Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for…

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for popular software. The malware steals Facebook credentials, hijacks accounts espicially those administrating business pages, and spreads further attacks globally.

A new malvertising campaign is exploiting Meta’s advertising platform to spread the **SYS01 infostealer**, a cybersecurity threat known to Meta and particularly Facebook users for stealing their personal information.

What makes this attack targeted is that millions of users globally, specifically men aged 45 and above, are potential victims of this ongoing attack, which cleverly disguises itself as advertisements for popular software, games, and online services.

This campaign, first detected in September 2024, stands out due to its impersonation tactics and popular brands that it exploits. Instead of focusing on a single lure, the attackers mimic a broad range of trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

****How the Attack Works:****

According to Bitdefender’s **blog post** shared with Hackread.com ahead of publishing on Wednesday, the malicious ads often lead to MediaFire links offering direct downloads of seemingly legitimate software. These downloads, packaged as zip archives, contain a malicious Electron application.

Once executed, this application drops and **runs the SYS01 infostealer**, often while displaying a decoy app that mimics the advertised software. This deceptive tactic makes it difficult for victims to realize they’ve been compromised.

For your information, an Electron application is a type of desktop app built with web technologies like HTML, CSS, and JavaScript. Electron is an open-source framework developed by GitHub that allows developers to create cross-platform applications that run on Windows, macOS, and Linux, all from a single codebase.

In this attack however, behind the scenes, the Electron app uses obfuscated Javascript code and a standalone 7zip executable to extract a password-protected archive containing the core malware components. This archive includes PHP scripts responsible for **installing the infostealer** and establishing persistence on the victim’s system. The malware also incorporates anti-sandbox checks to evade detection by security researchers.

****Stealing Data and Hijacking Accounts:****

The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used to further attacks/scams.

What’s worse, the attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create **new malicious ads** that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign (Via Bitdefender)

****Global Reach and Protection****

While the campaign has a global reach, impacting users in the EU, North America, Australia, and Asia, Bitdefender could not verify the full extent of its impact, especially outside the EU, which remains unclear due to limited data transparency.

Nevertheless, if you are on Facebook—especially if you run a business page—you must watch out for SYS01 Infostealer and **similar threats**. While using common sense is essential, here are some vital steps you should take:

1.  **Monitor your accounts:** Regularly check your Facebook and other social media accounts for suspicious activity. Report any unauthorized access immediately and change your passwords.
2.  **Be wary of ads:** Exercise caution when clicking on ads, especially those offering free downloads or deals that seem too good to be true. Verify the source before downloading any software.
3.  **Stick to official sources:** Download software directly from official websites or trusted app stores. Avoid third-party platforms and file-sharing services.
4.  **Use strong security software:** Install reputable security software and keep it updated. Choose a solution that offers real-time protection and advanced threat detection.
5.  **Enable two-factor authentication (2FA):** Activate 2FA on your Facebook and other important online accounts for added security.

1.  **Fake GTA VI Beta Download Spreads Malware**
2.  **ALPHV Ransomware Uses Google Ads to Target Victims**
3.  **Fake WhatsApp clone steals crypto on Android and Windows**
4.  **Facebook, Meta, Apple, Amazon Most Impersonated in Scams**
5.  **Fake ChatGPT and Facebook Ads Used in DNS Investment Scam**

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

PRESS RELEASE

TEL AVIV-YAFO, Israel – Oct. 29, 2024 – Zenity, the leader in securing agentic AI, today announced they have received $38 million in Series B funding co-led by Third Point Ventures and DTCP, pushing the total capital raised to over $55 million. It follows the recent strategic investment by Microsoft’s venture arm M12, with strong support from existing investors Intel Capital and Vertex Ventures. The funds will be used to grow the team across product, engineering, sales, and marketing, as well as launching a partner program to expand the ecosystem of supporting enterprises globally as they adopt agentic workflows including agentic AI, enterprise copilots, and applications built on low-code platforms. With Forbes estimating more than 51% of companies are actively adopting AI for process automation, and Microsoft stating the number of people who use Copilot daily at work has nearly doubled quarter-over-quarter, many enterprises have already taken a bold leap into the world of AI. However, per Salesforce, only 11% of CIOs say they’ve fully implemented AI, with the number one reason for holding full implementation back being around security and data infrastructure concerns. This round of funding serves to further accelerate and expand Zenity’s ability to enable the use of AI apps and agents among Fortune 500 enterprises, including current Zenity customers that exist across financial services, technology, manufacturing, energy and pharmaceutical industries.

Ben Kliger, Zenity’s CEO and co-founder, said: “The future of work is now. For the first time, large enterprises are on the cutting edge by placing the power of AI and low-code at all users’ fingertips, meaning anyone can now use and build AI agents and business applications to get more done. As such, security teams need robust and purpose-built solutions to properly manage the risks that come when utilizing the most powerful tools we have ever seen. We are proud to partner with Third Point Ventures and DTCP to continue our mission in supporting the world’s largest and most consequential organizations to enable innovation securely.” Recently, Zenity researchers found that the average large enterprise has nearly 80,000 AI agents, apps, and automations that are built using low-code development platforms, with over 62% containing some type of security vulnerability. Additionally, Zenity CTO and co-founder Michael Bargury presented research at Black Hat 2024 revealing how easy it is for bad actors to take control over enterprise copilots, such as Microsoft 365 Copilot, all without requiring a compromised account. What these themes have in common, is that business users of all technical backgrounds are at the forefront for business productivity. It also means that IT organizations are lacking visibility, as AI agents and applications are being built and used across the enterprise. These applications exist with an implicitly shared responsibility model, similar to the cloud, and security teams do not have visibility into what risks exist. Zenity provides visibility, risk assessment, and governance that security teams need in order to fully harness AI agents. Having gotten their start as the pioneers in the low-code/no-code application security space, Zenity is uniquely positioned with this latest round of funding to support enterprises as they continue placing more power at the hands of business users via Agentic AI workflows. As a community-oriented organization, having led and co-sponsored initiatives like the OWASP Top 10 for Low-Code/No-Code Security and the newly minted GenAI Attacks Matrix, Zenity is at the forefront of both security research and product development to be able to continue as a force enabler to the world’s enterprises. 

Sapir Harosh, Partner, Third Point Ventures, said: “In the rapidly evolving realms of AI and low-code development, Zenity stands out as a first mover dedicated to securing enterprises from emerging threats. We are proud to invest in Zenity and work closely with the team as they enable enterprises to harness powerful tools safely and drive transformative change. At Third Point Ventures, we are on the lookout for visionary companies like Zenity—those with deep connections to technology and a bold mission to serve large enterprises. We look forward to supporting their next wave of growth as they continue to innovate with advancements in AI and low-code technologies.” 

Dean Shahar, Head of Israel, DTCP, said: “We are incredibly impressed with Zenity’s achievements and are thrilled to partner with them in their next phase of growth. It’s no secret that the race to secure AI is on, but Zenity is way ahead of the competition, driven by a strong customer base and over 3x YoY growth. Their research-driven and community-focused approach, combined with their expertise in securing and understanding low-code environments, gives them a distinctive advantage in securing how business users operate today – one that’s already delivering real value to their customers. We’re excited about the opportunity to work with Ben, Michael and their incredible team and look forward to a fruitful collaboration that drives innovation and success.” 

About Zenity  Zenity, the world’s first agent-less application security platform for enterprise Copilots and Low-Code development, protects organizations from security threats, helps meet compliance, and enables business continuity. Established in 2021, many of the world’s leading organizations trust Zenity to help configure security guardrails, generate prioritized lists of vulnerabilities, and accurately pinpoint and remediate vulnerabilities by continuously scanning business-led development platforms and providing centralized visibility, risk assessment, and governance. Visit us at https://www.zenity.io for more.

Zenity Raises $38M Series B Funding Round to Secure Agentic AI

PRESS RELEASE

NEW YORK, Oct. 28, 2024 /PRNewswire/ -- Casap, a disputes automation and fraud prevention platform, has raised $8.5 million to scale the first AI-powered solution for banks, credit unions and fintechs to intelligently tackle first-party fraud and automate disputes and chargebacks. The recent round was led by Lightspeed Venture Partners with participation from Primary Venture Partners, Commerce Ventures, Curql, Alloy Labs, and notable fintech founders and execs from Chime, Robinhood, Square, Current, Novo, and Alloy. The funding will enable Casap to continue to scale its AI decisioning, helping financial institutions reduce operational costs, curb fraud-related losses, and transform the consumer experience.

"The surge in first-party fraud and dispute volumes are overwhelming financial institutions," said Shanthi Shanmugam, co-founder and CEO of Casap. "Our platform helps banks, credit unions and fintechs meet these challenges head-on with intelligent automation that delivers fast, frictionless dispute resolution at a fraction of today's cost. By empowering institutions to identify fraudulent claims early and resolve legitimate cases swiftly, Casap is transforming what is often a frustrating customer service experience into an opportunity to build consumer loyalty."

Financial institutions are under immense pressure to resolve the 238 million chargebacks that emerge annually, most of which take 45-90 days to resolve. First-party fraud has consistently risen year over year since COVID, with more consumers disputing legitimate charges to avoid payment. This surge, combined with a growing tendency to file disputes directly with payment providers instead of merchants, has led to overwhelming volumes and substantial financial losses. Institutions are forced to hire large teams, navigate complex regulations, and outsource chargebacks yet still struggle to meet consumer expectations — 50% of consumers will switch banks if they are not getting the service they want and expect, leading to long-term attrition and escalating costs.

Casap's AI-powered automations and proprietary "first-party fraud score", similar to an industry-standard FICO score, combine to resolve a dispute end-to-end without human intervention. The platform intelligently analyzes evidence, predicts outcomes, and automates key actions — such as issuing credits, filing chargebacks, and responding to merchants — while using its fraud score to identify suspicious consumers and merchants to proactively reduce disputes.

"Our team was impressed by the deep expertise Shanthi and Saisi brought to what is a cross-industry problem with significant scale. The company's early momentum is a promising indication of the type of compounding technological innovation we look for," says Aaron Frank, Partner at Lightspeed.

Casap's chargeback model, the first of its kind, includes publicly available weights — putting Casap at the forefront of innovation and sets a new standard for transparency in the industry. With built-in regulatory expertise and key integrations, Casap's advanced AI and decisioning capabilities cut resolution times from days to minutes, driving significant cost savings and enhancing operational efficiency for financial institutions.

Casap is already delivering measurable results for customers across the payments ecosystem, from major fintechs and established institutions like Chartway Credit Union to Banking-as-a-Service providers and sponsor banks.

"Before Casap, our team lacked the tools to effectively resolve disputes or file chargebacks, leading to a negative member experience and limited ability to improve the process," said Karin Collier, Director of Card Services at Chartway Credit Union. "Partnering with Casap has revolutionized how we think about disputes. With Casap's built-in regulatory expertise and AI-powered automation, we get to drive fast, accurate dispute outcomes, catch friendly fraud early, achieve higher NPS, all while seeing an immediate positive impact on our bottom line. Casap's customizability helps us adapt quickly to evolving needs, fraud trends, and transforms the way we work across the credit union. With Casap, AI is more than a tool—it's the engine driving our mission to create an unparalleled member experience. We're excited to continue partnering with Casap to transform how we operate across the back-office and set a new benchmark for exceptional member service."

"Choosing Casap as our multi-year partner for disputes and fraud management was an easy decision," continues Collier. "The partnership delivers immediate impact, with 29% cost savings from day one with even greater efficiencies projected just a month out. More importantly, Casap enables us to build trust by offering our members a fast, seamless self-service experience that sets a new standard for dispute resolution."

Casap is committed to making its platform the best-in-class solution for resolving disputes and chargebacks, helping customers achieve results up to four times faster than competitors in the space.

"Consumer trust is the lifeblood of financial institutions," Shanmugam continues. "Casap gives banks, credit unions and fintechs the tools they need to resolve genuine disputes quickly, while curbing the rising costs of fraud. We're not just solving a back-office problem—we're reshaping how institutions build trust and loyalty in the face of fraud."

Before founding Casap, Shanthi Shanmugam and Saisi Peter spent years driving innovation at fintech powerhouses Chime and Robinhood, with a focus on delivering seamless, consumer-first experiences. Their expertise in revolutionizing the way we operate payments has fueled Casap's rapid growth and early momentum.

Casap has also been recognized by industry leaders, winning the NACUSO 2024 Next Big Idea Competition.

About

Casap is an AI-powered disputes automation and fraud prevention platform. With built-in regulatory expertise and network integrations, Casap's intelligent automation identifies fraudulent claims early and delivers fast, frictionless dispute and chargeback resolution at a fraction of today's cost. Growing financial institutions use Casap to scale with a triple shield — back office efficiencies, fraud protection, and consumer delight. Casap is backed by top-tier VCs and notable fintech founders. Learn more at casaphq.com.

Casap Secures $8.5M in Funding

Red Hat Security Advisory 2024-8616-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8616.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:8616-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8616Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2022-48773====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (CVE-2024-40998)* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48773References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2297582https://bugzilla.redhat.com/show_bug.cgi?id=2298109

Red Hat Security Advisory 2024-8616-03

Red Hat Security Advisory 2024-8577-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8577.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: krb5 security updateAdvisory ID:        RHSA-2024:8577-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8577Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-3596====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* freeradius: forgery attack (CVE-2024-3596)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3596References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263240

Red Hat Security Advisory 2024-8577-03

### Impact
Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired.

Users not implemented SAS Uri's are unaffected.

### Patches
This issue was resolved in version 8.0.0 of the library, all users should update to this version ASAP.

### Workarounds
None



**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-24mc-gc52-47jv: ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.
"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.
"The malvertising campaign leverages nearly a hundred malicious

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.

"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.

"The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real-time."

SYS01stealer was first documented by Morphisec in early 2023, describing attack campaigns targeting Facebook business accounts using Google ads and fake Facebook profiles that promote games, adult content, and cracked software.

Like other stealer malware, the end goal is to steal login credentials, browsing history, and cookies. But it's also focused on obtaining Facebook ad and business account data, which is then used to propagate the malware further via phony ads.

"The hijacked Facebook accounts serve as a foundation for scaling up the entire operation," Bitdefender noted. "Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves."

The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. A majority of the Facebook ads are engineered to target men aged 45 and above.

"This effectively lures victims into clicking these ads and having their browser data stolen," Trustwave said in an analysis of the malware in July 2024.

"If there is Facebook-related information in the data, there is a possibility of not only having their browser data stolen but also having their Facebook accounts controlled by the threat actors to further spread malvertisements and continue the cycle."

Users who end up interacting with the ads are redirected to deceptive sites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in an attempt to initiate the infection. The attacks are also known to use hijacked Facebook accounts to publish fraudulent ads.

The first stage payload downloaded from these sites is a ZIP archive that includes a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching the multi-stage process.

This includes running PowerShell commands to prevent the malware from running in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and setting up an operating environment to run the PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives come embedded with an Electron application, suggesting that the threat actors are continuously evolving their strategies.

Also present within the Atom Shell Archive (ASAR) is a JavaScript file ("main.js") that now executes the PowerShell commands to perform sandbox checks and execute the stealer. Persistence on the host is achieved by setting up scheduled tasks.

"The adaptability of the cybercriminals behind these attacks makes the SYS01 infostealer campaign especially dangerous," Bitdefender said. "The malware employs sandbox detection, halting its operations if it detects it's being run in a controlled environment, often used by analysts to examine malware. This allows it to remain undetected in many cases."

"When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures."

**Phishing Campaigns Abuse Eventbrite**

The development comes as Perception Point detailed phishing campaigns that misuse the Eventbrite events and ticketing platform to steal financial or personal information.

The emails, delivered via noreply@events.eventbrite\[.\]com, prompt users to click on a link to pay an outstanding bill or confirm their package delivery address, after which they are asked to enter their login and credit card details.

The attack itself is made possible by the fact that the threat actors sign up for legitimate accounts on the service and create fake events by abusing the reputation of a known brand, embedding the phishing link within the event description or attachment. The event invite is then sent to their targets.

"Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.

"The Eventbrite sender domain also increases the likelihood that recipients will open the email and click through to the phishing link. This abuse of Eventbrite's platform enables the attackers to evade detection, ensuring higher delivery and open rates."

**Pig Butchering of a Different Kind**

Threat hunters are also calling attention to an increase in cryptocurrency fraud that impersonates various organizations to target users with bogus job lures that purportedly allow them to earn money while working from home. The unsolicited messages also claim to represent legitimate brands like Spotify, TikTok, and Temu.

The activity commences via social media, SMS, and messaging apps like WhatsApp and Telegram. Users who agree to take up the jobs are instructed by the scammers to register on a malicious website using a referral code, following which they are asked to complete various tasks – submit fake reviews, place product orders, play specific songs on Spotify, or book hotels.

The scam unfolds when victims' fake commission account balance suddenly goes into the negative and they are urged to top up by investing their own cryptocurrency in order to earn bonuses off the tasks.

"This vicious cycle will continue as long as the scammers think the victim will keep paying into the system," Proofpoint researchers said. "If they suspect their victim has become wise to the scam, they will lock their account and ghost them."

The illicit scheme has been attributed with high confidence to threat actors who also conduct pig butchering, which is also known as romance-based cryptocurrency investment fraud.

"The job fraud has smaller but more frequent returns for the fraudsters compared to pig butchering," Proofpoint said. "The activity leverages popular brand recognition in place of a long, romance-based confidence scam."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

Four members of the notorious REvil ransomware group have been sentenced to prison terms in Russia. This development…

Four members of the notorious REvil ransomware group have been sentenced to prison terms in Russia. This development marks a major step in the global fight against cybercrime. Learn more about the REvil ransomware gang and the recent sentencing.

Four members of the notorious REvil ransomware gang (also known as Sodinokibi) have been sentenced to prison terms in Russia. This is a rare example of Russian authorities taking action against cybercriminals especially a ransomware group operating within their borders.

The St. Petersburg Garrison Military Court found Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of various cybercrimes, including illegal circulation of payment means and malware distribution.

The convicted individuals were part of a larger group of 14 people initially detained in connection with the REvil case. The REvil group, once a prolific threat actor, was dismantled following the arrest of several members by Russian authorities.

Revil ransomware gang aka Sodinokibi’s dark web leak site and ransomware note

“All defendants have been in custody since early 2022. They have not admitted their guilt. The arrests of the alleged REvil members, who are called pro-Russian cybercriminals in the Western press, took place in several regions of the Russian Federation in June 2021,” Russian news outlet Kommersant reported.

The investigation, initiated by a request from U.S. law enforcement, revealed the group’s involvement in high-profile cyberattacks targeting international technology companies, Spanish Telecom firm MasMovil, Kaseya, US nuclear weapons contractor, and many more.

The four individuals received prison sentences ranging from 4.5 to 6 years. This outcome is particularly noteworthy considering that Russia has often been perceived as a haven for cybercriminals.

The sentencing of these REvil members follows a wider crackdown on cybercrime in Russia. Earlier this year, Russian authorities also initiated investigations into the Cryptex and UAPS groups, known for providing money laundering services to cybercriminals.

In addition, it follows the sentencing of Yaroslav Vasinskyi, a 24-year-old Ukrainian national, to 13 years in prison in the U.S. for his involvement in over 2,500 REvil ransomware attacks.

It is important to note that the Russian government’s actions against REvil came amidst increased international pressure, particularly from the United States after 2021 when the gang targeted over 1,000 businesses worldwide.

1.  REvil ransomware gang goes dark after Tor sites hack
2.  REvil gang hits UK ITSPs with extortion-based DDoS attacks
3.  REvil ransomware is back after disappearing amid Kaseya attack
4.  Universal decryptor key for Sodinokibi, REvil ransomware released
5.  Cardiologist Charged for Developing Jigsaw v.2, Thanos Ransomware

Russian Court Jails Four REvil Ransomware Gang Members

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.
This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

Cyber Security / Hacking News

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.

This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the knowledge you need to stay safe.

So grab your popcorn (and maybe a firewall), and let's dive into the latest cybersecurity drama!

**⚡ Threat of the Week**

**Critical Fortinet Flaw Comes Under Exploitation:** Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.

 **🚢🔐 Kubernetes Security for Dummies**

How to implement a container security solution and **Kubernetes Security best practices** all rolled into one. This guide includes everything essential to know about building a strong security foundation and running a well-protected operating system.

Get the Guide**️🔥 Trending CVEs**

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

**🔔 Top News**

*   **Severe Cryptographic Flaws in 5 Cloud Storage Providers:** Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull them off.
*   **Lazarus Exploits Chrome Flaw:** The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
*   **AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed:** A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
*   **SEC Fines 4 Companies for Misleading SolarWinds Disclosures:** The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
*   **4 REvil Members Sentenced in Russia:** Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.

**📰 Around the Cyber World**

*   **Delta Air Lines Sues CrowdStrike for July Outage:** Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. "CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," it said. "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike said "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
*   **Meta Announces Secure Way to Store WhatsApp Contacts:** Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and hardware security module (HSM). Until now, WhatsApp relied on a phone's contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS "aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-friendly way" and that "WhatsApp servers do not have visibility into the content of a user's contact metadata." All the identified shortcomings have been fully fixed as of September 2024.
*   **CISA, FBI Investigating Salt Typhoon Attacks:** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the "malicious activity" was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Multiple reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
*   **Fraudulent IT Worker Scheme Becomes a Bigger Problem:** While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn't just limited to the country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it's not clear what they were after. "Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process," HYPR said. "Video-based verification is a critical identity control, and not just at onboarding."
*   **Novel Attacks on AI Tools:** Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to "accept and respond with content that would normally be blocked" by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.

**🔥 Resources & Insights****🎥 Infosec Expert Webinar**

**Master Data Security in the Cloud with DSPM**: Struggling to keep up with data security in the cloud? Don't let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today's data-driven world.

**🛡️Ask the Expert**

**Q:** What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?

**A:** The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.

**🔒 Tip of the Week**

**Level Up Your DNS Security:** While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be misled to fake websites to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card's authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).

**Conclusion**

And there you have it – another week's worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We'll be back next Monday with more news and insights to help you navigate the digital landscape.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap