Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter mac at /goform/GetParentControlInfo.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40897: founded-0-days/ac8/GetParentControlInfo/1.md at main · peris-navince/founded-0-days

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter macFilterType and parameter deviceList at url /goform/setMacFilterCfg.

CVE-2023-40901: founded-0-days/ac10/fromSetStaticRouteCfg/1.md at main · peris-navince/founded-0-days

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter macFilterType and parameter deviceList at /goform/setMacFilterCfg.

CVE-2023-40904: founded-0-days/ac10/formSetMacFilterCfg/1.md at main · peris-navince/founded-0-days

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter macFilterType and parameter deviceList at /goform/setMacFilterCfg.

CVE-2023-40899: founded-0-days/ac8/formSetMacFilterCfg/1.md at main · peris-navince/founded-0-days

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter list and bindnum at /goform/SetIpMacBind.

CVE-2023-40902: founded-0-days/ac10/SetIpMacBind/1.md at main · peris-navince/founded-0-days

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter list and bindnum at /goform/SetIpMacBind.

CVE-2023-40896: founded-0-days/ac8/SetIpMacBind/1.md at main · peris-navince/founded-0-days

Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter list at /goform/SetNetControlList.

CVE-2023-40900: founded-0-days/ac8/formSetQosBand/1.md at main · peris-navince/founded-0-days

The latest activity from Lazarus Groups, .gov domains scamming people out of "V-Bucks" and more in this week's edition.

Thursday, August 24, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I have no idea how “Fortnite” keeps coming up in this newsletter, but here we are again.

Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.

After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.

Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.

These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.

This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.

For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.

The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the auspiciously named “EPic Games,” which wreaks of the same vibes as a typosquatted domain.

Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.

I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.

But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.

**The one big thing**

The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.

**Why do I care?**

Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. With this specific set of RATs, they are smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.

**So now what?**

Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.

**Top security headlines of the week**

**The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists.** The Lazarus Group reportedly is holding onto six separate crypto wallets holding a combined 1,580 Bitcoin over the course of 24 hours earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency agencies could examine their blockchain data and “be vigilant in guarding against transactions directly with, or derived from the addresses.” (TechCrunch, SecurityWeek)

**A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia.** Security researchers attributed the attack to a new actor known as “Carderbee” that is currently not tied to any state affiliations. The attackers exploited the legitimate Cobra DocGuard software — made by a Chinese software company — to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (the predecessor of PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)

**The Clop threat actor was responsible for more than a third of all ransomware attacks in July,** according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #151: Hacktivism is quietly growing, especially when it comes to Russia's invasion of Ukraine
*   Three vulnerabilities in NVIDIA graphics driver could cause memory corruption
*   Generating FLIRT signatures for Nim and other non-C programming languages
*   Cisco: Bringing More Intelligence to Bear on the Threat Landscape

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with a one-click zero-day exploit.

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf  
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551  
**Typical Filename:** rcx4d83.tmp  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Pykspa::tpd

Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams

Categories: Personal
Cybersecurity isn't limited to defending against malware anymore; it's about ensuring your entire digital identity remains unscathed and your private details remain private.



(Read more...)




The post Malwarebytes acquires Cyrus Security   appeared first on Malwarebytes Labs.

Posted: August 24, 2023 by

Today, I am absolutely thrilled to share some exciting news: Malwarebytes is officially welcoming Cyrus Security into our family. This acquisition signifies an exciting chapter in our journey, and I wanted to share why this development is so special, and what it means for the millions who trust Malwarebytes to keep them safe.

We have always been committed to keeping you safe and secure in the digital landscape. But cybersecurity isn't limited to defending against malware anymore; it's about ensuring your entire digital identity remains unscathed and your private details remain private. With Cyrus Security's specialized solutions, we can further our promise, delivering a more comprehensive protective shield.

Cyrus Security, much like Malwarebytes, has been an innovative force in the cybersecurity realm.

Its relentless focus on protecting users from identity theft and ensuring online privacy has consistently impressed us. Merging our forces means bringing together two of the industry's brightest minds.

Cyrus security's skills, expertise and technology will complement Malwarebytes' advanced threat detection and remediation capabilities in a number of exciting ways:

**Mobile security expertise**

One of the standout aspects of Cyrus Security is its unparalleled expertise in mobile user experience. As our world becomes more mobile-centric, this proficiency is crucial. With Cyrus on board, our users can expect even more robust protection on their mobile devices, ensuring safety on-the-go.

**Expanding our toolset**

Cyrus Security's cutting-edge technologies will soon be integrated into our product suite. Imagine the robust Malwarebytes protection you know and love, now amplified with Cyrus's identity protection tools. It's a combination that promises to enhance the security of our customers, no matter what device they are using.

**Growth and learning**

Every acquisition is a two-way street. While we're eager to integrate Cyrus Security's tools into our portfolio, we're equally excited about the knowledge exchange, the shared learnings, and the new perspectives that will enrich our team.

**A Future Full of Possibilities**

With the combination of Malwarebytes and Cyrus Security, we are gearing up to explore emerging aspects of cybersecurity we haven't ventured into before. This acquisition isn't just about what we can offer now, but what we can develop and deliver in the future.

To our Malwarebytes family–both old and new–this acquisition is a testament to our commitment to you. Your safety, your trust, and your peace of mind are what drive us every day. With Cyrus Security on board, we're more equipped than ever to champion these values.

**RELATED ARTICLES**

Malwarebytes acquires Cyrus Security  

By Deeba Ahmed
Meet Telekopye, a new phishing toolkit that uses a Telegram bot to carry out its operations.
This is a post from HackRead.com Read the original post: Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks

*   **Telekopye Toolkit Unveiled:** ESET research exposes a potent phishing toolkit named Telekopye, designed by Russian hackers, enabling even inexperienced scammers to carry out phishing attacks without technical expertise.

*   **E-commerce Under Siege:** Scammers leverage Telekopye to target popular Russian and non-Russian online marketplaces like OLX, Yula, JOFOGAS, BlaBlaCarm Sbazar, and eBay, causing concerns for both platforms and users.

*   **Neanderthal Scammers:** ESET researchers have named the scammers utilizing Telekopye as Neanderthals, who employ deceptive tactics and social engineering to persuade victims into sharing sensitive information.

*   **Cryptocurrency Laundering:** Once scammers acquire sensitive data, they employ it to launder cryptocurrency through cryptomixers, masking their stolen gains and complicating the tracking of funds.

*   **Hierarchical Scammer System:** Telekopye’s unique shared account structure assigns different roles like administrators, moderators, and workers, each with distinct commission fees, creating a layered payment ecosystem for scammers.

According to the latest research from ESET, Russian hackers have come up with a new toolkit dubbed Telekopye allowing even novice scammers to conduct phishing attacks without any technical expertise.

Telekopye toolkit allows scammers to create phishing websites, send fraudulent SMS messages and emails, and target popular Russian and non-Russian online marketplaces, including OLX, Yula, JOFOGAS, BlaBlaCarm Sbazar, and eBay.

An SMSishing link and an eBay phishing page made out of Teleopye (ESET)

E-commerce platforms and users of these services have long been the targets of scammers and fraudsters. Radek Jizba, security researcher and the author of ESET’s blog post on Telekopye, wrote that the toolkit is named after its targeted platform Telegram, and Kopye is a Russian term for spear. Victims of Telekopye are referred to as Mammoths by the scammers, therefore, ESET researchers named the scammers as Neanderthals.

> “We discovered the source code of a toolkit that helps scammers so much in their endeavours that they don’t need to be particularly well-versed in IT. Instead, they only need a silver tongue to persuade their victims.”
> 
> Radek Jizba -ESET

It is worth noting that researchers have detected various versions of this toolkit, the latest one seen in April 2023. Researchers believe that this toolkit has been available since 2015 and the language used in the comments in the code hints that its primary user base is in Russia, Uzbekistan, and Ukraine. Some of its versions can store sensitive user data such as payment card details or email addresses stored on the targeted system’s disk.

It is designed as a Telegram bot, which is added to a Telegram group chat and features several “easy to navigate” menus as clickable buttons to facilitate multiple Neanderthals. The information obtained from Telekopye is uploaded to VirusTotal. The toolkit comes with predesigned templates to create phishing pages, which further makes the job easier for the scammers.

Regarding how Mammoths are hunted by Telekopye operators, in their blog post, ESET researchers noted that the Neanderthals first gained the victim’s trust by claiming to be a legitimate entity and compelling them to visit a genuine-looking phishing web page sent to them via SMS or email. Victims are then tricked into entering sensitive data such as credentials or credit card details.

Scam Overview (ESET)

Once the information is obtained, the scammers can use it to launder cryptocurrency through cryptomixers to hide stolen money. However, researchers couldn’t determine how the scammers find their victims. They did note that stolen funds aren’t directly transferred to the scammers’ accounts because they use a shared Telekopye account, which is owned by the Telekopye administrator.

They also noted that Telekopye tracks every scammer’s success by featuring their individual contributions to the shared account and they are paid by the administrator accordingly. Interestingly, the shared account serves as a payment system for the scammers and there’s a hierarchical system in place where scammers are divided into different classes (administrators, moderators, good workers/support bots, workers, and blocked) with varying commission fees and perks.

The only way to prevent financial loss is to stay vigilant and avoid spending money to buy goods from online marketplaces unless fully confident about their legitimacy.

1.  RIG Exploit Toolkit Distributing CeidPageLock Malware
2.  New credit card skimmers channel funds through Telegram
3.  New Phishing Attack Spoofs Microsoft 365 Authentication System

Tag

#git