The Sui Foundation supports native USDC on the Sui network with $120M in liquidity, marking the 3rd largest…

The Sui Foundation supports native USDC on the Sui network with $120M in liquidity, marking the 3rd largest USDC supply. NAVI integrates USDC on day 1, enhancing capital efficiency and user experience.

**New York, US, October 9, 2024** – The Sui Foundation recently announced support for native USDC on the Sui network. As the inaugural and top DeFi & liquidity protocol on Sui, NAVI announced that it will integrate Circle’s native USDC asset on DAY 1. 

With $120M in USDC liquidity, this constitutes the 3rd largest USDC supply in the industry, next to Aave and Compound. The integration of Circle’s USDC stablecoin directly into the Sui network enhances capital efficiency and improves the user experience across the ecosystem. 

This move strengthens Sui’s standing in the blockchain industry, enhancing user experience and promoting wider adoption of the Sui ecosystem through NAVI fully supporting native USDC with a suite of in-application migration features and a capital-efficient native USDC Liquidity Pool, including native USDC liquidity support, flash loan capabilities, among other functionalities.

As more blockchain networks adopt USDC, with Sui being the latest, the role of permissionless composability has fueled the rapid expansion of new applications and blockchain networks by leveraging existing open technologies.

****Native vs Bridged USDC on Sui****

The introduction of native USDC to the Sui network simplifies transaction processes and enhances liquidity within the ecosystem. Users will now have the ability to access USDC directly on Sui, streamlining workflows and increasing overall value for participants. 

Moreover, with the adoption of Cross-Chain Transfer Protocol (CCTP), users can eliminate delays typically associated with bridge withdrawals, thereby establishing a new standard for blockchain efficiency.

Native USDC offers distinct advantages compared to bridged USDC (wUSDC). Native issuance guarantees that the asset is fully reserved and can always be redeemed 1:1 for US dollars. This adds a layer of trust for developers and users alike, who can rely on the integrity of the underlying asset.

****Native USDC on NAVI****

In its pursuit to provide the highest level of asset composability on the Sui network, the NAVI Protocol will fully integrate native USDC as a lending and borrowing liquidity pool. As part of a broader ecosystem initiative, NAVI aims to incentivize users to transition away from bridged USDC and adopt native USDC entirely.

NAVI Protocol is committed to delivering the best possible experience for lending and borrowing, which includes the integration of native USDC, fully backed by US dollars and redeemable on a 1:1 basis. The upcoming migration plan is expected to accelerate the adoption of native USDC, thereby contributing to the growth and improvement of the Sui DeFi ecosystem.

A comprehensive migration plan will be shared in the coming days, outlining the steps necessary for a seamless transition.

****About Circle****

Circle is building the largest, most widely used stablecoin network so billions around the world can access digital dollars for payments and liquidity. The company currently manages USDC, the #2 stablecoin by market cap. It combines the power and stability of US Dollars with the speed of the internet, setting the groundwork for a new global and decentralized financial system. 

****About NAVI Protocol****

NAVI is the inaugural liquidity protocol native to the Sui network. It seeks to establish the cornerstone for chains based on the Move system and aspires to be the premier liquidity protocol in the Sui DeFi ecosystem.

****Media Contact****

*   Ivan Djordjevic
*   Marketing Lead
*   \[email protected\]

Sui to Make Native USDC Available Through NAVI Protocol

Chatbot companion platform muah.ai was hacked and had its chatbot prompts stolen.

A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, according to 404 Media.

The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats.

As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn’t sell any data to third parties.

Absolute privacy promised

The stolen data, however, tells a different story. It includes chatbot prompts that reveal users’ sexual fantasies. These prompts are in turn linked to email addresses, many of which appear to be personal accounts with users’ real names.

Mauh.ai says it believes in freedom of speech and to uphold that right, it says:

> “AI technology should be for everyone, and its use case to be decided by each mature, individual adult. So that means we don’t actively censor or filter AI. So any topic can be discussed without running into a wall.”

Unfortunately, that means that filth is created to satisfy the needs of some sick users, and some of the data contains horrifying explicit references to children.

Presumably those users in particular don’t want their fantasies to be discovered, which is exactly what might happen if they are connected to your email address.

The hacker describes the platform as “a handful of open-source projects duct-taped together.” Apparently, it was no trouble at all to find a vulnerability that provided access to the platform’s database.

The administrator of Muah.ai says the hack was noticed a week ago and claims that it must be sponsored by the competitors in the “uncensored AI industry.” Which, who knew, seems to be the next big thing.

The administrator also said that Muah.ai employs a team of moderation staff that suspend and delete ALL child-related chatbots on its card gallery (where users share their creations), Discord, Reddit, etc, But in reality, when two people posted about a reportedly underage AI character on the site’s Discord server, 404 Media claims a moderator told the users to not “post that shit” here, but to go “DM each other or something.”

Muah.ai is just one example of a new breed of uncensored AI apps that offer hundreds of role-play scenarios with chatbots, and others designed to behave like a long-term romantic companion.

404 Media says it tried to contact dozens of people included in the data, including users who wrote prompts that discuss having underage sex. Not surprisingly, none of those people responded to a request for comment.

**Innovation before security**

Emerging platforms like these are often rushed into existence because there is money to be made. Unfortunately, that usually happens at the expense of security and privacy, so here are some things to bear in mind:

*   Don’t trust AI platforms that promise privacy and encryption just because they say so
*   Don’t login with your Google/Facebook/Microsoft credentials or by using your regular email address or phone number
*   Remember that anything you put online, including a service that promises privacy, has a risk of being made public

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 AI girlfriend site breached, user fantasies stolen 

Since April, attackers have increased their use of Dropbox, OneDrive, and SharePoint to steal the credentials of business users and conduct further malicious activity.

Source: JLStock via Shutterstock

Threat actors are upping the ante on business email compromise (BEC) campaigns by combining social engineering with the use of legitimate, cloud-based file-hosting services to create more convincing attacks; the campaigns bypass common security protections and ultimately compromise the identity of enterprise users.

Since April, Microsoft has seen a rise in campaigns that have emerged over the past two years in which attackers weaponize legitimate file-sharing services like Dropbox, OneDrive, or SharePoint, which many enterprises use for workforce collaboration, Microsoft Threat Intelligence warned this week.

"The widespread use of such services … makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures," according to the Microsoft Threat Intelligence blog post.

Attackers are combining their use with social engineering in campaigns that target trusted parties in a business user's network, and base lures on familiar conversation topics. Threat actors are thus successfully phishing credentials for business accounts, which they then use to conduct further malicious activity, such as financial fraud, data exfiltration, and lateral movement to endpoints.

Trusted cloud services are an increasingly weak enterprise security link. Indeed, various researchers have discovered attackers — including advanced persistent threat (APT) groups — using legitimate file-sharing services to deliver remote access Trojans (RATs) and spyware, among other malicious activity.

**A Typical BEC Attack Scenario**

According to Microsoft, A common attack scenario begins with the compromise of a user within an enterprise. The threat actor then uses that victim's credentials to host a file on that organization's file-hosting service and share it with the real target: those within an external organization that have trusted ties to the victim.

Attackers are specifically using Dropbox, OneDrive, or SharePoint files with either restricted access or view-only restrictions to evade common detection systems and provide a launching pad for credential-harvesting activity. The former "requires the recipient to be signed in to the file-sharing service … or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service," establishing a trust relationship with the content. The latter can bypass analysis by email detonation systems, by "disabling the ability to download and consequently, the detection of embedded URLs within the files," according to Microsoft. "These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted."

To further ensure this bypass, attackers also use other techniques, including only allowing the intended recipient to view the file, or making the file accessible only for a limited time.

"This misuse of legitimate file-hosting services is particularly effective because recipients are more likely to trust emails from known vendors," according to Microsoft. Indeed, users from trusted vendors are added to allow lists through policies set by the organization on collaboration products used with the service, such as Exchange Online, so emails that are linked to phishing attacks pass through undetected.

After the files are shared on the hosting service, the targeted business user receives an automated email notification with a link to access the file securely. This is a legitimate notification about activity on the file-sharing service, so the email bypasses any protections that might have blocked a suspicious message.

**Adversary-in-the-Middle; Leveraging Familiarity**

When the targeted user accesses the shared file, he or she is prompted to verify identity by providing their email address, after which the address \[email protected\]\[.\]com sends a one-time password that the user can input to view the document.

That document often masquerades as a preview with another link purporting to allow the user to "view the message," according to Microsoft. However, it actually redirects the user to an adversary-in-the-middle (AiTM) phishing page that prompts the user is prompted to provide the password and complete the multifactor authentication (MFA) challenge.

"The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign," according to Microsoft.

Hosted files typically use lures to subject matter that would be a familiar topic or use familiar context based on an existing conversation held between employees of the organizations that the threat actor would be able to access thanks to the prior compromise of the anchor victim. For example, if two organizations have prior interactions related to an audit, the malicious shared files could be named "Audit Report 2024," according to Microsoft.

Attackers also leverage the oft-used psychological tactic of urgency to lure users into opening malicious files, using file names such as "Urgent:Attention Required" and "Compromised Password Reset" to get people to take the bait.

**Detecting Suspicious File-Sharing**

With these highly sophisticated BEC campaigns that neither users nor traditional email security systems detect on the rise, Microsoft recommends that enterprises use extended detection and response (XDR) systems to query for suspicious activity related to BEC campaigns that use legitimate file-sharing services.

Such queries could include identifying files with similar-sounding or the same file names that have been shared with various users. "Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection," according to Microsoft

Defenders also can use identity-focused queries related to sign-ins from VPS or VPN providers, or successful sign-ins from a non-compliant device, "to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor," according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: Creative Abuse of Cloud Files Bolsters BEC Attacks

Social media accounts help shape a brand’s identity and reputation. These public forums engage directly with customers as they are a hub to connect, share content and answer questions. However, despite the high profile role these accounts have, many organizations overlook social media account security. Many lack the safeguards to prevent unauthorized access — a situation no organization wants as

SaaS Security / Identity Security

Social media accounts help shape a brand's identity and reputation. These public forums engage directly with customers as they are a hub to connect, share content and answer questions. However, despite the high profile role these accounts have, many organizations overlook social media account security. Many lack the safeguards to prevent unauthorized access — a situation no organization wants as it can quickly spiral to include reputational damage and financial losses.

With the impact this high, the need for deep understanding of social media risks as well as how to protect an organization's social media account are more crucial than ever. This article dives into the details of social media accounts, how social media can be misused and how to protect oneself.

**Understanding the Layers of Social Media Access**

Platforms like Facebook, Instagram, and LinkedIn typically have two layers of access.

1.  **The Public Facing Page**: where brands post content and engage with users.
2.  **The Advertising Account**: Used to run targeted ad campaigns, and generate leads, often linked to payment methods.

These two layers are interconnected but operate independently. Each page has its own access roles, permissions, and configuration settings. Permissions are often granted to external agencies, who handle different aspects of social media. Non-human identities, such as social media management platforms, can be posted on behalf of companies, executives, and high-profile employees. Monitoring both these layers is essential, as each layer allows users to post on the brand's behalf.

**Three Risks for Social Media Breaches**

Social media platforms are typically managed by multiple internal and external stakeholders. This type of dispersed access allows, if not properly managed, the 'keys' to potentially fall into the wrong hands. Unauthorized users can then make changes, post, or comment on behalf of the brand without approval — which of course has the potential for reputational harm and other kinds of damage.

Furthermore, poor governance of social media accounts can lead to finger-pointing when something goes wrong. A lack of visibility into who is doing what exposes organizations to operational inefficiencies and security threats.

Thirdly, those who gain access to the ad accounts can mismanage or misappropriate resources. With ad accounts connected to an approved payment mechanism, a threat actor could launch expensive ad campaigns promoting a different agenda. There needs to be properly configured ad account users and permissions — or else this could spend an entire marketing budget and cause reputational damage.

**Mitigating Social Media Risks with SSPM**

SaaS Security Posture Management (SSPM) tools aren't traditionally used to secure social media accounts, however, leading SSPM platforms have the capability — and should be utilized to do just that. These integrations provide centralized visibility so that social media managers and security teams will have visibility into users, their levels of access, and their permissions. This will make for a much stronger governance model to better protect that social ecosystem.

An SSPM can also run security checks to identify high-risk configurations. This ensures that accounts have spending limits in place, and provides visibility into which internal and external users can access payment mechanisms within the platform.

Identity Threat Detection and Response (ITDR) capabilities can also detect unusual activity within such accounts, enabling real-time response to imminent threats.

**Gain Social Media Security: Use Cases**

Monitoring social media accounts enables companies to protect themselves in the following use cases.

*   **Control over posting and engagement:** Ensure that only authorized users can post, comment, and engage on the brand's behalf
*   **Monitor agencies and external collaborators:** Set boundaries and gain transparency into external user behavior
*   **Marketing resource management:** Verify spend caps and control user access to mitigate the risk of unauthorized spending
*   **Account activity audits:** Detect and stop unusual or high-risk behavior

**Secure Your Social Presence with SSPM**

The digital landscape is constantly changing, and with it, the nature of threats. Social media now plays a crucial role in an organization's brand and reputation, making it imperative to secure these accounts as part of a comprehensive SaaS security strategy. SSPM social media integrations offer the visibility, control, and protection required to safeguard these essential assets.

Learn how to secure your social accounts now

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Social Media Accounts: The Weak Link in Organizational SaaS Security

Cybercriminals exploit disaster relief efforts to target vulnerable individuals and organizations in Florida, compromising the integrity of relief…

Cybercriminals exploit disaster relief efforts to target vulnerable individuals and organizations in Florida, compromising the integrity of relief efforts. Learn more about FEMA claim scams, phishing attacks, and malicious files disguised as FEMA documents.

As Florida recovers from Hurricane Helene and braces for Hurricane Milton, a Category 5 storm expected to hit Tampa on October 9, 2024, a new challenge emerges in the online world: Cybercriminals are taking advantage of the disaster victims and relief organizations, exploiting the confusion and urgency of the moment for financial gain.

Veriti, a cybersecurity research firm, recently uncovered three disturbing cybersecurity threats that have surfaced amid the disastrous situation. These scams, which target both individuals and organizations, involve fraudulent Federal Emergency Management Agency (**FEMA**) claims, phishing campaigns, and malware disguised as legitimate FEMA documents.

****Phishing Using FEMA****

While FEMA claims scamming is a direct attack on disaster victims, phishing campaigns are another method cybercriminals are using to exploit the hurricane’s aftermath. Veriti researchers have reported a spike in newly registered domains that appear to be linked to hurricane relief efforts.

These websites, with names like **hurricane-helene-relief(.)com** and **hurricanehelenerelief(.)com**, are designed to trick users into providing sensitive data such as Social Security numbers and financial information.

These fake websites often create a sense of urgency, offering immediate relief or grant opportunities, which makes victims more likely to fall for the scam. The phishing campaigns are typically carried out via email, where recipients are directed to these **fraudulent sites** under the guise of applying for aid. Once victims enter their personal information, the attackers either sell the data or use it for financial fraud.

****Fake FEMA Assistance Providers****

According to Veriti’s **blog post** shared with Hackread.com ahead of publishing on Tuesday, October 8, cybercriminals are posing as FEMA assistance providers and creating fake FEMA claims to steal personal information and disaster relief funds from vulnerable storm survivors.

One such cybercrime forum is BlackBones, where scammers have openly shared strategies for tricking victims, with one user going by the alias “brokedegenerate” even posting detailed instructions on how to submit fraudulent FEMA claims.

****Malware in FEMA Documents****

Cybercriminals are also disguising malware as legitimate FEMA documents, adding an extra layer of danger for those seeking aid. In one instance, a file called fema\_grants\_manager\_user\_manual.pdf was uploaded to **VirusTotal**, a virus-scanning service. While it appeared to be a legitimate FEMA document related to disaster recovery, Veriti researchers discovered that it contained malicious code.

The file, which referenced official FEMA grant systems like the Grants Manager and Grants Portal, aimed to lure users into trusting it. However, hidden within the document was a malicious payload that would redirect users to a suspicious website, infecting their systems with malware. Although no active infections have been reported yet, the existence of such files indicates that cybercriminals are ready to strike whenever disaster relief efforts are in full swing.

Nevertheless, as Florida residents work to rebuild their homes and lives after Hurricane Helene, cybercriminals are grabbing the opportunity to take advantage of the situation. Staying aware of these threats and taking steps to protect yourself can help keep these scams from making an already tough situation worse.

1.  Hackers Dropping Malware in Fake “terror alert” Emails
2.  FEMA leaks sensitive details of 2.3 million disaster survivors
3.  Online Scam Alert Associated with the Nepal Earthquake Disaster
4.  Hackers Sending Fake Ebola Virus reports in emails with Malware
5.  Fancy Bears Hacked MH17 crash investigators with phishing attack

Scammers Hit Florida Hurricane Victims with Fake FEMA Claims, Malware Files

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.

Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -

*   **CVE-2024-43572** (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
*   **CVE-2024-43573** (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
*   **CVE-2024-43583** (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
*   **CVE-2024-20659** (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
*   **CVE-2024-6197** (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)

It's worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.

Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.

"Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.

Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.

"An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database," it said.

Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).

"Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset," Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.

"One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly."

**Software Patches from Other Vendors**

Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Apache Avro
*   Apple
*   AutomationDirect
*   Bosch
*   Broadcom (including VMware)
*   Cisco (including Splunk)
*   Citrix
*   CODESYS
*   Dell
*   Draytek
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Okta
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Salesforce Tableau
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   Veritas
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft is warning of cyber attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox that are widely used in enterprise environments as a defense evasion tactic.
The end goal of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise (BEC) attacks, which ultimately result

Enterprise Security / Identity Theft

Microsoft is warning of cyber attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox that are widely used in enterprise environments as a defense evasion tactic.

The end goal of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise (BEC) attacks, which ultimately result in financial fraud, data exfiltration, and lateral movement to other endpoints.

The weaponization of legitimate internet services (LIS) is an increasingly popular risk vector adopted by adversaries to blend in with legitimate network traffic in a manner such that it often bypasses traditional security defenses and complicates attribution efforts.

The approach is also called living-off-trusted-sites (LOTS), as it leverages the trust and familiarity of these services to sidestep email security guardrails and deliver malware.

Microsoft said it has been observing a new trend in phishing campaigns exploiting legitimate file hosting services since mid-April 2024 that involve files with restricted access and view-only restrictions.

Such attacks often begin with the compromise of a user within a trusted vendor, leveraging the access to stage malicious files and payloads on the file hosting service for subsequent sharing with a target entity.

"The files sent through the phishing emails are configured to be accessible solely to the designated recipient," it said. "This requires the recipient to be signed in to the file-sharing service — be it Dropbox, OneDrive, or SharePoint — or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service."

What's more, the files shared as part of the phishing attacks are set to "view-only" mode, preventing the ability to download and detect embedded URLs within the file.

A recipient who attempts to access the shared file is then prompted to verify their identity by providing their email address and a one-time password sent to their email account.

Once they are successfully authorized, the target is instructed to click on another link to view the actual contents. However, doing so redirects them to an adversary-in-the-middle (AitM) phishing page that steals their password and two-factor authentication (2FA) tokens.

This not only enables the threat actors to seize control of the account, but also use it to perpetuate other scams, including BEC attacks and financial fraud.

"While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants," the Microsoft Threat Intelligence team said.

The development comes as Sekoia detailed a new AitM phishing kit called Mamba 2FA that's sold as phishing-as-a-service (PhaaS) to other threat actors to conduct email phishing campaigns that propagate HTML attachments impersonating Microsoft 365 login pages.

The kit, which is offered on a subscription basis for $250 per month, supports Microsoft Entra ID, AD FS, third-party SSO providers, and consumer accounts. Mamba 2FA has been actively put to use since November 2023.

"It handles two-step verifications for non-phishing-resistant MFA methods such as one-time codes and app notifications," the French cybersecurity company said. "The stolen credentials and cookies are instantly sent to the attacker via a Telegram bot."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks

Pro-Ukrainian hacktivists from DumpForums claim to have breached Russian cybersecurity giant Dr.Web, stealing over 10 TB of sensitive…

Pro-Ukrainian hacktivists from DumpForums claim to have breached Russian cybersecurity giant Dr.Web, stealing over 10 TB of sensitive data, including internal projects, client databases, and critical infrastructure access.

DumpForums, a pro-Ukrainian hacktivist forum, claims to have breached Dr.Web, a Russian cybersecurity company and antivirus solutions provider. As a result, hackers have announced stealing over 10 TB of internal, customer/client data, Hackread.com can exclusively confirm.

The attack dates back to Saturday, September 14th, when Dr.Web (also known as Doctor Web, Doctor Web Ltd., and Company Doctor Web) identified that it had suffered a cyberattack. After investigating, the Russian cybersecurity giant published a brief blog post on September 17, 2024, revealing that the company was targeted in a cyberattack aimed at its “resources.” At that time, Doctor Web claimed that it had “prevented the attack in a timely manner” and that no user data was accessed or stolen.

However, as Hackread.com’s research team discovered, on the morning of October 8th, 2024, DumpForums hacktivists used their Telegram account to announce and claim responsibility for the September attack. The hacktivists’ Telegram post contradicted what Doctor Web had stated about the hack in September.

The screenshot shows Dr.Web’s Telegram post (left) and DumpForums’ post on the right. The original Russian-language screenshots have been translated into English using Yandex AI Image Translator (Credit: Hackread.com).

****DumpForums Hacktivists Claim Dr.Web’s Infrastructure Hack****

According to the post, the hacktivists stated they had hacked the infrastructure of Dr.Web, adding that they infiltrated the company’s local network after planning everything in advance. After that, they systematically hacked more servers and resources “within just a few days.”

Additionally, the hackers claimed to have hacked and extracted data from Dr.Web’s corporate GitLab server, where internal developments and projects were stored, including the corporate email server, Confluence, Redmine, Jenkins, Mantis, and RocketChat.

The hackers also claimed to have accessed and downloaded the entire client/user database, which they had already leaked on their official forum.

To further authenticate their claims, the hackers provided several dumps of databases from internal resources such as ldap.dev.drweb.com, vxcube.drweb.com, bugs.drweb.com, antitheft.drweb.com, and rt.drweb.com, among others.

****Accessing Dr.Web’s domain controller?****

What’s even more concerning are the claims from the hacktivists that they gained control of Dr.Web’s domain controller, a critical part of the company’s infrastructure. The domain controller manages authentication and access to all systems within a network. By compromising it, the attackers would have had unlimited access to the entire network, allowing them to continuously extract massive amounts of sensitive data.

This level of control reportedly enabled them to remain undetected for a month while siphoning off around 10 terabytes of data. The group also pointed out Dr.Web’s alleged poor security, stating that they spent an “entire month” in the system while the company continued selling products to secure others.

It is important to note that Hackread.com has reached out to Dr.Web regarding the claims made by DumpForums hacktivists, and this article will be updated accordingly.

****Ukraine and Russia Cyberwarfare****

It is also worth noting that DumpForums is known for attacking critical Russian infrastructure. In June 2022, the same group was behind the hack and defacement of the Russian Ministry of Construction, Housing, and Utilities. The hackers also stole the ministry’s entire database and demanded 0.5 BTC as ransom to prevent the data from being leaked online.

Nevertheless, the cyber warfare between Russia and Ukraine is gaining new momentum. Hackers from both countries have been targeting each other’s critical infrastructure since the conflict began on February 24, 2022.

According to Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), there has been a significant shift in Russian cyber operations against Ukraine in the first half of 2024. The new strategy marks a departure from previous broad-spectrum attacks to a more targeted approach focusing on Ukraine’s military and defence sectors.

On the other hand, Ukrainian hackers have been quite active over the past few months. Some of their claimed cyberattacks include targeting banks and shutting down ATMs in Russia, targeting the government sector and damaging petabytes of data, crippling the country’s tax system, and other actions.

1.  Ukrainian Hacktivists Trick Russian Military Wives for Personal Info
2.  Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
3.  Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”
4.  57,000 Kaspersky Fan Club Forum User Data Leaked in Hosting Breach
5.  Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI

DumpForums Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web

Consumers are victims of online scams and have their data stolen, but they are lagging on adopting security tools to protect themselves.

Source: Consumer Cyber Readiness Report, Consumer Reports

Consumers are aware that their information can be stolen by cybercriminals and that they are vulnerable to attack. While many people are taking steps to improve their cybersecurity online, the pace they are adopting security tools remains low, according to the latest Consumer Cyber Readiness Report from Consumer Reports.

Nearly half of the respondents of a recent Consumer Reports survey on digital scams and consumer cyber readiness say they have been personally targeted by an online scam in the past year, but they don't seem to be taking any specific steps to reduce their exposure to threats or to shore up their defenses. In fact, consumer behavior remains largely unchanged from 2023 to 2024, the report found.

Despite the long list of organizations that have been breached and personal information stolen over the last few years, just 28% of respondents say they have identity theft protection services. This is a worryingly low number considering breached organizations offer identity theft protection for free.

Just 54% of consumers said they have software to block or remove malware and viruses on the personal electronic device they use the most, which is a 2% decline from the 56% who said they had such software in 2023. Less than half (42%) said they have a firewall installed on their device, but what's worrying is that a little over a quarter of respondents (26%) are not sure if a firewall is installed on their device. This is also another decline from last year, as 46% claimed to have a firewall in 2023.

Around 7 in 10 consumers (71%) said they apply software updates on their personal device as soon as the updates are available, which is a slight increase from last year's 67%.

"Staying updated is the simplest and most effective step consumers can take to safeguard their digital lives," the report quotes Tarah Wheeler, CEO of Red Queen Dynamics. "It's encouraging to see more Americans prioritizing this essential aspect of cybersecurity."

While users are generally more keen on keeping devices updated, only 10% are using encryption software on devices to keep files protected. Three-quarters of respondents said they do not, and 15% weren’t sure if they did or didn’t.

On the privacy front, things weren't much better. Nearly a quarter of respondents aren’t sure if they have browser extensions that block trackers. About a third of respondents say they do use a VPN for accessing the internet, but 17% were not sure if they do or don't.

This year's Consumer Cyber Readiness Report from Consumer Reports is based on a survey of about 4,000 people.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Despite Prevalence of Online Threats, Users Aren't Changing Behavior

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.

**Microsoft** today released security updates to fix at least 117 security holes in **Windows** computers and other software, including two vulnerabilities that are already seeing active attacks. Also, **Adobe** plugged 52 security holes across a range of products, and **Apple** has addressed a bug in its new **macOS 15** “**Sequoia**” update that broke many cybersecurity tools.

One of the zero-day flaws — CVE-2024-43573 — stems from a security weakness in **MSHTML**, the proprietary engine of Microsoft’s **Internet Explorer** web browser. If that sounds familiar it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.

**Nikolas Cemerikic**, a cybersecurity engineer at **Immersive Labs**, said the vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate thanks to the way Windows handles certain web elements.

“Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” he said.

Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.

“This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online,” he said.

Probably the more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.

**Satnam Narang**, senior staff research engineer at **Tenable**, observed that the patch for CVE-2024-43572 arrived a few months after researchers at **Elastic Security Labs** disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.

“Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”

Microsoft also patched **Office,** **Azure**, **.NET**, **OpenSSH for Windows**; **Power BI**; **Windows Hyper-V**; **Windows Mobile Broadband**, and **Visual Studio**. As usual, the **SANS Internet Storm Center** has a list of all Microsoft patches released today, indexed by severity and exploitability.

Late last month, Apple rolled out macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by a number of vendors, including CrowdStrike, SentinelOne and Microsoft. On Oct. 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.

Finally, Adobe has released security updates to plug a total of 52 vulnerabilities in a range of software, including **Adobe Substance 3D Painter**, **Commerce**, **Dimension**, **Animate**, **Lightroom**, **InCopy**, **InDesign**, **Substance 3D Stager**, and **Adobe FrameMaker**.

Please consider backing up important data before applying any updates. Zero-days aside, there’s generally little harm in waiting a few days to apply any pending patches, because not infrequently a security update introduces stability or compatibility issues. **AskWoody.com** usually has the skinny on any problematic patches.

And as always, if you run into any glitches after installing patches, leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.

Tag

#git