In Gitea through 1.17.1, repo cloning can occur in the migration function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-38795: Double check CloneURL is acceptable (#20869) by zeripath · Pull Request #20892 · go-gitea/gitea

By Waqas
North Korean hackers from OpenCarrot and Lazarus breached NPO Mashinostroyeniya, a major Russian missile developer, for at least five months last year.
This is a post from HackRead.com Read the original post: Elite North Korean Hackers Breach Russian Missile Developer

*   **North Korean hackers breached a major Russian missile developer, NPO Mashinostroyeniya, for at least five months.**
*   **Cyber-espionage teams ScarCruft and Lazarus installed stealthy digital backdoors into NPO Mash’s systems.**
*   **It remains unclear if data was stolen or linked to North Korea’s ballistic missile program developments.**
*   **Experts warn that North Korea targets even its allies to acquire critical technologies.**
*   **The breach exposes vulnerabilities in cybersecurity and raises concerns about sensitive technology transfers.**

It has been uncovered that an elite group of North Korean hackers successfully breached the computer networks of a major Russian missile developer for an extended period last year.

The evidence, reviewed by Reuters and analyzed by security researchers, points to cyber-espionage teams associated with the North Korean government, namely ScarCruft (aka APT37, InkySquid, Reaper, and Ricochet Chollima). The same group was also reported to have used the Dolphin Backdoor against South Korea in December 2022.

The researchers also noted tracks of the infamous North Korean state-backed group, Lazarus, in these attacks. This was identified after researchers noted the presence of OpenCarrot Windows OS backdoor. The backdoor is known to be used by the Lazarus group.

These hackers discreetly installed stealthy backdoors into systems at NPO Mashinostroyeniya, commonly referred to as NPO Mash, a prominent rocket design bureau located in Reutov, on the outskirts of Moscow.

Reuters’ investigation did not ascertain whether any data was taken during the intrusion or what information might have been accessed. Nonetheless, it is noteworthy that in the months following the breaches, North Korea declared significant advancements in its banned ballistic missile program, raising suspicions about a possible connection to the breach.

Technical data reveals that the intrusion began approximately in late 2021 and persisted until May 2022 when the company’s IT engineers, as per internal communications reviewed by Reuters, detected the hackers’ activities.

Tom Hegel, a security researcher with US cybersecurity firm SentinelOne, who first uncovered the compromise, highlighted the importance of these findings, providing rare insight into clandestine cyber operations that often elude public scrutiny. Hegel’s team stumbled upon the hack when an NPO Mash IT staffer inadvertently leaked the company’s internal communications while attempting to investigate the North Korean attack by uploading evidence to a private cybersecurity research portal.

> With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.
> 
> Tom Hegel – SentinelOne

Two independent computer security experts, Nicholas Weaver and Matt Tait, verified the exposed email content’s authenticity by cross-referencing cryptographic signatures with a set of keys controlled by NPO Mash. SentinelOne expressed confidence that North Korea was responsible for the hack, as the cyberspies reused previously known malware and malicious infrastructure utilized in other intrusions.

The information potentially accessed by North Korean hackers includes details about NPO Mash’s hypersonic missile, “Zircon,” which Russian President Vladimir Putin had praised as a promising product capable of reaching speeds around nine times that of sound.

However, missile expert Markus Schiller, who has researched foreign aid to North Korea’s missile program, downplayed the immediate impact of obtaining plans for the Zircon. Schiller asserted that merely possessing drawings wouldn’t be sufficient to replicate the missile’s capabilities, as the process involves more complexities than what appears on paper.

Nevertheless, NPO Mash’s role as a leading Russian missile designer and producer makes it a highly valuable target. As the company’s advancements could have strategic implications, the breach raises concerns about the potential transfer of sensitive missile-related technology to North Korea.

The incident underscores the isolated nation’s willingness to target even its allies, as evidenced by the breach of Russia’s defence technologies. NPO Mashinostroyeniya has played a crucial role in developing hypersonic missiles, satellite technologies, and newer generation ballistic armaments—areas of immense interest to North Korea in its pursuit of an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.

**RELATED ARTICLES**

1.  CIA Wants Russians to Share Secret via its Darknet Site
2.  Russian hacking forums warming up to Chinese hackers
3.  Hackers steal personal data of 1,000 North Korean Defectors

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Elite North Korean Hackers Breach Russian Missile Developer

Cisco Talos is seeing an increasing number of ransomware variants emerge, since 2021,  leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

Monday, August 7, 2023 08:08

Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

**Code leaks are benefitting threat actors**

Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.

Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled technicians to create. Therefore, having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.

Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.

**New variants based on leaked code are becoming more common**

We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called “Encoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.

In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.

Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team — whose name we derived from a translation of their Hindi name in the ransom note — appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.

Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

**Actors repurposing leaked code are demanding low ransom payments  
**

Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.

Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.

**Opportunities for security researchers and defenders**

While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.

By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.

Code leaks are causing an influx of new ransomware actors

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.

Monday, August 7, 2023 08:08

*   Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
*   This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
*   The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

**Threat actor analysis**

Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.

Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry, your file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying “sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.

We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called “Ransomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.

GitHub repository that contains ransom notes.

**Ransom note**

The actor demands the ransom payment in Bitcoins to the wallet address “bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and they double the ransomware price if the victim fails to pay within three days, according to our ransomware note analysis. The actor has an email address, “nguyenvietphat\[.\]n\[at\]gmail\[.\]com,” for the victims to contact them. At the time of our analysis, we had not observed any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware operation might still be in a nascent stage.

The ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s identity and confuse incident responders.

The ransom note for WannaCry ransomware.

Ransom notes samples of the Yashma variant.

After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems that the operator downloaded this picture from www\[.\]FXXZ\[.\]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.

Yashma variant wallpaper (left) and WannaCry wallpaper (right).

**Customized Yashma ransomware variant**

The actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023.  Yashma is a 32-bit executable written in .Net and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this variant, most of Yashma’s features remained unchanged and have been described by the security researchers at Blackberry, with the exception of a few notable modifications.

Usually, ransomware stores the ransom note text as strings in the binary. However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository. This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary.

Contents of the batch file.

Earlier versions of the Yashma ransomware established persistence on the victim machine in the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant we observed also established persistence in the Run registry key. Still, it was modified to create a “.url” bookmark file in the startup folder that points to the dropped executable located at “%AppData%\\Roaming\\svchost.exe”.

A function that creates the bookmark file.

One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character “?” and then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.

The code snippet shows the anti-recovery feature of the ransomware.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are **62131 - 62143 and 300633 - 300638.**

ClamAV detections are available for this threat:

Win.Ransomware.Hydracrypt-9878672-0

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**IOCs**

Indicators of Compromise associated with this threat can be found here.

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Cybercriminals are touting large language models that could help them with phishing or creating malware. But the AI chatbots could just be their own kind of scam.

It didn't take long. Just months after OpenAI’s ChatGPT chatbot upended the startup economy, cybercriminals and hackers are claiming to have created their own versions of the text-generating technology. The systems could, theoretically at least, supercharge criminals’ ability to write malware or phishing emails that trick people into handing over their login information.

Since the start of July, criminals posting on dark-web forums and marketplaces have been touting two large language models (LLMs) they say they’ve produced. The systems, which are said to mimic the functionalities of ChatGPT and Google’s Bard, generate text to answer the questions or prompts users enter. But unlike the LLMs made by legitimate companies, these chatbots are marketed for illegal activities.

There are outstanding questions about the authenticity of the chatbots. Cybercriminals are not exactly trustworthy characters, and there remains the possibility that they’re trying to make a quick buck by scamming each other. Despite this, the developments come at a time when scammers are exploiting the hype of generative AI for their own advantage.

In recent weeks, two chatbots have been advertised on dark-web forums—WormGPT and FraudGPT—according to security researchers monitoring the activity. The LLMs developed by large tech companies, such as Google, Microsoft, and OpenAI, have a number of guardrails and safety measures in place to stop them from being misused. If you ask them to generate malware or write hate speech, they’ll generally refuse.

The shady LLMs claim to strip away any kind of safety protections or ethical barriers. WormGPT was first spotted by independent cybersecurity researcher Daniel Kelly, who worked with security firm SlashNext to detail the findings. WormGPT’s developers claim the tool offers an unlimited character count and code formatting. “The AI models are notably useful for phishing, particularly as they lower the entry barriers for many novice cybercriminals,” Kelly says in an email. “Many people argue that most cybercriminals can compose an email in English, but this isn’t necessarily true for many scammers.”

In a test of the system, Kelly writes, it was asked to produce an email that could be used as part of a business email compromise scam, with a purported CEO writing to an account manager to say an urgent payment was needed. “The results were unsettling,” Kelly wrote in the research. The system produced “an email that was not only remarkably persuasive but also strategically cunning.”

In forum posts, the WormGPT developer claimed the system was built on the GPTJ language model, an open source language model that was developed by AI research group EleutherAI in 2021. They refused to disclose the data sets they used to train the system, according to Kelly’s research.

Meanwhile, the creator of FraudGPT has claimed loftier potential for their system, suggesting it could “create undetectable malware” and find leaks and vulnerabilities, as well as crafting text that could be used in online scams. Rakesh Krishnan, the senior threat analyst at security firm Netenrich who found FraudGPT, says the person selling it has advertised the product on multiple dark-web forums and also on Telegram channels.

Krishnan says the creator of the system published a video appearing to show the chatbot operating and generating a scammy email. They were also trying to sell access to the system for $200 per month, or a yearly cost of $1,700. Krishnan says that in conversations with the developer behind FraudGPT, they claimed to have a few hundred subscribers and pushed for a sale, while the WormGPT creator appeared to have received payments into a cryptocurrency wallet address they shared. “All these projects are in their infancy,” Krishnan says. He adds, “we haven’t got much feedback” into whether people are purchasing or using the systems.

While those touting the chatbots claim they exist, it is hard to verify the makeup and legitimacy of the systems. Cybercriminal scammers are known to scam other scammers, with previous research showing that they frequently try to rip each other off, don’t provide what they claim they are selling, and offer bad customer service. Sergey Shykevich, a threat intelligence group manager at security firm Check Point, says there are some hints that people are using WormGTP. “It seems there is a real tool,” Shykevich says. The seller behind the tool is “relatively reliable” and has a history on cybercrime forums, he says.

There are more than 100 responses to one post about the WormGPT, Shykevich says, although some of these say the seller isn’t very responsive to their inquiries and others “weren’t very excited” about the system. Shykevich is less convinced about FraudGPT’s authenticity—the seller has also claimed to have systems called DarkBard and DarkBert. Shykevich says some of the posts from the seller were removed from the forums. Either way, the Check Point researcher says there’s no sign that any of the systems are more capable than ChatGPT, Bard, or other commercial LLMs.

Kelly says he believes claims about the malicious LLMs created so far are “slightly overexaggerated.” But he adds, “this is not necessarily different from what legitimate businesses do in the real world.”

Despite questions about the systems, it isn’t a surprise that cybercriminals want to get in on the LLM boom. The FBI has warned that cybercriminals are looking at using generative AI in their work, and European law enforcement agency Europol has issued a similar warning. The law enforcement agencies say LLMs could help cybercriminals with fraud, impersonation, and other social engineering faster than before and also improve their written English.

Whenever any new product, service, or event gains public attention—from the _Barbie_ movie to the Covid-19 pandemic—scammers rush to include it in their hacking artillery. So far, scammers have tricked people into downloading password-stealing malware through fake ads for ChatGPT, Bard, Midjourney, and other generative AI systems on Facebook.

Researchers at security firm Sophos have spotted the operators of pig butchering and romance scams accidentally including generated text in their messages—“As a language model of ‘me’ I don’t have feelings or emotions like humans do,” one message said. And hackers have also been stealing tokens to provide them with access to OpenAI’s API and access to the chatbot at scale.

In his WormGPT report, Kelly notes that cybercriminals are often sharing jailbreaks that allow people to bypass the safety restrictions put in place by the makers of popular LLMs. But even unconstrained versions of these models may, thankfully, not be that useful for cybercriminals in their current form.

Shykevich, the Check Point researcher, says that even when he has seen cybercriminals try to use public models, they haven’t been effective. They can “create ransomware strains, info stealers, but no better than even an average developer,” he says. However, those on the cybercrime forums are still talking about making their own clones, Shykevich says, and they’re only going to get better at using the systems. So be careful what you click.

Criminals Have Created Their Own ChatGPT Clones

Categories: Business
The new feature provides comprehensive health score that assesses the quality of your Nebula implementation.



(Read more...)




The post New Security Advisor amps up security in minutes appeared first on Malwarebytes Labs.

Malwarebytes Security Advisor, a transformation of the Nebula customer experience, enables organizations to visualize and improve their organization's security posture in just a few clicks.

“If you’re not fully configured, you aren’t fully protected,” says Jonny Rivera, Director, Customer Experience Strategy. Rivera has worked with Malwarebytes customers to optimize their deployments and saw that there were big gaps in understanding their overall cybersecurity posture, including what assets they had and how policies were configured.

Security Advisor Dashboard

Security Advisor analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds, illuminating gaps in defenses and providing actionable recommendations for improvements that can be made in minutes.

In this post, we’ll demonstrate how Security Advisor works and how it’s improving organizations’ security postures.

Read the full features here: https://service.malwarebytes.com/hc/en-us/articles/18242146189587-Understanding-the-Security-Advisor-in-Nebula

**Why Security Advisor?**

In a world where a whopping 70% of IT security personnel cite increasing workload and lack of visibility into IT infrastructure as top barriers to success, it’s easy to see why simplicity is the key to optimizing security while reducing employee burnout.

But there’s a problem.

Without a real-time snapshot of device usage or quick summaries of outdated applications, for example, IT teams are left scrambling to pick up the pieces of the information most important to them—ultimately increasing the mean time to resolution (MTTR) from days to possibly months.

Enter Malwarebytes Security Advisor.

**A Leap Beyond Traditional Reporting**

Security Advisor overview page

Security Advisor understands the specific tasks IT & security teams must perform, and flags which are crucial before a security issue arises.

With Security Advisor, organizations now have a real-time view into four key areas:

1\. The **CURRENT STATE** of their security posture. Security Advisor provides a comprehensive snapshot of the existing security measures, revealing vulnerabilities and strengths such as properly configured policies or endpoint deployment.

2\. The steps to **IMPROVE** the organization’s current security posture. Once the current state is understood, Security Advisor outlines actionable steps that organizations can take to enhance security measures, mitigate risk and safeguard assets.

Security Advisor policy optimization 

3\. How to **MAINTAIN** the improved security posture. Since security doesn't end with the implementation of improvements, Security Advisor guides customers on how to maintain the elevated security status over time, ensuring sustained protection.

4\. How to **REPORT** the organization's current posture. Crucial for transparency and accountability, Security Advisor equips users with the tools to effectively communicate the company’s security status.

By guiding and facilitating immediate actions, Security Advisor speeds a holistic approach to security management.

**Key Features****Inventory Check**

Security Advisor offers a complete inventory of physical and digital assets, identifies which devices and services are in use and by whom, and presents this information in a user-friendly dashboard.

**Current State Analysis**

Assesses the vulnerabilities associated with your assets. It checks for out-of-date devices, scans for threats, evaluates data security, and identifies any employees who may pose a greater security risk.

Security Advisor issues by severity

**Access Control**

Security Advisor enables simple and intuitive configuration of permissions and keeps track of changes over time, providing clear visibility of user permissions.

**Maintenance and Reporting**

Security Advisor’s maintenance and reporting capabilities provides real-time status updates and prompt alerts on any emerging issues, while also supporting compliance reporting for various regulations.

**Adaptive Recommendations**

As your business changes and grows, Security Advisor offers suggestions for additional security solutions that can further enhance the organization's security portfolio.

**Benchmarking**

Security Advisor leverages anonymized data from all Malwarebytes customers to provide benchmark comparisons with other organizations with a similar security mix.

“Whether it’s checking to see if EDR policies are properly configured or making sure scheduled scans are running regularly, we’re providing the recommended actions organizations need to quickly improve security and get back to running their business,” said Jonny Rivera.

**Try Security Advisor Today**

Ready to improve your organization's security posture? Nebula users can start using Security Advisor today, free-of-charge.

Not a Nebula user? Get a free demo.

New Security Advisor amps up security in minutes

The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.
In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often

Cyber Crime / Cryptocurrency

The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.

In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often employing misleading advertising campaigns that create a sense of urgency to pull them off.

"Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project," the FBI said in an advisory last week.

The replica websites urge potential targets to connect their cryptocurrency wallets and purchase the NFT, only for the threat actors to siphon the funds and NFTs to wallets under their control.

"Contents stolen from victims' wallets are often processed through a series of cryptocurrency mixers and exchanges to obfuscate the path and final destination of the stolen NFTs," the agency said.

To mitigate the risks posed by such scams, it's recommended that users carry out due diligence and review social media accounts and websites to verify their legitimacy.

The development comes nearly five months after the FBI warned of a spike in bogus cryptocurrency investment schemes called pig butchering (or shā zhū pán), leading to losses of $2 billion in 2022.

This includes a category called CryptoRom in which criminals use fictitious identities on dating apps and social media platforms to develop romantic relationships and build trust with victims, before introducing the idea of trading cryptocurrencies.

The operators are known to engage in initial conversation within the app with which they made initial contact with the target. Soon after, the chat is moved to a private messaging app such as Telegram or WhatsApp, where they encourage them to use fraudulent crypto websites or apps and make substantial investments.

"Criminals coach victims through the investment process, show them fake profits, and encourage victims to invest more," the FBI said. "When victims attempt to withdraw their money, they are told they need to pay a fee or taxes. Victims are unable to get their money back, even if they pay the imposed fees or taxes."

The romance-centered social engineering attacks have also gotten a facelift in recent months, with Sophos identifying apps on the Apple App Store and Google Play Store that make use of generative AI features to lend more credibility to conversations with the victims on messaging apps like WhatsApp.

"These applications are able to get past review by Apple and Google by modifying remote content associated with the apps after they are approved and published to the stores," the cybersecurity company said.

"By simply changing a pointer in remote code, the app can be switched from a benign interface to a fraudulent one without further review by Apple or Google, unless a complaint is filed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI Alert: Crypto Scammers are Masquerading as NFT Developers

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Users may upload php files through the system file upload utility to obtain remote code execution.

**Cockpit PHP Remote File Inclusion vulnerability**

Critical severity GitHub Reviewed Published Aug 6, 2023 to the GitHub Advisory Database • Updated Aug 9, 2023

GHSA-xcq3-7pf3-5jvc: Cockpit PHP Remote File Inclusion vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload a html file and that leads to XSS.

**Cockpit Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Aug 6, 2023 to the GitHub Advisory Database • Updated Aug 9, 2023

GHSA-w3qm-93vf-5hrw: Cockpit Cross-site Scripting vulnerability

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

Expand Up

@@ -78,7 +78,7 @@

$\_sizeAllowed = $max\_size ? filesize($files\['tmp\_name'\]\[$i\]) < $max\_size : true;

  

// prevent uploading php files

if ($\_isAllowed && in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), \['php', 'phar', 'phtml'\])) {

if ($\_isAllowed && in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), \['php', 'phar', 'phtml', 'phps'\])) {

$\_isAllowed = false;

}

  

Expand Down

Tag

#git