable to a pathtraversal vulnerability. By sending a specially crafted HTTP request, anunauthenticated remote attacker can download arbitrary files from the vulnerablesystem. As a limitation, the exploitation is only possible if the requested filehas a file extension, e.g. .exe or .txt.The web server is running with highest SYSTEM privileges per default, whichenables an attacker to gain access to privileged files.Proof of concept:-----------------1) Unauthenticated Path Traversal Vulnerability (CVE-2024-6049)To exploit the vulnerability it is sufficient to use the following curl-commandto send a request to the vulnerable web server:curl http://$host:8033/.../.../.../.../.../.../.../.../.../<Path to file>For example, the following command can be used to request the default filewin.ini:curl http://$host:8033/.../.../.../.../.../.../.../.../.../Windows/win.iniIf the application is running with SYSTEM-privileges (default), the followingcommand can be used to exfiltrate the Powershell history of the Windowsadministrator, which might leak sensitive information:curl http://$host:8033/.../.../.../.../.../.../.../.../.../Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txtVulnerable / tested versions:-----------------------------The following version has been tested which was the latest version availableat the time of the test:* 4.4.12.0According to the vendor, versions before 4.5 are affected and v4.5.6.0includes the fixes.Vendor contact timeline:------------------------2024-01-22: Contacting vendor through info@lawo.com; no response2024-02-14: Contacting vendor again, adding support@lawo.com email2024-02-15: Vendor response (support), asking for details.2024-02-15: Asking where to submit the advisory, whether encryption            is supported.2024-02-16: Vendor, submit either via email or JIRA; informing us            that broadcasting software security levels are not that high            as the network is usually not connected to the outside.2024-02-16: Submitting security advisory to vendor JIRA; explaining            our severity estimation and risks by exposing the affected            service.2024-02-20: Vendor has taken a look at the advisory, asking whether            HTTPS would solve the issue.            Telling vendor, that HTTPS won't fix the problem, describing            the security issue again, providing link to OWASP path traversal            page, etc.2024-02-21: Vendor cannot reproduce issue in Chrome browser.            Explaining how we exploited the vulnerability.2024-03-11: Asking for a status update; no update from R&D yet, vendor will            keep us updated.2024-04-09: Asking for a status update, whether vendor needs further support.2024-04-10: Vendor pinged their PM, will let us know as soon as feedback is            available.2024-05-15: Vendor recently introduced "a login" for vTimeSync which only            lets people with a username and a PW access the page. Vendor asks            us whether this would cover the vulnerability.2024-05-23: Telling the vendor that a login does not fix the identified            path traversal issue; no response.2024-06-17: Asking for a status update again.2024-06-17: Vendor support has forwarded our feedback internally.2024-09-25: Asking for a status update, CVE and affected/fixed version number.            Preparing for release in October.2024-09-25: Vendor support still has no updates, asking product management and            RnD team again.2024-09-26: Asking the vendor to keep us informed.2024-09-27: Vendor support will review the case next Wednesday.2024-10-10: Asking for a status update.            Vendor has no news, this topic is in the R&D backlog, no date yet            when development will be started.2024-10-11: Vendor states that the developers have already fixed the issue in            the current release.2024-10-17: Asking for the version numbers (affected / patched).            Vendor provides download to version 4.5.6.0 including changelog.            Changelog contains information about security fix in version 4.4.13,            but also changes regarding SSL/HTTPS and logon feature in 4.5.0 and 4.5.1.            Asking the vendor again, in which version the issue has been            fixed.            Vendor informs us the problem is fixed after v4.5 and we should use            the latest version.2024-10-21: Confirming version numbers, sending draft advisory to vendor and            assigned CVE-2024-6049.2024-10-24: Coordinated release of security advisory.Solution:---------The vendor provides a patch in versions after v4.5 which can be downloaded from thefollowing URL, such as version 4.5.6.0.https://lawo.com/lawo-downloads/Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Sandro Einfeldt, Dennis Jung, Johannes Greil / @2024

Lawo AG vsm LTC Time Sync Path Traversal

North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…

North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with a deceptive and fake NFT game. The attackers use social engineering and malicious software to steal sensitive data and potentially deploy further malware.

The infamous North Korean hacking group, Lazarus Group, has launched a sophisticated attack campaign targeting cryptocurrency investors. This campaign, uncovered by Kaspersky researchers, involves a multi-layered attack chain that leverages social engineering, a fake game website, and a zero-day exploit in Google Chrome.

According to the report, Kaspersky Total Security discovered a new attack chain in May 2024 targeting an unnamed Russian national’s personal computer using the Manuscrypt backdoor. 

Kaspersky researchers Boris Larin and Vasily Berdnikov estimate that the campaign started in February 2024. Delving deeper into the attack researchers found that the attackers have created a website called “detankzonecom” that appears to be a legitimate platform for a “DeFiTankZone” game.

This game supposedly combines Decentralized Finance (DeFi) elements with Non-Fungible Tokens (NFTs) within a Multiplayer Online Battle Arena (MOBA) setting. The website even features a downloadable trial version, further enhancing the illusion of legitimacy. However, beneath the surface lies a malicious trap. 

The fake NFA game site and the hidden exploit loader (Via Kaspersky)

“Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC,” researchers wrote.

The exploit contains code for two vulnerabilities: one allowing attackers to access the entire address space of the Chrome process from JavaScript (CVE-2024-4947) and the second allows bypassing the V8 sandbox to access memory outside the bounds of the register array. Google patched CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine, in March 2024, but it’s unclear if the attackers discovered it earlier and weaponized it as a zero-day or exploited it as an N-day vulnerability.

An n-day vulnerability refers to a security flaw or weakness that has already been discovered, publicly disclosed, and typically patched or mitigated by the software vendor. The term “n-day” indicates that the vulnerability has been known for “n” days, where n represents the number of days since the vulnerability was first disclosed or patched.

Following successful exploitation, the attackers deploy a custom script (validator) to gather system information and determine if the infected device holds any valuable assets worth further exploitation. The specific payload delivered after this stage remains unknown.  

In this campaign, Lazarus has targeted influential figures in the cryptocurrency space, leveraging social media platforms like X (formerly Twitter) and LinkedIn. They established a social media presence with multiple accounts on X, actively promoting the fake game, and employed generative AI and graphic designers to create high-quality promotional content for the DeTankZone game. Additionally, the group sent specially crafted emails to individuals of interest, posing as blockchain companies or game developers seeking investment opportunities.

The DeTankZone website itself appears to be built upon the stolen source code of a legitimate blockchain game called DeFiTankLand (DFTL). This game experienced a security breach in March 2024, leading to the theft of $20,000 worth of cryptocurrency.

While the developers suspected an insider, Kaspersky researchers believe Lazarus Group might be responsible for both the theft and the repurposing of the stolen source code for their malicious campaign.  

This campaign highlights the evolving tactics of the Lazarus Group. It’s crucial to be wary of unsolicited investment opportunities, especially those involving downloadable game clients or suspicious social media promotions. Additionally, keeping browser software like Chrome updated with the latest security patches is essential to mitigate the risk of zero-day exploits.  

1.  **How Bad is the North Korean Cyber Threat?**
2.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
3.  **North Korean Hackers Deploy Linux FASTCash ATM Malware**
4.  **Fake North Korean IT Workers Infiltrate Firms, Demand Ransom**
5.  **Nexera DeFi Protocol Hacked: $1.8M Stolen in Smart Contract Exploit**

Tag

#chrome