Tenda F1202 V1.2.0.9, PA202 V1.1.2.5, PW201A V1.1.2.5 and FH1202 V1.2.0.9 were discovered to contain a stack overflow via the page parameter in the SafeEmailFilter function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38932: IoT-Vulns/tenda/formSafeEmailFilter at main · FirmRec/IoT-Vulns

Soon after Russian troops invaded Ukraine in February 2022, sensors in the Chernobyl Exclusion Zone reported radiation spikes. A researcher now believes he’s found evidence the data was manipulated.

The Mystery of Chernobyl’s Post-Invasion Radiation Spikes

ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3).

Skip to content

Open Issue created Jul 22, 2023 by **Richard Laager@rlaager**Maintainer

**segfault in libcrypto.so**

A Debian bug was filed regarding a crash in NTPsec 1.2.2.

His ntp.conf is the (Debian) stock ntp.conf. With comments removed, it is:

    driftfile /var/lib/ntpsec/ntp.drift
    leapfile /usr/share/zoneinfo/leap-seconds.list
    tos maxclock 11
    tos minclock 4 minsane 3
    pool 0.debian.pool.ntp.org iburst
    pool 1.debian.pool.ntp.org iburst
    pool 2.debian.pool.ntp.org iburst
    pool 3.debian.pool.ntp.org iburst
    restrict default kod nomodify nopeer noquery limited
    restrict 127.0.0.1
    restrict ::1

The ntpsec version of ntpd starts as expected, but randomly crashes in a few hours. It reports the following information to the kern.log file:

    2023-06-17T01:12:52.873519+00:00 karita kernel: [258683.650167] ntpd[23269]: segfault at 10 ip 00007f6d3ece0ab3 sp 00007ffc9c364830 error 4 in libcrypto.so.3[7f6d3ecc5000+278000] likely on CPU 1 (core 0, socket 1)
    2023-06-17T01:12:52.873554+00:00 karita kernel: [258683.650185] Code: 1f 84 00 00 00 00 00 48 83 ec 08 48 c7 c0 ff ff ff ff 48 85 ff 0f 84 63 04 00 00 48 85 d2 0f 84 5a 04 00 00 41 ba 00 08 00 10 <0f> 10 07 0f 57 e4 44 23 15 e4 fa 39 00 48 8d 42 10 81 fe 00 01 00

Here's a backtrace from the latest ntpsec coredump.

    root@karita:/var/lib/systemd/coredump# export
    DEBUGINFOD_URLS="https://debuginfod.debian.net"
    root@karita:/var/lib/systemd/coredump# coredumpctl debug                
                      PID: 61726 (ntpd)
               UID: 110 (ntpsec)
               GID: 117 (ntpsec)
            Signal: 11 (SEGV)
         Timestamp: Fri 2023-06-30 02:33:27 UTC (59min ago)
      Command Line: /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf
    -g -N -u ntpsec:ntpsec
        Executable: /usr/sbin/ntpd
     Control Group: /system.slice/ntpsec.service
              Unit: ntpsec.service
             Slice: system.slice
           Boot ID: 0e943a6b0cfe4fdd9e032c3d91c9d58d
        Machine ID: 0e50b80b858599a4a8aa8383662e5bb4
          Hostname: karita
           Storage:
    /var/lib/systemd/coredump/core.ntpd.110.0e943a6b0cfe4fdd9e032c3d91c9d58d.61726.1688092407000000.zst
    (present)
      Size on Disk: 775.6K
           Message: Process 61726 (ntpd) of user 110 dumped core.
    
                    Module libnss_systemd.so.2 from deb
    systemd-252.6-1.amd64
                    Stack trace of thread 61726:
                    #0  0x00007f280d4e0ab3 aesni_set_encrypt_key
    (libcrypto.so.3 + 0xe0ab3)
                    #1  0x00007f280d6f3d45 cipher_hw_aesni_initkey
    (libcrypto.so.3 + 0x2f3d45)
                    #2  0x00007f280d7397fb cipher_generic_init_internal
    (libcrypto.so.3 + 0x3397fb)
                    #3  0x00007f280d7398cb ossl_cipher_generic_einit
    (libcrypto.so.3 + 0x3398cb)
                    #4  0x00007f280d60993b EVP_CipherInit_ex (libcrypto.so.3
    + 0x20993b)
                    #5  0x0000560b2e1246f3 AES_SIV_Init (ntpd + 0x4c6f3)
                    #6  0x0000560b2e1255df AES_SIV_Decrypt (ntpd + 0x4d5df)
                    #7  0x0000560b2e10f40d nts_unpack_cookie (ntpd +
    0x3740d)
                    #8  0x0000560b2e10f85b extens_server_recv (ntpd +
    0x3785b)
                    #9  0x0000560b2e0f78ce receive (ntpd + 0x1f8ce)
                    #10 0x0000560b2e0ed8ea read_network_packet (ntpd +
    0x158ea)
                    #11 0x0000560b2e0ef3cf input_handler (ntpd + 0x173cf)
                    #12 0x0000560b2e0e819f mainloop (ntpd + 0x1019f)
                    #13 0x00007f280d16718a __libc_start_call_main (libc.so.6
    + 0x2718a)
                    #14 0x00007f280d167245 __libc_start_main_impl (libc.so.6
    + 0x27245)
                    #15 0x0000560b2e0e84e1 _start (ntpd + 0x104e1)
                    ELF object binary architecture: AMD x86-64
    
    GNU gdb (Debian 13.1-3) 13.1
    Copyright (C) 2023 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <https://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /usr/sbin/ntpd...
    Reading symbols from
    /usr/lib/debug/.build-id/8b/c6f9398efb6b8c446b2d719831f5738d563c84.debug...
    [New LWP 61726]
    
    This GDB supports auto-downloading debuginfo from the following URLs:
      <https://debuginfod.debian.net>
    Enable debuginfod for this session? (y or [n]) y
    Debuginfod has been enabled.
    To make this setting permanent, add 'set debuginfod enabled on' to
    .gdbinit.
    Downloading separate debug info for
    /lib/x86_64-linux-gnu/libnss_systemd.so.2
    Downloading separate debug info for /lib/x86_64-linux-gnu/libgcc_s.so.1
    Downloading separate debug info for system-supplied DSO at
    0x7ffc94772000
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library
    "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Core was generated by `/usr/sbin/ntpd -p /run/ntpd.pid -c
    /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  aesni_set_encrypt_key () at crypto/aes/aesni-x86_64.s:4104
    Download failed: Invalid argument.  Continuing without source file
    ./build_shared/crypto/aes/aesni-x86_64.s.
    4104    crypto/aes/aesni-x86_64.s: No such file or directory.
    (gdb) bt
    #0  aesni_set_encrypt_key () at crypto/aes/aesni-x86_64.s:4104
    #1  0x00007f280d6f3d45 in cipher_hw_aesni_initkey (dat=0x560b2f082b50,
        key=<optimized out>, keylen=<optimized out>)
        at ../providers/implementations/ciphers/cipher_aes_hw_aesni.inc:37
    #2  0x00007f280d7397fb in cipher_generic_init_internal
    (ctx=0x560b2f082b50,
        key=0x10 <error: Cannot access memory at address 0x10>, keylen=16,
    iv=0x0,
        ivlen=0, params=0x0, enc=1)
        at ../providers/implementations/ciphers/ciphercommon.c:218
    #3  0x00007f280d7398cb in ossl_cipher_generic_einit (vctx=<optimized
    out>,
        key=<optimized out>, keylen=<optimized out>, iv=<optimized out>,
        ivlen=<optimized out>, params=<optimized out>)
        at ../providers/implementations/ciphers/ciphercommon.c:228
    #4  0x00007f280d60993b in EVP_CipherInit_ex (ctx=<optimized out>,
        cipher=<optimized out>, impl=impl@entry=0x0, key=<optimized out>,
        iv=iv@entry=0x0, enc=enc@entry=1) at ../crypto/evp/evp_enc.c:412
    #5  0x00007f280d60995b in EVP_EncryptInit_ex (ctx=<optimized out>,
        cipher=<optimized out>, impl=impl@entry=0x0, key=<optimized out>,
        iv=iv@entry=0x0) at ../crypto/evp/evp_enc.c:450
    #6  0x0000560b2e1246f3 in AES_SIV_Init (ctx=ctx@entry=0x560b2f01e5b0,
        key=key@entry=0x0, key_len=<optimized out>)
        at ../../libaes_siv/aes_siv.c:329
    #7  0x0000560b2e1255df in AES_SIV_Decrypt (ctx=0x560b2f01e5b0,
        out=out@entry=0x7ffc94695850 "\001",
    out_len=out_len@entry=0x7ffc94695848,
        key=key@entry=0x0, key_len=<optimized out>,
        nonce=nonce@entry=0x560b2ef65364
    "t\347CoA\av\236TA\022\200xge\270r\302\027\020\234\215\262\210\rv\324wtM벧\264\230pC\356@4:\336g",
    nonce_len=16,
        ciphertext=0x560b2ef65374
    "r\302\027\020\234\215\262\210\rv\324wtM벧\264\230pC\356@4:\336g",
    ciphertext_len=80, ad=0x560b2ef65360 "", ad_len=20)
        at ../../libaes_siv/aes_siv.c:582
    #8  0x0000560b2e10f40d in nts_unpack_cookie (cookie=0x560b2ef65360 "",
        cookielen=100, aead=aead@entry=0x7ffc94695962,
        c2s=c2s@entry=0x560b2ef663e8 "", s2c=s2c@entry=0x560b2ef66428 "",
        keylen=keylen@entry=0x560b2ef663e4) at ../../ntpd/nts_cookie.c:428
    #9  0x0000560b2e10f85b in extens_server_recv (
        ntspacket=ntspacket@entry=0x560b2ef66394,
        pkt=pkt@entry=0x560b2ef65308 "#", lng=<optimized out>)
        at ../../ntpd/nts_extens.c:182
    #10 0x0000560b2e0f78ce in receive (rbufp=rbufp@entry=0x560b2ef652c0)
        at ../../ntpd/ntp_proto.c:800
    #11 0x0000560b2e0ed8ea in read_network_packet (fd=fd@entry=19,
        itf=itf@entry=0x560b2ef6de60) at ../../ntpd/ntp_io.c:2243
    #12 0x0000560b2e0ef3cf in input_handler (fds=0x7ffc94696bf0)
        at ../../ntpd/ntp_io.c:2373
    #13 io_handler () at ../../ntpd/ntp_io.c:2280
    #14 0x0000560b2e0e819f in mainloop () at ../../ntpd/ntpd.c:940
    #15 main (argc=9, argv=<optimized out>) at ../../ntpd/ntpd.c:881
    (gdb)

Edited Jul 22, 2023 by James Browning

CVE-2023-4012: segfault in libcrypto.so (#794) · Issues · NTPsec / ntpsec · GitLab

By Habiba Rashid
A new investigation by cybersecurity researcher Jeremiah Fowler from VPNmentor reveals an elaborate cryptocurrency scam that employs over 300 fake websites to steal funds from unsuspecting victims and lure new investors.
This is a post from HackRead.com Read the original post: Researcher Exposes Cryptocurrency Scam Network of 300 Domains

*   **The new investigation uncovers intricate cryptocurrency scams exploiting victims’ trust.**
*   **Scammers pose as acquaintances, directing victims to professional-looking fake websites with fabricated financial data.**
*   **Victims are enticed with minor withdrawals and encouraged to recruit friends and family into the scheme.**
*   **Withdrawal attempts lead to demands for additional fees, trapping victims in a cycle of payments.**
*   **The investigation exposes a vast network of nearly 300 websites, pointing to an international scam operation.**

In a digital age where financial opportunities and risks coexist, the world of cryptocurrency investment has become a breeding ground for fraudulent activities. As more novice investors enter the crypto market seeking substantial returns, scammers have devised increasingly sophisticated schemes to prey on their aspirations. A recent investigation by Jeremiah Fowler from VPNmentor reveals the intricate workings of these scams. 

The scam begins with social engineering tactics, exploiting victims’ trust by posing as acquaintances who have reaped benefits from the fraudulent investment scheme. Victims are provided with website links, often adorned with professional designs and fabricated graphs, projecting fake deposits and withdrawals. The illusion of legitimacy is bolstered by the inclusion of trust logos from renowned credit cards and payment methods.

Once victims invest, they may receive minor withdrawals and even modest profits, cementing their belief in the scam. The fraudsters escalate the deception by offering multi-tiered membership levels, promising exorbitant returns as high as 20%. Manipulating human psychology, they encourage victims to enlist friends and family, leveraging their established relationships to lure more investors into the scheme.

Reality strikes when victims attempt to withdraw their investments, only to be met with demands for additional fees. These fraudulent fees act as a barrier to prevent victims from accessing their funds, driving them into a nightmarish cycle of further payments. As the investigator’s account reveals, scammers are relentless in their pursuit of more money, resorting to threats and intimidation when victims refuse to comply.

According to the report shared by VPNmentor with Hackrad.com, delving into the digital footprints of these scams, the investigator uncovered a sprawling network of nearly 300 websites. While the domains were often masked by privacy protection, their investigation led to domains registered to individuals in Nigeria and the US, pointing towards an international network of scammers.

Names of hosting and domain registrars where scam domains have been provided services (1) – A victim revealing they have been scammed (2) (Screenshot via: VPNmentor)

As this exposé unravels the intricacies of these scams, it also sheds light on the industry’s need for reform. Hosting providers and domain registrars play a pivotal role in enabling these fraudulent operations to thrive.

While generating substantial revenue, these entities often lack measures to thwart cybercriminals abusing their services. Suggestions for change include the implementation of Know Your Customer (KYC) systems, akin to those used by banks, to validate the identity of domain registrants and deter anonymous registrations.

The lesson for potential investors is clear: meticulous research and scepticism are vital when considering crypto investments. To avoid falling victim to scams, investors must verify the credibility of companies, seek independent advice, and refrain from making hasty decisions under pressure.

By promoting awareness and advocating for industry regulations, stakeholders can contribute to a safer and more secure crypto landscape, sparing countless individuals from the devastating consequences of investment scams.

**RELATED ARTICLES**

1.  13 Domains Linked to DDoS-For-Hire Services Seized
2.  Scammers Netted $7.7 Billion worth of Cryptocurrency in 2021
3.  US Seizes 7 Domains used in Pig Butchering Cryptocurrency Scam
4.  170 fraudulent Android apps scamming cryptocurrency enthusiasts
5.  42,000 phishing domains discovered masquerading as popular brands
6.  Microsoft pwns domains used by hackers for large-scale cyber attacks

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Researcher Exposes Cryptocurrency Scam Network of 300 Domains

Since 2018, a dedicated team within Microsoft has attacked machine learning systems to make them safer. But with the public release of new generative AI tools, the field is already evolving.

For most people, the idea of using artificial intelligence tools in daily life—or even just messing around with them—has only become mainstream in recent months, with new releases of generative AI tools from a slew of big tech companies and startups, like OpenAI's ChatGPT and Google's Bard. But behind the scenes, the technology has been proliferating for years, along with questions about how best to evaluate and secure these new AI systems. On Monday, Microsoft is revealing details about the team within the company that since 2018 has been tasked with figuring out how to attack AI platforms to reveal their weaknesses.

In the five years since its formation, Microsoft's AI red team has grown from what was essentially an experiment into a full interdisciplinary team of machine learning experts, cybersecurity researchers, and even social engineers. The group works to communicate its findings within Microsoft and across the tech industry using the traditional parlance of digital security, so the ideas will be accessible rather than requiring specialized AI knowledge that many people and organizations don't yet have. But in truth, the team has concluded that AI security has important conceptual differences from traditional digital defense, which require differences in how the AI red team approaches its work.

“When we started, the question was, ‘What are you fundamentally going to do that’s different? Why do we need an AI red team?’” says Ram Shankar Siva Kumar, the founder of Microsoft's AI red team. “But if you look at AI red teaming as only traditional red teaming, and if you take only the security mindset, that may not be sufficient. We now have to recognize the responsible AI aspect, which is accountability of AI system failures—so generating offensive content, generating ungrounded content. That is the holy grail of AI red teaming. Not just looking at failures of security but also responsible AI failures.”

Shankar Siva Kumar says it took time to bring out this distinction and make the case that the AI red team's mission would really have this dual focus. A lot of the early work related to releasing more traditional security tools like the 2020 Adversarial Machine Learning Threat Matrix, a collaboration between Microsoft, the nonprofit R&D group MITRE, and other researchers. That year, the group also released open source automation tools for AI security testing, known as Microsoft Counterfit. And in 2021, the red team published an additional AI security risk assessment framework.

Over time, though, the AI red team has been able to evolve and expand as the urgency of addressing machine learning flaws and failures becomes more apparent. 

In one early operation, the red team assessed a Microsoft cloud deployment service that had a machine learning component. The team devised a way to launch a denial of service attack on other users of the cloud service by exploiting a flaw that allowed them to craft malicious requests to abuse the machine learning components and strategically create virtual machines, the emulated computer systems used in the cloud. By carefully placing virtual machines in key positions, the red team could launch “noisy neighbor” attacks on other cloud users, where the activity of one customer negatively impacts the performance for another customer.

The red team ultimately built and attacked an offline version of the system to prove that the vulnerabilities existed, rather than risk impacting actual Microsoft customers. But Shankar Siva Kumar says that these findings in the early years removed any doubts or questions about the utility of an AI red team. “That’s where the penny dropped for people,” he says. “They were like, ‘Holy crap, if people can do this, that’s not good for the business.’”

Crucially, the dynamic and multifaceted nature of AI systems means that Microsoft isn't just seeing the most highly resourced attackers targeting AI platforms. “Some of the novel attacks we’re seeing on large language models—it really just takes a teenager with a potty mouth, a casual user with a browser, and we don’t want to discount that,” Shankar Siva Kumar says. “There are APTs, but we also acknowledge that new breed of folks who are able to bring down LLMs and emulate them as well.”

As with any red team, though, Microsoft's AI red team isn't just researching attacks that are being used in the wild right now. Shankar Siva Kumar says that the group is focused on anticipating where attack trends may go next. And that often involves an emphasis on the newer AI accountability piece of the red team's mission. When the group finds a traditional vulnerability in an application or software system, they often collaborate with other groups within Microsoft to get it fixed rather than take the time to fully develop and propose a fix on their own. 

“There are other red teams within Microsoft and other Windows infrastructure experts or whatever we need,” Shankar Siva Kumar says. “The insight for me is that AI red teaming now encompasses not just security failures, but responsible AI failures.”

Microsoft’s AI Red Team Has Already Made the Case for Itself

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix.

While exploring the security aspects of ManageEngine ADAudit Plus I discovered a security vulnerability (CVE-2023-32783) that may have far-reaching implications for other product users.

My findings indicate that ADAudit Plus contains a vulnerability allowing Windows user accounts to remain completely invisible to ADAudit Plus. User accounts leveraging this vulnerability will be undetected by ADAudit Plus, and all audit and security events raised by that user will be missed (i.e., Windows accounts logging in successfully or unsuccessfully). This vulnerability poses a potentially significant risk to organizations relying on ADAudit Plus to perform audit, compliance, and security functions accurately.

Following responsible disclosure guidelines, I secured the CVE but withheld public disclosure of the vulnerability for 90 days, allowing ManageEngine adequate time to address the issue or work with me on a timeline. Unfortunately, despite communication attempts, I could only get them to acknowledge but couldn't get them to provide any updates or collaborate. The 90-day disclosure period has expired, and this CVE is now public.

**Steps to Reproduce**

**1\. Setup:**

*   Install ManageEngine ADAudit Plus (Version: 7.1.1) on a Windows machine designated to monitor Windows Event Log activity for user accounts (e.g., a domain controller or event forwarding server).
    
*   Access the ADAudit Plus portal page at http://localhost:8081.
    
*   Navigate to the Reports section and select "User Logon Activity" (or any other report screen that displays user activities).
    

**2\. Execution:**

*   Carry out actions that trigger the generation of Windows event logs, such as logging into machines using domain accounts, locking screens, attempting logins with incorrect passwords, etc. ADAudit Plus will successfully detect all these activities, as advertised.
    

**3\. Exploit:**

*   Create a new user account on any machine that will generate Windows Event Logs to be observed by ADAudit Plus. Ensure the user account ends with a "$" symbol (e.g., "duser$").
    

*   Log in using this new account (in this example, "duser$") and perform various actions that result in creating Windows Event Logs.
    
*   Observe that the ADAudit Plus portal does not recognize this user, and any actions taken by the user (whether successful or not) do not appear in any of the user or activity reports.
    
*   Note that any user previously observed by ADAudit Plus will become invisible if they rename their user login to end with a '$' symbol.
    

**Threat Vector**

A malicious user, whether internal or external to the org, aware of this vulnerability can create a new or rename an existing user account to have a $ suffix, and then move undetected across different machines and perform different actions that are all undetected by ADAudit Plus.

**Severity: "Medium to High"**

Rated "Medium to High" for the following reasons:

1.  This product is extensively utilized by organizations that depend on its accurate execution of audit, compliance, and security tasks.
    
2.  The simplicity of exploitation
    
3.  The potential impact on an organization's threat detection capabilities, given the possible invisibility of an adversary
    
4.  Suspected Issue and Proposed Solution
    

**Suspected Issue and Proposed Solution**

Windows Event Logs are notoriously challenging to work with, leading to a demand for products that can filter out the noise and extract meaningful information. I suspect the ADAudit Plus code may examine event properties, match the “TargetUserName,” and disregards any entry ending with a "$." and that AD Audit Plus incorrectly assumes that such entries only represent system accounts leading to the vulnerability described. Consequently, a legitimate Windows user account (non-system) would be invisible to the product.

The solution would be to avoid relying on the "$" suffix to identify system accounts to distinguish user accounts from system accounts more accurately.

CVE-2023-32783: ManageEngine ADAudit Plus  (CVE-2023-32783)

A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information.
Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "

A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information.

Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "preying on beginner hackers."

OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks. It takes in a configuration file that's tailored to a specific website and can combine it with a password list procured through other means to log successful attempts.

"OpenBullet can be used with Puppeteer, which is a headless browser that can be used for automating web interactions," the company said. "This makes it very easy to launch credential stuffing attacks without having to deal with browser windows popping up."

The configurations, essentially a piece of executable code to generate HTTP requests against the target website or web application, are also traded, or sold within criminal communities, lowering the bar for criminal activity and enabling script kiddies to mount their own attacks.

"The interest in the purchase of configs, for example, could indicate that the users of OpenBullet are relatively unsophisticated," Israeli cybersecurity company Cybersixgill noted back in September 2021.

"But it could also be yet another example of the dark web's highly efficient division of labor. That is, threat actors advertise that they want to buy configs because they don't know how to script them, but because it's easier and faster."

This flexibility can also be a double-edged sword, as it opens up a new vector, only it targets other criminal actors who are actively seeking such configuration files on hacking forums.

The campaign discovered by Kasada employs malicious configs shared on a Telegram channel to reach out to a GitHub repository to retrieve a Rust-based dropper called Ocean that's designed to fetch the next-stage payload from the same repository.

The executable, a Python-based malware referred to as Patent, ultimately launches a remote access trojan that utilizes Telegram as a command-and-control (C2) mechanism and issues instructions to capture screenshots, list directory contents, terminate tasks, exfiltrate crypto wallet information, and steal passwords and cookies from Chromium-based web browsers.

Targeted browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and Mincoin.

The trojan also functions as a clipper to monitor the clipboard for cryptocurrency wallet addresses and substitute contents matching a predefined regular expression with an actor-controlled address, leading to unauthorized fund transfers.

Two of the Bitcoin wallet addresses operated by the adversary have received a total of $1,703.15 over the past two months, which were subsequently laundered using an anonymous crypto exchange known as Fixed Float.

"The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies," the researchers said.

"This presents an opportunity for attackers to shape their collection to a specific target group and obtain other members' funds, accounts, or access. As the old saying goes, there is no honor amongst thieves."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs

By Habiba Rashid
Revolutionary AI Model Predicts Keystrokes Through Sound: A New Wave of Acoustic Attacks.
This is a post from HackRead.com Read the original post: AI Model Listens to Typing, Potentially Compromising Sensitive Data

1.  **Cornell researchers unveil AI model decoding keyboard inputs from audio signals.**
2.  **New attack predicts keystrokes by analyzing acoustic signatures of different keys.**
3.  **Implications for data security and emergence of acoustic cyberattacks raise concerns.**
4.  **AI model achieves 93% accuracy, setting a new record for audio-based classification systems.**
5.  **Countermeasures like noise introduction can reduce accuracy, limiting widespread malicious use.**

Researchers at Cornell University have unveiled a groundbreaking deep-learning model capable of deciphering keyboard input solely from audio signals. This pioneering advancement, led by Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad, has significant implications for data security and the emergence of acoustic cyberattacks.

In a recently published paper titled “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards,” the Cornell team introduced an Artificial intelligence (AI) model capable of accurately predicting keystrokes by analyzing the unique acoustic signatures produced by different keys on a keyboard.

The technique involves training the model to associate specific audio patterns with corresponding characters, allowing it to virtually ‘listen’ to typing and transcribe it with astonishing accuracy.

Traditional cyberattacks often exploit software vulnerabilities or rely on phishing tactics, but this new wave of attacks leverages the physical characteristics of keyboards, emphasizing the significance of sound as a potential security vulnerability. The implications are far-reaching, as this method could compromise user passwords, conversations, messages, and other sensitive information.

The team’s research indicates that the model achieves an impressive accuracy rate of 93% when trained using Zoom recordings, marking a new record for audio-based classification systems. The process of training the model involves exposing it to multiple instances of each keystroke on a specific keyboard. The researchers utilized a MacBook Pro, pressing each of its 36 keys 25 times to develop a comprehensive dataset for training.

Screenshot (Arxiv)

Despite its remarkable potential, the AI model does come with certain limitations and vulnerabilities. Changing typing styles or utilizing touch typing can significantly reduce the model’s accuracy, dropping it to a range of 40% to 64%. Additionally, countermeasures like introducing noise to the audio signal can obfuscate the keystrokes and diminish the model’s accuracy.

However, the researchers are clear that the model’s effectiveness is dependent on the specific keyboard’s sound profile. This dependence restricts the applicability of the attack to keyboards with similar acoustic characteristics, limiting its scope for widespread malicious use.

As the digital landscape evolves, the arms race between cyberattacks and defence measures continues to escalate. The development of AI-based acoustic side-channel attacks underscores the need for enhanced security measures, including innovative noise-cancellation solutions like NVIDIA’s RTX Broadcast, which can counteract these types of attacks.

For a comprehensive exploration of the Cornell team’s findings and methodologies, readers can refer to the official research paper (PDF) available for further study. As the boundaries of AI and cybersecurity continue to blur, understanding these advancements is crucial for individuals and organizations to stay ahead of potential threats.

**RELATED ARTICLES**

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Stealing data from air-gapped PC by turning RAM into Wi-Fi Card
3.  Locating malicious drone operators through deep neural networks
4.  Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables
5.  Malware can extract data from air-gapped PC through power supply

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

AI Model Listens to Typing, Potentially Compromising Sensitive Data

In Gitea through 1.17.1, repo cloning can occur in the migration function.

**Gitea erroneous repo clones**

Moderate severity GitHub Reviewed Published Aug 7, 2023 to the GitHub Advisory Database • Updated Aug 9, 2023

GHSA-8j3v-68w3-3848: Gitea erroneous repo clones

A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.

From: Laszlo Ersek <lersek@redhat.com>
To: linux-kernel@vger.kernel.org, lersek@redhat.com
Cc: Eric Dumazet <edumazet@google.com>,
	Lorenzo Colitti <lorenzo@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	Pietro Borrello <borrello@diag.uniroma1.it>,
	netdev@vger.kernel.org, stable@vger.kernel.org
Subject: \[PATCH 0/2\] tun/tap: set sk\_uid from current\_fsuid()
Date: Mon, 31 Jul 2023 18:42:35 +0200	\[thread overview\]
Message-ID: <20230731164237.48365-1-lersek@redhat.com> (raw)

The original patches fixing CVE-2023-1076 are incorrect in my opinion.
This small series fixes them up; see the individual commit messages for
explanation.

I have a very elaborate test procedure demonstrating the problem for
both tun and tap; it involves libvirt, qemu, and "crash". I can share
that procedure if necessary, but it's indeed quite long (I wrote it
originally for our QE team).

The patches in this series are supposed to "re-fix" CVE-2023-1076; given
that said CVE is classified as Low Impact (CVSSv3=5.5), I'm posting this
publicly, and not suggesting any embargo. Red Hat Product Security may
assign a new CVE number later.

I've tested the patches on top of v6.5-rc4, with "crash" built at commit
c74f375e0ef7.

Cc: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pietro Borrello <borrello@diag.uniroma1.it>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org

Laszlo Ersek (2):
  net: tun\_chr\_open(): set sk\_uid from current\_fsuid()
  net: tap\_open(): set sk\_uid from current\_fsuid()

 drivers/net/tap.c | 2 +-
 drivers/net/tun.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4

next             reply	other threads:\[~2023-07-31 16:43 UTC|newest\]

**Thread overview:** 4+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2023-07-31 16:42 Laszlo Ersek \[this message\]**
2023-07-31 16:42 \` \[PATCH 1/2\] net: tun\_chr\_open(): set sk\_uid from current\_fsuid() Laszlo Ersek
2023-07-31 16:42 \` \[PATCH 2/2\] net: tap\_open(): " Laszlo Ersek
2023-08-03 16:43 \` \[PATCH 0/2\] tun/tap: " Jakub Kicinski

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20230731164237.48365-1-lersek@redhat.com \\
    --to=lersek@redhat.com \\
    --cc=borrello@diag.uniroma1.it \\
    --cc=edumazet@google.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=lorenzo@google.com \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=stable@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Tag

#git