Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as **Kimsuky**.

"A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

The threat actor's espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

"AlphaSeed was developed in Golang and uses chromedp for communications with the \[command-and-control\] server," ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest the Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed on the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea's information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. and act as a revenue-generating stream for the regime and help fund its economic and security priorities.

"The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions," the threat intelligence firm said in a report released earlier this month.

"Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled."

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different ways the country has resorted to evading international sanctions and illegally profiting from the schemes.

"People tend to think, … how could the quote-unquote 'Hermit Kingdom' possibly be a serious player from a cyber perspective?," CrowdStrike's Adam Meyers was quoted as saying to Politico. "But the reality couldn't be further from the truth."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

Ransomware gangs don't always win, and when they don't, it feels pretty great.

Ransomware gangs care about one thing: Stealing money.

Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.

As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors \[said\] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Considering all this, it’s pretty damn nice to see ransomware gangs lose.

As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.

Here are four times ransomware gangs failed in 2023.

**1\. The Royal Mail ransomware attack**

On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.

Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.

But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.

On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.

Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on _really big files_?

“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.

After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.

But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.

Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked _the wrong Royal Mail_, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.

At this point, the LockBit rep accepts defeat.

“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”

We’ll take that as a win.

**2\. MGM bounces back 10 days after ransomware siege**

In Sin City, the house always wins, even when it loses $100 million.

In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.

“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”

MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.  

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.  

MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.

**3\. Qakbot shot down**

Duck hunting season came early this year.

In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.

When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.

Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.

In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.

**4\. ALPHV tattles on its victim to little success**

A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.

That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.

Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.

But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.

Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).

To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.

MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.

To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The top 4 ransomware gang failures of 2023 

By Owais Sultan
Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in…
This is a post from HackRead.com Read the original post: Exploring Imgly SDK Alternatives for Ultimate Flexibility

Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in the dynamic software development environment, exploring alternatives can provide developers with greater flexibility and adaptability to varying project requirements.

In this article, we will delve into IMG.LY alternative SDKs that offer a range of features, allowing developers to choose the one that aligns best with their specific needs.

****1\. OpenCV (Open Source Computer Vision Library)****

Overview:

OpenCV is an open-source computer vision and machine learning library widely used in the field of image processing. It provides a comprehensive set of tools and algorithms for image and video analysis, making it a versatile choice for developers.

Key Features:

*   Image processing and manipulation.
*   Object detection and recognition.
*   Facial recognition.
*   Machine learning support.

Why Choose OpenCV:

OpenCV‘s extensive community support, cross-platform compatibility, and wide range of features make it a powerful alternative for developers looking for flexibility and customization in image processing.

****2\. ImageMagick****

Overview:

ImageMagick is a free open-source software suite for displaying, converting, and editing raster image files. It includes a command-line tool as well as a variety of libraries for different programming languages, making it adaptable to various development environments.

Key Features:

*   Image conversion and format support.
*   Image editing and manipulation.
*   Batch processing.
*   Command-line interface.

Why Choose ImageMagick:

ImageMagick’s versatility, support for a multitude of image formats, and command-line interface make it a strong contender for developers seeking a flexible image-processing solution.

****3\. Pillow (PIL Fork)****

Overview:

Pillow, a fork of the Python Imaging Library (PIL), is a Python Imaging Library that adds image processing capabilities to Python interpreters. It is a user-friendly alternative for developers working with Python applications.

Key Features:

*   Image manipulation and processing.
*   Support for various image formats.
*   Basic image editing operations.
*   Easy integration with Python applications.

Why Choose Pillow:

Pillow is an excellent choice for Python developers due to its simplicity, ease of use, and seamless integration with Python applications.

****4\. Sharp (for Node.js)****

Overview:

Sharp is a high-performance image processing library for Node.js applications. It is designed to be fast and efficient, making it suitable for handling image processing tasks in server-side applications.

Key Features:

*   Image resizing and manipulation.
*   Efficient memory handling.
*   Support for many image formats.
*   Advanced image processing operations.

Why Choose Sharp:

Developers working with Node.js can benefit from Sharp’s speed and efficiency, making it a go-to choice for server-side image processing tasks.

****5\. GD (Graphics Draw)****

Overview:

GD, or Graphics Draw, is an open-source library for dynamic image creation. It supports various programming languages, including PHP, and is commonly used for tasks such as creating thumbnails, processing images, and generating dynamic charts.

Key Features:

*   Image creation and manipulation.
*   Dynamic image generation.
*   Basic drawing functions.
*   Support for multiple programming languages.

Why Choose GD:

GD is a suitable choice for web developers, especially those working with PHP, as it provides a simple and efficient solution for dynamic image generation and manipulation.

****Conclusion****

While Imgly SDK has been a popular choice, exploring alternative image processing libraries can offer developers ultimate flexibility based on their project requirements, programming language preferences, and specific functionalities needed.

Each of the alternatives mentioned—OpenCV, ImageMagick, Pillow, Sharp, and GD—comes with its strengths and can be tailored to meet the diverse needs of image processing tasks.

By evaluating the features, ease of integration, and community support of each alternative, developers can make an informed decision that aligns with the goals of their projects.

****_RELATED ARTICLES_****

1.  **5 Best Video Editing SDKs for iOS**
2.  **Kotlin app development company – How to choose**
3.  **A Guide to Crafting a Dynamic App Using Weather APIs**
4.  **Run Android Applications on PC via Android SDK Manager**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**
6.  **Top Benefits of Using Flutter for Cross-Platform App Development**

Exploring Imgly SDK Alternatives for Ultimate Flexibility

Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920291, #920724  
       ID: 202312-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.6      >= 0.10.6

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.6"

References  
=========  
[ 1 ] CVE-2023-6004  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6004  
[ 2 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-16

Gentoo Linux Security Advisory 202312-17 - Multiple vulnerabilities have been discovered in OpenSSH, the worst of which could lead to code execution. Versions greater than or equal to 9.6_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920292, #920722  
       ID: 202312-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in OpenSSH, the worst of  
which could lead to code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-misc/openssh  < 9.6_p1      >= 9.6_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.6_p1"

References  
=========  
[ 1 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795  
[ 2 ] CVE-2023-51385  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385  
[ 3 ] CVE-2023-51385,CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385,CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-17

Online scams abound every day, but these four scams from 2023 were particularly devious.

In 2023, the public primarily confronted two varieties of online scams: the technical and the topical.

Technical scams abuse legitimate aspects of modern internet infrastructure to lead users to illegitimate or compromised sites. A team of hackers can, say, boost their own info-stealing websites through Google search results, providing a veneer of authenticity to their malicious intent. These scams can involve vast criminal segmentation and coordination between malware developers, code writers, and hackers who sometimes also infect legitimate websites with dangerous tools.

Topical scams, on the other hand, are simpler. By leveraging major news events or luring users with too-good-to-be-true deals, cybercriminals trick victims into giving away their vital credit card information through cyberspace.

Both are dangerous, both are effective, and both had their fair share of sneaky examples this year.

With your holiday shopping over (or, we hope it’s over, as it’s a bit late now for gifts), we at Malwarebytes Labs wanted to look back on four of the sneakiest online scams we saw last year.

****Forged in fire, fraud on Facebook****

In November, an insulated tumbler made by the drinkware company Stanley allegedly survived a roaring fire that sadly destroyed a woman’s car. The car owner, Danielle Marie Lettering, posted a video on TikTok that showed a Stanley tumbler—merely singed—inside a wrecked Kia.

“Everybody is so concerned if the Stanley spills but what else,” Lettering said in the video she posted. “It was in a fire yesterday and it still has ice in it.”

Lettering’s TikTok video has more than 90 million views and a wealth of comments about first-time interest in Stanley’s products.

And right on time, just weeks later, Malwarebytes Labs spotted a fraudulent Facebook ad—posing as a legitimate sale from Dick’s Sporting Goods—selling the now-storied Stanley Quencher cup for just $19, a steal compared to Amazon listings near $45.

Users who clicked on the ad were not taken to the legitimate website for Dick’s Sporting Goods, but instead routed to a website where the payment processor was registered in Hong Kong.

Sprung just before Black Friday, this scam had it all—the urgency of an annual mega-shopping event, the name of a recognized and trusted online retailer, and the allure of a once-benign product now launched into viral celebrity.

****WoofLocker sends victims into a redirection labyrinth****

Tech support scams often follow a similar plot: Cybercriminals will place malicious ads online that label a bogus phone number for everyday users who are experiencing common tech problems. When those users look up their tech troubles online, they’ll see results that display the scammers’ phone number, fooling them into calling what they think is a legitimate helpline, only to be led through a series of social engineering tricks to eventually hand over their money.

But the tech support scam held up by “Wooflocker” is different.

Wooflocker does not rely on malicious advertising (also known as malvertising). Wooflocker only ensnares victims who, of their own accord, visit any of several compromised websites.

With every visit to a compromised website, a user is surreptitiously “fingerprinted”—if their IP address, computer environment, and cyber-defenses (or lack thereof) are all preferable to the hackers behind Wooflocker, then those website visitors are redirected to another domain with a URL that is created then and there by Wooflocker’s hacking scripts.

Malwarebytes Labs first spotted Wooflocker in 2020, and even then, we learned that the cybercriminals behind it had likely been building out their web traffic redirection machine since 2017. But in the years since we last checked in, Wooflocker has become more sophisticated. The current iteration of Wooflocker now relies on web hosting services in Bulgaria and Ukraine, which could potentially provide added protection against any takedown efforts.

****The “logout king”** gets pinned**

In March, the reporting outlet ProPublica revealed that, after months of investigation, it had likely tracked down one of the most notorious online scammers—the self-proclaimed “log-out king,” also known as OBN Brandon.

OBN Brandon’s trick is almost always the same. He reports accounts of growing Instagram influencers to the customer service department of Meta, the company formerly known as Facebook, which also owns Instagram. Once he wrongfully enacts a ban on the account, OBN Brandon reaches out to the person behind the account and says he can bring it back—for a price.

As to _how_ OBN Brandon convinces Meta’s customer support to take down an account, there are multiple tactics. According to ProPublica:

“In some cases OBN hacks into accounts to post offensive content. In others, he creates duplicate accounts in his targets’ names, then reports the original accounts as imposters so they’ll be barred for violating Meta’s ban on account impersonation. In addition, OBN has posed as a Meta employee to persuade at least one target to pay him to restore her account.”

Once a simple image-sharing tool, Instagram has now ballooned into a business platform for countless influencers who take promotional offers from larger companies to be featured in posts and Reels—which are short-form videos on the app. Similarly, many small businesses and entrepreneurs use the platform to self-promote and connect users to their products and services.

One OBN victim that ProPublica spoke to claimed that, before his account was targeted, he had been making between $15,000 and $20,000 a month simply from his Instagram account.

“People pay me all the time to post promos for music, crypto,” the individual told ProPublica. “I can make five, 10 grand by accident if I needed to. … The money’s crazy.”

In its investigation, ProPublica identified a 20-year-old Nevada man as a likely operator or affiliate behind OBN Brandon. Once the outlet gave more details to Meta, Meta sent a cease-and-desist order to the man, also banning him from the platform.

****In their villain era****

For years, Taylor Swift fans were starving.

Not since 2018 had the most recent TIME Person of the Year produced a full-fledged world circuit tour. But in 2023, that changed, when Swift began her “Eras” tour, a globe-spanning celebration of her past albums that, on stage, delighted audiences for three-and-a-half hours every night, no matter the weather.

Still in production, Swift’s “Eras” tour has already brought in literal billions for the pop star goddess, according to one Washington Post estimate.

But the tour has also brought in a significant payday for ticket scammers.

In June, just a few months into the start of the “Eras” tour, Attorney General Dana Nessel for the state of Michigan issued a warning to Swift fans in her state.

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

According to Malwarebytes Labs’ own reporting at the time, scams that preyed on the Eras tour were popping up all across the United States:

“Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.”

With many, many, many more shows scheduled (the latest of which is in December 2024), stay alert.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 4 sneaky scams from 2023 

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
"This malware is a loader with three types of components: a downloader that downloads an

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.

Cybersecurity firm ESET is tracking the trojan under the name **Win/TrojanDownloader.Rugmi**.

"This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023.

Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives the customers access to the source code and the right to sell it.

There is evidence to suggest that the codebase associated with Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.

Besides continuously adapting its tactics to evade detection, the off-the-shelf tool is distributed through a variety of methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.

Another technique concerns the use of Discord's content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.

This entails leveraging a combination of random and compromised Discord accounts to send direct messages to prospective targets, offering them $10 or a Discord Nitro subscription in exchange for their assistance on a project.

Users who agree to the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.

"Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors," ESET said.

"Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product."

The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.

"The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware," McAfee said, adding it highlights the "evolving tactics employed by cybercriminals."

The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign's primary targets include the U.S. and Canada.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rugmi Malware Loader Surges with Hundreds of Daily Detections

By Waqas
The company under criticism is National Amusements, the parent company of media giants such as Paramount and CBS.
This is a post from HackRead.com Read the original post: National Amusements Reveals Data Breach Amid Backlash Affecting 82,000+

Paramount and CBS’s parent company, National Amusements, took months to reveal the data breach that has impacted more than 82,000 people, including customers and potentially employees as well.

National Amusements, the parent company holding a controlling stake in entertainment giants Paramount, CBS, and numerous theatres across the United States, has come under scrutiny for delaying the disclosure of a major data breach that occurred late last year. The breach impacted 82,128 individuals, comprising both customers and potentially National Amusements employees.

The breach, which went unnoticed for months, was finally reported to the Maine Attorney General. According to the company’s statement, an “unauthorized individual” accessed the company network on December 13, 2022. However, National Amusements only became aware of the intrusion two days later.

Regarding the data affected in the breach, it includes information like name or other personal identifiers combined with financial account number or credit/debit card number (along with the security code, access code, password, or PIN for the account).

The data breach notification was submitted to the Maine Attorney General.

The company enlisted the services of a third-party firm to investigate the breach, a process that concluded “recently.” Curiously, the data breach was only officially acknowledged on August 23 of this year, possibly aligning with the completion of the external investigation.

Despite attempts from the media to seek clarification from National Amusements, the company has maintained near-radio silence, leaving questions about the delayed disclosure unanswered.

Currently, the company asserts that there have been no reports of stolen data being exploited by third parties or leaked online. Nevertheless, National Amusements has proactively taken measures to mitigate the aftermath, providing those affected with complimentary credit monitoring services through Experian for varying durations.

If you’re an employee of National Amusements or one of its customers, be cautious about phishing emails. Cybercriminals might impersonate the company to discuss the recent data breach, but their real intention could be to gather additional information, including your financial details. Stay vigilant and verify the legitimacy of any communication you receive related to the incident.

****_RELATED ARTICLES_****

1.  **OurMine hackers hack Marvel and Netflix Twitter accounts**
2.  **Best legal, free online streaming sites for movies, TV shows**
3.  **Hackers Leak First 8 Episodes of Steve Harvey’s “Funderdome”**
4.  **Soap2day Shuts Down Permanently – Free Legal, Paid Alternatives**
5.  **Potential 500GB Nickelodeon Leak: Unreleased Shows, Scripts at Risk**

National Amusements Reveals Data Breach Amid Backlash Affecting 82,000+

Gentoo Linux Security Advisory 202312-15 - Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution. Versions greater than or equal to 2.39.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Git: Multiple Vulnerabilities  
     Date: December 27, 2023  
     Bugs: #838127, #857831, #877565, #891221, #894472, #905088  
       ID: 202312-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Several vulnerabilities have been found in Git, the worst of which could  
lead to remote code execution.

Background  
==========

Git is a free and open source distributed version control system  
designed to handle everything from small to very large projects with  
speed and efficiency.

Affected packages  
=================

Package      Vulnerable    Unaffected  
-----------  ------------  ------------  
dev-vcs/git  < 2.39.3      >= 2.39.3

Description  
===========

Multiple vulnerabilities have been discovered in Git. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Git users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"

References  
==========

[ 1 ] CVE-2022-23521  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23521  
[ 2 ] CVE-2022-24765  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24765  
[ 3 ] CVE-2022-29187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187  
[ 4 ] CVE-2022-39253  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39253  
[ 5 ] CVE-2022-39260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39260  
[ 6 ] CVE-2022-41903  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41903  
[ 7 ] CVE-2023-22490  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22490  
[ 8 ] CVE-2023-23946  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23946  
[ 9 ] CVE-2023-25652  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25652  
[ 10 ] CVE-2023-25815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25815  
[ 11 ] CVE-2023-29007  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-15

Apple updated its location-tracking system in an attempt to cut down on AirTag abuse while still preserving privacy. Researchers think they’ve found a better balance.

Apple's AirTags are meant to help you effortlessly find your keys or track your luggage. But the same features that make them easy to deploy and inconspicuous in your daily life have also allowed them to be abused as a sinister tracking tool that domestic abusers and criminals can use to stalk their targets.

Over the past year, Apple has taken protective steps to notify iPhone and Android users if an AirTag is in their vicinity for a significant amount of time without the presence of its owner's iPhone, which could indicate that an AirTag has been planted to secretly track their location. Apple hasn't said exactly how long this time interval is, but to create the much-needed alert system, Apple made some crucial changes to the location privacy design the company originally developed a few years ago for its “Find My” device tracking feature. Researchers from Johns Hopkins University and the University of California, San Diego, say, though, that they've developed a cryptographic scheme to bridge the gap—prioritizing detection of potentially malicious AirTags while also preserving maximum privacy for AirTag users.

The Find My system uses both public and private cryptographic keys to identify individual AirTags and manage their location tracking. But Apple developed a particularly thoughtful mechanism to regularly rotate the public device identifier—every 15 minutes, according to the researchers. This way, it would be much more difficult for someone to track your location over time using a Bluetooth scanner to follow the identifier around. This worked well for privately tracking the location of, say, your MacBook if it was lost or stolen, but the downside of constantly changing this identifier for AirTags was that it provided cover for the tiny devices to be deployed abusively.

In reaction to this conundrum, Apple revised the system so an AirTag's public identifier now only rotates once every 24 hours if the AirTag is away from an iPhone or other Apple device that “owns” it. The idea is that this way other devices can detect potential stalking, but won't be throwing up alerts all the time if you spend a weekend with a friend who has their iPhone and the AirTag on their keys in their pockets.

In practice, though, the researchers say that these changes have created a situation where AirTags are broadcasting their location to anyone who's checking within a 30- to 50-foot radius over the course of an entire day—enough time to track a person as they go about their life and get a sense of their movements.

“We had students walk through cities, walk through Times Square and Washington, DC, and lots and lots of people are broadcasting their locations,” says Johns Hopkins cryptographer Matt Green, who worked on the research with a group of colleagues, including Nadia Heninger and Abhishek Jain. “Hundreds of AirTags were not near the device they were registered to, and we're assuming that most of those were not stalker AirTags.”

Apple has been working with companies like Google, Samsung, and Tile on a cross-industry effort to address the threat of tracking from products similar to AirTags. And for now, at least, the researchers say that the consortium seems to have adopted Apple's approach of rotating the device public identifiers once every 24 hours. But the privacy trade-off inherent in this solution made the researchers curious about whether it would be possible to design a system that better balanced both privacy and safety.

“There’s this whole standards effort going on around how to do stalking resistance, which is really good. It means Apple and Google and the other companies are taking it seriously,” Green says. “The sad part is that Apple did the thing that everyone does when they're painted into a corner. They have a big knob—one direction is privacy, one direction is the other thing (in this case, anti-stalking)—and they turned that knob away from privacy.”

The solution Green and his fellow researchers came up with leans on two established areas of cryptography that the group worked to implement in a streamlined and efficient way so the system could reasonably run in the background on mobile devices without being disruptive. The first element is “secret sharing,” which allows the creation of systems that can't reveal anything about a “secret” unless enough separate puzzle pieces present themselves and come together. Then, if the conditions are right, the system can reconstruct the secret. In the case of AirTags, the “secret” is the true, static identity of the device underlying the public identifier that is frequently changing for privacy purposes.

Secret sharing was conceptually useful for the researchers to employ because they could develop a mechanism where a device like a smartphone would only be able to determine that it was being followed around by an AirTag with a constantly rotating public identifier if the system received enough of a certain type of ping over time. Then, suddenly, the suspicious AirTag's anonymity would fall away and the system would be able to determine that it had been in close proximity for a concerning amount of time.

Green notes, though, that a limitation of secret sharing algorithms is that they aren't very good at sorting and parsing inputs if they're being deluged by a lot of different puzzle pieces from all different puzzles—the exact scenario that would occur in the real world where AirTags and Find My devices are constantly encountering each other. With this in mind, the researchers employed a second concept known as “error correction coding,” which is specifically designed to sort signal from noise and preserve the durability of signals even if they acquire some errors or corruptions.

“Secret sharing and error correction coding have a lot of overlap," Green says. “The trick was to find a way to implement it all that would be fast, and where a phone would be able to reassemble all the puzzle pieces when needed while all of this is running quietly in the background.”

The researchers first published a paper about their findings in September and submitted it to Apple. More recently, they notified the industry consortium about the proposal. Apple did not return WIRED's request for comment about the research and whether it is considering implementing the scheme.

Green says he hopes the company will eventually do something with the work. And he adds that the project is an important reminder of the real-world impacts theoretical cryptography can have.

“What I love about this problem is it seems like there are two competing requirements that can't be reconciled,” he says. “But in cryptography, we can get full privacy and then, magically, the puzzle pieces click into place, or a ‘chemical reaction’ happens, and we phase-transition to a point where suddenly it’s obvious that this is a stalker, not just a benign AirTag. It's very powerful to be able to go between those two moments.”

Tag

#mac