Red Hat Security Advisory 2024-0733-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include an information leakage vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0733.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update  
Advisory ID:        RHSA-2024:0733-03  
Product:            Red Hat Ansible Automation Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0733  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-43804  
====================================================================

Summary: 

An update is now available for Red Hat Ansible Automation Platform 2.4

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* ansible-core: possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration (CVE-2024-0690)

* automation-controller: urllib3: Cookie request header isn't stripped during cross-origin (CVE-2023-43804)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes for automation controller:  
* Fixed jobs stuck in pending state after connection to database recover (AAP-19618)  
* Added secure flag option for userLoggedIn cookie if 'SESSION_COOKIE_SECURE' is set to 'True' (AAP-19602)  
* Fixed 'twilio_backend.py' to send SMS to multiple destinations (AAP-19284)  
* Fixed rsyslogd from unexpectedly stop sending events to Splunk HTTP Collector and recover rsyslog from 4xx errors (AAP-19069)  
* Fixed a TypeError in the  Logging Settings Edit form of the automation controller user interface to no longer render the form inputs inaccessible (AAP-18960)  
* Fixed Delinea (previously: Thycotic) DevOps Secrets Vault credential plugin to work with python-dsv-sdk>=1.0.4 (AAP-18701)  
* Updated schedule Prompt on launch fields to persist while editing (AAP-13859)  
* automation-controller has been updated to 4.5.1

Note: The 2.4-5 installer/setup should be used to update automation controller to 4.5.1

Updates and fixes for ansible-core:  
* ansible-core has been updated to 2.15.9

Updates and fixes for installer, setup and setup bundle:  
* Fixed the version check when pinning EDA to an older version (AAP-19399)  
* Fixed rsyslogd from unexpectedly stop sending events to Splunk HTTP Collector and recover rsyslog from 4xx errors (AAP-19069)  
* Automation Hub now uses system crypto-policies in nginx (AAP-18974)  
* installer, setup and setup bundle have been updated to 2.4-5

Additionally, setup bundle 2.4-5 includes the updates released in the following advisories:

RHSA-2024:0322  
* python3-dynaconf/python39-dynaconf 3.1.12-2  
* python3-gitpython/python39-gitpython 3.1.40  
* python3-twisted/python39-twisted 23.10.0

RHBA-2023:7863  
* container images

Solution:

CVEs:

CVE-2023-43804

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/errata/RHSA-2024:0322  
https://access.redhat.com/errata/RHBA-2023:7863  
https://bugzilla.redhat.com/show_bug.cgi?id=2242493  
https://bugzilla.redhat.com/show_bug.cgi?id=2259013

Red Hat Security Advisory 2024-0733-03

Red Hat Security Advisory 2024-0729-03 - Red Hat Advanced Cluster Management for Kubernetes 2.7.11 General Availability release images, which provide security updates and fix bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0729.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Advanced Cluster Management 2.7.11 security and bug fix container update  
Advisory ID:        RHSA-2024:0729-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0729  
Issue date:         2024-02-08  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.7.11 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.11 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following Release Notes documentation for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es):  
CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on  
go-git clients  
CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path  
traversal and RCE on go-git clients

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/install/installing

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0729-03

Red Hat Security Advisory 2024-0642-03 - An update is now available for Red Hat OpenShift Container Platform 4.14. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0642.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.14.11 bug fix and security update  
Advisory ID:        RHSA-2024:0642-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0642  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.11. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0645

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)

* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-11385  
https://issues.redhat.com/browse/OCPBUGS-21795  
https://issues.redhat.com/browse/OCPBUGS-21812  
https://issues.redhat.com/browse/OCPBUGS-22315  
https://issues.redhat.com/browse/OCPBUGS-23395  
https://issues.redhat.com/browse/OCPBUGS-23498  
https://issues.redhat.com/browse/OCPBUGS-23500  
https://issues.redhat.com/browse/OCPBUGS-23738  
https://issues.redhat.com/browse/OCPBUGS-24307  
https://issues.redhat.com/browse/OCPBUGS-24315  
https://issues.redhat.com/browse/OCPBUGS-24401  
https://issues.redhat.com/browse/OCPBUGS-24423  
https://issues.redhat.com/browse/OCPBUGS-24521  
https://issues.redhat.com/browse/OCPBUGS-24660  
https://issues.redhat.com/browse/OCPBUGS-25081  
https://issues.redhat.com/browse/OCPBUGS-25352  
https://issues.redhat.com/browse/OCPBUGS-25800  
https://issues.redhat.com/browse/OCPBUGS-26238  
https://issues.redhat.com/browse/OCPBUGS-26553  
https://issues.redhat.com/browse/OCPBUGS-26568  
https://issues.redhat.com/browse/OCPBUGS-26597  
https://issues.redhat.com/browse/OCPBUGS-27178  
https://issues.redhat.com/browse/OCPBUGS-27193  
https://issues.redhat.com/browse/OCPBUGS-27243  
https://issues.redhat.com/browse/OCPBUGS-27256  
https://issues.redhat.com/browse/OCPBUGS-27275  
https://issues.redhat.com/browse/OCPBUGS-27305  
https://issues.redhat.com/browse/OCPBUGS-27350  
https://issues.redhat.com/browse/OCPBUGS-27362  
https://issues.redhat.com/browse/OCPBUGS-27369  
https://issues.redhat.com/browse/OCPBUGS-27471  
https://issues.redhat.com/browse/OCPBUGS-27485  
https://issues.redhat.com/browse/OCPBUGS-27759  
https://issues.redhat.com/browse/OCPBUGS-27822  
https://issues.redhat.com/browse/OCPBUGS-27851  
https://issues.redhat.com/browse/OCPBUGS-27858  
https://issues.redhat.com/browse/OCPBUGS-28200  
https://issues.redhat.com/browse/OCPBUGS-28249  
https://issues.redhat.com/browse/OCPBUGS-28382  
https://issues.redhat.com/browse/OCPBUGS-28608

Red Hat Security Advisory 2024-0642-03

Red Hat Security Advisory 2024-0641-03 - An update is now available for Red Hat OpenShift Container Platform 4.14. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0641.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.14.11 security and extras update  
Advisory ID:        RHSA-2024:0641-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0641  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.11. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0642

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)

* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-26237

Red Hat Security Advisory 2024-0641-03

A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques— to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the amount of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 2 million job seekers targeted by data thieves 

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years.
Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam.
"Volt Typhoon's choice of targets and pattern

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as **Volt Typhoon** had been embedded into some critical infrastructure networks in the country for at least five years.

Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam.

"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the U.S. government said.

The joint advisory, which was released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), was also backed by other nations that are part of the Five Eyes (FVEY) intelligence alliance comprising Australia, Canada, New Zealand, the U.K.

Volt Typhoon – which is also called Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite – a stealthy China-based cyber espionage group that's believed to be active since June 2021.

It first came to light in May 2023 when Microsoft revealed that the hacking crew managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam for extended periods of time sans getting detected by principally leveraging living-off-the-land (LotL) techniques.

"This kind of tradecraft, known as 'living off the land,' allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behavior making it difficult to differentiate – even by organizations with more mature security postures," the U.K. National Cyber Security Centre (NCSC) said.

Another hallmark tactic adopted by Volt Typhoon is the use of multi-hop proxies like KV-botnet to route malicious traffic through a network of compromised routers and firewalls in the U.S. to mask its true origins.

Cybersecurity firm CrowdStrike, in a report published in June 2023, called out its reliance on an extensive arsenal of open-source tooling against a narrow set of victims to achieve its strategic goals.

"Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim's environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise," the agencies noted.

"The group also relies on valid accounts and leverages strong operational security, which combined, allows for long-term undiscovered persistence."

Furthermore, the nation-state has been observed attempting to obtain administrator credentials within the network by exploiting privilege escalation flaws, subsequently leveraging the elevated access to facilitate lateral movement, reconnaissance, and full domain compromise.

The ultimate goal of the campaign is to retain access to the compromised environments, "methodically" re-targeting them over years to validate and expand their unauthorized accesses. This meticulous approach, per the agencies, is evidenced in cases where they have repeatedly exfiltrated domain credentials to ensure access to current and valid accounts.

"In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts," CISA, FBI, and NSA said.

"Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon's operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment."

The development comes as the Citizen Lab revealed a network of at least 123 websites impersonating local news outlets spanning 30 countries in Europe, Asia, and Latin America that's pushing pro-China content in a widespread influence campaign linked to a Beijing public relations firm named Shenzhen Haimaiyunxiang Media Co., Ltd.

The Toronto-based digital watchdog, which dubbed the influence operation PAPERWALL, said it shares similarities with HaiEnergy, albeit with different operators and unique TTPs.

"A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing's critics are routinely removed from these websites some time after they are published," the Citizen Lab said.

In a statement shared with Reuters, a spokesperson for China's embassy in Washington said "it is a typical bias and double standard to allege that the pro-China contents and reports are 'disinformation,' and to call the anti-China ones' true information.'"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade

Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”

New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization

“The people are in the streets. We can’t ignore them any longer. Really, we have little choice. Either we heal together, or we tear ourselves apart.” An exclusive excerpt from 2054: A Novel.

2054, Part IV: A Nation Divided

By Uzair Amir
In the exciting world of investment, there are malicious actors who peddle trading bot scams, preying on the aspirations of eager investors.
This is a post from HackRead.com Read the original post: The Anatomy of Trading Bot Scams: Strategies for Secure Investments

In the fast-paced world of fintech, **automation promises convenience** and profitability. Trading bots, algorithms programmed to execute trades based on predefined rules, are increasingly popular. However, within this exciting industry lurk malicious actors peddling trading bot scams, designed to exploit the hopes and naiveté of aspiring investors.

This article digs into the anatomy of these scams, equipping you with the knowledge to protect your hard-earned capital and make informed investment decisions.

****The Rise of Trading Bots****

With the advancement of technology and the availability of high-speed internet, trading bots, while **focusing on price action**, have become increasingly popular among both retail and institutional traders. These bots are designed to execute trades automatically based on pre-defined criteria without the need for human intervention. The primary goal is to remove emotions from trading, as emotions can often lead to impulsive and irrational decisions.

****Unveiling the Scam: Red Flags to Watch Out For****

**Guaranteed Returns:** Any investment promising consistent, risk-free returns is a red flag. Markets are inherently volatile, and no technology can guarantee profits. Be wary of claims like “double your money in a week” or “never lose a trade.”

**Unrealistic Performance:** Testimonials boasting astronomical returns or screenshots of fabricated charts are classic tactics. Remember, past performance is not indicative of future results.

**Hidden Fees:** Scammers often obfuscate fees and charges within complex terms and conditions. Scrutinize every cost associated with the bot, including subscription fees, performance-based commissions, and withdrawal charges.

**Limited Transparency:** Beware of bots with unclear trading strategies, proprietary algorithms, or lack of historical backtesting data. Reputable bots provide detailed explanations of their approach and demonstrate past performance with verifiable data.

**Pressure and Urgency:** Scammers employ pressure tactics to rush you into decisions. Phrases like “limited-time offer” or “act now before spots fill up” are warning signs. Take your time to research and understand the bot before investing.

**Unsolicited Contact:** If someone reaches out to you unsolicited, promising high returns from a trading bot, be extremely cautious. Legitimate financial services rarely resort to cold calling or aggressive online marketing.

**Fake Reviews and Endorsements:** Online reviews and celebrity endorsements can be easily fabricated. Verify the authenticity of such claims before trusting them.

While the aforementioned scams target victims’ funds, malicious threat actors are also known for using malware disguised as fake trading bots to steal personal data. For instance, Fortinet researchers **identified** a fake Bitcoin trading bot that targeted users’ Bitcoin and personal data simultaneously.

****Strategies for Secure Investments: Building Your Defenses****

**Educate Yourself:** Before dipping your toes into the bot world, gain a solid understanding of financial markets, trading strategies, and the potential risks involved.

**Do Your Research:** Don’t blindly trust marketing hype. Conduct thorough research on the bot, its developers, and any associated platforms. Look for independent reviews, user testimonials (with a healthy dose of scepticism), and regulatory compliance.

**Start Small:** If you decide to proceed, invest a small, manageable amount initially. This minimizes potential losses and allows you to test the bot’s effectiveness before committing larger sums.

**Never Grant Full Access:** Avoid bots requiring access to your entire investment portfolio or exchange accounts. Opt for bots that integrate with reputable platforms and allow you to maintain control over your funds.

**Diversify:** Don’t put all your eggs in one basket. Diversify your investments across different assets and platforms to mitigate risk.

**Manage Expectations:** Remember, the financial market is not a get-rich-quick scheme. Expect realistic returns and be prepared for potential losses.

**Report Suspicious Activity:** If you encounter a scam, report it to the relevant regulatory authorities and online platforms to help protect others.

****Beyond Bots: Secure Investment Practices****

**Utilize Reputable Platforms:** Trade only on licensed and regulated exchanges or platforms with robust security measures and user protection protocols.

**Enable Two-Factor Authentication:** Add an extra layer of security to your accounts with two-factor authentication to prevent unauthorized access.

**Beware of Phishing Scams:** Be wary of emails, messages, or websites mimicking legitimate platforms trying to steal your login credentials. Always double-check URLs and sender information before entering sensitive details.

**Stay Informed:** Keep yourself updated with the latest financial news, scams, and regulatory changes to stay ahead of potential threats.

****Remember: Common Sense and Caution is Key****

Cryptocurrency investments are lucrative but also risky. By understanding the anatomy of trading bot scams and adopting secure investment practices, you can navigate this complex world with confidence and protect your hard-earned capital. Remember, caution is key – educate yourself, research thoroughly, and never be afraid to walk away from anything that seems too good to be true.

_**Disclaimer:** This article is for informational purposes only and should not be considered financial advice. Please consult with a qualified financial professional before making any investment decisions._

1.  **How to Identify and Avoid Online Trading Scams**
2.  **What the Bitcoin ETF Approval Mean for the Crypto Market** 
3.  **US Police Recover $3M Stolen by Pakistani Crypto Scammers**
4.  **Utilizing Economic Calendar: Key to Enhancing Safety in Crypto Trading**
5.  **Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam**

The Anatomy of Trading Bot Scams: Strategies for Secure Investments

The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.
"The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,"

Endpoint Security / Cyber Threat

The threat actors behind a loader malware called **HijackLoader** have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.

"The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe," CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. "This new approach has the potential to make defense evasion stealthier."

HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It's also known to share a high degree of similarity with another loader known as IDAT Loader.

Both the loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.

"Think of loaders like wolves in sheep's clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools," Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.

"This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is similar to enhancing its disguise, making it stealthier, more complex, and more difficult to analyze. In essence, they're refining their digital camouflage."

The starting point of the multi-stage attack chain is an executable ("streaming\_client.exe") that checks for an active internet connection and proceeds to download a second-stage configuration from a remote server.

The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques that increases the complexity of analysis and the defense evasion capabilities.

"The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven's Gate and injects subsequent shellcode into cmd.exe," the researchers said.

"The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process."

Heaven's Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code in 32-bit processes in Windows, effectively bypassing user-mode hooks.

One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has been previously observed in malware such as the Osiris banking trojan.

"Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages," Arsene said.

"Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git