**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-2024-10229: Chromium: CVE -2024-10229 Inappropriate implementation in Extensions

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Source: MAHATHIR MOHD YASIN via Shutterstock

North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site.

**Elaborate Campaign**

"Over the years, we have uncovered many \[Lazarus\] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.

Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government's missile program.

In the latest campaign the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

**A Chrome Zero-Day and a Second Bug**

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit is that it does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn along AI-generated content and images to create an illusion of authenticity around their fake game site.

"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie…

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie malware from the BadSpace family. Learn about the threat actor’s persistent attacks, sophisticated tactics, and the advanced tools used to compromise systems.

Cybersecurity researchers at Cisco Talos have revealed new information about the sophisticated operations of TA866, also known as Asylum Ambuscade, a threat actor known for its persistent and adaptable attack strategies. 

TA866 has been active since 2020, focusing on financially motivated malware campaigns and espionage. The group uses numerous tools and techniques, including commodity and custom-built ones as part of its attack.

The group has also adopted a calculated approach, seeking to maintain their presence in compromised environments, carefully assessing the situation, and deploying tools as needed to achieve their objectives.

****The Infection Chain: A Multi-Stage Process****

According to Cisco Talos’ investigation, TA866’s attacks involve a multi-stage infection chain, beginning with the delivery of a malicious JavaScript downloader, which acts as a gateway, retrieving subsequent payloads from attacker-controlled servers. These payloads often take the form of MSI packages, which contain malware such as WasabiSeed.  

WasabiSeed is a crucial downloader component in the infection chain, ensuring persistence by establishing itself on compromised systems using an LNK shortcut. It can continuously poll for additional payloads from attacker-controlled servers, allowing TA866 to deliver subsequent attack stages.

TA866 also uses the Screenshotter malware family to capture periodic screenshots of the infected system. These screenshots provide valuable insights into the victim’s activities and allow TA866 to identify sensitive information or potential targets for further exploitation.  

In addition, TA866 frequently deploys AHK Bot, a modular malware family that uses AutoHotKey scripts to perform various functions such as system enumeration, screenshot capture, domain identification, keystroke logging, credential theft, and more. AHK Bot’s modular nature allows TA866 to customize its capabilities based on the specific needs of each attack.

****WarmCookie and TA866 Connection****

Cisco Talos’ research also highlights connections between WarmCookie malware and TA866, including similar lure themes, overlapping infrastructure, the deployment of CSharp-Streamer-RAT, Cobalt Strike as a follow-on payload, and the use of programmatically generated SSL certificates.

WarmCookie, a notorious malware family also called BadSpace, emerged in April 2024 and has been distributed through malspam and malvertising campaigns. It serves as a backdoor, allowing threat actors long-term access to compromised systems. It offers a wide range of functions like payload deployment, file manipulation, command execution, screenshot collection, and persistence.

> _“We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.”_
> 
> Cisco Talos Research Team

Researchers also revealed how it is consistently used in invoice-related and job agency themes to lure victims to access hyperlinks in email bodies or attached documents like PDFs. A recent WarmCookie campaign used malspam and invoice lures to distribute malicious PDF attachments. These PDFs redirected victims to JavaScript downloaders on servers linked to the LandUpdates808 infrastructure.

Screenshot: Cisco Talos

TA866’s evolution highlights the complex challenges faced by organizations in defending against cyber threats. Organizations need to stay informed about the latest threat intelligence and implement advanced security measures to mitigate the risks posed by this advanced threat actor.

1.  **Fake CAPTCHA Pages Spread Lumma Stealer Fileless Malware**
2.  **Chinese “ChamelGang” Uses Attacks for Disruption, Data Theft**
3.  **Octo2 Malware Uses Fake NordVPN, Chrome Apps in its Attacks**
4.  **Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms**
5.  **Fake ESET Emails Used to Target Israeli Firms with Wiper Malware**

TA866 Group Linked to New WarmCookie Malware in Espionage Campaign

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted…

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted cloud keys. This security flaw could lead to unauthorized access, data breaches, and service disruptions.

Research conducted by cybersecurity experts at Symantec has revealed that popular apps on both Android and iOS platforms contain hardcoded, unencrypted cloud service credentials, putting millions of users’ sensitive data and backend services at risk of unauthorized access and potential data breaches.

The issue comes from developers embedding access and secret keys directly in the app’s code instead of using secure storage methods. This makes it easy for attackers to access sensitive data, steal user information, or disrupt services.

Among the affected Android apps, Pic Stitch: Collage Maker, with over 5 million downloads, and Meru Cabs, Sulekha Business, and ReSound Tinnitus Relief, each with hundreds of thousands of downloads, were found to contain hardcoded AWS and Azure credentials, respectively. These credentials grant access to critical cloud storage and other backend services.

On the iOS side, popular apps like Crumbl (over 3.9 million ratings), Eureka: Earn Money for Surveys (402.1K ratings), and Videoshop – Video Editor (357.9K ratings) were also found to have hardcoded AWS credentials, including access keys and even WebSocket Secure (WSS) endpoints, further simplifying potential attacks.

Eureka IDA code with hardcoded AWS credentials (Via Symantec)

****Full list of impacted apps on iOS and Android****

*   **Crumbl (over 3.9 million ratings)**
*   **Meru Cabs (over 5 million downloads)**
*   **Sulekha Business (over 500,000 downloads)**
*   **Videoshop – Video Editor (over 357,000 ratings)**
*   **ReSound Tinnitus Relief (over 500,000 downloads)**
*   **Pic Stitch: Collage Maker (over 5 million downloads)**
*   **Eureka: Earn Money for Surveys (over 402,000 ratings)**

This issue, found on both Android and iOS, is a serious concern. It could lead to anything from individual data breaches to major service disruptions. Symantec’s findings show the urgent need for developers to follow security best practices.

To mitigate these risks, developers are advised to follow best practices for managing sensitive information within their applications. These include using environment variables, implementing secrets management, encrypting sensitive data, conducting regular code reviews and audits, and automating security scanning.

“This repeated pattern of insecure credential management across multiple apps underscores the critical need for developers to prioritize security in the mobile app development lifecycle,” **said** a Symantec spokesperson.

For users, Symantec advises installing **reputable security software**, downloading apps only from trusted sources, keeping software updated, carefully reviewing app permissions, and regularly backing up important data. These precautions can help mitigate the risks associated with insecure apps while developers work to address these critical vulnerabilities.

1.  Google reveals spyware attack on Android, iOS, and Chrome
2.  Study: Android sends more data to Google than iOS to Apple
3.  Bluetooth Falw Enables Keystroke Injection on Android and iOS
4.  WiFi Flaws Allow Network Traffic Interception on iOS and Android
5.  Instagram iOS, Android app flaw allowed account access to hackers

Millions of iOS and Android Users at Risk as Popular Apps Expose Cloud Keys

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Source: Rawpixel via Shutterstock

Cybercriminals have found a new way to get around what has been an effective deterrent to phishing attacks, with novel anti-bot services sold on the Dark Web that allow them to bypass the protective "Red Page" warning in Google Chrome that alerts users to potential fraud.

The anti-bot services aim to prevent security crawlers from identifying phishing pages and blocklisting them by filtering out cybersecurity bots and disguising phishing pages from Google scanners, according to new research published today by SlashNext.

They do this by rendering ineffective the Red Page, a feature of Google Safe Browsing — which itself is a feature of Chromium-based browsers and other Google services — that aims to protect users from harmful websites by warning them of potential dangers, such as phishing attempts. The page is so-named because it is displayed in red and provides a warning that a site to which someone is navigating may be deceptive, advising them to avoid it.

In doing so, the warning can "severely" limit "the potential success of phishing attacks," according to the post, providing "a massive hurdle" to threat campaigns. That's because these campaigns rely on high click-through rates, which is significantly lowered when Google's detection flags a phishing page and adds it to a blocklist.

Now various anti-bot services found on the Dark Web, such as Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, "threaten to undermine this line of defense, potentially exposing more users to sophisticated phishing attempts," according to the post.

**How Anti-Bot Services Work**

Though each service has its own unique features, they are all based on a combination of several techniques that allow malicious content to bypass Google's Red Page feature. Most rely on bot detection mechanisms that analyze user-agent strings and IP addresses to filter known security bot traffic that would otherwise be blocked, according to SlashNext.

"Public lists of cybersecurity crawlers are widely available (for example, Shodan), making it easy to filter known security bot traffic," according to the post. "Once an IP address or user-agent is flagged as a security crawler, it is blocked, ensuring the page remains accessible to real users but hidden from cybersecurity entities."

The services also use cloaking techniques such as context-switching or JavaScript obfuscation to serve different content based on the visitor’s profile. These techniques effectively redirect security crawlers to benign content while directing a user to a phishing page.

Another common feature of the anti-bot services is to introduce CAPTCHA or challenge pages to filter out automated scanners that typically would analyze a webpage for malicious content. "Since most bots cannot solve CAPTCHAs, this technique effectively blocks them while allowing real users through," according to the post.

Some anti-bot services might even introduce a time delay, which further confuses security bots by making them "time out" before they can scan the page and thus warn users of a potential security threat.

They also can bypass the Google Red Page by delivering region-specific content and blocking foreign traffic, according to SlashNext. For example, if a phishing campaign is targeting a Korean bank, the service might allow only Korean traffic to visit the site while blocking foreign IP addresses, the researchers noted. Moreover, these methods can get extremely specific in terms of geography, even narrowing campaigns down to the city level, which would prevent international cybersecurity services from detecting the page entirely, according to the post.

**Not Completely Foolproof**

While these anti-bot services can significantly reduce the scope of Google Red Page, they do have their limitations, the researchers noted. The malicious services work best in less sophisticated phishing campaigns because they can identify and block known crawlers in the user-agent string — where many security vendors declare their bots and crawlers, the researchers noted.

"This allows cybercriminals to filter out bot traffic, prolonging the lifespan of phishing campaigns," according to the post. However, in more sophisticated phishing operations, manual analysis by analysts will eventually detect the page, leading to its inclusion on blocklists.

Still, anything that can limit the detection of phishing by end users is a threat to the overall security, not just of individuals but also enterprises. That's because despite being one of the oldest forms of cybercrime, phishing is still one of the primary ways attackers gain initial entry onto corporate networks to perform other types of malicious activities, such as ransomware attacks.

Moreover, the rise in the availability of phishing kits that make it easy for attackers to create campaigns, the growing sophistication of phishing tactics and now the emergence of anti-bot services make detection by individuals and defenders more complex.

The best defense against the use of anti-bot services to bypass Google Red Page is to use security platforms that can detect threats in real-time across email, mobile, and messaging apps with as much accuracy as possible, according to SlashNext. Aforementioned manual analysis of phishing pages and the subsequent addition of malicious sites to blocklists also can prevent these services from being effective.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Debian Linux Security Advisory 5793-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5793-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 20, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957                  CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961                  CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965                  CVE-2024-9966Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.58-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcUsNcACgkQZF0CR8Nudjd6rg//bZLkI/saFvjiULKRewv88ToCLOpx5l4ht0nHNYjW0Sy1I0FP3YtN8oZN4jJ+pJjDbxEkNDFmoPWVZP+wsUEtBottwQ1mkhSVroH9dJeNs9jWs4Rnxp7S6d3wsIYEQ99gQrPpjBr8jTSjffrLZzc0QlltdiVoc3A2RW9+RSKb/Yql+ylIRJGNI4frHDTkuFVRpC6m+T25Fbak3zF7v8tSOiQNH/2LE/Ez9wV3/PwQxTj6eGRLrJ0SkvwlDh8Z9Y8rm6auLTOxriA3dJfZR1rcmJN4kROyTMBwJTmdfCx03kyHQhxLowEABflzpyUdhqvrFAnnrfLqxTDO9odXJl7uu7sQiM4ed0LSKaX+ycrtHUhmZjWSlhbdE7eywZNAKX9rWf3ZkzqMz8gj256YPbAf1stq/I5vMlophU91X70KNMkogNIdo86ntxkB+vl6ded4LLcUFZYKrdurWD86QNNx0lQRXTlBGfTN+f0ujySbpvBGalpgK2UwLUVhP44q5ZhB1vvgw7ZwVQhpF7Cr1mb0bgR3WYg4XUZKG0jv+UQMR6yW2RxMaOkaKGbUXod+/L0OgN28yw10mg0PKBJKCR5iIxMj+jIAhlOPxiMBZbGYwYzPM5bgqwFRvXdgW1CiVrnRKVp2gN/RPmqF54ExcqyQN1TN4uguzHST/A1xUbtWtt8==vfgN-----END PGP SIGNATURE-----

Debian Security Advisory 5793-1

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access…

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access to sensitive data like the camera and microphone. Patch now to stay protected.

A vulnerability discovered by cybersecurity researchers at Microsoft Threat Intelligence in macOS allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, granting unauthorized access to sensitive user data.

Dubbed “HM Surf” by researchers; researchers warned that active exploitation may be taking place. The vulnerability has been assigned CVE-2024-44133.

The HM Surf vulnerability involves removing the TCC protection for the **Safari browser** directory and modifying a configuration file, enabling attackers to access users’ browsing history, camera, microphone, and location without their consent. The vulnerability is serious as it also allows attackers to gather sensitive information and use it for malicious purposes.

****How the Vulnerability Works****

The **TCC technology** prevents apps from accessing users’ personal information without their prior consent and knowledge. However, the HM Surf vulnerability exploits a weakness in the way TCC protects the Safari browser directory. By removing the TCC protection and modifying the configuration file, attackers can gain access to sensitive user data.

Microsoft’s blog post shared with Hackread.com ahead of publishing on October 18, 2024, detected “potential exploitation” activity associated with **Adload**, a prevalent macOS malware (adware) family.

The company’s behavioural monitoring protections in Microsoft Defender for Endpoint have identified suspicious activity, including anomalous modification of the Preferences file through HM Surf or other methods.

**John Bambenek**, President at Bambenek Consulting weighed in on the situation, urging users to install patches and save their data, especially their videos.

_“_In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do and the most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use,_“_ John warned. _“_Security teams should update, however, it is important to have defences in place that prevent malware getting on the machines in the first place._“_

****Apple’s Response****

Apple has released a fix for the vulnerability as part of **security updates for macOS Sequoia**, which was released on September 16, 2024. The company has also introduced new APIs for App Group Containers that make System Integrity Policy (SIP) protect configuration files from being modified by an external attacker.

To protect themselves from this vulnerability, macOS users are urged to apply the security updates as soon as possible. Additionally, users should be cautious when granting permissions to apps and ensure that they only allow access to sensitive information when necessary.

****Install Patches ASAP!****

The identification, reporting, and patching of the HM Surf vulnerability highlight one key point: cross-platform threat intelligence sharing is essential for a secure cybersecurity future. Businesses and users should install the security patches released by Apple in September. For the future, it’s recommended to enable auto-updates on macOS devices so that such threats are automatically addressed with new security updates.

1.  **Apple Safari Safest, Google Chrome Riskiest Browser**
2.  **Apple Issues Device Updates to Patch Critical Vulnerability**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple and Google**
5.  **Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!**

“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic – Patch Now!

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Tag

#chrome