Red Hat Security Advisory 2024-8721-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8721.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: firefox security update  
Advisory ID:        RHSA-2024:8721-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8721  
Issue date:         2024-11-01  
Revision:           03  
CVE Names:          CVE-2024-10458  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)

* firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)

* firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)

* firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)

* firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)

* firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)

* firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)

* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)

* firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-10458

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2322424  
https://bugzilla.redhat.com/show_bug.cgi?id=2322425  
https://bugzilla.redhat.com/show_bug.cgi?id=2322428  
https://bugzilla.redhat.com/show_bug.cgi?id=2322429  
https://bugzilla.redhat.com/show_bug.cgi?id=2322433  
https://bugzilla.redhat.com/show_bug.cgi?id=2322434  
https://bugzilla.redhat.com/show_bug.cgi?id=2322438  
https://bugzilla.redhat.com/show_bug.cgi?id=2322439  
https://bugzilla.redhat.com/show_bug.cgi?id=2322440  
https://bugzilla.redhat.com/show_bug.cgi?id=2322444

Red Hat Security Advisory 2024-8721-03

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.
"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

Spyware / Mobile Security

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

"While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy's Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

"After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the \[command-and-control\] data and working directory," the Dutch security company said.

"Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data."

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it's believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

However, there is some evidence that the operators are likely based in China owing to the fact that the location plugin "recalculates location coordinates according to a system used exclusively in China." It's worth noting that Chinese map service providers follow a coordinate system called GCJ-02.

"The LightSpy iOS case highlights the importance of keeping systems up to date," ThreatFabric said. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for…

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for popular software. The malware steals Facebook credentials, hijacks accounts espicially those administrating business pages, and spreads further attacks globally.

A new malvertising campaign is exploiting Meta’s advertising platform to spread the **SYS01 infostealer**, a cybersecurity threat known to Meta and particularly Facebook users for stealing their personal information.

What makes this attack targeted is that millions of users globally, specifically men aged 45 and above, are potential victims of this ongoing attack, which cleverly disguises itself as advertisements for popular software, games, and online services.

This campaign, first detected in September 2024, stands out due to its impersonation tactics and popular brands that it exploits. Instead of focusing on a single lure, the attackers mimic a broad range of trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

****How the Attack Works:****

According to Bitdefender’s **blog post** shared with Hackread.com ahead of publishing on Wednesday, the malicious ads often lead to MediaFire links offering direct downloads of seemingly legitimate software. These downloads, packaged as zip archives, contain a malicious Electron application.

Once executed, this application drops and **runs the SYS01 infostealer**, often while displaying a decoy app that mimics the advertised software. This deceptive tactic makes it difficult for victims to realize they’ve been compromised.

For your information, an Electron application is a type of desktop app built with web technologies like HTML, CSS, and JavaScript. Electron is an open-source framework developed by GitHub that allows developers to create cross-platform applications that run on Windows, macOS, and Linux, all from a single codebase.

In this attack however, behind the scenes, the Electron app uses obfuscated Javascript code and a standalone 7zip executable to extract a password-protected archive containing the core malware components. This archive includes PHP scripts responsible for **installing the infostealer** and establishing persistence on the victim’s system. The malware also incorporates anti-sandbox checks to evade detection by security researchers.

****Stealing Data and Hijacking Accounts:****

The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used to further attacks/scams.

What’s worse, the attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create **new malicious ads** that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign (Via Bitdefender)

****Global Reach and Protection****

While the campaign has a global reach, impacting users in the EU, North America, Australia, and Asia, Bitdefender could not verify the full extent of its impact, especially outside the EU, which remains unclear due to limited data transparency.

Nevertheless, if you are on Facebook—especially if you run a business page—you must watch out for SYS01 Infostealer and **similar threats**. While using common sense is essential, here are some vital steps you should take:

1.  **Monitor your accounts:** Regularly check your Facebook and other social media accounts for suspicious activity. Report any unauthorized access immediately and change your passwords.
2.  **Be wary of ads:** Exercise caution when clicking on ads, especially those offering free downloads or deals that seem too good to be true. Verify the source before downloading any software.
3.  **Stick to official sources:** Download software directly from official websites or trusted app stores. Avoid third-party platforms and file-sharing services.
4.  **Use strong security software:** Install reputable security software and keep it updated. Choose a solution that offers real-time protection and advanced threat detection.
5.  **Enable two-factor authentication (2FA):** Activate 2FA on your Facebook and other important online accounts for added security.

1.  **Fake GTA VI Beta Download Spreads Malware**
2.  **ALPHV Ransomware Uses Google Ads to Target Victims**
3.  **Fake WhatsApp clone steals crypto on Android and Windows**
4.  **Facebook, Meta, Apple, Amazon Most Impersonated in Scams**
5.  **Fake ChatGPT and Facebook Ads Used in DNS Investment Scam**

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

PRESS RELEASE

TEL AVIV-YAFO, Israel – Oct. 29, 2024 – Zenity, the leader in securing agentic AI, today announced they have received $38 million in Series B funding co-led by Third Point Ventures and DTCP, pushing the total capital raised to over $55 million. It follows the recent strategic investment by Microsoft’s venture arm M12, with strong support from existing investors Intel Capital and Vertex Ventures. The funds will be used to grow the team across product, engineering, sales, and marketing, as well as launching a partner program to expand the ecosystem of supporting enterprises globally as they adopt agentic workflows including agentic AI, enterprise copilots, and applications built on low-code platforms. With Forbes estimating more than 51% of companies are actively adopting AI for process automation, and Microsoft stating the number of people who use Copilot daily at work has nearly doubled quarter-over-quarter, many enterprises have already taken a bold leap into the world of AI. However, per Salesforce, only 11% of CIOs say they’ve fully implemented AI, with the number one reason for holding full implementation back being around security and data infrastructure concerns. This round of funding serves to further accelerate and expand Zenity’s ability to enable the use of AI apps and agents among Fortune 500 enterprises, including current Zenity customers that exist across financial services, technology, manufacturing, energy and pharmaceutical industries.

Ben Kliger, Zenity’s CEO and co-founder, said: “The future of work is now. For the first time, large enterprises are on the cutting edge by placing the power of AI and low-code at all users’ fingertips, meaning anyone can now use and build AI agents and business applications to get more done. As such, security teams need robust and purpose-built solutions to properly manage the risks that come when utilizing the most powerful tools we have ever seen. We are proud to partner with Third Point Ventures and DTCP to continue our mission in supporting the world’s largest and most consequential organizations to enable innovation securely.” Recently, Zenity researchers found that the average large enterprise has nearly 80,000 AI agents, apps, and automations that are built using low-code development platforms, with over 62% containing some type of security vulnerability. Additionally, Zenity CTO and co-founder Michael Bargury presented research at Black Hat 2024 revealing how easy it is for bad actors to take control over enterprise copilots, such as Microsoft 365 Copilot, all without requiring a compromised account. What these themes have in common, is that business users of all technical backgrounds are at the forefront for business productivity. It also means that IT organizations are lacking visibility, as AI agents and applications are being built and used across the enterprise. These applications exist with an implicitly shared responsibility model, similar to the cloud, and security teams do not have visibility into what risks exist. Zenity provides visibility, risk assessment, and governance that security teams need in order to fully harness AI agents. Having gotten their start as the pioneers in the low-code/no-code application security space, Zenity is uniquely positioned with this latest round of funding to support enterprises as they continue placing more power at the hands of business users via Agentic AI workflows. As a community-oriented organization, having led and co-sponsored initiatives like the OWASP Top 10 for Low-Code/No-Code Security and the newly minted GenAI Attacks Matrix, Zenity is at the forefront of both security research and product development to be able to continue as a force enabler to the world’s enterprises. 

Sapir Harosh, Partner, Third Point Ventures, said: “In the rapidly evolving realms of AI and low-code development, Zenity stands out as a first mover dedicated to securing enterprises from emerging threats. We are proud to invest in Zenity and work closely with the team as they enable enterprises to harness powerful tools safely and drive transformative change. At Third Point Ventures, we are on the lookout for visionary companies like Zenity—those with deep connections to technology and a bold mission to serve large enterprises. We look forward to supporting their next wave of growth as they continue to innovate with advancements in AI and low-code technologies.” 

Dean Shahar, Head of Israel, DTCP, said: “We are incredibly impressed with Zenity’s achievements and are thrilled to partner with them in their next phase of growth. It’s no secret that the race to secure AI is on, but Zenity is way ahead of the competition, driven by a strong customer base and over 3x YoY growth. Their research-driven and community-focused approach, combined with their expertise in securing and understanding low-code environments, gives them a distinctive advantage in securing how business users operate today – one that’s already delivering real value to their customers. We’re excited about the opportunity to work with Ben, Michael and their incredible team and look forward to a fruitful collaboration that drives innovation and success.” 

About Zenity  Zenity, the world’s first agent-less application security platform for enterprise Copilots and Low-Code development, protects organizations from security threats, helps meet compliance, and enables business continuity. Established in 2021, many of the world’s leading organizations trust Zenity to help configure security guardrails, generate prioritized lists of vulnerabilities, and accurately pinpoint and remediate vulnerabilities by continuously scanning business-led development platforms and providing centralized visibility, risk assessment, and governance. Visit us at https://www.zenity.io for more.

Zenity Raises $38M Series B Funding Round to Secure Agentic AI

PRESS RELEASE

NEW YORK, Oct. 28, 2024 /PRNewswire/ -- Casap, a disputes automation and fraud prevention platform, has raised $8.5 million to scale the first AI-powered solution for banks, credit unions and fintechs to intelligently tackle first-party fraud and automate disputes and chargebacks. The recent round was led by Lightspeed Venture Partners with participation from Primary Venture Partners, Commerce Ventures, Curql, Alloy Labs, and notable fintech founders and execs from Chime, Robinhood, Square, Current, Novo, and Alloy. The funding will enable Casap to continue to scale its AI decisioning, helping financial institutions reduce operational costs, curb fraud-related losses, and transform the consumer experience.

"The surge in first-party fraud and dispute volumes are overwhelming financial institutions," said Shanthi Shanmugam, co-founder and CEO of Casap. "Our platform helps banks, credit unions and fintechs meet these challenges head-on with intelligent automation that delivers fast, frictionless dispute resolution at a fraction of today's cost. By empowering institutions to identify fraudulent claims early and resolve legitimate cases swiftly, Casap is transforming what is often a frustrating customer service experience into an opportunity to build consumer loyalty."

Financial institutions are under immense pressure to resolve the 238 million chargebacks that emerge annually, most of which take 45-90 days to resolve. First-party fraud has consistently risen year over year since COVID, with more consumers disputing legitimate charges to avoid payment. This surge, combined with a growing tendency to file disputes directly with payment providers instead of merchants, has led to overwhelming volumes and substantial financial losses. Institutions are forced to hire large teams, navigate complex regulations, and outsource chargebacks yet still struggle to meet consumer expectations — 50% of consumers will switch banks if they are not getting the service they want and expect, leading to long-term attrition and escalating costs.

Casap's AI-powered automations and proprietary "first-party fraud score", similar to an industry-standard FICO score, combine to resolve a dispute end-to-end without human intervention. The platform intelligently analyzes evidence, predicts outcomes, and automates key actions — such as issuing credits, filing chargebacks, and responding to merchants — while using its fraud score to identify suspicious consumers and merchants to proactively reduce disputes.

"Our team was impressed by the deep expertise Shanthi and Saisi brought to what is a cross-industry problem with significant scale. The company's early momentum is a promising indication of the type of compounding technological innovation we look for," says Aaron Frank, Partner at Lightspeed.

Casap's chargeback model, the first of its kind, includes publicly available weights — putting Casap at the forefront of innovation and sets a new standard for transparency in the industry. With built-in regulatory expertise and key integrations, Casap's advanced AI and decisioning capabilities cut resolution times from days to minutes, driving significant cost savings and enhancing operational efficiency for financial institutions.

Casap is already delivering measurable results for customers across the payments ecosystem, from major fintechs and established institutions like Chartway Credit Union to Banking-as-a-Service providers and sponsor banks.

"Before Casap, our team lacked the tools to effectively resolve disputes or file chargebacks, leading to a negative member experience and limited ability to improve the process," said Karin Collier, Director of Card Services at Chartway Credit Union. "Partnering with Casap has revolutionized how we think about disputes. With Casap's built-in regulatory expertise and AI-powered automation, we get to drive fast, accurate dispute outcomes, catch friendly fraud early, achieve higher NPS, all while seeing an immediate positive impact on our bottom line. Casap's customizability helps us adapt quickly to evolving needs, fraud trends, and transforms the way we work across the credit union. With Casap, AI is more than a tool—it's the engine driving our mission to create an unparalleled member experience. We're excited to continue partnering with Casap to transform how we operate across the back-office and set a new benchmark for exceptional member service."

"Choosing Casap as our multi-year partner for disputes and fraud management was an easy decision," continues Collier. "The partnership delivers immediate impact, with 29% cost savings from day one with even greater efficiencies projected just a month out. More importantly, Casap enables us to build trust by offering our members a fast, seamless self-service experience that sets a new standard for dispute resolution."

Casap is committed to making its platform the best-in-class solution for resolving disputes and chargebacks, helping customers achieve results up to four times faster than competitors in the space.

"Consumer trust is the lifeblood of financial institutions," Shanmugam continues. "Casap gives banks, credit unions and fintechs the tools they need to resolve genuine disputes quickly, while curbing the rising costs of fraud. We're not just solving a back-office problem—we're reshaping how institutions build trust and loyalty in the face of fraud."

Before founding Casap, Shanthi Shanmugam and Saisi Peter spent years driving innovation at fintech powerhouses Chime and Robinhood, with a focus on delivering seamless, consumer-first experiences. Their expertise in revolutionizing the way we operate payments has fueled Casap's rapid growth and early momentum.

Casap has also been recognized by industry leaders, winning the NACUSO 2024 Next Big Idea Competition.

About

Casap is an AI-powered disputes automation and fraud prevention platform. With built-in regulatory expertise and network integrations, Casap's intelligent automation identifies fraudulent claims early and delivers fast, frictionless dispute and chargeback resolution at a fraction of today's cost. Growing financial institutions use Casap to scale with a triple shield — back office efficiencies, fraud protection, and consumer delight. Casap is backed by top-tier VCs and notable fintech founders. Learn more at casaphq.com.

Casap Secures $8.5M in Funding

Red Hat Security Advisory 2024-8616-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8616.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:8616-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8616Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2022-48773====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (CVE-2024-40998)* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48773References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2297582https://bugzilla.redhat.com/show_bug.cgi?id=2298109

Red Hat Security Advisory 2024-8616-03

Red Hat Security Advisory 2024-8577-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8577.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: krb5 security updateAdvisory ID:        RHSA-2024:8577-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8577Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-3596====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* freeradius: forgery attack (CVE-2024-3596)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3596References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263240

Red Hat Security Advisory 2024-8577-03

### Impact
Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired.

Users not implemented SAS Uri's are unaffected.

### Patches
This issue was resolved in version 8.0.0 of the library, all users should update to this version ASAP.

### Workarounds
None



**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-24mc-gc52-47jv: ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.
"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.
"The malvertising campaign leverages nearly a hundred malicious

Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute information known as SYS01stealer.

"The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News.

"The malvertising campaign leverages nearly a hundred malicious domains, utilized not only for distributing the malware but also for live command and control (C2) operations, allowing threat actors to manage the attack in real-time."

SYS01stealer was first documented by Morphisec in early 2023, describing attack campaigns targeting Facebook business accounts using Google ads and fake Facebook profiles that promote games, adult content, and cracked software.

Like other stealer malware, the end goal is to steal login credentials, browsing history, and cookies. But it's also focused on obtaining Facebook ad and business account data, which is then used to propagate the malware further via phony ads.

"The hijacked Facebook accounts serve as a foundation for scaling up the entire operation," Bitdefender noted. "Each compromised account can be repurposed to promote additional malicious ads, amplifying the reach of the campaign without the hackers needing to create new Facebook accounts themselves."

The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. A majority of the Facebook ads are engineered to target men aged 45 and above.

"This effectively lures victims into clicking these ads and having their browser data stolen," Trustwave said in an analysis of the malware in July 2024.

"If there is Facebook-related information in the data, there is a possibility of not only having their browser data stolen but also having their Facebook accounts controlled by the threat actors to further spread malvertisements and continue the cycle."

Users who end up interacting with the ads are redirected to deceptive sites hosted on Google Sites or True Hosting that impersonate legitimate brands and applications in an attempt to initiate the infection. The attacks are also known to use hijacked Facebook accounts to publish fraudulent ads.

The first stage payload downloaded from these sites is a ZIP archive that includes a benign executable, which is used to sideload a malicious DLL responsible for decoding and launching the multi-stage process.

This includes running PowerShell commands to prevent the malware from running in a sandboxed environment, modifying Microsoft Defender Antivirus settings to exclude certain paths to avoid detection, and setting up an operating environment to run the PHP-based stealer.

In the latest attack chains observed by the Romanian cybersecurity company, the ZIP archives come embedded with an Electron application, suggesting that the threat actors are continuously evolving their strategies.

Also present within the Atom Shell Archive (ASAR) is a JavaScript file ("main.js") that now executes the PowerShell commands to perform sandbox checks and execute the stealer. Persistence on the host is achieved by setting up scheduled tasks.

"The adaptability of the cybercriminals behind these attacks makes the SYS01 infostealer campaign especially dangerous," Bitdefender said. "The malware employs sandbox detection, halting its operations if it detects it's being run in a controlled environment, often used by analysts to examine malware. This allows it to remain undetected in many cases."

"When cybersecurity firms begin to flag and block a specific version of the loader, the hackers respond swiftly by updating the code. They then push out new ads with updated malware that evades the latest security measures."

**Phishing Campaigns Abuse Eventbrite**

The development comes as Perception Point detailed phishing campaigns that misuse the Eventbrite events and ticketing platform to steal financial or personal information.

The emails, delivered via noreply@events.eventbrite\[.\]com, prompt users to click on a link to pay an outstanding bill or confirm their package delivery address, after which they are asked to enter their login and credit card details.

The attack itself is made possible by the fact that the threat actors sign up for legitimate accounts on the service and create fake events by abusing the reputation of a known brand, embedding the phishing link within the event description or attachment. The event invite is then sent to their targets.

"Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.

"The Eventbrite sender domain also increases the likelihood that recipients will open the email and click through to the phishing link. This abuse of Eventbrite's platform enables the attackers to evade detection, ensuring higher delivery and open rates."

**Pig Butchering of a Different Kind**

Threat hunters are also calling attention to an increase in cryptocurrency fraud that impersonates various organizations to target users with bogus job lures that purportedly allow them to earn money while working from home. The unsolicited messages also claim to represent legitimate brands like Spotify, TikTok, and Temu.

The activity commences via social media, SMS, and messaging apps like WhatsApp and Telegram. Users who agree to take up the jobs are instructed by the scammers to register on a malicious website using a referral code, following which they are asked to complete various tasks – submit fake reviews, place product orders, play specific songs on Spotify, or book hotels.

The scam unfolds when victims' fake commission account balance suddenly goes into the negative and they are urged to top up by investing their own cryptocurrency in order to earn bonuses off the tasks.

"This vicious cycle will continue as long as the scammers think the victim will keep paying into the system," Proofpoint researchers said. "If they suspect their victim has become wise to the scam, they will lock their account and ghost them."

The illicit scheme has been attributed with high confidence to threat actors who also conduct pig butchering, which is also known as romance-based cryptocurrency investment fraud.

"The job fraud has smaller but more frequent returns for the fraudsters compared to pig butchering," Proofpoint said. "The activity leverages popular brand recognition in place of a long, romance-based confidence scam."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap