In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.

Thursday, March 21, 2024 14:00

Whether you want to call them “catfishing,” “pig butchering” or just good ‘old-fashioned “social engineering,” romance scams have been around forever.  

I was first introduced to them through the MTV show “Catfish,” but recently they seem to be making headlines as the term “pig butchering” enters the public lexicon. John Oliver recently covered it on “Last Week Tonight,” which means everyone my age with an HBO account heard about it a few weeks ago. And one of my favorite podcasts going, “Search Engine,” just covered it in an episode. 

The concept of “pig butchering” scams generally follows the same chain of events: 

*   An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an “Oops, wrong number!” text. 
*   When the target responds, the actor tries to strike up a conversation with a friendly demeanor. 
*   If the conversation persists, they usually evolve into “love bombing,” including compliments, friendly advice, ego-boosting, and saying flattering things about any photos the target has sent. 
*   Sometimes, the relationship may turn romantic. 
*   The scammer eventually “butchers” the “pig” that has been “fattened up” to that point, scamming them into handing over money, usually in the form of a phony cryptocurrency app, or just straight up asking for the target to send the scammer money somehow. 

There are a few twists and turns along the way based on the exact scammer, but that’s generally how it works. What I think is important to remember is that this specific method of separating users from their money is not actually new.  

The FBI seems to release a renewed warning about romance scams every Valentine’s Day when people are more likely to fall for a stranger online wanting to make a real connection and then eventually asking for money. I even found a podcast from the FBI in 2015 in which they warned that scammers “promise love, romance, to entice their victims online,” estimating that romance-related scams cost consumers $82 million in the last half of 2014.  

The main difference that I can tell between “pig butchering” and past romance scams is the sheer scale. Many actors running these operations are relying on human trafficking and sometimes literal imprisonment, forcing these people against their will to send these mass blocks of messages to a variety of targets indiscriminately. Oftentimes in these groups, scammers who are less “successful” in luring victims can be verbally and physically harassed and punished. That is, of course, a horrible human toll that these operations are taking, but they also extend far beyond the world of cybersecurity. 

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. Instead, it relies on user education and the involvement of law enforcement agencies and international governments to ensure these farms can’t operate in the shows. The founders who run them are brought to justice. 

It’s never a bad thing that users become more educated on these scams, because of that, but I also feel it’s important to remember that romance-related scams, and really any social engineering built on a personal “relationship,” has been around for years, and “pig butchering” is not something new that just started popping up. 

These types of scams are ones that our culture has kind of just accepted as part of daily life at this point (who doesn’t get surprised when they get a call about their “car’s extended warranty?), and now the infrastructure to support these scams is taking a larger human toll than ever. 

**The one big thing **

Talos has yet another round of research into the Turla APT, and now we’re able to see the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclsions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. 

**Why do I care? **

Turla, and this recently discovered TinyTurlaNG tool that Talos has been writing about, is an international threat that’s been around for years, so it’s always important for the entire security community to know what they’re up to. Most recently, Turla used these tactics to target Polish non-governmental organizations (NGOs) and steal sensitive data.  

**So now what? **

During Talos’ research into TinyTurla-NG, we’ve released several new rounds of detection content for Cisco Secure products. Read our past two blog posts on this actor for more.  

**Top security headlines of the week **

**The Biden administration issued a renewed warning to public water systems and operators this week,** saying state-sponsored actors could carry out cyber attacks soon, citing ongoing threats from Iran and China. The White House and U.S. Environmental Protection Agency sent a letter to every U.S. governor this week warning them that cyber attacks could disrupt access to clean drinking water and “impose significant costs on affected communities.” The letter also points to the U.S. Cyber and Infrastructure Security Agency’s list of known exploited vulnerabilities catalog, asking the managers of public water systems to ensure their systems are patched against these vulnerabilities. The EPA pointed to Volt Typhoon, a recently discovered Chinese APT that has reportedly been hiding on critical infrastructure networks for an extended period. A meeting among federal government leaders from the EPA and other related agencies is scheduled for March 21 to discuss threats to public water systems and how they can strengthen their cybersecurity posture. (Bloomberg, The Verge) 

**UnitedHealth says it's still recovering from a cyber attack that’s halted crucial payments to health care providers across the U.S.,** but has started releasing some of those funds this week, and expects its payment processing software to be back online soon. The cyber attack, first disclosed in February, targeted Change Healthcare, a subsidiary of United, that handles payment processing and pharmaceutical orders for hospital chains and doctors offices. UnitedHealth’s CEO said in a statement this week that the company has paid $2 billion to affected providers who spent nearly a month unable to obtain those funds or needing to switch to a paper billing system. A recently published survey from the American Hospital Association found that 94 percent of hospitals that responded experienced financial disruptions from the Change Healthcare attack, and costs at one point were hitting $1 million in revenue per day. (ABC News, CNBC) 

**Nevada’s state court system is currently weighing a case that could undo end-to-end encryption across the U.S.** The state’s Attorney General is currently suing Meta, the creators of Facebook, Instagram and WhatsApp, asking the company to remove end-to-end encryption for minors on the platform, with the promise of being able to catch and charge users who abuse the platform to lure minors. However, privacy advocates are concerned that any rulings against Meta and its encryption policies could have larger ripple effects, and embolden others to challenge encryption in other states. Nevada is arguing that Meta’s Messenger a “preferred method” for individuals targeting Nevada children for illicit activities. Privacy experts are in favor of end-to-end encryption because it safeguards messages during transmission and makes it more difficult for other parties to intercept and read them — including law enforcement agencies. (Tech Policy Press, Bloomberg Law) 

**Can’t get enough Talos? **

*   The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions 
*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Talos Takes Ep. #176: Why no one should be relying on passive security in 2024 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 
*   Netgear wireless router open to code execution after buffer overflow vulnerability 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years

By Deeba Ahmed
Pwn2Own is back!
This is a post from HackRead.com Read the original post: Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

The Pwn2Own 2024 hacking contest saw a record-breaking first day as participants exposed critical vulnerabilities in Tesla vehicles, popular browsers, and operating systems – This highlights the ongoing challenge of securing our technology and the importance of bug bounty programs.

The Pwn2Own 2024, a hacking contest organized by Trend Micro’s Zero Day Initiative in Vancouver, saw participants earn over $700,000 on the first day through successful exploits against Tesla cars, browsers, and Linux and Windows systems. 

French cybersecurity firm Synacktiv’s hackers earned $200,000 for an integer overflow exploit targeting the Tesla ECU with CAN bus control and also won a new Tesla Model 3. It is worth noting that this was the only scheduled hacking attempt for Tesla cars for this contest. 

However, this isn’t the first time Synacktiv has dominated Pwn2Own – they previously won a car in Pwn2Own Automotive 2024. 

Tesla pwned (Screenshot: ZDI)

****About the Vulnerability****

While the specific details of the exploit remain undisclosed, as per Pwn2Own rules to allow for vendor patching, the competition organizers confirmed that a single integer overflow flaw was used. This vulnerability allowed the team to gain control of the Tesla’s CAN BUS, a crucial communication system within the car. Synacktiv exploited a Tesla ECU with Vehicle (VEH) CAN BUS Control using a single integer overflow flaw to secure their second victory in Pwn2Own competitions. 

****Day One Highlights****

On day one of the Pwn2Own contest, participants were awarded $732,500 by ZDI for reporting 19 unique zero-day vulnerabilities. Here’s the breakdown of the rewards.

Independent white-hat hacker Manfred Paul received $102,500 for remote code execution on Apple Safari using an integer underflow bug, and a PAC bypass exploiting a flaw in the same browser. Paul also executed a double-tap exploit on Chrome and Edge browsers using a rare CWE-1284 vulnerability in round two of the competition.

South Korean team Theori earned $130,000 by combining an uninitialized variable bug, a use-after-free (UAF) vulnerability, and heap-based buffer overflow to escape a VMware Workstation and execute code as system on Windows OS.

Oracle VirtualBox was targeted by REverse Tactics researchers, earning $90,000 and two researchers received $20,000 for their respective Oracle VirtualBox exploits. 

Other Pwn2Own participants earned rewards for Chrome and Edge, Safari, Adobe Reader, Windows 11 local privilege escalation, and two Ubuntu local privilege escalation exploits. 

Seunghyun Lee, AbdulAziz Hariri, and the Devcore Research team successfully exploited Google Chrome, Adobe Reader, and Windows 11 bugs, earning them $60,000, $50,000, and $30,000 respectively. Lee successfully executed an exploit on Google Chrome, Hariri completed a code execution attack, and the Devcore Research team successfully executed a local privilege escalation (LPE) attack.

Chrome browser pwned (Screenshot: ZDI)

Participants will attempt to hack various software on the second day, including VMware Workstation, Oracle VirtualBox, Firefox, Chrome, Edge, Ubuntu, Windows 11, and Docker Desktop. The three-day event is offering a total of $1.3m in cash and prizes.

1.  Whitehat hacker bypasses SQL injection filter for Cloudflare
2.  Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own
3.  White hat hackers infect Canon DSLR camera with ransomware
4.  Whitehat hacker shows how to detect hidden cameras in hotels
5.  White hat hacker infects smart coffee machine with ransomware

Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

By Waqas
About to pay your taxes? Watch out for tax return phishing and malware campaigns targeting individual taxpayers and businesses.
This is a post from HackRead.com Read the original post: Microsoft Warns of New Tax Returns Phishing Scams Targeting You

New and sophisticated tax phishing scams are targeting taxpayers, warns Microsoft. These scams impersonate trusted sources and use urgency tactics to steal personal and financial data.

Taxpayers beware! Phishing scams are on the rise again as tax season heats up. Microsoft Threat Intelligence has issued warnings about new and innovative tactics cybercriminals are using to steal your personal information and financial data.

These scams don’t discriminate, but they do target specific groups more heavily. New taxpayers, recent immigrants with green cards, small business owners who file themselves, and older adults are all prime targets because they might be less familiar with tax procedures.

It is also worth noting that these threat actors are getting more sophisticated too. They’re impersonating trusted sources like employers, tax agencies, and even payment processors. They might send emails with blurry or incomplete tax documents to create a sense of urgency and trick you into clicking on a malicious attachment.

These attachments, as per Microsoft Threat Intelligence’s blog post, contain malware that steals your login credentials, or they might redirect you to a fake website that looks like a legitimate tax platform designed to capture your information.

One example scam identified in January involved emails that appeared to be from employers sending tax documents. Clicking on the attached HTML file led to a fake landing page designed to steal the user’s login credentials.

Screenshot via Microsoft Threat Intelligence

****Tycoon and NakedPages – PhaaS****

In addition to their blog post, Microsoft Threat Intelligence has also sent out a series of tweets addressing the increasing prevalence of phishing campaigns during the tax season in the United States.

These campaigns, including those associated with notorious phishing-as-a-service (PhaaS) platforms like Tycoon and NakedPages, are leveraging tax-related themes for social engineering tactics, putting individuals and organizations at risk of financial fraud and data theft.

One notable campaign tied to the Tycoon PhaaS platform involved deceptive emails posing as official tax forms such as W-2 and W-9 notifications, alongside other payroll tax documents.

These emails featured HTML attachments that initiated a Cloudflare captcha check, ultimately leading victims to a phishing page designed to harvest sensitive information. When recipients opened these attachments, JavaScript scripts were executed, facilitating the installation of info-stealing malware.

Additionally, Microsoft observed phishing efforts linked to the AiTM phishing kit NakedPages, where fraudulent emails disguised as DocuSign-shared documents about tax adjustments were circulated. Clicking on embedded images within these emails triggered redirections culminating in phishing pages, demonstrating the sophisticated nature of these attacks.

This malicious software is designed to harvest sensitive data, including cryptocurrency wallet information, login credentials for PuTTY and WinSCP, as well as credentials stored in web browsers and email clients. Such comprehensive data theft poses significant risks to individuals and organizations, potentially resulting in financial losses and compromised digital identities.

Screenshot via Microsoft Threat Intelligence

Both Tycoon and NakedPages are recognized for their automation capabilities in executing phishing activities, as well as their ability to bypass multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) techniques, strengthening the threat posed by these campaigns.

Microsoft recommends staying alert throughout tax season. Don’t click on suspicious links or attachments in emails, even if they seem to come from a familiar source. If you’re unsure about the legitimacy of an email, contact the sender directly through a verified phone number or website.

You can find more resources and tips for staying safe from tax season scams by searching for the “Microsoft Threat Intelligence tax season report.”

1.  IRS tax forms W-9 email scam drops Emotet malware
2.  New Ransomware Email Scam Using FBI and IRS as Bait
3.  Security Breach Rattles IRS, 334,000 Tax Payers Data Stolen
4.  US Citizens Hit by Ransomware via Fake IRS Tax Return Emails
5.  Thanks IRS for poor security: Data On 100,000 Taxpayers Stolen

Microsoft Warns of New Tax Returns Phishing Scams Targeting You

The North American finals of the Apex Legends Global have been postponed after at least two hacking incidents.

The North American finals of online shooter game Apex Legends has been postponed after games were disrupted by hacking incidents.

Apex Legends, published by EA, is currently in an important stage of its Global Series, the regional finals mode. This is a big deal for the top players since there is a $5 million prize pool, with a few of the top teams in each region set to battle it out in the finals.

But on Monday, the Apex Legends official X account tweeted that it had postponed the contest after deciding the “competitive integrity” of the series had been compromised.

> Due to the competitive integrity of this series being compromised, we have made the decision to postpone the NA finals at this time.  
> We will share more information soon.
> 
> — Apex Legends Esports (@PlayApexEsports) March 18, 2024

According to PCGamer, there were at least two major incidents:

> “First, Noyan “Genburten” Ozkose of DarkZero suddenly found himself able to see other players through walls, then Phillip “ImperialHal” Dosen of TSM was given an aimbot.”

An aimbot is a program or patch that allows the player to cheat by having the character’s weapon aimed automatically. Using cheats like those would lead to immediate disqualification and total loss of respect if done on purpose.

The volunteers of the Anti-Cheat Police Department warned players against playing any games protected by Easy Anti-Cheat (EAC) or any EA titles for a while, because they suspected a Remote Code Execution (RCE) exploit was being used against the players.

> PSA: There is currently an RCE exploit being abused in @PlayApex. It is unsure whether it comes from the game or the actual anti-cheat (@TeddyEAC ). I would advise against playing any games protected by EAC or any EA titles once they have fixed this or can comment.
> 
> Currently,…
> 
> — Anti-Cheat Police Department 🕵️ (@AntiCheatPD) March 18, 2024

However, recent developments point less toward an RCE being the cause and more to an actual infection on the players’ computers…

**Malwarebytes to the rescue**

In a livestream, affected gamer ImperialHal spoke to cybersecurity expert “PirateSoftware,” who has been investigating the attacks.

ImperialHal uses Malwarebytes to scan his machine which flags an inbound connection from an IP address linked to a server known for malicious activities.

It appears that the attacker had direct access to ImperialHal’s computer, likely via a Trojan. PirateSoftware concluded:

> “I don’t see evidence of Apex having RCEs. It does not mean that it’s impossible but I still don’t see evidence, while I do see evidence of him having direct access to your machine.”

**Protect yourself**

We recommend that all gamers scan their computers with reliable security software. Malwarebytes Premium for Windows’ Brute Force Protection feature blocked the connection from being made to ImperialHal’s computer, so make sure you enable that feature.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Apex Legends Global Series plagued by hackers 

There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.

Wednesday, March 20, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities across a range of products, including one that could lead to remote code execution in a popular Netgear wireless router designed for home networks. 

There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Netgear RAX30 JSON parsing stack-based buffer overflow vulnerability **

_Discovered by Michael Gentile._ 

The Netgear RAX30 wireless router contains a stack-based buffer overflow vulnerability that could allow an attacker to execute arbitrary code on the device.  

An adversary could send a targeted device a specially crafted HTTP request to eventually cause a buffer overflow condition. 

The RAX30 is a dual-band Wi-Fi router that’s commonly used on home networks. In an advisory about TALOS-2023-1887 (CVE-2023-48725), Netgear stated that the vulnerability “requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited.” 

**NVIDIA D3D10 driver out-of-bounds read vulnerability **

_Discovered by Piotr Bania._ 

TALOS-2023-1849 (CVE-2024-0071) is an out-of-bounds read vulnerability in the shader functionality of the NVIDIA D3D10 driver that runs on several NVIDIA graphics cards. Drivers like D3D10 are usually necessary for the GPU to function properly. 

An adversary could send a specially crafted executable or shader file to the targeted machine to trigger an out-of-bounds read and eventually leak memory.  

This vulnerability could be triggered from guest machines running virtual environments to perform a guest-to-host escape. Theoretically, it could be exploited from a web browser, but Talos tested this vulnerability from a Windows Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host. While RemoteFX is no longer actively maintained by Microsoft, some older machines may still use this software.  

An out-of-bounds read vulnerability exists in the Shader functionality of NVIDIA D3D10 Driver, Version 546.01, 31.0.15.4601. A specially crafted executable/shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability. 

An adversary could also use this vulnerability to leak host data to the guest machine. 

**Denial-of-service vulnerability in Google Chrome Video Encoder **

_Discovered by Piotr Bania._ 

A denial-of-service vulnerability in Google Chrome’s video encoder could crash the browser.  

TALOS-2023-1870 is triggered if the targeted user visits an attacker-created website that contains specific code.  

Talos’ sample exploit runs a JavaScript code related to the Chrome video encoding functionality, eventually causing a denial-of-service in the browser and stopping all processes in Chrome.

Netgear wireless router open to code execution after buffer overflow vulnerability

Red Hat Security Advisory 2024-1408-03 - An update for emacs is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1408.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: emacs security updateAdvisory ID:        RHSA-2024:1408-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1408Issue date:         2024-03-19Revision:           03CVE Names:          CVE-2022-48337====================================================================Summary: An update for emacs is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language (elisp), and the capability to read e-mail and news.Security Fix(es):* emacs: command execution via shell metacharacters (CVE-2022-48337)* emacs: command injection vulnerability in htmlfontify.el (CVE-2022-48339)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48337References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2171987https://bugzilla.redhat.com/show_bug.cgi?id=2171989

Red Hat Security Advisory 2024-1408-03

Research conducted by Cisco Talos last year uncovered multiple vulnerabilities rated as low severity despite their ability to allow for full arbitrary code execution.

Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word

Anonymous, candid reviews made Glassdoor a powerful place to research potential employers. A policy shift requiring users to privately verify their real names is raising privacy concerns.

Using Glassdoor, the site famous for candid employee reviews that break through corporate facades, is less anonymous than it used to be.

In July last year, the company added new social features integrated from Fishbowl, an app for work-related discussions acquired in 2021. Glassdoor has also changed its sign-up process to ask people to disclose their full name, job title, and employer; historically, it had required email addresses, but not names. In tests by WIRED, returning users who didn’t previously provide a full name are prompted to enter one by an impossible-to-dismiss pop-up that says, “Entering your real name is required to verify your profile but other users won't see your name unless you choose to share it.”

Reviews of employers posted to Glassdoor remain anonymous, and people can post in its new discussion channels with only their work titles or employer visible, but the company’s policy of collecting and verifying real names has triggered concern among some users and privacy experts.

Alarm about those changes recently spread on social media, where several people described logging in to old Glassdoor accounts and allegedly finding their names had been added, they say, without their consent. WIRED reviewed emails in which one user was told by a Glassdor support representative that they would not be able to remove their name, and would have to delete their account if they wanted it gone. Glassdoor did not provide comment on these scenarios. When this reporter attempted to delete or change her name from a Glassdoor profile, the site instead provided a link to contact the help center to make changes.

Glassdoor’s help pages say it has to verify identities and employment information to “ensure that our users can engage in authentic, candid conversations with other professionals, coworkers, and company leaders in a safe space.” Having verified identity info on file could also make it more seamless for people to respond to the job ads listed on the platform. But trying to maintain that accuracy comes with a cost.

“You can’t both be verified and anonymous,” says Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project, a pro-privacy organization. “You can’t both be a social network and a confidential reporting space. You can do one of those well, or you can do both of them badly.”

The concerns over Glassdoor’s evolving policies on real names show how confusion can arise when a platform that many people visit only infrequently shifts its business model. Amanda Livingood, Glassdoor’s VP of corporate communications, provided a statement saying that integrating Fishbowl with Glassdoor created a broader set of services that user information is now shared across—a different model to that many people with older Glassdoor accounts signed up for. Fishbowl’s old terms of service state that people who signed up for accounts may have been required to add their names.

“When a user provides information, either during the sign-up process or by uploading a résumé, that information will automatically cross-populate between all Glassdoor services, including our community app Fishbowl,” Livingood says. “When using Glassdoor and Fishbowl, there is always the option to remain anonymous. Users can choose to be fully anonymous or reveal elements of their identity, like company name or job title, while using our community service.” Company help pages say real names and email addresses are used only for “verification purposes _only_.”

Glassdoor has a history of working to keep its users’ identities private, but there are concerns about these identity changes. “Glassdoor has been second to none in defending their user’s First Amendment rights,” says Aaron Mackey, a senior staff attorney with the digital rights group Electronic Frontier Foundation. He represented a Glassdoor user in a case initiated in 2019 when their former employer, cryptocurrency exchange Kraken, attempted to unmask the authors of reviews, alleging that former workers had violated severance agreements with their posts. (The parties settled and the subpoena was withdrawn in 2020).

The current terms, Mackey says, are a big shift. “This is concerning, if the way in which they’re operating their business now creates potential for people to be identified, separate from whether or not they’re sued.”

Glassdoor won name recognition by marketing itself as a place focused on protecting anonymity, but companies with smaller workforces have always had good odds at guessing who wrote a particular review. That might be even easier if managers can also see social channels on Glassdoor where people are posting with their real names, indicating which workers have accounts on the site. People unaccustomed to thinking about their online footprint could inadvertently leave big clues, for example, by posting anonymously and then less covertly at the same time.

Glassdoor’s terms cite the risk. “You acknowledge that Glassdoor cannot guarantee your anonymity,” as a company or department’s size, the content posted, and the user’s location may allow employers’ to infer who left a review, the document says. “You should understand this risk before submitting Content to the services.”

**Social Pivot**

Glassdoor’s acquisition of Fishbowl in 2021 united two platforms that lured users by hosting relatively unfiltered discussions of work, a place to pick up the kind of gossip more often shared in person. Together they had offered a counterweight to LinkedIn, which relies on people using their full identities and often results in rose-tinted, overly congratulatory, and sometimes downright cringey posts about work.

Glassdoor is owned by Recruit Holdings, which also owns Indeed. Indeed and Glassdoor profit from advertising open jobs. Some 55 million people visit Glassdoor every month, according to the company. Verifying profiles could help prevent trolls from posting fake information about companies and misleading those seeking an insider’s view—all of which erode trust with other users.

Changing policies on names and verification can erode trust, too. If Glassdoor isn’t so anonymous, it may change how some of those users engage. The recent social media discussion inspired some people to try and delete their accounts.

Tracking the evolution of Glassdoor’s terms of service shows how its commitments to users changed as it began to add new social features. The company consolidated its terms with Fishbowl between December 2022 and January 2023, months before the company announced the new discussion channels on Glassdoor.

Some of the changes to the terms added information about how users are verified, as well as how they can be anonymous across services. Glassdoor’s terms of use state that the company may use information obtained from third parties to update profiles, along with personal data provided on résumés or elsewhere on its services. It may also attempt to verify employment history.

Glassdoor’s approach is very different from that of Blind, a younger, competing forum where people discuss work. It requires an email to sign up, and a work email to access certain features, but says that it does not store email addresses, and that activity on the site cannot be linked back to a person’s email. Blind does not require real names to use its services, but employers could potentially know an employee signed up by seeing they received a verification code at a company email address.

Glassdoor calls its community aspects a “verified network,” requiring people to confirm their identity, including name, job title, industry, company, and active email address or social network to gain access to all of the Glassdoor services. (It also recommends handing over both work and personal email addresses, as well as a phone number.) On a page updated in December, Glassdoor says it uses a “proprietary verification process” to validate accounts, along with confirming emails or an active profile from another social network.

The company’s help pages also say, “We don’t allow anyone, including employers, to access the identity of anonymous posts.”

But Glassdoor’s pages add a caveat: “Considering the reality of our digital age, we're unable to fully confirm our users' identities, the truthfulness of their contributions, or their employment status.”

Glassdoor Wants to Know Your Real Name

By Waqas
New AI-Dodging Phishing Attack AI Security and Exploits Machine Learning.
This is a post from HackRead.com Read the original post: Cybercriminals Beta Test New Attack to Bypass AI Security

Hackers develop a new attack (Conversation Overflow) to bypass AI security. Learn how this technique fools Machine Learning and what businesses can do to stay protected.

A recent discovery by SlashNext threat researchers reveals a dangerous cyberattack method termed “Conversation Overflow.” This technique involves cloaked emails designed to bypass machine learning (ML) security controls, allowing malicious payloads to infiltrate enterprise networks.

In a typical Conversation Overflow attack, cybercriminals employ cloaked emails designed to deceive ML tools into categorizing them as harmless. These emails contain two distinct sections: one visible to the recipient, prompting them to take action such as entering credentials or clicking links and another hidden portion filled with innocuous text.

Threat actors exploit ML algorithms by strategically inserting blank spaces to separate these sections, often focusing on deviations from “known good” communications rather than identifying malicious content.

According to SlashNext’s research shared with Hackread.com ahead of publication on Tuesday, this novel approach poses a significant challenge to traditional cybersecurity measures, which rely on databases of “known bad” signatures. Unlike these methods, ML systems analyze patterns to detect anomalies, making them susceptible to manipulation by attackers mimicking legitimate communication styles.

Once a Conversation Overflow attack breaches security defences, attackers can deliver seemingly genuine messages requesting credential reauthentication, particularly targeting high-level executives. The stolen credentials are then sold on dark web forums, highlighting the lucrative nature of such cybercrime.

SlashNext threat researchers express deep concern regarding the potential ramifications of this attack becoming widespread. There is a significant risk that cybercriminals are actively developing an entirely new toolkit, which could exacerbate the impact of such attacks, potentially leading to devastating consequences for organizations and individuals alike.

> _“This is not your same old credential harvesting attack, because it is smart enough to confuse certain sophisticated AI and ML engines. From these findings, we should conclude that cyber crooks are morphing their attack techniques in this dawning age of AI security. As a result, we are concerned that this development reveals an entirely new toolkit being refined by criminal hacker groups in real-time today.”_
> 
> SlashNext

The implications of this discovery are profound, signalling a shift in cybercriminal tactics to exploit vulnerabilities in AI and ML-driven security platforms. As cyber criminals adapt and refine their techniques, it becomes increasingly imperative for organizations to remain vigilant and proactive in fortifying their defences.

1.  Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware
2.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
3.  RIG Exploit Toolkit Spread CeidPageLock Malware to Hijack Browsers

Cybercriminals Beta Test New Attack to Bypass AI Security

Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1317.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP3 security updateAdvisory ID:        RHSA-2024:1317-03Product:            Red Hat JBoss Core ServicesAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1317Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.Security Fix(es):* curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)* curl: excessively long file name may lead to unknown HSTS status (CVE-2023-46219)* httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)* jbcs-httpd24-mod_proxy_cluster: mod_cluster/mod_proxy_cluster: Stored Cross site Scripting (CVE-2023-6710)* jbcs-httpd24-openssl: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)* libxml2: crafted xml can cause global buffer overflow (CVE-2023-39615)* libxml2: use-after-free in XMLReader (CVE-2024-25062)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2235864https://bugzilla.redhat.com/show_bug.cgi?id=2245332https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252030https://bugzilla.redhat.com/show_bug.cgi?id=2252034https://bugzilla.redhat.com/show_bug.cgi?id=2254128https://bugzilla.redhat.com/show_bug.cgi?id=2262726

Tag

#mac