### Impact
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in `wrangler` until `3.19.0`), an attacker on the local network could access other local servers.

### Patches
The issue was fixed in `miniflare@3.20231030.2`.

### Workarounds
Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the `host: "127.0.0.1"` option.

### References
- https://github.com/cloudflare/workers-sdk/pull/4532


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-7078

**Miniflare vulnerable to Server-Side Request Forgery (SSRF)**

High severity GitHub Reviewed Published Dec 29, 2023 in cloudflare/workers-sdk • Updated Dec 29, 2023

**Package**

npm miniflare (npm)

**Affected versions**

\>= 3.20230821.0, < 3.20231030.2

**Patched versions**

3.20231030.2

**Description**

**Impact**

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

**Patches**

The issue was fixed in miniflare@3.20231030.2.

**Workarounds**

Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: "127.0.0.1" option.

**References**

*   cloudflare/workers-sdk#4532

**References**

*   GHSA-fwvg-2739-22v7
*   https://nvd.nist.gov/vuln/detail/CVE-2023-7078
*   cloudflare/workers-sdk#4532

Published to the GitHub Advisory Database

Dec 29, 2023

Last updated

Dec 29, 2023

GHSA-fwvg-2739-22v7: Miniflare vulnerable to Server-Side Request Forgery (SSRF)

By Deeba Ahmed
Among others, developers of the infamous Lumma, an infostealer malware, are already using the exploit by employing advanced…
This is a post from HackRead.com Read the original post: Malware Leveraging Google Cookie Exploit via OAuth2 Functionality

Among others, developers of the infamous Lumma, an infostealer malware, are already using the exploit by employing advanced tactics like token manipulation and encryption in targeted attacks.

CloudSEK’s threat research team has reported a critical exploit affecting Google services, allowing threat actors to generate **Google cookies** continuously while ensuring continuous access to Google services even after a user performs a password reset. In a technical report, CloudSEK shared details of the exploit.

On October 20, 2023, CloudSEK’s AI digital risk platform XVigil discovered that on the Telegram channel, a developer/threat actor PRISMA had released a 0-day solution to address issues with incoming sessions of Google accounts.

AI-Translated Image: Russian to English

The solution offers session persistence, allowing the attacker to bypass security measures and enable cookie generation, gaining unauthorized access even when the account password is changed. The developer expressed openness to cooperation and potential collaboration on this newfound exploit.

Afterwards, **Lumma Infostealer** announced the feature’s integration with an advanced blackboxing approach on November 14, 2023. Rhadamanthys and WhiteSnake also announced similar blackboxing approaches. Lumma updated the exploit to counteract Google’s fraud detection measures on November 24, 2023. Other hackers, such as Stealc, Meduza, RisePro, and Whitesnake, implemented the feature. Hudson Rock posted a video from Darkweb demonstrating a hacker exploiting generated cookies on December 27, 2023.

CloudSEK threat researchers **revealed** that an undocumented Google Oauth endpoint named “MultiLogin” is the root of the exploit. The endpoint responsible for regenerating cookies was revealed through Chromium’s source code, which is an internal mechanism designed for synchronizing Google accounts across services.

The MultiLogin endpoint, as revealed through Chromium’s source code, operates by accepting a vector of account IDs and auth-login tokens, essential for managing simultaneous sessions or switching between user profiles seamlessly.

Chromium codebase examination confirmed that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled. Threat actors employ sophisticated tactics in cyber threats, such as Lumma’s exploitation of the undocumented Google OAuth2 MultiLogin endpoint.

Lumma’s approach entails manipulation of the token:GAIA ID pair, a critical component in **Google’s authentication process**. By applying encryption to this component, Lumma effectively masks the core mechanism of their exploit, hindering other malicious entities from duplicating their method. This strategic move preserves their exploit’s uniqueness in the competitive cybercrime landscape and provides them an edge in the illicit market.

Lumma’s subsequent adaptation involves using SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration, inadvertently exposing some details of the requests and responses, potentially compromising the exploit’s obscurity. Encrypted communication between the malware C2 and the MultiLogin endpoint is less likely to trigger alarms in network security systems, as standard security protocols generally overlook encrypted traffic.

This exploit can continuously regenerate cookies for Google services, demonstrating sophistication in Google’s internal authentication mechanisms and a shift towards stealth-oriented **cyber threats**, emphasizing concealment over effectiveness.

****_RELATED ARTICLES_****

1.  **Scammers Weaponize Google Forms in New BazarCall Attack**
2.  **Google Workspace Vulnerabilities Lead to Network-Wide Breaches**
3.  **Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads**
4.  **Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID**
5.  **Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw**

Malware Leveraging Google Cookie Exploit via OAuth2 Functionality

Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability.

    From: Jacques Le Roux <jleroux () apache org>Date: Mon, 04 Dec 2023 21:04:50 +0000Severity: moderateAffected versions:- Apache OFBiz before 18.12.10Description:Pre-auth RCE in Apache Ofbiz 18.12.09.It's due to XML-RPC no longer maintained still present.This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10This issue is being tracked as OFBIZ-12812 Credit:Siebene@ (finder)References:https://ofbiz.apache.org/download.htmlhttps://ofbiz.apache.org/security.htmlhttps://ofbiz.apache.org/release-notes-18.12.10.htmlhttps://ofbiz.apache.org/https://www.cve.org/CVERecord?id=CVE-2023-49070https://issues.apache.org/jira/browse/OFBIZ-12812-----Packet Storm NoteBelow is the proof of concept circulating on twitter:#POC: /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y

Apache OFBiz 18.12.09 Remote Code Execution

An issue in the component IPAddressBitsDivision of IPAddress v5.1.0 leads to an infinite loop.

**IPAddress Infinite Loop vulnerability**

Moderate severity GitHub Reviewed Published Dec 29, 2023 to the GitHub Advisory Database • Updated Jan 3, 2024

GHSA-qphf-w3cq-jpmx: IPAddress Infinite Loop vulnerability

easy-rules-mvel v4.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component `mVELRule`.

**easy-rules-mvel vulnerable to remote code execution**

Critical severity GitHub Reviewed Published Dec 29, 2023 to the GitHub Advisory Database • Updated Dec 29, 2023

GHSA-fgwc-3j6w-ch22: easy-rules-mvel vulnerable to remote code execution

Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.



**Mattermost Cross-site Scripting vulnerability**

Low severity GitHub Reviewed Published Dec 29, 2023 to the GitHub Advisory Database • Updated Jan 3, 2024

GHSA-h3gq-j7p9-x3p4: Mattermost Cross-site Scripting vulnerability

By Deeba Ahmed
Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen.
This is a post from HackRead.com Read the original post: iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers

The findings came as part of Operation Triangulation, months after Kaspersky discovered that their employees’ iPhones had been hacked by spyware.

Kaspersky Global Research and Analysis Team (GReAT) has discovered an obscure hardware feature likely exploited by hackers during **spyware attacks against iPhone users**.

The attacks were part of an APT campaign dubbed Operation Triangulation, which has been active since 2019, targeting iOS devices Using **zero-click exploits via iMessage**, allowing attackers to gain control and access user data. It was discovered by Kaspersky this summer.

The yet publicly undocumented feature is a part of Apple’s system-on-a-chip (SoC) and was probably included in the iPhone for debugging or testing purposes by Apple engineers, or added in the final consumer version mistakenly. Nevertheless, it allowed attackers to bypass protections and hijack devices in attacks targeting Kaspersky senior employees’ iPhones.

The research into **Operation Triangulation** was conducted by the cybersecurity vendor, Kaspersky. It is worth noting that the operation kicked off when Kaspersky researchers identified that their employees’ iPhones were hacked by spyware.

On December 27, 2023, the company shared the **findings** in a presentation titled “Operation Triangulation: What You Get When Attack iPhones of Researchers” at the 37th Chaos Communication Congress held in Hamburg and published in a report authored by Boris Larin.

During the presentation, researchers explained that multiple iOS zero-day vulnerabilities (including an RCE issue in Apple’s ADJUST TrueType font instruction **CVE-2023-41990** and **CVE-2023-38606**, a bypass of hardware-based security protections) were exploited to execute code and install a stealthy spyware implant, known as TriangleDB.

These vulnerabilities were used to target iPhones running iOS versions up to **iOS 16.6**. The most critical of these was CVE-2023-38606 for allowing a JavaScript exploit to bypass the Page Protection Layer.

The attackers used malicious **iMessage attachments** to exploit a remote code execution zero-day and deploy TriangleDB without user interaction. The infection chain involved multiple checks and log-erasing actions to prevent malware identification. Researchers discovered new attacks/exploits daily, calling it the most sophisticated chain of attack they had ever witnessed.  

> _“We have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is the most sophisticated attack chain we have ever seen.”_
> 
> Kaspersky – GReAT

The obscure feature allowed overriding of hardware-based security to protect the kernel, the core part of an operating system. Attackers could then write data to a specific physical address while “bypassing hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.”

The attackers exploited MMIO registers from the GPU coprocessor, bypassing Apple’s DeviceTree ranges to write to memory, bypass protections, and achieve RCE.

Correlation of the gfx-asc MMIO ranges and the addresses used by the exploit (Kaspersky)

Apple responded by releasing security updates to address four zero-day vulnerabilities impacting various Apple products: **CVE-2023-32434**, **CVE-2023-32435**, CVE-2023-38606, and CVE-2023-41990.

However, there are still many unanswered questions, such as the purpose of this feature, how attackers learned to use it considering that the firmware didn’t use it and whether it was developed by Apple or a third-party component like ARM CoreSight.

****_RELATED ARTICLES_****

1.  **Hackers Targeting Apple’s M1 Chip with Mac Malware**
2.  **Turns out iPhone 5c can be hacked with a $100 hardware**
3.  **Apple Safari Safest, Google Chrome Riskiest Browser – Study**
4.  **Apple Bug bounty: Earn big for hacking iPhone, other products**
5.  **iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser**

iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers

It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure.

With political polarization, unrest, and violence escalating in many regions of the world, 2023 was fraught with uncertainty and tragedy. In digital security, though, the year felt more like a Groundhog Day of incidents caused by classic types of attacks, like phishing and ransomware, rather than a roller coaster of offensive hacking innovation.

The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here's WIRED's look back at the year's worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns. Stay alert, and stay safe out there.

One of the most impactful hacks of 2023 wasn’t a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit. The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy. Progress Software, which develops MOVEit, patched the flaw at the end of May, and broad adoption of the fix eventually stopped the spree. But the “Cl0p” data extortion gang had already gone on a disastrous joy ride, exploiting the vulnerability against as many victims as possible. Organizations are still coming forward to disclose MOVEit-related incidents, and researchers told WIRED that this trickle of updates will almost certainly continue in 2024 and possibly beyond.

Based in Russia, Cl0p emerged in 2018 and functioned as a standard ransomware actor for a few years. But the gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.

The identity management platform Okta disclosed a breach of its customer support system in October. The company said at the time that about 1 percent of its 18,400 customers were impacted. But the company had to revise its assessment in November to acknowledge that actually _all_ of its customer support users had had data stolen in the breach.

The original 1 percent estimate came from the company’s investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot. But that assessment had missed other malicious activity in which the attacker ran an automated query of a database that contained names and email addresses of “all Okta customer support system users” and some Okta employees. As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it suffered a previous high-profile breach in 2021.

The US National Security Agency and its allied intelligence services around the world have been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting US critical infrastructure networks, including power grids, as part of its activity. Officials have continued to reinforce that network defenders need to be on the lookout for suspicious activity that could indicate a clandestine operation. Volt Typhoon's hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government's stockpile of zero-day vulnerabilities, which can be weaponized and exploited. Beijing collects these bugs through research, and some may also come as the result of a law that requires vulnerability disclosure.

Meanwhile, in June, Microsoft said that a China-backed hacking group had stolen an immensely sensitive cryptographic key from the company's systems that allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. In a postmortem published in September, Microsoft explained that improper access to the key was incredibly improbable, but occurred in this case because of a unique comedy of errors. The incident was a reminder, though, that Chinese state-backed hackers conduct a massive quantity of espionage operations each year and are often lurking undetected in networks, waiting for the opportune moment to capitalize on any flaw or mistake.

MGM casinos in Las Vegas and other MGM properties around the world suffered massive and disruptive system outages in September after a cyberattack by an affiliate of the notorious Alphv ransomware group. The attack caused chaos for travelers and gamblers alike, and took the hospitality group days—in some cases, even weeks—to recover, as ATMs went down, hotel keycards stopped working, and slot machines went dark.

Meanwhile, Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a data breach at the hands of Alphv, one in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data. _The Wall Street Journal_ reported in September that Caesars paid roughly half of the $30 million the attackers demanded in exchange for a promise that they wouldn't release stolen customer data. MGM reportedly did not pay the ransom.

In December 2022, LastPass, maker of the popular password manager, said that an August 2022 breach it had disclosed at the end of November 2022 was worse than the company originally thought, and encrypted copies of some users’ password vaults had been compromised in addition to other personal information. It was a deeply concerning revelation given that LastPass has suffered other security incidents in the past, and users trust the company with the most sensitive pieces of their digital lives.

On top of this, though, the company disclosed a second incident in February 2023 that also began in August 2022. Attackers compromised the home computer of one of the company's senior engineers—who had special access to LastPass' most sensitive systems—and stole authentication credentials. These, in turn, allowed them to access an Amazon S3 cloud storage environment and ultimately “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the company wrote in March—a devastating breach for a password manager company.

23andMe disclosed at the beginning of October that attackers had successfully compromised some of its users' accounts and parlayed that access to scrape the personal data of a larger number of users through the company's “DNA Relatives” opt-in social-sharing service. In that initial disclosure, the company didn't say how many users were affected. In the meantime, hackers began hawking data that appeared to be taken from a million or more 23andMe users. Then, in a US Securities and Exchange Commission filing at the beginning of December, the company said that the attacker had accessed 0.1 percent of user accounts, or roughly 14,000 per a company estimate that it has about 14 million customers. The SEC filing didn't include a larger number of those impacted by the DNA Relatives scraping, but 23andMe ultimately confirmed to TechCrunch that the hackers collected data from 5.5 million people who had opted in to DNA Relatives, plus information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." Some of the stolen data included classifications like describing subsets of users as being “Ashkenazi Jews,” “broadly Arabian,” or of Chinese descent, potentially exposing them to specific targeting.

While troubling, the data theft didn't include raw genetic information and typically wouldn't qualify as a “worst hack” in and of itself. But the situation was an important reminder of the stakes when dealing with information related to genetics and ancestry, and the possible unintended consequences of adding social sharing mechanisms to sensitive services, even when user participation is voluntary.

The wireless carrier T-Mobile has suffered a ludicrous number of data breaches in recent years and now has the dubious distinction of being a two-time winner of an honorable mention in WIRED's annual Worst Hacks roundups. This year, the company disclosed two breaches. One began in November 2022 and ended in January, impacting 37 million current customers on both prepaid and postpay accounts. Attackers stole customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The second breach, which occurred between February and March and was disclosed in April, was small, impacting less than 900 customers. It is significant, though, because the stolen data included full names, dates of birth, addresses, contact information, government ID information, Social Security numbers, and T-Mobile account pins—in other words, the crown jewels for hundreds of people.

The Worst Hacks of 2023

Ransomware gangs don't always win, and when they don't, it feels pretty great.

Ransomware gangs care about one thing: Stealing money.

Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.

As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors \[said\] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Considering all this, it’s pretty damn nice to see ransomware gangs lose.

As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.

Here are four times ransomware gangs failed in 2023.

**1\. The Royal Mail ransomware attack**

On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.

Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.

But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.

On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.

Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on _really big files_?

“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.

After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.

But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.

Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked _the wrong Royal Mail_, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.

At this point, the LockBit rep accepts defeat.

“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”

We’ll take that as a win.

**2\. MGM bounces back 10 days after ransomware siege**

In Sin City, the house always wins, even when it loses $100 million.

In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.

“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”

MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.  

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.  

MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.

**3\. Qakbot shot down**

Duck hunting season came early this year.

In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.

When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.

Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.

In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.

**4\. ALPHV tattles on its victim to little success**

A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.

That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.

Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.

But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.

Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).

To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.

MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.

To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.  

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The top 4 ransomware gang failures of 2023 

A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the component Java Expression Language Handler. The manipulation of the argument FilterExpression leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249151.

**ShifuML shifu code injection vulnerability**

Moderate severity GitHub Reviewed Published Dec 29, 2023 to the GitHub Advisory Database • Updated Jan 2, 2024

Tag

#vulnerability