Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability

CVE-2023-36719

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2023-38177

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2023-36016

Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability

CVE-2023-36021

Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

CVE-2023-36028

Microsoft Remote Registry Service Remote Code Execution Vulnerability

CVE-2023-36423

By Deeba Ahmed
As per cybersecurity researchers at Proofpoint, the APT group TA402 operates in support of Palestinian espionage objectives, with a primary focus on intelligence collection.
This is a post from HackRead.com Read the original post: Pro-Palestinian TA402 APT Using IronWind Malware in New Attack

The recently discovered IronWind malware is distributed via email attachments, cleverly disguised as official correspondence related to the “Economic Cooperation Program with the Countries of the Gulf Cooperation Council 2023-2024.”

Proofpoint cybersecurity researchers have discovered a **new phishing campaign** against Israeli entities, launched by a Middle Eastern APT group, TA402. Proofpoint has been monitoring TA402’s activities since 2020.

The group is also known as Gaza Cybergang, Molerats, WIRTE, and Frankenstein. Researchers agree that TA402 is a pro-Palestinian threat actor targeting Israel for intelligence gathering. The **group had previously been identified** using Facebook, Google Drive, and Dropbox to propagate malware

“TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection.” This aligns with earlier reports published by Proofpoint on this specific threat actor.”

The company’s latest report, authored by Joshua Miller and the Proofpoint Threat Research Team, revealed that the attackers used a novel initial access downloader dubbed IronWind in this campaign.

IronWind malware is written in the **Go programming language**. After getting deployed, it allows attackers to load additional malware, such as remote access trojans or keyloggers, to steal sensitive data.

Proofpoint researchers found that the attackers are targeting individuals and organizations linked to the Israeli government or military institutions. The campaign started in July 2023 and continued until October 2023. TA402 has consistently engaged in targeted activities and strongly focused on Middle Eastern and North African entities.

Using the labyrinthine infection chain IronWinds indicates that the threat actors have become more sophisticated in their choice of attack mechanisms and are focusing on evading security measures.

The group used a compromised Ministry of Foreign Affairs email account to target Middle Eastern government officials in this phishing campaign. The email message had an economic-themed social engineering lure that read:

“برنامج التعاون الإقتصادي مع دول مجلس التعاون الخليجي 2023-2024″ (Translation: Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024,”) the **blog post** revealed.

What’s interesting is that TA402 used three different delivery methods between July and October. This includes Dropbox links and XLL and RAR file attachments. Each variation leads to the downloading of a DLL containing the multifunctional malware. The email **delivered a Dropbox** link in July, from where a malicious Microsoft PowerPoint Add-in (PPAM) file was downloaded.

This file contained a macro, which dropped three files- version.dll (IronWind), timeout.exe (IronWind sideloader), and gatherNetworkInfo.vbs. When IronWind is sideloaded, the downloader sends an HTTP GET request to a known TA402 C2 domain (theconomicsnet) hosted on 191.101.78189. 

In August, the attacker included an XLL file in the email, which loaded IronWind. In October, the attacker sent an **RAR attachment** containing a renamed version of tabcal.exe to sideload the downloader instead of using the PPAM file. The same month, TA402 used the Gaza war conflict for the first time as a lure in emails.

TA402 has avoided using cloud services like Dropbox API, which Proofpoint had noticed in its activities in 2021 and 2022, and used attacker-controlled C2 infrastructure.

TA402 APT’s infection chain from November 2021 to January 2022 and infection chain in July 2023 campaign (Credit: Proofpoint)

This is a serious threat, and organizations must take steps to protect themselves. They should implement **cybersecurity awareness training for employees**, keep their systems up to date, and be on the lookout for suspicious activity. Hackread.com is tracking the activities of TA402 and will post updates as they become available.

****_RELATED ARTICLES_****

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware**
3.  **Deadglyph Backdoor Linked to Stealth Falcon APT in the Middle East**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine**
6.  **Gelsemium APT Group Uses “Rare” Backdoor in Southeast Asian Attack**

Pro-Palestinian TA402 APT Using IronWind Malware in New Attack

In Abbott ID NOW before 7.1, settings can be modified via physical access to an internal serial port.

**Access the most recent product security updates from Abbott and its suppliers here.****NOVEMBER 14, 2023****Product Security Bulletin: ID Now**

Abbott has reviewed the level of potential impact of this vulnerability on product performance and safety, and has taken appropriate steps to mitigate this issue in its latest software update, v7.1.

****JANUARY 5, 2022******Product Security Bulletin: Apache Log4j**

Abbott is aware of the recently discovered remote code execution vulnerability impacting Apache Log4j, a logging tool commonly used in Java-based software applications.  

**DECEMBER 8, 2020****Product Security Bulletin: Amnesia:33**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party open-source networking software components (TCP/IP stacks), commonly referred to as "Amnesia:33".

****SEPTEMBER 7, 2020******Product Security Bulletin: Treck TCP/IP "Ripple 20"**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in the Treck TCP/IP stack, commonly referred to as"Ripple 20". According to published reports, including the CISA Alert1, the security vulnerabilities in the software that supports network connectivity could allow remote code execution or exposure of sensitive information.

****OCTOBER 8, 2020******Product Security Bulletin: "Sweyntooth" BLE**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party Bluetooth Low Energy (BLE) components, commonly referred to as “SweynTooth”. According to published reports, including the CISA Alert1, the vulnerabilities expose flaws in specific BLE components from multiple chip manufacturers that could allow an unauthorized user to interrupt BLE communication or bypass security.

****NOVEMBER 2, 2020******Product Security Bulletin: Microsoft CryptoAPI Spoofing**

Abbott is monitoring developments related to the recently published CISA Alert (Alert AA20-014A) identifying vulnerabilities in Microsoft’s Windows CryptoAPI, an application programming interface that enables developers to secure Windows-based applications. 

****JULY 7, 2020******Product Security Bulletin: VxWorks IPNet Vulnerabilities**

Abbott is monitoring developments related to recently published advisory (ICSA-19-211-01) identifying 11 IPNet vulnerabilities in Wind River’s VxWorks and other widely used Real Time Operating Systems (RTOSs). These vulnerabilities were reported by security researchers at Armis and are sometimes referred to as “Urgent/11”. RTOSs are used in a wide variety of products, including printers, routers, medical devices, firewalls, VOIP phones and industrial controllers.

****MAY 22, 2019******Product Security Bulletin: Microsoft RDP**

Abbott is aware of and actively monitoring updates related to the Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708), which was announced by Microsoft on May 14, 2019.

****JANUARY 12, 2018******Product Security Bulletin: Meltdown/Spectre**

The National Health Information Sharing and Analysis Center (NH-ISAC) has issued an advisory to the industry regarding Meltdown and Spectre, two new widespread cybersecurity vulnerabilities impacting processors in nearly every computer and mobile device.

CVE-2023-47262: Product Advisories

By Waqas
Omegle was founded on March 25, 2009.
This is a post from HackRead.com Read the original post: Video Chat Website Omegle Permanently Shuts Down

Omegle’s founder Brooks Leif K-Brooks, cited the rampant misuse of the platform by pedophiles and other criminals as a major factor in the decision to shut it down.

Omegle, a widely used video chat website that allows users to connect randomly with strangers, ceased operations on November 8, 2023. The closure was announced by founder Leif K-Brooks, who said that operating the website was “no longer sustainable, financially nor psychologically.”

Brooks cited the rampant misuse of the platform by paedophiles and other criminals as a major factor in the decision to shut it down. In recent years, Omegle has been mentioned in more than 50 cases (**1** & **2**) against paedophiles, and the site has been criticized by child protection organizations for its lack of safety features.

Brooks also said that the stress and expense of fighting the misuse of Omegle was too much to bear. “Frankly, I don’t want to have a heart attack in my 30s,” he **said** in a statement on the website.

Statement from Omegle founder Leif K-Brooks (Click or open in new tab to enlarge)

At the time of closure, **according to** Help Mama, Omegle had a user base of 235 million active users on a weekly basis. The platform maintained a strong daily presence, with 3.35 million users engaging actively each day.

Breaking down the numbers further, Omegle sustained hourly traffic of 139,880 active users, drawing in a consistent stream of 2,331 users every minute. The platform’s appeal was evident in its rapid growth, welcoming 39 new visitors every second.

Geographically, a significant portion of Omegle’s user demographic hailed from the United States, constituting 29.93% of the total user base. These statistics highlight the widespread and continuous engagement that Omegle enjoys on a global scale.

However, the closure of Omegle is a loss for many people who used the platform to connect with new friends and strangers from all over the world. The platform also played a vital role in YouTube and TikTok prank culture. Yet, it is also a reminder of the dangers of online anonymity and the challenges of keeping online platforms safe for users.

Alternatives to Omegle include Chatroulette, Chatrandom, and Tinychat. These platforms offer similar features to Omegle, but they have also been criticized for their lack of safety features. Users should be cautious when using any online platform that allows them to connect with strangers.

****_RELATED ARTICLES_****

1.  **9 risky apps that you need to monitor on your kids’ smartphone**
2.  **Microsoft’s new tool detects & reports pedophiles from online chats**
3.  **Operation Narsil – INTERPOL Busts Decade-Old Child Abuse Network**
4.  **How chat platforms are using Machine Learning for content moderation?**
5.  **Anonymous shut down thousands of Dark Web sites for hosting child porn**

Video Chat Website Omegle Permanently Shuts Down

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

Tag

#microsoft