Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.

Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.

Here’s what you need to know about the important updates you might have missed during the month.

Apple iOS

In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.

Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.

The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.

Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.

CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.

Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.

Google Chrome

Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.

It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.

Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.

Microsoft

Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.

Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.

It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.

Mozilla Firefox

Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.

Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

Apache

The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.

Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.

To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.

Atlassian

Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.

Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.

Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.

SAP

Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.

Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.

Google Fixes Nearly 100 Android Security Issues

By Deeba Ahmed
The police arrested two suspects in Beijing and two in Inner Mongolia.
This is a post from HackRead.com Read the original post: China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

The individuals confessed to creating variations of ransomware, enhancing the software through the utilization of OpenAI’s ChatGPT, carrying out vulnerability scans, infiltrating networks to secure access, deploying ransomware, and engaging in extortion.

Chinese media has reported the country’s first major step towards countering the use of ChatGPT as four Chinese individuals have been arrested for developing ransomware using ChatGPT. This is the country’s first instance involving the popular yet officially banned chatbot.

The arrests should not come as a surprise, as cybercriminals have been eager to exploit the AI chatbot for malicious purposes. Those who could not exploit it have created their own versions of the malicious ChatGPT, infamously known as WormGPT and FraudGPT.

According to the South China Morning Post (SCMP), the cyber attackers came under the authorities’ radar after an unidentified company in Hangzhou reported a cybercrime. The hackers demanded 20,000 Tether to unblock/restore access to their systems.

In late November 2023, the police arrested two suspects in Beijing and two in Inner Mongolia. The suspects admitted to writing ransomware versions, optimizing the program using the popular chatbot, conducting vulnerability scans, infiltrating networks to gain access and implanting ransomware, and performing extortion.

The use of ChatGPT, a chatbot developed by OpenAI, is prohibited in China as part of Beijing’s initiatives to limit access to foreign generative artificial intelligence products. In response, China has introduced its own version of ChatGPT named Ernie Bot. However, the report does not provide clear information on whether utilizing ChatGPT is subject to legal charges in China.

According to SCMP’s report, three of the detainees were previously implicated in other criminal activities, including spreading misinformation and selling stolen CCTV footage through deep fake technology.

Despite OpenAI blocking internet protocol addresses in China, Hong Kong, and sanctioned regions such as North Korea and Iran, certain users find ways to bypass these restrictions by using VPNs and obtaining phone numbers from supported areas. However, engaging in such circumvention practices may expose users to potential legal consequences.

Legal cases involving the use of generative AI have increased in China due to its mass popularity and potential for crimes. In May 2023, reportedly, a man was detained in Gansu province for allegedly using ChatGPT to spread fake news about a train crash.

****_RELATED ARTICLES_****

1.  **Why are Google and Facebook banned in China?**
2.  **List of Eight Popular websites That are Banned in China**
3.  **China arrests 11 for infecting 250M devices with Fireball malware**
4.  **Hackers Claiming to Jailbreak AI Chatbots to Write Phishing Emails**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**

China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets.
"These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu,

Cryptocurrency / Phishing Scam

Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets.

"These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said.

A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "scam-as-a-service" offering by charging a percentage of the stolen amount, typically 20% or 30%, from its collaborators in return for providing wallet-draining scripts and other services.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was shutting down its operations for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims since its launch in late 2022.

Web3 anti-scam solution provider Scam Sniffer, in May 2023, described the vendor as specializing in multi-chain scams and charging 20% of the stolen assets.

"It has been a long ride with all of you and we'd like to thank you from heart \[sic\]," the actor said in a message posted on its Telegram channel.

"A big thanks to everyone who has worked with us such as Drakan and every other customer, we hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest of making money."

At the crux of these services is a crypto-draining kit that's crafted to facilitate cyber theft by illegally transferring cryptocurrency from victims' wallets without their consent.

This is typically accomplished via airdrop or phishing scams, tricking targets into connecting their wallets on counterfeit websites that are propagated via malvertising schemes or unsolicited emails and messages on social media.

Earlier this month, Scam Sniffer detailed a phishing scam in which bogus ads for cryptocurrency platforms on Google and X (formerly Twitter) redirected users to sketchy sites that drained funds from users' digital wallets.

"The user is induced to interact with a malicious smart contract under the guise of claiming the airdrop, which stealthily increases the attacker's allowance through functions like approve or permit," Check Point noted.

"Unknowingly, the user grants the attacker access to their funds, enabling token theft without further user interaction. Attackers then use methods like mixers or multiple transfers to obscure their tracks and liquidate the stolen assets."

To mitigate the risks posed by such scams, users are recommended to employ hardware wallets for enhanced security, verify the legitimacy of smart contracts, and periodically review wallet allowances for signs of any suspicious activity.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks

By Deeba Ahmed
Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen.
This is a post from HackRead.com Read the original post: iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers

The findings came as part of Operation Triangulation, months after Kaspersky discovered that their employees’ iPhones had been hacked by spyware.

Kaspersky Global Research and Analysis Team (GReAT) has discovered an obscure hardware feature likely exploited by hackers during **spyware attacks against iPhone users**.

The attacks were part of an APT campaign dubbed Operation Triangulation, which has been active since 2019, targeting iOS devices Using **zero-click exploits via iMessage**, allowing attackers to gain control and access user data. It was discovered by Kaspersky this summer.

The yet publicly undocumented feature is a part of Apple’s system-on-a-chip (SoC) and was probably included in the iPhone for debugging or testing purposes by Apple engineers, or added in the final consumer version mistakenly. Nevertheless, it allowed attackers to bypass protections and hijack devices in attacks targeting Kaspersky senior employees’ iPhones.

The research into **Operation Triangulation** was conducted by the cybersecurity vendor, Kaspersky. It is worth noting that the operation kicked off when Kaspersky researchers identified that their employees’ iPhones were hacked by spyware.

On December 27, 2023, the company shared the **findings** in a presentation titled “Operation Triangulation: What You Get When Attack iPhones of Researchers” at the 37th Chaos Communication Congress held in Hamburg and published in a report authored by Boris Larin.

During the presentation, researchers explained that multiple iOS zero-day vulnerabilities (including an RCE issue in Apple’s ADJUST TrueType font instruction **CVE-2023-41990** and **CVE-2023-38606**, a bypass of hardware-based security protections) were exploited to execute code and install a stealthy spyware implant, known as TriangleDB.

These vulnerabilities were used to target iPhones running iOS versions up to **iOS 16.6**. The most critical of these was CVE-2023-38606 for allowing a JavaScript exploit to bypass the Page Protection Layer.

The attackers used malicious **iMessage attachments** to exploit a remote code execution zero-day and deploy TriangleDB without user interaction. The infection chain involved multiple checks and log-erasing actions to prevent malware identification. Researchers discovered new attacks/exploits daily, calling it the most sophisticated chain of attack they had ever witnessed.  

> _“We have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is the most sophisticated attack chain we have ever seen.”_
> 
> Kaspersky – GReAT

The obscure feature allowed overriding of hardware-based security to protect the kernel, the core part of an operating system. Attackers could then write data to a specific physical address while “bypassing hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.”

The attackers exploited MMIO registers from the GPU coprocessor, bypassing Apple’s DeviceTree ranges to write to memory, bypass protections, and achieve RCE.

Correlation of the gfx-asc MMIO ranges and the addresses used by the exploit (Kaspersky)

Apple responded by releasing security updates to address four zero-day vulnerabilities impacting various Apple products: **CVE-2023-32434**, **CVE-2023-32435**, CVE-2023-38606, and CVE-2023-41990.

However, there are still many unanswered questions, such as the purpose of this feature, how attackers learned to use it considering that the firmware didn’t use it and whether it was developed by Apple or a third-party component like ARM CoreSight.

****_RELATED ARTICLES_****

1.  **Hackers Targeting Apple’s M1 Chip with Mac Malware**
2.  **Turns out iPhone 5c can be hacked with a $100 hardware**
3.  **Apple Safari Safest, Google Chrome Riskiest Browser – Study**
4.  **Apple Bug bounty: Earn big for hacking iPhone, other products**
5.  **iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser**

iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers

It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure.

With political polarization, unrest, and violence escalating in many regions of the world, 2023 was fraught with uncertainty and tragedy. In digital security, though, the year felt more like a Groundhog Day of incidents caused by classic types of attacks, like phishing and ransomware, rather than a roller coaster of offensive hacking innovation.

The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here's WIRED's look back at the year's worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns. Stay alert, and stay safe out there.

One of the most impactful hacks of 2023 wasn’t a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit. The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy. Progress Software, which develops MOVEit, patched the flaw at the end of May, and broad adoption of the fix eventually stopped the spree. But the “Cl0p” data extortion gang had already gone on a disastrous joy ride, exploiting the vulnerability against as many victims as possible. Organizations are still coming forward to disclose MOVEit-related incidents, and researchers told WIRED that this trickle of updates will almost certainly continue in 2024 and possibly beyond.

Based in Russia, Cl0p emerged in 2018 and functioned as a standard ransomware actor for a few years. But the gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.

The identity management platform Okta disclosed a breach of its customer support system in October. The company said at the time that about 1 percent of its 18,400 customers were impacted. But the company had to revise its assessment in November to acknowledge that actually _all_ of its customer support users had had data stolen in the breach.

The original 1 percent estimate came from the company’s investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot. But that assessment had missed other malicious activity in which the attacker ran an automated query of a database that contained names and email addresses of “all Okta customer support system users” and some Okta employees. As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it suffered a previous high-profile breach in 2021.

The US National Security Agency and its allied intelligence services around the world have been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting US critical infrastructure networks, including power grids, as part of its activity. Officials have continued to reinforce that network defenders need to be on the lookout for suspicious activity that could indicate a clandestine operation. Volt Typhoon's hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government's stockpile of zero-day vulnerabilities, which can be weaponized and exploited. Beijing collects these bugs through research, and some may also come as the result of a law that requires vulnerability disclosure.

Meanwhile, in June, Microsoft said that a China-backed hacking group had stolen an immensely sensitive cryptographic key from the company's systems that allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. In a postmortem published in September, Microsoft explained that improper access to the key was incredibly improbable, but occurred in this case because of a unique comedy of errors. The incident was a reminder, though, that Chinese state-backed hackers conduct a massive quantity of espionage operations each year and are often lurking undetected in networks, waiting for the opportune moment to capitalize on any flaw or mistake.

MGM casinos in Las Vegas and other MGM properties around the world suffered massive and disruptive system outages in September after a cyberattack by an affiliate of the notorious Alphv ransomware group. The attack caused chaos for travelers and gamblers alike, and took the hospitality group days—in some cases, even weeks—to recover, as ATMs went down, hotel keycards stopped working, and slot machines went dark.

Meanwhile, Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a data breach at the hands of Alphv, one in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data. _The Wall Street Journal_ reported in September that Caesars paid roughly half of the $30 million the attackers demanded in exchange for a promise that they wouldn't release stolen customer data. MGM reportedly did not pay the ransom.

In December 2022, LastPass, maker of the popular password manager, said that an August 2022 breach it had disclosed at the end of November 2022 was worse than the company originally thought, and encrypted copies of some users’ password vaults had been compromised in addition to other personal information. It was a deeply concerning revelation given that LastPass has suffered other security incidents in the past, and users trust the company with the most sensitive pieces of their digital lives.

On top of this, though, the company disclosed a second incident in February 2023 that also began in August 2022. Attackers compromised the home computer of one of the company's senior engineers—who had special access to LastPass' most sensitive systems—and stole authentication credentials. These, in turn, allowed them to access an Amazon S3 cloud storage environment and ultimately “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the company wrote in March—a devastating breach for a password manager company.

23andMe disclosed at the beginning of October that attackers had successfully compromised some of its users' accounts and parlayed that access to scrape the personal data of a larger number of users through the company's “DNA Relatives” opt-in social-sharing service. In that initial disclosure, the company didn't say how many users were affected. In the meantime, hackers began hawking data that appeared to be taken from a million or more 23andMe users. Then, in a US Securities and Exchange Commission filing at the beginning of December, the company said that the attacker had accessed 0.1 percent of user accounts, or roughly 14,000 per a company estimate that it has about 14 million customers. The SEC filing didn't include a larger number of those impacted by the DNA Relatives scraping, but 23andMe ultimately confirmed to TechCrunch that the hackers collected data from 5.5 million people who had opted in to DNA Relatives, plus information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." Some of the stolen data included classifications like describing subsets of users as being “Ashkenazi Jews,” “broadly Arabian,” or of Chinese descent, potentially exposing them to specific targeting.

While troubling, the data theft didn't include raw genetic information and typically wouldn't qualify as a “worst hack” in and of itself. But the situation was an important reminder of the stakes when dealing with information related to genetics and ancestry, and the possible unintended consequences of adding social sharing mechanisms to sensitive services, even when user participation is voluntary.

The wireless carrier T-Mobile has suffered a ludicrous number of data breaches in recent years and now has the dubious distinction of being a two-time winner of an honorable mention in WIRED's annual Worst Hacks roundups. This year, the company disclosed two breaches. One began in November 2022 and ended in January, impacting 37 million current customers on both prepaid and postpay accounts. Attackers stole customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The second breach, which occurred between February and March and was disclosed in April, was small, impacting less than 900 customers. It is significant, though, because the stolen data included full names, dates of birth, addresses, contact information, government ID information, Social Security numbers, and T-Mobile account pins—in other words, the crown jewels for hundreds of people.

The Worst Hacks of 2023

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as **Kimsuky**.

"A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

The threat actor's espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

"AlphaSeed was developed in Golang and uses chromedp for communications with the \[command-and-control\] server," ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest the Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed on the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea's information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. and act as a revenue-generating stream for the regime and help fund its economic and security priorities.

"The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions," the threat intelligence firm said in a report released earlier this month.

"Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled."

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different ways the country has resorted to evading international sanctions and illegally profiting from the schemes.

"People tend to think, … how could the quote-unquote 'Hermit Kingdom' possibly be a serious player from a cyber perspective?," CrowdStrike's Adam Meyers was quoted as saying to Politico. "But the reality couldn't be further from the truth."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

Ransomware gangs don't always win, and when they don't, it feels pretty great.

Ransomware gangs care about one thing: Stealing money.

Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.

As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors \[said\] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Considering all this, it’s pretty damn nice to see ransomware gangs lose.

As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.

Here are four times ransomware gangs failed in 2023.

**1\. The Royal Mail ransomware attack**

On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.

Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.

But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.

On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.

Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on _really big files_?

“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.

After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.

But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.

Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked _the wrong Royal Mail_, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.

At this point, the LockBit rep accepts defeat.

“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”

We’ll take that as a win.

**2\. MGM bounces back 10 days after ransomware siege**

In Sin City, the house always wins, even when it loses $100 million.

In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.

“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”

MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.  

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.  

MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.

**3\. Qakbot shot down**

Duck hunting season came early this year.

In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.

When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.

Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.

In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.

**4\. ALPHV tattles on its victim to little success**

A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.

That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.

Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.

But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.

Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).

To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.

MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.

To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The top 4 ransomware gang failures of 2023 

By Owais Sultan
Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in…
This is a post from HackRead.com Read the original post: Exploring Imgly SDK Alternatives for Ultimate Flexibility

Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in the dynamic software development environment, exploring alternatives can provide developers with greater flexibility and adaptability to varying project requirements.

In this article, we will delve into IMG.LY alternative SDKs that offer a range of features, allowing developers to choose the one that aligns best with their specific needs.

****1\. OpenCV (Open Source Computer Vision Library)****

Overview:

OpenCV is an open-source computer vision and machine learning library widely used in the field of image processing. It provides a comprehensive set of tools and algorithms for image and video analysis, making it a versatile choice for developers.

Key Features:

*   Image processing and manipulation.
*   Object detection and recognition.
*   Facial recognition.
*   Machine learning support.

Why Choose OpenCV:

OpenCV‘s extensive community support, cross-platform compatibility, and wide range of features make it a powerful alternative for developers looking for flexibility and customization in image processing.

****2\. ImageMagick****

Overview:

ImageMagick is a free open-source software suite for displaying, converting, and editing raster image files. It includes a command-line tool as well as a variety of libraries for different programming languages, making it adaptable to various development environments.

Key Features:

*   Image conversion and format support.
*   Image editing and manipulation.
*   Batch processing.
*   Command-line interface.

Why Choose ImageMagick:

ImageMagick’s versatility, support for a multitude of image formats, and command-line interface make it a strong contender for developers seeking a flexible image-processing solution.

****3\. Pillow (PIL Fork)****

Overview:

Pillow, a fork of the Python Imaging Library (PIL), is a Python Imaging Library that adds image processing capabilities to Python interpreters. It is a user-friendly alternative for developers working with Python applications.

Key Features:

*   Image manipulation and processing.
*   Support for various image formats.
*   Basic image editing operations.
*   Easy integration with Python applications.

Why Choose Pillow:

Pillow is an excellent choice for Python developers due to its simplicity, ease of use, and seamless integration with Python applications.

****4\. Sharp (for Node.js)****

Overview:

Sharp is a high-performance image processing library for Node.js applications. It is designed to be fast and efficient, making it suitable for handling image processing tasks in server-side applications.

Key Features:

*   Image resizing and manipulation.
*   Efficient memory handling.
*   Support for many image formats.
*   Advanced image processing operations.

Why Choose Sharp:

Developers working with Node.js can benefit from Sharp’s speed and efficiency, making it a go-to choice for server-side image processing tasks.

****5\. GD (Graphics Draw)****

Overview:

GD, or Graphics Draw, is an open-source library for dynamic image creation. It supports various programming languages, including PHP, and is commonly used for tasks such as creating thumbnails, processing images, and generating dynamic charts.

Key Features:

*   Image creation and manipulation.
*   Dynamic image generation.
*   Basic drawing functions.
*   Support for multiple programming languages.

Why Choose GD:

GD is a suitable choice for web developers, especially those working with PHP, as it provides a simple and efficient solution for dynamic image generation and manipulation.

****Conclusion****

While Imgly SDK has been a popular choice, exploring alternative image processing libraries can offer developers ultimate flexibility based on their project requirements, programming language preferences, and specific functionalities needed.

Each of the alternatives mentioned—OpenCV, ImageMagick, Pillow, Sharp, and GD—comes with its strengths and can be tailored to meet the diverse needs of image processing tasks.

By evaluating the features, ease of integration, and community support of each alternative, developers can make an informed decision that aligns with the goals of their projects.

****_RELATED ARTICLES_****

1.  **5 Best Video Editing SDKs for iOS**
2.  **Kotlin app development company – How to choose**
3.  **A Guide to Crafting a Dynamic App Using Weather APIs**
4.  **Run Android Applications on PC via Android SDK Manager**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**
6.  **Top Benefits of Using Flutter for Cross-Platform App Development**

Exploring Imgly SDK Alternatives for Ultimate Flexibility

Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920291, #920724  
       ID: 202312-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.6      >= 0.10.6

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.6"

References  
=========  
[ 1 ] CVE-2023-6004  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6004  
[ 2 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-16

Gentoo Linux Security Advisory 202312-17 - Multiple vulnerabilities have been discovered in OpenSSH, the worst of which could lead to code execution. Versions greater than or equal to 9.6_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920292, #920722  
       ID: 202312-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in OpenSSH, the worst of  
which could lead to code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-misc/openssh  < 9.6_p1      >= 9.6_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.6_p1"

References  
=========  
[ 1 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795  
[ 2 ] CVE-2023-51385  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385  
[ 3 ] CVE-2023-51385,CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385,CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac